tui behind LB

Alok G Singh · Alok G Singh · commit 61c1f5326422 · 2025-03-09T11:48:55.000+08:00
diff --git a/infra/cd.tf b/infra/cd.tf
@@ -75,14 +75,16 @@ resource "aws_iam_role" "ter" {
   name = "ter"
   path = "/cd/"
 
-  inline_policy {
-    name   = "extra-ter"
-    policy = data.aws_iam_policy_document.extra.json
-  }
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
   #managed_policy_arns = ["arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"]
 }
 
+resource "aws_iam_role_policy" "extra" {
+  name   = "extra-ter"
+  role   = aws_iam_role.ter.id
+  policy = data.aws_iam_policy_document.extra.json
+}
+
 # ecr_rw_tyk is created in base but ter is created here. We need to
 # know ter so that we can give ecr_rw_tyk the minimum permission
 # boundary
@@ -145,7 +147,7 @@ resource "aws_ssm_parameter" "ter" {
   value       = aws_iam_role.ter.arn
 }
 
-resource "aws_s3_bucket_policy" "deptrack_lb_logs" {
+resource "aws_s3_bucket_policy" "lb_logs" {
   bucket = data.terraform_remote_state.base.outputs.assets
   policy = <<-EOF
 {
@@ -158,6 +160,14 @@ resource "aws_s3_bucket_policy" "deptrack_lb_logs" {
       },
       "Action": "s3:PutObject",
       "Resource": "arn:aws:s3:::${data.terraform_remote_state.base.outputs.assets}/deptrack-lb/AWSLogs/754489498669/*"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::054676820928:root"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${data.terraform_remote_state.base.outputs.assets}/tui-lb/AWSLogs/754489498669/*"
     }
   ]
 }
diff --git a/infra/gromit.tf b/infra/gromit.tf
@@ -28,35 +28,6 @@ resource "aws_ssm_parameter" "tui_credentials" {
   value       = data.sops_file.secrets.data["tui_credentials"]
 }
 
-# API server for test UI
-module "tui" {
-  source = "./modules/fg-service"
-
-  cluster = aws_ecs_cluster.internal.arn
-  cdt     = "templates/cd-awsvpc.tpl"
-  # Container definition
-  cd = {
-    name      = "tui",
-    port      = 80,
-    log_group = "internal",
-    image     = var.gromit_image,
-    command   = ["--textlogs=false", "policy", "serve", "--save=/shared", "--port=:80"],
-    mounts = [
-      { src = "shared", dest = "/shared", readonly = false },
-    ],
-    env = [],
-    secrets = [
-      { name = "CREDENTIALS", valueFrom = aws_ssm_parameter.tui_credentials.arn }
-    ],
-    region = data.aws_region.current.name
-  }
-  trarn      = aws_iam_role.ter.arn
-  tearn      = aws_iam_role.ter.arn
-  vpc        = data.terraform_remote_state.base.outputs.vpc.id
-  subnets    = data.terraform_remote_state.base.outputs.vpc.public_subnets
-  volume_map = { shared = { fs_id = data.terraform_remote_state.base.outputs.shared_efs, root = "/tui" } }
-}
-
 # Refresh dash license
 module "licenser" {
   source = "./modules/fg-sched-task"
diff --git a/infra/modules/fg-service/main.tf b/infra/modules/fg-service/main.tf
@@ -28,16 +28,9 @@ resource "aws_ecs_task_definition" "td" {
 
 resource "aws_security_group" "sg" {
   name        = var.cd.name
-  description = "One TCP port from anywhere, full outbound access"
+  description = format("For service %s", var.cd.name)
   vpc_id      = var.vpc
 
-  ingress {
-    from_port   = var.cd.port
-    to_port     = var.cd.port
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
   egress {
     from_port   = 0
     to_port     = 0
@@ -46,6 +39,26 @@ resource "aws_security_group" "sg" {
   }
 }
 
