LRNT-019: Disabling development service and ASG

Signed-off-by: Ulises Tirado Zatarain <[email protected]>
zatarain · Apr 28, 2024 · 9224d24 · 9224d24
1 parent efdff1b
commit 9224d24
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 46 deletions.
diff --git a/portfolio/alb.tf b/portfolio/alb.tf
@@ -1,3 +1,4 @@
+/**
 resource "aws_alb_target_group" "back-end" {
   name        = "${var.prefix}-back-end"
   port        = 80
@@ -63,3 +64,4 @@ resource "aws_alb_listener_rule" "front-end" {
     }
   }
 }
+/**/
diff --git a/portfolio/container-definition.json.tpl b/portfolio/container-definition.json.tpl
@@ -1,7 +1,7 @@
 {
 	"name": "${CONTAINER}",
 	"essential": true,
-	"memory": 384,
+	"memory": 512,
 	"cpu": 256,
 	"image": "${IMAGE}:${TAG}",
 	"environment": ${ENVIRONMENT},

diff --git a/portfolio/main.tf b/portfolio/main.tf
@@ -7,7 +7,6 @@ resource "aws_cloudwatch_log_group" "portfolio" {
   retention_in_days = 1
 }
 
-
 /**
 resource "aws_ecs_service" "website" {
   name    = "${var.prefix}-website"
@@ -51,7 +50,6 @@ resource "aws_ecs_service" "website" {
   }
 
   network_configuration {
-    # assign_public_ip = true
     subnets          = var.subnets
 
     security_groups = [

diff --git a/portfolio/roles.tf b/portfolio/roles.tf
@@ -19,6 +19,30 @@ resource "aws_iam_role_policy_attachment" "task-runner-policy" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+data "aws_iam_policy_document" "control-channel" {
+	statement {
+		effect = "Allow"
+		actions = [
+			"ssmmessages:CreateControlChannel",
+			"ssmmessages:CreateDataChannel",
+			"ssmmessages:OpenControlChannel",
+			"ssmmessages:OpenDataChannel",
+		]
+		resources = ["*"]
+	}
+}
+
+resource "aws_iam_policy" "data-control-channel" {
+	name        = "control-channel"
+	description = "Policy to allow control a task container"
+	policy      = data.aws_iam_policy_document.control-channel.json
+}
+
+resource "aws_iam_role_policy_attachment" "data-control-channel" {
+  role       = aws_iam_role.task-runner.name
+  policy_arn = aws_iam_policy.data-control-channel.arn
+}
+
 resource "aws_iam_role" "task-command-executor" {
   name               = "${var.prefix}-task-command-executor"
   assume_role_policy = data.aws_iam_policy_document.command-executor.json
@@ -65,3 +89,25 @@ resource "aws_iam_role_policy_attachment" "task-executor-access-to-secrets" {
   role       = aws_iam_role.task-runner.name
   policy_arn = aws_iam_policy.secrets-access.arn
 }
+
+data "aws_iam_policy_document" "ecs-worker" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "ecs-worker" {
+  name_prefix        = "ecs-worker-"
+  assume_role_policy = data.aws_iam_policy_document.ecs-worker.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs-worker-policy" {
+  role       = aws_iam_role.ecs-worker.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+}
diff --git a/portfolio/security.tf b/portfolio/security.tf
@@ -35,14 +35,22 @@ resource "aws_security_group" "database-connection" {
   }
 }
 
-resource "aws_security_group" "node-output" {
-  name_prefix = "node-ouput-"
+resource "aws_security_group" "worker-task-connection" {
+  name_prefix = "worker-task-"
+  description = "Allow all traffic within the VPC"
   vpc_id      = var.network.id
 
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [var.network.cidr_block]
+  }
+
   egress {
     from_port   = 0
-    to_port     = 65535
-    protocol    = "tcp"
+    to_port     = 0
+    protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
diff --git a/portfolio/task.tf b/portfolio/task.tf
@@ -116,12 +116,12 @@ data "template_file" "task-definition" {
 }
 
 resource "aws_ecs_task_definition" "website-run" {
-  family                   = var.name    # Naming our task
+  family                   = var.name     # Naming our task
   container_definitions    = data.template_file.task-definition.rendered
-  requires_compatibilities = ["EC2"]     # Stating that we are using EC2 Instances as ECS Nodes
-  network_mode             = "awsvpc"    # Using awsvpc as our network mode as this is required for Fargate
-  memory                   = 768         # Specifying the memory our swarm requires
-  cpu                      = 512         # Specifying the CPU our swarm requires
+  requires_compatibilities = ["EC2"]      # Stating that we are using EC2 Instances as ECS Nodes
+  network_mode             = "awsvpc"     # Using awsvpc as our network mode as this is required for Fargate
+  memory                   = 1024         # Specifying the memory our swarm requires
+  cpu                      = 512          # Specifying the CPU our swarm requires
   execution_role_arn       = aws_iam_role.task-runner.arn
   task_role_arn            = aws_iam_role.task-command-executor.arn
 }
diff --git a/portfolio/ecs-nodes.tf → portfolio/workers.tf b/portfolio/ecs-nodes.tf → portfolio/workers.tf
@@ -1,45 +1,26 @@
-data "aws_iam_policy_document" "ecs_node_policy" {
-  statement {
-    actions = ["sts:AssumeRole"]
-    effect  = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "ecs-node" {
-  name_prefix        = "demo-ecs-node-role"
-  assume_role_policy = data.aws_iam_policy_document.ecs_node_policy.json
-}
-
-resource "aws_iam_role_policy_attachment" "ecs-node-role-policy" {
-  role       = aws_iam_role.ecs-node.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
-}
-
-resource "aws_iam_instance_profile" "ecs-node" {
-  name_prefix = "ecs-node"
+resource "aws_iam_instance_profile" "ecs-worker" {
+  name_prefix = "ecs-worker"
   path        = "/ecs/instance/"
-  role        = aws_iam_role.ecs-node.name
+  role        = aws_iam_role.ecs-worker.name
 }
 
-# --- ECS Launch Template ---
-/**
 data "aws_ssm_parameter" "ecs-image" {
   name = "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
 }
 
+/**
 resource "aws_launch_template" "ecs-instance" {
   name_prefix            = "ecs-instance-"
   image_id               = data.aws_ssm_parameter.ecs-image.value
-  instance_type          = "t3.micro"
-  vpc_security_group_ids = [aws_security_group.node-output.id]
+  instance_type          = "t3.small"
+  vpc_security_group_ids = [var.alb-access.id]
 
   iam_instance_profile {
-    arn = aws_iam_instance_profile.ecs-node.arn
+    arn = aws_iam_instance_profile.ecs-worker.arn
+  }
+
+  metadata_options {
+    http_protocol_ipv6 = "disabled"
   }
 
   monitoring {
@@ -53,8 +34,7 @@ resource "aws_launch_template" "ecs-instance" {
   )
 }
 
-# --- ECS ASG ---
-
+/**
 resource "aws_autoscaling_group" "cluster" {
   name_prefix               = "${var.name}-"
   vpc_zone_identifier       = var.subnets
@@ -82,8 +62,6 @@ resource "aws_autoscaling_group" "cluster" {
   }
 }
 
-# --- ECS Capacity Provider ---
-
 resource "aws_ecs_capacity_provider" "portfolio" {
   name = var.name