Adapting services

xaynetwork · Dec 9, 2023 · b408c7d · b408c7d
1 parent de6bc40
commit b408c7d
Show file tree

Hide file tree

Showing 6 changed files with 137 additions and 83 deletions.
diff --git a/b2b/aurora/outputs.tf b/b2b/aurora/outputs.tf
@@ -4,12 +4,6 @@ output "postgres_url" {
   sensitive   = true
 }
 
-output "postgres_arn" {
-  description = "ARN from the Postgres Cluster"
-  value       = aws_rds_cluster.this.arn
-  sensitive   = true
-}
-
 output "postgres_username" {
   description = "Aurora username"
   value       = aws_ssm_parameter.postgres_username.value
@@ -36,6 +30,11 @@ output "postgres_url_ssm_parameter_name" {
   value       = aws_ssm_parameter.postgres_url.name
 }
 
+output "security_group_id" {
+  description = "The ID of the security group"
+  value       = module.security_group.security_group_id
+}
+
 output "alarm_arns" {
   description = "ARNs of the CloudWatch alarms."
   value       = module.alarms.arns

diff --git a/b2b/service/pg_backup/main.tf b/b2b/service/pg_backup/main.tf
@@ -1,72 +1,85 @@
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
 locals {
-  container_name    = var.container_name
-  service_name      = "${var.id}-${local.container_name}"
-  create_tasks_role = var.task_role_arn != "" ? false : true
+  create_task_role = var.task_role_arn != "" ? false : true
+  account_id       = data.aws_caller_identity.current.account_id
+  partition        = data.aws_partition.current.partition
+  region           = data.aws_region.current.name
 }
 
-module "service" {
-  source  = "terraform-aws-modules/ecs/aws//modules/service"
-  version = "5.2.0"
-
-  name             = local.service_name
-  cluster_arn      = var.cluster_arn
-  subnet_ids       = var.subnet_ids
-  assign_public_ip = var.public_ip
-  create_iam_role  = false
-
-  runtime_platform = {
-    operating_system_family = "LINUX"
-    cpu_architecture        = var.cpu_architecture
-  }
-
-  ephemeral_storage = {
-    size_in_gib = var.task_storage
-  }
-
-  cpu                   = var.container_cpu
-  memory                = var.container_memory
-  desired_count         = var.desired_count
-  create_tasks_iam_role = local.create_tasks_role
-  tasks_iam_role_arn    = var.task_role_arn
-
-  container_definitions = {
-    (local.container_name) = {
-      image                                  = var.container_image
-      enable_cloudwatch_logging              = true
-      cloudwatch_log_group_retention_in_days = var.log_retention_in_days
+# module "secret_policy" {
+#   source = "../../../generic/service/secret_policy"
 
-      port_mappings = [
-        {
-          name          = local.container_name
-          containerPort = var.container_port
-          protocol      = "tcp"
-        }
-      ]
-    }
-  }
+#   role_name          = var.taks_role_name
+#   ssm_parameter_arns = [var.postgres_password_ssm_parameter_arn]
+#   description        = "Allow PG backup service access to parameter store"
+#   path               = "/pg_backup/"
+#   prefix             = "pgbackupg"
+#   tags               = var.tags
+# }
 
-  create_security_group = false
-  security_group_ids    = var.security_groups
+module "security_group" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-security-group?ref=v4.16.0"
 
-  security_group_rules = {
-    ingress-https = {
-      type        = "ingress"
-      description = "Allow from inbound traffic on container port"
-      from_port   = "443"
-      to_port     = "443"
-      protocol    = "tcp"
-      cidr_blocks = ["0.0.0.0/0"]
+  name        = "${var.tenant}-pg-backup-sg"
+  description = "Allow from ALB inbound traffic, Allow all egress traffic (Docker)"
+  vpc_id      = var.vpc_id
 
+  ingress_with_source_security_group_id = [
+    {
+      description              = "Allow RDS inbound traffic on container port"
+      from_port                = var.container_port
+      to_port                  = var.container_port
+      protocol                 = "tcp"
+      source_security_group_id = var.rds_security_group_id
     }
-    egress_all = {
-      type        = "egress"
+  ]
+  egress_with_cidr_blocks = [
+    {
       description = "Allow all egress traffic (Docker)"
       from_port   = 0
       to_port     = 0
       protocol    = "-1"
-      cidr_blocks = ["0.0.0.0/0"]
-    }
+      cidr_blocks = "0.0.0.0/0"
+  }]
+  tags = var.tags
+}
+
+
+module "service" {
+  source = "../../../generic/service/service"
+
+  name               = "pgbackup"
+  security_group_ids = [module.security_group.security_group_id]
+
+  cluster_id = var.cluster_id
+  vpc_id     = var.vpc_id
+  subnet_ids = var.subnet_ids
+
+  cpu_architecture  = var.cpu_architecture
+  container_cpu     = var.container_cpu
+  container_memory  = var.container_memory
+  container_image   = var.container_image
+  container_port    = var.container_port
+  desired_count     = "1"
+  task_role_arn     = var.task_role_arn
+  ephemeral_storage = var.task_storage
+  environment = {
+    TASK      = var.pg_task
+    S3_BUCKET = var.s3_bucket_name
+  }
+
+  secrets = {
+    PGPASSWORD = var.postgres_password
+    DB_USER    = var.postgres_username
+    DB_URL     = var.postgres_url
+    DB_NAME    = var.tenant
   }
 
