# ECR repository for the service image. Only created when
# var.create_repository is set; otherwise local.image_url (resolved elsewhere
# in this module) must point at an existing repository.
module "ecr" {
  source   = "terraform-aws-modules/ecr/aws"
  version  = "~> 2.2"
  for_each = var.create_repository ? toset(["this"]) : toset([])

  repository_name = local.prefix
  # Every pushed image is scanned for known vulnerabilities.
  repository_image_scan_on_push = true
  # Image layers are encrypted with the module's own CMK rather than the
  # ECR-managed key, so read access can also be gated by the key policy.
  repository_encryption_type = "KMS"
  repository_kms_key         = aws_kms_key.fargate.arn
  # Allow destroying a repository that still holds images. Intended for
  # non-production use; with it set, `terraform destroy` deletes the images.
  repository_force_delete = var.force_delete
  # IMMUTABLE is the safer default for supply-chain integrity: an existing tag
  # cannot be overwritten with a different image. Set var.image_tags_mutable
  # only where a floating tag (e.g. "latest") is genuinely required.
  repository_image_tag_mutability = var.image_tags_mutable ? "MUTABLE" : "IMMUTABLE"
  # Lifecycle policy is authored as YAML in templates/ and converted to the
  # JSON ECR expects. Presumably it expires untagged images after
  # var.untagged_image_retention days — confirm against the template.
  repository_lifecycle_policy = jsonencode(yamldecode(templatefile(
    "${path.module}/templates/repository-lifecycle.yaml.tftpl", {
      untagged_image_retention : var.untagged_image_retention
    }
  )))

  tags = var.tags
}
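# Optional SSM parameter recording the image tag deployed for this service.
# Only created when var.create_version_parameter is set.
resource "aws_ssm_parameter" "version" {
  # toset([]) matches the empty branch used by the other conditional for_each
  # blocks in this file; a bare [] also converts, but keeping one form avoids
  # surprises when the branches are edited later.
  for_each = var.create_version_parameter ? toset(["this"]) : toset([])

  name        = "/${var.project}/${var.environment}/${var.service}/version"
  description = "Current version of ${var.project} - ${var.environment} ${var.service}"
  type        = "String"
  # insecure_value is deliberate: an image tag is not a secret, and this keeps
  # the value readable in plan output. Do not copy this pattern for anything
  # sensitive — use `value` with type = "SecureString" instead.
  insecure_value = var.image_tag
  tags           = var.tags

  lifecycle {
    # The parameter is presumably updated out of band by the deployment
    # pipeline (TODO confirm); ignoring changes stops Terraform from
    # reverting it to var.image_tag on the next apply.
    ignore_changes = [insecure_value]
  }
}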
# Prefix lists can be pretty big and count towards the security group rule
# limit. To avoid hitting that limit, we create a dedicated security group
# that only has rules for the prefix lists on port 443.
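# Dedicated group for prefix-list sources, HTTPS only. Only created when at
# least one prefix list is supplied; attached alongside endpoint_security_group
# so the (potentially large) prefix lists do not eat into that group's rule
# quota.
module "prefix_security_group" {
  source   = "terraform-aws-modules/security-group/aws"
  version  = "~> 5.1"
  for_each = length(var.ingress_prefix_list_ids) > 0 ? toset(["this"]) : toset([])

  name        = "${local.prefix}-endpoint-prefix"
  description = "Prefix list access for the ${var.project} load balancer."
  vpc_id      = var.vpc_id

  # Prefix-list sources only reach the HTTPS listener; no port 80 here.
  # No egress is declared in this block — whatever the module version
  # creates by default applies, so confirm if egress from this group matters.
  ingress_prefix_list_ids = var.ingress_prefix_list_ids
  ingress_rules           = ["https-443-tcp"]

  # Tagged like every other resource in this file; previously this was the
  # only untagged security group, which breaks tag-based ownership/cost
  # reporting. Adding tags is an in-place update (no replacement).
  tags = var.tags
}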
# If this is a public load balancer, ingress on 80/443 must be open to any
# IPv4 source (0.0.0.0/0); the trivy finding below is suppressed for that reason.
#trivy:ignore:avd-aws-0107
# Security group for the load balancer listeners (the "endpoint").
# Ingress: 80 and 443 from either the whole internet (var.public) or the
# VPC CIDR, plus any extra CIDRs in var.ingress_cidrs. Egress: anything
# inside the VPC (the targets), and 443 to anywhere only when OIDC is on.
module "endpoint_security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 5.1"

  name        = "${local.prefix}-endpoint"
  description = "Access for the ${var.project} load balancer."
  vpc_id      = var.vpc_id

  # Ingress for HTTP and HTTPS. Port 80 is opened as well as 443; that is
  # only acceptable if the ALB's HTTP listener redirects to HTTPS rather
  # than forwarding — the listeners are defined outside this file, so
  # confirm. When var.public is set the extra var.ingress_cidrs are
  # redundant (already covered by 0.0.0.0/0) but harmless.
  ingress_cidr_blocks = concat(
    [var.public ? "0.0.0.0/0" : data.aws_vpc.current.cidr_block],
    var.ingress_cidrs
  )
  ingress_rules = ["http-80-tcp", "https-443-tcp"]

  # Allow all egress — but only to the VPC CIDR, which is where the ECS
  # targets live. IPv6 egress is explicitly empty so the module does not
  # fall back to a default ::/0 block.
  egress_cidr_blocks      = [data.aws_vpc.current.cidr_block]
  egress_rules            = ["all-all"]
  egress_ipv6_cidr_blocks = []
  # ALB OIDC authentication has the load balancer itself call the identity
  # provider (token and userinfo endpoints), so it needs outbound 443 to the
  # internet. 0.0.0.0/0 is used because IdP addresses are not fixed; narrow
  # this to the IdP's published ranges / a prefix list if one exists.
  egress_with_cidr_blocks = var.oidc_settings == null ? [] : [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      description = "IdP access for OIDC authentication."
      cidr_blocks = "0.0.0.0/0"
    }
  ]

  tags = var.tags
}
# TODO: Determine how we can best restrict the egress rules.
#trivy:ignore:avd-aws-0104
# Security group for the ECS tasks. The only ingress is the container port
# from the load balancer's security group; egress is currently unrestricted
# (see the TODO above this block).
module "task_security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 5.1"
  # NOTE(review): this is redundant — the ingress rule below already
  # references module.endpoint_security_group.security_group_id, which gives
  # Terraform the same dependency edge. Harmless, but can be dropped.
  depends_on = [module.endpoint_security_group.security_group_id]

  # NOTE(review): same `name` as endpoint_security_group. This only works
  # because the module (presumably, with use_name_prefix at its default)
  # appends a unique suffix; the resulting groups are hard to tell apart in
  # the console. Renaming to "${local.prefix}-task" would force the group to
  # be replaced, so do it in a deliberate change, not as a drive-by.
  name   = "${local.prefix}-endpoint"
  vpc_id = var.vpc_id

  # Only the load balancer's security group may reach the container port.
  ingress_with_source_security_group_id = [{
    from_port                = var.container_port
    to_port                  = var.container_port
    protocol                 = "tcp"
    description              = "${var.service} access from the load balancer."
    source_security_group_id = module.endpoint_security_group.security_group_id
  }]

  # Allow all egress, IPv4 and IPv6. Tasks need at least ECR, CloudWatch
  # Logs and SSM (for secrets / ECS Exec); if those are reachable via VPC
  # endpoints, egress could be limited to the VPC CIDR plus whatever the
  # application itself calls out to — verify before tightening.
  egress_cidr_blocks      = ["0.0.0.0/0"]
  egress_ipv6_cidr_blocks = ["::/0"]
  egress_rules            = ["all-all"]

  tags = var.tags
}
# ECS cluster for the service. Fargate only (no FARGATE_SPOT capacity
# provider is registered), with Container Insights always on and the
# enhanced variant behind a variable.
module "ecs" {
  source  = "HENNGE/ecs/aws"
  version = "~> 5.5"

  name                        = local.prefix
  capacity_providers          = ["FARGATE"]
  enable_container_insights   = true
  container_insights_enhanced = var.enable_container_insights_enhanced

  tags = var.tags
}
# Fargate service plus task definition. The container definitions are
# rendered from a YAML template (converted to the JSON ECS expects) and
# include, besides the application container, an OpenTelemetry collector and
# optionally the AppConfig agent, judging by the template inputs below.
module "ecs_service" {
  source     = "HENNGE/ecs/aws//modules/simple/fargate"
  version    = "~> 5.5"
  depends_on = [module.alb, module.ecs]

  name           = local.prefix
  cluster        = module.ecs.arn
  container_port = var.container_port
  container_name = local.prefix
  cpu            = var.cpu
  memory         = var.memory
  desired_count  = var.desired_containers
  # Tasks are placed in private subnets only; they are reached through the
  # load balancer.
  vpc_subnets = var.private_subnets
  # No target group when the service has no endpoint (module.alb is defined
  # outside this file).
  target_group_arn = var.create_endpoint ? module.alb["this"].target_groups["endpoint"].arn : null
  security_groups  = [module.task_security_group.security_group_id]
  # Execution role: pulls the image, writes logs, resolves secrets.
  # Task role: what the application itself may call. Both defined elsewhere.
  iam_daemon_role = aws_iam_role.execution.arn
  iam_task_role   = aws_iam_role.task.arn
  # ECS Exec gives an interactive shell inside running containers via SSM.
  # Treat it as break-glass: keep it off outside development, and make sure
  # session logging is configured (not visible here — confirm).
  enable_execute_command            = var.enable_execute_command
  health_check_grace_period_seconds = var.health_check_grace_period
  force_delete                      = var.force_delete
  # Circuit breaker: exactly one of the two flags is set when
  # var.enable_circuit_breaker is true, chosen by the rollback variable.
  enable_deployment_circuit_breaker_with_rollback    = var.enable_circuit_breaker && var.enable_circuit_breaker_rollback
  enable_deployment_circuit_breaker_without_rollback = var.enable_circuit_breaker && !var.enable_circuit_breaker_rollback
  force_new_deployment                               = var.force_new_deployment
  # plantimestamp() changes on every plan, so with force_new_deployment set
  # the service shows a diff (and redeploys) on every apply.
  triggers              = { redeploy = var.force_new_deployment ? plantimestamp() : "false" }
  wait_for_steady_state = var.wait_for_steady_state

  container_definitions = jsonencode(yamldecode(templatefile(
    "${path.module}/templates/container_definitions.yaml.tftpl", {
      name = local.prefix
      # Application container gets the task size minus a fixed reservation —
      # presumably headroom for the sidecars (OTel collector, AppConfig
      # agent). var.cpu/var.memory must therefore exceed 256/512 — confirm the
      # variables enforce that.
      cpu                      = var.cpu - 256
      memory                   = var.memory - 512
      image                    = "${local.image_url}:${local.image_tag}"
      container_command        = var.container_command
      container_port           = var.container_port
      log_group                = aws_cloudwatch_log_group.this["service"].name
      region                   = data.aws_region.current.name
      namespace                = "${var.project}/${var.service}"
      env_vars                 = var.environment_variables
      otel_log_level           = var.otel_log_level
      otel_secrets             = var.otel_secrets
      otel_ssm_arn             = aws_ssm_parameter.otel_config.arn
      otel_version             = var.otel_collector_version
      volumes                  = var.volumes
      enable_appconfig_agent   = var.enable_appconfig_agent
      appconfig_agent_version  = var.appconfig_agent_version
      appconfig_agent_port     = var.appconfig_agent_port
      appconfig_agent_env_vars = var.appconfig_agent_environment_variables
      # Split defined secrets on ":" and use the name to get the arn.
      # Two input forms are accepted:
      #   - a full ARN: passed through; if it has more than 7 ":"-separated
      #     parts (i.e. a JSON key is already appended), "::" is added so the
      #     version-stage / version-id fields are explicitly empty.
      #   - "<secret-name>:<json-key>": the name indexes module.secrets_manager
      #     and the ARN is assembled as "<arn>:<json-key>::".
      # A non-ARN value without a ":" fails at plan time (index [1] out of
      # range), so a JSON key is effectively mandatory in the short form.
      env_secrets = {
        for key, value in var.environment_secrets :
        key => split(":", value)[0] == "arn"
        ? (length(split(":", value)) > 7 ? "${value}::" : value)
        : "${module.secrets_manager[split(":", value)[0]].secret_arn}:${split(":", value)[1]}::"
      }
    }
  )))

  # One EFS mount per entry in var.volumes, keyed by name. Data in transit is
  # encrypted; note that the whole filesystem root is mounted and no
  # authorization_config / access point is set here, so access is governed
  # by POSIX permissions rather than IAM unless the module adds one — confirm.
  task_volume_configurations = [for k, v in var.volumes : {
    name = k
    efs_volume_configuration = {
      file_system_id        = module.efs[k].id
      root_directory        = "/"
      transition_encryption = "ENABLED"
    }
    }
  ]

  tags = var.tags
}