From bf49862530c2a225f31ddbea405e53b943f3ae14 Mon Sep 17 00:00:00 2001
From: Nuwan Rajika Kumarasiri <nuwan.kumarasiri@wisc.edu>
Date: Fri, 13 Mar 2020 18:27:09 -0500
Subject: [PATCH] Update to use an Amazon Linux 2 image - WISCALERTS-2
* In order to increase disk space allocated for Docker container utilize Amazon Linux 2. By default Amazon Linux 2 uses `overlay2` storage driver, which gives the base storage size of the space left on the disk.
* Removed SSM agent as it's shipped with all Amazon Linux 2 AMIs.
* Utilized `SSM` param store for storing `IICS` user credentials.
* Increased `EBS` volume size to allocate more disk space.
---
README.md | 12 ++-
terraform/autoscaling-group.tf | 13 +--
terraform/ecs.tf | 79 ++++++++++++++++---
terraform/iam.tf | 3 +-
terraform/security.tf | 2 +-
terraform/templates/container-definitions.tpl | 20 ++---
terraform/variables.tf | 15 ++--
7 files changed, 101 insertions(+), 43 deletions(-)
diff --git a/README.md b/README.md
index a1dad55..518115b 100644
--- a/README.md
+++ b/README.md
@@ -131,9 +131,15 @@ can be passed as a Terraform variable for `image_name`, see below for an example
in `infaagent.ini` using `InfaAgent.GroupName=aws-interop`).
* Terraform state files are stored in shared S3 buckets `test-interop-terraform-state` and `prod-interop-terraform-state`.
+### Informatica User
+Credentials for Informatica User (for test and prod instances) are stored in parameter store (in regions `us-east-1` and
+`us-east-2` respectively) and expected to be available with the following names:
+* username - `/iics/cicd_username`.
+* password - `/iics/cicd_password`.
+
### Credentials in Terraform
* It's recommended to define all variables values in a `*.tfvars` file and pass that to terraform using `-var-file` argument.
- This will avoid having Informatica credentials in bash history.
+ This will avoid having any sensitive parameters in bash history.
```shell script
$ cd terraform
@@ -155,8 +161,6 @@ $ terraform validate
# create `secure_agent.tfvars` with required variables.
$ cat secure_agent.tfvars
-informatica_username="<informatica-username>"
-informatica_password="<informatica-password>"
image_name="265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent:git-8f6f0d24"
$ terraform plan -out agent.tfplan -var-file=<path>/<to>/secure_agent.tfvars
@@ -164,7 +168,7 @@ $ terraform apply "agent.tfplan"
```
### Memory and CPU for Secure Agent
-* By default, Secure Agent is deployed on to a `t2.large` instance and container is given an 5GB of memory. `instance_type`
+* By default, Secure Agent is deployed on to a `t2.xlarge` instance and container is given an 15GB of memory. `instance_type`
and `container_memory` variables can be used to adjust these values. See [variables.tf](./terraform/variables.tf) for details.
### EFS Mounting, Accessing Secure Agent Configurations, Logs and Additional Debugging
diff --git a/terraform/autoscaling-group.tf b/terraform/autoscaling-group.tf
index 6dfc203..e5e0931 100644
--- a/terraform/autoscaling-group.tf
+++ b/terraform/autoscaling-group.tf
@@ -18,19 +18,13 @@ resource "aws_autoscaling_group" "secure-agent-autoscaling-group" {
}
}
-data "aws_ami" "ecs-optimized" {
- most_recent = true
- owners = ["amazon"]
-
- filter {
- name = "name"
- values = ["*-amazon-ecs-optimized"]
- }
+data "aws_ssm_parameter" "ecs-optimized" {
+ name = "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
}
resource "aws_launch_configuration" "secure-agent-launch-config" {
name = "secure-agnet-launch-configuration"
- image_id = data.aws_ami.ecs-optimized.image_id
+ image_id = data.aws_ssm_parameter.ecs-optimized.value
enable_monitoring = false
iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
@@ -38,7 +32,6 @@ resource "aws_launch_configuration" "secure-agent-launch-config" {
user_data = <<EOF
#!/bin/bash
echo ECS_CLUSTER=${var.ecs_cluster_name} >> /etc/ecs/ecs.config
- sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
EOF
instance_type = var.instance_type
root_block_device {
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index f5b522d..566d3bb 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -1,26 +1,81 @@
+locals {
+ informatica_username = format("arn:aws:ssm:%s:%s:parameter%s", var.aws_region, var.aws_account_id[0], "/iics/cicd_username")
+ informatica_password = format("arn:aws:ssm:%s:%s:parameter%s", var.aws_region, var.aws_account_id[0], "/iics/cicd_password")
+}
+
data "template_file" "container" {
template = file("./templates/container-definitions.tpl")
vars = {
- container_name = var.container_name
- image_name = var.image_name
