feat: add support of TLS/DB encryption/custom SG rules
leroyguillaume committed Nov 15, 2023
1 parent 664d281 commit 0ca788a
Showing 15 changed files with 541 additions and 281 deletions.
10 changes: 5 additions & 5 deletions modules/aws_ec2_standalone/main.tf
Expand Up @@ -13,14 +13,14 @@ provider "aws" {

data "aws_ami" "this" {
most_recent = true # get the latest version
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
}

filter {
name = "virtualization-type"
values = ["hvm"]
name = "virtualization-type"
values = ["hvm"]
}

owners = [
4 changes: 2 additions & 2 deletions modules/aws_ecs/ecs.tf
Expand Up @@ -23,7 +23,7 @@ resource "aws_ecs_cluster_capacity_providers" "this" {
# Required setup for EC2 instances (if not using Fargate)
data "aws_ami" "this" {
most_recent = true # get the latest version
name_regex = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"
name_regex = "^amzn2-ami-ecs-hvm-\\d\\.\\d\\.\\d{8}-x86_64-ebs$"

filter {
name = "virtualization-type"
Expand Down Expand Up @@ -67,7 +67,7 @@ resource "aws_launch_configuration" "this" {

# Allow the EC2 instances to access AWS resources on your behalf, using this instance profile and the permissions defined there
iam_instance_profile = aws_iam_instance_profile.ec2[0].arn

lifecycle {
create_before_destroy = true
}
43 changes: 38 additions & 5 deletions modules/aws_ecs/loadbalancers.tf
@@ -1,24 +1,57 @@
resource "aws_lb" "this" {
name = "${var.deployment_name}-alb"
idle_timeout = var.alb_idle_timeout
internal = var.alb_internal

security_groups = [aws_security_group.alb.id]
subnets = var.subnet_ids
subnets = var.alb_subnet_ids != null ? var.alb_subnet_ids : var.subnet_ids
}

resource "aws_lb_listener" "this" {
resource "aws_lb_listener" "http" {
load_balancer_arn = aws_lb.this.arn
port = 80
protocol = "HTTP"

dynamic "default_action" {
for_each = var.alb_certificate_arn == null ? [1] : []

content {
type = "forward"
target_group_arn = aws_lb_target_group.this.arn
}
}

dynamic "default_action" {
for_each = var.alb_certificate_arn != null ? [1] : []

content {
type = "redirect"

redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
}

resource "aws_lb_listener" "https" {
count = var.alb_certificate_arn != null ? 1 : 0
certificate_arn = var.alb_certificate_arn
load_balancer_arn = aws_lb.this.arn
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"

default_action {
type = "forward"
target_group_arn = aws_lb_target_group.this.arn
type = "forward"
}
}

resource "aws_lb_listener_rule" "this" {
listener_arn = aws_lb_listener.this.arn
listener_arn = var.alb_certificate_arn != null ? aws_lb_listener.https[0].arn : aws_lb_listener.http.arn
priority = 1

action {
Expand Down Expand Up @@ -49,4 +82,4 @@ resource "aws_lb_target_group" "this" {
healthy_threshold = 3
unhealthy_threshold = 2
}
}
}
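Review bot: The new HTTPS listener hard-codes `ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"`, a policy that does not negotiate TLS 1.3 and still accepts non-forward-secret RSA key-exchange suites; since the certificate is already a variable, the policy should be too, e.g. `ssl_policy = var.alb_ssl_policy` with the variable (in variables.tf, outside this hunk) defaulting to a current TLS 1.3-capable policy such as `ELBSecurityPolicy-TLS13-1-2-2021-06`. The `alb` security group must now also admit inbound 443, which nothing in this file shows; presumably that is in the SG changes elsewhere in the commit, worth confirming. Minor: `port = "443"` on the https listener is a string while the http listener uses `port = 80`, so one form should be picked for both.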
44 changes: 22 additions & 22 deletions modules/aws_ecs/locals.tf
Expand Up @@ -49,40 +49,40 @@ locals {
},
# Workflows-specific
{
"name": "WORKFLOW_BACKEND_HOST",
"value": "http://workflow-backend.retoolsvc:3000"
"name" : "WORKFLOW_BACKEND_HOST",
"value" : "http://workflow-backend.retoolsvc:3000"
},
{
"name": "WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE",
"value": var.temporal_cluster_config.namespace
"name" : "WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE",
"value" : var.temporal_cluster_config.namespace
},
{
"name": "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST",
"value": var.temporal_cluster_config.host
"name" : "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST",
"value" : var.temporal_cluster_config.host
},
{
"name": "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT",
"value": var.temporal_cluster_config.port
"name" : "WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT",
"value" : var.temporal_cluster_config.port
},
{
"name": "WORKFLOW_TEMPORAL_TLS_ENABLED",
"value": tostring(var.temporal_cluster_config.tls_enabled)
"name" : "WORKFLOW_TEMPORAL_TLS_ENABLED",
"value" : tostring(var.temporal_cluster_config.tls_enabled)
}
]
)

temporal_mtls_config = (
var.temporal_cluster_config.tls_enabled && var.temporal_cluster_config.tls_crt != null && var.temporal_cluster_config.tls_key != null ?
[
{
"name": "WORKFLOW_TEMPORAL_TLS_CRT",
"value": var.temporal_cluster_config.tls_crt
},
{
"name": "WORKFLOW_TEMPORAL_TLS_KEY",
"value": var.temporal_cluster_config.tls_key
}
] :
[]
var.temporal_cluster_config.tls_enabled && var.temporal_cluster_config.tls_crt != null && var.temporal_cluster_config.tls_key != null ?
[
{
"name" : "WORKFLOW_TEMPORAL_TLS_CRT",
"value" : var.temporal_cluster_config.tls_crt
},
{
"name" : "WORKFLOW_TEMPORAL_TLS_KEY",
"value" : var.temporal_cluster_config.tls_key
}
] :
[]
)
}
113 changes: 62 additions & 51 deletions modules/aws_ecs/main.tf
Expand Up @@ -17,12 +17,12 @@ resource "aws_cloudwatch_log_group" "this" {
}

resource "aws_db_subnet_group" "this" {
name = "${var.deployment_name}-retool"
name = "${var.deployment_name}-retool"
subnet_ids = var.subnet_ids
}

resource "aws_db_instance" "this" {
identifier = "${var.deployment_name}-rds-instance"
identifier = "${var.deployment_name}-rds-instance"
allocated_storage = 80
instance_class = var.rds_instance_class
engine = "postgres"
Expand All @@ -35,9 +35,17 @@ resource "aws_db_instance" "this" {
vpc_security_group_ids = [aws_security_group.rds.id]
db_subnet_group_name = aws_db_subnet_group.this.id
performance_insights_enabled = var.rds_performance_insights_enabled

skip_final_snapshot = true
apply_immediately = true
kms_key_id = var.rds_kms_key_id
storage_encrypted = var.rds_kms_key_id != null
backup_window = var.rds_backup_window
backup_retention_period = var.rds_backup_retention_in_days

skip_final_snapshot = true
apply_immediately = true

lifecycle {
ignore_changes = [engine_version]
}
}

resource "aws_ecs_service" "retool" {
Expand Down Expand Up @@ -65,7 +73,7 @@ resource "aws_ecs_service" "retool" {
dynamic "network_configuration" {
for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])

content {
content {
subnets = var.subnet_ids
security_groups = [
aws_security_group.containers.id
Expand All @@ -92,7 +100,7 @@ resource "aws_ecs_service" "jobs_runner" {

for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])

content {
content {
subnets = var.subnet_ids
security_groups = [
aws_security_group.containers.id
Expand All @@ -108,7 +116,7 @@ resource "aws_ecs_service" "workflows_backend" {
cluster = aws_ecs_cluster.this.id
desired_count = 1
task_definition = aws_ecs_task_definition.retool_workflows_backend[0].arn

# Need to explictly set this in aws_ecs_service to avoid destructive behavior: https://github.com/hashicorp/terraform-provider-aws/issues/22823
capacity_provider_strategy {
base = 1
Expand All @@ -123,7 +131,7 @@ resource "aws_ecs_service" "workflows_backend" {

for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])

content {
content {
subnets = var.subnet_ids
security_groups = [
aws_security_group.containers.id
Expand All @@ -150,7 +158,7 @@ resource "aws_ecs_service" "workflows_worker" {

for_each = var.launch_type == "FARGATE" ? toset([1]) : toset([])

content {
content {
subnets = var.subnet_ids
security_groups = [
aws_security_group.containers.id
Expand All @@ -161,13 +169,13 @@ resource "aws_ecs_service" "workflows_worker" {
}

resource "aws_ecs_task_definition" "retool_jobs_runner" {
family = "retool-jobs-runner"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
family = "retool-jobs-runner"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["jobs_runner"]["memory"] : null
container_definitions = jsonencode(
[
{
Expand Down Expand Up @@ -211,13 +219,13 @@ resource "aws_ecs_task_definition" "retool_jobs_runner" {
)
}
resource "aws_ecs_task_definition" "retool" {
family = "retool"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
family = "retool"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["main"]["memory"] : null
container_definitions = jsonencode(
[
{
Expand Down Expand Up @@ -266,14 +274,14 @@ resource "aws_ecs_task_definition" "retool" {
}

resource "aws_ecs_task_definition" "retool_workflows_backend" {
count = var.workflows_enabled ? 1 : 0
family = "retool-workflows-backend"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
count = var.workflows_enabled ? 1 : 0
family = "retool-workflows-backend"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_backend"]["memory"] : null
container_definitions = jsonencode(
[
{
Expand Down Expand Up @@ -321,14 +329,14 @@ resource "aws_ecs_task_definition" "retool_workflows_backend" {
)
}
resource "aws_ecs_task_definition" "retool_workflows_worker" {
count = var.workflows_enabled ? 1 : 0
family = "retool-workflows-worker"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
count = var.workflows_enabled ? 1 : 0
family = "retool-workflows-worker"
task_role_arn = aws_iam_role.task_role.arn
execution_role_arn = var.launch_type == "FARGATE" ? aws_iam_role.execution_role[0].arn : null
requires_compatibilities = var.launch_type == "FARGATE" ? ["FARGATE"] : null
network_mode = var.launch_type == "FARGATE" ? "awsvpc" : "bridge"
cpu = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["cpu"] : null
memory = var.launch_type == "FARGATE" ? var.ecs_task_resource_map["workflows_worker"]["memory"] : null
container_definitions = jsonencode(
[
{
Expand Down Expand Up @@ -381,13 +389,13 @@ resource "aws_ecs_task_definition" "retool_workflows_worker" {
}

resource "aws_service_discovery_private_dns_namespace" "retoolsvc" {
count = var.workflows_enabled ? 1 : 0
count = var.workflows_enabled ? 1 : 0
name = "retoolsvc"
description = "Service Discovery namespace for Retool deployment"
vpc = var.vpc_id
}

resource "aws_service_discovery_service" "retool_workflow_backend_service" {
resource "aws_service_discovery_service" "retool_workflow_backend_service" {
count = var.workflows_enabled ? 1 : 0
name = "workflow-backend"

Expand All @@ -408,17 +416,20 @@ resource "aws_service_discovery_service" "retool_workflow_backend_service" {
}

module "temporal" {
count = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
count = var.workflows_enabled && !var.use_exising_temporal_cluster ? 1 : 0
source = "./temporal"
deployment_name = "${var.deployment_name}-temporal"
vpc_id = var.vpc_id
subnet_ids = var.subnet_ids
private_dns_namespace_id = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
aws_cloudwatch_log_group_id = aws_cloudwatch_log_group.this.id
aws_region = var.aws_region
aws_ecs_cluster_id = aws_ecs_cluster.this.id
launch_type = var.launch_type
container_sg_id = aws_security_group.containers.id

deployment_name = "${var.deployment_name}-temporal"
vpc_id = var.vpc_id
subnet_ids = var.subnet_ids
private_dns_namespace_id = aws_service_discovery_private_dns_namespace.retoolsvc[0].id
aws_cloudwatch_log_group_id = aws_cloudwatch_log_group.this.id
aws_region = var.aws_region
aws_ecs_cluster_id = aws_ecs_cluster.this.id
launch_type = var.launch_type
container_sg_id = aws_security_group.containers.id
aws_ecs_capacity_provider_name = var.launch_type == "EC2" ? aws_ecs_capacity_provider.this[0].name : null
kms_key_id = var.temporal_aurora_kms_key_id
backup_window = var.temporal_aurora_backup_window
backup_retention_in_days = var.temporal_aurora_backup_retention_in_days
}
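Review bot: `storage_encrypted = var.rds_kms_key_id != null` in the `aws_db_instance` hunk leaves the RDS volume unencrypted whenever no customer-managed key is supplied, although RDS encrypts with the AWS-managed aws/rds key when `kms_key_id` is null. Encrypt unconditionally: `storage_encrypted = true` and `kms_key_id = var.rds_kms_key_id  # null selects the AWS-managed aws/rds key`. Flipping storage_encrypted forces instance replacement, and `skip_final_snapshot = true` sits a few lines below, so existing deployments need a snapshot-and-restore step before this rolls out; that caveat belongs in the module documentation. The same conditional is presumably repeated inside the temporal module, which now receives `kms_key_id = var.temporal_aurora_kms_key_id`, and should get the same treatment. If `rds_backup_retention_in_days` can default to 0, automated backups are disabled entirely — confirm the variable's default.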
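--- a/modules/aws_ecs/outputs.tf
+++ b/modules/aws_ecs/outputs.tf
@@ -42,3 +42,7 @@ output "rds_instance_name" {
 value = aws_db_instance.this.db_name
 description = "Name of RDS instance"
 }
+
+output "sg_containers_id" {
+value = aws_security_group.containers.id
+}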
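Review bot: The new `sg_containers_id` output has no `description`, unlike `rds_instance_name` directly above it. Add `description = "ID of the security group attached to the ECS service tasks"` so module consumers and generated docs can tell what the exported ID is for; the main.tf hunks show this group being attached via `security_groups = [aws_security_group.containers.id]`.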