parameterize arns, clean up variable and tpl usage

terraform/implementation/ecs/backend.tf

@@ -6,12 +6,13 @@ terraform {
     }
   }
 
-  # backend "s3" {
-  #   key = "remote_tfstate"
-  # dynamodb_table
-  # bucket
-  # region
-  # }
+  backend "s3" {
+    key     = "remote_tfstate"
+    encrypt = true
+    # dynamodb_table
+    # bucket
+    # region
+  }
 }
 
 # Credentials should be provided by using the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

terraform/implementation/ecs/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

terraform/implementation/ecs/ecs.sh

@@ -17,9 +17,18 @@ if [ "$ENVIRONMENT" == "$PRODUCTION" ]; then
     terraform plan -var-file="$PRODUCTION.tfvars"
 elif [ "$ENVIRONMENT" != "$PRODUCTION" ] && [ "$ENVIRONMENT" != "" ]; then
     echo "$ENVIRONMENT"
-    terraform init -migrate-state -var-file="$ENVIRONMENT.tfvars"
-    terraform plan -var-file="$ENVIRONMENT.tfvars" -target=module.vpc
-    terraform apply -var-file="$ENVIRONMENT.tfvars" -target=module.vpc
+    terraform init \
+        -migrate-state \
+        -var-file="$ENVIRONMENT.tfvars" \
+        -backend-config "bucket=dibbs-aws-tfstate-alis-default" \
+        -backend-config "dynamodb_table=dibbs-aws-tfstate-lock-alis-default" \
+        -backend-config "region=us-east-1"
+    terraform plan \
+        -var-file="$ENVIRONMENT.tfvars" \
+        -target=module.vpc -target=module.iam -target=module.ecr -target=module.s3 -target=module.ecs
+    terraform apply \
+        -var-file="$ENVIRONMENT.tfvars" \
+        -target=module.vpc -target=module.iam -target=module.ecr -target=module.s3 -target=module.ecs
 else
     echo "Please provide a valid environment: $PRODUCTION or another string"
     exit 1

terraform/implementation/ecs/locals.tf → terraform/implementation/ecs/local.tf

@@ -15,6 +15,10 @@ locals {
   ecs_cloudwatch_log_group     = "${var.ecs_cloudwatch_log_group}-${var.owner}-${terraform.workspace}"
   ecs_target_group_name        = "${var.ecs_target_group_name}-${var.owner}-${terraform.workspace}"
   ecs_app_task_family          = "${var.ecs_app_task_family}-${var.owner}-${terraform.workspace}"
+  ecs_cluster_name             = "${var.ecs_cluster_name}-${var.owner}-${terraform.workspace}"
+  s3_viewer_bucket_name        = "${var.s3_viewer_bucket_name}-${var.owner}-${terraform.workspace}"
+  s3_viewer_bucket_role_name        = "${var.s3_viewer_bucket_role_name}-${var.owner}-${terraform.workspace}"
+  s3_viewer_bucket_policy_name      = "${var.s3_viewer_bucket_policy_name}-${var.owner}-${terraform.workspace}"
   vpc                          = "${var.vpc}-${var.owner}-${terraform.workspace}"
 
   enable_nat_gateway = var.enable_nat_gateway

terraform/implementation/ecs/main.tf

@@ -11,21 +11,31 @@ module "vpc" {
 }
 
 module "iam" {
-  source                  = "../../modules/iam"
+  source                       = "../../modules/iam"
   ecs_task_execution_role_name = local.ecs_task_execution_role_name
+  ecs_cluster_name             = local.ecs_cluster_name
+  aws_caller_identity          = data.aws_caller_identity.current.account_id
+  region                       = var.region
 }
 
-module "ecrRepo" {
+module "ecr" {
   source                  = "../../modules/ecr"
+  aws_caller_identity     = data.aws_caller_identity.current.account_id
   ecs_task_execution_role = module.iam.ecs_task_execution_role.arn
   ecr_repos               = local.ecr_repos
+  ecs_cluster_name        = local.ecs_cluster_name
+  region                  = var.region
   ghcr_token              = local.ghcr_token
   ghcr_username           = local.ghcr_username
 }
 
 module "s3" {
   source                 = "../../modules/s3"
   ecs_assume_role_policy = module.iam.ecr_viewer_and_s3_assume_role_policy
+  region                 = var.region
+  s3_viewer_bucket_name  = local.s3_viewer_bucket_name
+  s3_viewer_bucket_role_name  = local.s3_viewer_bucket_role_name
+  s3_viewer_bucket_policy_name = local.s3_viewer_bucket_policy_name
 }
 
 module "ecs" {
@@ -36,7 +46,8 @@ module "ecs" {
   cidr                        = module.vpc.vpc_cidr_block
   availability_zones          = module.vpc.azs
   ecs_task_execution_role_arn = module.iam.ecs_task_execution_role.arn
-  ecr_repo_url                = module.ecrRepo.repository_url
+  ecr_repo_url                = module.ecr.repository_url
+  ecs_cluster_name            = local.ecs_cluster_name
   ecs_s3_bucket_name          = module.s3.ecs_s3_bucket_name
   app_service_name            = local.ecs_app_service_name
   app_task_name               = local.ecs_app_task_name
@@ -47,5 +58,5 @@ module "ecs" {
   ecs_app_task_family         = local.ecs_app_task_family
   target_group_name           = local.ecs_target_group_name
   retention_in_days           = var.cw_retention_in_days
-  aws_region                  = var.region
+  region                      = var.region
 }

