terraform ui module

Author: oavdeev

aws/terraform/modules/metaflow/README.md

@@ -22,6 +22,7 @@ This module requires an Amazon VPC to be set up by the module user beforehand. T
 | <a name="module_metaflow-datastore"></a> [metaflow-datastore](#module\_metaflow-datastore) | ./modules/datastore | n/a |
 | <a name="module_metaflow-metadata-service"></a> [metaflow-metadata-service](#module\_metaflow-metadata-service) | ./modules/metadata-service | n/a |
 | <a name="module_metaflow-step-functions"></a> [metaflow-step-functions](#module\_metaflow-step-functions) | ./modules/step-functions | n/a |
+| <a name="module_metaflow-ui"></a> [metaflow-ui](#module\_metaflow-ui) | ./modules/ui | n/a |
 
 ## Inputs
 
@@ -36,12 +37,15 @@ This module requires an Amazon VPC to be set up by the module user beforehand. T
 | <a name="input_compute_environment_min_vcpus"></a> [compute\_environment\_min\_vcpus](#input\_compute\_environment\_min\_vcpus) | Minimum VCPUs for Batch Compute Environment [0-16] for EC2 Batch Compute Environment (ignored for Fargate) | `number` | `8` | no |
 | <a name="input_enable_custom_batch_container_registry"></a> [enable\_custom\_batch\_container\_registry](#input\_enable\_custom\_batch\_container\_registry) | Provisions infrastructure for custom Amazon ECR container registry if enabled | `bool` | `false` | no |
 | <a name="input_enable_step_functions"></a> [enable\_step\_functions](#input\_enable\_step\_functions) | Provisions infrastructure for step functions if enabled | `bool` | n/a | yes |
+| <a name="input_extra_ui_backend_env_vars"></a> [extra\_ui\_backend\_env\_vars](#input\_extra\_ui\_backend\_env\_vars) | Additional environment variables for UI backend container | `map(string)` | `{}` | no |
+| <a name="input_extra_ui_static_env_vars"></a> [extra\_ui\_static\_env\_vars](#input\_extra\_ui\_static\_env\_vars) | Additional environment variables for UI static app | `map(string)` | `{}` | no |
 | <a name="input_iam_partition"></a> [iam\_partition](#input\_iam\_partition) | IAM Partition (Select aws-us-gov for AWS GovCloud, otherwise leave as is) | `string` | `"aws"` | no |
 | <a name="input_resource_prefix"></a> [resource\_prefix](#input\_resource\_prefix) | string prefix for all resources | `string` | `"metaflow"` | no |
 | <a name="input_resource_suffix"></a> [resource\_suffix](#input\_resource\_suffix) | string suffix for all resources | `string` | `""` | no |
 | <a name="input_subnet1_id"></a> [subnet1\_id](#input\_subnet1\_id) | First subnet used for availability zone redundancy | `string` | n/a | yes |
 | <a name="input_subnet2_id"></a> [subnet2\_id](#input\_subnet2\_id) | Second subnet used for availability zone redundancy | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | aws tags | `map(string)` | n/a | yes |
+| <a name="input_ui_certificate_arn"></a> [ui\_certificate\_arn](#input\_ui\_certificate\_arn) | SSL certificate for UI | `string` | n/a | yes |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The VPC CIDR block that we'll access list on our Metadata Service API to allow all internal communications | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The id of the single VPC we stood up for all Metaflow resources to exist in. | `string` | n/a | yes |
 
@@ -67,4 +71,5 @@ This module requires an Amazon VPC to be set up by the module user beforehand. T
 | <a name="output_metaflow_s3_bucket_arn"></a> [metaflow\_s3\_bucket\_arn](#output\_metaflow\_s3\_bucket\_arn) | The ARN of the bucket we'll be using as blob storage |
 | <a name="output_metaflow_s3_bucket_name"></a> [metaflow\_s3\_bucket\_name](#output\_metaflow\_s3\_bucket\_name) | The name of the bucket we'll be using as blob storage |
 | <a name="output_migration_function_arn"></a> [migration\_function\_arn](#output\_migration\_function\_arn) | ARN of DB Migration Function |
+| <a name="output_ui_alb_dns_name"></a> [ui\_alb\_dns\_name](#output\_ui\_alb\_dns\_name) | UI ALB DNS name |
 <!-- END_TF_DOCS -->

aws/terraform/modules/metaflow/main.tf

@@ -37,6 +37,33 @@ module "metaflow-metadata-service" {
   standard_tags = var.tags
 }
 
