Merge branch 'ssm-role' into 'master'

Add SSM agent policy to instance profile, add name tag to autoscaling group

See merge request !11

terraform/autoscaling-group.tf

 resource "aws_autoscaling_group" "secure-agent-autoscaling-group" {
   # as per our current licesning in IICS, each docker instance that
   # runs on EC2 will treat at as a new license.
-  name = "secure-agent-autoscaling-group"
+  name             = "secure-agent-autoscaling-group"
   desired_capacity = 1
-  max_size = 1
-  min_size = 1
+  max_size         = 1
+  min_size         = 1
 
   # make sure deployed EC2 instance is in the same AZ as the EFS
   # see https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html
-  vpc_zone_identifier = [sort(data.aws_subnet_ids.subnets.ids)[0]]
-  health_check_type = "EC2"
+  vpc_zone_identifier  = [sort(data.aws_subnet_ids.subnets.ids)[0]]
+  health_check_type    = "EC2"
   launch_configuration = aws_launch_configuration.secure-agent-launch-config.name
+  tag {
+    key                 = "Name"
+    value               = "IICS Secure Agent"
+    propagate_at_launch = true
+  }
 }
 
 data "aws_ami" "ecs-optimized" {
@@ -24,19 +29,19 @@ data "aws_ami" "ecs-optimized" {
 }
 
 resource "aws_launch_configuration" "secure-agent-launch-config" {
-  name = "secure-agnet-launch-configuration"
-  image_id      = data.aws_ami.ecs-optimized.image_id
+  name              = "secure-agnet-launch-configuration"
+  image_id          = data.aws_ami.ecs-optimized.image_id
   enable_monitoring = false
 
   iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
-  security_groups = [data.aws_security_group.sec-group.id]
-  user_data = <<EOF
+  security_groups      = [data.aws_security_group.sec-group.id]
+  user_data            = <<EOF
               #!/bin/bash
               echo ECS_CLUSTER=${var.ecs_cluster_name} >> /etc/ecs/ecs.config
               sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
               EOF
-  instance_type = var.instance_type
+  instance_type        = var.instance_type
   lifecycle {
     create_before_destroy = true
   }
-}
\ No newline at end of file
+}

terraform/ecs.tf

 data "template_file" "container" {
   template = file("./templates/container-definitions.tpl")
-  vars     = {
+  vars = {
     container_name            = var.container_name
     image_name                = var.image_name
     container_memory          = var.container_memory
@@ -19,12 +19,12 @@ data "aws_iam_role" "ecs-task-execution" {
 }
 
 resource "aws_ecs_task_definition" "task" {
-  family                   = var.ecs_task_name
-  execution_role_arn       = data.aws_iam_role.ecs-task-execution.arn
-  network_mode             = var.container_network_mode
+  family             = var.ecs_task_name
+  execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
+  network_mode       = var.container_network_mode
   requires_compatibilities = [
-    "EC2"]
-  container_definitions    = data.template_file.container.rendered
+  "EC2"]
+  container_definitions = data.template_file.container.rendered
   volume {
     name = "agent-configs-path"
     docker_volume_configuration {
@@ -39,7 +39,7 @@ resource "aws_ecs_task_definition" "task" {
       }
     }
   }
-  tags                     = var.ecs_task_tags
+  tags = var.ecs_task_tags
 }
 
 resource "aws_ecs_service" "service" {
@@ -48,7 +48,7 @@ resource "aws_ecs_service" "service" {
   task_definition = aws_ecs_task_definition.task.arn
   desired_count   = 1
   # secure agent configs and logs are persisted into an EFS volume.
-  launch_type     = "EC2"
+  launch_type = "EC2"
 }
 
 resource "aws_ecs_cluster" "cluster" {

terraform/efs.tf

@@ -7,8 +7,8 @@ output "aws_efs_token" {
 }
 
 resource "aws_efs_mount_target" "secure-agent-fs-mount" {
-  file_system_id  = aws_efs_file_system.secure-agent-fs.id
-  subnet_id       = sort(data.aws_subnet_ids.subnets.ids)[0]
+  file_system_id = aws_efs_file_system.secure-agent-fs.id
+  subnet_id      = sort(data.aws_subnet_ids.subnets.ids)[0]
   security_groups = [
-    data.aws_security_group.sec-group.id]
+  data.aws_security_group.sec-group.id]
 }
\ No newline at end of file

terraform/iam.tf

@@ -2,11 +2,11 @@
 data "aws_iam_policy_document" "ecs-agent" {
   statement {
     actions = [
-      "sts:AssumeRole"]
+    "sts:AssumeRole"]
     principals {
-      type        = "Service"
+      type = "Service"
       identifiers = [
-        "ec2.amazonaws.com"]
+      "ec2.amazonaws.com"]
     }
   }
 }
@@ -23,8 +23,14 @@ resource "aws_iam_role_policy_attachment" "ecs-agent" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
 }
 
