From ca3fcccaf1d1ba8f1202c58f6bdb388946d975c5 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 23 Feb 2022 12:27:27 -0500 Subject: [PATCH] initial --- examples/dice-centurion/README.md | 4 + examples/dice-centurion/certs.tf | 11 +++ examples/dice-centurion/dns.tf | 48 ++++++++++++ examples/dice-centurion/load-balancer.tf | 98 ++++++++++++++++++++++++ examples/dice-centurion/locals.tf | 19 +++++ examples/dice-centurion/outputs.tf | 20 +++++ examples/dice-centurion/region.tf | 3 + examples/dice-centurion/role.tf | 48 ++++++++++++ examples/dice-centurion/settings.tf | 27 +++++++ examples/dice-centurion/task.tf | 88 +++++++++++++++++++++ examples/dice-centurion/tf-run.data | 7 ++ examples/dice-mojo-new/README.md | 4 + examples/dice-mojo-new/certs.tf | 12 +++ examples/dice-mojo-new/dns.tf | 8 ++ examples/dice-mojo-new/load-balancer.tf | 98 ++++++++++++++++++++++++ examples/dice-mojo-new/locals.tf | 18 +++++ examples/dice-mojo-new/outputs.tf | 21 +++++ examples/dice-mojo-new/role.tf | 48 ++++++++++++ examples/dice-mojo-new/settings.tf | 28 +++++++ examples/dice-mojo-new/task.tf | 88 +++++++++++++++++++++ examples/dice-mojo-new/tf-run.data | 24 ++++++ examples/dice-mojo/README.md | 4 + examples/dice-mojo/certs.tf | 11 +++ examples/dice-mojo/dns.tf | 48 ++++++++++++ examples/dice-mojo/load-balancer.tf | 98 ++++++++++++++++++++++++ examples/dice-mojo/locals.tf | 19 +++++ examples/dice-mojo/outputs.tf | 20 +++++ examples/dice-mojo/region.tf | 3 + examples/dice-mojo/role.tf | 48 ++++++++++++ examples/dice-mojo/settings.tf | 27 +++++++ examples/dice-mojo/task.tf | 88 +++++++++++++++++++++ examples/dice-mojo/tf-run.data | 7 ++ 32 files changed, 1095 insertions(+) create mode 100644 examples/dice-centurion/README.md create mode 100644 examples/dice-centurion/certs.tf create mode 100644 examples/dice-centurion/dns.tf create mode 100644 examples/dice-centurion/load-balancer.tf create mode 100644 examples/dice-centurion/locals.tf create mode 100644 examples/dice-centurion/outputs.tf create mode 100644 examples/dice-centurion/region.tf create mode 
100644 examples/dice-centurion/role.tf create mode 100644 examples/dice-centurion/settings.tf create mode 100644 examples/dice-centurion/task.tf create mode 100644 examples/dice-centurion/tf-run.data create mode 100644 examples/dice-mojo-new/README.md create mode 100644 examples/dice-mojo-new/certs.tf create mode 100644 examples/dice-mojo-new/dns.tf create mode 100644 examples/dice-mojo-new/load-balancer.tf create mode 100644 examples/dice-mojo-new/locals.tf create mode 100644 examples/dice-mojo-new/outputs.tf create mode 100644 examples/dice-mojo-new/role.tf create mode 100644 examples/dice-mojo-new/settings.tf create mode 100644 examples/dice-mojo-new/task.tf create mode 100644 examples/dice-mojo-new/tf-run.data create mode 100644 examples/dice-mojo/README.md create mode 100644 examples/dice-mojo/certs.tf create mode 100644 examples/dice-mojo/dns.tf create mode 100644 examples/dice-mojo/load-balancer.tf create mode 100644 examples/dice-mojo/locals.tf create mode 100644 examples/dice-mojo/outputs.tf create mode 100644 examples/dice-mojo/region.tf create mode 100644 examples/dice-mojo/role.tf create mode 100644 examples/dice-mojo/settings.tf create mode 100644 examples/dice-mojo/task.tf create mode 100644 examples/dice-mojo/tf-run.data diff --git a/examples/dice-centurion/README.md b/examples/dice-centurion/README.md new file mode 100644 index 0000000..a4927a1 --- /dev/null +++ b/examples/dice-centurion/README.md @@ -0,0 +1,4 @@ +submit CSR to tco +use email group: adep.mojo.development.list@census.gov + + diff --git a/examples/dice-centurion/certs.tf b/examples/dice-centurion/certs.tf new file mode 100644 index 0000000..2c1b61b --- /dev/null +++ b/examples/dice-centurion/certs.tf @@ -0,0 +1,11 @@ +module "cert" { + source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate" + + certificate_cn = local.app_alb_dns_name + certificate_download = local.app_cert_download + + tags = merge( + local.base_tags, + local.common_tags, + ) +} 
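Review bot: `module "cert"` sources `git@github.e.it.census.gov:terraform-modules/aws-tls-certificate` with no `?ref=` pin, so every `terraform init` resolves the module repo's default-branch head and a change pushed there silently alters what this stack deploys and which certificate parameters it requests. Pin a reviewed tag, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate?ref=<MODULE_TAG>"`, and treat bumping it as a reviewed change. The same unpinned source appears in the other two certs.tf hunks (L11 and L19), and the aws-iam-role module in the role.tf hunks (L8 and L15) has the same gap.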
diff --git a/examples/dice-centurion/dns.tf b/examples/dice-centurion/dns.tf new file mode 100644 index 0000000..f8c2a07 --- /dev/null +++ b/examples/dice-centurion/dns.tf @@ -0,0 +1,48 @@ +resource "aws_route53_record" "app" { + zone_id = local.app_dns_zone_id + + name = local.app_alb_dns_name + type = "CNAME" + ttl = "900" + records = [aws_lb.app.dns_name] +} + +# # add certificate creation with dns name +# resource "aws_acm_certificate" "app" { +# domain_name = local.app_alb_dns_name +# validation_method = "DNS" +# +# tags = merge( +# local.common_tags, +# var.application_tags, +# local.base_tags, +# ) +# +# lifecycle { +# create_before_destroy = true +# } +# } + +# # domain validation +# resource "aws_route53_record" "app_validate" { +# for_each = { +# for dvo in aws_acm_certificate.app.domain_validation_options : dvo.domain_name => { +# name = dvo.resource_record_name +# record = dvo.resource_record_value +# type = dvo.resource_record_type +# } +# } +# +# allow_overwrite = true +# name = each.value.name +# records = [each.value.record] +# ttl = 60 +# type = each.value.type +# zone_id = local.app_dns_zone_id +# } + +# resource "aws_acm_certificate_validation" "app" { +# certificate_arn = aws_acm_certificate.app.arn +# validation_record_fqdns = [for record in aws_route53_record.app_validate: record.fqdn] +# } + diff --git a/examples/dice-centurion/load-balancer.tf b/examples/dice-centurion/load-balancer.tf new file mode 100644 index 0000000..f623fc3 --- /dev/null +++ b/examples/dice-centurion/load-balancer.tf 
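Review bot: About forty of this hunk's 48 lines are a commented-out ACM certificate / DNS-validation flow that nothing in the commit uses (the certificate comes from `module.cert` in certs.tf), so a new file is shipping dead code; examples/dice-mojo-new/dns.tf in the same commit already carries just the live 8-line `aws_route53_record`. If the ACM path is meant to be revived later, a single `# ACM DNS-validation variant was removed; see git history` keeps the pointer without the block. The identical blob (f8c2a07) is in examples/dice-mojo/dns.tf at L20.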
@@ -0,0 +1,98 @@ +resource "aws_lb_target_group" "app" { + name = local.app_albtg_name + port = 8080 + protocol = "HTTP" + vpc_id = local.vpc_id + target_type = "ip" + + # stickiness { + # type = "lb_cookie" + # cookie_duration = 3600 + # enabled = true + # } + + health_check { + enabled = true + interval = 180 + port = "8080" + timeout = 120 + protocol = "HTTP" + path = local.app_lb_health_monitor_path + healthy_threshold = 3 + unhealthy_threshold = 5 + matcher = "200" + } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + map("Name", local.app_albtg_name), + ) +} + +resource "aws_lb" "app" { + name = local.app_alb_name + internal = true + load_balancer_type = "application" + security_groups = [local.sg_web_id] + subnets = local.lb_subnet_ids + enable_deletion_protection = true + idle_timeout = 300 + + access_logs { + bucket = data.terraform_remote_state.infrastructure_east.outputs.logs_id + prefix = "alb-logs/${local.app_alb_dns_name}" + enabled = true + } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + map("Name", local.app_alb_name), + ) +} + +resource "aws_lb_listener" "app_80" { + count = module.cert.certificate_arn == null ? 1 : 0 + load_balancer_arn = aws_lb.app.arn + port = 80 + protocol = "HTTP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.app.arn + } +} + +resource "aws_lb_listener" "app_80_redirect" { + count = module.cert.certificate_arn != null ? 1 : 0 + load_balancer_arn = aws_lb.app.arn + port = 80 + protocol = "HTTP" + + default_action { + type = "redirect" + + redirect { + port = "443" + protocol = "HTTPS" + status_code = "HTTP_301" + } + } +} + +resource "aws_lb_listener" "app_443" { + count = module.cert.certificate_arn != null ? 
1 : 0 + load_balancer_arn = aws_lb.app.arn + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" + certificate_arn = module.cert.certificate_arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.app.arn + } +} diff --git a/examples/dice-centurion/locals.tf b/examples/dice-centurion/locals.tf new file mode 100644 index 0000000..d3ff5e4 --- /dev/null +++ b/examples/dice-centurion/locals.tf @@ -0,0 +1,19 @@ +locals { + app_program = "dice" + app_project = "centurion" + app_environment = "dev" + + vpc_details = data.terraform_remote_state.vpc_east_vpc2.outputs + vpc_info = local.vpc_details.vpc_info + vpc_id = local.vpc_info["vpc_id"] + vpc_short_name = local.vpc_info["vpc_short_name"] + sg_web_id = local.vpc_details.sg_web_id + apps_subnet_ids = [for s in local.vpc_details.private_subnets_ids : s.id if length(regexall("^apps-", s.label)) > 0] + lb_subnet_ids = [for s in local.vpc_defailts.private_subnets_ids : s.id if length(regexall("^private-lb-", s.label)) > 0] + ecs_cluster_id = data.terraform_remote_state.vpc_east_vpc2_apps_dice-ecs-fargate.outputs.ecs_cluster_id + + base_tags = { + "boc:created_by" = "terraform" + "CostAllocation" = format("%v:%v:%v", local.app_program, local.app_environment, local.app_project) + } +} diff --git a/examples/dice-centurion/outputs.tf b/examples/dice-centurion/outputs.tf new file mode 100644 index 0000000..ede5b73 --- /dev/null +++ b/examples/dice-centurion/outputs.tf 
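Review bot: The `tags = merge(...)` calls on `aws_lb_target_group.app` and `aws_lb.app` use `map("Name", ...)`, a function Terraform removed in 0.15, while role.tf in this same commit already uses `tomap({ "Name" = ... })`; change them to `tomap({ "Name" = local.app_albtg_name })` and `tomap({ "Name" = local.app_alb_name })` so the config evaluates on a current Terraform and the two files agree. The `app_80` listener forwards plaintext to the target group whenever `module.cert.certificate_arn` is null, so any apply before the certificate exists serves the application unencrypted behind the internal ALB; if that is a deliberate bootstrap step a comment saying so (`# bootstrap only: plain HTTP until module.cert yields an ARN`) would stop it being read as an oversight. `app_443` pins `ELBSecurityPolicy-TLS-1-2-2017-01`, the 2017 cipher set — worth checking against the currently recommended ALB policy before this is copied further. The same blob (f623fc3 / b7cbfb6) is in the dice-mojo-new (L12–L13) and dice-mojo (L21–L22) hunks.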
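Review bot: `lb_subnet_ids` reads `local.vpc_defailts.private_subnets_ids`, a typo for `vpc_details` (the only such local defined in this block), so the configuration fails at plan time with an unknown local instead of producing the load-balancer subnet list; the line should be `lb_subnet_ids = [for s in local.vpc_details.private_subnets_ids : s.id if length(regexall("^private-lb-", s.label)) > 0]`. The same blob (d3ff5e4) is examples/dice-mojo/locals.tf at L22.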
@@ -0,0 +1,20 @@
+output "app_info" {
+ description = "Application Info"
+ value = {
+ name = local.app_name
+ fullname = local.app_fullname
+ version = local.app_version
+ repo = local.app_repo
+ image = local.app_image
+ secret_name = local.app_secret_name
+ log_group = local.app_log_group
+ alb_name = local.app_alb_name
+ albtg_name = local.app_albtg_name
+ alb_dns_zone = local.app_alb_dns_zone
+ alb_dns_name = local.app_alb_dns_name
+ dns_zone_id = local.app_dns_zone_id
+ execution_role_arn = local.app_execution_role_arn
+ task_role_arn = local.app_task_role_arn
+ lb_health_monitor_path = local.app_lb_health_monitor_path
+ }
+}
diff --git a/examples/dice-centurion/region.tf b/examples/dice-centurion/region.tf
new file mode 100644
index 0000000..4102602
--- /dev/null
+++ b/examples/dice-centurion/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/dice-centurion/role.tf b/examples/dice-centurion/role.tf
new file mode 100644
index 0000000..7ecdbba
--- /dev/null
+++ b/examples/dice-centurion/role.tf
@@ -0,0 +1,48 @@ +#--- +# task role for api +# roles will be vpc and region specific +#--- +locals { + app_instance_base_format = "instance-%v-%v-%v-%v-%v-%v" + app_instance_base_name = format(local.app_instance_base_format, local.vpc_short_name, local.region, + local.app_program, local.app_project, local.app_environment, local.app_name) + app_attached_policies = [ + format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "service-role/AmazonEC2ContainerServiceforEC2Role"), + data.terraform_remote_state.common_apps_dice-mojo.outputs.app_policy_arn, + ] +} + +module "app_ecs_task_role" { + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git" + + role_name = local.app_instance_base_name + role_description = format("Role for %v-%v-%v %v ECS instance", local.app_program, local.app_project, local.app_environment, local.app_name) + attached_policies = local.app_attached_policies + # assume_policy_document = data.terraform_remote_state.common.outputs.custom_policy_documents["ec2_assume"].policy + assume_policy_document = data.aws_iam_policy_document.app_ecs_task_assume.json + enable_instance_profile = true + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + tomap({ "Name" = local.app_instance_base_name }), + ) +} + + +data "aws_iam_policy_document" "app_ecs_task_assume" { + statement { + sid = "AWSECSTaskAssumeRole" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = [ + "ec2.amazonaws.com", + "ecs-tasks.amazonaws.com", + ] + } + } +} diff --git a/examples/dice-centurion/settings.tf b/examples/dice-centurion/settings.tf new file mode 100644 index 0000000..c75d448 --- /dev/null +++ b/examples/dice-centurion/settings.tf 
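Review bot: The role built here becomes the ECS task role of a Fargate service (settings.tf sets `app_task_role_arn = module.app_ecs_task_role.role_arn`), yet `app_attached_policies` includes the managed `service-role/AmazonEC2ContainerServiceforEC2Role`, the trust policy admits `ec2.amazonaws.com` alongside `ecs-tasks.amazonaws.com`, and `enable_instance_profile = true`; that managed policy grants the ECS agent's cluster-registration and ECR-pull permissions, which belong on the execution role, not to application code. For least privilege keep only `data.terraform_remote_state.common_apps_dice-mojo.outputs.app_policy_arn` in the list, trust only `ecs-tasks.amazonaws.com`, set `enable_instance_profile = false`, and consider a `condition` on `aws:SourceAccount` in the `sts:AssumeRole` statement. Note also that the dice-centurion stack takes its application policy from the `common_apps_dice-mojo` remote state — confirm that is intended rather than carried over from the dice-mojo example. The same blob (7ecdbba) is examples/dice-mojo-new/role.tf at L15.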
@@ -0,0 +1,27 @@
+locals {
+ app_name = "tecmo"
+ app_fullname = format("%v-%v-%v", local.app_program, local.app_project, local.app_name)
+ # app_version = "1.0.0"
+ app_version = "latest"
+ app_repo = format("%v-%v/%v", local.app_program, local.app_project, local.app_name)
+ app_image = format("%v.dkr.ecr.%v.amazonaws.com/%v:%v", var.account_id, var.region, local.app_repo, local.app_version)
+ app_secret_name = format("/%v/%v/%v/%v/configs", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_log_group = format("/ecs/%v/%v/%v/%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_alb_name = format("alb-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_albtg_name = format("albtg-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_alb_dns_zone = format("%v.%v.census.gov", local.app_environment, local.app_program)
+ app_alb_dns_name = format("%v.%v.%v", local.app_project, local.app_name, local.app_alb_dns_zone)
+ app_dns_zone_id = data.terraform_remote_state.vpc_east_vpc2_apps_dns.outputs.domain_zone_id
+ # customize these two per app as needed
+ app_execution_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1"
+ # app_task_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1"
+ app_task_role_arn = module.app_ecs_task_role.role_arn
+ app_lb_health_monitor_path = "/api/actuator/health"
+ app_desired_count = 4
+ app_health_check_grace = 30
+ app_task_cpu = "512"
+ app_task_memory = "1024"
+ app_cert_download = true
+ app_cert_san = [local.app_alb_dns_name]
+ app_cert_exists = fileexists(format("${path.root}/certs/%v.crt", local.app_alb_dns_name))
+}
diff --git a/examples/dice-centurion/task.tf b/examples/dice-centurion/task.tf
new file mode 100644
index 0000000..ee93757
--- /dev/null
+++ b/examples/dice-centurion/task.tf
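Review bot: `app_version = "latest"` feeds `app_image`, so the task definition references a mutable tag and each task launch may pull a different image than the one that was reviewed; the commented `app_version = "1.0.0"` here and the disabled `aws_ecr_image` data source in task.tf suggest pinning was the plan — use an immutable tag, or resolve the digest through that data source and reference it in the image string. `app_execution_role_arn` hard-codes the account ID and partition although `var.account_id` is already used two lines above and role.tf derives the partition from `data.aws_arn.current.partition`; `app_execution_role_arn = format("arn:%v:iam::%v:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1", data.aws_arn.current.partition, var.account_id)` keeps one source of truth. `app_cert_san` and `app_cert_exists` are computed but nothing in this commit passes them to `module.cert` — confirm they are consumed or drop them. The same points apply to examples/dice-mojo-new/settings.tf at L16.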
@@ -0,0 +1,88 @@ +#data "aws_ecr_image" "app_1" { +# repository_name = local.app_repo +# image_tag = local.app_version +#} + +resource "aws_ecs_task_definition" "app_1" { + container_definitions = jsonencode( + [{ + cpu = 0 + environment = [] + essential = true + image = local.app_image + environment = [ + { name = "AWS_SECRET_NAME", value = local.app_secret_name } + ] + logConfiguration = { + logDriver = "awslogs" + options = { + awslogs-group = local.app_log_group + awslogs-region = var.region + awslogs-stream-prefix = "ecs" + } + } + mountPoints = [] + name = local.app_fullname + portMappings = [ + { + containerPort = 8080 + hostPort = 8080 + protocol = "tcp" + } + ] + volumesFrom = [] + }] + ) + cpu = local.app_task_cpu + execution_role_arn = local.app_execution_role_arn + family = local.app_fullname + memory = local.app_task_memory + network_mode = "awsvpc" + requires_compatibilities = ["FARGATE", ] + tags = merge( + local.common_tags, + var.application_tags, + local.base_tags, + ) + task_role_arn = local.app_task_role_arn +} + +resource "aws_cloudwatch_log_group" "app" { + name = local.app_log_group + retention_in_days = 14 +} + +resource "aws_ecs_service" "app" { + name = local.app_fullname + cluster = local.ecs_cluster_id + task_definition = aws_ecs_task_definition.app_1.arn + desired_count = local.app_desired_count + health_check_grace_period_seconds = local.app_health_check_grace + # iam_role = aws_iam_role.foo.arn + # depends_on = [aws_iam_role_policy.foo] + launch_type = "FARGATE" + network_configuration { + subnets = local.apps_subnet_ids + security_groups = [local.sg_web_id] + assign_public_ip = false + } + + propagate_tags = "TASK_DEFINITION" + + # ordered_placement_strategy { + # type = "binpack" + # field = "cpu" + # } + + load_balancer { + target_group_arn = aws_lb_target_group.app.arn + container_name = local.app_fullname + container_port = 8080 + } + + # placement_constraints { + # type = "memberOf" + # expression = 
"attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + # } +} + diff --git a/examples/dice-centurion/tf-run.data b/examples/dice-centurion/tf-run.data new file mode 100644 index 0000000..f8cad8e --- /dev/null +++ b/examples/dice-centurion/tf-run.data @@ -0,0 +1,7 @@ +VERSION 1.0.0 +REMOTE-STATE +COMMAND tf-directory-setup.py -l none -f +COMMAND setup-new-directory.sh +COMMAND tf-init -upgrade +ALL +COMMAND tf-directory-setup.py -l s3 diff --git a/examples/dice-mojo-new/README.md b/examples/dice-mojo-new/README.md new file mode 100644 index 0000000..a4927a1 --- /dev/null +++ b/examples/dice-mojo-new/README.md @@ -0,0 +1,4 @@ +submit CSR to tco +use email group: adep.mojo.development.list@census.gov + + diff --git a/examples/dice-mojo-new/certs.tf b/examples/dice-mojo-new/certs.tf new file mode 100644 index 0000000..549d2e1 --- /dev/null +++ b/examples/dice-mojo-new/certs.tf @@ -0,0 +1,12 @@ +module "cert" { + source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate" + + certificate_cn = local.app_alb_dns_name + certificate_download = local.app_cert_download + + tags = merge( + local.base_tags, + var.application_tags, + local.common_tags, + ) +} diff --git a/examples/dice-mojo-new/dns.tf b/examples/dice-mojo-new/dns.tf new file mode 100644 index 0000000..931281d --- /dev/null +++ b/examples/dice-mojo-new/dns.tf @@ -0,0 +1,8 @@ +resource "aws_route53_record" "app" { + zone_id = local.app_dns_zone_id + + name = local.app_alb_dns_name + type = "CNAME" + ttl = "900" + records = [aws_lb.app.dns_name] +} diff --git a/examples/dice-mojo-new/load-balancer.tf b/examples/dice-mojo-new/load-balancer.tf new file mode 100644 index 0000000..b7cbfb6 --- /dev/null +++ b/examples/dice-mojo-new/load-balancer.tf 
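Review bot: The container object in `aws_ecs_task_definition.app_1` sets `environment = []` and then `environment = [ { name = "AWS_SECRET_NAME", ... } ]` inside the same object constructor; HCL rejects a duplicate object key, and even where it is tolerated the first assignment is dead — delete the `environment = []` line. `aws_cloudwatch_log_group.app` has no `kms_key_id`, so task logs use the default CloudWatch encryption; say that is acceptable in a comment or add a key. The task definition has no dependency on the log group and `awslogs-create-group` is not set, so on a first apply the service can start tasks before the group exists and the containers fail to launch; `depends_on = [aws_cloudwatch_log_group.app]` on `aws_ecs_service.app` closes that race. The hunk is byte-identical (blob ee93757) to examples/dice-mojo-new/task.tf at L18–L19.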
@@ -0,0 +1,98 @@ +resource "aws_lb_target_group" "app" { + name = local.app_albtg_name + port = 8080 + protocol = "HTTP" + vpc_id = local.vpc_id + target_type = "ip" + + # stickiness { + # type = "lb_cookie" + # cookie_duration = 3600 + # enabled = true + # } + + health_check { + enabled = true + interval = 180 + port = local.app_lb_target_port + timeout = 120 + protocol = "HTTP" + path = local.app_lb_health_monitor_path + healthy_threshold = 3 + unhealthy_threshold = 5 + matcher = "200" + } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + map("Name", local.app_albtg_name), + ) +} + +resource "aws_lb" "app" { + name = local.app_alb_name + internal = true + load_balancer_type = "application" + security_groups = [local.sg_web_id] + subnets = local.lb_subnet_ids + enable_deletion_protection = true + idle_timeout = 300 + + access_logs { + bucket = data.terraform_remote_state.infrastructure_east.outputs.logs_id + prefix = "alb-logs/${local.app_alb_dns_name}" + enabled = true + } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + map("Name", local.app_alb_name), + ) +} + +resource "aws_lb_listener" "app_80" { + count = module.cert.certificate_arn == null ? 1 : 0 + load_balancer_arn = aws_lb.app.arn + port = 80 + protocol = "HTTP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.app.arn + } +} + +resource "aws_lb_listener" "app_80_redirect" { + count = module.cert.certificate_arn != null ? 1 : 0 + load_balancer_arn = aws_lb.app.arn + port = 80 + protocol = "HTTP" + + default_action { + type = "redirect" + + redirect { + port = "443" + protocol = "HTTPS" + status_code = "HTTP_301" + } + } +} + +resource "aws_lb_listener" "app_443" { + count = module.cert.certificate_arn != null ? 
1 : 0 + load_balancer_arn = aws_lb.app.arn + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" + certificate_arn = module.cert.certificate_arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.app.arn + } +} diff --git a/examples/dice-mojo-new/locals.tf b/examples/dice-mojo-new/locals.tf new file mode 100644 index 0000000..8186bc5 --- /dev/null +++ b/examples/dice-mojo-new/locals.tf @@ -0,0 +1,18 @@ +locals { + region = var.region + app_program = "dice" + app_project = "mojo" + app_environment = "dev" + + vpc_id = data.terraform_remote_state.vpc_east_vpc2.outputs.vpc_id + vpc_short_name = data.terraform_remote_state.vpc_east_vpc2.outputs.vpc_info["vpc_short_name"] + sg_web_id = data.terraform_remote_state.vpc_east_vpc2.outputs.sg_web_id + apps_subnet_ids = [for s in data.terraform_remote_state.vpc_east_vpc2.outputs.private_subnets_ids : s.id if length(regexall("^apps-", s.label)) > 0] + lb_subnet_ids = [for s in data.terraform_remote_state.vpc_east_vpc2.outputs.private_subnets_ids : s.id if length(regexall("^private-lb-", s.label)) > 0] + ecs_cluster_id = data.terraform_remote_state.vpc_east_vpc2_apps_dice-ecs-fargate.outputs.ecs_cluster_id + + base_tags = { + "boc:created_by" = "terraform" + "CostAllocation" = format("%v:%v:%v", local.app_program, local.app_environment, local.app_project) + } +} diff --git a/examples/dice-mojo-new/outputs.tf b/examples/dice-mojo-new/outputs.tf new file mode 100644 index 0000000..0c050e7 --- /dev/null +++ b/examples/dice-mojo-new/outputs.tf 
@@ -0,0 +1,21 @@
+output "app_info" {
+ description = "Application Info"
+ value = {
+ name = local.app_name
+ fullname = local.app_fullname
+ version = local.app_version
+ repo = local.app_repo
+ image = local.app_image
+ secret_name = local.app_secret_name
+ log_group = local.app_log_group
+ alb_name = local.app_alb_name
+ albtg_name = local.app_albtg_name
+ alb_dns_zone = local.app_alb_dns_zone
+ alb_dns_name = local.app_alb_dns_name
+ dns_zone_id = local.app_dns_zone_id
+ execution_role_arn = local.app_execution_role_arn
+ task_role_arn = local.app_task_role_arn
+ lb_health_monitor_path = local.app_lb_health_monitor_path
+ lb_target_port = local.app_lb_target_port
+ }
+}
diff --git a/examples/dice-mojo-new/role.tf b/examples/dice-mojo-new/role.tf
new file mode 100644
index 0000000..7ecdbba
--- /dev/null
+++ b/examples/dice-mojo-new/role.tf
@@ -0,0 +1,48 @@ +#--- +# task role for api +# roles will be vpc and region specific +#--- +locals { + app_instance_base_format = "instance-%v-%v-%v-%v-%v-%v" + app_instance_base_name = format(local.app_instance_base_format, local.vpc_short_name, local.region, + local.app_program, local.app_project, local.app_environment, local.app_name) + app_attached_policies = [ + format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "service-role/AmazonEC2ContainerServiceforEC2Role"), + data.terraform_remote_state.common_apps_dice-mojo.outputs.app_policy_arn, + ] +} + +module "app_ecs_task_role" { + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git" + + role_name = local.app_instance_base_name + role_description = format("Role for %v-%v-%v %v ECS instance", local.app_program, local.app_project, local.app_environment, local.app_name) + attached_policies = local.app_attached_policies + # assume_policy_document = data.terraform_remote_state.common.outputs.custom_policy_documents["ec2_assume"].policy + assume_policy_document = data.aws_iam_policy_document.app_ecs_task_assume.json + enable_instance_profile = true + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + tomap({ "Name" = local.app_instance_base_name }), + ) +} + + +data "aws_iam_policy_document" "app_ecs_task_assume" { + statement { + sid = "AWSECSTaskAssumeRole" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = [ + "ec2.amazonaws.com", + "ecs-tasks.amazonaws.com", + ] + } + } +} diff --git a/examples/dice-mojo-new/settings.tf b/examples/dice-mojo-new/settings.tf new file mode 100644 index 0000000..4815412 --- /dev/null +++ b/examples/dice-mojo-new/settings.tf 
@@ -0,0 +1,28 @@ +locals { + app_name = "borg" + app_fullname = format("%v-%v-%v", local.app_program, local.app_project, local.app_name) + # app_version = "1.0.0" + app_version = "latest" + app_repo = format("%v-%v/%v", local.app_program, local.app_project, local.app_name) + app_image = format("%v.dkr.ecr.%v.amazonaws.com/%v:%v", var.account_id, var.region, local.app_repo, local.app_version) + app_secret_name = format("/%v/%v/%v/%v/configs", local.app_program, local.app_project, local.app_environment, local.app_name) + app_log_group = format("/ecs/%v/%v/%v/%v", local.app_program, local.app_project, local.app_environment, local.app_name) + app_alb_name = format("alb-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name) + app_albtg_name = format("albtg-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name) + app_alb_dns_zone = format("%v.%v.census.gov", local.app_environment, local.app_program) + app_alb_dns_name = format("%v.%v.%v", local.app_project, local.app_name, local.app_alb_dns_zone) + app_dns_zone_id = data.terraform_remote_state.vpc_east_vpc2_apps_dns.outputs.domain_zone_id + # customize these two per app as needed + app_execution_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1" + # app_task_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1" + app_task_role_arn = module.app_ecs_task_role.role_arn + app_lb_health_monitor_path = "/borg/health/" + app_lb_target_port = "8080" + app_desired_count = 4 + app_health_check_grace = 60 + app_task_cpu = "512" + app_task_memory = "1024" + app_cert_download = false + app_cert_san = [local.app_alb_dns_name] + app_cert_exists = fileexists(format("${path.root}/certs/%v.crt", local.app_alb_dns_name)) +} diff --git a/examples/dice-mojo-new/task.tf b/examples/dice-mojo-new/task.tf new file mode 100644 index 0000000..ee93757 --- /dev/null 
+++ b/examples/dice-mojo-new/task.tf 
@@ -0,0 +1,88 @@ +#data "aws_ecr_image" "app_1" { +# repository_name = local.app_repo +# image_tag = local.app_version +#} + +resource "aws_ecs_task_definition" "app_1" { + container_definitions = jsonencode( + [{ + cpu = 0 + environment = [] + essential = true + image = local.app_image + environment = [ + { name = "AWS_SECRET_NAME", value = local.app_secret_name } + ] + logConfiguration = { + logDriver = "awslogs" + options = { + awslogs-group = local.app_log_group + awslogs-region = var.region + awslogs-stream-prefix = "ecs" + } + } + mountPoints = [] + name = local.app_fullname + portMappings = [ + { + containerPort = 8080 + hostPort = 8080 + protocol = "tcp" + } + ] + volumesFrom = [] + }] + ) + cpu = local.app_task_cpu + execution_role_arn = local.app_execution_role_arn + family = local.app_fullname + memory = local.app_task_memory + network_mode = "awsvpc" + requires_compatibilities = ["FARGATE", ] + tags = merge( + local.common_tags, + var.application_tags, + local.base_tags, + ) + task_role_arn = local.app_task_role_arn +} + +resource "aws_cloudwatch_log_group" "app" { + name = local.app_log_group + retention_in_days = 14 +} + +resource "aws_ecs_service" "app" { + name = local.app_fullname + cluster = local.ecs_cluster_id + task_definition = aws_ecs_task_definition.app_1.arn + desired_count = local.app_desired_count + health_check_grace_period_seconds = local.app_health_check_grace + # iam_role = aws_iam_role.foo.arn + # depends_on = [aws_iam_role_policy.foo] + launch_type = "FARGATE" + network_configuration { + subnets = local.apps_subnet_ids + security_groups = [local.sg_web_id] + assign_public_ip = false + } + + propagate_tags = "TASK_DEFINITION" + + # ordered_placement_strategy { + # type = "binpack" + # field = "cpu" + # } + + load_balancer { + target_group_arn = aws_lb_target_group.app.arn + container_name = local.app_fullname + container_port = 8080 + } + + # placement_constraints { + # type = "memberOf" + # expression = 
"attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + # } +} + diff --git a/examples/dice-mojo-new/tf-run.data b/examples/dice-mojo-new/tf-run.data new file mode 100644 index 0000000..d75ba9f --- /dev/null +++ b/examples/dice-mojo-new/tf-run.data @@ -0,0 +1,24 @@ +VERSION 1.0.3 +REMOTE-STATE +COMMAND tf-directory-setup.py -l none -f +COMMAND setup-new-directory.sh +COMMAND tf-init -upgrade +module.cert +ALL +COMMENT submit certs/*.csr file for signature from enterprise PKI +COMMENT if provided a link, change app_cert_download to true and continue +COMMENT if provided a .cer or .crt file, drop it into certs/ and continue +COMMENT Add the certs files into git, and add the key into git-secret +COMMENT git add certs +COMMENT git-secret add certs/*.key +COMMENT git-secret hide -m +COMMENT git commit -a +COMMENT git push +COMMENT The branch should stil be open, so do another PR to push the newly created secret file to git. +STOP continue with %%NEXT%% only after the certificate signing is complete +module.cert +module.cert +ALL +COMMENT this second one is because the LB listener for port 80 could not be created to do redirect as the old one existed +ALL +COMMAND tf-directory-setup.py -l s3 diff --git a/examples/dice-mojo/README.md b/examples/dice-mojo/README.md new file mode 100644 index 0000000..a4927a1 --- /dev/null +++ b/examples/dice-mojo/README.md @@ -0,0 +1,4 @@ +submit CSR to tco +use email group: adep.mojo.development.list@census.gov + + diff --git a/examples/dice-mojo/certs.tf b/examples/dice-mojo/certs.tf new file mode 100644 index 0000000..2c1b61b --- /dev/null +++ b/examples/dice-mojo/certs.tf @@ -0,0 +1,11 @@ +module "cert" { + source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate" + + certificate_cn = local.app_alb_dns_name + certificate_download = local.app_cert_download + + tags = merge( + local.base_tags, + local.common_tags, + ) +} 
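Review bot: The runbook commits the TLS private key into the repository via `git-secret add certs/*.key` followed by `git commit -a`; since `-a` stages every tracked modification, a COMMENT line confirming `certs/*.key` is in `.gitignore` before the commit (git-secret normally adds it, but the check is cheap) would prevent the plaintext key from ever being pushed next to the `.secret` file. An encrypted key in git is only as safe as the git-secret recipient list, so a COMMENT naming who holds decryption keys and how they are rotated would make this procedure reviewable. Minor: `stil` → `still` in the STOP-preceding comment.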
diff --git a/examples/dice-mojo/dns.tf b/examples/dice-mojo/dns.tf new file mode 100644 index 0000000..f8c2a07 --- /dev/null +++ b/examples/dice-mojo/dns.tf @@ -0,0 +1,48 @@ +resource "aws_route53_record" "app" { + zone_id = local.app_dns_zone_id + + name = local.app_alb_dns_name + type = "CNAME" + ttl = "900" + records = [aws_lb.app.dns_name] +} + +# # add certificate creation with dns name +# resource "aws_acm_certificate" "app" { +# domain_name = local.app_alb_dns_name +# validation_method = "DNS" +# +# tags = merge( +# local.common_tags, +# var.application_tags, +# local.base_tags, +# ) +# +# lifecycle { +# create_before_destroy = true +# } +# } + +# # domain validation +# resource "aws_route53_record" "app_validate" { +# for_each = { +# for dvo in aws_acm_certificate.app.domain_validation_options : dvo.domain_name => { +# name = dvo.resource_record_name +# record = dvo.resource_record_value +# type = dvo.resource_record_type +# } +# } +# +# allow_overwrite = true +# name = each.value.name +# records = [each.value.record] +# ttl = 60 +# type = each.value.type +# zone_id = local.app_dns_zone_id +# } + +# resource "aws_acm_certificate_validation" "app" { +# certificate_arn = aws_acm_certificate.app.arn +# validation_record_fqdns = [for record in aws_route53_record.app_validate: record.fqdn] +# } + diff --git a/examples/dice-mojo/load-balancer.tf b/examples/dice-mojo/load-balancer.tf new file mode 100644 index 0000000..f623fc3 --- /dev/null +++ b/examples/dice-mojo/load-balancer.tf 
@@ -0,0 +1,98 @@
+resource "aws_lb_target_group" "app" {
+ name = local.app_albtg_name
+ port = 8080
+ protocol = "HTTP"
+ vpc_id = local.vpc_id
+ target_type = "ip"
+
+ # stickiness {
+ # type = "lb_cookie"
+ # cookie_duration = 3600
+ # enabled = true
+ # }
+
+ health_check {
+ enabled = true
+ interval = 180
+ port = "8080"
+ timeout = 120
+ protocol = "HTTP"
+ path = local.app_lb_health_monitor_path
+ healthy_threshold = 3
+ unhealthy_threshold = 5
+ matcher = "200"
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ map("Name", local.app_albtg_name),
+ )
+}
+
+resource "aws_lb" "app" {
+ name = local.app_alb_name
+ internal = true
+ load_balancer_type = "application"
+ security_groups = [local.sg_web_id]
+ subnets = local.lb_subnet_ids
+ enable_deletion_protection = true
+ idle_timeout = 300
+
+ access_logs {
+ bucket = data.terraform_remote_state.infrastructure_east.outputs.logs_id
+ prefix = "alb-logs/${local.app_alb_dns_name}"
+ enabled = true
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ map("Name", local.app_alb_name),
+ )
+}
+
+resource "aws_lb_listener" "app_80" {
+ count = module.cert.certificate_arn == null ? 1 : 0
+ load_balancer_arn = aws_lb.app.arn
+ port = 80
+ protocol = "HTTP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.app.arn
+ }
+}
+
+resource "aws_lb_listener" "app_80_redirect" {
+ count = module.cert.certificate_arn != null ? 1 : 0
+ load_balancer_arn = aws_lb.app.arn
+ port = 80
+ protocol = "HTTP"
+
+ default_action {
+ type = "redirect"
+
+ redirect {
+ port = "443"
+ protocol = "HTTPS"
+ status_code = "HTTP_301"
+ }
+ }
+}
+
+resource "aws_lb_listener" "app_443" {
+ count = module.cert.certificate_arn != null ?
1 : 0
+ load_balancer_arn = aws_lb.app.arn
+ port = 443
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
+ certificate_arn = module.cert.certificate_arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.app.arn
+ }
+}
diff --git a/examples/dice-mojo/locals.tf b/examples/dice-mojo/locals.tf
new file mode 100644
index 0000000..d3ff5e4
--- /dev/null
+++ b/examples/dice-mojo/locals.tf
@@ -0,0 +1,19 @@
+locals {
+ app_program = "dice"
+ app_project = "centurion"
+ app_environment = "dev"
+
+ vpc_details = data.terraform_remote_state.vpc_east_vpc2.outputs
+ vpc_info = local.vpc_details.vpc_info
+ vpc_id = local.vpc_info["vpc_id"]
+ vpc_short_name = local.vpc_info["vpc_short_name"]
+ sg_web_id = local.vpc_details.sg_web_id
+ apps_subnet_ids = [for s in local.vpc_details.private_subnets_ids : s.id if length(regexall("^apps-", s.label)) > 0]
+ lb_subnet_ids = [for s in local.vpc_defailts.private_subnets_ids : s.id if length(regexall("^private-lb-", s.label)) > 0]
+ ecs_cluster_id = data.terraform_remote_state.vpc_east_vpc2_apps_dice-ecs-fargate.outputs.ecs_cluster_id
+
+ base_tags = {
+ "boc:created_by" = "terraform"
+ "CostAllocation" = format("%v:%v:%v", local.app_program, local.app_environment, local.app_project)
+ }
+}
diff --git a/examples/dice-mojo/outputs.tf b/examples/dice-mojo/outputs.tf
new file mode 100644
index 0000000..ede5b73
--- /dev/null
+++ b/examples/dice-mojo/outputs.tf
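Review bot: The HTTPS listener `app_443` pins `ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"`, a 2017 cipher list that still admits non-forward-secret RSA key exchange; a forward-secrecy-only policy such as `ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10"` (or whatever the organisation's current baseline names) is the better default for a new listener, and a comment should state why a given policy was chosen. The `tags` blocks in the target group and ALB use the legacy `map("Name", ...)` form while role.tf in this same commit writes `tomap({ "Name" = ... })`; use the `tomap` form in both so the example does not break on Terraform versions that reject `map()`. The health check (`interval = 180`, `timeout = 120`, `unhealthy_threshold = 5`) takes about fifteen minutes to pull a dead task out of rotation, which looks accidental next to `app_health_check_grace = 30`; if it is deliberate, say so in a comment. The two port-80 listeners keyed on `module.cert.certificate_arn` are what the runbook's second `module.cert` apply is working around; a single listener whose default_action switches between forward and redirect would remove that ordering hazard.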
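Review bot: `lb_subnet_ids` references `local.vpc_defailts`, a typo for `local.vpc_details`; Terraform will reject the configuration with an undeclared-local error before anything is planned, so the dice-mojo example cannot apply as committed. The fix is `lb_subnet_ids = [for s in local.vpc_details.private_subnets_ids : s.id if length(regexall("^private-lb-", s.label)) > 0]`. Also, this is the dice-mojo example yet it sets `app_project = "centurion"`, which presumably was carried over from the dice-centurion copy; every derived name (ALB, target group, DNS record, log group, secret path) is built from it, so confirm the intended project value before this is applied.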
@@ -0,0 +1,20 @@
+output "app_info" {
+ description = "Application Info"
+ value = {
+ name = local.app_name
+ fullname = local.app_fullname
+ version = local.app_version
+ repo = local.app_repo
+ image = local.app_image
+ secret_name = local.app_secret_name
+ log_group = local.app_log_group
+ alb_name = local.app_alb_name
+ albtg_name = local.app_albtg_name
+ alb_dns_zone = local.app_alb_dns_zone
+ alb_dns_name = local.app_alb_dns_name
+ dns_zone_id = local.app_dns_zone_id
+ execution_role_arn = local.app_execution_role_arn
+ task_role_arn = local.app_task_role_arn
+ lb_health_monitor_path = local.app_lb_health_monitor_path
+ }
+}
diff --git a/examples/dice-mojo/region.tf b/examples/dice-mojo/region.tf
new file mode 100644
index 0000000..4102602
--- /dev/null
+++ b/examples/dice-mojo/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/dice-mojo/role.tf b/examples/dice-mojo/role.tf
new file mode 100644
index 0000000..7ecdbba
--- /dev/null
+++ b/examples/dice-mojo/role.tf
@@ -0,0 +1,48 @@
+#---
+# task role for api
+# roles will be vpc and region specific
+#---
+locals {
+ app_instance_base_format = "instance-%v-%v-%v-%v-%v-%v"
+ app_instance_base_name = format(local.app_instance_base_format, local.vpc_short_name, local.region,
+ local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_attached_policies = [
+ format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "service-role/AmazonEC2ContainerServiceforEC2Role"),
+ data.terraform_remote_state.common_apps_dice-mojo.outputs.app_policy_arn,
+ ]
+}
+
+module "app_ecs_task_role" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+ role_name = local.app_instance_base_name
+ role_description = format("Role for %v-%v-%v %v ECS instance", local.app_program, local.app_project, local.app_environment, local.app_name)
+ attached_policies = local.app_attached_policies
+ # assume_policy_document = data.terraform_remote_state.common.outputs.custom_policy_documents["ec2_assume"].policy
+ assume_policy_document = data.aws_iam_policy_document.app_ecs_task_assume.json
+ enable_instance_profile = true
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = local.app_instance_base_name }),
+ )
+}
+
+
+data "aws_iam_policy_document" "app_ecs_task_assume" {
+ statement {
+ sid = "AWSECSTaskAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com",
+ "ecs-tasks.amazonaws.com",
+ ]
+ }
+ }
+}
diff --git a/examples/dice-mojo/settings.tf b/examples/dice-mojo/settings.tf
new file mode 100644
index 0000000..c75d448
--- /dev/null
+++ b/examples/dice-mojo/settings.tf
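Review bot: The role built here is consumed as `task_role_arn` for a `launch_type = "FARGATE"` service, yet it carries the EC2 container-instance managed policy `service-role/AmazonEC2ContainerServiceforEC2Role` (cluster registration, ECR pull and log-stream rights meant for the ECS agent on an EC2 host), is assumable by `ec2.amazonaws.com`, and has `enable_instance_profile = true`; none of that is needed by application code running in a Fargate task, so the role is broader than the least-privilege task role it is described as. Drop the first entry so `app_attached_policies` holds only `data.terraform_remote_state.common_apps_dice-mojo.outputs.app_policy_arn`, keep only `"ecs-tasks.amazonaws.com"` in `identifiers`, and set `enable_instance_profile = false`. If the EC2 permissions are intentionally retained for a non-Fargate variant, a comment on `app_attached_policies` should say which one, and the header `# task role for api` plus the `... ECS instance` description should then agree on whether this is a task role or an instance role. Consider also adding an `aws:SourceAccount` condition to the ecs-tasks assume statement, the standard confused-deputy guard for service-principal trust policies.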
@@ -0,0 +1,27 @@
+locals {
+ app_name = "tecmo"
+ app_fullname = format("%v-%v-%v", local.app_program, local.app_project, local.app_name)
+ # app_version = "1.0.0"
+ app_version = "latest"
+ app_repo = format("%v-%v/%v", local.app_program, local.app_project, local.app_name)
+ app_image = format("%v.dkr.ecr.%v.amazonaws.com/%v:%v", var.account_id, var.region, local.app_repo, local.app_version)
+ app_secret_name = format("/%v/%v/%v/%v/configs", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_log_group = format("/ecs/%v/%v/%v/%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_alb_name = format("alb-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_albtg_name = format("albtg-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+ app_alb_dns_zone = format("%v.%v.census.gov", local.app_environment, local.app_program)
+ app_alb_dns_name = format("%v.%v.%v", local.app_project, local.app_name, local.app_alb_dns_zone)
+ app_dns_zone_id = data.terraform_remote_state.vpc_east_vpc2_apps_dns.outputs.domain_zone_id
+ # customize these two per app as needed
+ app_execution_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1"
+ # app_task_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1"
+ app_task_role_arn = module.app_ecs_task_role.role_arn
+ app_lb_health_monitor_path = "/api/actuator/health"
+ app_desired_count = 4
+ app_health_check_grace = 30
+ app_task_cpu = "512"
+ app_task_memory = "1024"
+ app_cert_download = true
+ app_cert_san = [local.app_alb_dns_name]
+ app_cert_exists = fileexists(format("${path.root}/certs/%v.crt", local.app_alb_dns_name))
+}
diff --git a/examples/dice-mojo/task.tf b/examples/dice-mojo/task.tf
new file mode 100644
index 0000000..ee93757
--- /dev/null
+++ b/examples/dice-mojo/task.tf
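Review bot: `app_version = "latest"` feeds `app_image`, so every task launch pulls whatever the mutable `latest` tag points at in ECR and a `terraform plan` can never tell you which image is actually running; pin an immutable version tag (the commented `# app_version = "1.0.0"` shows the intent) or resolve the digest via the `aws_ecr_image` data source that task.tf has commented out. `app_execution_role_arn` hard-codes the partition and account id (`arn:aws-us-gov:iam::252960665057:...`) even though `var.account_id` is used two lines above for `app_image` and `data.aws_arn.current.partition` is already used in role.tf; build it as `app_execution_role_arn = format("arn:%v:iam::%v:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1", data.aws_arn.current.partition, var.account_id)` so the example does not silently point at the wrong account when copied. The stale commented `# app_task_role_arn = ...` line duplicates the execution-role ARN and should be deleted now that `module.app_ecs_task_role.role_arn` is the value.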
@@ -0,0 +1,88 @@
+#data "aws_ecr_image" "app_1" {
+# repository_name = local.app_repo
+# image_tag = local.app_version
+#}
+
+resource "aws_ecs_task_definition" "app_1" {
+ container_definitions = jsonencode(
+ [{
+ cpu = 0
+ environment = []
+ essential = true
+ image = local.app_image
+ environment = [
+ { name = "AWS_SECRET_NAME", value = local.app_secret_name }
+ ]
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = local.app_log_group
+ awslogs-region = var.region
+ awslogs-stream-prefix = "ecs"
+ }
+ }
+ mountPoints = []
+ name = local.app_fullname
+ portMappings = [
+ {
+ containerPort = 8080
+ hostPort = 8080
+ protocol = "tcp"
+ }
+ ]
+ volumesFrom = []
+ }]
+ )
+ cpu = local.app_task_cpu
+ execution_role_arn = local.app_execution_role_arn
+ family = local.app_fullname
+ memory = local.app_task_memory
+ network_mode = "awsvpc"
+ requires_compatibilities = ["FARGATE", ]
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ local.base_tags,
+ )
+ task_role_arn = local.app_task_role_arn
+}
+
+resource "aws_cloudwatch_log_group" "app" {
+ name = local.app_log_group
+ retention_in_days = 14
+}
+
+resource "aws_ecs_service" "app" {
+ name = local.app_fullname
+ cluster = local.ecs_cluster_id
+ task_definition = aws_ecs_task_definition.app_1.arn
+ desired_count = local.app_desired_count
+ health_check_grace_period_seconds = local.app_health_check_grace
+ # iam_role = aws_iam_role.foo.arn
+ # depends_on = [aws_iam_role_policy.foo]
+ launch_type = "FARGATE"
+ network_configuration {
+ subnets = local.apps_subnet_ids
+ security_groups = [local.sg_web_id]
+ assign_public_ip = false
+ }
+
+ propagate_tags = "TASK_DEFINITION"
+
+ # ordered_placement_strategy {
+ # type = "binpack"
+ # field = "cpu"
+ # }
+
+ load_balancer {
+ target_group_arn = aws_lb_target_group.app.arn
+ container_name = local.app_fullname
+ container_port = 8080
+ }
+
+ # placement_constraints {
+ # type = "memberOf"
+ # expression =
"attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + # } +} + diff --git a/examples/dice-mojo/tf-run.data b/examples/dice-mojo/tf-run.data new file mode 100644 index 0000000..f8cad8e --- /dev/null +++ b/examples/dice-mojo/tf-run.data @@ -0,0 +1,7 @@ +VERSION 1.0.0 +REMOTE-STATE +COMMAND tf-directory-setup.py -l none -f +COMMAND setup-new-directory.sh +COMMAND tf-init -upgrade +ALL +COMMAND tf-directory-setup.py -l s3