From b138888fd1a59a2c0bcd7042e611030559b1c688 Mon Sep 17 00:00:00 2001
From: DecFox <mehul707gulati@gmail.com>
Date: Tue, 19 Mar 2024 16:49:24 +0530
Subject: [PATCH] feat: add oonith service

Add oonith_service and oonith_service_deployer
to deploy the oonihelperd service from ooni/backend
This is the final step in https://github.com/ooni/devops/issues/29
---
 tf/environments/dev/main.tf                   |  42 ++-
 tf/modules/oonith_service/main.tf             | 222 ++++++++++++++
 tf/modules/oonith_service/outputs.tf          |  15 +
 .../templates/profile_policy.json             |  51 ++++
 tf/modules/oonith_service/variables.tf        |  72 +++++
 tf/modules/oonith_service_deployer/main.tf    | 273 ++++++++++++++++++
 tf/modules/oonith_service_deployer/outputs.tf |   0
 .../templates/codepipeline_policy.json        | 162 +++++++++++
 .../oonith_service_deployer/variables.tf      |  36 +++
 9 files changed, 872 insertions(+), 1 deletion(-)
 create mode 100644 tf/modules/oonith_service/main.tf
 create mode 100644 tf/modules/oonith_service/outputs.tf
 create mode 100644 tf/modules/oonith_service/templates/profile_policy.json
 create mode 100644 tf/modules/oonith_service/variables.tf
 create mode 100644 tf/modules/oonith_service_deployer/main.tf
 create mode 100644 tf/modules/oonith_service_deployer/outputs.tf
 create mode 100644 tf/modules/oonith_service_deployer/templates/codepipeline_policy.json
 create mode 100644 tf/modules/oonith_service_deployer/variables.tf

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index c73e0f4c..b0a79029 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -235,7 +235,7 @@ resource "aws_codestarconnections_connection" "ooniapi" {
 }
 
 resource "aws_codestarconnections_connection" "oonith" {
-  name          = "oonith"
+  name = "oonith"
   provider_type = "GitHub"
 
   depends_on = [module.adm_iam_roles]
@@ -434,3 +434,43 @@ module "ooniapi_frontend" {
     { Name = "ooni-tier0-api-frontend" }
   )
 }
+
+#### OONI oohelperd service
+
+module "oonith_oohelperd_deployer" {
+  source = "../../modules/oonith_service_deployer"
+  
+  service_name            = "oohelperd"
+  repo                    = "ooni/backend"
+  branch_name             = "master"
+  buildspec_path          = "oonith/buildspec.yml"
+  codestar_connection_arn = aws_codestarconnections_connection.oonith.arn
+
+  codepipeline_bucket = aws_s3_bucket.oonith_codepipeline_bucket.bucket
+
+  ecs_service_name = module.oonith_oohelperd.ecs_service_name
+  ecs_cluster_name = module.oonith_cluster.cluster_name
+}
+
+module "oonith_oohelperd" {
+  source = "../../modules/oonith_service"
+
+  vpc_id     = module.network.vpc_id
+  subnet_ids = module.network.vpc_subnet[*].id
+
+  service_name             = "oonhelperd"
+  default_docker_image_url = "ooni/oonith-oohelperd:latest"
+  stage                    = local.environment
+  dns_zone_ooni_io         = local.dns_zone_ooni_io
+  key_name                 = module.adm_iam_roles.oonidevops_key_name
+  ecs_cluster_id           = module.oonith_cluster.cluster_id
+
+  oonith_service_security_groups = [
+    module.oonith_cluster.web_security_group_id
+  ]
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier0-oohelperd" }
+  )
+}
diff --git a/tf/modules/oonith_service/main.tf b/tf/modules/oonith_service/main.tf
new file mode 100644
index 00000000..d4d1c80d
--- /dev/null
+++ b/tf/modules/oonith_service/main.tf
@@ -0,0 +1,222 @@
+locals {
+  name = "oonith-service-${var.service_name}"
+}
+
+resource "aws_iam_role" "oonith_service_task" {
+  name = "${local.name}-task-role"
+
+  tags = var.tags
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "oonith_service_task" {
+  name = "${local.name}-task-role"
+  role = aws_iam_role.oonith_service_task.name
+
+  policy = templatefile("${path.module}/templates/profile_policy.json", {})
+}
+
+resource "aws_cloudwatch_log_group" "oonith_service" {
+  name = "ooni-ecs-group/${local.name}"
+}
+
+
+locals {
+  container_port = 80
+}
+
+data "aws_ecs_task_definition" "oonith_service_current" {
+  task_definition = "${local.name}-td"
+}
+
+resource "aws_ecs_task_definition" "oonith_service" {
+  family = "${local.name}-td"
+  container_definitions = jsonencode([
+    {
+      cpu       = var.task_cpu,
+      essential = true,
+      image = try(
+        jsondecode(data.aws_ecs_task_definition.oonith_service_current.task_definition).ContainerDefinitions[0].image,
+        var.default_docker_image_url
+      ),
+      memory = var.task_memory,
+      name   = local.name,
+      portMappings = [
