add AppConfig to other services

silinternational · Mar 26, 2024 · 09b2ca1 · 09b2ca1
1 parent e6f2105
commit 09b2ca1
Show file tree

Hide file tree

Showing 17 changed files with 382 additions and 76 deletions.
diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf
@@ -1,6 +1,8 @@
 locals {
   aws_account = data.aws_caller_identity.this.account_id
   aws_region  = data.aws_region.current.name
+  cfg_id      = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
+  config_id   = local.cfg_id == null ? "" : local.cfg_id
 }
 
 /*
@@ -55,50 +57,44 @@ resource "random_id" "access_token_idsync" {
   byte_length = 16
 }
 
+
 /*
- * Create role for access to SES
+ * Create ECS role
  */
-resource "aws_iam_role" "ses" {
-  name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid    = "ECSAssumeRoleSES"
-        Effect = "Allow"
-        Principal = {
-          Service = [
-            "ses.amazonaws.com",
-            "ecs-tasks.amazonaws.com",
-          ]
-        }
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
+module "ecs_role" {
+  source = "../ecs-role"
+
+  name   = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
+  policy = local.ecs_role_policy
 }
 
-resource "aws_iam_role_policy" "ses" {
-  name = "ses"
-  role = aws_iam_role.ses.id
-  policy = jsonencode(
+locals {
+  ecs_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = concat(local.ses_policy_statement, local.appconfig_policy_statement)
+  })
+  ses_policy_statement = [{
+    Sid      = "SendEmail"
+    Effect   = "Allow"
+    Action   = "ses:SendEmail"
+    Resource = "*"
+    Condition = {
+      StringEquals = {
+        "ses:FromAddress" = var.from_email
+      }
+    }
+  }]
+  appconfig_policy_statement = var.app_id == "" ? [] : [
     {
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Sid      = "SendEmail"
-          Effect   = "Allow"
-          Action   = "ses:SendEmail"
-          Resource = "*"
-          Condition = {
-            StringEquals = {
-              "ses:FromAddress" = var.from_email
-            }
-          }
-        }
+      Sid    = "AppConfig"
+      Effect = "Allow"
+      Action = [
+        "appconfig:GetLatestConfiguration",
+        "appconfig:StartConfigurationSession",
       ]
-  })
+      Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}"
+    },
+  ]
 }
 
 /*
@@ -108,6 +104,9 @@ locals {
   subdomain_with_region = "${var.subdomain}-${local.aws_region}"
 
   task_def_api = templatefile("${path.module}/task-definition-api.json", {
+    app_id                    = var.app_id
+    env_id                    = var.env_id
+    config_id                 = local.config_id
     api_access_keys           = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}"
     app_env                   = var.app_env
     app_name                  = var.app_name
@@ -143,13 +142,16 @@ module "ecsservice_api" {
   container_def_json = local.task_def_api
   desired_count      = var.desired_count_api
   tg_arn             = aws_alb_target_group.email.arn
-  task_role_arn      = aws_iam_role.ses.arn
+  task_role_arn      = module.ecs_role.role_arn
   lb_container_name  = "api"
   lb_container_port  = "80"
 }
 
 locals {
   task_def_cron = templatefile("${path.module}/task-definition-cron.json", {
+    app_id                    = var.app_id
+    env_id                    = var.env_id
+    config_id                 = local.config_id
     api_access_keys           = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}"
     app_env                   = var.app_env
     app_name                  = var.app_name
@@ -182,7 +184,7 @@ module "ecsservice_cron" {
   service_name       = "${var.idp_name}-${var.app_name}-cron"
   service_env        = var.app_env
   container_def_json = local.task_def_cron
-  task_role_arn      = aws_iam_role.ses.arn
+  task_role_arn      = module.ecs_role.role_arn
   desired_count      = var.enable_cron ? 1 : 0
 }
 
@@ -201,6 +203,19 @@ data "cloudflare_zone" "domain" {
   name = var.cloudflare_domain
 }
 
+
+/*
+ * Create AppConfig configuration profile
+ */
+resource "aws_appconfig_configuration_profile" "this" {
+  count = var.app_id == "" ? 0 : 1
+
+  application_id = var.app_id
+  name           = "${var.app_name}-${var.app_env}"
+  location_uri   = "hosted"
+}
+
+
 /*
  * AWS data
  */

diff --git a/terraform/031-email-service/task-definition-api.json b/terraform/031-email-service/task-definition-api.json
@@ -21,6 +21,22 @@
     "ulimits": null,
     "dockerSecurityOptions": null,
     "environment": [
+      {
+        "name": "APP_ID",
+        "value": "${app_id}"
+      },
+      {
+        "name": "AWS_REGION",
+        "value": "${aws_region}"
+      },
+      {
+        "name": "ENV_ID",
+        "value": "${env_id}"
+      },
+      {
+        "name": "CONFIG_ID",
+        "value": "${config_id}"
+      },
       {
         "name": "API_ACCESS_KEYS",
         "value": "${api_access_keys}"

