gromit tui deployed

infra/gromit.tf

@@ -0,0 +1,105 @@
+provider "sops" {}
+
+data "sops_file" "secrets" {
+  source_file = "infra-secrets.yaml"
+}
+
+data "aws_region" "current" {}
+
+data "aws_route53_zone" "dev_tyk_tech" {
+  name         = "dev.tyk.technology"
+  private_zone = false
+}
+
+resource "aws_ssm_parameter" "licenser_tokens" {
+  for_each = toset(["dashboard", "mdcb"])
+
+  name        = "/cd/${each.value}_trial_token"
+  type        = "SecureString"
+  description = "Token to fetch the ${each.value} trial license"
+  value       = data.sops_file.secrets.data["licenser_tokens.${each.value}"]
+}
+
+# API server for test UI
+module "tui" {
+  source = "./modules/fg-service"
+
+  cluster = aws_ecs_cluster.internal.arn
+  cdt     = "templates/cd-awsvpc.tpl"
+  # Container definition
+  cd = {
+    name      = "tui",
+    port      = 80,
+    log_group = "internal",
+    image     = var.gromit_image,
+    command   = ["--textlogs=false", "policy", "serve", "--save=/shared/test-variations.yml", "--port=:80"],
+    mounts = [
+      { src = "shared", dest = "/shared", readonly = false },
+    ],
+    env     = [],
+    secrets = [],
+    region  = data.aws_region.current.name
+  }
+  trarn      = aws_iam_role.ter.arn
+  tearn      = aws_iam_role.ter.arn
+  vpc        = data.terraform_remote_state.base.outputs.vpc.id
+  subnets    = data.terraform_remote_state.base.outputs.vpc.public_subnets
+  volume_map = { shared = { fs_id = data.terraform_remote_state.base.outputs.shared_efs, root = "/tui" } }
+}
+
+# Refresh dash license
+module "licenser" {
+  source = "./modules/fg-sched-task"
+
+  schedule = "rate(25 days)"
+  cluster  = aws_ecs_cluster.internal.arn
+  cdt      = "templates/cd-awsvpc.tpl"
+  # Container definition
+  cd = {
+    name      = "db-license",
+    log_group = "internal",
+    image     = var.gromit_image,
+    command   = ["--textlogs=false", "env", "licenser", "dashboard-trial", "/cd/dashboard_license"],
+    mounts    = [],
+    env       = [],
+    secrets = [
+      { name = "LICENSER_TOKEN", valueFrom = aws_ssm_parameter.licenser_tokens["dashboard"].arn }
+    ],
+    region = data.aws_region.current.name
+  }
+  trarn      = aws_iam_role.ter.arn
+  tearn      = aws_iam_role.ter.arn
+  vpc        = data.terraform_remote_state.base.outputs.vpc.id
+  subnets    = data.terraform_remote_state.base.outputs.vpc.private_subnets
+  volume_map = {}
+}
+
+
+# Keep DNS refreshed
+# module "chitragupta" {
+#   source = "../modules/fg-sched-task"
+
+#   schedule = "rate(13 minutes)"
+#   cluster  = aws_ecs_cluster.internal.arn
+#   cdt      = "templates/cd-awsvpc.tpl"
+#   # Container definition
+#   cd = {
+#     name      = "chitragupta",
+#     log_group = "internal",
+#     image     = var.gromit_image,
+#     command   = ["cluster", "expose", "-a"],
+#     mounts    = [],
+#     env = [
+#       { name = "GROMIT_CLUSTER_DOMAIN", value = data.aws_route53_zone.dev_tyk_tech.name },
+#       { name = "GROMIT_CLUSTER_ZONEID", value = data.aws_route53_zone.dev_tyk_tech.zone_id }
+#     ],
+#     secrets = [],
+#     region  = var.region
+#   }
+#   trarn       = aws_iam_role.gromit_tr.arn
+#   tearn       = aws_iam_role.gromit_ter.arn
+#   vpc         = module.vpc.vpc_id
+#   subnets     = module.vpc.private_subnets
+#   volume_map  = { config = data.terraform_remote_state.base.outputs.config_efs }
+#   common_tags = local.common_tags
+# }

infra/infra-secrets.yaml

@@ -0,0 +1,18 @@
+licenser_tokens:
+    dashboard: ENC[AES256_GCM,data:u1B1KGOh92bVfktN9g6RS9NQLUXDsVUD,iv:KoBlulrFLg0PTnXLFHOTjFnQEVXTucp8IwfLeMauRhQ=,tag:v2UhZ/MtX+u5OMfoCXY+jg==,type:str]
+    mdcb: ENC[AES256_GCM,data:+qTuXUgqmO4RZU1pYazSk3WAaG1E1FdG,iv:YqO0vbY67lchZWVWdW5WvcCIS+WiXpFgy+OE2dUcNJU=,tag:bljHmF4VHk9zRtU/k1jAuQ==,type:str]
+sops:
+    kms:
+        - arn: arn:aws:kms:eu-central-1:754489498669:key/215a7274-5652-4521-8a88-b18e02b8f13e
+          created_at: "2024-05-29T06:41:45Z"
+          enc: AQICAHiDjTyDzev9deXqMt8qn7IIVL95PjWZTOOP+RjKHUtt0AGrZPgA+y+xDk2alhHiR+b7AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+gwhG51MD8EVbk/dAgEQgDvTJKJ9nmeih80qSogOkwKer8uJ+c6odA2OT2oSSOQxZ/ECFM2TO0fbNQEE2LN9wcJXPYxh1+W7EGooWA==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-05-29T06:41:51Z"
+    mac: ENC[AES256_GCM,data:Pnfu5731hZU+WQF7XDoxVGSMhLkNr4tjduwX/cPQB079/av5mmscto2Xxdp69pUjTjD/+xnbh3GZk3HLyqBNsSNOmjNlrUoNE49YdJQ5qeEzlAWCyBNxmHsTc4EuobXjBaWUxfUPSK8GuWtlXf4j64z6NeB033xXgVLfAYrJOIM=,iv:emLpO/C0zVVGMypEAkp19hK4YiBNWgNViv4i6UsDsiQ=,tag:i2E17VrUkmOA9tZqtiJ5aA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