+        {
+          containerPort = local.container_port,
+          hostPort      = 0
+        }
+      ],
+      environment = [
+        for k, v in var.task_environment : {
+          name  = k,
+          value = v
+        }
+      ],
+      secrets = [
+        for k, v in var.task_secrets : {
+          name      = k,
+          valueFrom = v
+        }
+      ],
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          awslogs-group  = aws_cloudwatch_log_group.oonith_service.name,
+          awslogs-region = var.aws_region
+        }
+      }
+    }
+  ])
+  execution_role_arn = aws_iam_role.oonith_service_task.arn
+  tags               = var.tags
+}
+
+resource "aws_ecs_service" "oonith_service" {
+  name            = local.name
+  cluster         = var.ecs_cluster_id
+  task_definition = aws_ecs_task_definition.oonith_service.arn
+  desired_count   = var.service_desired_count
+
+  deployment_minimum_healthy_percent = 50
+  deployment_maximum_percent         = 100
+
+  load_balancer {
+    target_group_arn = aws_alb_target_group.oonith_service_direct.id
+    container_name   = local.name
+    container_port   = "80"
+  }
+
+  load_balancer {
+    target_group_arn = aws_alb_target_group.oonith_service_mapped.id
+    container_name   = local.name
+    container_port   = "80"
+  }
+
+  depends_on = [
+    aws_alb_listener.oonith_service_http,
+  ]
+
+  force_new_deployment = true
+
+  tags = var.tags
+}
+
+# The direct
+resource "aws_alb_target_group" "oonith_service_direct" {
+  name     = "${local.name}-direct"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  tags = var.tags
+}
+
+# The mapped target group is used for mapping it in the main TH load balancer
+resource "aws_alb_target_group" "oonith_service_mapped" {
+  name     = "${local.name}-mapped"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  tags = var.tags
+}
+
+resource "aws_alb" "oonith_service" {
+  name            = local.name
+  subnets         = var.subnet_ids
+  security_groups = var.oonith_service_security_groups
+
+  tags = var.tags
+}
+
+resource "aws_alb_listener" "oonith_service_http" {
+  load_balancer_arn = aws_alb.oonith_service.id
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    target_group_arn = aws_alb_target_group.oonith_service_direct.id
+    type             = "forward"
+  }
+
+  tags = var.tags
+}
+
+resource "aws_alb_listener" "front_end_https" {
+  load_balancer_arn = aws_alb.oonith_service.id
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_acm_certificate.oonith_service.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.oonith_service_direct.id
+    type             = "forward"
+  }
+
+  tags = var.tags
+}
+
+resource "aws_route53_record" "oonith_service" {
+  zone_id = var.dns_zone_ooni_io
+  name    = "${var.service_name}.api.${var.stage}.ooni.io"
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.oonith_service.dns_name
+    zone_id                = aws_alb.oonith_service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_acm_certificate" "oonith_service" {
+  domain_name       = "${var.service_name}.api.${var.stage}.ooni.io"
+  validation_method = "DNS"
+
+  tags = var.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "oonith_service_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.oonith_service.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_zone_ooni_io
+}
+
+resource "aws_acm_certificate_validation" "oonith_service" {
+  certificate_arn         = aws_acm_certificate.oonith_service.arn
+  validation_record_fqdns = [for record in aws_route53_record.oonith_service_validation : record.fqdn]
+  depends_on = [
+    aws_route53_record.oonith_service
+  ]
+}
diff --git a/tf/modules/oonith_service/outputs.tf b/tf/modules/oonith_service/outputs.tf
new file mode 100644
index 00000000..bd538c49
--- /dev/null
+++ b/tf/modules/oonith_service/outputs.tf
@@ -0,0 +1,15 @@
+output "ooni_io_fqdn" {
+  value = aws_route53_record.oonith_service.name
+}
+
+output "dns_name" {
+  value = aws_alb.oonith_service.dns_name
+}
+
+output "ecs_service_name" {
+  value = aws_ecs_service.oonith_service.name
+}
+
+output "alb_target_group_id" {
+  value = aws_alb_target_group.oonith_service_mapped.id
+}
diff --git a/tf/modules/oonith_service/templates/profile_policy.json b/tf/modules/oonith_service/templates/profile_policy.json
new file mode 100644
index 00000000..5857ee55
--- /dev/null
+++ b/tf/modules/oonith_service/templates/profile_policy.json
@@ -0,0 +1,51 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ecsInstanceRole",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DeregisterContainerInstance",