diff --git a/terraform/031-email-service/task-definition-cron.json b/terraform/031-email-service/task-definition-cron.json
@@ -15,6 +15,22 @@
     "ulimits": null,
     "dockerSecurityOptions": null,
     "environment": [
+      {
+        "name": "APP_ID",
+        "value": "${app_id}"
+      },
+      {
+        "name": "AWS_REGION",
+        "value": "${aws_region}"
+      },
+      {
+        "name": "ENV_ID",
+        "value": "${env_id}"
+      },
+      {
+        "name": "CONFIG_ID",
+        "value": "${config_id}"
+      },
       {
         "name": "API_ACCESS_KEYS",
         "value": "${api_access_keys}"

diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf
@@ -160,3 +160,15 @@ variable "wildcard_cert_arn" {
 variable "enable_cron" {
   default = true
 }
+
+variable "app_id" {
+  description = "AppConfig application ID"
+  type        = string
+  default     = ""
+}
+
+variable "env_id" {
+  description = "AppConfig environment ID"
+  type        = string
+  default     = ""
+}
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
@@ -207,7 +207,7 @@ module "ecsservice" {
   tg_arn             = aws_alb_target_group.broker.arn
   lb_container_name  = "web"
   lb_container_port  = "80"
-  task_role_arn      = one(aws_iam_role.app_config[*].arn)
+  task_role_arn      = one(module.ecs_role[*].role_arn)
 }
 
 /*
@@ -431,43 +431,13 @@ data "cloudflare_zone" "domain" {
 
 
 /*
- * Create role for access to AppConfig
+ * Create ECS role
  */
-resource "aws_iam_role" "app_config" {
-  count = var.app_id == "" ? 0 : 1
-
-  name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid    = "ECSAssumeRoleAppConfig"
-        Effect = "Allow"
-        Principal = {
-          Service = [
-            "ecs-tasks.amazonaws.com",
-          ]
-        }
-        Action = "sts:AssumeRole"
-        Condition = {
-          ArnLike = {
-            "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*"
-          }
-          StringEquals = {
-            "aws:SourceAccount" = local.aws_account
-          }
-        }
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy" "app_config" {
-  count = var.app_id == "" ? 0 : 1
+module "ecs_role" {
+  count  = var.app_id == "" ? 0 : 1
+  source = "../ecs-role"
 
-  name = "app_config"
-  role = one(aws_iam_role.app_config[*].id)
+  name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
   policy = jsonencode(
     {
       Version = "2012-10-17"

diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf
@@ -2,6 +2,8 @@ locals {
   aws_account = data.aws_caller_identity.this.account_id
   aws_region  = data.aws_region.current.name
   ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}"
+  cfg_id      = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
+  config_id   = local.cfg_id == null ? "" : local.cfg_id
 }
 
 /*
@@ -60,6 +62,9 @@ locals {
   api_subdomain_with_region = "${var.api_subdomain}-${local.aws_region}"
 
   task_def = templatefile("${path.module}/task-definition-api.json", {
+    app_id                              = var.app_id
+    env_id                              = var.env_id
+    config_id                           = local.config_id
     access_token_hash                   = random_id.access_token_hash.hex
     alerts_email                        = var.alerts_email
     alerts_email_enabled                = var.alerts_email_enabled
@@ -126,6 +131,7 @@ module "ecsservice" {
   lb_container_name  = "web"
   lb_container_port  = "80"
   ecsServiceRole_arn = var.ecsServiceRole_arn
+  task_role_arn      = one(module.ecs_role[*].role_arn)
 }
 
 /*
@@ -153,6 +159,44 @@ data "cloudflare_zone" "domain" {
   name = var.cloudflare_domain
 }
 
+
+/*
+ * Create ECS role
+ */
+module "ecs_role" {
+  count  = var.app_id == "" ? 0 : 1
+  source = "../ecs-role"
+
+  name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
+  policy = jsonencode(
+    {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid    = "AppConfig"
+          Effect = "Allow"
+          Action = [
+            "appconfig:GetLatestConfiguration",
+            "appconfig:StartConfigurationSession",
+          ]
+          Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}"
+        }
+      ]
+  })
+}
+
+
+/*
+ * Create AppConfig configuration profile
+ */
+resource "aws_appconfig_configuration_profile" "this" {
+  count = var.app_id == "" ? 0 : 1
+
+  application_id = var.app_id
+  name           = "${var.app_name}-${var.app_env}"
+  location_uri   = "hosted"
+}
+
 /*
  * AWS data
  */

diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json
@@ -21,6 +21,22 @@
     "ulimits": null,
     "dockerSecurityOptions": null,
     "environment": [
+      {
+        "name": "APP_ID",
+        "value": "${app_id}"
+      },
+      {
+        "name": "AWS_REGION",
+        "value": "${aws_region}"
+      },
+      {
+        "name": "ENV_ID",
+        "value": "${env_id}"
+      },
+      {
+        "name": "CONFIG_ID",
+        "value": "${config_id}"
+      },
       {
         "name": "ACCESS_TOKEN_HASH_KEY",
         "value": "${access_token_hash}"

diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf
@@ -285,3 +285,15 @@ variable "create_dns_record" {
   type        = bool
   default     = true
 }
+
+variable "app_id" {
+  description = "AppConfig application ID"
+  type        = string
+  default     = ""
+}
+
+variable "env_id" {
+  description = "AppConfig environment ID"
+  type        = string
+  default     = ""
+}