diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md
index 076b333..bdb13b1 100644
--- a/terraform/implementation/ecs/README.md
+++ b/terraform/implementation/ecs/README.md
@@ -8,25 +8,29 @@
## Providers
-No providers.
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 5.56.1 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ecs](#module\_ecs) | CDCgov/dibbs-ecr-viewer/aws | 0.1.2 |
+| [ecs](#module\_ecs) | CDCgov/dibbs-ecr-viewer/aws | 0.2.1 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.16.0 |
## Resources
-No resources.
+| Name | Type |
+|------|------|
+| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/data-sources/acm_certificate) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | [
"us-east-1a",
"us-east-1b",
"us-east-1c"
]
| no |
-| [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no |
+| [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `false` | no |
| [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
| [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.6.9"` | no |
| [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | [
"176.24.1.0/24",
"176.24.3.0/24"
]
| no |
diff --git a/terraform/implementation/ecs/SERVICEDATA.md b/terraform/implementation/ecs/SERVICEDATA.md
deleted file mode 100644
index a28d0ea..0000000
--- a/terraform/implementation/ecs/SERVICEDATA.md
+++ /dev/null
@@ -1,170 +0,0 @@
-# Integrated ecr-viewer
-
-```hcl
-service_data = {
- ecr-viewer = {
- short_name = "ecrv",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-ecr-viewer" : "ecr-viewer",
- app_version = var.phdi_version,
- container_port = 3000,
- host_port = 3000,
- public = true
- registry_url = local.registry_url
- env_vars = [
- {
- name = "AWS_REGION",
- value = var.region
- },
- {
- name = "ECR_BUCKET_NAME",
- value = local.s3_viewer_bucket_name
- },
- {
- name = "HOSTNAME",
- value = "0.0.0.0"
- },
- {
- name = "NEXT_PUBLIC_NON_INTEGRATED_VIEWER",
- value = var.non_integrated_viewer
- },
- {
- name = "SOURCE",
- value = "s3"
- },
- {
- name = "APP_ENV",
- value = var.ecr_viewer_app_env
- },
- {
- name = "NBS_PUB_KEY",
- value = var.ecr_viewer_auth_pub_key
- },
- {
- name = "NEXT_PUBLIC_BASEPATH",
- value = var.ecr_viewer_basepath
- }
- ]
- },
- fhir-converter = {
- short_name = "fhirc",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-fhir-converter" : "fhir-converter",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- ingestion = {
- short_name = "inge",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-ingestion" : "ingestion",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- validation = {
- short_name = "vali",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-validation" : "validation",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- trigger-code-reference = {
- short_name = "trigcr",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-trigger-code-reference" : "trigger-code-reference",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- message-parser = {
- short_name = "msgp",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-message-parser" : "message-parser",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- orchestration = {
- short_name = "orch",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-orchestration" : "orchestration",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = true
- registry_url = local.registry_url
- env_vars = [
- {
- name = "OTEL_METRICS",
- value = "none"
- },
- {
- name = "OTEL_METRICS_EXPORTER",
- value = "none"
- },
- {
- name = "INGESTION_URL",
- value = "http://ingestion:8080"
- },
- {
- name = "VALIDATION_URL",
- value = "http://validation:8080"
- },
- {
- name = "FHIR_CONVERTER_URL",
- value = "http://fhir-converter:8080"
- },
- {
- name = "ECR_VIEWER_URL",
- value = "http://ecr-viewer:3000${var.ecr_viewer_basepath}"
- },
- {
- name = "MESSAGE_PARSER_URL",
- value = "http://message-parser:8080"
- },
- {
- name = "TRIGGER_CODE_REFERENCE_URL",
- value = "http://trigger-code-reference:8080"
- }
- ]
- }
-}
-```
\ No newline at end of file
diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
index a42cea0..900799e 100644
--- a/terraform/implementation/ecs/main.tf
+++ b/terraform/implementation/ecs/main.tf
@@ -1,3 +1,9 @@
+data "aws_acm_certificate" "this" {
+ domain = "streamline.dibbs.cloud"
+ types = ["AMAZON_ISSUED"] # or ["ISSUED"] or ["PRIVATE"]
+ statuses = ["ISSUED"]
+}
+
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.16.0"
@@ -16,7 +22,8 @@ module "vpc" {
module "ecs" {
source = "CDCgov/dibbs-ecr-viewer/aws"
- version = "0.1.2"
+ version = "0.2.1"
+ # source = "../../../../terraform-aws-dibbs-ecr-viewer"
public_subnet_ids = flatten(module.vpc.public_subnets)
private_subnet_ids = flatten(module.vpc.private_subnets)
@@ -31,13 +38,31 @@ module "ecs" {
# If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
# disable_ecr = true
- # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
- # non_integrated_viewer = "true"
