From 1878f1be36b32307ccded2911b3f894d6bd649b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?= <arturo@filasto.net>
Date: Tue, 27 Feb 2024 08:58:59 +0100
Subject: [PATCH] Deploy dataapi pg (#9)

This was deployed
---
 tf/environments/prod/main.tf                  | 64 ++++++++-------
 tf/environments/prod/templates/ecs-setup.sh   |  3 -
 .../templates/instance_profile_policy.json    | 78 ++++++++++++-------
 .../prod/templates/task_definition.json       | 10 +++
 tf/environments/prod/terraform.tfvars.json    |  2 +-
 5 files changed, 98 insertions(+), 59 deletions(-)

diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 0f696d16..73fb6b8b 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -351,10 +351,11 @@ resource "aws_ecs_task_definition" "dataapi" {
     container_name   = local.container_name,
     container_port   = 80,
     log_group_region = var.aws_region,
-    log_group_name   = aws_cloudwatch_log_group.app.name
+    log_group_name   = aws_cloudwatch_log_group.app.name,
   })
 
-  tags = local.tags
+  execution_role_arn = aws_iam_role.ecs_task.arn
+  tags               = local.tags
 }
 
 resource "aws_ecs_service" "dataapi" {
@@ -390,20 +391,22 @@ resource "aws_ecs_service" "dataapi" {
 
 ## IAM
 
-resource "aws_iam_role" "ecs_service" {
-  name = "ooni_ecs_role"
+
+
+resource "aws_iam_role" "ecs_task" {
+  name = "ooni_ecs_task_role"
 
   tags = local.tags
 
   assume_role_policy = <<EOF
 {
-  "Version": "2008-10-17",
+  "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
-        "Service": "ecs.amazonaws.com"
+        "Service": "ecs-tasks.amazonaws.com"
       },
       "Action": "sts:AssumeRole"
     }
@@ -412,31 +415,42 @@ resource "aws_iam_role" "ecs_service" {
 EOF
 }
 
-resource "aws_iam_role_policy" "ecs_service" {
-  name = "ooni_ecs_policy"
-  role = aws_iam_role.ecs_service.name
+resource "aws_iam_role_policy" "ecs_task" {
+  name = "ooni_ecs_task_policy"
+  role = aws_iam_role.ecs_task.name
+
+  policy = templatefile("${path.module}/templates/instance_profile_policy.json", {})
+}
+
+resource "aws_iam_role" "ecs_service" {
+  name = "ooni_ecs_role"
+
+  tags = local.tags
 
-  policy = <<EOF
+  assume_role_policy = <<EOF
 {
-  "Version": "2012-10-17",
+  "Version": "2008-10-17",
   "Statement": [
     {
+      "Sid": "",
       "Effect": "Allow",
-      "Action": [
-        "ec2:Describe*",
-        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
-        "elasticloadbalancing:DeregisterTargets",
-        "elasticloadbalancing:Describe*",
-        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
-        "elasticloadbalancing:RegisterTargets"
-      ],
-      "Resource": "*"
+      "Principal": {
+        "Service": "ecs.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
     }
   ]
 }
 EOF
 }
 
+resource "aws_iam_role_policy" "ecs_service" {
+  name = "ooni_ecs_policy"
+  role = aws_iam_role.ecs_service.name
+
+  policy = templatefile("${path.module}/templates/instance_profile_policy.json", {})
+}
+
 resource "aws_iam_instance_profile" "app" {
   name = "tf-ecs-instprofile"
   role = aws_iam_role.app_instance.name
@@ -467,13 +481,9 @@ EOF
 }
 
 resource "aws_iam_role_policy" "instance" {
-  name = "TfEcsOONIInstanceRole"
-  role = aws_iam_role.app_instance.name
-  policy = templatefile("${path.module}/templates/instance_profile_policy.json", {
-    app_log_group_arn = aws_cloudwatch_log_group.app.arn,
-    ecs_log_group_arn = aws_cloudwatch_log_group.ecs.arn
-  })
-
+  name   = "TfEcsOONIInstanceRole"
+  role   = aws_iam_role.app_instance.name
+  policy = templatefile("${path.module}/templates/instance_profile_policy.json", {})
 }
 