terraform/implementation/ecs/variables.tf → terraform/implementation/ecs/var.tf

@@ -48,6 +48,11 @@ variable "cw_retention_in_days" {
   type        = number
   default     = 30
 }
+variable "ecs_cluster_name" {
+  description = "The name of the target group"
+  type        = string
+  default     = "ecs-cluster"
+}
 variable "ecs_target_group_name" {
   description = "The name of the target group"
   type        = string
@@ -97,4 +102,19 @@ variable "single_nat_gateway" {
   description = "Single NAT Gateway"
   type        = bool
   default     = true
+}
+variable "s3_viewer_bucket_name" {
+  description = "The name of the viewer bucket"
+  type        = string
+  default     = "dibbs-s3-viewer"
+}
+variable "s3_viewer_bucket_role_name" {
+  description = "The role for the viewer bucket"
+  type        = string
+  default     = "dibbs-s3-viewer-role"
+}
+variable "s3_viewer_bucket_policy_name" {
+  description = "The policy name for the viewer bucket"
+  type        = string
+  default     = "dibbs-s3-viewer-policy"
 }

terraform/modules/ecr/data.tf

@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "ecr_policy" {
       "ecr:BatchGetImage",
     ]
 
-    resources = ["arn:aws:ecs:us-east-1:339712971032:cluster/dibbs-ecs-cluster/${each.value}}"]
+    resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.value}"]
   }
 }
 

terraform/modules/ecr/locals.tf

@@ -1,6 +1,11 @@
 locals {
   # Use our standard lifecycle policy if none passed in.
-  images = var.images
+  images = {
+    "fhir-converter" = "${var.aws_caller_identity}.dkr.${var.region}.amazonaws.com/fhir-converter"
+    "ingestion"      = "${var.aws_caller_identity}.dkr.${var.region}.amazonaws.com/ingestion"
+    "message-parser" = "${var.aws_caller_identity}.dkr.ecr.${var.region}.amazonaws.com/message-parser"
+    "orchestration"  = "${var.aws_caller_identity}.dkr.ecr.${var.region}.amazonaws.com/orchestration"
+  }
 
   policy = var.lifecycle_policy == "" ? file("${path.module}/ecr-lifecycle-policy.json") : var.lifecycle_policy
 

terraform/modules/ecr/provider.tf

@@ -26,14 +26,11 @@ provider "docker" {
 
     config_file_content = jsonencode({
       "auths" = {
-        "339712971032.dkr.ecr.us-east-1.amazonaws.com" = {}
+        "${var.aws_caller_identity}.dkr.ecr.${var.region}.amazonaws.com" = {}
       }
       "credHelpers" = {
-        "339712971032.dkr.ecr.us-east-1.amazonaws.com" = "ecr-login"
+        "${var.aws_caller_identity}.dkr.ecr.${var.region}.amazonaws.com" = "ecr-login"
       }
     })
   }
 }
-
-data "aws_ecr_authorization_token" "token" {
-}

terraform/modules/ecr/variables.tf

@@ -20,15 +20,9 @@ variable "ecs_task_execution_role" {
   description = "ECS Task Execution Role"
 }
 
-variable "images" {
-  description = "ECR image for DIBBS applications"
-  type        = map(string)
-  default = {
-    "fhir-converter" = "339712971032.dkr.us-east-1.amazonaws.com/fhir-converter"
-    "ingestion"      = "339712971032.dkr.us-east-1.amazonaws.com/ingestion"
-    "message-parser" = "339712971032.dkr.ecr.us-east-1.amazonaws.com/message-parser"
-    "orchestration"  = "339712971032.dkr.ecr.us-east-1.amazonaws.com/orchestration"
-  }
+variable "ecs_cluster_name" {
+  type        = string
+  description = "ECS Cluster Name"
 }
 
 variable "lifecycle_policy" {
@@ -65,16 +59,6 @@ variable "tags" {
   default     = {}
 }
 
-######################
-### DOCKER PROVIDER ##
-######################
-
-variable "ecr_address" {
-  type        = string
-  description = "Elastic Container Registry Address"
-  default     = "https://339712971032.dkr.ecr.us-east-1.amazonaws.com"
-}
-
 ######################
 ###### GHCR INFO #####
 ######################
@@ -88,3 +72,13 @@ variable "ghcr_token" {
   type        = string
   description = "GitHub Container Registry token."
 }
+
+variable "aws_caller_identity" {
+  type        = string
+  description = "AWS Caller Identity"
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region"
+}

terraform/modules/ecs/alb.tf

@@ -8,7 +8,7 @@ resource "aws_alb" "main" {
   enable_deletion_protection = false
 
