Merge branch 'ebs2' into 'master'

Update to use an Amazon Linux 2 image - WISCALERTS-2 See merge request !15

Merge branch 'ebs2' into 'master'
37ba1ab7 · Nuwan Rajika Kumarasiri · a3f74dd9 · 1b98efb5 · 37ba1ab7 · 37ba1ab7
Commit 37ba1ab7 authored 5 years ago by Nuwan Rajika Kumarasiri
--- a/README.md
+++ b/README.md
@@ -131,9 +131,15 @@ can be passed as a Terraform variable for `image_name`, see below for an example
 in `infaagent.ini` using `InfaAgent.GroupName=aws-interop`).
 * Terraform state files are stored in shared S3 buckets `test-interop-terraform-state` and `prod-interop-terraform-state`.

+### Informatica User
+Credentials for Informatica User (for test and prod instances) are stored in parameter store (in regions `us-east-1` and 
+`us-east-2` respectively) and expected to be available with the following names: 
+* username - `/iics/cicd_username`.
+* password - `/iics/cicd_password`. 
+
 ### Credentials in Terraform
 * It's recommended to define all variables values in a `*.tfvars` file and pass that to terraform using `-var-file` argument.
- This will avoid having Informatica credentials in bash history. 
+ This will avoid having any sensitive parameters in bash history. 

 ```shell script
 $ cd terraform
@@ -155,8 +161,6 @@ $ terraform validate

 # create `secure_agent.tfvars` with required variables. 
 $ cat secure_agent.tfvars
-informatica_username="<informatica-username>"
-informatica_password="<informatica-password>"
 image_name="265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent:git-8f6f0d24"

 $ terraform plan -out agent.tfplan -var-file=<path>/<to>/secure_agent.tfvars
@@ -164,7 +168,7 @@ $ terraform apply "agent.tfplan"
 ```

 ### Memory and CPU for Secure Agent
-* By default, Secure Agent is deployed on to a `t2.large` instance and container is given an 5GB of memory. `instance_type` 
+* By default, Secure Agent is deployed on to a `t2.xlarge` instance and container is given an 15GB of memory. `instance_type` 
 and `container_memory` variables can be used to adjust these values. See [variables.tf](./terraform/variables.tf) for details.

 ### EFS Mounting, Accessing Secure Agent Configurations, Logs and Additional Debugging

--- a/terraform/autoscaling-group.tf
+++ b/terraform/autoscaling-group.tf
@@ -18,19 +18,13 @@ resource "aws_autoscaling_group" "secure-agent-autoscaling-group" {
  }
 }

-data "aws_ami" "ecs-optimized" {
-  most_recent = true
-  owners      = ["amazon"]
-
-  filter {
-    name   = "name"
-    values = ["*-amazon-ecs-optimized"]
-  }
+data "aws_ssm_parameter" "ecs-optimized" {
+  name = "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
 }

 resource "aws_launch_configuration" "secure-agent-launch-config" {
  name              = "secure-agnet-launch-configuration"
-  image_id          = data.aws_ami.ecs-optimized.image_id
+  image_id          = data.aws_ssm_parameter.ecs-optimized.value
  enable_monitoring = false

  iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
@@ -38,7 +32,6 @@ resource "aws_launch_configuration" "secure-agent-launch-config" {
  user_data            = <<EOF
              #!/bin/bash
              echo ECS_CLUSTER=${var.ecs_cluster_name} >> /etc/ecs/ecs.config
-              sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
              EOF
  instance_type        = var.instance_type
  root_block_device {

--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
+data "aws_ssm_parameter" "informatica-username" {
+  name = "/iics/cicd_username"
+}
+
+data "aws_ssm_parameter" "informatica-password" {
+  name = "/iics/cicd_password"
+}
+
 data "template_file" "container" {
  template = file("./templates/container-definitions.tpl")
  vars = {
-    container_name            = var.container_name
-    image_name                = var.image_name
-    container_memory          = var.container_memory
-    container_hostname        = var.container_hostname
-    app_port1                 = var.container_app_port[0]
-    app_port2                 = var.container_app_port[1]
-    app_port3                 = var.container_app_port[2]
-    informatica_username      = var.informatica_username
-    informatica_password      = var.informatica_password
+    container_name          = var.container_name
+    image_name              = var.image_name
+    container_memory        = var.container_memory
+    container_hostname      = var.container_hostname
+    app_port1               = var.container_app_port[0]
+    app_port2               = var.container_app_port[1]
+    app_port3               = var.container_app_port[2]
+    informatica_username    = data.aws_ssm_parameter.informatica-username.arn
+    informatica_password    = data.aws_ssm_parameter.informatica-password.arn
    secure_agent_mount_path = var.secure_agent_mount_path
  }
 }

