From b408c7deb5c1ccb05d75873a55f5c7e01af0a6f3 Mon Sep 17 00:00:00 2001
From: "Jorge E. Gamboa G."
Date: Sat, 9 Dec 2023 08:55:15 +0100
Subject: [PATCH] Adapting services

---
 b2b/aurora/outputs.tf | 11 ++-
 b2b/service/pg_backup/main.tf | 125 +++++++++++++++------------
 b2b/service/pg_backup/terraform.tf | 5 +-
 b2b/service/pg_backup/variables.tf | 66 ++++++++++----
 generic/service/service/main.tf | 7 ++
 generic/service/service/variables.tf | 6 ++
 6 files changed, 137 insertions(+), 83 deletions(-)

diff --git a/b2b/aurora/outputs.tf b/b2b/aurora/outputs.tf
index e8d761c4..0114ff9b 100644
--- a/b2b/aurora/outputs.tf
+++ b/b2b/aurora/outputs.tf
@@ -4,12 +4,6 @@ output "postgres_url" {
   sensitive = true
 }
 
-output "postgres_arn" {
-  description = "ARN from the Postgres Cluster"
-  value = aws_rds_cluster.this.arn
-  sensitive = true
-}
-
 output "postgres_username" {
   description = "Aurora username"
   value = aws_ssm_parameter.postgres_username.value
@@ -36,6 +30,11 @@ output "postgres_url_ssm_parameter_name" {
   value = aws_ssm_parameter.postgres_url.name
 }
 
+output "security_group_id" {
+  description = "The ID of the security group"
+  value = module.security_group.security_group_id
+}
+
 output "alarm_arns" {
   description = "ARNs of the CloudWatch alarms."
   value = module.alarms.arns
diff --git a/b2b/service/pg_backup/main.tf b/b2b/service/pg_backup/main.tf
index b088c8a7..4c6a6951 100644
--- a/b2b/service/pg_backup/main.tf
+++ b/b2b/service/pg_backup/main.tf
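Review bot: The new `security_group_id` output's description does not say which security group it returns; it is the Aurora cluster's group, which `b2b/service/pg_backup` presumably consumes as `rds_security_group_id`, so make that explicit with `description = "ID of the security group attached to the Aurora cluster"`. Dropping `postgres_arn` removes a public output of this module and breaks any root module still referencing it; the commit message does not mention the removal, so it is worth confirming no consumer reads it before merging.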
@@ -1,72 +1,85 @@
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
 locals {
-  container_name = var.container_name
-  service_name = "${var.id}-${local.container_name}"
-  create_tasks_role = var.task_role_arn != "" ? false : true
+  create_task_role = var.task_role_arn != "" ? false : true
+  account_id = data.aws_caller_identity.current.account_id
+  partition = data.aws_partition.current.partition
+  region = data.aws_region.current.name
 }
 
-module "service" {
-  source = "terraform-aws-modules/ecs/aws//modules/service"
-  version = "5.2.0"
-
-  name = local.service_name
-  cluster_arn = var.cluster_arn
-  subnet_ids = var.subnet_ids
-  assign_public_ip = var.public_ip
-  create_iam_role = false
-
-  runtime_platform = {
-    operating_system_family = "LINUX"
-    cpu_architecture = var.cpu_architecture
-  }
-
-  ephemeral_storage = {
-    size_in_gib = var.task_storage
-  }
-
-  cpu = var.container_cpu
-  memory = var.container_memory
-  desired_count = var.desired_count
-  create_tasks_iam_role = local.create_tasks_role
-  tasks_iam_role_arn = var.task_role_arn
-
-  container_definitions = {
-    (local.container_name) = {
-      image = var.container_image
-      enable_cloudwatch_logging = true
-      cloudwatch_log_group_retention_in_days = var.log_retention_in_days
+# module "secret_policy" {
+#   source = "../../../generic/service/secret_policy"
 
-      port_mappings = [
-        {
-          name = local.container_name
-          containerPort = var.container_port
-          protocol = "tcp"
-        }
-      ]
-    }
-  }
+#   role_name = var.taks_role_name
+#   ssm_parameter_arns = [var.postgres_password_ssm_parameter_arn]
+#   description = "Allow PG backup service access to parameter store"
+#   path = "/pg_backup/"
+#   prefix = "pgbackupg"
+#   tags = var.tags
+# }
 
-  create_security_group = false
-  security_group_ids = var.security_groups
+module "security_group" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-security-group?ref=v4.16.0"
 
-  security_group_rules = {
-    ingress-https = {
-      type = "ingress"
-      description = "Allow from inbound traffic on container port"
-      from_port = "443"
-      to_port = "443"
-      protocol = "tcp"
-      cidr_blocks = ["0.0.0.0/0"]
+  name = "${var.tenant}-pg-backup-sg"
+  description = "Allow from ALB inbound traffic, Allow all egress traffic (Docker)"
+  vpc_id = var.vpc_id
+  ingress_with_source_security_group_id = [
+    {
+      description = "Allow RDS inbound traffic on container port"
+      from_port = var.container_port
+      to_port = var.container_port
+      protocol = "tcp"
+      source_security_group_id = var.rds_security_group_id
     }
-    egress_all = {
-      type = "egress"
+  ]
+  egress_with_cidr_blocks = [
+    {
       description = "Allow all egress traffic (Docker)"
       from_port = 0
       to_port = 0
       protocol = "-1"
-      cidr_blocks = ["0.0.0.0/0"]
-    }
+      cidr_blocks = "0.0.0.0/0"
+    }]
+  tags = var.tags
+}
+
+
+module "service" {
+  source = "../../../generic/service/service"
+
+  name = "pgbackup"
+  security_group_ids = [module.security_group.security_group_id]
+
+  cluster_id = var.cluster_id
+  vpc_id = var.vpc_id
+  subnet_ids = var.subnet_ids
+
+  cpu_architecture = var.cpu_architecture
+  container_cpu = var.container_cpu
+  container_memory = var.container_memory
+  container_image = var.container_image
+  container_port = var.container_port
+  desired_count = "1"
+  task_role_arn = var.task_role_arn
+  ephemeral_storage = var.task_storage
+  environment = {
+    TASK = var.pg_task
+    S3_BUCKET = var.s3_bucket_name
+  }
+
+  secrets = {
+    PGPASSWORD = var.postgres_password
+    DB_USER = var.postgres_username
+    DB_URL = var.postgres_url
+    DB_NAME = var.tenant
   }
+  log_retention_in_days = var.log_retention_in_days
+  tags = var.tags
 }
+
diff --git a/b2b/service/pg_backup/terraform.tf b/b2b/service/pg_backup/terraform.tf
index 92149b12..dbede771 100644
--- a/b2b/service/pg_backup/terraform.tf
+++ b/b2b/service/pg_backup/terraform.tf
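Review bot: The `secrets` map in the new `module "service"` block mixes an SSM parameter ARN (`postgres_password`, per its variable description) with plain values: `DB_NAME = var.tenant` is a tenant name, and `postgres_url`/`postgres_username` are described as the URL and username themselves. If the generic module turns `secrets` into ECS `valueFrom` entries, as its "secret to expose to the container" description suggests, ECS will try to resolve those strings as parameter references and the task will fail to start; move `DB_NAME = var.tenant` into `environment` next to `S3_BUCKET`, and either pass SSM parameter ARNs for the URL and username or rename those variables so callers know an ARN is expected. The security group's ingress rule admits traffic from `rds_security_group_id` on `container_port`, but a backup/restore task only opens connections to the database, so the inbound rule is unnecessary unless the container actually listens; what the task needs is an ingress rule on the RDS security group for this group, and the description `"Allow from ALB inbound traffic, ..."` is stale now that no ALB is involved. The three `data` sources and the `account_id`/`partition`/`region`/`create_task_role` locals are not referenced anywhere in the file, and the commented-out `secret_policy` block leaves the `ssm:GetParameters` grant for these secrets unaddressed — drop the dead code or restore the policy on the role that fetches them (for ECS secrets that is the task execution role, not the task role the comment names).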
@@ -1,10 +1,11 @@
 terraform {
-  required_version = ">= 1.3.7"
+  required_version = "1.3.7"
   required_providers {
     aws = {
       source = "hashicorp/aws"
-      version = ">= 4.55"
+      version = "4.50.0"
     }
   }
 }
+
diff --git a/b2b/service/pg_backup/variables.tf b/b2b/service/pg_backup/variables.tf
index 8f4a5719..605adbfa 100644
--- a/b2b/service/pg_backup/variables.tf
+++ b/b2b/service/pg_backup/variables.tf
@@ -1,10 +1,10 @@
-variable "id" {
-  description = "A unique identifier for the service"
+variable "tenant" {
+  description = "Name of the tenant"
   type = string
   validation {
-    condition = can(regex("^[a-z0-9]{2,16}$", var.id))
-    error_message = "Only alphanumeric characters are allowed in 'id', and must be 2-16 characters"
+    condition = can(regex("^[a-z0-9]{2,18}$", var.tenant))
+    error_message = "Only alphanumeric characters are allowed in 'tenant', and must be 2-18 characters"
   }
 }
 
@@ -13,15 +13,16 @@ variable "container_name" {
   type = string
 }
 
-variable "cluster_arn" {
-  description = "ARN of the ECS cluster"
+variable "cluster_id" {
+  description = "ID of the ECS cluster"
   type = string
 }
 
-variable "public_ip" {
-  description = "Wether to assign a public IP or not when launch"
-  type = bool
-  default = false
+
+variable "taks_role_name" {
+  description = "IAM role that allows your Amazon ECS container task to make calls to other AWS services."
+  type = string
+  default = ""
 }
 
 variable "task_role_arn" {
@@ -30,12 +31,22 @@ variable "task_role_arn" {
   default = ""
 }
 
+variable "rds_security_group_id" {
+  description = "Security group ID of the RDS"
+  type = string
+}
+
 ## network
 variable "subnet_ids" {
   description = "VPC subnet IDs to launch in the ECS service"
   type = list(string)
 }
 
+variable "vpc_id" {
+  description = "The ID of the VPC"
+  type = string
+}
+
 ## container
 variable "cpu_architecture" {
   description = "CPU architecture"
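Review bot: `version = "4.50.0"` lowers the AWS provider below the floor this module previously required (`>= 4.55`) and pins it exactly, so any provider attribute that motivated the old floor may now be missing, and patch releases of the provider can no longer be picked up; `required_version = "1.3.7"` likewise blocks every later Terraform patch version. Unless a regression in 4.55+ is the reason, keep a bounded range instead, e.g. `required_version = "~> 1.3.7"` and `version = ">= 4.55, < 5.0"`. The commit message does not explain the downgrade, so a one-line comment above the constraint stating why it is pinned would help the next reader.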
@@ -73,23 +84,40 @@ variable "task_storage" {
 }
 
-# Autoscaling of ECS
-variable "desired_count" {
-  description = "Number of instances of the task definition to place and keep running"
-  type = number
-  default = 1
-}
-
 variable "log_retention_in_days" {
   description = "Specifies the number of days you want to retain log events of the container"
   type = number
   default = 7
 }
 
+# Environmental Variables
+variable "postgres_url" {
+  description = "Postgres URL"
+  type = string
+}
+
+variable "postgres_username" {
+  description = "Postgres username"
+  type = string
+}
+
+variable "postgres_password" {
+  description = "ARN of the postgres password SSM parameter"
+  type = string
+}
+
+variable "pg_task" {
+  description = "Wether to create a backup or a restore from a Postgres DB"
+  type = string
+}
+
+variable "s3_bucket_name" {
+  description = "Name of the S3 bucket where the backup/restore file will be located"
+  type = string
+}
+
 variable "tags" {
   description = "Custom tags to set on the underlining resources"
   type = map(string)
   default = {}
 }
-
-
diff --git a/generic/service/service/main.tf b/generic/service/service/main.tf
index c86d09c1..a23e8530 100644
--- a/generic/service/service/main.tf
+++ b/generic/service/service/main.tf
@@ -52,6 +52,13 @@ resource "aws_ecs_task_definition" "this" {
     cpu_architecture = var.cpu_architecture
   }
 
+  dynamic "ephemeral_storage" {
+    for_each = var.ephemeral_storage == null ? [] : [1]
+    content {
+      size_in_gib = var.ephemeral_storage
+    }
+  }
+
   tags = var.tags
 }
diff --git a/generic/service/service/variables.tf b/generic/service/service/variables.tf
index bef57cc3..52d316bf 100644
--- a/generic/service/service/variables.tf
+++ b/generic/service/service/variables.tf
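Review bot: `pg_task` is a free-form string although its description admits only two modes (backup or restore), and this file already guards `tenant` with a `validation` block; add one here with a condition such as `contains(["backup", "restore"], var.pg_task)` and an error message listing the accepted values — the exact spellings must match what the container reads from the `TASK` environment variable, which is not visible in this patch. `postgres_url` and `postgres_username` are described as the URL and username while `postgres_password` is described as an SSM parameter ARN; since all three end up in the service's `secrets` map, each description should state which form it expects. `container_name` (kept in the earlier hunk of this file) is no longer referenced by `main.tf` after this commit, and the new `taks_role_name` variable is misspelled and only referenced from commented-out code, so both look like leftovers to remove.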
@@ -101,6 +101,12 @@ variable "environment" {
   default = {}
 }
 
+variable "ephemeral_storage" {
+  description = "Ephemeral storage size if the task requires a specific amount of ephemeral storage"
+  type = number
+  default = null
+}
+
 variable "secrets" {
   description = "An object representing the secret to expose to the container"
   type = map(string)
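Review bot: `ephemeral_storage` accepts any number, but the `dynamic "ephemeral_storage"` block added to `generic/service/service/main.tf` forwards it straight to the task definition, where Fargate only accepts 21–200 GiB, so an out-of-range value fails at apply time instead of at plan. Add a validation that tolerates the `null` sentinel the `dynamic` block relies on: `condition = var.ephemeral_storage == null ? true : (var.ephemeral_storage >= 21 && var.ephemeral_storage <= 200)`, with an error message naming the range. The description should also state the unit and the meaning of the default, e.g. `"Ephemeral storage size in GiB for the task; null keeps the platform default"`.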