infra/infra.tf

@@ -113,10 +113,10 @@ module "bastion" {
     CloudWatchAgentServerPolicy  = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
   }
   # Spot request specific attributes
-  # spot_price                          = "0.1"
-  # spot_wait_for_fulfillment           = true
-  # spot_type                           = "persistent"
-  # spot_instance_interruption_behavior = "terminate"
+  spot_price                          = "0.1"
+  spot_wait_for_fulfillment           = true
+  spot_type                           = "persistent"
+  spot_instance_interruption_behavior = "terminate"
 
   metadata_options = {
     http_tokens = "required" # IMDSv2
@@ -144,10 +144,19 @@ data "aws_ami" "al2023" {
   }
 }
 
+# Log group for CD tasks
 # Everything logs to cloudwatch with prefixes
 resource "aws_cloudwatch_log_group" "cd" {
   name = "cd"
 
+  retention_in_days = 3
+}
+
+
+# Log group for internal tasks
+resource "aws_cloudwatch_log_group" "internal" {
+  name = "internal"
+
   retention_in_days = 7
 }
 

infra/modules/fg-sched-task/main.tf

@@ -1,5 +1,5 @@
 data "template_file" "cd" {
-  template = templatefile(var.cdt, merge(var.cd, { port=null}))
+  template = templatefile(var.cdt, merge(var.cd, { port = null }))
 }
 
 resource "aws_ecs_task_definition" "td" {
@@ -19,12 +19,11 @@ resource "aws_ecs_task_definition" "td" {
       name = volume.value
 
       efs_volume_configuration {
-	file_system_id = var.volume_map[volume.value]
+        file_system_id = var.volume_map[volume.value]
         root_directory = "/"
       }
     }
   }
-  tags = var.common_tags
 }
 
 resource "aws_security_group" "sg" {
@@ -38,8 +37,6 @@ resource "aws_security_group" "sg" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
-  tags = var.common_tags
 }
 
 resource "aws_cloudwatch_event_rule" "cw_erule" {

infra/modules/fg-sched-task/variables.tf

@@ -11,12 +11,12 @@ variable "cdt" {
 
 variable "cd" {
   description = "Container definition object to fill in the template"
-  type = object({ 
+  type = object({
     name      = string
     command   = list(string)
     log_group = string
     image     = string
-    mounts    = list(object({src=string, dest=string, readonly=bool}))
+    mounts    = list(object({ src = string, dest = string, readonly = bool }))
     env       = list(map(string))
     secrets   = list(map(string))
     region    = string
@@ -40,11 +40,6 @@ variable "schedule" {
   type        = string
 }
 
-variable "common_tags" {
-  description = "Tags to apply to every resource that can be tagged"
-  type        = map(string)
-}
-
 variable "vpc" {
   description = "VPC to use, the task will be attached to networks below"
   type        = string

infra/modules/fg-service/main.tf

@@ -19,12 +19,11 @@ resource "aws_ecs_task_definition" "td" {
       name = volume.value
 
       efs_volume_configuration {
-        file_system_id = var.volume_map[volume.value]
-        root_directory = "/"
+        file_system_id = var.volume_map[volume.value].fs_id
+        root_directory = var.volume_map[volume.value].root
       }
     }
   }
-  tags = var.common_tags
 }
 
 resource "aws_security_group" "sg" {
@@ -45,8 +44,6 @@ resource "aws_security_group" "sg" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
-  tags = var.common_tags
 }
 
 resource "aws_ecs_service" "service" {
@@ -61,6 +58,4 @@ resource "aws_ecs_service" "service" {
     security_groups  = [aws_security_group.sg.id]
     assign_public_ip = true
   }
-
-  tags = var.common_tags
 }

infra/modules/fg-service/variables.tf

@@ -17,7 +17,7 @@ variable "cd" {
     port      = number
     log_group = string
     image     = string
-    mounts    = list(object({src=string, dest=string, readonly=bool}))
+    mounts    = list(object({ src = string, dest = string, readonly = bool }))
     env       = list(map(string))
     secrets   = list(map(string))
     region    = string
@@ -36,11 +36,6 @@ variable "tearn" {
   default     = ""
 }
 
-variable "common_tags" {
-  description = "Tags to apply to every resource that can be tagged"
-  type        = map(string)
-}
-
 variable "vpc" {
   description = "VPC to use, the task will be attached to networks below"
   type        = string
@@ -53,5 +48,5 @@ variable "subnets" {
 
 variable "volume_map" {
   description = "map of volume name to EFS id"
-  type        = map(string)
+  type        = map(object({ fs_id = string, root = string }))
 }

infra/prod.auto.tfvars

@@ -1,3 +1,3 @@
 base         = "base-prod"
 stepca_image = "smallstep/step-ca:0.25.2"
-#gromit_image = "tykio/gromit:v1.4.4"
+gromit_image = "tykio/gromit:latest"

infra/variables.tf

@@ -6,3 +6,7 @@ variable "base" {
 variable "stepca_image" {
   description = "Full repo URL with tag of the step-ca image to use"
 }
+
+variable "gromit_image" {
+  description = "Gromit image for TUI and licensers"
+}