Fixed format and docs.

Author: cshamrick

terraform/components/full-cluster/cfb-container.json.tpl

@@ -7,23 +7,20 @@
     "essential": true,
     "portMappings": [
       {
-        "containerPort": 8080,
+        "containerPort": 3000,
         "hostPort": 0
       }
     ],
     "environment": [
       { "name" : "VUE_APP_BASE_API_URL", "value" : "${vue_app_base_api_url}" },
       { "name" : "NODE_ENV", "value" : "${node_env}" },
       { "name" : "DATABASE_HOST", "value" : "${database_host}" },
-      { "name" : "DATABASE_USER", "value" : "${database_user}" },
+      { "name" : "DATABASE_USERNAME", "value" : "${database_user}" },
       { "name" : "DATABASE_PORT", "value" : "${database_port}" },
       { "name" : "DATABASE_NAME", "value" : "${database_name}" },
       { "name" : "JWT_KEY", "value" : "${jwt_key}" },
-      { "name" : "BYPASS_LOGIN", "value" : "${bypass_login}" }
-    ],
-    "secrets": [{
-      "name": "DATABASE_PASSWORD",
-      "valueFrom": "${database_password_arn}"
-    }]
+      { "name" : "BYPASS_LOGIN", "value" : "${bypass_login}" },
+      { "name" : "DATABASE_PASSWORD", "value" : "${database_password}" }
+    ]
   }
 ]

terraform/components/full-cluster/main.tf

@@ -25,23 +25,25 @@ module "s3" {
 data "template_file" "cfb_ecs_task_definition" {
   template = file("cfb-container.json.tpl")
   vars = {
-    image_address         = module.ecs_cluster.cfb_registry
-    s3_bucket             = module.s3.output_bucket_name
-    vue_app_base_api_url  = "bmoreres.codeforbaltimore.org"
-    node_env              = "development"
-    database_host         = module.db.this_db_instance_address
-    database_user         = module.db.this_db_instance_username
-    database_password_arn = aws_secretsmanager_secret_version.db_password.arn
-    database_port         = module.db.this_db_instance_port
-    database_name         = "healthcareRollcallDB"
-    jwt_key               = "abc123"
-    bypass_login          = "false"
+    image_address        = "codeforbaltimore/bmore-responsive"
+    s3_bucket            = module.s3.output_bucket_name
+    vue_app_base_api_url = "bmoreres.codeforbaltimore.org"
+    node_env             = "development"
+    database_host        = module.db.this_db_instance_address
+    database_user        = module.db.this_db_instance_username
+    //    database_password_arn = aws_secretsmanager_secret_version.db_password.arn
+    database_port     = module.db.this_db_instance_port
+    database_name     = "healthcareRollcallDB"
+    jwt_key           = "abc123"
+    bypass_login      = "false"
+    aws_region        = var.aws_region
+    database_password = var.db_password
   }
 }
 
 resource "aws_secretsmanager_secret" "db_password" {
   name_prefix = "db_password"
-  
+
 }
 
 resource "aws_secretsmanager_secret_version" "db_password" {
@@ -96,7 +98,7 @@ module "alb" {
   vpc_id          = module.vpc.vpc-id
   vpc_subnets     = module.vpc.public-subnet-ids
   lb_sg           = module.sg.alb-sg-id
-  cfb_app_port    = 8080
+  cfb_app_port    = 3000
   certificate_arn = module.certificate.certificate_arn
 }
 
@@ -114,8 +116,9 @@ module "ecs_cluster" {
   bmore-responsive_desired_count         = "3"
   bmore-responsive_target_group_arn      = module.alb.tg-cfb-arn
   bmore-responsive_container_name        = "bmore-responsive"
-  bmore-responsive_container_port        = "8080"
+  bmore-responsive_container_port        = "3000"
   bmore-responsive_container_definitions = data.template_file.cfb_ecs_task_definition.rendered
+  aws_region                             = var.aws_region
 }
 
 module "asg" {

terraform/components/full-cluster/userdata.sh.tpl

@@ -1,8 +1,3 @@
 #!/bin/bash
 
-# Install the SSM Agent RPM
-yum install -y amazon-ssm-agent
-
-yum install -y postgresql-server postgresql-devel
-
 echo ECS_CLUSTER=${cluster_name} >> /etc/ecs/ecs.config

terraform/modules/ecs/README.md

@@ -11,6 +11,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:-----:|
+| aws\_region | n/a | `any` | n/a | yes |
 | bmore-responsive\_container\_definitions | The Rendered JSON of a container definition array. See example-container.json for a sample of valid JSON input. | `string` | n/a | yes |
 | bmore-responsive\_container\_name | The name of the container to associate with the Load Balancer. Must equal the container name in the container definition JSON | `string` | n/a | yes |
 | bmore-responsive\_container\_port | The port on the container to associate with the Load Balancer | `string` | n/a | yes |

terraform/modules/ecs/main.tf

@@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs_cluster_asg_policy" {
   }
 }
 
+data "aws_caller_identity" "current" {}
+
 resource "aws_iam_role" "ecs_cluster" {
   path = "/"
   name = "bmore-responsive_ecs_cluster_role"
@@ -148,31 +150,62 @@ EOF
 
 }
 
-resource "aws_iam_role" "task_execution_role" {
-  name                     = "ecsTaskExecutionRole"
-  assume_role_policy       =  <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "${aws_iam_role.ecs_cluster.arn}"
-      },
-      "Action": [
-        "ssm:GetParameters",
-        "secretsmanager:GetSecretValue",
-        "kms:Decrypt"
-      ]
+data "aws_iam_policy_document" "task_execution_role_permission_policy_document" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ssm:GetParameters",
+      "secretsmanager:GetSecretValue",
+      "kms:Decrypt"
+    ]
+    resources = [
+      "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/*",
+      "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:*",
+      "arn:aws:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
+    ]
+  }
+
+  statement {
+
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "task_execution_role_permission_policy" {
+  name_prefix = "secrets-manager-access-"
+  policy      = data.aws_iam_policy_document.task_execution_role_permission_policy_document.json
+}
+
+data "aws_iam_policy_document" "task_execution_role_assume_role_policy_document" {
+  statement {
+    effect = "Allow"
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
     }
-  ]
+    actions = ["sts:AssumeRole"]
+  }
 }
-EOF
+
+resource "aws_iam_role" "task_execution_role" {
+  name               = "ecsTaskExecutionRole"
+  assume_role_policy = data.aws_iam_policy_document.task_execution_role_assume_role_policy_document.json
 }
 
 resource "aws_iam_role_policy_attachment" "task_execution_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" // AWS provided policy
-  role       = "${aws_iam_role.task_execution_role.name}"
+  role       = aws_iam_role.task_execution_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "task_execution_permissions_policy_attachment" {
+  policy_arn = aws_iam_policy.task_execution_role_permission_policy.arn
+  role       = aws_iam_role.task_execution_role.name
 }
 
 
@@ -183,8 +216,8 @@ resource "aws_ecs_cluster" "ecs_cluster" {
 resource "aws_ecs_task_definition" "bmore-responsive_ecs_task_definition" {
   family                = "bmore-responsive"
   container_definitions = var.bmore-responsive_container_definitions
-  task_role_arn      = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-  execution_role_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  //  task_role_arn         = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  execution_role_arn = aws_iam_role.task_execution_role.arn
 }
 
 resource "aws_ecs_service" "pricer_ecs_service" {

terraform/modules/ecs/variables.tf

@@ -33,3 +33,4 @@ variable "output_bucket_arn" {
   type        = string
 }
 
+variable "aws_region" {}