- container_memory = var.container_memory
- container_hostname = var.container_hostname
- app_port1 = var.container_app_port[0]
- app_port2 = var.container_app_port[1]
- app_port3 = var.container_app_port[2]
- informatica_username = var.informatica_username
- informatica_password = var.informatica_password
+ container_name = var.container_name
+ image_name = var.image_name
+ container_memory = var.container_memory
+ container_hostname = var.container_hostname
+ app_port1 = var.container_app_port[0]
+ app_port2 = var.container_app_port[1]
+ app_port3 = var.container_app_port[2]
+ informatica_username = local.informatica_username
+ informatica_password = local.informatica_password
secure_agent_mount_path = var.secure_agent_mount_path
}
}
-data "aws_iam_role" "ecs-task-execution" {
- name = "ecsTaskExecutionRole"
+resource "aws_iam_role" "ecs-task-execution" {
+ name = var.ecs_execution_role
+ assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "ecs-tasks.amazonaws.com"
+ },
+ "Effect":"Allow"
+ }
+ ]
+}
+EOF
+ tags = {
+ Name = "iics-ecs-execution-role"
+ }
+}
+
+# grant role permission for ECS task execution
+resource "aws_iam_role_policy_attachment" "ecs-task-execution" {
+ role = aws_iam_role.ecs-task-execution.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# grant access for SSM for credentails look up
+resource "aws_iam_policy" "iics-ssm-policy" {
+ name = var.iics_secret_access_policy
+ policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetParameters"
+ ],
+ "Resource": [
+ "${local.informatica_username}",
+ "${local.informatica_password}"
+ ]
+ }
+ ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "credentails" {
+ role = aws_iam_role.ecs-task-execution.name
+ policy_arn = aws_iam_policy.iics-ssm-policy.arn
}
resource "aws_ecs_task_definition" "task" {
family = var.ecs_task_name
- execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
+ execution_role_arn = aws_iam_role.ecs-task-execution.arn
network_mode = var.container_network_mode
requires_compatibilities = [
"EC2"]
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 20c2cc2..a37eeca 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -6,7 +6,8 @@ data "aws_iam_policy_document" "ecs-agent" {
principals {
type = "Service"
identifiers = [
- "ec2.amazonaws.com"]
+ "ec2.amazonaws.com",
+ "ecs-tasks.amazonaws.com"]
}
}
}
diff --git a/terraform/security.tf b/terraform/security.tf
index 900795e..c854a31 100644
--- a/terraform/security.tf
+++ b/terraform/security.tf
@@ -5,7 +5,7 @@ data "aws_security_group" "sec-group" {
data "aws_security_group" "default" {
vpc_id = data.aws_vpc.vpc.id
- name = "default"
+ name = "default"
}
// open port 2049 for NFSv4
diff --git a/terraform/templates/container-definitions.tpl b/terraform/templates/container-definitions.tpl
index 0102cd9..a736e8e 100644
--- a/terraform/templates/container-definitions.tpl
+++ b/terraform/templates/container-definitions.tpl
@@ -18,21 +18,21 @@
"hostPort": ${app_port3}
}
],
- "environment": [
- {
- "name": "INFORMATICA_USER",
- "value": "${informatica_username}"
- },
- {
- "name": "INFORMATICA_PASSWORD",
- "value": "${informatica_password}"
- }
- ],
"mountPoints": [
{
"containerPath": "${secure_agent_mount_path}",
"sourceVolume": "agent-configs-path"
}
+ ],
+ "secrets":[
+ {
+ "name":"INFORMATICA_USER",
+ "valueFrom":"${informatica_username}"
+ },
+ {
+ "name":"INFORMATICA_PASSWORD",
+ "valueFrom":"${informatica_password}"
+ }
]
}
]
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 687c457..5e88ecf 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,6 +1,3 @@
-variable "informatica_username" {}
-variable "informatica_password" {}
-
variable "aws_profile" {
default = "default"
}
@@ -65,7 +62,7 @@ variable "container_memory" {
}
variable "instance_ebs_size" {
- default = 40 # 40GB
+ default = 250 # 250GB
}
# see Secure Agent system requirements, before changing instance type, see the
@@ -93,6 +90,10 @@ variable "ecs_iam_role" {
default = "iics-secure-agent-iam-role-test"
}
+variable "ecs_execution_role" {
+ default = "iics-secure-agent-ecs-execution-role-test"
+}
+
variable "ecs_cluster_name" {
default = "iics-agent-cluster"
}
@@ -130,7 +131,7 @@ variable "efs_tags" {
}
variable "secure_agent_mount_path" {
- default = "/home/agent/infaagent/"
+ default = "/home/agent/infaagent/apps/agentcore/"
}
variable "secure_agent_sg_tags" {
@@ -146,4 +147,8 @@ variable "iam_instance_profile" {
variable "secure_agent_efs_sg" {
default = "secure-agent-efs-sg"
+}
+
+variable "iics_secret_access_policy" {
+ default = "iics-secret-access-policy-test"
}
\ No newline at end of file
--
GitLab