+        "ecs:DiscoverPollEndpoint",
+        "ecs:Poll",
+        "ecs:RegisterContainerInstance",
+        "ecs:Submit*",
+        "ecs:StartTelemetrySession"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "CloudWatchLogsFullAccess",
+      "Effect": "Allow",
+      "Action": ["logs:*", "cloudwatch:GenerateQuery"],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "secretsmanager:ListSecrets",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:Describe*",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:DeregisterTargets",
+        "elasticloadbalancing:Describe*",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:RegisterTargets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/tf/modules/oonith_service/variables.tf b/tf/modules/oonith_service/variables.tf
new file mode 100644
index 00000000..6eb49bb9
--- /dev/null
+++ b/tf/modules/oonith_service/variables.tf
@@ -0,0 +1,72 @@
+variable "aws_region" {
+  description = "The AWS region to create things in."
+  default     = "eu-central-1"
+}
+
+variable "key_name" {
+  description = "Name of AWS key pair"
+}
+
+variable "service_name" {
+  description = "short service name. will become the first part of the fqdn eg. <service_name>.prod.ooni.io"
+}
+
+variable "stage" {
+  default = "one of dev, stage, test, prod"
+}
+
+variable "vpc_id" {
+  description = "the id of the VPC to deploy the instance into"
+}
+
+variable "subnet_ids" {
+  description = "the ids of the subnet of the subnets to deploy the instance into"
+}
+
+variable "tags" {
+  description = "tags to apply to the resources"
+  default     = {}
+  type        = map(string)
+}
+
+variable "service_desired_count" {
+  description = "Desired numbers of instances in the ecs service"
+  default     = 2
+}
+
+variable "task_cpu" {
+  default     = 256
+  description = "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size"
+}
+
+variable "task_memory" {
+  default     = 512
+  description = "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size"
+}
+
+variable "dns_zone_ooni_io" {
+  description = "id of the DNS zone for ooni_io"
+}
+
+variable "default_docker_image_url" {
+  description = "the url to the default docker image unless there is one already defined in the task definition"
+}
+
+variable "ecs_cluster_id" {
+  description = "id of the cluster to deploy into"
+}
+
+variable "task_secrets" {
+  default = {}
+  type    = map(string)
+}
+
+variable "task_environment" {
+  default = {}
+  type    = map(string)
+}
+
+variable "ooniapi_service_security_groups" {
+  description = "the shared web security group from the ecs cluster"
+  type        = list(string)
+}
diff --git a/tf/modules/oonith_service_deployer/main.tf b/tf/modules/oonith_service_deployer/main.tf
new file mode 100644
index 00000000..44a11b0d
--- /dev/null
+++ b/tf/modules/oonith_service_deployer/main.tf
@@ -0,0 +1,273 @@
+
+## CodeBuild and CodePipeline for OONI TH Services
+
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+resource "aws_iam_policy" "codebuild" {
+  description = "Policy used in trust relationship with CodeBuild"
+  name        = "codebuild-${var.service_name}-${var.aws_region}"
+  path        = "/service-role/"
+
+  policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:logs:${var.aws_region}:${local.account_id}:log-group:/aws/codebuild/oonith-${var.service_name}",
+        "arn:aws:logs:${var.aws_region}:${local.account_id}:log-group:/aws/codebuild/oonith-${var.service_name}:*"
+      ]
+    },
+    {
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:GetObjectVersion",
+        "s3:GetBucketAcl",
+        "s3:GetBucketLocation"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::codepipeline-oonith-${var.aws_region}-*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codebuild:CreateReportGroup",
+        "codebuild:CreateReport",
+        "codebuild:UpdateReport",
+        "codebuild:BatchPutTestCases",
+        "codebuild:BatchPutCodeCoverages"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:codebuild:${var.aws_region}:${local.account_id}:report-group/oonith-${var.service_name}-*"
+      ]
+    },
+    {
+        "Effect": "Allow",
+        "Action": "codestar-connections:UseConnection",
+        "Resource": "${var.codestar_connection_arn}"
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+}
+
+resource "aws_iam_role" "codebuild" {
+  assume_role_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+
+  managed_policy_arns = [