+module "metaflow-ui" {
+  source = "./modules/ui"
+
+  resource_prefix = local.resource_prefix
+  resource_suffix = local.resource_suffix
+
+  database_password               = module.metaflow-datastore.database_password
+  database_username               = module.metaflow-datastore.database_username
+  datastore_s3_bucket_kms_key_arn = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+  fargate_execution_role_arn      = module.metaflow-computation.ecs_execution_role_arn
+  iam_partition                   = var.iam_partition
+  metaflow_vpc_id                 = var.vpc_id
+  rds_master_instance_endpoint    = module.metaflow-datastore.rds_master_instance_endpoint
+  s3_bucket_arn                   = module.metaflow-datastore.s3_bucket_arn
+  subnet1_id                      = var.subnet1_id
+  subnet2_id                      = var.subnet2_id
+  vpc_cidr_block                  = var.vpc_cidr_block
+
+  METAFLOW_DATASTORE_SYSROOT_S3   = module.metaflow-datastore.METAFLOW_DATASTORE_SYSROOT_S3
+  certificate_arn = var.ui_certificate_arn
+  metadata_service_security_group_id  = module.metaflow-metadata-service.metadata_service_security_group_id
+
+  extra_ui_static_env_vars = var.extra_ui_static_env_vars
+  extra_ui_backend_env_vars = var.extra_ui_backend_env_vars
+  standard_tags = var.tags
+}
+
 module "metaflow-computation" {
   source = "./modules/computation"
 

aws/terraform/modules/metaflow/modules/metadata-service/iam.tf

@@ -47,11 +47,13 @@ data "aws_iam_policy_document" "custom_s3_batch" {
     effect = "Allow"
 
     actions = [
-      "s3:GetObject"
+      "s3:GetObject",
+      "s3:ListBucket"
     ]
 
     resources = [
-      "${var.s3_bucket_arn}/*"
+      "${var.s3_bucket_arn}/*",
+      "${var.s3_bucket_arn}"
     ]
   }
 }

aws/terraform/modules/metaflow/modules/step-functions/README.md

@@ -1,6 +1,6 @@
 # Step Functions configuration for Metaflow
 
-This module sets up the infrastructure to use AWS Step Functions with Metaflow. 
+This module sets up the infrastructure to use AWS Step Functions with Metaflow.
 
 This builds on top of the functionality provided by the `computation` module, which allows to execute Metaflow step code on AWS Batch. If you use `computation` module alone, the orchestration is done by the Metaflow task scheduler that itself needs to runs somewhere (often, your laptop, or a dedicated server). Step Functions support in Metaflow allows you to replace that scheduler by compiling your Flows to a AWS Step Functions State Machine, and deploying it to AWS.
 

