diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index d9c13b8..f35cef5 100644 --- a/terraform/031-email-service/main.tf +++ b/terraform/031-email-service/main.tf @@ -1,6 +1,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id } /* 
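Review bot: The new `config_id` local carries a load-bearing empty string — it is written into the task definitions as `CONFIG_ID` and, when AppConfig is enabled, into the IAM policy resource ARN — yet nothing in the hunk says what `""` means, so a one-line comment is warranted, e.g. `# "" when no AppConfig profile exists (var.app_id == ""); consumers treat it as "AppConfig disabled"`. The same `cfg_id`/`config_id` pair is repeated in the 050-pw-manager, 060-simplesamlphp and 070-id-sync locals hunks and deserves the same comment. If `cfg_id` is referenced nowhere else, folding the null check into a single local would also keep the module namespace smaller.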
@@ -55,50 +57,44 @@ resource "random_id" "access_token_idsync" { byte_length = 16 } + /* - * Create role for access to SES + * Create ECS role */ -resource "aws_iam_role" "ses" { - name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Sid = "ECSAssumeRoleSES" - Effect = "Allow" - Principal = { - Service = [ - "ses.amazonaws.com", - "ecs-tasks.amazonaws.com", - ] - } - Action = "sts:AssumeRole" - } - ] - }) +module "ecs_role" { + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = local.ecs_role_policy } -resource "aws_iam_role_policy" "ses" { - name = "ses" - role = aws_iam_role.ses.id - policy = jsonencode( +locals { + ecs_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = concat(local.ses_policy_statement, local.appconfig_policy_statement) + }) + ses_policy_statement = [{ + Sid = "SendEmail" + Effect = "Allow" + Action = "ses:SendEmail" + Resource = "*" + Condition = { + StringEquals = { + "ses:FromAddress" = var.from_email + } + } + }] + appconfig_policy_statement = var.app_id == "" ? [] : [ { - Version = "2012-10-17" - Statement = [ - { - Sid = "SendEmail" - Effect = "Allow" - Action = "ses:SendEmail" - Resource = "*" - Condition = { - StringEquals = { - "ses:FromAddress" = var.from_email - } - } - } + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", ] - }) + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + }, + ] } /* 
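Review bot: `appconfig_policy_statement` is gated on `var.app_id` alone, but its `Resource` ARN also embeds `var.env_id`, which defaults to `""` in vars.tf; with `app_id` set and `env_id` unset the ARN becomes `.../environment//configuration/...`, matches nothing, and the task silently gets no AppConfig access until it fails at runtime. Gating on both, `appconfig_policy_statement = var.app_id == "" || var.env_id == "" ? [] : [`, keeps the policy consistent, and a `precondition` on `aws_appconfig_configuration_profile.this` (or a variable `validation`) rejecting an empty `env_id` whenever `app_id` is set would fail the plan instead of deferring the error; the same ARN pattern appears in the `ecs_role` module calls for 050-pw-manager, 060-simplesamlphp and 070-id-sync. Separately, renaming the role from `ses-…` to `ecs-…` replaces it rather than updating it in place, so tasks still running the previous task definition would lose `ses:SendEmail` between the old role's deletion and the new task definition's rollout (inferred from the name change; verify the apply ordering).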
@@ -108,6 +104,9 @@ locals { subdomain_with_region = "${var.subdomain}-${local.aws_region}" task_def_api = templatefile("${path.module}/task-definition-api.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name @@ -143,13 +142,16 @@ module "ecsservice_api" { container_def_json = local.task_def_api desired_count = var.desired_count_api tg_arn = aws_alb_target_group.email.arn - task_role_arn = aws_iam_role.ses.arn + task_role_arn = module.ecs_role.role_arn lb_container_name = "api" lb_container_port = "80" } locals { task_def_cron = templatefile("${path.module}/task-definition-cron.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name @@ -182,7 +184,7 @@ module "ecsservice_cron" { service_name = "${var.idp_name}-${var.app_name}-cron" service_env = var.app_env container_def_json = local.task_def_cron - task_role_arn = aws_iam_role.ses.arn + task_role_arn = module.ecs_role.role_arn desired_count = var.enable_cron ? 1 : 0 } @@ -201,6 +203,19 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + + /* * AWS data */ diff --git a/terraform/031-email-service/task-definition-api.json b/terraform/031-email-service/task-definition-api.json index e0ca1a9..ec517dc 100644 --- a/terraform/031-email-service/task-definition-api.json +++ b/terraform/031-email-service/task-definition-api.json 
@@ -21,6 +21,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "API_ACCESS_KEYS", "value": "${api_access_keys}" diff --git a/terraform/031-email-service/task-definition-cron.json b/terraform/031-email-service/task-definition-cron.json index ce4cbc1..f3bff57 100644 --- a/terraform/031-email-service/task-definition-cron.json +++ b/terraform/031-email-service/task-definition-cron.json @@ -15,6 +15,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "API_ACCESS_KEYS", "value": "${api_access_keys}" diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf index bf53b18..a72a76a 100644 --- a/terraform/031-email-service/vars.tf +++ b/terraform/031-email-service/vars.tf @@ -160,3 +160,15 @@ variable "wildcard_cert_arn" { variable "enable_cron" { default = true } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 03bf395..d92909a 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -207,7 +207,7 @@ module "ecsservice" { tg_arn = aws_alb_target_group.broker.arn lb_container_name = "web" lb_container_port = "80" - task_role_arn = one(aws_iam_role.app_config[*].arn) + task_role_arn = one(module.ecs_role[*].role_arn) } /* 
@@ -431,43 +431,13 @@ data "cloudflare_zone" "domain" { /* - * Create role for access to AppConfig + * Create ECS role */ -resource "aws_iam_role" "app_config" { - count = var.app_id == "" ? 0 : 1 - - name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Sid = "ECSAssumeRoleAppConfig" - Effect = "Allow" - Principal = { - Service = [ - "ecs-tasks.amazonaws.com", - ] - } - Action = "sts:AssumeRole" - Condition = { - ArnLike = { - "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*" - } - StringEquals = { - "aws:SourceAccount" = local.aws_account - } - } - } - ] - }) -} - -resource "aws_iam_role_policy" "app_config" { - count = var.app_id == "" ? 0 : 1 +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" - name = "app_config" - role = one(aws_iam_role.app_config[*].id) + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" policy = jsonencode( { Version = "2012-10-17" diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index 37b6cb6..e60dd4b 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -2,6 +2,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id } /* @@ -60,6 +62,9 @@ locals { api_subdomain_with_region = "${var.api_subdomain}-${local.aws_region}" task_def = templatefile("${path.module}/task-definition-api.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id access_token_hash = random_id.access_token_hash.hex alerts_email = var.alerts_email alerts_email_enabled = var.alerts_email_enabled 
@@ -126,6 +131,7 @@ module "ecsservice" { lb_container_name = "web" lb_container_port = "80" ecsServiceRole_arn = var.ecsServiceRole_arn + task_role_arn = one(module.ecs_role[*].role_arn) } /* @@ -153,6 +159,44 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * Create ECS role + */ +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", + ] + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + } + ] + }) +} + + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + /* * AWS data */ diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json index bd77fd4..c077e45 100644 --- a/terraform/050-pw-manager/task-definition-api.json +++ b/terraform/050-pw-manager/task-definition-api.json @@ -21,6 +21,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "ACCESS_TOKEN_HASH_KEY", "value": "${access_token_hash}" diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf index 5183023..33fc06a 100644 --- a/terraform/050-pw-manager/vars.tf +++ b/terraform/050-pw-manager/vars.tf 
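Review bot: The `ecs_role` module call, its AppConfig policy statement and the `aws_appconfig_configuration_profile` resource added here are copied verbatim into 060-simplesamlphp and 070-id-sync, differing only in the profile's `count`, so the Resource ARN and the `app_id` gating now have to be fixed in three places. Moving the AppConfig statement and the profile into the shared `ecs-role` module (or a sibling module that takes `app_id`/`env_id` and emits `config_id`) would leave one definition. In the `ecsservice` hunk, `task_role_arn = one(module.ecs_role[*].role_arn)` evaluates to null when AppConfig is disabled, which means the service then runs with no task role at all; that is worth stating next to the line, e.g. `# null (no task role) when var.app_id is empty`.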
@@ -285,3 +285,15 @@ variable "create_dns_record" { type = bool default = true } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 5db472f..0e1feca 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -1,6 +1,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id } /* @@ -66,6 +68,9 @@ locals { secret_salt = var.secret_salt == "" ? random_id.secretsalt.hex : var.secret_salt task_def = templatefile("${path.module}/task-definition.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id memory = var.memory cpu = var.cpu admin_email = var.admin_email @@ -121,6 +126,7 @@ module "ecsservice" { lb_container_name = "web" lb_container_port = "80" ecsServiceRole_arn = var.ecsServiceRole_arn + task_role_arn = one(module.ecs_role[*].role_arn) } /* 
@@ -148,6 +154,45 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * Create ECS role + */ +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", + ] + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + } + ] + }) +} + + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + + /* * AWS data */ diff --git a/terraform/060-simplesamlphp/task-definition.json b/terraform/060-simplesamlphp/task-definition.json index 1a8ee99..fb47dad 100644 --- a/terraform/060-simplesamlphp/task-definition.json +++ b/terraform/060-simplesamlphp/task-definition.json @@ -21,6 +21,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "ADMIN_EMAIL", "value": "${admin_email}" diff --git a/terraform/060-simplesamlphp/vars.tf b/terraform/060-simplesamlphp/vars.tf index fb41de2..742c8c3 100644 --- a/terraform/060-simplesamlphp/vars.tf +++ b/terraform/060-simplesamlphp/vars.tf 
@@ -202,3 +202,15 @@ variable "create_dns_record" { type = bool default = true } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 27d8eee..48f0772 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -1,6 +1,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id /* * Create ECS service @@ -13,6 +15,9 @@ locals { ) task_def = templatefile("${path.module}/task-definition.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id app_env = var.app_env app_name = var.app_name aws_region = local.aws_region @@ -98,6 +103,7 @@ resource "aws_ecs_task_definition" "cron_td" { family = "${var.idp_name}-${var.app_name}-cron-${var.app_env}" container_definitions = local.task_def network_mode = "bridge" + task_role_arn = one(module.ecs_role[*].role_arn) } /* 
@@ -129,6 +135,41 @@ resource "aws_cloudwatch_event_target" "id_sync_event_target" { } } +/* + * Create ECS role + */ +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", + ] + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + } + ] + }) +} + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + + /* * AWS data */ diff --git a/terraform/070-id-sync/task-definition.json b/terraform/070-id-sync/task-definition.json index e90ff0f..94651c4 100644 --- a/terraform/070-id-sync/task-definition.json +++ b/terraform/070-id-sync/task-definition.json @@ -14,6 +14,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "APP_ENV", "value": "${app_env}" diff --git a/terraform/070-id-sync/vars.tf b/terraform/070-id-sync/vars.tf index 79de5ee..09e1f5f 100644 --- a/terraform/070-id-sync/vars.tf +++ b/terraform/070-id-sync/vars.tf @@ -149,3 +149,15 @@ variable "heartbeat_method" { type = string default = "" } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} 
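Review bot: `aws_appconfig_configuration_profile.this` in 070-id-sync has no `count = var.app_id == "" ? 0 : 1`, unlike the 031, 050 and 060 profiles, while `module.ecs_role` in the same hunk is counted; with the vars.tf default `app_id = ""` the profile is always created with an empty `application_id`, which the provider or API is expected to reject, so the "AppConfig disabled" default does not work for this service. Adding the same `count` line as the other services fixes it, and `local.config_id` already handles the resulting null via `one(...)`.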
diff --git a/terraform/ecs-role/main.tf b/terraform/ecs-role/main.tf
new file mode 100644
index 0000000..c21dc8c
--- /dev/null
+++ b/terraform/ecs-role/main.tf
@@ -0,0 +1,50 @@
+locals {
+ aws_account = data.aws_caller_identity.this.account_id
+ aws_region = data.aws_region.current.name
+}
+
+/*
+ * Create ECS role
+ */
+resource "aws_iam_role" "this" {
+ name = var.name
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "ECSAssumeRoleAppConfig"
+ Effect = "Allow"
+ Principal = {
+ Service = [
+ "ecs-tasks.amazonaws.com",
+ ]
+ }
+ Action = "sts:AssumeRole"
+ Condition = {
+ ArnLike = {
+ "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*"
+ }
+ StringEquals = {
+ "aws:SourceAccount" = local.aws_account
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "this" {
+ name = var.name
+ role = one(aws_iam_role.this[*].id)
+ policy = var.policy
+}
+
+
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/ecs-role/outputs.tf b/terraform/ecs-role/outputs.tf
new file mode 100644
index 0000000..0bbb668
--- /dev/null
+++ b/terraform/ecs-role/outputs.tf
@@ -0,0 +1,4 @@
+
+output "role_arn" {
+ value = aws_iam_role.this.arn
+}
diff --git a/terraform/ecs-role/variables.tf b/terraform/ecs-role/variables.tf
new file mode 100644
index 0000000..fc490a3
--- /dev/null
+++ b/terraform/ecs-role/variables.tf
@@ -0,0 +1,9 @@
+variable "name" {
+ description = "name of role and role policy"
+ type = string
+}
+
+variable "policy" {
+ description = "ECS role policy"
+ type = string
+}
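Review bot: `role = one(aws_iam_role.this[*].id)` in `aws_iam_role_policy.this` carries over the splat-and-`one` idiom from the previously counted role, but `aws_iam_role.this` has no `count` in this module, so `role = aws_iam_role.this.id` is the direct form (outputs.tf already references `aws_iam_role.this.arn` that way); likewise `Sid = "ECSAssumeRoleAppConfig"` now names a generic role that the email service also uses for SES, so `Sid = "ECSTasksAssumeRole"` describes it better. The `aws:SourceArn` condition `arn:aws:ecs:${local.aws_region}:${local.aws_account}:*` together with `aws:SourceAccount` is the standard confused-deputy guard, but it still lets any ECS task in the account and region assume the role; if callers know their cluster ARN, an optional variable that narrows `SourceArn` to it would tighten the trust policy. In variables.tf the `policy` description "ECS role policy" could state the contract every caller already follows, e.g. `description = "JSON-encoded IAM policy document attached inline to the role"`.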