From b78ffcb1c7d2ce1ed19b934584086db3b1025954 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 18 Apr 2022 13:24:27 -0400
Subject: [PATCH] add sample fargate
---
examples/fargate-cluster/.gitignore | 4 +
examples/fargate-cluster/cicd-deployer.tf | 154 ++++++++++++++++++
examples/fargate-cluster/cluster.tf | 24 +++
examples/fargate-cluster/data.tf | 22 +++
examples/fargate-cluster/locals.tf | 9 +
examples/fargate-cluster/outputs.tf | 4 +
examples/fargate-cluster/prefixes.tf | 40 +++++
examples/fargate-cluster/region.tf | 3 +
examples/fargate-cluster/tf-run.data | 10 ++
.../variables.application_tags.tf | 8 +
.../variables.cicd-deployer.tf | 12 ++
examples/fargate-cluster/variables.ecs.tf | 18 ++
examples/fargate-cluster/versions.tf | 8 +
13 files changed, 316 insertions(+)
create mode 100644 examples/fargate-cluster/.gitignore
create mode 100644 examples/fargate-cluster/cicd-deployer.tf
create mode 100644 examples/fargate-cluster/cluster.tf
create mode 100644 examples/fargate-cluster/data.tf
create mode 100644 examples/fargate-cluster/locals.tf
create mode 100644 examples/fargate-cluster/outputs.tf
create mode 100644 examples/fargate-cluster/prefixes.tf
create mode 100644 examples/fargate-cluster/region.tf
create mode 100644 examples/fargate-cluster/tf-run.data
create mode 100644 examples/fargate-cluster/variables.application_tags.tf
create mode 100644 examples/fargate-cluster/variables.cicd-deployer.tf
create mode 100644 examples/fargate-cluster/variables.ecs.tf
create mode 100644 examples/fargate-cluster/versions.tf
diff --git a/examples/fargate-cluster/.gitignore b/examples/fargate-cluster/.gitignore
new file mode 100644
index 0000000..3d569dc
--- /dev/null
+++ b/examples/fargate-cluster/.gitignore
@@ -0,0 +1,4 @@
+aws.*.txt
+aws.*.zip
+aws.*.zip.password
+logs/
diff --git a/examples/fargate-cluster/cicd-deployer.tf b/examples/fargate-cluster/cicd-deployer.tf
new file mode 100644
index 0000000..c4b5aba
--- /dev/null
+++ b/examples/fargate-cluster/cicd-deployer.tf 
@@ -0,0 +1,154 @@
+locals {
+ cicd_iam_username = format("%v%v-%v", local._prefixes["ecs-user"], var.cluster_name, var.cicd_group_name)
+ policy_cicd_group_name = replace(local.cicd_iam_username, local._prefixes["ecs-user"], local._prefixes["ecs-policy"])
+ role_cicd_group_name = replace(local.cicd_iam_username, local._prefixes["ecs-user"], "")
+ cicd_group_name = local.role_cicd_group_name
+ iam_policies_cicd = ["p-inf-manage-access-keys"]
+}
+
+data "aws_iam_policy" "cicd_deployer_policies" {
+ for_each = toset(local.iam_policies_cicd)
+ name = each.key
+}
+
+module "service_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-user.git"
+
+ iam_username = local.cicd_iam_username
+ username = ""
+ email_address = ""
+ groups = ["g-inf-ip-restriction"]
+ generate_password = false
+ service_account = true
+ enable_sending_mail = false
+ create_access_keys = false
+ attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "role_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+ role_name = local.role_cicd_group_name
+ role_description = "Role for ECS cluster ${var.cluster_name} for access by ${var.cicd_group_name}"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+ attached_policies = [aws_iam_policy.cicd_deployer.arn]
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+resource "aws_iam_policy" "cicd_deployer" {
+ name = local.policy_cicd_group_name
+ path = "/"
+ description = "Policy for ECS ${var.cluster_name} IAM access ${var.cicd_group_name}"
+ policy = data.aws_iam_policy_document.cicd_deployer.json
+}
+
+locals {
+ cicd_deployer_policy_statements = {
+ ECRRead = {
+ actions = [
+ "ecr:Describe*",
+ "ecr:Get*",
+ "ecr:ListImages",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+ resources = ["*"]
+ }
+ ECRWrite = {
+ # effect = "Deny"
+ actions = [
+ "ecr:BatchDeleteImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart"
+ ]
+ not_resources = [
+ format(local.common_arn, "ecr", "repository/eks/*"),
+ ]
+ }
+ ECSRead = {
+ actions = [
+ "ecs:ListClusters",
+ ]
+ resources = ["*"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "cicd_deployer" {
+ dynamic "statement" {
+ for_each = local.cicd_deployer_policy_statements
+ iterator = s
+ content {
+ sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+ effect = lookup(s.value, "effect", "Allow")
+ actions = lookup(s.value, "actions", [])
+ resources = lookup(s.value, "resources", [])
+ not_resources = lookup(s.value, "not_resources", [])
+ }
+ }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+ statement {
+ sid = "AllowSTSAssume"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(local.iam_arn, "root"),
+ ]
+ }
+ }
+}
+
+# output "service_cicd_deployer_arn" {
+# description = "CICD Deployer user ARN"
+# value = module.service_cicd_deployer.user_arn
+# }
+#
+# output "service_cicd_deployer_username" {
+# description = "CICD Deployer username"
+# value = module.service_cicd_deployer.user_name
+# }
+
+module "group_cicd_deployer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+ group_name = local.cicd_group_name
+ attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+output "info_cicd_deployer" {
+ description = "CID Deployer IAM details"
+ value = {
+ user_name = module.service_cicd_deployer.user_name
+ user_arn = module.service_cicd_deployer.user_arn
+ group_name = module.group_cicd_deployer.group_name
+ group_arn = module.group_cicd_deployer.group_arn
+ }
+}
diff --git a/examples/fargate-cluster/cluster.tf b/examples/fargate-cluster/cluster.tf
new file mode 100644
index 0000000..7014f61
--- /dev/null
+++ b/examples/fargate-cluster/cluster.tf
@@ -0,0 +1,24 @@
+resource "aws_ecs_cluster" "ecs" {
+ name = var.cluster_name
+ setting {
+ name = "containerInsights"
+ value = "enabled"
+ }
+ capacity_providers = ["FARGATE"]
+
+ # default_capacity_provider_strategy = {
+ # capacity_provider
+ # weight
+ # base
+ # }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ { "Name" = format("ecs-%v", var.cluster_name) },
+ )
+}
+
+
+
diff --git a/examples/fargate-cluster/data.tf b/examples/fargate-cluster/data.tf
new file mode 100644
index 0000000..86a3d62
--- /dev/null
+++ b/examples/fargate-cluster/data.tf
@@ -0,0 +1,22 @@
+data "aws_vpc" "ecs_vpc" {
+ filter {
+ name = "tag:Name"
+ values = [ var.ecs_vpc_filter ]
+ }
+}
+
+data "aws_subnets" "container_subnets" {
+ filter {
+ name = "vpc-id"
+ values = [ data.aws_vpc.ecs_vpc.id ]
+ }
+ filter {
+ name = "tag:Name"
+ values = [ var.ecs_container_subnet_filter ]
+ }
+}
+
+data "aws_subnet" "container_subnets" {
+ for_each = toset(data.aws_subnets.container_subnets.ids)
+ id = each.key
+}
diff --git a/examples/fargate-cluster/locals.tf b/examples/fargate-cluster/locals.tf
new file mode 100644
index 0000000..786f6c2
--- /dev/null
+++ b/examples/fargate-cluster/locals.tf
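Review bot: The ECRWrite entry in `local.cicd_deployer_policy_statements` is an Allow that carries only `not_resources`, so the deployer user, role and group (all three attach `aws_iam_policy.cicd_deployer`) receive `ecr:DeleteRepository`, `ecr:BatchDeleteImage` and the push actions on every ECR repository in the account except `repository/eks/*`. For a per-cluster CI/CD principal this should be a positive `resources` list scoped to the cluster's own repositories, e.g. `resources = [format(local.common_arn, "ecr", format("repository/%v/*", var.cluster_name))]`, with the two delete actions dropped unless the pipeline genuinely needs them; the commented-out `# effect = "Deny"` suggests the eks exclusion was intended as a deny, which as written only holds while no other attached policy grants ECR access. The three module `source` values reference the git repositories without a `?ref=` pin, so module resolution follows the repository's default branch and `tf-init -upgrade` in `tf-run.data` can silently pull new module code; pin a tag or commit. Separately, the `description` of `output "info_cicd_deployer"` reads `CID Deployer IAM details` and should be `CICD Deployer IAM details`.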
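Review bot: `var.ecs_container_subnet_filter` in the second `filter` of `data "aws_subnets" "container_subnets"` is not declared anywhere in this patch; `variables.ecs.tf` declares `container_subnet_filter`, so `terraform validate` will report a reference to an undeclared input variable unless the symlinked `../variables.vpc.tf` happens to declare it. Either change the line to `values = [ var.container_subnet_filter ]` or rename the variable in `variables.ecs.tf` to match. Note also that `data.aws_subnet.container_subnets` is not referenced by any resource in the patch, so the subnet lookups currently only add plan-time API calls.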
@@ -0,0 +1,9 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+
+ base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
+ iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+ common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
+}
diff --git a/examples/fargate-cluster/outputs.tf b/examples/fargate-cluster/outputs.tf
new file mode 100644
index 0000000..33abb2c
--- /dev/null
+++ b/examples/fargate-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "ecs_cluster_id" {
+ description = "ECS Cluster ID"
+ value = aws_ecs_cluster.ecs.id
+}
diff --git a/examples/fargate-cluster/prefixes.tf b/examples/fargate-cluster/prefixes.tf
new file mode 100644
index 0000000..6517845
--- /dev/null
+++ b/examples/fargate-cluster/prefixes.tf
@@ -0,0 +1,40 @@
+locals {
+ _prefixes = {
+ "efs" = "v-efs-"
+ "s3" = "v-s3-"
+ "ebs" = "v-ebs-"
+ "kms" = "k-kms-"
+ "role" = "r-"
+ "policy" = "p-"
+ "group" = "g-"
+ "security-group" = "" # "sg-"
+ # VPC
+ "vpc" = ""
+ "dhcp-options" = ""
+ "vpc-peer" = "vpcp-"
+ "route-table" = "route-"
+ "subnet" = ""
+ "vpc-endpoint" = "vpce-"
+ "elastic-ip" = "eip-"
+ "nat-gateway" = "nat-"
+ "internet-gateway" = "igw-"
+ "network-acl" = "nacl-"
+ "customer-gateway" = "cgw-"
+ "vpn-gateway" = "vpcg-"
+ "vpn-connection" = "vpn_"
+ "log-group" = "lg-"
+ "log-stream" = "lgs-"
+ # EKS
+ "eks" = "eks-"
+ "eks-user" = "s-eks-"
+ "eks-role" = "r-eks-"
+ "eks-policy" = "p-eks-"
+ "eks-security-group" = "eks-" # "sg-eks-"
+ # ECS
+ "ecs" = "ecs-"
+ "ecs-user" = "s-ecs-"
+ "ecs-role" = "r-ecs-"
+ "ecs-policy" = "p-ecs-"
+ "ecs-security-group" = "ecs-"
+ }
+}
diff --git a/examples/fargate-cluster/region.tf b/examples/fargate-cluster/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
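Review bot: `data.aws_arn.current`, `data.aws_region.current` and `data.aws_caller_identity.current` are referenced by `base_arn`, `iam_arn` and `common_arn`, but none of the three data sources is declared in this patch, and `local.common_tags`, used by every `tags = merge(...)` in `cicd-deployer.tf` and `cluster.tf`, is not defined here either; unless they come from the `../variables.vpc.tf` that `tf-run.data` symlinks in, the example will not initialise. If they are provided externally, a comment at the top of this `locals` block naming the file that declares them would save the next reader the search. `base_arn` is not used anywhere in the patch and can be dropped or documented as reserved for callers.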
+++ b/examples/fargate-cluster/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/fargate-cluster/tf-run.data b/examples/fargate-cluster/tf-run.data
new file mode 100644
index 0000000..e6a8325
--- /dev/null
+++ b/examples/fargate-cluster/tf-run.data
@@ -0,0 +1,10 @@
+VERSION 1.0.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+COMMAND ln -sf ../variables.vpc.tf
+COMMAND ln -sf ../variables.vpc.auto.tfvars
+POLICY
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/fargate-cluster/variables.application_tags.tf b/examples/fargate-cluster/variables.application_tags.tf
new file mode 100644
index 0000000..a510cbf
--- /dev/null
+++ b/examples/fargate-cluster/variables.application_tags.tf
@@ -0,0 +1,8 @@
+# include this link to bring in the variable
+# include the link to the .tfvars to bring in the values
+
+variable "application_tags" {
+ description = "Default application tags to be used on non-infrastructure resources"
+ type = map(string)
+ default = {}
+}
diff --git a/examples/fargate-cluster/variables.cicd-deployer.tf b/examples/fargate-cluster/variables.cicd-deployer.tf
new file mode 100644
index 0000000..9f1a42d
--- /dev/null
+++ b/examples/fargate-cluster/variables.cicd-deployer.tf
@@ -0,0 +1,12 @@
+variable "cicd_user_name" {
+ description = "The user name of CICD Deployer"
+ type = string
+ default = "cicd-deployer"
+}
+
+variable "cicd_group_name" {
+ description = "The Group name of CICD Deployer belongs to (excluding prefix for service account and cluster)"
+ type = string
+ default = "cicd-deployer"
+}
+
diff --git a/examples/fargate-cluster/variables.ecs.tf b/examples/fargate-cluster/variables.ecs.tf
new file mode 100644
index 0000000..ced4139
--- /dev/null
+++ b/examples/fargate-cluster/variables.ecs.tf
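Review bot: `variable "cicd_user_name"` is declared here but never referenced; `cicd-deployer.tf` derives the IAM user name from the group name instead (`cicd_iam_username = format("%v%v-%v", local._prefixes["ecs-user"], var.cluster_name, var.cicd_group_name)`), so setting `cicd_user_name` has no effect. Either use it in that `format` call or remove the variable so the example does not advertise a knob that is ignored. The `cicd_group_name` description also reads awkwardly; `description = "Group name the CICD Deployer belongs to (excluding the service-account and cluster prefixes)"` is clearer.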
@@ -0,0 +1,18 @@
+variable "cluster_name" {
+ description = "Cluster name of form {program}-{env}-fargate or {org}-{project}-{env}-fargate"
+ type = string
+}
+
+# examples: dice-qa-fargate
+# examples: ditd-gups-test-fargate
+
+variable "ecs_vpc_filter" {
+ description = "VPC filter (ex.,, vpc4-*) for selecting the correct VPC for this cluster"
+ type = string
+}
+
+variable "container_subnet_filter" {
+ description = "Container subnet filter (ex., *-container-*) to use to select the container subents in this VPC"
+ type = string
+}
+
diff --git a/examples/fargate-cluster/versions.tf b/examples/fargate-cluster/versions.tf
new file mode 100644
index 0000000..ed4a9b2
--- /dev/null
+++ b/examples/fargate-cluster/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
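Review bot: The descriptions on `ecs_vpc_filter` and `container_subnet_filter` carry typos (`ex.,,` and `subents`); suggest `description = "VPC filter (ex., vpc4-*) for selecting the correct VPC for this cluster"` and `description = "Container subnet filter (ex., *-container-*) used to select the container subnets in this VPC"`. Since `cluster_name` is interpolated into IAM user, role, policy and group names in `cicd-deployer.tf`, the description here is the only place that documents the expected form, so keeping the two `# examples:` lines next to the variable rather than after its closing brace would make that contract easier to find.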
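Review bot: `version = "~> 3.0"` floats across every 3.x release of the aws provider, and the patch adds neither a `required_version` for Terraform core nor a `.terraform.lock.hcl`, so two operators running this example can resolve different provider versions, especially as `tf-run.data` runs `tf-init -upgrade` on every setup. A tighter `~> 3.<minor>` constraint matching the provider release the example was tested with, plus a committed lock file, would make the example reproducible; if `VERSION 1.0.2` in `tf-run.data` is the Terraform release used, recording it as `required_version = "~> 1.0"` in this block would document that too.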