add tf-upgrade

terraform-modules · Oct 28, 2022 · f9683f9 · f9683f9
1 parent 66e62f2
commit f9683f9
Show file tree

Hide file tree

Showing 13 changed files with 526 additions and 0 deletions.
diff --git a/examples/fargate-cluster-tf-upgrade/README.md b/examples/fargate-cluster-tf-upgrade/README.md
@@ -0,0 +1,38 @@
+# About
+
+This directory constructs the appropriate resources for the ECS used for DICE.
+
+# Application Information
+
+* Application: DICE
+* Organization: ADSD
+* Project: DICE Mojo and Centurion
+* Point of Contact(s): 
+* Creation Date: YYYY-MM-DD
+* References:
+  * Requirements: 
+  * Remedy Ticket: 
+  * Other: {url}
+* Related Configurations:
+  * {directory-path}
+
+# Application Requirements
+
+# Terraform Directions
+
+* Rsync the `examples/fargate-cluster-tf-upgrade` to your new directory
+* Update the file `variables.ecs.auto.tfvars`
+* Replace placeholders
+  * {ENV} with environment name in lowercase (ite, uat, etc)
+  * {NUMBER} with the VPC number (4, 5, etc) associated with the specific VPC
+* execute
+
+```script
+tf-run apply
+```
+
+# Details
+
+<!-- BEGIN_TF_DOCS -->
+{{ .Content }}
+<!-- END_TF_DOCS -->
diff --git a/examples/fargate-cluster-tf-upgrade/cicd-deployer.tf b/examples/fargate-cluster-tf-upgrade/cicd-deployer.tf
@@ -0,0 +1,154 @@
+locals {
+  cicd_iam_username      = format("%v%v-%v", local._prefixes["ecs-user"], var.cluster_name, var.cicd_group_name)
+  policy_cicd_group_name = replace(local.cicd_iam_username, local._prefixes["ecs-user"], local._prefixes["ecs-policy"])
+  role_cicd_group_name   = replace(local.cicd_iam_username, local._prefixes["ecs-user"], "")
+  cicd_group_name        = local.role_cicd_group_name
+  iam_policies_cicd      = ["p-inf-manage-access-keys"]
+}
+
+data "aws_iam_policy" "cicd_deployer_policies" {
+  for_each = toset(local.iam_policies_cicd)
+  name     = each.key
+}
+
+module "service_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-user.git"
+
+  iam_username        = local.cicd_iam_username
+  username            = ""
+  email_address       = ""
+  groups              = ["g-inf-ip-restriction"]
+  generate_password   = false
+  service_account     = true
+  enable_sending_mail = false
+  create_access_keys  = false
+  attached_policies   = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "role_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+
+  role_name              = local.role_cicd_group_name
+  role_description       = "Role for ECS cluster ${var.cluster_name} for access by ${var.cicd_group_name}"
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.cicd_deployer_allow_sts.json
+  attached_policies      = [aws_iam_policy.cicd_deployer.arn]
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+resource "aws_iam_policy" "cicd_deployer" {
+  name        = local.policy_cicd_group_name
+  path        = "/"
+  description = "Policy for ECS ${var.cluster_name} IAM access ${var.cicd_group_name}"
+  policy      = data.aws_iam_policy_document.cicd_deployer.json
+}
+
+locals {
+  cicd_deployer_policy_statements = {
+    ECRRead = {
+      actions = [
+        "ecr:Describe*",
+        "ecr:Get*",
+        "ecr:ListImages",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+      resources = ["*"]
+    }
+    ECRWrite = {
+      #      effect = "Deny"
+      actions = [
+        "ecr:BatchDeleteImage",
+        "ecr:CompleteLayerUpload",
+        "ecr:CreateRepository",
+        "ecr:DeleteRepository",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:UploadLayerPart"
+      ]
+      not_resources = [
+        format(local.common_arn, "ecr", "repository/eks/*"),
+      ]
+    }
+    ECSRead = {
+      actions = [
+        "ecs:ListClusters",
+      ]
+      resources = ["*"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cicd_deployer" {
+  dynamic "statement" {
+    for_each = local.cicd_deployer_policy_statements
+    iterator = s
+    content {
+      sid           = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key)
+      effect        = lookup(s.value, "effect", "Allow")
+      actions       = lookup(s.value, "actions", [])
+      resources     = lookup(s.value, "resources", [])
+      not_resources = lookup(s.value, "not_resources", [])
+    }
+  }
+}
+
+# allow anyone in this account to assume the role, if they have the permission to do so
+data "aws_iam_policy_document" "cicd_deployer_allow_sts" {
+  statement {
+    sid     = "AllowSTSAssume"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        format(local.iam_arn, "root"),