+    aws_iam_policy.codebuild.arn,
+    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
+    "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+  ]
+  max_session_duration = "3600"
+  name                 = "codebuild-oonith-${var.service_name}"
+  path                 = "/service-role/"
+}
+
+resource "aws_codebuild_project" "oonith" {
+  artifacts {
+    encryption_disabled    = "false"
+    override_artifact_name = "false"
+    type                   = "NO_ARTIFACTS"
+  }
+
+  badge_enabled = "false"
+  build_timeout = "60"
+
+  cache {
+    type = "NO_CACHE"
+  }
+
+  concurrent_build_limit = "1"
+  encryption_key         = "arn:aws:kms:${var.aws_region}:${local.account_id}:alias/aws/s3"
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "aws/codebuild/standard:7.0"
+    image_pull_credentials_type = "CODEBUILD"
+    privileged_mode             = "true"
+    type                        = "LINUX_CONTAINER"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status = "ENABLED"
+    }
+
+    s3_logs {
+      encryption_disabled = "false"
+      status              = "DISABLED"
+    }
+  }
+
+  name               = "oonith-${var.service_name}"
+  project_visibility = "PRIVATE"
+  queued_timeout     = "480"
+  service_role       = aws_iam_role.codebuild.arn
+
+  source {
+    buildspec       = var.buildspec_path
+    git_clone_depth = "1"
+
+    git_submodules_config {
+      fetch_submodules = "false"
+    }
+
+    insecure_ssl        = "false"
+    location            = "https://github.com/${var.repo}.git"
+    report_build_status = "false"
+    type                = "GITHUB"
+  }
+}
+
+resource "aws_iam_policy" "codepipeline" {
+  description = "Policy used in trust relationship with CodePipeline"
+  name        = "codepipeline-oonith-${var.service_name}"
+  path        = "/service-role/"
+
+  policy = templatefile("${path.module}/templates/codepipeline_policy.json", {})
+}
+
+resource "aws_iam_role" "codepipeline" {
+  assume_role_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codepipeline.amazonaws.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+
+  managed_policy_arns = [
+    aws_iam_policy.codepipeline.arn,
+  ]
+  max_session_duration = "3600"
+  name                 = "codepipeline-oonith-${var.service_name}"
+  path                 = "/service-role/"
+}
+
+resource "aws_codepipeline" "oonith" {
+  name          = "oonith-${var.service_name}"
+  pipeline_type = "V2"
+  role_arn      = aws_iam_role.codepipeline.arn
+
+  artifact_store {
+    location = var.codepipeline_bucket
+    type     = "S3"
+  }
+
+  depends_on = [
+    aws_codebuild_project.oonith
+  ]
+
+  stage {
+    action {
+
+      name             = "Source"
+      category         = "Source"
+      namespace        = "SourceVariables"
+      output_artifacts = ["SourceArtifact"]
+      owner            = "AWS"
+      provider         = "CodeStarSourceConnection"
+      region           = var.aws_region
+      run_order        = "1"
+      version          = "1"
+
+      configuration = {
+        ConnectionArn        = var.codestar_connection_arn
+        FullRepositoryId     = var.repo
+        BranchName           = var.branch_name
+        DetectChanges        = "true"
+        OutputArtifactFormat = "CODEBUILD_CLONE_REF"
+      }
+    }
+
+    name = "Source"
+  }
+
+  stage {
+    action {
+      category = "Build"
+
+      configuration = {
+        ProjectName = "oonith-${var.service_name}"
+      }
+
+      input_artifacts  = ["SourceArtifact"]
+      name             = "Build"
+      namespace        = "BuildVariables"
+      output_artifacts = ["BuildArtifact"]
+      owner            = "AWS"
+      provider         = "CodeBuild"
+      region           = var.aws_region
+      run_order        = "1"
+      version          = "1"
+    }
+
+    name = "Build"
+  }
+
+  stage {
+    action {
+      category = "Deploy"
+
+      configuration = {
+        ClusterName = var.ecs_cluster_name
+        ServiceName = var.ecs_service_name
+      }
+
+      input_artifacts = ["BuildArtifact"]
+      name            = "Deploy"
+      namespace       = "DeployVariables"
+      owner           = "AWS"
+      provider        = "ECS"
+      region          = var.aws_region
+      run_order       = "1"
+      version         = "1"
+    }
+
+    name = "Deploy"
+  }
+}
diff --git a/tf/modules/oonith_service_deployer/outputs.tf b/tf/modules/oonith_service_deployer/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/tf/modules/oonith_service_deployer/templates/codepipeline_policy.json b/tf/modules/oonith_service_deployer/templates/codepipeline_policy.json