-data "aws_iam_role" "ecs-task-execution" {
-  name = "ecsTaskExecutionRole"
+resource "aws_iam_role" "ecs-task-execution" {
+  name               = var.ecs_execution_role
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect":"Allow"
+    }
+  ]
+}
+EOF
+  tags = {
+    Name = "iics-ecs-execution-role"
+  }
+}
+
+# grant role permission for ECS task execution
+resource "aws_iam_role_policy_attachment" "ecs-task-execution" {
+  role       = aws_iam_role.ecs-task-execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# grant access for SSM for credentails look up
+resource "aws_iam_policy" "iics-ssm-policy" {
+  name   = var.iics_secret_access_policy
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": [
+          "${data.aws_ssm_parameter.informatica-username.arn}",
+          "${data.aws_ssm_parameter.informatica-password.arn}"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "credentails" {
+  role       = aws_iam_role.ecs-task-execution.name
+  policy_arn = aws_iam_policy.iics-ssm-policy.arn
 }

 resource "aws_ecs_task_definition" "task" {
  family             = var.ecs_task_name
-  execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
+  execution_role_arn = aws_iam_role.ecs-task-execution.arn
  network_mode       = var.container_network_mode
  requires_compatibilities = [
  "EC2"]

--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -6,7 +6,8 @@ data "aws_iam_policy_document" "ecs-agent" {
    principals {
      type = "Service"
      identifiers = [
-      "ec2.amazonaws.com"]
+        "ec2.amazonaws.com",
+      "ecs-tasks.amazonaws.com"]
    }
  }
 }

--- a/terraform/security.tf
+++ b/terraform/security.tf
@@ -5,7 +5,7 @@ data "aws_security_group" "sec-group" {

 data "aws_security_group" "default" {
  vpc_id = data.aws_vpc.vpc.id
-  name = "default"
+  name   = "default"
 }

 // open port 2049 for NFSv4

--- a/terraform/templates/container-definitions.tpl
+++ b/terraform/templates/container-definitions.tpl
@@ -18,21 +18,21 @@
        "hostPort": ${app_port3}
      }
    ],
-    "environment": [
-        {
-            "name": "INFORMATICA_USER",
-            "value": "${informatica_username}"
-        },
-        {
-            "name": "INFORMATICA_PASSWORD",
-            "value": "${informatica_password}"
-        }
-    ],
    "mountPoints": [
        {
            "containerPath": "${secure_agent_mount_path}",
            "sourceVolume": "agent-configs-path"
        }
+    ],
+    "secrets":[
+        {
+            "name":"INFORMATICA_USER",
+            "valueFrom":"${informatica_username}"
+        },
+        {
+            "name":"INFORMATICA_PASSWORD",
+            "valueFrom":"${informatica_password}"
+        }
    ]
  }
 ]
\ No newline at end of file
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
-variable "informatica_username" {}
-variable "informatica_password" {}
-
 variable "aws_profile" {
  default = "default"
 }
@@ -65,7 +62,7 @@ variable "container_memory" {
 }

 variable "instance_ebs_size" {
-  default = 40 # 40GB
+  default = 250 # 250GB
 }

 # see Secure Agent system requirements, before changing instance type, see the
@@ -93,6 +90,10 @@ variable "ecs_iam_role" {
  default = "iics-secure-agent-iam-role-test"
 }

+variable "ecs_execution_role" {
+  default = "iics-secure-agent-ecs-execution-role-test"
+}
+
 variable "ecs_cluster_name" {
  default = "iics-agent-cluster"
 }
@@ -130,7 +131,7 @@ variable "efs_tags" {
 }

 variable "secure_agent_mount_path" {
-  default = "/home/agent/infaagent/"
+  default = "/home/agent/infaagent/apps/agentcore/"
 }

 variable "secure_agent_sg_tags" {
@@ -146,4 +147,8 @@ variable "iam_instance_profile" {

 variable "secure_agent_efs_sg" {
  default = "secure-agent-efs-sg"
+}
+
+variable "iics_secret_access_policy" {
+  default = "iics-secret-access-policy-test"
 }
\ No newline at end of file