 ## ALB
diff --git a/tf/environments/prod/templates/ecs-setup.sh b/tf/environments/prod/templates/ecs-setup.sh
index 00acf10d..48efb837 100644
--- a/tf/environments/prod/templates/ecs-setup.sh
+++ b/tf/environments/prod/templates/ecs-setup.sh
@@ -7,6 +7,3 @@ ECS_CONTAINER_INSTANCE_TAGS=${jsonencode(ecs_cluster_tags)}
 ECS_ENABLE_TASK_IAM_ROLE=true
 EOF
 
-# Install datadog agent
-DD_API_KEY=${datadog_api_key} DD_SITE="datadoghq.eu" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"
-
diff --git a/tf/environments/prod/templates/instance_profile_policy.json b/tf/environments/prod/templates/instance_profile_policy.json
index aa80651e..5857ee55 100644
--- a/tf/environments/prod/templates/instance_profile_policy.json
+++ b/tf/environments/prod/templates/instance_profile_policy.json
@@ -1,29 +1,51 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "ecsInstanceRole",
-        "Effect": "Allow",
-        "Action": [
-          "ecs:DeregisterContainerInstance",
-          "ecs:DiscoverPollEndpoint",
-          "ecs:Poll",
-          "ecs:RegisterContainerInstance",
-          "ecs:Submit*",
-          "ecs:StartTelemetrySession"
-        ],
-        "Resource": [
-          "*"
-        ]
-      },
-      {
-        "Sid": "CloudWatchLogsFullAccess",
-        "Effect": "Allow",
-        "Action": [
-          "logs:*",
-          "cloudwatch:GenerateQuery"
-        ],
-        "Resource": "*"
-      }
-    ]
-  }
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ecsInstanceRole",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DeregisterContainerInstance",
+        "ecs:DiscoverPollEndpoint",
+        "ecs:Poll",
+        "ecs:RegisterContainerInstance",
+        "ecs:Submit*",
+        "ecs:StartTelemetrySession"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "CloudWatchLogsFullAccess",
+      "Effect": "Allow",
+      "Action": ["logs:*", "cloudwatch:GenerateQuery"],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "secretsmanager:ListSecrets",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:Describe*",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:DeregisterTargets",
+        "elasticloadbalancing:Describe*",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:RegisterTargets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/tf/environments/prod/templates/task_definition.json b/tf/environments/prod/templates/task_definition.json
index 81d5d7ff..b82b2abc 100644
--- a/tf/environments/prod/templates/task_definition.json
+++ b/tf/environments/prod/templates/task_definition.json
@@ -11,6 +11,16 @@
         "hostPort": 0
       }
     ],
+    "secrets": [
+        {
+            "name": "POSTGRESQL_URL",
+            "valueFrom": "arn:aws:secretsmanager:eu-central-1:082866812839:secret:OONI_PROD_POSTGRES_URL-IQyNqP"
+        },
+        {
+            "name": "JWT_ENCRYPTION_KEY",
+            "valueFrom": "arn:aws:secretsmanager:eu-central-1:082866812839:secret:OONI_PROD_JWT_ENCRYPTION_KEY-euqdD9"
+        }
+    ],
     "logConfiguration": {
         "logDriver": "awslogs",
         "options": {
diff --git a/tf/environments/prod/terraform.tfvars.json b/tf/environments/prod/terraform.tfvars.json
index d6409d1e..328562d9 100644
--- a/tf/environments/prod/terraform.tfvars.json
+++ b/tf/environments/prod/terraform.tfvars.json
@@ -1,5 +1,5 @@
 {
   "ooni_service_config": {
-    "dataapi_version": "v0.3.0.dev1"
+    "dataapi_version": "20240226-f3c84e02"
   }
 }