style(infrastructure): fixed format and docs

Author: cshamrick

terraform/modules/ecs/main.tf

@@ -5,6 +5,37 @@ terraform {
 # Set up necessary IAM Roles for ECS Hosts
 
 data "aws_iam_policy_document" "ecs_cluster_asg_policy" {
+  statement {
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel"
+    ]
+    effect = "Allow"
+
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "s3:GetEncryptionConfiguration"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+
+  statement {
+
+    actions = [
+      "kms:Decrypt"
+    ]
+
+    effect = "Allow"
+
+    resources = ["*"]
+  }
+
   statement {
     actions = [
       "ecs:DeregisterContainerInstance",
@@ -66,6 +97,11 @@ resource "aws_iam_role_policy" "ecs_cluster_asg_policy" {
   policy      = data.aws_iam_policy_document.ecs_cluster_asg_policy.json
 }
 
+resource "aws_iam_role_policy_attachment" "ssm_policy_attachment" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  role       = aws_iam_role.ecs_cluster.name
+}
+
 resource "aws_iam_instance_profile" "ecs_cluster_asg_profile" {
   name_prefix = "ecs_cluster_asg_profile-"
   role        = aws_iam_role.ecs_cluster.name

terraform/modules/sg/README.md

@@ -11,6 +11,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:-----:|
+| db\_ingress\_cidrs | n/a | `list(string)` | n/a | yes |
 | mytags | Tags to include on the resources | `map` | `{}` | no |
 | vpc\_id | VPC ID | `any` | n/a | yes |
 
@@ -20,6 +21,7 @@
 |------|-------------|
 | alb-sg-id | ALB Security Group ID |
 | ecs\_sg\_id | ECS Security Group ID |
+| sg\_postgresql\_id | n/a |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

terraform/modules/sg/main.tf

@@ -54,4 +54,31 @@ resource "aws_security_group" "sg-ecs" {
   }
 }
 
+resource "aws_security_group" "sg_postgresql" {
+  name   = "bmore-responsive-db-access"
+  vpc_id = var.vpc_id
+
+  # Merge tags from environment tfvars and create name tag
+  tags = merge(map("Name", "bmore-responsive-db-access"), var.mytags)
+
+  ingress {
+    # TLS (change to whatever ports you need)
+    from_port = 5432
+    to_port   = 5432
+    protocol  = "tcp"
+
+    # We open to 0.0.0.0/0 here to support the testing activities.
+    # In a production environment, these connections would be limited to
+    # approved internal IPs. (10.x.x.x/x block(s))
+    cidr_blocks = var.db_ingress_cidrs
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
 # TODO: Add SG Rules for ECS ASG and Load Balancer.

terraform/modules/sg/outputs.tf

@@ -7,3 +7,7 @@ output "alb-sg-id" {
   description = "ALB Security Group ID"
   value       = aws_security_group.sg-alb.id
 }
+
+output "sg_postgresql_id" {
+  value = aws_security_group.sg_postgresql.id
+}

terraform/modules/sg/variables.tf

@@ -7,3 +7,7 @@ variable "mytags" {
   type        = "map"
   default     = {}
 }
+
+variable "db_ingress_cidrs" {
+  type = list(string)
+}

terraform/modules/vpc/README.md

@@ -21,6 +21,7 @@
 
 | Name | Description |
 |------|-------------|
+| private\_subnet\_cidrs | n/a |
 | public-subnet-ids | Subnet IDs |
 | subnet\_ids | Subnet IDs |
 | vpc-id | VPC ID |

terraform/modules/vpc/outputs.tf

@@ -10,4 +10,8 @@ output "subnet_ids" {
 output "public-subnet-ids" {
   description = "Subnet IDs"
   value       = aws_subnet.public-subnet.*.id
+}
+
+output "private_subnet_cidrs" {
+  value = var.private_subnet_cidrs
 }