continue refactor on variables, refactor ecs and mesh implementation

terraform/implementation/ecs/local.tf → terraform/implementation/ecs/_local.tf

@@ -1,10 +1,11 @@
 locals {
   ecs_container_port = 8080
-  ecr_repos = [
+  ecr_repo_names = [
+    "ecr-viewer",
     "fhir-converter",
     "ingestion",
-    "message-parser",
-    "orchestration"
+    "orchestration",
+    "validation"
   ]
 
   ecs_alb_sg                   = "${var.ecs_alb_sg}-${var.owner}-${terraform.workspace}"
@@ -17,13 +18,11 @@ locals {
   ecs_app_task_family          = "${var.ecs_app_task_family}-${var.owner}-${terraform.workspace}"
   ecs_cluster_name             = "${var.ecs_cluster_name}-${var.owner}-${terraform.workspace}"
   s3_viewer_bucket_name        = "${var.s3_viewer_bucket_name}-${var.owner}-${terraform.workspace}"
-  s3_viewer_bucket_role_name        = "${var.s3_viewer_bucket_role_name}-${var.owner}-${terraform.workspace}"
-  s3_viewer_bucket_policy_name      = "${var.s3_viewer_bucket_policy_name}-${var.owner}-${terraform.workspace}"
+  s3_viewer_bucket_role_name   = "${var.s3_viewer_bucket_role_name}-${var.owner}-${terraform.workspace}"
+  s3_viewer_bucket_policy_name = "${var.s3_viewer_bucket_policy_name}-${var.owner}-${terraform.workspace}"
   vpc                          = "${var.vpc}-${var.owner}-${terraform.workspace}"
 
   enable_nat_gateway = var.enable_nat_gateway
   single_nat_gateway = var.single_nat_gateway
   availability_zones = var.availability_zones
-  ghcr_token         = var.ghcr_token
-  ghcr_username      = var.ghcr_username
 }

terraform/implementation/ecs/var.tf → terraform/implementation/ecs/_variable.tf

@@ -33,16 +33,6 @@ variable "ecs_alb_sg" {
   type        = string
   default     = "dibbs-ecs-albsg"
 }
-variable "ghcr_token" {
-  description = "The GitHub Container Registry token"
-  type        = string
-  default     = ""
-}
-variable "ghcr_username" {
-  description = "The GitHub Container Registry username"
-  type        = string
-  default     = ""
-}
 variable "cw_retention_in_days" {
   description = "The number of days to retain logs in CloudWatch"
   type        = number
@@ -91,7 +81,7 @@ variable "vpc_cidr" {
 variable "ecs_cloudwatch_log_group" {
   description = "The name of the CloudWatch log group"
   type        = string
-  default     = "dibbs-ecs-cwlg"
+  default     = "/dibbs-ecs-cwlg"
 }
 variable "enable_nat_gateway" {
   description = "Enable NAT Gateway"
@@ -117,4 +107,9 @@ variable "s3_viewer_bucket_policy_name" {
   description = "The policy name for the viewer bucket"
   type        = string
   default     = "dibbs-s3-viewer-policy"
+}
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
 }

terraform/implementation/ecs/ecs.sh

@@ -23,12 +23,12 @@ elif [ "$ENVIRONMENT" != "$PRODUCTION" ] && [ "$ENVIRONMENT" != "" ]; then
         -backend-config "bucket=dibbs-aws-tfstate-alis-default" \
         -backend-config "dynamodb_table=dibbs-aws-tfstate-lock-alis-default" \
         -backend-config "region=us-east-1"
-    terraform plan \
-        -var-file="$ENVIRONMENT.tfvars" \
-        -target=module.vpc -target=module.iam -target=module.ecr -target=module.s3 -target=module.ecs
+    # terraform plan \
+    #     -var-file="$ENVIRONMENT.tfvars" \
+    #     -target=module.vpc -target=module.iam -target=module.ecr -target=module.s3 -target=module.ecs
     terraform apply \
         -var-file="$ENVIRONMENT.tfvars" \
-        -target=module.vpc -target=module.iam -target=module.ecr -target=module.s3 -target=module.ecs
+        -target=module.vpc -target=module.iam -target=module.ecr -target=module.s3 -target=module.ecs -target=module.ecs
 else
     echo "Please provide a valid environment: $PRODUCTION or another string"
     exit 1

terraform/implementation/ecs/main.tf

@@ -22,11 +22,11 @@ module "ecr" {
   source                  = "../../modules/ecr"
   aws_caller_identity     = data.aws_caller_identity.current.account_id
   ecs_task_execution_role = module.iam.ecs_task_execution_role.arn
-  ecr_repos               = local.ecr_repos
+  ecr_repo_names               = local.ecr_repo_names
   ecs_cluster_name        = local.ecs_cluster_name
+  tags                    = {}
+  lifecycle_policy        = ""
   region                  = var.region
-  ghcr_token              = local.ghcr_token
-  ghcr_username           = local.ghcr_username
 }
 
