Merge branch 'container' into 'master'

Pass informatica username/password into terraform and update docker image tags to be immutable See merge request interop/iics_secure_agent!7

Merge branch 'container' into 'master'
1ccd0bd8 · Nuwan Rajika Kumarasiri · 29969755 · a450d1d7 · 1ccd0bd8 · 29969755
Commit 1ccd0bd8 authored 5 years ago by Nuwan Rajika Kumarasiri
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ container startup, these configurations can be used to start subsequent containe
 * `data` - contains the configuration data for mapping and integration components.
 * `conf` - contains Secure Agent runtime configuration files.
   1. `infaagent.ini` - contains the registration information for the secure agent(this will be populated by Secure Agent during start up).
-   2. `proxy.ini` - proxy configurations for Secure Agent, if running behind a [proxy](https://kb.informatica.com/howto/6/pages/20/512361.aspx) server.  
+   2. `proxy.ini` - proxy configurations for Secure Agent, if running behind a [proxy](https://docs.informatica.com/integration-cloud/cloud-platform/current-version/administrator/runtime-environments/secure-agents/configuring-a-proxy-to-exclude-non-proxy-hosts.html) server.  
 Following ports(among others) in Secure Agents can be mapped to host for externalized control. 
 * `7080` - Process Engine shutdown port.
@@ -112,16 +112,28 @@ Secure Agent containers are deployed in following tiers in interop/AWS account.
 | prod      | us-east-2(Ohio)|
-## Terraform
+## CI/CD and Terraform
 * Infrastructure is available as code in terraform. 
 * Before disposing and create a new instance of Informatica Secure Agent, existing live connections to various targets(for e.g. databases) 
 should be reviewed and terminated. Due to this reason this is not part of CI/CD pipeline and can be executed as per necessity.
 * Various configurations can be overridden using  `-var=`, see [variables.tf](./terraform/variables.tf) for available parameters.
-```
+See Terraform doc on [variables](https://www.terraform.io/docs/configuration/variables.html) to see how to pass command line arguments.
+* Secure Agent Docker images are tagged using the value, `git-${CI_COMMIT_SHA:0:8}`, and push to ECR registry in `us-east-1`. The same 
+image can be used for production set up.
+### Credentials in Terraform
+* It's recommended that to avoid having Informatica credentials in bash history, all the variables can be defined in a `*.tfvars` 
+file and pass to terraform using `-var-file` argument to terraform.  
+```shell script
 $ cd terraform
 $ terraform init
 $ terraform validate
-$ terraform plan -out agent.tfplan
+$ terraform plan -out agent.tfplan \ 
+    -var="aws_shared_cred_file=<aws-credentials-file>" \
+    -var="aws_profile=<aws-profile>" \
+    -var="informatica_username=<informatica-username>" \
+    -var="informatica_password=<informatica-password>" \
+    -var="image_name=265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent:<tag>"
 $ terraform apply "agent.tfplan"
 ```
-* See Terraform doc on [variables](https://www.terraform.io/docs/configuration/variables.html) to see how to pass command line arguments.
\ No newline at end of file
\ No newline at end of file
--- a/terraform/ecr.tf
+++ b/terraform/ecr.tf
-# this repository is being used by
-# .gitlab-ci.yml to publish the image
-resource "aws_ecr_repository" "foo" {
-  name                 = var.ecr_repository_name
-  tags = var.ecr_repository_tags
-}
\ No newline at end of file
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
 data "template_file" "container" {
  template = file("./templates/container.tpl")
  vars     = {
-    container_name = var.container_name
+    container_name       = var.container_name
-    image_name     = var.image_name
+    image_name           = var.image_name
-    fargate_cpu    = var.fargate_cpu
+    fargate_cpu          = var.fargate_cpu
-    fargate_memory = var.fargate_memory
+    fargate_memory       = var.fargate_memory
-    app_port1      = var.container_app_port[0]
+    app_port1            = var.container_app_port[0]
-    app_port2      = var.container_app_port[1]
+    app_port2            = var.container_app_port[1]
-    app_port3      = var.container_app_port[2]
+    app_port3            = var.container_app_port[2]
-    network_mode   = var.container_network_mode
+    network_mode         = var.container_network_mode
+    informatica_username = var.informatica_username
+    informatica_password = var.informatica_password
  }
 }

--- a/terraform/provider.tf
+++ b/terraform/provider.tf
 provider "aws" {
-  access_key          = var.aws_access_key
+  region                  = var.aws_region
-  secret_key          = var.aws_secret_key
+  shared_credentials_file = var.aws_shared_cred_file
-  region              = var.aws_region
+  profile                 = var.aws_profile
-  allowed_account_ids = [
-    var.aws_account_id]
 }
\ No newline at end of file
--- a/terraform/templates/container.tpl
+++ b/terraform/templates/container.tpl
@@ -18,6 +18,16 @@
        "containerPort": ${app_port3},
        "hostPort": ${app_port3}
      }
+    ],
+    "environment": [
+        {
+            "name": "INFORMATICA_USER",
+            "value": "${informatica_username}"
+        },
+        {
+            "name": "INFORMATICA_PASSWORD",
+            "value": "${informatica_password}"
+        }
    ]
  }
 ]
\ No newline at end of file
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
-variable "aws_access_key" {}
+variable "aws_shared_cred_file" {}
-variable "aws_secret_key" {}
+variable "aws_profile" {
-variable "aws_account_id" {
+  default = "default"
-  default = "265723766240"
 }
 variable "aws_region" {
-  default = "us-east-1"
  # test tier
+  default = "us-east-1"
 }
 variable "vpc_tags" {
@@ -32,11 +31,13 @@ variable "security_group" {
  }
 }
+# see git tagging in .gitlab-ci.yml for image name.
 variable "image_name" {
-  default = "265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent"
+  description = "Secure Agent image name publish by .gitlab-ci.yml."
 }
 variable "container_name" {
+  description = "Container name for Secure Agent image."
  default = "iics-secure-agent-test"
 }
 variable "container_network_mode" {
@@ -59,12 +60,12 @@ variable "container_count" {
 # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html
 # see Secure Agent resource requirements for these numbers.
 variable "fargate_cpu" {
-	# 1 vCPU = 1024 CPU units
+  # 1 vCPU = 1024 CPU units
-	default = "4096"
+  default = "4096"
 }
 variable "fargate_memory" {
-	# in MiB
+  # in MiB
-	default = "8192"
+  default = "8192"
 }
 # ecs
@@ -88,14 +89,5 @@ variable "ecs_service_name" {
  default = "iics-agent-service"
 }
-variable "ecr_repository_name" {
+variable "informatica_username" {}
-  default = "265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent"
+variable "informatica_password" {}
-}
\ No newline at end of file
-variable "ecr_repository_tags" {
-  type    = map(string)
-  default = {
-    Name = "iics-agent-repository"
-    tier = "test"
-  }
-}
\ No newline at end of file