added in policy for secrets manager to ecs task definition

bani-bellese · bani-bellese · commit 40edf2a330b5 · 2020-03-29T15:29:34.000-04:00
diff --git a/bin/deploy.sh b/bin/deploy.sh
@@ -52,8 +52,7 @@ docker run -it -v $(pwd):/app/ cfb-build-agent ./db-create
 $(docker run -it -v $(pwd):/app/ -v $(pwd)/docker/aws/:/root/.aws/ -e AWS_PROFILE=$AWS_PROFILE cfb-build-agent ecr-login | tr -d '\r')
 
 # Build the container image for the API
-docker build -f docker/Dockerfile-Bmore-Responsive -t bmore-responsive \
-                        --build-arg DB_URL=${DB_URL}  .
+docker build -f docker/Dockerfile-Bmore-Responsive -t bmore-responsive .
 # Get the address of the repository in AWS
 CFB_REPO=$(docker run -it -v $(pwd):/app/ -v $(pwd)/docker/aws/:/root/.aws/ -e AWS_PROFILE=$AWS_PROFILE cfb-build-agent output full-cluster bmore-responsive_registry | tr -d '\r')
 # Tag the image for pushing
diff --git a/bin/redeploy.sh b/bin/redeploy.sh
@@ -12,20 +12,21 @@ docker build -f docker/Dockerfile-Builder -t cfb-build-agent .
 
 
 # Rebuild the Java Projects
-docker run -it -v $(pwd):/app/ cfb-build-agent npm-build 
+#docker run -it -v $(pwd):/app/ cfb-build-agent npm-build 
 
 
 ### Building and Pushing Docker Images ###
 # Log into the ECS Repository first
 $(docker run -it -v $(pwd):/app/ -v $(pwd)/docker/aws/:/root/.aws/ -e AWS_PROFILE=$AWS_PROFILE cfb-build-agent ecr-login | tr -d '\r')
 
 # Build the container image 
-docker build -f docker/Dockerfile-Bmore-Responsive -t bmore-responsive \
-                        --build-arg DB_URL="postgres://${DB_USERNAME}:${DB_PASSWORD}@${DB_ENDPOINT}:${DB_PORT}/${DB_NAME}"  .
+docker build -f docker/Dockerfile-Bmore-Responsive -t bmore-responsive .
 # Get the address of the repository in AWS
 CFB_REPO=$(docker run -it -v $(pwd):/app/ -v $(pwd)/docker/aws/:/root/.aws/ -e AWS_PROFILE=$AWS_PROFILE cfb-build-agent output full-cluster bmore-responsive_registry | tr -d '\r')
+echo "CFB_REPO -> $CFB_REPO"
+
 # Tag the image for pushing
-docker tag bmore-responsive $CFB_REPO:latest
+docker tag bmore-responsive:latest $CFB_REPO:latest
 # Push the new docker image
 docker push $CFB_REPO
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,13 +1,13 @@
 version: '3'
 services:
   api:
-    build: .
+    image: 180104022864.dkr.ecr.us-east-2.amazonaws.com/bmore-responsive
     depends_on: 
       - db
     links:
       - "db: database"
     ports:
-      - '3000:3000'
+      - '8080:80'
     command:  >
       sh -c "npm run db-delete &&
             npm run db-create && 
diff --git a/docker/Dockerfile-Builder b/docker/Dockerfile-Builder
@@ -5,7 +5,7 @@ RUN apt-get update && apt-get install wget python3-pip -y
 
 # Download Terraform and make it executable.
 WORKDIR /tmp/
-RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.11.13/terraform_0.11.13_linux_amd64.zip
+RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.12.24/terraform_0.12.24_linux_amd64.zip
 RUN unzip terraform.zip
 RUN mv terraform /usr/bin/terraform
 
diff --git a/docker/aws/config b/docker/aws/config
@@ -1,3 +1,3 @@
 [default]
-region=us-east-1
+region=us-east-2
 output=json
diff --git a/terraform/components/full-cluster/main.tf b/terraform/components/full-cluster/main.tf
@@ -40,7 +40,8 @@ data "template_file" "cfb_ecs_task_definition" {
 }
 
 resource "aws_secretsmanager_secret" "db_password" {
-  name = "db_password"
+  name_prefix = "db_password"
+  
 }
 
 resource "aws_secretsmanager_secret_version" "db_password" {
diff --git a/terraform/components/full-cluster/matching-container.json.tpl b/terraform/components/full-cluster/matching-container.json.tpl
diff --git a/terraform/components/full-cluster/policy.json b/terraform/components/full-cluster/policy.json
@@ -0,0 +1,16 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters",
+        "secretsmanager:GetSecretValue",
+        "kms:Decrypt"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/terraform/modules/ecs/main.tf b/terraform/modules/ecs/main.tf
@@ -148,13 +148,43 @@ EOF
 
 }
 
+resource "aws_iam_role" "task_execution_role" {
+  name                     = "ecsTaskExecutionRole"
+  assume_role_policy       =  <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${aws_iam_role.ecs_cluster.arn}"
+      },
+      "Action": [
+        "ssm:GetParameters",
+        "secretsmanager:GetSecretValue",
+        "kms:Decrypt"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "task_execution_attachment" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" // AWS provided policy
+  role       = "${aws_iam_role.task_execution_role.name}"
+}
+
+
 resource "aws_ecs_cluster" "ecs_cluster" {
   name = var.cluster_name
 }
 
 resource "aws_ecs_task_definition" "bmore-responsive_ecs_task_definition" {
   family                = "bmore-responsive"
   container_definitions = var.bmore-responsive_container_definitions
+  task_role_arn      = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  execution_role_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
 resource "aws_ecs_service" "pricer_ecs_service" {
diff --git a/terraform/versions.tf b/terraform/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,8 @@ data "template_file" "cfb_ecs_task_definition" {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`resource "aws_secretsmanager_secret" "db_password" {`
`43`		`- name = "db_password"`
	`43`	`+ name_prefix = "db_password"`
	`44`	`+`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`resource "aws_secretsmanager_secret_version" "db_password" {`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
++
 +terraform {
 +  required_version = ">= 0.12"
 +}