diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -1,10 +1,10 @@
 locals {
 keyserver_service_image_tag = "1.0"
 keyserver_service_server_image = "wyilio/keyserver:${local.keyserver_service_image_tag}"
- keyserver_service_container_name = "keyserver-primary"
+ keyserver_primary_container_name = "keyserver-primary"
 }
 
-resource "aws_cloudwatch_log_group" "ecs_log_group" {
+resource "aws_cloudwatch_log_group" "keyserver_primary_service" {
 name = "/ecs/keyserver-primary-task-def"
 retention_in_days = 7
 }
@@ -13,7 +13,7 @@
 value = aws_db_instance.mariadb.address
 }
 
-resource "aws_ecs_task_definition" "keyserver_service" {
+resource "aws_ecs_task_definition" "keyserver_primary_service" {
 network_mode = "awsvpc"
 family = "keyserver-primary-task-def"
 requires_compatibilities = ["FARGATE"]
@@ -28,7 +28,7 @@
 
 container_definitions = jsonencode([
 {
- name = local.keyserver_service_container_name
+ name = local.keyserver_primary_container_name
 image = local.keyserver_service_server_image
 essential = true
 portMappings = [
@@ -45,6 +45,10 @@
 name = "REDIS_URL"
 value = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
 },
+ {
+ name = "COMM_NODE_ROLE"
+ value = "primary"
+ },
 {
 name = "COMM_LISTEN_ADDR"
 value = "0.0.0.0"
@@ -110,7 +114,7 @@
 "logDriver" = "awslogs"
 "options" = {
 "awslogs-create-group" = "true"
- "awslogs-group" = aws_cloudwatch_log_group.ecs_log_group.name
+ "awslogs-group" = aws_cloudwatch_log_group.keyserver_primary_service.name
 "awslogs-stream-prefix" = "ecs"
 "awslogs-region" = "${var.region}"
 }
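Review bot: Renaming `aws_cloudwatch_log_group.ecs_log_group` to `keyserver_primary_service` and `aws_ecs_task_definition.keyserver_service` to `keyserver_primary_service` (hunks @@ -1,10 and @@ -13,7) changes the resource addresses without a `moved` block, so the next apply plans a destroy of the old address followed by a create of the new one. For the log group that deletes the retained log events of `/ecs/keyserver-primary-task-def` before an identically named group is recreated, an avoidable loss of audit history for the primary keyserver. Adding `moved` blocks (Terraform 1.1+) keeps the existing state objects and turns both renames into no-ops; the task definition rename is harmless on its own but gets the same treatment to avoid a spurious deregister/re-register.
```hcl
# State-only renames: keep the existing log group and task definition objects.
moved {
  from = aws_cloudwatch_log_group.ecs_log_group
  to   = aws_cloudwatch_log_group.keyserver_primary_service
}

moved {
  from = aws_ecs_task_definition.keyserver_service
  to   = aws_ecs_task_definition.keyserver_primary_service
}
```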
@@ -134,7 +138,7 @@
 
 name = "keyserver-primary-service"
 cluster = aws_ecs_cluster.keyserver_cluster.id
- task_definition = aws_ecs_task_definition.keyserver_service.arn
+ task_definition = aws_ecs_task_definition.keyserver_primary_service.arn
 launch_type = "FARGATE"
 enable_execute_command = true
 enable_ecs_managed_tags = true
@@ -152,7 +156,7 @@
 
 load_balancer {
 target_group_arn = aws_lb_target_group.keyserver_service.arn
- container_name = local.keyserver_service_container_name
+ container_name = local.keyserver_primary_container_name
 container_port = 3000
 }
 
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_secondary.tf
copy from services/terraform/self-host/keyserver_primary.tf
copy to services/terraform/self-host/keyserver_secondary.tf
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_secondary.tf
@@ -1,21 +1,17 @@
 locals {
- keyserver_service_image_tag = "1.0"
- keyserver_service_server_image = "wyilio/keyserver:${local.keyserver_service_image_tag}"
- keyserver_service_container_name = "keyserver-primary"
+ keyserver_secondary_container_name = "keyserver-secondary"
 }
 
-resource "aws_cloudwatch_log_group" "ecs_log_group" {
- name = "/ecs/keyserver-primary-task-def"
+resource "aws_cloudwatch_log_group" "keyserver_secondary_service" {
+ name = "/ecs/keyserver-secondary-task-def"
 retention_in_days = 7
 }
 
-output "mariadb_address" {
- value = aws_db_instance.mariadb.address
-}
+resource "aws_ecs_task_definition" "keyserver_secondary_service" {
+ depends_on = [aws_ecs_service.keyserver_primary_service]
 
-resource "aws_ecs_task_definition" "keyserver_service" {
 network_mode = "awsvpc"
- family = "keyserver-primary-task-def"
+ family = "keyserver-secondary-task-def"
 requires_compatibilities = ["FARGATE"]
 task_role_arn = aws_iam_role.ecs_task_role.arn
 execution_role_arn = aws_iam_role.ecs_task_execution.arn
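Review bot: The new file's locals keep only `keyserver_secondary_container_name`, yet the container still reads `local.keyserver_service_server_image` (hunk @@ -28,7 +24,7 of this file), which is now declared only in keyserver_primary.tf; Terraform resolves this because locals are module-wide, but nothing in keyserver_secondary.tf says so. A header comment such as `# Image tag/name and the LB target group are declared in keyserver_primary.tf and shared so both nodes run the same build` would make the cross-file dependency explicit. Likewise `depends_on = [aws_ecs_service.keyserver_primary_service]` on the task definition only orders creation and is repeated on the secondary service in a later hunk; if the secondary genuinely must not start before the primary (presumably because the primary owns database setup, given the `null_resource.create_comm_database` dependency it carries), a comment stating that reason belongs next to it.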
@@ -28,7 +24,7 @@
 
 container_definitions = jsonencode([
 {
- name = local.keyserver_service_container_name
+ name = local.keyserver_secondary_container_name
 image = local.keyserver_service_server_image
 essential = true
 portMappings = [
@@ -45,6 +41,10 @@
 name = "REDIS_URL"
 value = "rediss://${aws_elasticache_serverless_cache.redis.endpoint[0].address}:6379"
 },
+ {
+ name = "COMM_NODE_ROLE"
+ value = "secondary"
+ },
 {
 name = "COMM_LISTEN_ADDR"
 value = "0.0.0.0"
@@ -77,12 +77,6 @@
 "usingIdentityCredentials" : "${var.using_identity_credentials}"
 })
 },
- {
- name = "COMM_JSONCONFIG_facts_webapp_cors"
- value = jsonencode({
- "domain" : "https://web.comm.app"
- })
- },
 {
 name = "COMM_JSONCONFIG_facts_keyserver_url"
 value = jsonencode({
@@ -93,6 +87,12 @@
 "proxy" : "none"
 })
 },
+ {
+ name = "COMM_JSONCONFIG_facts_webapp_cors"
+ value = jsonencode({
+ "domain" : "https://web.comm.app"
+ })
+ },
 {
 name = "COMM_JSONCONFIG_secrets_identity_service_config",
 value = jsonencode({
@@ -102,7 +102,7 @@
 {
 name = "COMM_JSONCONFIG_facts_authoritative_keyserver",
 value = jsonencode({
- "authoritativeKeyserverID" : "${var.authoritative_keyserver_user_id}"
+ "authoritativeKeyserverID" : "${var.authoritative_keyserver_id}"
 }),
 }
 ]
@@ -110,7 +110,7 @@
 "logDriver" = "awslogs"
 "options" = {
 "awslogs-create-group" = "true"
- "awslogs-group" = aws_cloudwatch_log_group.ecs_log_group.name
+ "awslogs-group" = aws_cloudwatch_log_group.keyserver_secondary_service.name
 "awslogs-stream-prefix" = "ecs"
 "awslogs-region" = "${var.region}"
 }
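Review bot: The secondary reads `var.authoritative_keyserver_id` for `authoritativeKeyserverID` (hunk @@ -102,7 +102,7) while the primary, per the removed line, still reads `var.authoritative_keyserver_user_id`, so the two nodes are configured from different variables for a value they must agree on. If `authoritative_keyserver_id` is the intended new name, the primary's task definition should switch to it in the same change; if it is not declared in this module, `terraform validate` will fail on this file. Whichever variable is the correct one should be referenced in both files, e.g. `"authoritativeKeyserverID" : "${var.authoritative_keyserver_id}"` in keyserver_primary.tf as well.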
@@ -129,20 +129,17 @@
 skip_destroy = false
 }
 
-resource "aws_ecs_service" "keyserver_primary_service" {
- depends_on = [null_resource.create_comm_database]
-
- name = "keyserver-primary-service"
- cluster = aws_ecs_cluster.keyserver_cluster.id
- task_definition = aws_ecs_task_definition.keyserver_service.arn
- launch_type = "FARGATE"
- enable_execute_command = true
- enable_ecs_managed_tags = true
- force_new_deployment = true
- desired_count = 1
- deployment_maximum_percent = 100
- deployment_minimum_healthy_percent = 0
+resource "aws_ecs_service" "keyserver_secondary_service" {
+ depends_on = [aws_ecs_service.keyserver_primary_service]
+ name = "keyserver-secondary-service"
+ cluster = aws_ecs_cluster.keyserver_cluster.id
+ task_definition = aws_ecs_task_definition.keyserver_secondary_service.arn
+ launch_type = "FARGATE"
+ enable_execute_command = true
+ enable_ecs_managed_tags = true
+ force_new_deployment = true
+ desired_count = 1
 
 
 network_configuration {
 subnets = local.vpc_subnets
@@ -152,7 +149,7 @@
 
 load_balancer {
 target_group_arn = aws_lb_target_group.keyserver_service.arn
- container_name = local.keyserver_service_container_name
+ container_name = local.keyserver_secondary_container_name
 container_port = 3000
 }
 
@@ -161,38 +158,3 @@
 rollback = true
 }
 }
-
-resource "aws_security_group" "keyserver_service" {
- name = "keyserver-service-ecs-sg"
- vpc_id = local.vpc_id
-
- # Allow all inbound traffic on port 3000
- ingress {
- from_port = 3000
- to_port = 3000
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- description = "Allow inbound traffic from any IPv6 address"
- from_port = 3000
- to_port = 3000
- protocol = "tcp"
- ipv6_cidr_blocks = ["::/0"]
- }
-
- # Allow all outbound traffic
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-
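Review bot: The secondary service registers its container in the same target group as the primary (`target_group_arn = aws_lb_target_group.keyserver_service.arn`, hunk @@ -152,7 +149,7), so the load balancer will spread requests over both nodes irrespective of the `COMM_NODE_ROLE` value each one receives. If only the primary is meant to handle some class of requests, that has to be enforced with a separate target group or listener rule rather than by the environment variable alone; if both may serve all traffic, a comment saying so next to the `load_balancer` block would save the next reader the question. Dropping `deployment_maximum_percent = 100` and `deployment_minimum_healthy_percent = 0` from the copy means a forced deployment can briefly run two secondary tasks, which is fine only if the secondary is safe to run alongside a second instance of itself. `enable_execute_command = true` is carried over from the primary; it enables ECS Exec shell access into the task for any principal allowed `ecs:ExecuteCommand` on this cluster, so it is worth keeping only deliberately, or gating it behind a variable that defaults to false.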