add sample fargate

examples/fargate-cluster/.gitignore

@@ -0,0 +1,4 @@
+aws.*.txt
+aws.*.zip
+aws.*.zip.password
+logs/

examples/fargate-cluster/cicd-deployer.tf

@@ -0,0 +1,154 @@
+locals {
+  cicd_iam_username      = format("%v%v-%v", local._prefixes["ecs-user"], var.cluster_name, var.cicd_group_name)
+  policy_cicd_group_name = replace(local.cicd_iam_username, local._prefixes["ecs-user"], local._prefixes["ecs-policy"])
+  role_cicd_group_name   = replace(local.cicd_iam_username, local._prefixes["ecs-user"], "")
+  cicd_group_name        = local.role_cicd_group_name
+  iam_policies_cicd      = ["p-inf-manage-access-keys"]
+}
+
+data "aws_iam_policy" "cicd_deployer_policies" {
+  for_each = toset(local.iam_policies_cicd)
+  name     = each.key
+}
+
+module "service_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-user.git"
+
+  iam_username        = local.cicd_iam_username
+  username            = ""
+  email_address       = ""
+  groups              = ["g-inf-ip-restriction"]
+  generate_password   = false
+  service_account     = true
+  enable_sending_mail = false
+  create_access_keys  = false
+  attached_policies   = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "role_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_name              = local.role_cicd_group_name
+  role_description       = "Role for ECS cluster ${var.cluster_name} for access by ${var.cicd_group_name}"
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+  attached_policies      = [aws_iam_policy.cicd_deployer.arn]
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+resource "aws_iam_policy" "cicd_deployer" {
+  name        = local.policy_cicd_group_name
+  path        = "/"
+  description = "Policy for ECS ${var.cluster_name} IAM access ${var.cicd_group_name}"
+  policy      = data.aws_iam_policy_document.cicd_deployer.json
+}
+
+locals {
+  cicd_deployer_policy_statements = {
+    ECRRead = {
+      actions = [
+        "ecr:Describe*",
+        "ecr:Get*",
+        "ecr:ListImages",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+      resources = ["*"]
+    }
+    ECRWrite = {
+      #      effect = "Deny"
+      actions = [
+        "ecr:BatchDeleteImage",
+        "ecr:CompleteLayerUpload",
+        "ecr:CreateRepository",
+        "ecr:DeleteRepository",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:UploadLayerPart"
+      ]
+      not_resources = [
+        format(local.common_arn, "ecr", "repository/eks/*"),
+      ]
+    }
+    ECSRead = {
+      actions = [
+        "ecs:ListClusters",
+      ]
+      resources = ["*"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cicd_deployer" {
+  dynamic "statement" {
+    for_each = local.cicd_deployer_policy_statements
+    iterator = s
+    content {
+      sid           = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+      effect        = lookup(s.value, "effect", "Allow")
+      actions       = lookup(s.value, "actions", [])
+      resources     = lookup(s.value, "resources", [])
+      not_resources = lookup(s.value, "not_resources", [])
+    }
+  }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+  statement {
+    sid     = "AllowSTSAssume"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(local.iam_arn, "root"),
+      ]
+    }
+  }
+}
+
+# output "service_cicd_deployer_arn" {
+#   description = "CICD Deployer user ARN"
+#   value       = module.service_cicd_deployer.user_arn
+# }
+# 
+# output "service_cicd_deployer_username" {
+#   description = "CICD Deployer username"
+#   value       = module.service_cicd_deployer.user_name
+# }
+
+module "group_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+  group_name        = local.cicd_group_name
+  attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+output "info_cicd_deployer" {
+  description = "CID Deployer IAM details"
+  value = {
+    user_name  = module.service_cicd_deployer.user_name
+    user_arn   = module.service_cicd_deployer.user_arn
+    group_name = module.group_cicd_deployer.group_name
+    group_arn  = module.group_cicd_deployer.group_arn
+  }
+}

examples/fargate-cluster/cluster.tf

@@ -0,0 +1,24 @@
+resource "aws_ecs_cluster" "ecs" {
+  name = var.cluster_name
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+  capacity_providers = ["FARGATE"]
+
+  # default_capacity_provider_strategy = {
+  #    capacity_provider
+  #    weight
+  #    base
+  # }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    { "Name" = format("ecs-%v", var.cluster_name) },
+  )
+}
+
+
+

