Add initial terraform scripts for automating infra. for Informatica Secure Agent

Since our licensing restrict us from more than 1 instance of Secure Agent, before deploying a new instance existing instance need to be shutdown (after adjusting any resources that depends on that instance). Due to this reason terraform is not part of CI/CD.

.gitignore

-*.idea
 .env
 volumes/
+credentials.tf
+*.svg
+*_credentials.tf
+sandbox
+.DS_Store
+.vscode
+*.tfstate
+*.tfstate.backup
+.terraform
+*.tfvars
+.idea/
+*.backup

README.md

@@ -61,3 +61,17 @@ Minimum Hardware Specs
 ## Known Issues
 
 * Doesn't seem to be able to run in host network mode because it won't be able to talk to internal ports.  It would probably work if you expose those ports.
+
+## Terraform
+* Infrastructure is available as code in terraform. 
+* Before disposing and create a new instance of Informatica Secure Agent, existing live connections to various targets(for e.g. databases) 
+should be reviewed and terminated. Due to this reason this is not part of CI/CD pipeline and can be executed as per necessity.
+* Various configurations can be overridden using  `-var=`, see [variables.tf](./terraform/variables.tf) for available parameters.
+```
+$ cd terraform
+$ terraform init
+$ terraform validate
+$ terraform plan -out agent.tfplan
+$ terraform apply "agent.tfplan"
+```
+* See Terraform doc on [variables](https://www.terraform.io/docs/configuration/variables.html) to see how to pass command line arguments.
\ No newline at end of file

terraform/ecs.tf

 data "template_file" "container" {
   template = file("./templates/container.tpl")
-  vars = {
+  vars     = {
     container_name = var.container_name
-    image_name = var.image_name
-    fargate_cpu = var.fargate_cpu
+    image_name     = var.image_name
+    fargate_cpu    = var.fargate_cpu
     fargate_memory = var.fargate_memory
-    app_port1 = var.container_app_port[0]
-    app_port2 = var.container_app_port[1]
-    app_port3 = var.container_app_port[2]
-    network_mode = var.container_network_mode
+    app_port1      = var.container_app_port[0]
+    app_port2      = var.container_app_port[1]
+    app_port3      = var.container_app_port[2]
+    network_mode   = var.container_network_mode
   }
 }
 
@@ -17,26 +17,28 @@ data "aws_iam_role" "ecs-task-execution" {
 }
 
 resource "aws_ecs_task_definition" "task" {
-  family = var.ecs_task_name
-  execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
-  network_mode = var.container_network_mode
-  requires_compatibilities = ["FARGATE"]
-  cpu = var.fargate_cpu
-  memory = var.fargate_memory
-  container_definitions = data.template_file.container.rendered
+  family                   = var.ecs_task_name
+  execution_role_arn       = data.aws_iam_role.ecs-task-execution.arn
+  network_mode             = var.container_network_mode
+  requires_compatibilities = [
+    "FARGATE"]
+  cpu                      = var.fargate_cpu
+  memory                   = var.fargate_memory
+  container_definitions    = data.template_file.container.rendered
 }
 
 resource "aws_ecs_service" "service" {
-  name = var.ecs_service_name
-  cluster = aws_ecs_cluster.cluster.id
+  name            = var.ecs_service_name
+  cluster         = aws_ecs_cluster.cluster.id
   task_definition = aws_ecs_task_definition.task.arn
-  desired_count = 1
-  launch_type = "FARGATE"
+  desired_count   = 1
+  launch_type     = "FARGATE"
 
   network_configuration {
+    security_groups  = [
+      data.aws_security_group.sec-group.id]
+    subnets          = data.aws_subnet_ids.subnets.ids
     assign_public_ip = false
-    subnets = [data.aws_subnet_ids.subnet-a.id,data.aws_subnet_ids.subnet-b.id]
-    security_groups = [data.aws_security_group.sec-group.id]
   }
 }
 

terraform/network.tf

@@ -2,17 +2,16 @@ data "aws_vpc" "vpc" {
   tags = var.vpc_tags
 }
 
-data "aws_subnet_ids" "subnet-a" {
+data "aws_subnet_ids" "subnets" {
   vpc_id = data.aws_vpc.vpc.id
-  tags = var.private_subnet_a_tags
-}
-
-data "aws_subnet_ids" "subnet-b" {
-  vpc_id = data.aws_vpc.vpc.id
-  tags = var.private_subnet_b_tags
+  filter {
+    name   = "tag:Name"
+    values = [
+      var.private_subnets_filter["Name"]]
+  }
 }
 