new file mode 100644
index 00000000..6d465479
--- /dev/null
+++ b/tf/modules/oonith_service_deployer/templates/codepipeline_policy.json
@@ -0,0 +1,162 @@
+{
+  "Statement": [
+    {
+      "Action": ["iam:PassRole"],
+      "Condition": {
+        "StringEqualsIfExists": {
+          "iam:PassedToService": [
+            "cloudformation.amazonaws.com",
+            "elasticbeanstalk.amazonaws.com",
+            "ec2.amazonaws.com",
+            "ecs-tasks.amazonaws.com"
+          ]
+        }
+      },
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codecommit:CancelUploadArchive",
+        "codecommit:GetBranch",
+        "codecommit:GetCommit",
+        "codecommit:GetRepository",
+        "codecommit:GetUploadArchiveStatus",
+        "codecommit:UploadArchive"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codedeploy:CreateDeployment",
+        "codedeploy:GetApplication",
+        "codedeploy:GetApplicationRevision",
+        "codedeploy:GetDeployment",
+        "codedeploy:GetDeploymentConfig",
+        "codedeploy:RegisterApplicationRevision"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["codestar-connections:UseConnection"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "elasticbeanstalk:*",
+        "ec2:*",
+        "elasticloadbalancing:*",
+        "autoscaling:*",
+        "cloudwatch:*",
+        "s3:*",
+        "sns:*",
+        "cloudformation:*",
+        "rds:*",
+        "sqs:*",
+        "ecs:*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["lambda:InvokeFunction", "lambda:ListFunctions"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "opsworks:CreateDeployment",
+        "opsworks:DescribeApps",
+        "opsworks:DescribeCommands",
+        "opsworks:DescribeDeployments",
+        "opsworks:DescribeInstances",
+        "opsworks:DescribeStacks",
+        "opsworks:UpdateApp",
+        "opsworks:UpdateStack"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:UpdateStack",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:ExecuteChangeSet",
+        "cloudformation:SetStackPolicy",
+        "cloudformation:ValidateTemplate"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codebuild:BatchGetBuilds",
+        "codebuild:StartBuild",
+        "codebuild:BatchGetBuildBatches",
+        "codebuild:StartBuildBatch"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "devicefarm:ListProjects",
+        "devicefarm:ListDevicePools",
+        "devicefarm:GetRun",
+        "devicefarm:GetUpload",
+        "devicefarm:CreateUpload",
+        "devicefarm:ScheduleRun"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "servicecatalog:ListProvisioningArtifacts",
+        "servicecatalog:CreateProvisioningArtifact",
+        "servicecatalog:DescribeProvisioningArtifact",
+        "servicecatalog:DeleteProvisioningArtifact",
+        "servicecatalog:UpdateProduct"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["cloudformation:ValidateTemplate"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["ecr:DescribeImages"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "states:DescribeExecution",
+        "states:DescribeStateMachine",
+        "states:StartExecution"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "appconfig:StartDeployment",
+        "appconfig:StopDeployment",
+        "appconfig:GetDeployment"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ],
+  "Version": "2012-10-17"
+}
diff --git a/tf/modules/oonith_service_deployer/variables.tf b/tf/modules/oonith_service_deployer/variables.tf
new file mode 100644
index 00000000..ff2b7c4c
--- /dev/null
+++ b/tf/modules/oonith_service_deployer/variables.tf
@@ -0,0 +1,36 @@
+variable "aws_region" {
+  description = "The AWS region to create things in."
+  default     = "eu-central-1"
+}
+
+variable "service_name" {
+  description = "short service name. will become the first part of the fqdn eg. <service_name>.prod.ooni.io"
+}
+
+variable "buildspec_path" {
+  description = "relative path in the repo to the buildspec eg. api/fastapi/buildspec.yml"
+}
+
+variable "codepipeline_bucket" {
+  description = "specify a unique bucket to store build artifacts"
+}
+
+variable "codestar_connection_arn" {
+}
+
+variable "branch_name" {
+  default = "main"
+}
+
+variable "repo" {
+  default = "ooni/backend"
+}
+
+variable "ecs_cluster_name" {
+  description = "id of the cluster to deploy into"
+}
+
+variable "ecs_service_name" {
+  description = "id of the service in the cluster to deploy"
+}
+