-
# If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
# This requires an internet gateway to be present in the VPC.
internal = var.internal
+ # If the intent is to enable https and port 443, pass the arn of the cert in AWS certificate manager. This cert will be applied to the load balancer. (default is "")
+ certificate_arn = data.aws_acm_certificate.this.arn
+
# If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
# ecr_viewer_app_env = "test"
+
+ # If intent is to use a metadata database for polutating the ecr-viewer library, setup the database data object to connect to the database (supported databases are postgres and sqlserver)
+ # Postgresql database example
+ # postgres_database_data = {
+ # non_integrated_viewer = "true"
+ # metadata_database_type = "postgres"
+ # metadata_database_schema = "core" # (core or extended)
+ # secrets_manager_postgres_database_url_name = "prod/testSecret"
+ # }
+ # SqlServer database example
+ # sqlserver_database_data = {
+ # non_integrated_viewer = "true"
+ # metadata_database_type = "sqlserver"
+ # metadata_database_schema = "core" # (core or extended)
+ # secrets_manager_sqlserver_user_name = "prod/testSecret"
+ # secrets_manager_sqlserver_password_name = "prod/testSecret"
+ # secrets_manager_sqlserver_host_name = "prod/testSecret"
+ # }
}
diff --git a/terraform/implementation/setup/README.md b/terraform/implementation/setup/README.md
index eafd7a4..98e6074 100644
--- a/terraform/implementation/setup/README.md
+++ b/terraform/implementation/setup/README.md
@@ -4,7 +4,6 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.9.0 |
-| [aws](#requirement\_aws) | =5.70.0 |
| [aws](#requirement\_aws) | ~> 5.56.1 |
| [local](#requirement\_local) | ~> 2.5.0 |
| [random](#requirement\_random) | ~> 3.6.3 |
diff --git a/terraform/implementation/setup/backend.tf b/terraform/implementation/setup/backend.tf
index 17efe2e..3c14f16 100644
--- a/terraform/implementation/setup/backend.tf
+++ b/terraform/implementation/setup/backend.tf
@@ -3,10 +3,20 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "=5.70.0"
+ version = "~> 5.56.1"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.6.3"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = "~> 2.5.0"
}
}
+ required_version = "~> 1.9.0"
}
+
provider "aws" {
region = "us-east-1"
default_tags {
diff --git a/terraform/implementation/setup/provider.tf b/terraform/implementation/setup/provider.tf
deleted file mode 100644
index 59f5270..0000000
--- a/terraform/implementation/setup/provider.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.56.1"
- }
- random = {
- source = "hashicorp/random"
- version = "~> 3.6.3"
- }
- local = {
- source = "hashicorp/local"
- version = "~> 2.5.0"
- }
- }
- required_version = "~> 1.9.0"
-}
diff --git a/terraform/modules/oidc/_data.tf b/terraform/modules/oidc/_data.tf
index ee079ee..90f82e1 100644
--- a/terraform/modules/oidc/_data.tf
+++ b/terraform/modules/oidc/_data.tf
@@ -50,6 +50,10 @@ data "aws_iam_policy_document" "storage" {
data "aws_iam_policy_document" "wildcard" {
statement {
actions = [
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "acm:GetCertificate",
+ "acm:ListTagsForCertificate",
"ec2:DescribeAddresses",
"ec2:DescribeVpcEndpoints",
"ec2:DescribePrefixLists",
@@ -76,6 +80,7 @@ data "aws_iam_policy_document" "wildcard" {
"elasticloadbalancing:DescribeTargetGroups",
"iam:ListPolicies",
"route53:CreateHostedZone",
+ "secretsmanager:GetSecretValue",
]
resources = [
"*"
@@ -236,10 +241,12 @@ data "aws_iam_policy_document" "resource_tags_update_actions" {
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
+ "ec2:ReplaceRouteTableAssociation",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AssociateRouteTable",
"ec2:ModifyVpcAttribute",
+ "ec2:CreateTags",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",