+      ]
+    }
+  }
+}
+
+# output "service_cicd_deployer_arn" {
+#   description = "CICD Deployer user ARN"
+#   value       = module.service_cicd_deployer.user_arn
+# }
+# 
+# output "service_cicd_deployer_username" {
+#   description = "CICD Deployer username"
+#   value       = module.service_cicd_deployer.user_name
+# }
+
+module "group_cicd_deployer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git"
+
+  group_name        = local.cicd_group_name
+  attached_policies = flatten(concat([for k, v in data.aws_iam_policy.cicd_deployer_policies : v.arn], [aws_iam_policy.cicd_deployer.arn]))
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+output "info_cicd_deployer" {
+  description = "CID Deployer IAM details"
+  value = {
+    user_name  = module.service_cicd_deployer.user_name
+    user_arn   = module.service_cicd_deployer.user_arn
+    group_name = module.group_cicd_deployer.group_name
+    group_arn  = module.group_cicd_deployer.group_arn
+  }
+}
diff --git a/examples/fargate-cluster-tf-upgrade/cluster.tf b/examples/fargate-cluster-tf-upgrade/cluster.tf
@@ -0,0 +1,34 @@
+resource "aws_ecs_cluster" "ecs" {
+  name = var.cluster_name
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+  #capacity_providers = ["FARGATE"]
+
+  # default_capacity_provider_strategy = {
+  #    capacity_provider
+  #    weight
+  #    base
+  # }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    { "Name" = format("ecs-%v", var.cluster_name) },
+  )
+}
+
+resource "aws_ecs_cluster_capacity_providers" "ecs" {
+  cluster_name = aws_ecs_cluster.ecs.name
+
+  capacity_providers = ["FARGATE"]
+
+#  default_capacity_provider_strategy {
+#    base              = 1
+#    weight            = 100
+#    capacity_provider = "FARGATE"
+#  }
+}
+
diff --git a/examples/fargate-cluster-tf-upgrade/data.tf b/examples/fargate-cluster-tf-upgrade/data.tf
@@ -0,0 +1,22 @@
+data "aws_vpc" "ecs_vpc" {
+  filter {
+    name   = "tag:Name"
+    values = [var.ecs_vpc_filter]
+  }
+}
+
+data "aws_subnets" "container_subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.ecs_vpc.id]
+  }
+  filter {
+    name   = "tag:Name"
+    values = [var.ecs_container_subnet_filter]
+  }
+}
+
+data "aws_subnet" "container_subnets" {
+  for_each = toset(data.aws_subnets.container_subnets.ids)
+  id       = each.key
+}
diff --git a/examples/fargate-cluster-tf-upgrade/locals.tf b/examples/fargate-cluster-tf-upgrade/locals.tf
@@ -0,0 +1,9 @@
+locals {
+  base_tags = {
+    "boc:created_by" = "terraform"
+  }
+
+  base_arn   = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
+  iam_arn    = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+  common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
+}
diff --git a/examples/fargate-cluster-tf-upgrade/outputs.tf b/examples/fargate-cluster-tf-upgrade/outputs.tf
@@ -0,0 +1,4 @@
+output "ecs_cluster_id" {
+  description = "ECS Cluster ID"
+  value       = aws_ecs_cluster.ecs.id
+}
diff --git a/examples/fargate-cluster-tf-upgrade/prefixes.tf b/examples/fargate-cluster-tf-upgrade/prefixes.tf
@@ -0,0 +1,40 @@
+locals {
+  _prefixes = {
+    "efs"            = "v-efs-"
+    "s3"             = "v-s3-"
+    "ebs"            = "v-ebs-"
+    "kms"            = "k-kms-"
+    "role"           = "r-"
+    "policy"         = "p-"
+    "group"          = "g-"
+    "security-group" = "" # "sg-"
+    # VPC
+    "vpc"              = ""
+    "dhcp-options"     = ""
+    "vpc-peer"         = "vpcp-"
+    "route-table"      = "route-"
+    "subnet"           = ""
+    "vpc-endpoint"     = "vpce-"
+    "elastic-ip"       = "eip-"
+    "nat-gateway"      = "nat-"
+    "internet-gateway" = "igw-"
+    "network-acl"      = "nacl-"
+    "customer-gateway" = "cgw-"
+    "vpn-gateway"      = "vpcg-"
+    "vpn-connection"   = "vpn_"
+    "log-group"        = "lg-"
+    "log-stream"       = "lgs-"
+    # EKS
+    "eks"                = "eks-"
+    "eks-user"           = "s-eks-"
+    "eks-role"           = "r-eks-"
+    "eks-policy"         = "p-eks-"
+    "eks-security-group" = "eks-" # "sg-eks-"
+    # ECS
+    "ecs"                = "ecs-"
+    "ecs-user"           = "s-ecs-"
+    "ecs-role"           = "r-ecs-"
+    "ecs-policy"         = "p-ecs-"
+    "ecs-security-group" = "ecs-"
+  }
+}
diff --git a/examples/fargate-cluster-tf-upgrade/region.tf b/examples/fargate-cluster-tf-upgrade/region.tf
@@ -0,0 +1,3 @@
+locals {
+  region = var.region
+}