diff --git a/services/terraform/remote/task_sync_identity_search.tf b/services/terraform/remote/task_sync_identity_search.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/task_sync_identity_search.tf
@@ -0,0 +1,123 @@
+locals {
+ # Run every day at midnight UTC
+ sync_identity_search_enabled = true
+ sync_identity_search_schedule = "cron(0 0 * * ? *)"
+}
+
+resource "aws_ecs_task_definition" "sync_identity_search" {
+ family = "sync-identity-search-task-def"
+ container_definitions = jsonencode([
+ {
+ essential = true
+ name = local.identity_service_container_name
+ image = local.identity_service_server_image
+ command = ["identity", "sync-identity-search"]
+ environment = [
+ {
+ name = "RUST_LOG"
+ value = local.is_staging ? "info,identity=trace,comm_lib=debug" : "info"
+ },
+ {
+ name = "OPENSEARCH_ENDPOINT"
+ value = "${module.shared.opensearch_domain_identity.endpoint}"
+ }
+ ]
+ secrets = [
+ {
+ # This is exposed as an environment variable in the container
+ name = "OPAQUE_SERVER_SETUP"
+ valueFrom = data.aws_secretsmanager_secret.identity_server_setup.arn
+ }
+ ]
+ logConfiguration = {
+ "logDriver" = "awslogs"
+ "options" = {
+ "awslogs-create-group" = "true"
+ "awslogs-group" = "/ecs/sync-identity-search"
+ "awslogs-region" = "us-east-2"
+ "awslogs-stream-prefix" = "ecs"
+ }
+ }
+ }
+ ])
+ task_role_arn = aws_iam_role.services_ddb_full_access.arn
+ execution_role_arn = aws_iam_role.ecs_task_execution.arn
+ network_mode = "awsvpc"
+ cpu = "256"
+ memory = "512"
+ requires_compatibilities = ["FARGATE"]
+ skip_destroy = false
+}
+
+resource "aws_scheduler_schedule" "sync_identity_search" {
+ name = "sync-identity-search-schedule"
+ group_name = "default"
+
+ schedule_expression = local.sync_identity_search_schedule
+ state = local.sync_identity_search_enabled ? "ENABLED" : "DISABLED"
+
+ # Task can run within 15 minutes window of the scheduled time
+ flexible_time_window {
+ mode = "FLEXIBLE"
+ maximum_window_in_minutes = 15
+ }
+
+ target {
+ arn = aws_ecs_cluster.comm_services.arn
+ role_arn = aws_iam_role.task_scheduler.arn
+
+ ecs_parameters {
+ task_definition_arn = aws_ecs_task_definition.sync_identity_search.arn_without_revision
+ launch_type = "FARGATE"
+
+ network_configuration {
+ assign_public_ip = true
+ security_groups = [aws_security_group.identity_service.id]
+ subnets = [
+ aws_subnet.public_a.id,
+ aws_subnet.public_b.id,
+ aws_subnet.public_c.id,
+ ]
+ }
+ }
+
+ retry_policy {
+ maximum_event_age_in_seconds = 300
+ maximum_retry_attempts = 5
+ }
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "sync_identity_search_scheduler" {
+ policy_arn = aws_iam_policy.sync_identity_search_scheduler.arn
+ role = aws_iam_role.task_scheduler.name
+}
+
+resource "aws_iam_policy" "sync_identity_search_scheduler" {
+ name = "cron-sync-identity-search-scheduler-policy"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ # Allow scheduler to execute the task
+ {
+
+ Effect = "Allow",
+ Action = [
+ "ecs:RunTask"
+ ]
+ Resource = aws_ecs_task_definition.sync_identity_search.arn_without_revision
+ },
+ # Allow scheduler to set the IAM roles of the ECS task
+ {
+ Effect = "Allow",
+ Action = [
+ "iam:PassRole"
+ ]
+ Resource = [
+ aws_ecs_task_definition.sync_identity_search.execution_role_arn,
+ aws_ecs_task_definition.sync_identity_search.task_role_arn
+ ]
+ },
+ ]
+ })
+}
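Review bot: The task definition in this hunk attaches `aws_iam_role.services_ddb_full_access` as the task role of a job that, judging from its `command` and the `OPENSEARCH_ENDPOINT` variable, only needs to read identity data and write to one OpenSearch domain; that role's policy is outside the hunk, but its name suggests full access to every table, which is more than a sync job should hold. A dedicated role scoped to the identity tables and the OpenSearch domain would bound what a compromised or misbehaving task could do; until it exists, a `# TODO(least-privilege): replace services_ddb_full_access with a role limited to the identity tables this sync reads and the OpenSearch domain it writes` comment above `task_role_arn` records the intent. The scheduler target also sets `assign_public_ip = true` in the public subnets; the rules of `aws_security_group.identity_service` are not visible here, so exposure cannot be judged from the diff, but a batch task that only needs outbound access is usually better placed in private subnets behind NAT, or the reason for the public address documented next to the setting. Finally, the `ecs:RunTask` statement is scoped to the task definition but not to a cluster; adding `Condition = { ArnEquals = { "ecs:cluster" = aws_ecs_cluster.comm_services.arn } }` to that statement pins the scheduler role to the intended cluster.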