 module "s3" {
@@ -52,9 +52,9 @@ module "ecs" {
   app_service_name            = local.ecs_app_service_name
   app_task_name               = local.ecs_app_task_name
   alb_name                    = local.ecs_alb_name
-  aws_cloudwatch_log_group    = local.ecs_cloudwatch_log_group
+  ecs_cloudwatch_log_group    = local.ecs_cloudwatch_log_group
   container_port              = local.ecs_container_port
-  ecr_repos                   = local.ecr_repos
+  ecr_repo_names                   = local.ecr_repo_names
   ecs_app_task_family         = local.ecs_app_task_family
   target_group_name           = local.ecs_target_group_name
   retention_in_days           = var.cw_retention_in_days

terraform/implementation/ecs/unlock.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+terraform force-unlock $1
+
+aws ecr get-login-password | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com

terraform/implementation/setup/terraform.tfvars.example

@@ -5,6 +5,8 @@
 * The 'owner' variable specifies the owner of the resources that will be provisioned and is included in resource naming and tagging.
 * The 'region' variable specifies the AWS region where the resources will be provisioned.
 * The new file you create will not be tracked in git by default, so make sure you store it in a secure location for later use.
+* required:
+* optional:
 */
 owner = "JurrasicPark"
 region = "us-east-1"

terraform/modules/ecr/data.tf → terraform/modules/ecr/_data.tf

@@ -1,6 +1,6 @@
 data "aws_iam_policy_document" "ecr_policy" {
 
-  for_each = var.ecr_repos
+  for_each = var.ecr_repo_names
   statement {
     actions = [
       "ecr:GetAuthorizationToken",
@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "ecr_policy" {
 }
 
 data "docker_registry_image" "ghcr_data" {
-  for_each = local.images
+  for_each = var.ecr_repo_names
   name     = "ghcr.io/cdcgov/phdi/${each.key}:${local.phdi_version}"
 }
 

terraform/modules/ecr/_local.tf

@@ -0,0 +1,9 @@
+locals {
+  policy = var.lifecycle_policy == "" ? file("${path.module}/ecr-lifecycle-policy.json") : var.lifecycle_policy
+  repo_name = var.ecr_repo_names
+  tags = {
+    Automation = "Terraform"
+  }
+  # NOTE: The version may need to be changed with updates
+  phdi_version = "v1.4.4"
+}

terraform/modules/ecr/_variable.tf

@@ -0,0 +1,42 @@
+variable "ecr_repo_names" {
+  type = set(string)
+  # default = [
+  #   "fhir-converter",
+  #   "ingestion",
+  #   "ecr-viewer",
+  #   "validation",
+  #   "orchestration"
+  # ]
+}
+
+variable "ecs_task_execution_role" {
+  type        = string
+  description = "ECS Task Execution Role"
+}
+
+variable "ecs_cluster_name" {
+  type        = string
+  description = "ECS Cluster Name"
+}
+
+variable "lifecycle_policy" {
+  type        = string
+  description = "ECR repository lifecycle policy document. Used to override the default policy."
+  # default     = ""
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Additional tags to apply."
+  # default     = {}
+}
+
+variable "aws_caller_identity" {
+  type        = string
+  description = "AWS Caller Identity"
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region"
+}

terraform/modules/ecr/docker.tf

@@ -4,20 +4,21 @@ resource "time_static" "now" {}
 
 # NOTE: This pulls image down from the docker registry
 resource "docker_image" "ghcr_image" {
-  for_each      = local.images
+  for_each      = var.ecr_repo_names
   name          = data.docker_registry_image.ghcr_data[each.key].name
   keep_locally  = true
   pull_triggers = [data.docker_registry_image.ghcr_data[each.key].sha256_digest]
+  force_remove  = true
 }
 
 resource "docker_tag" "tag_for_aws" {
-  for_each     = local.images
+  for_each     = var.ecr_repo_names
   source_image = docker_image.ghcr_image[each.key].name
   target_image = "${aws_ecr_repository.repo[each.key].repository_url}:${local.phdi_version}"
 }
 
 resource "docker_registry_image" "my_docker_image" {
-  for_each      = local.images
+  for_each      = var.ecr_repo_names
   name          = "${aws_ecr_repository.repo[each.key].repository_url}:${local.phdi_version}"
   depends_on    = [docker_tag.tag_for_aws, aws_ecr_repository.repo]
   keep_remotely = true

terraform/modules/ecr/ecr.tf

@@ -1,4 +1,4 @@
 resource "aws_ecr_repository" "repo" {
-  for_each = var.ecr_repos
+  for_each = var.ecr_repo_names
   name     = each.key
 }

terraform/modules/ecr/provider.tf

@@ -12,12 +12,6 @@ provider "docker" {
   # Docker daemon using the default Unix socket 
   host = "unix:///var/run/docker.sock"
 
-  registry_auth {
-    address  = "ghcr.io"
-    username = var.ghcr_username
-    password = var.ghcr_token
-  }
-
   registry_auth {
 
     address  = data.aws_ecr_authorization_token.container_registry_token.proxy_endpoint