From 171a3526a8414fdb82649a0ff8084fe5449ce672 Mon Sep 17 00:00:00 2001 From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Mon, 15 Jul 2024 22:16:28 +0900 Subject: [PATCH 1/8] =?UTF-8?q?Feature/ecs=E3=81=AE=E5=AE=9A=E7=BE=A9?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3=20(#20)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 --- modules/ecs/main.tf | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/modules/ecs/main.tf b/modules/ecs/main.tf index f522c28..989ebb6 100644 --- a/modules/ecs/main.tf +++ b/modules/ecs/main.tf @@ -166,6 +166,29 @@ resource "aws_lb_listener" "app" { } } +resource "aws_iam_role" "ecs_service_linked_role" { + name = "${var.project_name}-ecs-service-role" + assume_role_policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "ecs.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + EOF +} + +resource "aws_iam_role_policy_attachment" "ecs_service_linked_role_attachment" { + role = aws_iam_role.ecs_service_linked_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSServiceRolePolicy" +} + resource "aws_ecs_service" "this" { for_each = aws_ecs_task_definition.ecs_task_definitions name = "${var.project_name}-${each.key}-service" From 62df69a164de6191586b06d69f1da9751daba772 Mon Sep 17 00:00:00 2001 
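Review bot: The `InvalidParameterException: Unable to assume the service linked role` quoted in the commit message is about the ECS service-linked role `AWSServiceRoleForECS`, and the hand-built `aws_iam_role.ecs_service_linked_role` added here does not create it — that takes `resource "aws_iam_service_linked_role" "ecs" { aws_service_name = "ecs.amazonaws.com" }` (or `iam:CreateServiceLinkedRole` for the principal running the apply). What the hunk does add is a standalone role with the broad `AmazonECSServiceRolePolicy` managed policy attached, and no resource in this hunk references that role, so it widens the account's IAM surface without addressing the first-apply failure. If the role is meant as a classic ECS service role for load-balancer registration, its trust policy should also carry a confused-deputy guard such as `"Condition": {"StringEquals": {"aws:SourceAccount": "<account-id>"}}`; confirm against the current ECS confused-deputy guidance that the `ecs.amazonaws.com` principal honors that key before relying on it.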
From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Mon, 15 Jul 2024 22:31:15 +0900 Subject: [PATCH 2/8] =?UTF-8?q?Feature/ecs=E3=81=AE=E5=AE=9A=E7=BE=A9?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3=20(#21)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 --- modules/ecs/main.tf | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/modules/ecs/main.tf b/modules/ecs/main.tf index 989ebb6..00f96d6 100644 --- a/modules/ecs/main.tf +++ b/modules/ecs/main.tf 
@@ -184,9 +184,44 @@ resource "aws_iam_role" "ecs_service_linked_role" { EOF } +resource "aws_iam_policy" "ecs_custom_service_policy" { + name = "${var.project_name}-ecs-service-policy" + description = "Custom policy for ECS service role" + policy = jsonencode({ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecs:CreateCluster", + "ecs:DeleteCluster", + "ecs:DeregisterContainerInstance", + "ecs:DiscoverPollEndpoint", + "ecs:Poll", + "ecs:RegisterContainerInstance", + "ecs:StartTelemetrySession", + "ecs:Submit*", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:Describe*", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:Describe*", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "*" + } + ] + }) +} + resource "aws_iam_role_policy_attachment" "ecs_service_linked_role_attachment" { role = aws_iam_role.ecs_service_linked_role.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSServiceRolePolicy" + policy_arn = aws_iam_policy.ecs_custom_service_policy.arn } resource "aws_ecs_service" "this" { From d438235c17c5da7eddefd45d9935d3e441e6aaca Mon Sep 17 00:00:00 2001 From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Mon, 15 Jul 2024 22:45:38 +0900 Subject: [PATCH 3/8] =?UTF-8?q?Feature/ecs=E3=81=AE=E5=AE=9A=E7=BE=A9?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3=20(#22)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 * iam_roleを追加 --- modules/ecs/main.tf | 1 + 1 file changed, 1 insertion(+) 
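Review bot: The new `aws_iam_policy.ecs_custom_service_policy` grants `ec2:AuthorizeSecurityGroupIngress`, `ecs:CreateCluster` and `ecs:DeleteCluster` on `"Resource": "*"`, which lets anything assuming this role open ingress on every security group and delete every ECS cluster in the account, although the role is trusted only by `ecs.amazonaws.com` and exists for load-balancer registration. Most of the remaining actions (`ecs:Poll`, `ecs:RegisterContainerInstance`, `ecs:StartTelemetrySession`, the `ecr:*` reads, `logs:CreateLogStream`/`logs:PutLogEvents`) are container-agent and task-execution permissions that belong on the instance profile or execution role, so on a service role they are dead weight. Conversely the service registers into a target group (the `load_balancer { target_group_arn = aws_lb_target_group.app.arn }` block visible in the next patch), and target-group registration uses `elasticloadbalancing:RegisterTargets`/`DeregisterTargets`, which this policy omits in favour of the classic-ELB `RegisterInstancesWithLoadBalancer` pair. I would cut the policy down to the target-group actions scoped to that ARN plus the unscoped `Describe*` calls, and if `ec2:AuthorizeSecurityGroupIngress` turns out to be required for this setup, limit its `Resource` to the service's security group rather than `*`.
```hcl
resource "aws_iam_policy" "ecs_custom_service_policy" {
  name        = "${var.project_name}-ecs-service-policy"
  description = "Custom policy for ECS service role"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Target-group registration for the service's load_balancer block.
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets",
        ]
        Resource = aws_lb_target_group.app.arn
      },
      {
        # Describe calls do not support resource-level scoping.
        Effect = "Allow"
        Action = [
          "ec2:Describe*",
          "elasticloadbalancing:Describe*",
        ]
        Resource = "*"
      },
    ]
  })
}
```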
diff --git a/modules/ecs/main.tf b/modules/ecs/main.tf index 00f96d6..d29fcbb 100644 --- a/modules/ecs/main.tf +++ b/modules/ecs/main.tf @@ -231,6 +231,7 @@ resource "aws_ecs_service" "this" { task_definition = each.value.arn desired_count = 1 launch_type = "EC2" + iam_role = aws_iam_role.ecs_service_linked_role.arn load_balancer { target_group_arn = aws_lb_target_group.app.arn From 338a248b95e6f9535c1bec7b005d9dff0cb6307e Mon Sep 17 00:00:00 2001 From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Mon, 15 Jul 2024 22:50:42 +0900 Subject: [PATCH 4/8] =?UTF-8?q?Feature/ecs=E3=81=AE=E5=AE=9A=E7=BE=A9?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3=20(#23)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 * iam_roleを追加 * 一度リソースを削除してみる --- environments/prod/tokyo/collects.yaml | 30 +++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/environments/prod/tokyo/collects.yaml b/environments/prod/tokyo/collects.yaml index 92323a7..b9a05aa 100644 --- a/environments/prod/tokyo/collects.yaml +++ b/environments/prod/tokyo/collects.yaml @@ -1,19 +1,19 @@ collects: { - binance: { - # spot: [ - # "btcjpy", - # "btcusdt", - # "ethjpy", - # "ethusdt", - # "soljpy" - # "solusdt", - # ], - usdt_perpetual: [ - # "btcusdt", - # "ethusdt", - "solusdt" - ], - }, + # binance: { + # # spot: [ + # # "btcjpy", + # # "btcusdt", + # # "ethjpy", + # # "ethusdt", + # # "soljpy" + # # "solusdt", + # # ], + # usdt_perpetual: [ + # # "btcusdt", + # # "ethusdt", + # "solusdt" + # ], + # }, # bitflyer: { # spot: [ # "BTC_JPY", From cae69e9376c7857da38fa30cb957edb248893d64 Mon Sep 17 00:00:00 2001 
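Review bot: `iam_role = aws_iam_role.ecs_service_linked_role.arn` gives Terraform a dependency on the role but not on `aws_iam_role_policy_attachment.ecs_service_linked_role_attachment`, so on a fresh apply the service can be created while the role still has no permissions and ECS rejects it with the same `InvalidParameterException` this commit series is chasing; add `depends_on = [aws_iam_role_policy_attachment.ecs_service_linked_role_attachment]` to `aws_ecs_service.this`. `iam_role` is also only accepted for services whose task definition does not use `awsvpc` network mode; the task definition is not shown in this hunk, so confirm its `network_mode` before relying on this attribute. The `aws_ecs_service.this` block starts before and continues past this hunk.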
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 28 Jul 2024 14:27:42 +0900 Subject: [PATCH 5/8] Automated Release - 2024-07-28 14:27:10 (#24) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 * iam_roleを追加 * 一度リソースを削除してみる * ストリームの構成を変更 --------- Co-authored-by: XxxKMSxxX Co-authored-by: k6s <31524505+XxxKMSxxX@users.noreply.github.com> --- .vscode/settings.json | 12 ++++++++++++ environments/prod/tokyo/kinesis/terragrunt.hcl | 2 +- modules/kinesis/locals.tf | 13 ------------- modules/kinesis/main.tf | 13 ++----------- modules/kinesis/outputs.tf | 4 ++-- modules/kinesis/variables.tf | 6 +++--- 6 files changed, 20 insertions(+), 30 deletions(-) create mode 100644 .vscode/settings.json delete mode 100644 modules/kinesis/locals.tf diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..efd597e --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,12 @@ +{ + "[terraform]": { + "editor.defaultFormatter": "hashicorp.terraform", + "editor.formatOnSave": true, + "editor.formatOnSaveMode": "file" + }, + "[terraform-vars]": { + "editor.defaultFormatter": "hashicorp.terraform", + "editor.formatOnSave": true, + "editor.formatOnSaveMode": "file" + } +} \ No newline at end of file diff --git a/environments/prod/tokyo/kinesis/terragrunt.hcl b/environments/prod/tokyo/kinesis/terragrunt.hcl index 0fa49ff..ee99ae9 100644 --- a/environments/prod/tokyo/kinesis/terragrunt.hcl +++ b/environments/prod/tokyo/kinesis/terragrunt.hcl @@ -10,5 +10,5 @@ terraform { inputs = { project_name = include.root.locals.conf.project_name - collects = include.root.locals.conf.collects + stream_name = "${include.root.locals.conf.project_name}-collector" } 
diff --git a/modules/kinesis/locals.tf b/modules/kinesis/locals.tf deleted file mode 100644 index 69548e7..0000000 --- a/modules/kinesis/locals.tf +++ /dev/null @@ -1,13 +0,0 @@ -locals { - streams = flatten([ - for exchange_name, exchange in var.collects : [ - for contract_type, symbols in exchange : [ - for symbol in symbols : { - exchange = exchange_name, - contract_type = contract_type, - symbol = symbol - } - ] - ] - ]) -} \ No newline at end of file diff --git a/modules/kinesis/main.tf b/modules/kinesis/main.tf index 0e34f12..0d2c76e 100644 --- a/modules/kinesis/main.tf +++ b/modules/kinesis/main.tf @@ -1,10 +1,5 @@ -resource "aws_kinesis_stream" "kinesis_streams" { - for_each = { - for stream in local.streams : - lower("${stream.exchange}-${stream.contract_type}-${stream.symbol}") => stream - } - - name = each.key +resource "aws_kinesis_stream" "this" { + name = var.stream_name shard_count = 1 retention_period = 24 @@ -17,8 +12,4 @@ resource "aws_kinesis_stream" "kinesis_streams" { "ReadProvisionedThroughputExceeded", "IteratorAgeMilliseconds", ] - - tags = { - Name = each.key - } } diff --git a/modules/kinesis/outputs.tf b/modules/kinesis/outputs.tf index c39dd11..a8be84e 100644 --- a/modules/kinesis/outputs.tf +++ b/modules/kinesis/outputs.tf @@ -1,4 +1,4 @@ output "kinesis_stream_names" { - description = "Names of the created Kinesis streams" - value = [for k, v in aws_kinesis_stream.kinesis_streams : v.name] + description = "Name of the created Kinesis streams" + value = aws_kinesis_stream.this.name } diff --git a/modules/kinesis/variables.tf b/modules/kinesis/variables.tf index ebc197e..5db91b3 100644 --- a/modules/kinesis/variables.tf +++ b/modules/kinesis/variables.tf @@ -3,7 +3,7 @@ variable "project_name" { type = string } -variable "collects" { - description = "The collects configuration" - type = map(map(list(string))) +variable "stream_name" { + description = "The name of stream" + type = string } 
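Review bot: None of the visible lines of `aws_kinesis_stream.this` set `encryption_type` or `kms_key_id`, so unless the unshown lines 6–11 of the file do, the stream is created without server-side encryption (the provider default is `NONE`); add `encryption_type = "KMS"` and `kms_key_id = "alias/aws/kinesis"` (or a customer-managed key) so collected data is encrypted at rest. Renaming the resource from the `for_each`-keyed `kinesis_streams` to `this` also makes Terraform destroy any existing stream instances and create a new one, losing whatever is inside the 24-hour retention window; if a stream exists in prod, a `moved` block for its key avoids the recreate. Dropping the `tags` block removes the `Name` tag, and the `var.tags` map added in a later patch does not carry `Name`.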
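Review bot: `output "kinesis_stream_names"` now returns a single string from `aws_kinesis_stream.this.name`, but the output name stays plural and the new description still says "streams", so any caller iterating over it as a list breaks and the name misleads. Either rename it to `kinesis_stream_name` with `description = "Name of the created Kinesis stream"`, or keep the list shape with `value = [aws_kinesis_stream.this.name]`. The `kinesis_streams` resource this output used to read no longer exists, so consumers of the output are affected either way.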
From 2a77ee6b8590365de30469213ac8f1dc2b41063b Mon Sep 17 00:00:00 2001 From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Sun, 28 Jul 2024 14:50:03 +0900 Subject: [PATCH 6/8] =?UTF-8?q?Tag=E3=81=AE=E6=94=B9=E5=96=84=20(#25)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 * iam_roleを追加 * 一度リソースを削除してみる * ストリームの構成を変更 * タグを共通化 --- environments/prod/tokyo/ecr/terragrunt.hcl | 1 + environments/prod/tokyo/kinesis/terragrunt.hcl | 1 + environments/terragrunt.hcl | 11 ++++++----- modules/ecr/main.tf | 5 ++++- modules/ecr/variables.tf | 6 ++++++ modules/kinesis/main.tf | 1 + modules/kinesis/variables.tf | 6 ++++++ 7 files changed, 25 insertions(+), 6 deletions(-) diff --git a/environments/prod/tokyo/ecr/terragrunt.hcl b/environments/prod/tokyo/ecr/terragrunt.hcl index 033bfc5..18458d8 100644 --- a/environments/prod/tokyo/ecr/terragrunt.hcl +++ b/environments/prod/tokyo/ecr/terragrunt.hcl @@ -10,4 +10,5 @@ terraform { inputs = { repository_name = "${include.root.locals.conf.project_name}-collector" + tags = include.root.locals.conf.tags } diff --git a/environments/prod/tokyo/kinesis/terragrunt.hcl b/environments/prod/tokyo/kinesis/terragrunt.hcl index ee99ae9..732201c 100644 --- a/environments/prod/tokyo/kinesis/terragrunt.hcl +++ b/environments/prod/tokyo/kinesis/terragrunt.hcl @@ -11,4 +11,5 @@ terraform { inputs = { project_name = include.root.locals.conf.project_name stream_name = "${include.root.locals.conf.project_name}-collector" + tags = include.root.locals.conf.tags } diff --git a/environments/terragrunt.hcl b/environments/terragrunt.hcl index 63e22f7..f7e0f7a 100644 --- a/environments/terragrunt.hcl +++ b/environments/terragrunt.hcl 
@@ -5,6 +5,11 @@ locals { try(yamldecode(file(find_in_parent_folders("region.yaml"))), {}), try(yamldecode(file(find_in_parent_folders("collects.yaml"))), {}), ) + tags = { + Project = local.conf.project_name + Environment = local.conf.environment + Terraform = "true" + } } remote_state { @@ -18,11 +23,7 @@ remote_state { key = "${path_relative_to_include()}/terraform.tfstate" region = local.conf.region encrypt = true - s3_bucket_tags = { - "Terraform" = "true" - "Environment" = local.conf.environment - "Project" = local.conf.project_name - } + s3_bucket_tags = local.tags } } diff --git a/modules/ecr/main.tf b/modules/ecr/main.tf index 7807893..5b1e98d 100644 --- a/modules/ecr/main.tf +++ b/modules/ecr/main.tf @@ -1,7 +1,10 @@ resource "aws_ecr_repository" "this" { name = var.repository_name image_tag_mutability = "MUTABLE" + image_scanning_configuration { scan_on_push = true } -} \ No newline at end of file + + tags = var.tags +} diff --git a/modules/ecr/variables.tf b/modules/ecr/variables.tf index ad06f99..feaf91d 100644 --- a/modules/ecr/variables.tf +++ b/modules/ecr/variables.tf @@ -2,3 +2,9 @@ variable "repository_name" { description = "The name of the ECR repository" type = string } + +variable "tags" { + description = "A map of tags to assign to the repository" + type = map(string) + default = {} +} diff --git a/modules/kinesis/main.tf b/modules/kinesis/main.tf index 0d2c76e..e9d6f64 100644 --- a/modules/kinesis/main.tf +++ b/modules/kinesis/main.tf @@ -12,4 +12,5 @@ resource "aws_kinesis_stream" "this" { "ReadProvisionedThroughputExceeded", "IteratorAgeMilliseconds", ] + tags = var.tags } diff --git a/modules/kinesis/variables.tf b/modules/kinesis/variables.tf index 5db91b3..93fa611 100644 --- a/modules/kinesis/variables.tf +++ b/modules/kinesis/variables.tf 
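Review bot: `image_tag_mutability = "MUTABLE"` on `aws_ecr_repository.this` lets any principal with `ecr:PutImage` silently repoint an existing tag such as `latest` at a different image, so a task definition that pulls by tag can be swapped underneath the service; set `image_tag_mutability = "IMMUTABLE"` and reference images by digest or a unique per-build tag. `scan_on_push = true` is good, but nothing visible acts on the scan result, so if a vulnerability gate is intended it has to live in the pipeline. No `encryption_configuration` block is set, so the repository falls back to the AES-256 default, which is fine unless a customer-managed KMS key is a requirement.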
@@ -7,3 +7,9 @@ variable "stream_name" { description = "The name of stream" type = string } + +variable "tags" { + description = "A map of tags to assign to the repository" + type = map(string) + default = {} +} From 62d9fc300c738c449e6d3f958e481b3b2eda22d2 Mon Sep 17 00:00:00 2001 From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Sun, 28 Jul 2024 14:54:59 +0900 Subject: [PATCH 7/8] =?UTF-8?q?Tag=E3=81=AE=E6=94=B9=E5=96=84=20(#26)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 * iam_roleを追加 * 一度リソースを削除してみる * ストリームの構成を変更 * タグを共通化 * タグの定義参照をリバイス --- environments/prod/tokyo/ecr/terragrunt.hcl | 2 +- environments/prod/tokyo/kinesis/terragrunt.hcl | 2 +- modules/kinesis/main.tf | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/environments/prod/tokyo/ecr/terragrunt.hcl b/environments/prod/tokyo/ecr/terragrunt.hcl index 18458d8..7be404e 100644 --- a/environments/prod/tokyo/ecr/terragrunt.hcl +++ b/environments/prod/tokyo/ecr/terragrunt.hcl @@ -10,5 +10,5 @@ terraform { inputs = { repository_name = "${include.root.locals.conf.project_name}-collector" - tags = include.root.locals.conf.tags + tags = include.root.locals.tags } diff --git a/environments/prod/tokyo/kinesis/terragrunt.hcl b/environments/prod/tokyo/kinesis/terragrunt.hcl index 732201c..4fb4ced 100644 --- a/environments/prod/tokyo/kinesis/terragrunt.hcl +++ b/environments/prod/tokyo/kinesis/terragrunt.hcl @@ -11,5 +11,5 @@ terraform { inputs = { project_name = include.root.locals.conf.project_name stream_name = "${include.root.locals.conf.project_name}-collector" - tags = include.root.locals.conf.tags + tags = include.root.locals.tags } diff --git a/modules/kinesis/main.tf b/modules/kinesis/main.tf index e9d6f64..297e975 100644 --- a/modules/kinesis/main.tf 
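Review bot: The description of the new `tags` variable in `modules/kinesis/variables.tf` reads "A map of tags to assign to the repository", copied from the ECR module; this variable tags a Kinesis stream, so change it to `description = "A map of tags to assign to the Kinesis stream"`. The `stream_name` variable above it is described only as "The name of stream"; a one-line note that it becomes the `aws_kinesis_stream` name and must be unique per account and region would help callers.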
+++ b/modules/kinesis/main.tf @@ -12,5 +12,6 @@ resource "aws_kinesis_stream" "this" { "ReadProvisionedThroughputExceeded", "IteratorAgeMilliseconds", ] + tags = var.tags } From 8c103f4195dafcf2983f75acb0e575d504ced3f9 Mon Sep 17 00:00:00 2001 From: k6s <31524505+XxxKMSxxX@users.noreply.github.com> Date: Sun, 28 Jul 2024 15:04:54 +0900 Subject: [PATCH 8/8] =?UTF-8?q?Firehose=E3=81=8B=E3=82=89=E5=87=BA?= =?UTF-8?q?=E5=8A=9B=E3=81=99=E3=82=8Bs3=E3=83=90=E3=82=B1=E3=83=83?= =?UTF-8?q?=E3=83=88=E3=81=AE=E4=BD=9C=E6=88=90=20(#27)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 初回だけエラーが発生するようなので、再度実行してい見る InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists * serviceロール名を変更 * policyも自前で作成 * iam_roleを追加 * 一度リソースを削除してみる * ストリームの構成を変更 * タグを共通化 * タグの定義参照をリバイス * バケット定義を追加 --- environments/prod/tokyo/s3/terragrunt.hcl | 18 ++++++++++++++++++ modules/s3/main.tf | 10 ++++++++++ modules/s3/outputs.tf | 7 +++++++ modules/s3/variables.tf | 10 ++++++++++ 4 files changed, 45 insertions(+) create mode 100644 environments/prod/tokyo/s3/terragrunt.hcl create mode 100644 modules/s3/main.tf create mode 100644 modules/s3/outputs.tf create mode 100644 modules/s3/variables.tf diff --git a/environments/prod/tokyo/s3/terragrunt.hcl b/environments/prod/tokyo/s3/terragrunt.hcl new file mode 100644 index 0000000..e86eb37 --- /dev/null +++ b/environments/prod/tokyo/s3/terragrunt.hcl @@ -0,0 +1,18 @@ +resource "aws_s3_bucket" "this" { + bucket = var.bucket_name + + versioning { + enabled = true + } + + tags = var.tags +} + +resource "aws_s3_bucket_public_access_block" "this" { + bucket = aws_s3_bucket.this.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} diff --git a/modules/s3/main.tf b/modules/s3/main.tf new file mode 100644 index 0000000..862616b --- /dev/null +++ b/modules/s3/main.tf 
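Review bot: `environments/prod/tokyo/s3/terragrunt.hcl` contains Terraform `resource` blocks (`aws_s3_bucket.this`, `aws_s3_bucket_public_access_block.this`), which Terragrunt does not evaluate, while `modules/s3/main.tf` in the same patch holds a Firehose delivery stream and `modules/s3/outputs.tf` references `aws_s3_bucket.this`; the two files look swapped, and the module will not plan as committed. Once the bucket moves into `modules/s3/main.tf`, the inline `versioning { enabled = true }` block is the deprecated pre-v4 form and should become a separate `aws_s3_bucket_versioning` resource. The public-access block is correct, but the bucket has no explicit `aws_s3_bucket_server_side_encryption_configuration` (to pin SSE-KMS rather than the SSE-S3 default) and no bucket policy denying requests with `"aws:SecureTransport": "false"`, both of which a landing bucket for collected data should carry.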
@@ -0,0 +1,10 @@ +resource "aws_kinesis_firehose_delivery_stream" "firehose" { + name = var.stream_name + destination = "s3" + + s3_configuration { + role_arn = var.role_arn + bucket_arn = var.bucket_arn + prefix = var.s3_prefix + } +} diff --git a/modules/s3/outputs.tf b/modules/s3/outputs.tf new file mode 100644 index 0000000..c0d48a0 --- /dev/null +++ b/modules/s3/outputs.tf @@ -0,0 +1,7 @@ +output "bucket_arn" { + value = aws_s3_bucket.this.arn +} + +output "bucket_name" { + value = aws_s3_bucket.this.bucket +} diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf new file mode 100644 index 0000000..6672ec5 --- /dev/null +++ b/modules/s3/variables.tf @@ -0,0 +1,10 @@ +variable "bucket_name" { + description = "The name of the S3 bucket" + type = string +} + +variable "tags" { + description = "A map of tags to assign to the bucket" + type = map(string) + default = {} +}
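Review bot: `aws_kinesis_firehose_delivery_stream.firehose` reads `var.role_arn`, `var.bucket_arn` and `var.s3_prefix`, none of which are declared in `modules/s3/variables.tf` in this same patch, so the module fails validation before anything is created. `destination = "s3"` with an `s3_configuration` block is the legacy form that AWS provider v5 no longer accepts; if the root module is on v5 this needs `destination = "extended_s3"` with an `extended_s3_configuration` block. Nothing here enables `server_side_encryption`, so records buffered inside Firehose sit unencrypted until they reach the bucket; add `server_side_encryption { enabled = true }`, optionally with a customer-managed `key_arn`. Given that the bucket resources in this patch ended up in the Terragrunt file, this resource also looks like it belongs in a dedicated firehose module rather than `modules/s3`.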
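Review bot: `modules/s3/variables.tf` declares only `bucket_name` and `tags`, yet `modules/s3/main.tf` in the same patch consumes `var.role_arn`, `var.bucket_arn` and `var.s3_prefix`; either add the missing declarations or move the Firehose resource out of this module, in which case `bucket_name` is the variable that matches `outputs.tf`. If they stay, the ARN inputs are a good place for a `validation` block so a wrong or empty ARN is rejected at plan time instead of by the Firehose API.
```hcl
variable "role_arn" {
  description = "ARN of the IAM role Firehose assumes to write to the bucket"
  type        = string
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.role_arn))
    error_message = "role_arn must be an IAM role ARN."
  }
}

variable "bucket_arn" {
  description = "ARN of the destination S3 bucket"
  type        = string
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:s3:::", var.bucket_arn))
    error_message = "bucket_arn must be an S3 bucket ARN."
  }
}

variable "s3_prefix" {
  description = "Key prefix under which Firehose writes delivered objects"
  type        = string
  default     = ""
}
```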