From b2078873805c417cdce0659867992c6ded5826e7 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 13 Feb 2024 14:47:43 -0700
Subject: [PATCH 1/7] add task role to id-broker for AppConfig access
---
 terraform/040-id-broker/main.tf | 52 +++++++++++++++++++++++++++++++++
 terraform/040-id-broker/vars.tf | 12 +++++++-
 2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index 7ab72b4..f19ef53 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -202,6 +202,7 @@ module "ecsservice" {
 tg_arn = aws_alb_target_group.broker.arn
 lb_container_name = "web"
 lb_container_port = "80"
+ task_role_arn = aws_iam_role.app_config.arn
 }
 
 /*
@@ -421,6 +422,57 @@ data "cloudflare_zone" "domain" {
 }
 
 
+/*
+ * Create role for access to SES
+ */
+resource "aws_iam_role" "app_config" {
+ name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "ECSAssumeRoleAppConfig"
+ Effect = "Allow"
+ Principal = {
+ Service = [
+ "ecs-tasks.amazonaws.com",
+ ]
+ }
+ Action = "sts:AssumeRole"
+ Condition = {
+ ArnLike = {
+ "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*"
+ }
+ StringEquals = {
+ "aws:SourceAccount" = local.aws_account
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "app_config" {
+ name = "app_config"
+ role = aws_iam_role.app_config.id
+ policy = jsonencode(
+ {
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AppConfig"
+ Effect = "Allow"
+ Action = [
+ "appconfig:GetLatestConfiguration",
+ "appconfig:StartConfigurationSession",
+ ]
+ Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${var.config_id}"
+ }
+ ]
+ })
+}
+
 /*
 * AWS data
 */
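Review bot: In the PATCH 1/7 main.tf hunk at @@ -421, the policy's `Resource` ARN interpolates `var.app_id`, `var.env_id` and `var.config_id`, which the vars.tf hunk of the same commit declares with `default = ""` and no validation, so any unset value yields segments like `environment//configuration/` — an ARN that matches no AppConfig resource, leaving the task a role that grants nothing while the plan stays green. Later commits in this series gate resource creation on `app_id` alone, so an empty `env_id` keeps this failure mode. A `lifecycle { precondition { ... } }` on the role or a `validation` block on the variables would reject a partial configuration at plan time. The trust policy's `Condition` block would also benefit from a one-line comment, e.g. `# aws:SourceArn/aws:SourceAccount limit assumption to ECS tasks in this account (confused-deputy guard)`, since the intent is not obvious from the keys alone.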
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
index c7f6afa..0c658fa 100644
--- a/terraform/040-id-broker/vars.tf
+++ b/terraform/040-id-broker/vars.tf
@@ -25,7 +25,7 @@ variable "app_name" {
 }
 
 variable "aws_region" {
- description = "This is deprecated. The region is more reliably determined from the aws_region data source."
+ description = "This is not used. The region is more reliably determined from the aws_region data source."
 type = string
 default = ""
 }
@@ -580,3 +580,13 @@ variable "vpc_id" {
 variable "wildcard_cert_arn" {
 type = string
 }
+
+variable "app_id" {
+ default = ""
+}
+variable "env_id" {
+ default = ""
+}
+variable "config_id" {
+ default = ""
+}
From a9ec25b243b3007f21b22c6ba7cb48780e9d31c1 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 13 Feb 2024 14:50:42 -0700
Subject: [PATCH 2/7] add AppConfig variables to id-broker task definition
---
 terraform/040-id-broker/main.tf | 6 ++++++
 terraform/040-id-broker/task-definition.json | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index f19ef53..b391eb9 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -79,6 +79,9 @@ locals {
 subdomain_with_region = "${var.subdomain}-${local.aws_region}"
 
 task_def = templatefile("${path.module}/task-definition.json", {
+ app_id = var.app_id
+ env_id = var.env_id
+ config_id = var.config_id
 api_access_keys = local.api_access_keys
 abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
 abandoned_user_best_practice_url = var.abandoned_user_best_practice_url
@@ -210,6 +213,9 @@ module "ecsservice" {
 */
 locals {
 task_def_cron = templatefile("${path.module}/task-definition.json", {
+ app_id = var.app_id
+ env_id = var.env_id
+ config_id = var.config_id
 api_access_keys = local.api_access_keys
 abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
 abandoned_user_best_practice_url = var.abandoned_user_best_practice_url
diff --git a/terraform/040-id-broker/task-definition.json b/terraform/040-id-broker/task-definition.json
index dc3e202..a49ba34 100644
--- a/terraform/040-id-broker/task-definition.json
+++ b/terraform/040-id-broker/task-definition.json
@@ -21,6 +21,18 @@
 "ulimits": null,
 "dockerSecurityOptions": null,
 "environment": [
+ {
+ "name": "APP_ID",
+ "value": "${app_id}"
+ },
+ {
+ "name": "ENV_ID",
+ "value": "${env_id}"
+ },
+ {
+ "name": "CONFIG_ID",
+ "value": "${config_id}"
+ },
 {
 "name": "ABANDONED_USER_abandonedPeriod",
 "value": "${abandoned_user_abandoned_period}"
From 0692867def1acae9cd891c2d1fa566d00776412d Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Thu, 29 Feb 2024 07:51:11 -0700
Subject: [PATCH 3/7] add AWS_REGION to broker task definition for AppConfig
---
 terraform/040-id-broker/task-definition.json | 4 ++++
 terraform/040-id-broker/vars.tf | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/terraform/040-id-broker/task-definition.json b/terraform/040-id-broker/task-definition.json
index a49ba34..539bd11 100644
--- a/terraform/040-id-broker/task-definition.json
+++ b/terraform/040-id-broker/task-definition.json
@@ -25,6 +25,10 @@
 "name": "APP_ID",
 "value": "${app_id}"
 },
+ {
+ "name": "AWS_REGION",
+ "value": "${aws_region}"
+ },
 {
 "name": "ENV_ID",
 "value": "${env_id}"
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
index 0c658fa..442299e 100644
--- a/terraform/040-id-broker/vars.tf
+++ b/terraform/040-id-broker/vars.tf
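Review bot: The `AWS_REGION` entry added in the PATCH 3/7 task-definition.json hunk at @@ -25 reads a template variable `aws_region`, but this commit's diffstat touches only task-definition.json and vars.tf, so neither `templatefile(...)` map in main.tf (`task_def` and `task_def_cron`, extended in PATCH 2/7) is shown receiving that key. Unless it was already present before this series, `templatefile` will fail at plan time with an unknown template variable for both task definitions. Since PATCH 1/7 documents `var.aws_region` as not used, the value should come from the data source, i.e. `aws_region = local.aws_region` added to both maps.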
@@ -584,9 +584,11 @@ variable "wildcard_cert_arn" {
 variable "app_id" {
 default = ""
 }
+
 variable "env_id" {
 default = ""
 }
+
 variable "config_id" {
 default = ""
 }
From ab6a2a8f071475bdc38281894334d32c1a50875c Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:14:40 -0700
Subject: [PATCH 4/7] create AppConfig resources
---
 .gitignore | 1 +
 terraform/000-core/main.tf | 23 +++++++++++++++++++++++
 terraform/000-core/outputs.tf | 13 +++++++++++++
 terraform/000-core/vars.tf | 17 +++++++++++++++++
 terraform/040-id-broker/main.tf | 19 ++++++++++++++----
 terraform/040-id-broker/vars.tf | 12 ++++++------
 6 files changed, 76 insertions(+), 9 deletions(-)
diff --git a/.gitignore b/.gitignore
index ee59c8b..df6e070 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 *.env
 google-auth.json
 .terraform/
+.terraform.lock.hcl
diff --git a/terraform/000-core/main.tf b/terraform/000-core/main.tf
index 95289fa..c134498 100644
--- a/terraform/000-core/main.tf
+++ b/terraform/000-core/main.tf
@@ -93,3 +93,26 @@ resource "aws_acm_certificate_validation" "idp" {
 certificate_arn = aws_acm_certificate.idp[0].arn
 validation_record_fqdns = [cloudflare_record.idp-verification[0].hostname]
 }
+
+resource "aws_appconfig_application" "this" {
+ count = var.appconfig_app_name == "" ? 0 : 1
+
+ name = var.appconfig_app_name
+}
+
+resource "aws_appconfig_environment" "this" {
+ count = var.appconfig_app_name == "" ? 0 : 1
+
+ name = var.app_env
+ application_id = one(aws_appconfig_application.this[*].id)
+}
+
+resource "aws_appconfig_deployment_strategy" "this" {
+ count = var.appconfig_app_name == "" ? 0 : 1
+
+ name = "immediate"
+ deployment_duration_in_minutes = 0
+ growth_factor = 100
+ growth_type = "LINEAR"
+ replicate_to = "NONE"
+}
diff --git a/terraform/000-core/outputs.tf b/terraform/000-core/outputs.tf
index c91b3ea..9e76a93 100644
--- a/terraform/000-core/outputs.tf
+++ b/terraform/000-core/outputs.tf
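Review bot: Adding `.terraform.lock.hcl` to .gitignore in the PATCH 4/7 .gitignore hunk takes the provider dependency lock out of version control; that file pins each provider's selected version and checksums so that `terraform init` in CI or on another machine installs exactly the provider builds that were reviewed. Without it every init re-resolves the version constraints and accepts whatever the registry serves, which removes the supply-chain pin the lock file exists to provide. If the motivation was checksum mismatches across developer platforms, `terraform providers lock -platform=...` for each platform in use lets the file stay committed. I would drop the `+.terraform.lock.hcl` line and commit the lock file instead.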
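Review bot: `aws_appconfig_deployment_strategy.this` in the PATCH 4/7 000-core main.tf hunk is created but nothing in this series references it, and the outputs.tf hunk of the same commit exports only `app_id` and `env_id`, so a downstream stack that deploys configuration cannot reach the strategy by reference. If it is meant for deployments elsewhere, an output such as `output "deployment_strategy_id" { value = one(aws_appconfig_deployment_strategy.this[*].id) }` is missing; if it is not used yet, a comment saying so would stop the next reader from treating it as dead code. The three resources also repeat `count = var.appconfig_app_name == "" ? 0 : 1`; a single `local.appconfig_enabled` would keep them from drifting apart.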
@@ -45,3 +45,16 @@ output "ecsServiceRole_arn" {
 value = module.ecscluster.ecsServiceRole_arn
 }
+
+/*
+ * AppConfig outputs
+ */
+output "app_id" {
+ description = "AppConfig application ID"
+ value = one(aws_appconfig_application.this[*].id)
+}
+
+output "env_id" {
+ description = "AppConfig environment ID"
+ value = one(aws_appconfig_environment.this[*].environment_id)
+}
diff --git a/terraform/000-core/vars.tf b/terraform/000-core/vars.tf
index 6535a97..d201ca1 100644
--- a/terraform/000-core/vars.tf
+++ b/terraform/000-core/vars.tf
@@ -20,3 +20,20 @@ variable "create_cd_user" {
 default = true
 }
+
+/*
+ * Optional variables
+ */
+
+variable "app_env" {
+ description = "The abbreviated version of the environment used for naming resources, typically either stg or prod. Default: 'prod'"
+ type = string
+ default = "prod"
+}
+
+variable "appconfig_app_name" {
+ type = string
+ description = "The application name in AppConfig. If not specified, no AppConfig resources will be created."
+ default = ""
+}
+
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index b391eb9..66edd32 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -1,6 +1,7 @@
 locals {
 aws_account = data.aws_caller_identity.this.account_id
 aws_region = data.aws_region.current.name
+ config_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
 }
 
 /*
@@ -81,7 +82,7 @@ locals {
 task_def = templatefile("${path.module}/task-definition.json", {
 app_id = var.app_id
 env_id = var.env_id
- config_id = var.config_id
+ config_id = local.config_id
 api_access_keys = local.api_access_keys
 abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
 abandoned_user_best_practice_url = var.abandoned_user_best_practice_url
@@ -215,7 +216,7 @@ locals {
 task_def_cron = templatefile("${path.module}/task-definition.json", {
 app_id = var.app_id
 env_id = var.env_id
- config_id = var.config_id
+ config_id = local.config_id
 api_access_keys = local.api_access_keys
 abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
 abandoned_user_best_practice_url = var.abandoned_user_best_practice_url
@@ -473,12 +474,24 @@ resource "aws_iam_role_policy" "app_config" {
 "appconfig:GetLatestConfiguration",
 "appconfig:StartConfigurationSession",
 ]
- Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${var.config_id}"
+ Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}"
 }
 ]
 })
 }
+
+/*
+ * Create AppConfig configuration profile
+ */
+resource "aws_appconfig_configuration_profile" "this" {
+ count = var.app_id == "" ? 0 : 1
+
+ application_id = var.app_id
+ name = "${var.app_name}-${var.app_env}"
+ location_uri = "hosted"
+}
+
 /*
 * AWS data
 */
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
index 442299e..8a013a3 100644
--- a/terraform/040-id-broker/vars.tf
+++ b/terraform/040-id-broker/vars.tf
@@ -582,13 +582,13 @@ variable "wildcard_cert_arn" {
 }
 
 variable "app_id" {
- default = ""
+ description = "AppConfig application ID"
+ type = string
+ default = ""
 }
 
 variable "env_id" {
- default = ""
-}
-
-variable "config_id" {
- default = ""
+ description = "AppConfig environment ID"
+ type = string
+ default = ""
 }
From fa340f7a4c6e0e6af5bef18e782eed4ea9f4c466 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:28:59 -0700
Subject: [PATCH 5/7] ensure config_id is not null
---
 terraform/040-id-broker/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index 5030290..9672890 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -1,7 +1,8 @@
 locals {
 aws_account = data.aws_caller_identity.this.account_id
 aws_region = data.aws_region.current.name
- config_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
+ cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
+ config_id = local.cfg_id == null ? "" : local.cfg_id
 }
 
 /*
From f6580774c32774d52a951bad3bd6cf000747091e Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:41:15 -0700
Subject: [PATCH 6/7] fix incorrect comment in 040-id-broker
---
 terraform/040-id-broker/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index 9672890..5a1fc51 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -431,7 +431,7 @@ data "cloudflare_zone" "domain" {
 
 
 /*
- * Create role for access to SES
+ * Create role for access to AppConfig
 */
 resource "aws_iam_role" "app_config" {
 name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
From 9a5234cb4c920fd8f95b7c8f1a0d3776c778a70a Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Fri, 1 Mar 2024 09:06:22 -0700
Subject: [PATCH 7/7] do not create AppConfig resources in id-broker if app_id == ""
---
 terraform/040-id-broker/main.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index 5a1fc51..03bf395 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
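Review bot: The `cfg_id`/`config_id` pair in the PATCH 5/7 locals hunk carries no comment explaining why the null is mapped to an empty string, so a later reader is likely to fold it back into the single `one(...)` expression the commit just replaced. I would add above `cfg_id` a comment such as `# one() yields null while the profile has count = 0; null cannot be interpolated into the task-definition template or the IAM Resource string, so fall back to ""`. That ties the local to the two consumers that motivated the commit title.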
@@ -207,7 +207,7 @@ module "ecsservice" {
 tg_arn = aws_alb_target_group.broker.arn
 lb_container_name = "web"
 lb_container_port = "80"
- task_role_arn = aws_iam_role.app_config.arn
+ task_role_arn = one(aws_iam_role.app_config[*].arn)
 }
 
 /*
@@ -434,6 +434,8 @@ data "cloudflare_zone" "domain" {
 * Create role for access to AppConfig
 */
 resource "aws_iam_role" "app_config" {
+ count = var.app_id == "" ? 0 : 1
+
 name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
 
 assume_role_policy = jsonencode({
@@ -462,8 +464,10 @@ resource "aws_iam_role" "app_config" {
 }
 
 resource "aws_iam_role_policy" "app_config" {
+ count = var.app_id == "" ? 0 : 1
+
 name = "app_config"
- role = aws_iam_role.app_config.id
+ role = one(aws_iam_role.app_config[*].id)
 policy = jsonencode(
 {
 Version = "2012-10-17"
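Review bot: With `count = var.app_id == "" ? 0 : 1` on the role, `task_role_arn = one(aws_iam_role.app_config[*].arn)` in the first PATCH 7/7 hunk passes `null` into `module "ecsservice"` whenever `app_id` is empty; whether that is accepted depends on how the module declares `task_role_arn`, which is not visible here, and a variable with no default or a non-nullable type would make the no-AppConfig configuration fail at plan time. The same ternary is now written three times — on `aws_iam_role.app_config`, `aws_iam_role_policy.app_config` (third hunk) and `aws_appconfig_configuration_profile.this` (PATCH 4/7) — so a single `appconfig_enabled = var.app_id != ""` local used by all three would keep the gates from drifting apart. The `aws_iam_role_policy` block continues past the end of the third hunk.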