aws/terraform/modules/metaflow/modules/ui/README.md

@@ -0,0 +1,38 @@
+# UI
+
+Metaflow operational UI
+
+<!-- BEGIN_TF_DOCS -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_METAFLOW_DATASTORE_SYSROOT_S3"></a> [METAFLOW\_DATASTORE\_SYSROOT\_S3](#input\_METAFLOW\_DATASTORE\_SYSROOT\_S3) | METAFLOW\_DATASTORE\_SYSROOT\_S3 value | `string` | n/a | yes |
+| <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | SSL certificate ARN | `string` | n/a | yes |
+| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The database password | `string` | n/a | yes |
+| <a name="input_database_username"></a> [database\_username](#input\_database\_username) | The database username | `string` | n/a | yes |
+| <a name="input_datastore_s3_bucket_kms_key_arn"></a> [datastore\_s3\_bucket\_kms\_key\_arn](#input\_datastore\_s3\_bucket\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the Metaflow datastore S3 bucket | `string` | n/a | yes |
+| <a name="input_extra_ui_backend_env_vars"></a> [extra\_ui\_backend\_env\_vars](#input\_extra\_ui\_backend\_env\_vars) | Additional environment variables for UI backend container | `map(string)` | `{}` | no |
+| <a name="input_extra_ui_static_env_vars"></a> [extra\_ui\_static\_env\_vars](#input\_extra\_ui\_static\_env\_vars) | Additional environment variables for UI static app | `map(string)` | `{}` | no |
+| <a name="input_fargate_execution_role_arn"></a> [fargate\_execution\_role\_arn](#input\_fargate\_execution\_role\_arn) | The IAM role that grants access to ECS and Batch services which we'll use as our Metadata Service API's execution\_role for our Fargate instance | `string` | n/a | yes |
+| <a name="input_iam_partition"></a> [iam\_partition](#input\_iam\_partition) | IAM Partition (Select aws-us-gov for AWS GovCloud, otherwise leave as is) | `string` | `"aws"` | no |
+| <a name="input_is_gov"></a> [is\_gov](#input\_is\_gov) | Set to true if IAM partition is 'aws-us-gov' | `bool` | `false` | no |
+| <a name="input_metadata_service_security_group_id"></a> [metadata\_service\_security\_group\_id](#input\_metadata\_service\_security\_group\_id) | The security group ID used by the MetaData service. We'll grant this access to our DB. | `string` | n/a | yes |
+| <a name="input_metaflow_vpc_id"></a> [metaflow\_vpc\_id](#input\_metaflow\_vpc\_id) | ID of the Metaflow VPC this SageMaker notebook instance is to be deployed in | `string` | n/a | yes |
+| <a name="input_rds_master_instance_endpoint"></a> [rds\_master\_instance\_endpoint](#input\_rds\_master\_instance\_endpoint) | The database connection endpoint in address:port format | `string` | n/a | yes |
+| <a name="input_resource_prefix"></a> [resource\_prefix](#input\_resource\_prefix) | Prefix given to all AWS resources to differentiate between applications | `string` | n/a | yes |
+| <a name="input_resource_suffix"></a> [resource\_suffix](#input\_resource\_suffix) | Suffix given to all AWS resources to differentiate between environment and workspace | `string` | n/a | yes |
+| <a name="input_s3_bucket_arn"></a> [s3\_bucket\_arn](#input\_s3\_bucket\_arn) | The ARN of the bucket we'll be using as blob storage | `string` | n/a | yes |
+| <a name="input_standard_tags"></a> [standard\_tags](#input\_standard\_tags) | The standard tags to apply to every AWS resource. | `map(string)` | n/a | yes |
+| <a name="input_subnet1_id"></a> [subnet1\_id](#input\_subnet1\_id) | First private subnet used for availability zone redundancy | `string` | n/a | yes |
+| <a name="input_subnet2_id"></a> [subnet2\_id](#input\_subnet2\_id) | Second private subnet used for availability zone redundancy | `string` | n/a | yes |
+| <a name="input_ui_backend_container_image"></a> [ui\_backend\_container\_image](#input\_ui\_backend\_container\_image) | Container image for UI backend | `string` | `"netflixoss/metaflow_metadata_service:2.1.0"` | no |
+| <a name="input_ui_static_container_image"></a> [ui\_static\_container\_image](#input\_ui\_static\_container\_image) | Container image for UI static app | `string` | `"public.ecr.aws/outerbounds/metaflow_ui:v1.0.1"` | no |
+| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The VPC CIDR block that we'll access list on our Metadata Service API to allow all internal communications | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_alb_dns_name"></a> [alb\_dns\_name](#output\_alb\_dns\_name) | UI ALB DNS name |
+<!-- END_TF_DOCS -->

aws/terraform/modules/metaflow/modules/ui/cloudwatch.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "this" {
+  name = "${var.resource_prefix}ui${var.resource_suffix}"
+
+  tags = var.standard_tags
+}

aws/terraform/modules/metaflow/modules/ui/data.tf

@@ -0,0 +1,8 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_security_group" "vpc_default" {
+  name   = "default"
+  vpc_id = var.metaflow_vpc_id
+}