 data "aws_security_group" "sec-group" {
   vpc_id = data.aws_vpc.vpc.id
-  tags = var.security_group
+  tags   = var.security_group
 }
\ No newline at end of file

terraform/provider.tf

 provider "aws" {
-	access_key = var.aws_access_key
-	secret_key = var.aws_secret_key
-	region     = var.aws_region
-	allowed_account_ids = [var.aws_account_id]
+  access_key          = var.aws_access_key
+  secret_key          = var.aws_secret_key
+  region              = var.aws_region
+  allowed_account_ids = [
+    var.aws_account_id]
 }
\ No newline at end of file

terraform/security.tf

 data "aws_security_group" "secgroup" {
   vpc_id = data.aws_vpc.vpc.id
-  tags = var.security_group
+  tags   = var.security_group
 }
\ No newline at end of file

terraform/templates/container.tpl

@@ -15,8 +15,8 @@
         "hostPort": ${app_port2}
       },
       {
-        "containerPort": ${app_port2},
-        "hostPort": ${app_port2}
+        "containerPort": ${app_port3},
+        "hostPort": ${app_port3}
       }
     ]
   }

terraform/variables.tf

 variable "aws_access_key" {}
 variable "aws_secret_key" {}
 variable "aws_account_id" {
-	default = "265723766240"
+  default = "265723766240"
 }
 variable "aws_region" {
-	default = "us-east-1" # test tier
+  default = "us-east-1"
+  # test tier
 }
 
 variable "vpc_tags" {
-	type = map(string)
-	default = {
-		Name = "test-tier"
-		tier = "test"
-	}
+  type    = map(string)
+  default = {
+    Name = "test-tier"
+    tier = "test"
+  }
 }
 
 # needs at least two subnets
-variable "private_subnet_a_tags" {
-	type = map(string)
-	default = {
-		Name = "test-private-a"
-		tier = "test"
-		network = "private"
-	}
-}
-variable "private_subnet_b_tags" {
-	type = map(string)
-	default = {
-		Name = "test-private-b"
-		tier = "test"
-		network = "private"
-	}
+variable "private_subnets_filter" {
+  type    = map(string)
+  default = {
+    Name = "test-private-*"
+  }
 }
 
 variable "security_group" {
-	type = map(string)
-	default = {
-		tier = "test"
-		Name = "internal"
-	}
+  type    = map(string)
+  default = {
+    tier = "test"
+    Name = "internal"
+  }
 }
 
 variable "image_name" {
-	default = "265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent"
+  default = "265723766240.dkr.ecr.us-east-1.amazonaws.com/enterprise-integrations/iics_secure_agent"
 }
 
 variable "container_name" {
-	default = "iics-secure-agent-test"
+  default = "iics-secure-agent-test"
 }
 variable "container_network_mode" {
-	default = "awsvpc"
+  default = "awsvpc"
 }
 variable "container_app_port" {
-	type = list(string)
-	default = [7080, 7443, 5432]
+  type    = list(string)
+  default = [
+    7080,
+    7443,
+    5432]
 }
 
 # note that as per our licesning model each
 # container would be an extran instance
 variable "container_count" {
-	default = 1
+  default = 1
 }
 
+# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html
+# see Secure Agent resource requirements for these numbers.
 variable "fargate_cpu" {
-	default = "4096" # 1 vCPU = 1024 CPU units
+	# 1 vCPU = 1024 CPU units
+	default = "4096"
 }
 variable "fargate_memory" {
-	default = "4095" # in MiB
+	# in MiB
+	default = "8192"
 }
 
 # ecs
 variable "ecs_cluster_name" {
-	default = "iics-agent-cluster"
+  default = "iics-agent-cluster"
 }
 
 variable "ecs_cluster_tags" {
-	type = map(string)
-	default = {
-		Name = "iics-agent-cluster"
-		tier = "test"
-	}
+  type    = map(string)
+  default = {
+    Name = "iics-agent-cluster"
+    tier = "test"
+  }
 }
 
 variable "ecs_task_name" {
-	default = "iics-secure-agent-test"
+  default = "iics-agent-task"
 }
 
 variable "ecs_service_name" {
-	default = "iics-secure-agent-test"
+  default = "iics-agent-service"
 }
\ No newline at end of file