

Deploy dataapi pg (#9)
This was deployed
hellais authored Feb 27, 2024
1 parent 420d11c commit 1878f1b
Showing 5 changed files with 98 additions and 59 deletions.
64 changes: 37 additions & 27 deletions tf/environments/prod/main.tf
Expand Up @@ -351,10 +351,11 @@ resource "aws_ecs_task_definition" "dataapi" {
container_name = local.container_name,
container_port = 80,
log_group_region = var.aws_region,
log_group_name = aws_cloudwatch_log_group.app.name
log_group_name = aws_cloudwatch_log_group.app.name,
})

tags = local.tags
execution_role_arn = aws_iam_role.ecs_task.arn
tags = local.tags
}

resource "aws_ecs_service" "dataapi" {
Expand Down Expand Up @@ -390,20 +391,22 @@ resource "aws_ecs_service" "dataapi" {

## IAM

resource "aws_iam_role" "ecs_service" {
name = "ooni_ecs_role"


resource "aws_iam_role" "ecs_task" {
name = "ooni_ecs_task_role"

tags = local.tags

assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
Expand All @@ -412,31 +415,42 @@ resource "aws_iam_role" "ecs_service" {
EOF
}

resource "aws_iam_role_policy" "ecs_service" {
name = "ooni_ecs_policy"
role = aws_iam_role.ecs_service.name
resource "aws_iam_role_policy" "ecs_task" {
name = "ooni_ecs_task_policy"
role = aws_iam_role.ecs_task.name

policy = templatefile("${path.module}/templates/instance_profile_policy.json", {})
}

resource "aws_iam_role" "ecs_service" {
name = "ooni_ecs_role"

tags = local.tags

policy = <<EOF
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets"
],
"Resource": "*"
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}

resource "aws_iam_role_policy" "ecs_service" {
name = "ooni_ecs_policy"
role = aws_iam_role.ecs_service.name

policy = templatefile("${path.module}/templates/instance_profile_policy.json", {})
}

resource "aws_iam_instance_profile" "app" {
name = "tf-ecs-instprofile"
role = aws_iam_role.app_instance.name
Expand Down Expand Up @@ -467,13 +481,9 @@ EOF
}

resource "aws_iam_role_policy" "instance" {
name = "TfEcsOONIInstanceRole"
role = aws_iam_role.app_instance.name
policy = templatefile("${path.module}/templates/instance_profile_policy.json", {
app_log_group_arn = aws_cloudwatch_log_group.app.arn,
ecs_log_group_arn = aws_cloudwatch_log_group.ecs.arn
})

name = "TfEcsOONIInstanceRole"
role = aws_iam_role.app_instance.name
policy = templatefile("${path.module}/templates/instance_profile_policy.json", {})
}

## ALB
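Review bot: `aws_iam_role_policy.ecs_task` hands the new task execution role the entire `instance_profile_policy.json` template, and the same unparameterized template is now also attached to `aws_iam_role_policy.ecs_service` and `aws_iam_role_policy.instance`, so three principals with different jobs share one policy that, after this commit's template change, includes `secretsmanager:GetSecretValue` on `"Resource": "*"` alongside `logs:*` and the container-instance `ecs:*` actions. The execution role, which ECS assumes to start the dataapi task, only needs to read the two secrets referenced from `task_definition.json` plus its log-group writes, and the service role previously carried just the `ec2:Describe*`/ELB statement that the template's last block now reproduces. A dedicated execution-role template scoped to those ARNs, e.g. `policy = templatefile("${path.module}/templates/task_execution_policy.json", { secret_arns = [...] })` (new file) with `"Resource": ${jsonencode(secret_arns)}` in its secrets statement, keeps the grant to what the task definition actually consumes. The `app_log_group_arn`/`ecs_log_group_arn` arguments dropped from the instance policy call were not referenced by the old template, so that part is a no-op. `aws_iam_role.ecs_task` begins in the previous hunk; the heredoc lines between the two hunks are not visible here.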
3 changes: 0 additions & 3 deletions tf/environments/prod/templates/ecs-setup.sh
Expand Up @@ -7,6 +7,3 @@ ECS_CONTAINER_INSTANCE_TAGS=${jsonencode(ecs_cluster_tags)}
ECS_ENABLE_TASK_IAM_ROLE=true
EOF

# Install datadog agent
DD_API_KEY=${datadog_api_key} DD_SITE="datadoghq.eu" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"

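--- a/tf/environments/prod/templates/instance_profile_policy.json
+++ b/tf/environments/prod/templates/instance_profile_policy.json
@@ -1,29 +1,51 @@
 {
-"Version": "2012-10-17",
-"Statement": [
-{
-"Sid": "ecsInstanceRole",
-"Effect": "Allow",
-"Action": [
-"ecs:DeregisterContainerInstance",
-"ecs:DiscoverPollEndpoint",
-"ecs:Poll",
-"ecs:RegisterContainerInstance",
-"ecs:Submit*",
-"ecs:StartTelemetrySession"
-],
-"Resource": [
-"*"
-]
-},
-{
-"Sid": "CloudWatchLogsFullAccess",
-"Effect": "Allow",
-"Action": [
-"logs:*",
-"cloudwatch:GenerateQuery"
-],
-"Resource": "*"
-}
-]
-}
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "ecsInstanceRole",
+"Effect": "Allow",
+"Action": [
+"ecs:DeregisterContainerInstance",
+"ecs:DiscoverPollEndpoint",
+"ecs:Poll",
+"ecs:RegisterContainerInstance",
+"ecs:Submit*",
+"ecs:StartTelemetrySession"
+],
+"Resource": ["*"]
+},
+{
+"Sid": "CloudWatchLogsFullAccess",
+"Effect": "Allow",
+"Action": ["logs:*", "cloudwatch:GenerateQuery"],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"secretsmanager:GetResourcePolicy",
+"secretsmanager:GetSecretValue",
+"secretsmanager:DescribeSecret",
+"secretsmanager:ListSecretVersionIds"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "secretsmanager:ListSecrets",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:Describe*",
+"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+"elasticloadbalancing:DeregisterTargets",
+"elasticloadbalancing:Describe*",
+"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+"elasticloadbalancing:RegisterTargets"
+],
+"Resource": "*"
+}
+]
+}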
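Review bot: The new `secretsmanager` statement grants `GetSecretValue`, `DescribeSecret`, `GetResourcePolicy` and `ListSecretVersionIds` on `"Resource": "*"`, so every role this template is rendered into (in this commit's main.tf: the instance profile, the ECS service role and the task execution role) can read any secret in the account rather than the two that `task_definition.json` injects. Because the file is rendered by `templatefile`, the caller can pass the secret ARNs in and the statement can be scoped as `"Resource": ${jsonencode(secret_arns)}`; `secretsmanager:ListSecrets` cannot be resource-scoped and may stay on `"*"`. ECS needs only `secretsmanager:GetSecretValue` (plus `kms:Decrypt` when a customer-managed key encrypts the secret) to inject a `valueFrom` secret, so `GetResourcePolicy` and `ListSecretVersionIds` can be dropped from the task-facing grant. The three added statements also lack the `Sid` that the two existing ones carry, e.g. `"Sid": "ReadDataapiSecrets"`, which keeps IAM Access Analyzer and CloudTrail output attributable.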
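--- a/tf/environments/prod/templates/task_definition.json
+++ b/tf/environments/prod/templates/task_definition.json
@@ -11,6 +11,16 @@
 "hostPort": 0
 }
 ],
+"secrets": [
+{
+"name": "POSTGRESQL_URL",
+"valueFrom": "arn:aws:secretsmanager:eu-central-1:082866812839:secret:OONI_PROD_POSTGRES_URL-IQyNqP"
+},
+{
+"name": "JWT_ENCRYPTION_KEY",
+"valueFrom": "arn:aws:secretsmanager:eu-central-1:082866812839:secret:OONI_PROD_JWT_ENCRYPTION_KEY-euqdD9"
+}
+],
 "logConfiguration": {
 "logDriver": "awslogs",
 "options": {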
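Review bot: The two `valueFrom` ARNs are hard-coded in the template, including account id, region and the random secret-name suffix, while the rest of this file is parameterized through `templatefile` in main.tf (`container_name`, `log_group_name`, …). Passing them in as template variables, e.g. `"valueFrom": "${postgresql_url_secret_arn}"`, lets main.tf source them from `aws_secretsmanager_secret` resource or data blocks and feed the same values into the execution role's policy, so the ARN ECS reads and the IAM grant that permits it cannot drift apart. Using `secrets` rather than `environment` is the right choice, since the values then never appear in the registered task definition. The enclosing `containerDefinitions` entry starts before this hunk.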
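--- a/tf/environments/prod/terraform.tfvars.json
+++ b/tf/environments/prod/terraform.tfvars.json
@@ -1,5 +1,5 @@
 {
 "ooni_service_config": {
-"dataapi_version": "v0.3.0.dev1"
+"dataapi_version": "20240226-f3c84e02"
 }
 }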
