From f3943506c30acb0748403c0fc80399dac5fe10ba Mon Sep 17 00:00:00 2001
From: Alis Akers
Date: Wed, 20 Nov 2024 14:40:35 -0800
Subject: [PATCH] update with example of getting a cert to use
---
 terraform/implementation/ecs/SERVICEDATA.md | 170 --------------------
 terraform/implementation/ecs/_variable.tf | 2 +-
 terraform/implementation/ecs/main.tf | 33 +++-
 terraform/implementation/setup/README.md | 1 -
 terraform/implementation/setup/backend.tf | 12 +-
 terraform/implementation/setup/provider.tf | 17 --
 terraform/modules/oidc/_data.tf | 2 +
 7 files changed, 43 insertions(+), 194 deletions(-)
 delete mode 100644 terraform/implementation/ecs/SERVICEDATA.md
 delete mode 100644 terraform/implementation/setup/provider.tf
diff --git a/terraform/implementation/ecs/SERVICEDATA.md b/terraform/implementation/ecs/SERVICEDATA.md
deleted file mode 100644
index a28d0ea..0000000
--- a/terraform/implementation/ecs/SERVICEDATA.md
+++ /dev/null
@@ -1,170 +0,0 @@
-# Integrated ecr-viewer
-
-```hcl
-service_data = {
- ecr-viewer = {
- short_name = "ecrv",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-ecr-viewer" : "ecr-viewer",
- app_version = var.phdi_version,
- container_port = 3000,
- host_port = 3000,
- public = true
- registry_url = local.registry_url
- env_vars = [
- {
- name = "AWS_REGION",
- value = var.region
- },
- {
- name = "ECR_BUCKET_NAME",
- value = local.s3_viewer_bucket_name
- },
- {
- name = "HOSTNAME",
- value = "0.0.0.0"
- },
- {
- name = "NEXT_PUBLIC_NON_INTEGRATED_VIEWER",
- value = var.non_integrated_viewer
- },
- {
- name = "SOURCE",
- value = "s3"
- },
- {
- name = "APP_ENV",
- value = var.ecr_viewer_app_env
- },
- {
- name = "NBS_PUB_KEY",
- value = var.ecr_viewer_auth_pub_key
- },
- {
- name = "NEXT_PUBLIC_BASEPATH",
- value = var.ecr_viewer_basepath
- }
- ]
- },
- fhir-converter = {
- short_name = "fhirc",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-fhir-converter" : "fhir-converter",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- ingestion = {
- short_name = "inge",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-ingestion" : "ingestion",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- validation = {
- short_name = "vali",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-validation" : "validation",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- trigger-code-reference = {
- short_name = "trigcr",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-trigger-code-reference" : "trigger-code-reference",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- message-parser = {
- short_name = "msgp",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-message-parser" : "message-parser",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = false
- registry_url = local.registry_url
- env_vars = []
- },
- orchestration = {
- short_name = "orch",
- fargate_cpu = 1024,
- fargate_memory = 2048,
- min_capacity = 1
- max_capacity = 5
- app_image = var.disable_ecr == false ? "${terraform.workspace}-orchestration" : "orchestration",
- app_version = var.phdi_version,
- container_port = 8080,
- host_port = 8080,
- public = true
- registry_url = local.registry_url
- env_vars = [
- {
- name = "OTEL_METRICS",
- value = "none"
- },
- {
- name = "OTEL_METRICS_EXPORTER",
- value = "none"
- },
- {
- name = "INGESTION_URL",
- value = "http://ingestion:8080"
- },
- {
- name = "VALIDATION_URL",
- value = "http://validation:8080"
- },
- {
- name = "FHIR_CONVERTER_URL",
- value = "http://fhir-converter:8080"
- },
- {
- name = "ECR_VIEWER_URL",
- value = "http://ecr-viewer:3000${var.ecr_viewer_basepath}"
- },
- {
- name = "MESSAGE_PARSER_URL",
- value = "http://message-parser:8080"
- },
- {
- name = "TRIGGER_CODE_REFERENCE_URL",
- value = "http://trigger-code-reference:8080"
- }
- ]
- }
-}
-```
\ No newline at end of file
diff --git a/terraform/implementation/ecs/_variable.tf b/terraform/implementation/ecs/_variable.tf
index 9225797..57e819b 100644
--- a/terraform/implementation/ecs/_variable.tf
+++ b/terraform/implementation/ecs/_variable.tf
@@ -7,7 +7,7 @@ variable "availability_zones" {
 variable "internal" {
 description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)."
 type = bool
- default = true
+ default = false
 }
 
 variable "owner" {
diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
index a42cea0..44c19fc 100644
--- a/terraform/implementation/ecs/main.tf
+++ b/terraform/implementation/ecs/main.tf
@@ -1,3 +1,9 @@
+data "aws_acm_certificate" "this" {
+ domain = "streamline.dibbs.cloud"
+ types = ["AMAZON_ISSUED"] # or ["ISSUED"] or ["PRIVATE"]
+ statuses = ["ISSUED"]
+}
+
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "5.16.0"
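Review bot: Changing `internal`'s default to `false` makes an internet-facing deployment the default for every workspace that does not override the variable, and main.tf passes it straight through as `internal = var.internal`, so a fresh environment gets a public load balancer unless someone remembers to set it. Keeping `default = true` and opting into exposure per environment (`internal = false` in that environment's tfvars) is the safer shape, and if the public default is intentional the description should say so. The context comment in main.tf's second hunk, `set internal to false (default is true)`, still states the old default and would need to read `(default is false)` under this change.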
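Review bot: `domain = "streamline.dibbs.cloud"` hard-codes one environment's hostname into the root module, and a `data "aws_acm_certificate"` lookup fails the plan when no ISSUED certificate for that domain exists in the account and region, so any other workspace using this configuration breaks until the literal is edited. The comment in the second hunk already refers to a `certificate_domain` setting; declaring `variable "certificate_domain"` in _variable.tf and using `domain = var.certificate_domain` here would match that comment and keep the example environment-neutral. The trailing comment on the `types` line is misleading because `ISSUED` is a certificate status (it is already used in `statuses`), not a type; the type values are `AMAZON_ISSUED`, `PRIVATE` and `IMPORTED`, so `types = ["AMAZON_ISSUED"] # or ["IMPORTED"] or ["PRIVATE"]` would be accurate.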
@@ -16,7 +22,8 @@ module "vpc" {
 
 module "ecs" {
 source = "CDCgov/dibbs-ecr-viewer/aws"
- version = "0.1.2"
+ version = "0.2.1"
+ # source = "../../../../terraform-aws-dibbs-ecr-viewer"
 
 public_subnet_ids = flatten(module.vpc.public_subnets)
 private_subnet_ids = flatten(module.vpc.private_subnets)
@@ -31,13 +38,31 @@ module "ecs" {
 # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
 # disable_ecr = true
 
- # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
- # non_integrated_viewer = "true"
-
 # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
 # This requires an internet gateway to be present in the VPC.
 internal = var.internal
 
+ # If the intent is to use a custom domain, set certificate_domain to the domain name (default is "")
+ certificate_arn = data.aws_acm_certificate.this.arn
+
 # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
 # ecr_viewer_app_env = "test"
+
+ # If intent is to use a metadata database for polutating the ecr-viewer library, setup the database data object to connect to the database (supported databases are postgres and sqlserver)
+ # Postgresql database example
+ postgres_database_data = {
+ non_integrated_viewer = "true"
+ metadata_database_type = "postgres"
+ metadata_database_schema = "core" # (core or extended)
+ secrets_manager_postgres_database_url_name = "prod/testSecret"
+ }
+ # SqlServer database example
+ # sqlserver_database_data = {
+ # non_integrated_viewer = "true"
+ # metadata_database_type = "sqlserver"
+ # metadata_database_schema = "core" # (core or extended)
+ # secrets_manager_sqlserver_user_name = "prod/testSecret"
+ # secrets_manager_sqlserver_password_name = "prod/testSecret"
+ # secrets_manager_sqlserver_host_name = "prod/testSecret"
+ # }
 }
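Review bot: The `postgres_database_data` block is live configuration, not a commented example like the `sqlserver_database_data` block directly below it, so `secrets_manager_postgres_database_url_name = "prod/testSecret"` is what `terraform apply` will wire into the ecr-viewer task for anyone who copies this root module; either comment it out to match the SqlServer example or move the secret name into a variable with no placeholder default. The comment above `certificate_arn` says `set certificate_domain to the domain name (default is "")`, but the line below sets `certificate_arn` from the data source and no `certificate_domain` input exists in this file; `# If the intent is to use a custom domain, pass the ARN of an issued ACM certificate as certificate_arn (looked up by domain in data.aws_acm_certificate.this)` describes what the code does. The `# source = "../../../../terraform-aws-dibbs-ecr-viewer"` line is a developer-local path that has no meaning for other users of the example and should not be committed. The `module "ecs"` block begins outside this hunk.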
diff --git a/terraform/implementation/setup/README.md b/terraform/implementation/setup/README.md
index eafd7a4..0127949 100644
--- a/terraform/implementation/setup/README.md
+++ b/terraform/implementation/setup/README.md
@@ -5,7 +5,6 @@
 |------|---------|
 | [terraform](#requirement\_terraform) | ~> 1.9.0 |
 | [aws](#requirement\_aws) | =5.70.0 |
-| [aws](#requirement\_aws) | ~> 5.56.1 |
 | [local](#requirement\_local) | ~> 2.5.0 |
 | [random](#requirement\_random) | ~> 3.6.3 |
 
diff --git a/terraform/implementation/setup/backend.tf b/terraform/implementation/setup/backend.tf
index 17efe2e..3c14f16 100644
--- a/terraform/implementation/setup/backend.tf
+++ b/terraform/implementation/setup/backend.tf
@@ -3,10 +3,20 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "=5.70.0"
+ version = "~> 5.56.1"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.6.3"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = "~> 2.5.0"
 }
 }
+ required_version = "~> 1.9.0"
 }
+
 provider "aws" {
 region = "us-east-1"
 default_tags {
diff --git a/terraform/implementation/setup/provider.tf b/terraform/implementation/setup/provider.tf
deleted file mode 100644
index 59f5270..0000000
--- a/terraform/implementation/setup/provider.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.56.1"
- }
- random = {
- source = "hashicorp/random"
- version = "~> 3.6.3"
- }
- local = {
- source = "hashicorp/local"
- version = "~> 2.5.0"
- }
- }
- required_version = "~> 1.9.0"
-}
diff --git a/terraform/modules/oidc/_data.tf b/terraform/modules/oidc/_data.tf
index ee079ee..6c981ec 100644
--- a/terraform/modules/oidc/_data.tf
+++ b/terraform/modules/oidc/_data.tf
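Review bot: `version = "~> 5.56.1"` is not a loosening of the previous `=5.70.0` pin but a downgrade, because `~> 5.56.1` only admits 5.56.x, while the README hunk in this same commit deletes the `~> 5.56.1` row and keeps `=5.70.0`, so the documented and enforced provider versions now disagree. Pick one constraint for both: keep `version = "=5.70.0"` here (and drop the README edit), or keep the 5.56 line and regenerate the README from the code. Folding the provider.tf contents into backend.tf is otherwise fine; the `provider "aws"` block continues past the end of this hunk.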
@@ -236,10 +236,12 @@ data "aws_iam_policy_document" "resource_tags_update_actions" {
 "ec2:AttachInternetGateway",
 "ec2:AuthorizeSecurityGroupEgress",
 "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:ReplaceRouteTableAssociation",
 "ec2:RevokeSecurityGroupEgress",
 "ec2:RevokeSecurityGroupIngress",
 "ec2:AssociateRouteTable",
 "ec2:ModifyVpcAttribute",
+ "ec2:CreateTags",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyTargetGroupAttributes",
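Review bot: `"ec2:CreateTags"` is added with no visible condition, and if this statement's `resources` is `["*"]` (it is outside the hunk, so unverified) the OIDC role can tag any EC2 resource in the account, which matters wherever tag-based authorization (`aws:ResourceTag`) gates access to other resources. Constraining the action with a condition on `ec2:CreateAction` (tagging only as part of a create call) or narrowing `resources` to the VPC, subnet and route-table ARNs this deployment manages keeps the role at least privilege. `"ec2:ReplaceRouteTableAssociation"` changes routing rather than tags and sits oddly in a document named `resource_tags_update_actions`; if the VPC module needs it, a short comment naming the resource that requires it, next to the existing `ec2:AssociateRouteTable`, would keep the policy reviewable. The enclosing `data "aws_iam_policy_document"` block starts and ends outside this hunk.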