+resource "aws_vpc_security_group_ingress_rule" "ing_port" {
+  security_group_id = aws_security_group.sg.id
+  cidr_ipv4         = "0.0.0.0/0"
+  from_port         = var.cd.port
+  to_port           = var.cd.port
+  ip_protocol       = "tcp"
+}
+
+data "aws_vpc" "vpc" {
+  id = var.vpc
+}
+
+resource "aws_vpc_security_group_ingress_rule" "efs" {
+  security_group_id = aws_security_group.sg.id
+  cidr_ipv4         = data.aws_vpc.vpc.cidr_block
+  from_port         = 2049
+  to_port           = 2049
+  ip_protocol       = "tcp"
+}
+
 resource "aws_ecs_service" "service" {
   name            = var.cd.name
   cluster         = var.cluster
@@ -56,6 +69,6 @@ resource "aws_ecs_service" "service" {
   network_configuration {
     subnets          = var.subnets
     security_groups  = [aws_security_group.sg.id]
-    assign_public_ip = true
+    assign_public_ip = var.public_ip
   }
 }
diff --git a/infra/modules/fg-service/outputs.tf b/infra/modules/fg-service/outputs.tf
@@ -0,0 +1,4 @@
+output "sg_id" {
+  value       = aws_security_group.sg.id
+  description = "security group id for the task, use in LB"
+}
diff --git a/infra/modules/fg-service/variables.tf b/infra/modules/fg-service/variables.tf
@@ -50,3 +50,9 @@ variable "volume_map" {
   description = "map of volume name to EFS id"
   type        = map(object({ fs_id = string, root = string }))
 }
+
+variable "public_ip" {
+  description = "assign public IP"
+  type        = bool
+  default     = false
+}
diff --git a/infra/tui.tf b/infra/tui.tf
@@ -0,0 +1,160 @@
+# tui.dev
+
+module "tui" {
+  source = "terraform-aws-modules/ecs/aws//modules/service"
+
+  name             = "tui"
+  cluster_arn      = aws_ecs_cluster.internal.arn
+  assign_public_ip = false
+  launch_type      = "FARGATE"
+
+  volume = {
+    tui_shared = {
+      efs_volume_configuration = {
+        file_system_id = data.terraform_remote_state.base.outputs.shared_efs
+        root_directory = "/tui"
+      }
+
+    }
+  }
+
+  cpu           = 256 # 0.25 vCPU
+  memory        = 512
+  desired_count = 1
+  container_definitions = {
+    tui = {
+      cpu     = 256
+      memory  = 512
+      image   = var.gromit_image
+      command = ["--textlogs=false", "policy", "serve", "--save=/shared", "--port=:80"]
+
+      environment = []
+      secrets = [
+        { name = "CREDENTIALS", valueFrom = aws_ssm_parameter.tui_credentials.arn }
+      ]
+      port_mappings = [
+        {
+          name          = "tui"
+          containerPort = 80
+          hostPort      = 80
+          protocol      = "tcp"
+        }
+      ]
+      mount_points = [
+        {
+          sourceVolume  = "tui_shared"
+          containerPath = "/shared"
+        }
+      ]
+      health_check = {
+        command     = ["CMD-SHELL", "curl -f http://localhost/ping || exit 1"]
+        interval    = 300
+        timeout     = 5
+        retries     = 3
+        startPeriod = 30
+      }
+      log_configuration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = "internal"
+          awslogs-region        = "eu-central-1"
+          awslogs-stream-prefix = "tui"
+        }
+      }
+    }
+  }
+  subnet_ids = data.terraform_remote_state.base.outputs.vpc.public_subnets
+  load_balancer = {
+    service = {
+      target_group_arn = aws_lb_target_group.tui.arn
+      container_name   = "tui"
+      container_port   = 80
+    }
+  }
+
+  create_task_exec_iam_role = false
+  create_task_exec_policy   = false
+  task_exec_iam_role_arn    = aws_iam_role.ter.arn
+  create_security_group     = false
+  security_group_ids        = [aws_security_group.tui.id]
+}
+
+resource "aws_security_group" "tui" {
+  name        = "tui"
+  description = "EFS, http"
+  vpc_id      = data.terraform_remote_state.base.outputs.vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "http" {
+  security_group_id = aws_security_group.tui.id
+  cidr_ipv4         = "0.0.0.0/0"
+  from_port         = 80
+  to_port           = 80
+  ip_protocol       = "tcp"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "efs_tui" {
+  security_group_id = aws_security_group.tui.id
+  cidr_ipv4         = data.terraform_remote_state.base.outputs.vpc.cidr
+  from_port         = 2049
+  to_port           = 2049
+  ip_protocol       = "tcp"
+}
+
+resource "aws_lb_target_group" "tui" {
+  name        = "tui"
+  port        = 80
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = data.terraform_remote_state.base.outputs.vpc.id
+}
+
+resource "aws_lb" "tui" {
+  name               = "tui"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.tui.id]
+  subnets            = data.terraform_remote_state.base.outputs.vpc.public_subnets
+
+  # FIXME: enable before making public
+  enable_deletion_protection = false
+
+  access_logs {
+    bucket  = data.terraform_remote_state.base.outputs.assets
+    prefix  = "tui-lb"
+    enabled = true
+  }
+
+  connection_logs {
+    bucket  = data.terraform_remote_state.base.outputs.assets
+    prefix  = "tui-lb"
+    enabled = true
+  }
+}
+
+resource "aws_lb_listener" "tui" {
+  load_balancer_arn = aws_lb.tui.arn
+  port              = "80"
+  protocol          = "HTTP"
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tui.arn
+  }
+}
+
+resource "aws_route53_record" "tui" {
+  zone_id = data.terraform_remote_state.base.outputs.dns.zone_id
+
+  name = "tui.internal"
+  type = "CNAME"
+  ttl  = "300"
+
+  records = [aws_lb.tui.dns_name]
+}
