diff --git a/keyserver/src/user/checks.js b/keyserver/src/user/checks.js
--- a/keyserver/src/user/checks.js
+++ b/keyserver/src/user/checks.js
@@ -1,6 +1,9 @@
 // @flow
 import { getCommConfig } from 'lib/utils/comm-config.js';
+
+// changes here should be reflected for keyserver_user_credentials in
+// services/terraform/self-host/variables.tf
 export type UserCredentials = {
 +username: string,
 +password: string,
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
@@ -5,6 +5,13 @@
 vpc_id = local.vpc_id
 # Inbound rules
+ ingress {
+ from_port = 3307
+ to_port = 3307
+ protocol = "tcp"
+ security_groups = [aws_security_group.keyserver_service.id]
+ }
+
 ingress {
 from_port = 3307
 to_port = 3307
diff --git a/services/terraform/self-host/aws_ecs.tf b/services/terraform/self-host/aws_ecs.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/aws_ecs.tf
@@ -0,0 +1,27 @@
+resource "aws_ecs_cluster" "keyserver_cluster" {
+ name = "keyserver-cluster"
+
+ configuration {
+ execute_command_configuration {
+ logging = "DEFAULT"
+ }
+ }
+
+ service_connect_defaults {
+ namespace = aws_service_discovery_http_namespace.keyserver_cluster.arn
+ }
+}
+
+# Namespace for services to be able to communicate with each other
+# by their hostnames. Similar to docker compose network.
+resource "aws_service_discovery_http_namespace" "keyserver_cluster" {
+ name = "keyserver-cluster-http-namespace"
+ tags = {
+ "AmazonECSManaged" = "true"
+ }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "keyserver_cluster" {
+ cluster_name = aws_ecs_cluster.keyserver_cluster.name
+ capacity_providers = ["FARGATE"]
+}
diff --git a/services/terraform/self-host/aws_iam.tf b/services/terraform/self-host/aws_iam.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/aws_iam.tf
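Review bot: The added `ingress` block in aws_db.tf carries no `description`, so the two port-3307 rules in this security group become indistinguishable in the console and in audit output; add `description = "MySQL from keyserver ECS service"` (or similar) to the new block. The pre-existing 3307 rule that follows it is only partly visible here: if its source is a CIDR range rather than a security group, the new SG-scoped rule does not narrow database exposure until the broader rule is removed, so the commit should say which of the two is meant to remain. The enclosing `aws_security_group` resource starts and ends outside the hunk.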
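Review bot: `execute_command_configuration` in aws_ecs.tf turns on ECS Exec for the cluster with `logging = "DEFAULT"`, which records shell sessions only through whatever log driver each task happens to configure and uses no customer-managed key for the session channel; since this is the interactive path into the keyserver containers, its audit trail should not depend on per-task logging. Set `logging = "OVERRIDE"` with a `log_configuration` block pointing at a dedicated CloudWatch log group with `cloud_watch_encryption_enabled = true`, and set `kms_key_id`, so every exec session is logged and encrypted independently of the task definition. The key and log group referenced below are placeholders for resources this module would need to declare.
```hcl
resource "aws_ecs_cluster" "keyserver_cluster" {
  name = "keyserver-cluster"

  configuration {
    execute_command_configuration {
      # placeholder: a customer-managed key declared elsewhere in this module
      kms_key_id = aws_kms_key.ECS_EXEC_KEY_PLACEHOLDER.arn
      logging    = "OVERRIDE"

      log_configuration {
        cloud_watch_encryption_enabled = true
        # placeholder: a dedicated log group declared elsewhere in this module
        cloud_watch_log_group_name     = aws_cloudwatch_log_group.ECS_EXEC_LOG_GROUP_PLACEHOLDER.name
      }
    }
  }

  # … unchanged: service_connect_defaults …
}
```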
@@ -0,0 +1,85 @@
+resource "aws_iam_role" "ecs_task_role" {
+ name = "ecs-iam_role"
+ description = "Allows to SSH into ECS containers"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+ managed_policy_arns = [
+ aws_iam_policy.allow_ecs_exec.arn,
+ ]
+}
+
+data "aws_iam_policy_document" "assume_role_ecs_ec2" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole",
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com",
+ "ecs-tasks.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_policy" "allow_ecs_exec" {
+ name = "allow-ecs-exec"
+ description = "Adds SSM permissions to enable ECS Exec"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ]
+ Resource = "*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role" "fargate_execution_role" {
+ assume_role_policy = <