examples/fargate-cluster/data.tf

@@ -0,0 +1,22 @@
+data "aws_vpc" "ecs_vpc" {
+  filter {
+    name   = "tag:Name"
+    values = [ var.ecs_vpc_filter ]
+  }
+}
+
+data "aws_subnets" "container_subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [ data.aws_vpc.ecs_vpc.id ]
+  }
+  filter {
+    name   = "tag:Name"
+    values = [ var.ecs_container_subnet_filter ]
+  }
+}
+
+data "aws_subnet" "container_subnets" {
+  for_each = toset(data.aws_subnets.container_subnets.ids)
+  id       = each.key
+}

examples/fargate-cluster/locals.tf

@@ -0,0 +1,9 @@
+locals {
+  base_tags = {
+    "boc:created_by" = "terraform"
+  }
+
+  base_arn   = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
+  iam_arn    = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+  common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
+}

examples/fargate-cluster/outputs.tf

@@ -0,0 +1,4 @@
+output "ecs_cluster_id" {
+  description = "ECS Cluster ID"
+  value       = aws_ecs_cluster.ecs.id
+}

examples/fargate-cluster/prefixes.tf

@@ -0,0 +1,40 @@
+locals {
+  _prefixes = {
+    "efs"            = "v-efs-"
+    "s3"             = "v-s3-"
+    "ebs"            = "v-ebs-"
+    "kms"            = "k-kms-"
+    "role"           = "r-"
+    "policy"         = "p-"
+    "group"          = "g-"
+    "security-group" = "" # "sg-"
+    # VPC
+    "vpc"              = ""
+    "dhcp-options"     = ""
+    "vpc-peer"         = "vpcp-"
+    "route-table"      = "route-"
+    "subnet"           = ""
+    "vpc-endpoint"     = "vpce-"
+    "elastic-ip"       = "eip-"
+    "nat-gateway"      = "nat-"
+    "internet-gateway" = "igw-"
+    "network-acl"      = "nacl-"
+    "customer-gateway" = "cgw-"
+    "vpn-gateway"      = "vpcg-"
+    "vpn-connection"   = "vpn_"
+    "log-group"        = "lg-"
+    "log-stream"       = "lgs-"
+    # EKS
+    "eks"                = "eks-"
+    "eks-user"           = "s-eks-"
+    "eks-role"           = "r-eks-"
+    "eks-policy"         = "p-eks-"
+    "eks-security-group" = "eks-" # "sg-eks-"
+    # ECS
+    "ecs"                = "ecs-"
+    "ecs-user"           = "s-ecs-"
+    "ecs-role"           = "r-ecs-"
+    "ecs-policy"         = "p-ecs-"
+    "ecs-security-group" = "ecs-"
+  }
+}

examples/fargate-cluster/region.tf

@@ -0,0 +1,3 @@
+locals {
+  region = var.region
+}

examples/fargate-cluster/tf-run.data

@@ -0,0 +1,10 @@
+VERSION 1.0.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+COMMAND ln -sf ../variables.vpc.tf
+COMMAND ln -sf ../variables.vpc.auto.tfvars
+POLICY
+ALL
+COMMAND tf-directory-setup.py -l s3

examples/fargate-cluster/variables.application_tags.tf

@@ -0,0 +1,8 @@
+# include this link to bring in the variable
+# include the link to the .tfvars to bring in the values
+
+variable "application_tags" {
+  description = "Default application tags to be used on non-infrastructure resources"
+  type        = map(string)
+  default     = {}
+}

examples/fargate-cluster/variables.cicd-deployer.tf

@@ -0,0 +1,12 @@
+variable "cicd_user_name" {
+  description = "The user name of CICD Deployer"
+  type        = string
+  default     = "cicd-deployer"
+}
+
+variable "cicd_group_name" {
+  description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)"
+  type        = string
+  default     = "cicd-deployer"
+}
+

examples/fargate-cluster/variables.ecs.tf

@@ -0,0 +1,18 @@
+variable "cluster_name" {
+  description = "Cluster name of form {program}-{env}-fargate or {org}-{project}-{env}-fargate"
+  type = string
+}
+
+# examples: dice-qa-fargate
+# examples: ditd-gups-test-fargate
+
+variable "ecs_vpc_filter" {
+  description = "VPC filter (ex.,, vpc4-*) for selecting the correct VPC for this cluster"
+  type = string
+}
+
+variable "container_subnet_filter" {
+  description = "Container subnet filter (ex., *-container-*) to use to select the container subents in this VPC"
+  type = string
+}
+

examples/fargate-cluster/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}