From b19b1b91426fb63db097c18407a19133fd8181da Mon Sep 17 00:00:00 2001
From: Nuwan Rajika Kumarasiri <nuwan.kumarasiri@wisc.edu>
Date: Wed, 22 Jan 2020 14:47:10 -0600
Subject: [PATCH] Add initial terraform scripts for automating infra. for Informatica Secure Agent
---
 .gitignore | 1 +
 terraform/ecs.tf | 46 ++++++++++++++++
 terraform/network.tf | 18 ++++++
 terraform/provider.tf | 6 ++
 terraform/security.tf | 4 ++
 terraform/templates/container.tpl | 23 ++++++++
 terraform/variables.tf | 91 +++++++++++++++++++++++++++++++
 7 files changed, 189 insertions(+)
 create mode 100644 terraform/ecs.tf
 create mode 100644 terraform/network.tf
 create mode 100644 terraform/provider.tf
 create mode 100644 terraform/security.tf
 create mode 100644 terraform/templates/container.tpl
 create mode 100644 terraform/variables.tf
diff --git a/.gitignore b/.gitignore
index 9df269f..e121dfb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+*.idea
 .env
 volumes/
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
new file mode 100644
index 0000000..2f8fcd3
--- /dev/null
+++ b/terraform/ecs.tf
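Review bot: The ignore list gains `*.idea` but not the Terraform artifacts this same commit introduces: `.terraform/`, `*.tfstate`, `*.tfstate.*` and `*.tfvars` are where the values of the `aws_access_key`/`aws_secret_key` variables declared in terraform/variables.tf, and the resolved subnet and security-group ids, end up once someone runs `terraform apply` with a local backend, and neither `.env` nor `volumes/` covers them. I would add those four patterns alongside `*.idea` in this hunk. State belongs out of the repository even after the credential variables are removed, because it records every attribute of the resources it manages.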
@@ -0,0 +1,46 @@
+data "template_file" "container" {
+ template = file("./templates/container.tpl")
+ vars = {
+ container_name = var.container_name
+ image_name = var.image_name
+ fargate_cpu = var.fargate_cpu
+ fargate_memory = var.fargate_memory
+ app_port1 = var.container_app_port[0]
+ app_port2 = var.container_app_port[1]
+ app_port3 = var.container_app_port[2]
+ network_mode = var.container_network_mode
+ }
+}
+
+data "aws_iam_role" "ecs-task-execution" {
+ name = "ecsTaskExecutionRole"
+}
+
+resource "aws_ecs_task_definition" "task" {
+ family = var.ecs_task_name
+ execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
+ network_mode = var.container_network_mode
+ requires_compatibilities = ["FARGATE"]
+ cpu = var.fargate_cpu
+ memory = var.fargate_memory
+ container_definitions = data.template_file.container.rendered
+}
+
+resource "aws_ecs_service" "service" {
+ name = var.ecs_service_name
+ cluster = aws_ecs_cluster.cluster.id
+ task_definition = aws_ecs_task_definition.task.arn
+ desired_count = 1
+ launch_type = "FARGATE"
+
+ network_configuration {
+ assign_public_ip = false
+ subnets = [data.aws_subnet_ids.subnet-a.id,data.aws_subnet_ids.subnet-b.id]
+ security_groups = [data.aws_security_group.sec-group.id]
+ }
+}
+
+resource "aws_ecs_cluster" "cluster" {
+ name = var.ecs_cluster_name
+ tags = var.ecs_cluster_tags
+}
\ No newline at end of file
diff --git a/terraform/network.tf b/terraform/network.tf
new file mode 100644
index 0000000..8eeba97
--- /dev/null
+++ b/terraform/network.tf
@@ -0,0 +1,18 @@
+data "aws_vpc" "vpc" {
+ tags = var.vpc_tags
+}
+
+data "aws_subnet_ids" "subnet-a" {
+ vpc_id = data.aws_vpc.vpc.id
+ tags = var.private_subnet_a_tags
+}
+
+data "aws_subnet_ids" "subnet-b" {
+ vpc_id = data.aws_vpc.vpc.id
+ tags = var.private_subnet_b_tags
+}
+
+data "aws_security_group" "sec-group" {
+ vpc_id = data.aws_vpc.vpc.id
+ tags = var.security_group
+}
\ No newline at end of file
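Review bot: `subnets = [data.aws_subnet_ids.subnet-a.id,data.aws_subnet_ids.subnet-b.id]` in the service's network_configuration reads the wrong attribute: as far as I know the `aws_subnet_ids` data source returns the matched subnets in `ids` (a set) and sets its own `id` to the VPC id, so the service would be submitted with the VPC id as a subnet and fail at apply. Use `subnets = concat(tolist(data.aws_subnet_ids.subnet-a.ids), tolist(data.aws_subnet_ids.subnet-b.ids))`. Two smaller things in the same hunk: `desired_count = 1` ignores the `container_count` variable that variables.tf declares for exactly this purpose, and `file("./templates/container.tpl")` resolves against the working directory rather than the module, so `file("${path.module}/templates/container.tpl")` is the safer form. The task gets only an execution role and no `task_role_arn`, which is the right least-privilege starting point; if the agent later needs AWS APIs, grant them through a dedicated task role rather than widening ecsTaskExecutionRole.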
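Review bot: `data "aws_security_group" "sec-group"` here and `data "aws_security_group" "secgroup"` in terraform/security.tf perform the identical lookup (same `vpc_id`, same `var.security_group` tags); only `sec-group` is referenced from ecs.tf, so the copy in security.tf is dead and the two will drift. Keep one, and since the file is called security.tf the lookup probably belongs there. The group is looked up by tag rather than defined, so the ingress rules that govern the three container ports live outside this change; a one-line comment on the data source stating what `Name = "internal"` is expected to allow would let a reader check the exposure without opening the console.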
diff --git a/terraform/provider.tf b/terraform/provider.tf
new file mode 100644
index 0000000..cf30454
--- /dev/null
+++ b/terraform/provider.tf
@@ -0,0 +1,6 @@
+provider "aws" {
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+ region = var.aws_region
+ allowed_account_ids = [var.aws_account_id]
+}
\ No newline at end of file
diff --git a/terraform/security.tf b/terraform/security.tf
new file mode 100644
index 0000000..0b37138
--- /dev/null
+++ b/terraform/security.tf
@@ -0,0 +1,4 @@
+data "aws_security_group" "secgroup" {
+ vpc_id = data.aws_vpc.vpc.id
+ tags = var.security_group
+}
\ No newline at end of file
diff --git a/terraform/templates/container.tpl b/terraform/templates/container.tpl
new file mode 100644
index 0000000..a85158e
--- /dev/null
+++ b/terraform/templates/container.tpl
@@ -0,0 +1,23 @@
+[
+ {
+ "name": "${container_name}",
+ "image": "${image_name}",
+ "cpu": ${fargate_cpu},
+ "memory": ${fargate_memory},
+ "networkMode": "${network_mode}",
+ "portMappings": [
+ {
+ "containerPort": ${app_port1},
+ "hostPort": ${app_port1}
+ },
+ {
+ "containerPort": ${app_port2},
+ "hostPort": ${app_port2}
+ },
+ {
+ "containerPort": ${app_port2},
+ "hostPort": ${app_port2}
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..df2b4d9
--- /dev/null
+++ b/terraform/variables.tf
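Review bot: `access_key = var.aws_access_key` and `secret_key = var.aws_secret_key` route long-lived IAM user keys through Terraform variables, which means they get typed on the command line, written to a tfvars file, or pasted at a prompt, and each of those leaves them in shell history or on disk. The AWS provider already resolves credentials from the standard chain (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, the shared credentials file selected by `AWS_PROFILE`, or an instance/CI role), so the block can be reduced to `region = var.aws_region` and `allowed_account_ids = [var.aws_account_id]` and the two key variables dropped from variables.tf. `allowed_account_ids` is a good guard against applying into the wrong account and should stay. If the variables must remain for now, a comment saying they are expected from the environment and must never be committed would at least make the intent explicit.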
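Review bot: The third port mapping repeats `app_port2` (`"containerPort": ${app_port2}` and `"hostPort": ${app_port2}`) where `app_port3` is clearly intended; as written 7443 is mapped twice and 5432 never, and the `app_port3` value that ecs.tf passes into the template is unused. Change both lines of the third mapping to `${app_port3}`. The `"networkMode"` key inside a container definition is, as far as I know, not a container-level field (network mode is a task-definition setting, which ecs.tf already sets) and will be ignored silently, so it can be dropped to avoid misleading readers. There is also no `logConfiguration`, so the agent's stdout/stderr will not reach CloudWatch Logs; for a component that brokers data between on-prem systems and the cloud, those logs are the first thing an investigation will ask for.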
@@ -0,0 +1,91 @@
+variable "aws_access_key" {}
+variable "aws_secret_key" {}
+variable "aws_account_id" {
+ default = "265723766240"
+}
+variable "aws_region" {
+ default = "us-east-1" # test tier
+}
+
+variable "vpc_tags" {
+ type = map(string)
+ default = {
+ Name = "test-tier"
+ tier = "test"
+ }
+}
+
+# needs at least two subnets
+variable "private_subnet_a_tags" {
+ type = map(string)
+ default = {
+ Name = "test-private-a"
+ tier = "test"
+ network = "private"
+ }
+}
+variable "private_subnet_b_tags" {
+ type = map(string)
+ default = {
+ Name = "test-private-b"
+ tier = "test"
+ network = "private"
+ }
+}
+
+variable "security_group" {
+ type = map(string)
+ default = {
+ tier = "test"
+ Name = "internal"
+ }
+}
+
+variable "image_name" {
+ default = "265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent"
+}
+
+variable "container_name" {
+ default = "iics-secure-agent-test"
+}
+variable "container_network_mode" {
+ default = "awsvpc"
+}
+variable "container_app_port" {
+ type = list(string)
+ default = [7080, 7443, 5432]
+}
+
+# note that as per our licesning model each
+# container would be an extran instance
+variable "container_count" {
+ default = 1
+}
+
+variable "fargate_cpu" {
+ default = "4096" # 1 vCPU = 1024 CPU units
+}
+variable "fargate_memory" {
+ default = "4095" # in MiB
+}
+
+# ecs
+variable "ecs_cluster_name" {
+ default = "iics-agent-cluster"
+}
+
+variable "ecs_cluster_tags" {
+ type = map(string)
+ default = {
+ Name = "iics-agent-cluster"
+ tier = "test"
+ }
+}
+
+variable "ecs_task_name" {
+ default = "iics-secure-agent-test"
+}
+
+variable "ecs_service_name" {
+ default = "iics-secure-agent-test"
+}
\ No newline at end of file
-- 
GitLab
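Review bot: `fargate_memory` defaults to `"4095"` beside `fargate_cpu = "4096"`, but Fargate only accepts memory in 1024 MiB steps and, as far as I know, the permitted range for 4 vCPU is 8192–30720 MiB, so the task definition built in ecs.tf will be rejected at apply time; `default = "8192"` is the smallest valid value for that CPU size. The comment `# 1 vCPU = 1024 CPU units` is correct, but the default is 4 vCPU and that is worth stating. Smaller points: `container_app_port` is typed `list(string)` while its default holds numbers, so `list(number)` matches the intent and what the template interpolates unquoted, and the `container_count` comment has two typos (`licensing`, `extra`). The account id repeated in `aws_account_id` and inside `image_name` is not a secret, but deriving the registry host from `aws_account_id` and `aws_region` would keep the two from drifting.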