aws/terraform/modules/metaflow/modules/ui/ec2.tf

@@ -0,0 +1,144 @@
+resource "aws_security_group" "fargate_security_group" {
+  name        = local.ui_backend_security_group_name
+  description = "Security Group for Fargate which runs the UI Backend."
+  vpc_id      = var.metaflow_vpc_id
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    security_groups = [ aws_security_group.ui_lb_security_group.id ]
+  }
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    self        = true
+    description = "Internal communication"
+  }
+
+  # egress to anywhere
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1" # all
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all external communication"
+  }
+
+  tags = merge(
+    var.standard_tags,
+    {
+      Metaflow = "true"
+    }
+  )
+}
+
+resource "aws_security_group" "ui_lb_security_group" {
+  name        = local.alb_security_group_name
+  description = "Security Group for ALB"
+  vpc_id      = var.metaflow_vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow public HTTPS"
+  }
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    self        = true
+    description = "Internal communication"
+  }
+
+  # egress to anywhere
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1" # all
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all external communication"
+  }
+
+  tags = merge(
+    var.standard_tags,
+    {
+      Metaflow = "true"
+    }
+  )
+}
+
+resource "aws_lb" "this" {
+  name               = "${var.resource_prefix}alb${var.resource_suffix}"
+  internal           = false
+  load_balancer_type = "application"
+  subnets            = [var.subnet1_id, var.subnet2_id]
+  security_groups =  [
+    aws_security_group.ui_lb_security_group.id
+  ]
+
+  tags = var.standard_tags
+}
+
+resource "aws_lb_target_group" "ui_backend" {
+  name        = "${var.resource_prefix}ui-backend${var.resource_suffix}"
+  port        = 8083
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = var.metaflow_vpc_id
+
+  health_check {
+    protocol            = "HTTP"
+    port                = 8083
+    path = "/api/ping"
+    interval            = 10
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+  }
+
+  tags = var.standard_tags
+}
+
+resource "aws_lb_target_group" "ui_static" {
+  name        = "${var.resource_prefix}ui-static${var.resource_suffix}"
+  port        = 3000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = var.metaflow_vpc_id
+  tags = var.standard_tags
+}
+
+resource "aws_lb_listener" "this" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = "443"
+  protocol          = "HTTPS"
+
+  certificate_arn = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ui_static.id
+    order = 100
+  }
+}
+
+resource "aws_lb_listener_rule" "ui_backend" {
+  listener_arn = aws_lb_listener.this.arn
+  priority     = 1
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ui_backend.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/api/*"]
+    }
+  }
+}

aws/terraform/modules/metaflow/modules/ui/ecs.tf

@@ -0,0 +1,11 @@
+resource "aws_ecs_cluster" "this" {
+  name = local.ecs_cluster_name
+
+  tags = merge(
+    var.standard_tags,
+    {
+      Name     = local.ecs_cluster_name
+      Metaflow = "true"
+    }
+  )
+}

aws/terraform/modules/metaflow/modules/ui/ecs_ui_backend.tf

@@ -0,0 +1,73 @@
+
+resource "aws_ecs_task_definition" "ui_backend" {
+  family = "${var.resource_prefix}ui_backend${var.resource_suffix}" # Unique name for task definition
+
+  container_definitions = jsonencode([
+    {
+      name      = "${var.resource_prefix}ui_backend${var.resource_suffix}"
+      image     = var.ui_backend_container_image
+      essential = true
+      cpu       = 2048
+      memory    = 16384
+      portMappings = [
+        {
+          containerPort = 8083
+          hostPort      = 8083
+        }
+      ]
+      environment = [for k, v in merge(local.default_ui_backend_env_vars, var.extra_ui_backend_env_vars): {name = k, value=v}]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group" : "${aws_cloudwatch_log_group.this.name}"
+          "awslogs-region" : "${data.aws_region.current.name}"
+          "awslogs-stream-prefix" : "ui_backend"
+        }
+      }
+    }
+  ])
+
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  task_role_arn            = aws_iam_role.metadata_ui_ecs_task_role.arn
+  execution_role_arn       = var.fargate_execution_role_arn
+  cpu                      = 2048
+  memory                   = 16384
+
+  ephemeral_storage {
+    size_in_gib = 100
+  }
+
+  tags = merge(
+    var.standard_tags,
+    {
+      Metaflow = "true"
+    }
+  )
+}
+
+resource "aws_ecs_service" "ui_backend" {
+  name            = "${var.resource_prefix}ui_backend${var.resource_suffix}"
+  cluster         = aws_ecs_cluster.this.id
+  task_definition = aws_ecs_task_definition.ui_backend.arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups  = [aws_security_group.fargate_security_group.id, var.metadata_service_security_group_id]
+    assign_public_ip = true
+    subnets          = [var.subnet1_id, var.subnet2_id]
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.ui_backend.arn
+    container_name   = "${var.resource_prefix}ui_backend${var.resource_suffix}"
+    container_port   = 8083
+  }
+
+  lifecycle {
+    ignore_changes = [desired_count]
+  }
+
+  tags = var.standard_tags
+}