diff --git a/terraform/autoscaling-group.tf b/terraform/autoscaling-group.tf
index 9e6562b9fc11f2f5a2edb7b6b39feb238249a80b..2e34ca0666004f855081edc4d7269425051c1f2e 100644
--- a/terraform/autoscaling-group.tf
+++ b/terraform/autoscaling-group.tf
@@ -1,16 +1,21 @@
 resource "aws_autoscaling_group" "secure-agent-autoscaling-group" {
 # as per our current licesning in IICS, each docker instance that
 # runs on EC2 will treat at as a new license.
- name = "secure-agent-autoscaling-group"
+ name = "secure-agent-autoscaling-group"
 desired_capacity = 1
- max_size = 1
- min_size = 1
+ max_size = 1
+ min_size = 1
 # make sure deployed EC2 instance is in the same AZ as the EFS
 # see https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html
- vpc_zone_identifier = [sort(data.aws_subnet_ids.subnets.ids)[0]]
- health_check_type = "EC2"
+ vpc_zone_identifier = [sort(data.aws_subnet_ids.subnets.ids)[0]]
+ health_check_type = "EC2"
 launch_configuration = aws_launch_configuration.secure-agent-launch-config.name
+ tag {
+ key = "Name"
+ value = "IICS Secure Agent"
+ propagate_at_launch = true
+ }
 }
 data "aws_ami" "ecs-optimized" {
@@ -24,19 +29,19 @@ data "aws_ami" "ecs-optimized" {
 }
 resource "aws_launch_configuration" "secure-agent-launch-config" {
- name = "secure-agnet-launch-configuration"
- image_id = data.aws_ami.ecs-optimized.image_id
+ name = "secure-agnet-launch-configuration"
+ image_id = data.aws_ami.ecs-optimized.image_id
 enable_monitoring = false
 iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
- security_groups = [data.aws_security_group.sec-group.id]
- user_data = <<EOF
+ security_groups = [data.aws_security_group.sec-group.id]
+ user_data = <<EOF
 #!/bin/bash
 echo ECS_CLUSTER=${var.ecs_cluster_name} >> /etc/ecs/ecs.config
 sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
 EOF
- instance_type = var.instance_type
+ instance_type = var.instance_type
 lifecycle {
 create_before_destroy = true
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index 8ee65907e3f52a1b4d94373627ca25d3156887fe..7b2806a83630819a66097f6f839df50ede6c31f7 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -1,6 +1,6 @@
 data "template_file" "container" {
 template = file("./templates/container-definitions.tpl")
- vars = {
+ vars = {
 container_name = var.container_name
 image_name = var.image_name
 container_memory = var.container_memory
@@ -19,12 +19,12 @@ data "aws_iam_role" "ecs-task-execution" {
 }
 resource "aws_ecs_task_definition" "task" {
- family = var.ecs_task_name
- execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
- network_mode = var.container_network_mode
+ family = var.ecs_task_name
+ execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
+ network_mode = var.container_network_mode
 requires_compatibilities = [
- "EC2"]
- container_definitions = data.template_file.container.rendered
+ "EC2"]
+ container_definitions = data.template_file.container.rendered
 volume {
 name = "agent-configs-path"
 docker_volume_configuration {
@@ -39,7 +39,7 @@ resource "aws_ecs_task_definition" "task" {
 }
 }
 }
- tags = var.ecs_task_tags
+ tags = var.ecs_task_tags
 }
 resource "aws_ecs_service" "service" {
@@ -48,7 +48,7 @@ resource "aws_ecs_service" "service" {
 task_definition = aws_ecs_task_definition.task.arn
 desired_count = 1
 # secure agent configs and logs are persisted into an EFS volume.
- launch_type = "EC2"
+ launch_type = "EC2"
 }
 resource "aws_ecs_cluster" "cluster" {
diff --git a/terraform/efs.tf b/terraform/efs.tf
index 4673276616a27ae58da79b4598c7227175d0afb9..392ada5315fcbe1b9156a5fdc93e234e036944c8 100644
--- a/terraform/efs.tf
+++ b/terraform/efs.tf
@@ -7,8 +7,8 @@ output "aws_efs_token" {
 }
 resource "aws_efs_mount_target" "secure-agent-fs-mount" {
- file_system_id = aws_efs_file_system.secure-agent-fs.id
- subnet_id = sort(data.aws_subnet_ids.subnets.ids)[0]
+ file_system_id = aws_efs_file_system.secure-agent-fs.id
+ subnet_id = sort(data.aws_subnet_ids.subnets.ids)[0]
 security_groups = [
- data.aws_security_group.sec-group.id]
+ data.aws_security_group.sec-group.id]
 }
\ No newline at end of file
diff --git a/terraform/iam.tf b/terraform/iam.tf
index ca5a8d8ef48742fb7d2d6bc2a2b823e7acc3d281..20c2cc27fb6f80b38907b802618ff491f6676ea2 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -2,11 +2,11 @@ data "aws_iam_policy_document" "ecs-agent" {
 statement {
 actions = [
- "sts:AssumeRole"]
+ "sts:AssumeRole"]
 principals {
- type = "Service"
+ type = "Service"
 identifiers = [
- "ec2.amazonaws.com"]
+ "ec2.amazonaws.com"]
 }
 }
 }
@@ -23,8 +23,14 @@ resource "aws_iam_role_policy_attachment" "ecs-agent" {
 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
 }
+# grant access for systems manager to access the EC2 instance
+resource "aws_iam_role_policy_attachment" "ssm-policy" {
+ role = aws_iam_role.ecs-agent.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
 # allow instance profile to assume this role
 resource "aws_iam_instance_profile" "ecs-instance-profile" {
 name = var.iam_instance_profile
 role = aws_iam_role.ecs-agent.name
-}
\ No newline at end of file
+}
diff --git a/terraform/network.tf b/terraform/network.tf
index 9e946540d15178aa5bec72d477b83800092fd0cd..589ed6f514e92d79c477e2fbd5a7ebfe7c5f4d3d 100644
--- a/terraform/network.tf
+++ b/terraform/network.tf
@@ -5,8 +5,8 @@ data "aws_vpc" "vpc" {
 data "aws_subnet_ids" "subnets" {
 vpc_id = data.aws_vpc.vpc.id
 filter {
- name = "tag:Name"
+ name = "tag:Name"
 values = [
- var.private_subnets_filter["Name"]]
+ var.private_subnets_filter["Name"]]
 }
 }
\ No newline at end of file
diff --git a/terraform/provider.tf b/terraform/provider.tf
index 0404be2ae06aac83bc2f752e23376835820c647e..f38be9249174c61661e042dbb5df48214aefdb54 100644
--- a/terraform/provider.tf
+++ b/terraform/provider.tf
@@ -1,4 +1,4 @@
 provider "aws" {
- region = var.aws_region
- profile = var.aws_profile
+ region = var.aws_region
+ profile = var.aws_profile
 }
\ No newline at end of file
diff --git a/terraform/security.tf b/terraform/security.tf
index 4873a135308665f7e449ff50529961a82ebb5517..d459e3d1b87e5cbb221ad7286e6ed03bc49535eb 100644
--- a/terraform/security.tf
+++ b/terraform/security.tf
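Review bot: The new `ssm-policy` attachment binds `AmazonSSMManagedInstanceCore` to `aws_iam_role.ecs-agent`, which is also the role behind `ecs-instance-profile` on every EC2 host, so it adds Systems Manager reach (Session Manager, Run Command) to the shared instance credentials; the comment should say that rather than the generic "grant access for systems manager". I would replace it with `# AmazonSSMManagedInstanceCore: lets the host register with Systems Manager (Session Manager, Run Command). It sits on the shared ECS instance role, so anything that can read the instance credentials inherits it.` The task definition in this diff uses `var.container_network_mode` (bridge, per the variables.tf comment) and no separate task role is visible, so it is worth confirming whether containers can reach the instance metadata endpoint and, if they can, restricting that before this lands. Session Manager also becomes a second interactive path onto the host next to the security-group-scoped SSH rule in security.tf, so session activity should be logged alongside it.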
@@ -11,10 +11,10 @@ resource "aws_security_group" "secure-agent-efs-sg" {
 // NFS
 ingress {
 security_groups = [
- data.aws_security_group.sec-group.id]
- from_port = 2049
- to_port = 2049
- protocol = "tcp"
+ data.aws_security_group.sec-group.id]
+ from_port = 2049
+ to_port = 2049
+ protocol = "tcp"
 }
 # allow SSH connections from configured security group,
@@ -29,10 +29,10 @@ resource "aws_security_group" "secure-agent-efs-sg" {
 egress {
 security_groups = [
- data.aws_security_group.sec-group.id]
- from_port = 0
- to_port = 0
- protocol = "-1"
+ data.aws_security_group.sec-group.id]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
 }
 tags = var.secure_agent_sg_tags
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 8cbcac97ec3a0155a228e1d56373b819461b314d..92648e30845830c27506d0636921b2ad69c90b77 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -18,7 +18,7 @@ variable "aws_region" {
 }
 variable "vpc_tags" {
- type = map(string)
+ type = map(string)
 default = {
 Name = "test-tier"
 tier = "test"
@@ -27,14 +27,14 @@ variable "vpc_tags" {
 # needs at least two subnets
 variable "private_subnets_filter" {
- type = map(string)
+ type = map(string)
 default = {
 Name = "test-private-*"
 }
 }
 variable "security_group" {
- type = map(string)
+ type = map(string)
 default = {
 tier = "test"
 Name = "internal"
@@ -48,7 +48,7 @@ variable "image_name" {
 variable "container_name" {
 description = "Container name for Secure Agent image."
- default = "iics-secure-agent-test"
+ default = "iics-secure-agent-test"
 }
 variable "container_network_mode" {
 # in order to pass a container hostname bridge network mode is used
@@ -65,11 +65,11 @@ variable "container_memory" {
 }
 variable "container_app_port" {
- type = list(string)
+ type = list(string)
 default = [
 7080,
 7443,
- 5432]
+ 5432]
 }
 # note that as per our licesning model each
@@ -94,7 +94,7 @@ variable "ecs_cluster_name" {
 }
 variable "ecs_cluster_tags" {
- type = map(string)
+ type = map(string)
 default = {
 Name = "iics-agent-cluster"
 tier = "test"
@@ -106,7 +106,7 @@ variable "ecs_task_name" {
 }
 variable "ecs_task_tags" {
- type = map(string)
+ type = map(string)
 default = {
 Name = "iics-secure-agent"
 tier = "test"