Modify mesh-task and controller #188

Merged
54 changes: 25 additions & 29 deletions .github/workflows/terraform-ci.yml
Expand Up @@ -10,6 +10,7 @@ on:
pull_request:
branches:
- 'main'
- 'ganeshrockz/dataplane-arch-changes' #TODO: Remove this when merging to main
- 'release/**'
env:
CONSUL_LICENSE: ${{ secrets.CONSUL_LICENSE }}
Expand Down Expand Up @@ -105,43 +106,36 @@ jobs:
# HCP is always disabled for tests on PRs.
matrix:
name:
- acceptance-1.15-FARGATE-HCP
- acceptance-1.14-FARGATE-HCP
- acceptance-1.13-FARGATE
- acceptance-1.15-EC2
- acceptance-1.14-EC2
- acceptance-1.13-EC2-HCP
# - acceptance-1.15-FARGATE-HCP
# - acceptance-1.14-FARGATE-HCP
# - acceptance-1.13-EC2-HCP
- acceptance-1.16-FARGATE
- acceptance-1.16-EC2
include:
- name: acceptance-1.15-FARGATE-HCP
consul-version: '1.15.4'
enable-hcp: true
launch-type: FARGATE
# - name: acceptance-1.15-FARGATE-HCP
# consul-version: '1.15.4'
# enable-hcp: true
# launch-type: FARGATE

- name: acceptance-1.14-FARGATE-HCP
consul-version: '1.14.7'
enable-hcp: true
launch-type: FARGATE
# - name: acceptance-1.14-FARGATE-HCP
# consul-version: '1.14.7'
# enable-hcp: true
# launch-type: FARGATE

- name: acceptance-1.13-FARGATE
consul-version: '1.13.9'
# - name: acceptance-1.13-EC2-HCP
# consul-version: '1.13.8'
# enable-hcp: true
# launch-type: EC2

- name: acceptance-1.16-FARGATE
consul-version: '1.16.0'
enable-hcp: false
launch-type: FARGATE

- name: acceptance-1.15-EC2
consul-version: '1.15.4'
enable-hcp: false
launch-type: EC2

- name: acceptance-1.14-EC2
consul-version: '1.14.8'
- name: acceptance-1.16-EC2
consul-version: '1.16.0'
enable-hcp: false
launch-type: EC2

- name: acceptance-1.13-EC2-HCP
consul-version: '1.13.8'
enable-hcp: true
launch-type: EC2

steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
Expand Down Expand Up @@ -182,6 +176,7 @@ jobs:
VARS="-var tags={\"build_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}"
VARS+=' -var launch_type=${{ matrix.launch-type }}'
VARS+=' -var consul_version=${{ matrix.consul-version }}'
VARS+=' -var hcp_project_id=${{ secrets.HCP_PROJECT_ID }}'
case $GITHUB_REF_NAME in
main | release/*) VARS+=" -var enable_hcp=${{ matrix.enable-hcp }}";;
*) VARS+=" -var enable_hcp=false";;
Expand All @@ -205,6 +200,7 @@ jobs:
VARS="-var tags={\"build_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}"
VARS+=' -var launch_type=${{ matrix.launch-type }}'
VARS+=' -var consul_version=${{ matrix.consul-version }}'
VARS+=' -var hcp_project_id=${{ secrets.HCP_PROJECT_ID }}'
case $GITHUB_REF_NAME in
main | release/*) VARS+=" -var enable_hcp=${{ matrix.enable-hcp }}";;
*) VARS+=" -var enable_hcp=false";;
Expand Down
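Review bot: The two `VARS+=' -var hcp_project_id=${{ secrets.HCP_PROJECT_ID }}'` lines (hunks `@@ -182,6 +176,7 @@` and `@@ -205,6 +200,7 @@`) expand the secret into the shell script text and then onto the terraform argv, where it shows up in process listings and in any `set -x` or echoed `$VARS` output, and it is appended even on the `*) VARS+=" -var enable_hcp=false"` branch where HCP is off. Terraform reads `TF_VAR_<name>` from the environment, so the same value can reach the module without touching the command line: `env:` / `  TF_VAR_hcp_project_id: ${{ secrets.HCP_PROJECT_ID }}` on the step, and the `VARS+=` line dropped. The first hunk's `- 'ganeshrockz/dataplane-arch-changes' #TODO: Remove this when merging to main` is the kind of trigger that tends to outlive its TODO; since this PR is marked merged it is worth confirming the entry is gone from `pull_request.branches`. The `run:` scripts these lines belong to start and end outside the hunks.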
6 changes: 0 additions & 6 deletions modules/acl-controller/README.md

This file was deleted.

98 changes: 0 additions & 98 deletions modules/acl-controller/variables.tf

This file was deleted.

5 changes: 5 additions & 0 deletions modules/controller/README.md
@@ -0,0 +1,5 @@
# ECS Controller

This module deploys a Consul ECS controller for managing tokens and Consul services for tasks on the Consul service mesh.

See https://developer.hashicorp.com/consul/docs/ecs for additional documentation.
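--- a/modules/controller/config.tf
+++ b/modules/controller/config.tf
@@ -0,0 +1,40 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+locals {
+httpSettings = merge(
+{
+port = var.tls ? 8501 : 8500
+https = var.tls
+},
+var.http_config
+)
+
+grpcSettings = merge(
+{
+port = var.tls ? 8503 : 8502
+},
+var.grpc_config
+)
+
+config = {
+controller = {
+iamRolePath = var.iam_role_path
+partitionsEnabled = var.consul_partitions_enabled
+partition = var.consul_partitions_enabled ? var.consul_partition : ""
+}
+bootstrapDir = "/consul"
+consulServers = {
+hosts = var.consul_server_hosts
+skipServerWatch = var.skip_server_watch
+defaults = {
+tls = var.tls
+tlsServerName = var.tls_server_name
+}
+http = local.httpSettings
+grpc = local.grpcSettings
+}
+}
+
+encoded_config = jsonencode(local.config)
+}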
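Review bot: In `httpSettings`, `var.http_config` is the last argument to `merge(...)`, so any `port` or `https` key a caller puts in it silently overrides the values derived from `var.tls`; `tls = true` together with `http_config = { https = false }` yields a plaintext HTTP client while `consulServers.defaults.tls` and the gRPC settings still say TLS, and nothing in this file flags the mismatch. If that override is intended it deserves a comment on the local, e.g. `# http_config / grpc_config win over the tls-derived port and https defaults; keep them consistent with var.tls`; if not, reversing the merge order or adding a variable validation on `http_config` keeps `var.tls` authoritative. The same applies to `grpcSettings` and `var.grpc_config` for `port`.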
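--- a/modules/acl-controller/main.tf
+++ b/modules/controller/main.tf
@@ -1,8 +1,13 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+locals {
+https_ca_cert_arn = var.consul_https_ca_cert_arn != "" ? var.consul_https_ca_cert_arn : var.consul_ca_cert_arn
+grpc_ca_cert_arn = var.consul_grpc_ca_cert_arn != "" ? var.consul_grpc_ca_cert_arn : var.consul_ca_cert_arn
+}
+
 resource "aws_ecs_service" "this" {
-name = "consul-acl-controller"
+name = "consul-ecs-controller"
 cluster = var.ecs_cluster_arn
 task_definition = aws_ecs_task_definition.this.arn
 desired_count = 1
@@ -16,7 +21,7 @@ resource "aws_ecs_service" "this" {
 }
 
 resource "aws_ecs_task_definition" "this" {
-family = "${var.name_prefix}-consul-acl-controller"
+family = "${var.name_prefix}-consul-ecs-controller"
 requires_compatibilities = var.requires_compatibilities
 network_mode = "awsvpc"
 cpu = 256
@@ -25,37 +30,36 @@ resource "aws_ecs_task_definition" "this" {
 execution_role_arn = aws_iam_role.this_execution.arn
 container_definitions = jsonencode([
 {
-name = "consul-acl-controller"
+name = "consul-ecs-controller"
 image = var.consul_ecs_image
 essential = true
 logConfiguration = var.log_configuration,
-command = concat(
-[
-"acl-controller", "-iam-role-path", var.iam_role_path,
-],
-var.consul_partitions_enabled ? [
-"-partitions-enabled",
-"-partition", var.consul_partition
-] : [],
-)
+command = ["controller"]
 linuxParameters = {
 initProcessEnabled = true
 }
 secrets = concat([
 {
-name = "CONSUL_HTTP_TOKEN",
+name = "CONSUL_HTTP_TOKEN"
 valueFrom = var.consul_bootstrap_token_secret_arn
 }],
-var.consul_server_ca_cert_arn != "" ? [
+local.grpc_ca_cert_arn != "" ? [
+{
+name = "CONSUL_GRPC_CACERT_PEM"
+valueFrom = local.grpc_ca_cert_arn
+}
+] : [],
+local.https_ca_cert_arn != "" ? [
 {
-name = "CONSUL_CACERT_PEM",
-valueFrom = var.consul_server_ca_cert_arn
+name = "CONSUL_HTTPS_CACERT_PEM"
+valueFrom = local.https_ca_cert_arn
 }
-] : [])
+] : [],
+)
 environment = [
 {
-name = "CONSUL_HTTP_ADDR"
-value = var.consul_server_http_addr
+name = "CONSUL_ECS_CONFIG_JSON"
+value = local.encoded_config
 }
 ]
 readonlyRootFilesystem = true
@@ -64,7 +68,7 @@ resource "aws_ecs_task_definition" "this" {
 }
 
 resource "aws_iam_role" "this_task" {
-name = "${var.name_prefix}-consul-acl-controller-task"
+name = "${var.name_prefix}-consul-ecs-controller-task"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
@@ -103,7 +107,7 @@ resource "aws_iam_role" "this_task" {
 }
 
 resource "aws_iam_policy" "this_execution" {
-name = "${var.name_prefix}-consul-acl-controller-execution"
+name = "${var.name_prefix}-consul-ecs-controller-execution"
 path = "/ecs/"
 description = "Consul controller execution"
 
@@ -120,14 +124,36 @@ resource "aws_iam_policy" "this_execution" {
 "${var.consul_bootstrap_token_secret_arn}"
 ]
 },
-%{if var.consul_server_ca_cert_arn != ""~}
+%{if var.consul_ca_cert_arn != ""~}
+{
+"Effect": "Allow",
+"Action": [
+"secretsmanager:GetSecretValue"
+],
+"Resource": [
+"${var.consul_ca_cert_arn}"
+]
+},
+%{endif~}
+%{if var.consul_https_ca_cert_arn != ""~}
+{
+"Effect": "Allow",
+"Action": [
+"secretsmanager:GetSecretValue"
+],
+"Resource": [
+"${var.consul_https_ca_cert_arn}"
+]
+},
+%{endif~}
+%{if var.consul_grpc_ca_cert_arn != ""~}
 {
 "Effect": "Allow",
 "Action": [
 "secretsmanager:GetSecretValue"
 ],
 "Resource": [
-"${var.consul_server_ca_cert_arn}"
+"${var.consul_grpc_ca_cert_arn}"
 ]
 },
 %{endif~}
@@ -145,7 +171,7 @@ EOF
 }
 
 resource "aws_iam_role" "this_execution" {
-name = "${var.name_prefix}-consul-acl-controller-execution"
+name = "${var.name_prefix}-consul-ecs-controller-execution"
 path = "/ecs/"
 
 assume_role_policy = <<EOF
@@ -174,4 +200,4 @@ resource "aws_iam_role_policy_attachment" "additional_execution_policies" {
 count = length(var.additional_execution_role_policies)
 role = aws_iam_role.this_execution.id
 policy_arn = var.additional_execution_role_policies[count.index]
-}
+}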
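Review bot: The execution-role policy in the `@@ -120,14 +124,36 @@` hunk grants `secretsmanager:GetSecretValue` on `var.consul_ca_cert_arn` whenever that variable is non-empty, but the task definition only ever pulls that secret through `local.https_ca_cert_arn` and `local.grpc_ca_cert_arn`, which fall back to it solely when the scheme-specific ARN is empty; with both `consul_https_ca_cert_arn` and `consul_grpc_ca_cert_arn` set, the grant on the generic CA secret is one the task never exercises. Gating the statement on the same locals the `secrets` block references keeps the execution role to exactly the ARNs it fetches and collapses the three identical statements into one, which also removes the risk of the policy and the container `secrets` drifting apart on a later change. The `aws_iam_policy.this_execution` heredoc starts and ends outside the hunk, so the replacement below sits between the bootstrap-token statement and the closing of the `Statement` array.

```hcl
      // … unchanged: bootstrap-token GetSecretValue statement …
      %{if length(compact([local.https_ca_cert_arn, local.grpc_ca_cert_arn])) > 0~}
      {
        "Effect": "Allow",
        "Action": [
          "secretsmanager:GetSecretValue"
        ],
        "Resource": ${jsonencode(distinct(compact([local.https_ca_cert_arn, local.grpc_ca_cert_arn])))}
      },
      %{endif~}
      // … unchanged: remainder of the Statement array and heredoc terminator …
```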