   tags = {
-    Name = "dibbs-ecs-alb"
+    Name = var.alb_name
   }
 }
 

terraform/modules/ecs/data.tf

@@ -3,60 +3,70 @@
 ##########################
 
 data "template_file" "fhir_converter_app" {
-  template = file("../../modules/ecs/templates/fhir_converter_app.json.tpl")
+  template = file("../../modules/ecs/templates/app.json.tpl")
   vars = {
+    name                    = "fhir-converter"
     app_image                = var.app_image
     app_port                 = var.app_port
+    region                   = var.region
     fargate_cpu              = var.fargate_cpu
     fargate_memory           = var.fargate_memory
-    aws_region               = var.aws_region
     aws_cloudwatch_log_group = var.aws_cloudwatch_log_group
   }
 }
 
 data "template_file" "ingestion_app" {
-  template = file("../../modules/ecs/templates/ingestion_app.json.tpl")
+  template = file("../../modules/ecs/templates/app.json.tpl")
 
   vars = {
-    app_image      = var.app_image
-    app_port       = var.app_port
-    fargate_cpu    = var.fargate_cpu
-    fargate_memory = var.fargate_memory
-    #aws_region     = var.aws_region
+    name                    = "ingestion"
+    app_image                = var.app_image
+    app_port                 = var.app_port
+    region                   = var.region
+    fargate_cpu              = var.fargate_cpu
+    fargate_memory           = var.fargate_memory
+    aws_cloudwatch_log_group = var.aws_cloudwatch_log_group
   }
 }
 
 data "template_file" "validation_app" {
-  template = file("../../modules/ecs/templates/validation_app.json.tpl")
+  template = file("../../modules/ecs/templates/app.json.tpl")
 
   vars = {
-    app_image      = var.app_image
-    app_port       = var.app_port
-    fargate_cpu    = var.fargate_cpu
-    fargate_memory = var.fargate_memory
-    #aws_region     = var.aws_region
+    name                    = "validation"    
+    app_image                = var.app_image
+    app_port                 = var.app_port
+    region                   = var.region
+    fargate_cpu              = var.fargate_cpu
+    fargate_memory           = var.fargate_memory
+    aws_cloudwatch_log_group = var.aws_cloudwatch_log_group
   }
 }
 
 data "template_file" "orchestration_app" {
   template = file("../../modules/ecs/templates/orchestration_app.json.tpl")
 
   vars = {
-    app_image      = var.app_image
-    app_port       = var.app_port
-    fargate_cpu    = var.fargate_cpu
-    fargate_memory = var.fargate_memory
+    name                    = "orchestration"
+    app_image                = var.app_image
+    app_port                 = var.app_port
+    region                   = var.region
+    fargate_cpu              = var.fargate_cpu
+    fargate_memory           = var.fargate_memory
+    aws_cloudwatch_log_group = var.aws_cloudwatch_log_group
   }
 }
 
 data "template_file" "ecr_viewer_app" {
-  template = file("../../modules/ecs/templates/ecr_viewer_app.json.tpl")
+  template = file("../../modules/ecs/templates/app.json.tpl")
 
   vars = {
-    app_image      = var.app_image
-    app_port       = var.app_port
-    fargate_cpu    = var.fargate_cpu
-    fargate_memory = var.fargate_memory
-    #aws_region     = var.aws_region
+    name                    = "ecr-viewer"
+    app_image                = var.app_image
+    app_port                 = var.app_port
+    region                   = var.region
+    fargate_cpu              = var.fargate_cpu
+    fargate_memory           = var.fargate_memory
+    aws_cloudwatch_log_group = var.aws_cloudwatch_log_group
   }
 }

terraform/modules/ecs/templates/ingestion_app.json.tpl → terraform/modules/ecs/templates/app.json.tpl

@@ -1,15 +1,15 @@
 [
     {
-    "name": "ingestion-app",
-    "image": "ghcr.io/cdcgov/phdi/ingestion:v1.4.4",
+    "name": "${name}",
+    "image": "${app_image}",
     "cpu": ${fargate_cpu},
     "memory": ${fargate_memory},
     "networkMode": "awsvpc",
     "logConfiguration": {
         "logDriver": "awslogs",
         "options": {
           "awslogs-group": "/ecs-cloudwatch-logs",
-          "awslogs-region": "us-east-1",
+          "awslogs-region": "${region}",
           "awslogs-stream-prefix": "ecs"
         }
     },

terraform/modules/ecs/templates/validation_app.json.tpl → terraform/modules/ecs/templates/dibbs_app.json.tpl

@@ -1,15 +1,15 @@
 [
     {
-    "name": "validation-app",
-    "image": "ghcr.io/cdcgov/phdi/validation:v1.4.4",
+    "name": "${name}",
+    "image": "${app_image}",
     "cpu": ${fargate_cpu},
     "memory": ${fargate_memory},
     "networkMode": "awsvpc",
     "logConfiguration": {
         "logDriver": "awslogs",
         "options": {
           "awslogs-group": "/ecs-cloudwatch-logs",
-          "awslogs-region": "us-east-1",
+          "awslogs-region": "${region}",
           "awslogs-stream-prefix": "ecs"
         }
     },