update with example of getting a cert to use

terraform/implementation/ecs/_variable.tf

@@ -7,7 +7,7 @@ variable "availability_zones" {
 variable "internal" {
   description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)."
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "owner" {

terraform/implementation/ecs/main.tf

@@ -1,3 +1,9 @@
+data "aws_acm_certificate" "this" {
+  domain   = "streamline.dibbs.cloud"
+  types = ["AMAZON_ISSUED"] # or ["ISSUED"] or ["PRIVATE"]
+  statuses = ["ISSUED"]
+}
+
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "5.16.0"
@@ -16,7 +22,8 @@ module "vpc" {
 
 module "ecs" {
   source  = "CDCgov/dibbs-ecr-viewer/aws"
-  version = "0.1.2"
+  version = "0.2.1"
+  # source = "../../../../terraform-aws-dibbs-ecr-viewer"
 
   public_subnet_ids  = flatten(module.vpc.public_subnets)
   private_subnet_ids = flatten(module.vpc.private_subnets)
@@ -31,13 +38,31 @@ module "ecs" {
   # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
   # disable_ecr = true
 
-  # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
-  # non_integrated_viewer = "true"
-
   # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
   # This requires an internet gateway to be present in the VPC.
   internal = var.internal
 
+  # If the intent is to use a custom domain, set certificate_domain to the domain name (default is "")
+  certificate_arn = data.aws_acm_certificate.this.arn
+
   # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
   # ecr_viewer_app_env = "test"
+
+  # If intent is to use a metadata database for polutating the ecr-viewer library, setup the database data object to connect to the database (supported databases are postgres and sqlserver)
+  # Postgresql database example
+  postgres_database_data = {
+    non_integrated_viewer = "true"
+    metadata_database_type = "postgres"
+    metadata_database_schema = "core" # (core or extended)
+    secrets_manager_postgres_database_url_name = "prod/testSecret"
+  }
+  # SqlServer database example
+  # sqlserver_database_data = {
+  #   non_integrated_viewer = "true"
+  #   metadata_database_type = "sqlserver"
+  #   metadata_database_schema = "core" # (core or extended)
+  #   secrets_manager_sqlserver_user_name = "prod/testSecret"
+  #   secrets_manager_sqlserver_password_name = "prod/testSecret"
+  #   secrets_manager_sqlserver_host_name = "prod/testSecret"
+  # }
 }

terraform/implementation/setup/README.md

@@ -5,7 +5,6 @@
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | =5.70.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.56.1 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.5.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.6.3 |
 

terraform/implementation/setup/backend.tf

@@ -3,10 +3,20 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "=5.70.0"
+      version = "~> 5.56.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6.3"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.5.0"
     }
   }
+  required_version = "~> 1.9.0"
 }
+
 provider "aws" {
   region = "us-east-1"
   default_tags {

terraform/modules/oidc/_data.tf

@@ -236,10 +236,12 @@ data "aws_iam_policy_document" "resource_tags_update_actions" {
       "ec2:AttachInternetGateway",
       "ec2:AuthorizeSecurityGroupEgress",
       "ec2:AuthorizeSecurityGroupIngress",
+      "ec2:ReplaceRouteTableAssociation",
       "ec2:RevokeSecurityGroupEgress",
       "ec2:RevokeSecurityGroupIngress",
       "ec2:AssociateRouteTable",
       "ec2:ModifyVpcAttribute",
+      "ec2:CreateTags",
       "elasticloadbalancing:AddTags",
       "elasticloadbalancing:ModifyLoadBalancerAttributes",
       "elasticloadbalancing:ModifyTargetGroupAttributes",