service.tf
# Fargate task definition for the single Boomi Atom container.
resource "aws_ecs_task_definition" "task_definition" {
  family                   = var.application
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc" # required by Fargate; each task gets its own ENI
  cpu                      = 1024
  memory                   = 2048

  # The execution role is what the ECS agent uses to pull the image, resolve the
  # INSTALL_TOKEN secret and deliver logs. The same role is handed to the
  # container as its task role, so the Atom process itself holds those
  # permissions too (including secretsmanager:GetSecretValue on the token).
  # NOTE(review): a separate, narrower task role would keep execution-time
  # privileges out of the running container — confirm nothing depends on the
  # container calling AWS with this role before splitting them.
  execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
  task_role_arn      = aws_iam_role.ecs_task_execution_role.arn

  container_definitions = jsonencode([
    {
      name      = local.container_name
      image     = "boomi/atom:${var.atom_version}"
      essential = true

      # Non-sensitive settings travel as plain environment variables.
      environment = [
        { name = "BOOMI_ATOMNAME", value = var.atom_name },
        { name = "BOOMI_ENVIRONMENTID", value = var.boomi_environment_id },
        { name = "ATOM_LOCALHOSTID", value = var.atom_name },
      ]

      # The install token is referenced by ARN only, never embedded in the
      # task definition; ECS injects it at launch via the execution role.
      secrets = [
        { name = "INSTALL_TOKEN", valueFrom = module.secrets_manager.secret_arn },
      ]

      portMappings = [
        { containerPort = var.container_port },
      ]

      logConfiguration = {
        logDriver = "awslogs"
        options = {
          "awslogs-group"         = aws_cloudwatch_log_group.logs.name
          "awslogs-region"        = var.aws_region
          "awslogs-stream-prefix" = "ecs"
        }
      }
    },
  ])
}
# Dedicated security group for the Atom task. No ingress rules are declared, so
# this resource opens nothing inbound; egress is built from the
# atom_security_group_egress variable, one rule per entry.
resource "aws_security_group" "task_security_group" {
  name        = "${var.application}-task-sg"
  description = "Security group for the Atom ECS task"
  vpc_id      = module.vpc.vpc_id

  # The iterator alias keeps the rule fields visually distinct from the
  # "egress" block name.
  dynamic "egress" {
    for_each = var.atom_security_group_egress
    iterator = rule

    content {
      from_port   = rule.value.from_port
      to_port     = rule.value.to_port
      protocol    = rule.value.protocol
      cidr_blocks = rule.value.cidr_blocks
    }
  }
}
# Fargate service running one copy of the Atom task on the private subnets.
resource "aws_ecs_service" "service" {
  name            = "${var.application}-service"
  cluster         = module.ecs.cluster_id
  task_definition = aws_ecs_task_definition.task_definition.arn
  launch_type     = "FARGATE"
  desired_count   = 1

  network_configuration {
    subnets          = module.vpc.private_subnets
    assign_public_ip = false # tasks are reachable only inside the VPC

    # NOTE(review): the VPC default security group is attached next to the
    # dedicated task group. If the vpc module leaves AWS's default rules on it
    # (allow-all egress, allow-all from members), they widen whatever the
    # task_security_group egress list restricts — confirm how the module
    # manages the default group, or attach only the task group here.
    security_groups = [
      module.vpc.default_security_group_id,
      aws_security_group.task_security_group.id,
    ]
  }

  # desired_count is presumably adjusted outside Terraform (scaling or manual
  # changes), so drift on it must not produce a plan diff.
  lifecycle {
    ignore_changes = [desired_count]
  }
}
# Destination for the awslogs driver configured on the container.
resource "aws_cloudwatch_log_group" "logs" {
  # Bounded retention keeps task output from accumulating indefinitely.
  retention_in_days = var.retention_in_days
  name              = "/fargate/service/${var.application}"
}
# Role assumed by the ECS tasks service on behalf of the task (image pull,
# secret injection, log delivery). The task definition also uses it as the
# task role.
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = "${var.application}-execution-task-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json

  tags = {
    Environment = var.environment
    Name        = "${var.application}-iam-role"
  }
}
# Trust policy: only the ECS tasks service principal may assume the
# execution role.
# NOTE(review): the trust carries no aws:SourceAccount / aws:SourceArn
# condition, which AWS recommends on service-principal trusts to rule out
# cross-account confused-deputy use — consider adding one if the account id
# is available to this module.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
# Permissions the execution role needs to ship container output to the log
# group above. Scoped to streams under this task's group only; the group
# itself is created by Terraform, so logs:CreateLogGroup is not needed.
data "aws_iam_policy_document" "task_permissions" {
  statement {
    effect    = "Allow"
    resources = ["${aws_cloudwatch_log_group.logs.arn}:*"]

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
  }
}
# Managed policy wrapping the log-writing permissions document.
resource "aws_iam_policy" "task_permissions" {
  policy      = data.aws_iam_policy_document.task_permissions.json
  name        = "${var.application}-task-permissions"
  description = "Policy to allow ecs task execution role to write to cloudwatch logs"
}
# Grant the execution role the log-writing policy.
resource "aws_iam_role_policy_attachment" "ecs_task_execution_log_role_policy" {
  policy_arn = aws_iam_policy.task_permissions.arn
  role       = aws_iam_role.ecs_task_execution_role.name
}
# Read access to the Atom install-token secret for the execution role, limited
# to that one secret ARN. Despite the name, this grants Secrets Manager
# actions, not SSM Parameter Store access.
# NOTE(review): if the secret is encrypted with a customer-managed KMS key,
# the execution role also needs kms:Decrypt on that key — confirm against the
# secrets_manager module.
data "aws_iam_policy_document" "ssm_policy" {
  statement {
    effect    = "Allow"
    resources = [module.secrets_manager.secret_arn]

    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
    ]
  }
}
# Managed policy wrapping the secret-read permissions document.
resource "aws_iam_policy" "ssm_policy" {
  policy      = data.aws_iam_policy_document.ssm_policy.json
  name        = "${var.application}-ssm-policy"
  description = "Policy to allow ecs task execution role to read secrets manager secret"
}
# Grant the execution role the secret-read policy.
resource "aws_iam_role_policy_attachment" "ecs_task_execution_ssm_role_policy" {
  policy_arn = aws_iam_policy.ssm_policy.arn
  role       = aws_iam_role.ecs_task_execution_role.name
}