From 354a245fcc3e5165e71b53496c7abaea212aaf70 Mon Sep 17 00:00:00 2001 From: Alis Akers Date: Mon, 5 Aug 2024 15:28:21 -0700 Subject: [PATCH] Set ALB to internal by default, can be overridden during module call --- terraform/implementation/ecs/README.md | 1 + terraform/implementation/ecs/_variable.tf | 6 ++ terraform/implementation/ecs/main.tf | 1 + terraform/implementation/setup/README.md | 10 +++- terraform/implementation/setup/iam.tf | 68 +++++++++++------------ terraform/implementation/setup/main.tf | 18 +++--- terraform/modules/ecs/README.md | 1 + terraform/modules/ecs/_variable.tf | 5 ++ terraform/modules/ecs/alb.tf | 2 +- 9 files changed, 67 insertions(+), 45 deletions(-) diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md index 9291c8c2..cf1c7bc8 100644 --- a/terraform/implementation/ecs/README.md +++ b/terraform/implementation/ecs/README.md @@ -31,6 +31,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [alb\_internal](#input\_alb\_internal) | Whether the ALB is public or private | `bool` | `true` | no | | [appmesh\_name](#input\_appmesh\_name) | The name of the App Mesh | `string` | `"appmesh"` | no | | [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | 
[
  "us-east-1a",
  "us-east-1b",
  "us-east-1c"
]
| no | | [cloudmap\_namespace\_name](#input\_cloudmap\_namespace\_name) | The name of the CloudMap namespace | `string` | `"cloudmap-service-connect"` | no | diff --git a/terraform/implementation/ecs/_variable.tf b/terraform/implementation/ecs/_variable.tf index 87950090..7ee7505c 100644 --- a/terraform/implementation/ecs/_variable.tf +++ b/terraform/implementation/ecs/_variable.tf @@ -1,3 +1,9 @@ +variable "alb_internal" { + description = "Whether the ALB is public or private" + type = bool + default = true +} + variable "appmesh_name" { description = "The name of the App Mesh" type = string diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf index c2e89171..b42785a0 100644 --- a/terraform/implementation/ecs/main.tf +++ b/terraform/implementation/ecs/main.tf @@ -38,6 +38,7 @@ module "ecs" { private_subnet_ids = flatten(module.vpc.private_subnets) vpc_id = module.vpc.vpc_id + alb_internal = var.alb_internal cw_retention_in_days = var.cw_retention_in_days region = var.region } diff --git a/terraform/implementation/setup/README.md b/terraform/implementation/setup/README.md index 1984253c..2b92a598 100644 --- a/terraform/implementation/setup/README.md +++ b/terraform/implementation/setup/README.md @@ -22,7 +22,6 @@ No modules. | [aws_dynamodb_table.tfstate_lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | | [aws_iam_policy.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | @@ -31,6 +30,15 @@ No modules. | [local_file.setup_env](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [random_string.setup](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.amazon_dynamodb_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.amazon_ec2_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.amazon_route53_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.amazon_vpc_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_appmesh_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_iam_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_logs_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_s3_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.elastic_load_balancing_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy_document.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.github_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/terraform/implementation/setup/iam.tf b/terraform/implementation/setup/iam.tf index 362decae..5774f835 100644 --- a/terraform/implementation/setup/iam.tf +++ b/terraform/implementation/setup/iam.tf @@ -67,39 +67,39 @@ data "aws_iam_policy_document" "github_assume_role" { # trivy:ignore:AVD-AWS-0057 data "aws_iam_policy_document" "github" { statement { - actions = [ - "ecr:GetAuthorizationToken", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability", - "ecr:CreateRepository", - "ecr:DescribeRepositories", - "ecr:DescribeImages", - "ecr:GetDownloadUrlForLayer", - "ecr:InitiateLayerUpload", - "ecr:ListTagsForResource", - "ecr:ListImages", - "ecr:PutImage", - "ecr:UploadLayerPart", - "ecr:CompleteLayerUpload", - "ecr:TagResource", - "ecs:CreateCluster", - "ecs:DescribeClusters", - "ecs:DescribeTaskDefinition", - "ecs:DescribeServices", - "ecs:UpdateService", - "ecs:TagResource", - "ecs:CreateService", - "ecs:RegisterTaskDefinition", - "servicediscovery:GetNamespace", - "servicediscovery:ListTagsForResource", - "servicediscovery:GetService", - "servicediscovery:CreatePrivateDnsNamespace", - "servicediscovery:TagResource", - "servicediscovery:GetOperation", - ] - resources = [ - "*" - ] + actions = [ + "ecr:GetAuthorizationToken", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:CreateRepository", + "ecr:DescribeRepositories", + "ecr:DescribeImages", + "ecr:GetDownloadUrlForLayer", + "ecr:InitiateLayerUpload", + "ecr:ListTagsForResource", + "ecr:ListImages", + "ecr:PutImage", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:TagResource", + "ecs:CreateCluster", + "ecs:DescribeClusters", + "ecs:DescribeTaskDefinition", + "ecs:DescribeServices", + "ecs:UpdateService", + "ecs:TagResource", + "ecs:CreateService", + "ecs:RegisterTaskDefinition", + "servicediscovery:GetNamespace", + "servicediscovery:ListTagsForResource", + "servicediscovery:GetService", + "servicediscovery:CreatePrivateDnsNamespace", + "servicediscovery:TagResource", + "servicediscovery:GetOperation", + ] + resources = [ + "*" + ] } } @@ -109,7 +109,7 @@ resource "aws_iam_policy" "github" { } resource "aws_iam_role" "github" { - name = "${var.project}-github-role-${var.owner}-${random_string.setup.result}" + name = "${var.project}-github-role-${var.owner}-${random_string.setup.result}" managed_policy_arns = [ aws_iam_policy.github.arn, data.aws_iam_policy.amazon_vpc_full_access.arn, diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf index efafb51a..f427d16e 100644 --- a/terraform/implementation/setup/main.tf +++ b/terraform/implementation/setup/main.tf @@ -65,21 +65,21 @@ resource "aws_dynamodb_table" "tfstate_lock" { resource "local_file" "setup_env" { content = <<-EOT - WORKSPACE=${terraform.workspace} - BUCKET=${aws_s3_bucket.tfstate.bucket} - DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id} - REGION=${var.region} - TERRAFORM_ROLE=${aws_iam_role.github.arn} + WORKSPACE="${terraform.workspace}" + BUCKET="${aws_s3_bucket.tfstate.bucket}" + DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}" + REGION="${var.region}" + TERRAFORM_ROLE="${aws_iam_role.github.arn}" EOT filename = ".env" } resource "local_file" "ecs_env" { content = <<-EOT - BUCKET=${aws_s3_bucket.tfstate.bucket} - DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id} - REGION=${var.region} - TERRAFORM_ROLE=${aws_iam_role.github.arn} + BUCKET="${aws_s3_bucket.tfstate.bucket}" + DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}" + REGION="${var.region}" + TERRAFORM_ROLE="${aws_iam_role.github.arn}" EOT filename = "../ecs/.env" } diff --git a/terraform/modules/ecs/README.md b/terraform/modules/ecs/README.md index 1c67d5a8..2d5feb4c 100644 --- a/terraform/modules/ecs/README.md +++ b/terraform/modules/ecs/README.md @@ -56,6 +56,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [alb\_internal](#input\_alb\_internal) | Flag to determine if the ALB is public | `bool` | `true` | no | | [appmesh\_name](#input\_appmesh\_name) | Name of the AWS App Mesh | `string` | n/a | yes | | [cloudmap\_namespace\_name](#input\_cloudmap\_namespace\_name) | Name of the AWS Cloud Map namespace | `string` | n/a | yes | | [cloudmap\_service\_name](#input\_cloudmap\_service\_name) | Name of the AWS Cloud Map service | `string` | n/a | yes | diff --git a/terraform/modules/ecs/_variable.tf b/terraform/modules/ecs/_variable.tf index 8b44f1ba..4fa9d1cf 100644 --- a/terraform/modules/ecs/_variable.tf +++ b/terraform/modules/ecs/_variable.tf @@ -1,3 +1,8 @@ +variable "alb_internal" { + type = bool + description = "Flag to determine if the ALB is public" + default = true +} variable "appmesh_name" { type = string description = "Name of the AWS App Mesh" diff --git a/terraform/modules/ecs/alb.tf b/terraform/modules/ecs/alb.tf index 3f24eb6d..7752971f 100644 --- a/terraform/modules/ecs/alb.tf +++ b/terraform/modules/ecs/alb.tf @@ -2,7 +2,7 @@ # trivy:ignore:AVD-AWS-0053 resource "aws_alb" "ecs" { name = var.ecs_alb_name - internal = false + internal = var.alb_internal load_balancer_type = "application" subnets = flatten([var.public_subnet_ids]) security_groups = [aws_security_group.alb.id]