update with example of getting a cert to use (#46)

CDCgov · Nov 26, 2024 · 21325f5 · 21325f5
1 parent a3658a3
commit 21325f5
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 197 deletions.
diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md
@@ -8,25 +8,29 @@
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.56.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ecs"></a> [ecs](#module\_ecs) | CDCgov/dibbs-ecr-viewer/aws | 0.1.2 |
+| <a name="module_ecs"></a> [ecs](#module\_ecs) | CDCgov/dibbs-ecr-viewer/aws | 0.2.1 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.16.0 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/data-sources/acm_certificate) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
-| <a name="input_internal"></a> [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no |
+| <a name="input_internal"></a> [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `false` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
 | <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.6.9"` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br>  "176.24.1.0/24",<br>  "176.24.3.0/24"<br>]</pre> | no |

diff --git a/terraform/implementation/ecs/SERVICEDATA.md b/terraform/implementation/ecs/SERVICEDATA.md
diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
@@ -1,3 +1,9 @@
+data "aws_acm_certificate" "this" {
+  domain   = "streamline.dibbs.cloud"
+  types    = ["AMAZON_ISSUED"] # or ["ISSUED"] or ["PRIVATE"]
+  statuses = ["ISSUED"]
+}
+
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "5.16.0"
@@ -16,7 +22,8 @@ module "vpc" {
 
 module "ecs" {
   source  = "CDCgov/dibbs-ecr-viewer/aws"
-  version = "0.1.2"
+  version = "0.2.1"
+  # source = "../../../../terraform-aws-dibbs-ecr-viewer"
 
   public_subnet_ids  = flatten(module.vpc.public_subnets)
   private_subnet_ids = flatten(module.vpc.private_subnets)
@@ -31,13 +38,31 @@ module "ecs" {
   # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
   # disable_ecr = true
 
-  # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
-  # non_integrated_viewer = "true"
-
   # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
   # This requires an internet gateway to be present in the VPC.
   internal = var.internal
 
+  # If the intent is to enable https and port 443, pass the arn of the cert in AWS certificate manager. This cert will be applied to the load balancer. (default is "")
+  certificate_arn = data.aws_acm_certificate.this.arn
+
   # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
   # ecr_viewer_app_env = "test"
+
+  # If intent is to use a metadata database for polutating the ecr-viewer library, setup the database data object to connect to the database (supported databases are postgres and sqlserver)
+  # Postgresql database example
+  # postgres_database_data = {
+  #   non_integrated_viewer = "true"
+  #   metadata_database_type = "postgres"
+  #   metadata_database_schema = "core" # (core or extended)
+  #   secrets_manager_postgres_database_url_name = "prod/testSecret"
+  # }
+  # SqlServer database example
+  # sqlserver_database_data = {
+  #   non_integrated_viewer = "true"
+  #   metadata_database_type = "sqlserver"
+  #   metadata_database_schema = "core" # (core or extended)
+  #   secrets_manager_sqlserver_user_name = "prod/testSecret"
+  #   secrets_manager_sqlserver_password_name = "prod/testSecret"
+  #   secrets_manager_sqlserver_host_name = "prod/testSecret"
+  # }
 }
diff --git a/terraform/implementation/setup/README.md b/terraform/implementation/setup/README.md
@@ -4,7 +4,6 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | =5.70.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.56.1 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.5.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.6.3 |

diff --git a/terraform/implementation/setup/backend.tf b/terraform/implementation/setup/backend.tf
@@ -3,10 +3,20 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "=5.70.0"
+      version = "~> 5.56.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6.3"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.5.0"
     }
   }
+  required_version = "~> 1.9.0"
 }
+
 provider "aws" {
   region = "us-east-1"
   default_tags {

diff --git a/terraform/implementation/setup/provider.tf b/terraform/implementation/setup/provider.tf
diff --git a/terraform/modules/oidc/_data.tf b/terraform/modules/oidc/_data.tf
@@ -50,6 +50,10 @@ data "aws_iam_policy_document" "storage" {
 data "aws_iam_policy_document" "wildcard" {
   statement {
     actions = [
+      "acm:ListCertificates",
+      "acm:DescribeCertificate",
+      "acm:GetCertificate",
+      "acm:ListTagsForCertificate",
       "ec2:DescribeAddresses",
       "ec2:DescribeVpcEndpoints",
       "ec2:DescribePrefixLists",
@@ -76,6 +80,7 @@ data "aws_iam_policy_document" "wildcard" {
       "elasticloadbalancing:DescribeTargetGroups",
       "iam:ListPolicies",
       "route53:CreateHostedZone",
+      "secretsmanager:GetSecretValue",
     ]
     resources = [
       "*"
@@ -236,10 +241,12 @@ data "aws_iam_policy_document" "resource_tags_update_actions" {
       "ec2:AttachInternetGateway",
       "ec2:AuthorizeSecurityGroupEgress",
       "ec2:AuthorizeSecurityGroupIngress",
+      "ec2:ReplaceRouteTableAssociation",
       "ec2:RevokeSecurityGroupEgress",
       "ec2:RevokeSecurityGroupIngress",
       "ec2:AssociateRouteTable",
       "ec2:ModifyVpcAttribute",
+      "ec2:CreateTags",
       "elasticloadbalancing:AddTags",
       "elasticloadbalancing:ModifyLoadBalancerAttributes",
       "elasticloadbalancing:ModifyTargetGroupAttributes",