+  log_retention_in_days = var.log_retention_in_days
+
   tags = var.tags
 }
+
diff --git a/b2b/service/pg_backup/terraform.tf b/b2b/service/pg_backup/terraform.tf
@@ -1,10 +1,11 @@
 terraform {
-  required_version = ">= 1.3.7"
+  required_version = "1.3.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.55"
+      version = "4.50.0"
     }
   }
 }
+
diff --git a/b2b/service/pg_backup/variables.tf b/b2b/service/pg_backup/variables.tf
@@ -1,10 +1,10 @@
-variable "id" {
-  description = "A unique identifier for the service"
+variable "tenant" {
+  description = "Name of the tenant"
   type        = string
 
   validation {
-    condition     = can(regex("^[a-z0-9]{2,16}$", var.id))
-    error_message = "Only alphanumeric characters are allowed in 'id', and must be 2-16 characters"
+    condition     = can(regex("^[a-z0-9]{2,18}$", var.tenant))
+    error_message = "Only alphanumeric characters are allowed in 'tenant', and must be 2-18 characters"
   }
 }
 
@@ -13,15 +13,16 @@ variable "container_name" {
   type        = string
 }
 
-variable "cluster_arn" {
-  description = "ARN of the ECS cluster"
+variable "cluster_id" {
+  description = "ID of the ECS cluster"
   type        = string
 }
 
-variable "public_ip" {
-  description = "Wether to assign a public IP or not when launch"
-  type        = bool
-  default     = false
+
+variable "taks_role_name" {
+  description = "IAM role that allows your Amazon ECS container task to make calls to other AWS services."
+  type        = string
+  default     = ""
 }
 
 variable "task_role_arn" {
@@ -30,12 +31,22 @@ variable "task_role_arn" {
   default     = ""
 }
 
+variable "rds_security_group_id" {
+  description = "Security group ID of the RDS"
+  type        = string
+}
+
 ## network
 variable "subnet_ids" {
   description = "VPC subnet IDs to launch in the ECS service"
   type        = list(string)
 }
 
+variable "vpc_id" {
+  description = "The ID of the VPC"
+  type        = string
+}
+
 ## container
 variable "cpu_architecture" {
   description = "CPU architecture"
@@ -73,23 +84,40 @@ variable "task_storage" {
 
 }
 
-# Autoscaling of ECS
-variable "desired_count" {
-  description = "Number of instances of the task definition to place and keep running"
-  type        = number
-  default     = 1
-}
-
 variable "log_retention_in_days" {
   description = "Specifies the number of days you want to retain log events of the container"
   type        = number
   default     = 7
 }
 
+# Environmental Variables
+variable "postgres_url" {
+  description = "Postgres URL"
+  type        = string
+}
+
+variable "postgres_username" {
+  description = "Postgres username"
+  type        = string
+}
+
+variable "postgres_password" {
+  description = "ARN of the postgres password SSM parameter"
+  type        = string
+}
+
+variable "pg_task" {
+  description = "Wether to create a backup or a restore from a Postgres DB"
+  type        = string
+}
+
+variable "s3_bucket_name" {
+  description = "Name of the S3 bucket where the backup/restore file will be located"
+  type        = string
+}
+
 variable "tags" {
   description = "Custom tags to set on the underlining resources"
   type        = map(string)
   default     = {}
 }
-
-
diff --git a/generic/service/service/main.tf b/generic/service/service/main.tf
@@ -52,6 +52,13 @@ resource "aws_ecs_task_definition" "this" {
     cpu_architecture        = var.cpu_architecture
   }
 
+  dynamic "ephemeral_storage" {
+    for_each = var.ephemeral_storage == null ? [] : [1]
+    content {
+      size_in_gib = var.ephemeral_storage
+    }
+  }
+
   tags = var.tags
 }
 

diff --git a/generic/service/service/variables.tf b/generic/service/service/variables.tf
@@ -101,6 +101,12 @@ variable "environment" {
   default     = {}
 }
 
+variable "ephemeral_storage" {
+  description = "Ephemeral storage size if the task requires a specific amount of ephemeral storage"
+  type        = number
+  default     = null
+}
+
 variable "secrets" {
   description = "An object representing the secret to expose to the container"
   type        = map(string)