Commit 44d31ef3 authored by Jared Kosanovic's avatar Jared Kosanovic Committed by Nuwan Rajika Kumarasiri

Add SSM agent policy to instance profile, add name tag to autoscaling group

parent d75c1f80
resource "aws_autoscaling_group" "secure-agent-autoscaling-group" { resource "aws_autoscaling_group" "secure-agent-autoscaling-group" {
# as per our current licesning in IICS, each docker instance that # as per our current licesning in IICS, each docker instance that
# runs on EC2 will treat at as a new license. # runs on EC2 will treat at as a new license.
name = "secure-agent-autoscaling-group" name = "secure-agent-autoscaling-group"
desired_capacity = 1 desired_capacity = 1
max_size = 1 max_size = 1
min_size = 1 min_size = 1
# make sure deployed EC2 instance is in the same AZ as the EFS # make sure deployed EC2 instance is in the same AZ as the EFS
# see https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html # see https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html
vpc_zone_identifier = [sort(data.aws_subnet_ids.subnets.ids)[0]] vpc_zone_identifier = [sort(data.aws_subnet_ids.subnets.ids)[0]]
health_check_type = "EC2" health_check_type = "EC2"
launch_configuration = aws_launch_configuration.secure-agent-launch-config.name launch_configuration = aws_launch_configuration.secure-agent-launch-config.name
tag {
key = "Name"
value = "IICS Secure Agent"
propagate_at_launch = true
}
} }
data "aws_ami" "ecs-optimized" { data "aws_ami" "ecs-optimized" {
...@@ -24,19 +29,19 @@ data "aws_ami" "ecs-optimized" { ...@@ -24,19 +29,19 @@ data "aws_ami" "ecs-optimized" {
} }
resource "aws_launch_configuration" "secure-agent-launch-config" { resource "aws_launch_configuration" "secure-agent-launch-config" {
name = "secure-agnet-launch-configuration" name = "secure-agnet-launch-configuration"
image_id = data.aws_ami.ecs-optimized.image_id image_id = data.aws_ami.ecs-optimized.image_id
enable_monitoring = false enable_monitoring = false
iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
security_groups = [data.aws_security_group.sec-group.id] security_groups = [data.aws_security_group.sec-group.id]
user_data = <<EOF user_data = <<EOF
#!/bin/bash #!/bin/bash
echo ECS_CLUSTER=${var.ecs_cluster_name} >> /etc/ecs/ecs.config echo ECS_CLUSTER=${var.ecs_cluster_name} >> /etc/ecs/ecs.config
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
EOF EOF
instance_type = var.instance_type instance_type = var.instance_type
lifecycle { lifecycle {
create_before_destroy = true create_before_destroy = true
} }
} }
\ No newline at end of file
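Review bot: The new `tag` block hard-codes `value = "IICS Secure Agent"`, while every other resource in this module takes its tags from a variable (`var.ecs_task_tags`, `var.secure_agent_sg_tags`, `var.ecs_cluster_tags`), so the autoscaling group becomes the one place an environment cannot rename without editing the module. Consider `value = var.secure_agent_name` (constructed name; it would need a declaration with the current string as default in the variables file) so the test/prod split the other tag maps already express applies here too. Because `propagate_at_launch = true` copies the tag onto each launched instance, it is also worth keeping the value consistent with the `Name` entries used in `var.ecs_cluster_tags` and `var.ecs_task_tags`, which this hunk does not do.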
data "template_file" "container" { data "template_file" "container" {
template = file("./templates/container-definitions.tpl") template = file("./templates/container-definitions.tpl")
vars = { vars = {
container_name = var.container_name container_name = var.container_name
image_name = var.image_name image_name = var.image_name
container_memory = var.container_memory container_memory = var.container_memory
...@@ -19,12 +19,12 @@ data "aws_iam_role" "ecs-task-execution" { ...@@ -19,12 +19,12 @@ data "aws_iam_role" "ecs-task-execution" {
} }
resource "aws_ecs_task_definition" "task" { resource "aws_ecs_task_definition" "task" {
family = var.ecs_task_name family = var.ecs_task_name
execution_role_arn = data.aws_iam_role.ecs-task-execution.arn execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
network_mode = var.container_network_mode network_mode = var.container_network_mode
requires_compatibilities = [ requires_compatibilities = [
"EC2"] "EC2"]
container_definitions = data.template_file.container.rendered container_definitions = data.template_file.container.rendered
volume { volume {
name = "agent-configs-path" name = "agent-configs-path"
docker_volume_configuration { docker_volume_configuration {
...@@ -39,7 +39,7 @@ resource "aws_ecs_task_definition" "task" { ...@@ -39,7 +39,7 @@ resource "aws_ecs_task_definition" "task" {
} }
} }
} }
tags = var.ecs_task_tags tags = var.ecs_task_tags
} }
resource "aws_ecs_service" "service" { resource "aws_ecs_service" "service" {
...@@ -48,7 +48,7 @@ resource "aws_ecs_service" "service" { ...@@ -48,7 +48,7 @@ resource "aws_ecs_service" "service" {
task_definition = aws_ecs_task_definition.task.arn task_definition = aws_ecs_task_definition.task.arn
desired_count = 1 desired_count = 1
# secure agent configs and logs are persisted into an EFS volume. # secure agent configs and logs are persisted into an EFS volume.
launch_type = "EC2" launch_type = "EC2"
} }
resource "aws_ecs_cluster" "cluster" { resource "aws_ecs_cluster" "cluster" {
......
...@@ -7,8 +7,8 @@ output "aws_efs_token" { ...@@ -7,8 +7,8 @@ output "aws_efs_token" {
} }
resource "aws_efs_mount_target" "secure-agent-fs-mount" { resource "aws_efs_mount_target" "secure-agent-fs-mount" {
file_system_id = aws_efs_file_system.secure-agent-fs.id file_system_id = aws_efs_file_system.secure-agent-fs.id
subnet_id = sort(data.aws_subnet_ids.subnets.ids)[0] subnet_id = sort(data.aws_subnet_ids.subnets.ids)[0]
security_groups = [ security_groups = [
data.aws_security_group.sec-group.id] data.aws_security_group.sec-group.id]
} }
\ No newline at end of file
...@@ -2,11 +2,11 @@ ...@@ -2,11 +2,11 @@
data "aws_iam_policy_document" "ecs-agent" { data "aws_iam_policy_document" "ecs-agent" {
statement { statement {
actions = [ actions = [
"sts:AssumeRole"] "sts:AssumeRole"]
principals { principals {
type = "Service" type = "Service"
identifiers = [ identifiers = [
"ec2.amazonaws.com"] "ec2.amazonaws.com"]
} }
} }
} }
...@@ -23,8 +23,14 @@ resource "aws_iam_role_policy_attachment" "ecs-agent" { ...@@ -23,8 +23,14 @@ resource "aws_iam_role_policy_attachment" "ecs-agent" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
} }
# grant access for systems manager to access the EC2 instance
resource "aws_iam_role_policy_attachment" "ssm-policy" {
role = aws_iam_role.ecs-agent.name
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
# allow instance profile to assume this role # allow instance profile to assume this role
resource "aws_iam_instance_profile" "ecs-instance-profile" { resource "aws_iam_instance_profile" "ecs-instance-profile" {
name = var.iam_instance_profile name = var.iam_instance_profile
role = aws_iam_role.ecs-agent.name role = aws_iam_role.ecs-agent.name
} }
\ No newline at end of file
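Review bot: The comment on the new `ssm-policy` attachment should say what the grant reaches: `aws_iam_role.ecs-agent` is the EC2 instance role (it is the role behind `aws_iam_instance_profile.ecs-instance-profile` a few lines below), so `AmazonSSMManagedInstanceCore` is being added to the instance-profile credentials rather than to a role scoped to the SSM agent alone. With the bridge network mode this module uses (per the variables file), those credentials are presumably also reachable by any container on the host through the instance metadata endpoint, so the tasks inherit the SSM permissions as well; confirm this is intended. Suggested replacement for the comment: `# let the SSM agent on the instance register with Systems Manager (Session Manager / Run Command); these are the instance-profile credentials, so containers on the host that can reach IMDS inherit them too`. If that exposure is not wanted, the launch configuration is the place to require IMDSv2 and limit the hop count via `metadata_options`, which this commit does not touch.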
...@@ -5,8 +5,8 @@ data "aws_vpc" "vpc" { ...@@ -5,8 +5,8 @@ data "aws_vpc" "vpc" {
data "aws_subnet_ids" "subnets" { data "aws_subnet_ids" "subnets" {
vpc_id = data.aws_vpc.vpc.id vpc_id = data.aws_vpc.vpc.id
filter { filter {
name = "tag:Name" name = "tag:Name"
values = [ values = [
var.private_subnets_filter["Name"]] var.private_subnets_filter["Name"]]
} }
} }
\ No newline at end of file
provider "aws" { provider "aws" {
region = var.aws_region region = var.aws_region
profile = var.aws_profile profile = var.aws_profile
} }
\ No newline at end of file
...@@ -11,10 +11,10 @@ resource "aws_security_group" "secure-agent-efs-sg" { ...@@ -11,10 +11,10 @@ resource "aws_security_group" "secure-agent-efs-sg" {
// NFS // NFS
ingress { ingress {
security_groups = [ security_groups = [
data.aws_security_group.sec-group.id] data.aws_security_group.sec-group.id]
from_port = 2049 from_port = 2049
to_port = 2049 to_port = 2049
protocol = "tcp" protocol = "tcp"
} }
# allow SSH connections from configured security group, # allow SSH connections from configured security group,
...@@ -29,10 +29,10 @@ resource "aws_security_group" "secure-agent-efs-sg" { ...@@ -29,10 +29,10 @@ resource "aws_security_group" "secure-agent-efs-sg" {
egress { egress {
security_groups = [ security_groups = [
data.aws_security_group.sec-group.id] data.aws_security_group.sec-group.id]
from_port = 0 from_port = 0
to_port = 0 to_port = 0
protocol = "-1" protocol = "-1"
} }
tags = var.secure_agent_sg_tags tags = var.secure_agent_sg_tags
......
...@@ -18,7 +18,7 @@ variable "aws_region" { ...@@ -18,7 +18,7 @@ variable "aws_region" {
} }
variable "vpc_tags" { variable "vpc_tags" {
type = map(string) type = map(string)
default = { default = {
Name = "test-tier" Name = "test-tier"
tier = "test" tier = "test"
...@@ -27,14 +27,14 @@ variable "vpc_tags" { ...@@ -27,14 +27,14 @@ variable "vpc_tags" {
# needs at least two subnets # needs at least two subnets
variable "private_subnets_filter" { variable "private_subnets_filter" {
type = map(string) type = map(string)
default = { default = {
Name = "test-private-*" Name = "test-private-*"
} }
} }
variable "security_group" { variable "security_group" {
type = map(string) type = map(string)
default = { default = {
tier = "test" tier = "test"
Name = "internal" Name = "internal"
...@@ -48,7 +48,7 @@ variable "image_name" { ...@@ -48,7 +48,7 @@ variable "image_name" {
variable "container_name" { variable "container_name" {
description = "Container name for Secure Agent image." description = "Container name for Secure Agent image."
default = "iics-secure-agent-test" default = "iics-secure-agent-test"
} }
variable "container_network_mode" { variable "container_network_mode" {
# in order to pass a container hostname bridge network mode is used # in order to pass a container hostname bridge network mode is used
...@@ -65,11 +65,11 @@ variable "container_memory" { ...@@ -65,11 +65,11 @@ variable "container_memory" {
} }
variable "container_app_port" { variable "container_app_port" {
type = list(string) type = list(string)
default = [ default = [
7080, 7080,
7443, 7443,
5432] 5432]
} }
# note that as per our licesning model each # note that as per our licesning model each
...@@ -94,7 +94,7 @@ variable "ecs_cluster_name" { ...@@ -94,7 +94,7 @@ variable "ecs_cluster_name" {
} }
variable "ecs_cluster_tags" { variable "ecs_cluster_tags" {
type = map(string) type = map(string)
default = { default = {
Name = "iics-agent-cluster" Name = "iics-agent-cluster"
tier = "test" tier = "test"
...@@ -106,7 +106,7 @@ variable "ecs_task_name" { ...@@ -106,7 +106,7 @@ variable "ecs_task_name" {
} }
variable "ecs_task_tags" { variable "ecs_task_tags" {
type = map(string) type = map(string)
default = { default = {
Name = "iics-secure-agent" Name = "iics-secure-agent"
tier = "test" tier = "test"
......