+# grant access for systems manager to access the EC2 instance
+resource "aws_iam_role_policy_attachment" "ssm-policy" {
+  role       = aws_iam_role.ecs-agent.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
 # allow instance profile to assume this role
 resource "aws_iam_instance_profile" "ecs-instance-profile" {
   name = var.iam_instance_profile
   role = aws_iam_role.ecs-agent.name
-}
\ No newline at end of file
+}

terraform/network.tf

@@ -5,8 +5,8 @@ data "aws_vpc" "vpc" {
 data "aws_subnet_ids" "subnets" {
   vpc_id = data.aws_vpc.vpc.id
   filter {
-    name   = "tag:Name"
+    name = "tag:Name"
     values = [
-      var.private_subnets_filter["Name"]]
+    var.private_subnets_filter["Name"]]
   }
 }
\ No newline at end of file

terraform/provider.tf

 provider "aws" {
-  region                  = var.aws_region
-  profile                 = var.aws_profile
+  region  = var.aws_region
+  profile = var.aws_profile
 }
\ No newline at end of file

terraform/security.tf

@@ -11,10 +11,10 @@ resource "aws_security_group" "secure-agent-efs-sg" {
   // NFS
   ingress {
     security_groups = [
-      data.aws_security_group.sec-group.id]
-    from_port       = 2049
-    to_port         = 2049
-    protocol        = "tcp"
+    data.aws_security_group.sec-group.id]
+    from_port = 2049
+    to_port   = 2049
+    protocol  = "tcp"
   }
 
   # allow SSH connections from configured security group,
@@ -29,10 +29,10 @@ resource "aws_security_group" "secure-agent-efs-sg" {
 
   egress {
     security_groups = [
-      data.aws_security_group.sec-group.id]
-    from_port       = 0
-    to_port         = 0
-    protocol        = "-1"
+    data.aws_security_group.sec-group.id]
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
   }
 
   tags = var.secure_agent_sg_tags

terraform/variables.tf

@@ -18,7 +18,7 @@ variable "aws_region" {
 }
 
 variable "vpc_tags" {
-  type    = map(string)
+  type = map(string)
   default = {
     Name = "test-tier"
     tier = "test"
@@ -27,14 +27,14 @@ variable "vpc_tags" {
 
 # needs at least two subnets
 variable "private_subnets_filter" {
-  type    = map(string)
+  type = map(string)
   default = {
     Name = "test-private-*"
   }
 }
 
 variable "security_group" {
-  type    = map(string)
+  type = map(string)
   default = {
     tier = "test"
     Name = "internal"
@@ -48,7 +48,7 @@ variable "image_name" {
 
 variable "container_name" {
   description = "Container name for Secure Agent image."
-  default = "iics-secure-agent-test"
+  default     = "iics-secure-agent-test"
 }
 variable "container_network_mode" {
   # in order to pass a container hostname bridge network mode is used
@@ -65,11 +65,11 @@ variable "container_memory" {
 }
 
 variable "container_app_port" {
-  type    = list(string)
+  type = list(string)
   default = [
     7080,
     7443,
-    5432]
+  5432]
 }
 
 # note that as per our licesning model each
@@ -94,7 +94,7 @@ variable "ecs_cluster_name" {
 }
 
 variable "ecs_cluster_tags" {
-  type    = map(string)
+  type = map(string)
   default = {
     Name = "iics-agent-cluster"
     tier = "test"
@@ -106,7 +106,7 @@ variable "ecs_task_name" {
 }
 
 variable "ecs_task_tags" {
-  type    = map(string)
+  type = map(string)
   default = {
     Name = "iics-secure-agent"
     tier = "test"