diff --git a/services/terraform/remote/service_backup.tf b/services/terraform/remote/service_backup.tf
--- a/services/terraform/remote/service_backup.tf
+++ b/services/terraform/remote/service_backup.tf
@@ -17,108 +17,7 @@
 backup_fargate_url = "http://${local.backup_sc_dns_name}-fargate:${local.backup_service_container_http_port}"
 }
-resource "aws_ecs_task_definition" "backup_service" {
- family = "backup-service-task-def"
- container_definitions = jsonencode([
- {
- name = local.backup_service_container_name
- image = local.backup_service_server_image
- essential = true
- portMappings = [
- {
- name = local.backup_sc_port_name
- containerPort = local.backup_service_container_http_port
- protocol = "tcp"
- appProtocol = "http"
- },
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,backup=debug,comm_lib=debug" : "info"
- },
- {
- name = "BLOB_SERVICE_URL",
- value = local.blob_local_url
- # If this ever fails, we can fallback to blob public URL:
- # "https://${local.blob_service_domain_name}"
- },
- {
- name = "IDENTITY_SERVICE_ENDPOINT",
- value = local.identity_local_url
- },
- {
- name = "COMM_SERVICES_DISABLE_CSAT_VERIFICATION",
- value = local.is_staging ? "false" : "true"
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/backup-service-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- }
- ])
- task_role_arn = aws_iam_role.backup_service.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "1024"
- memory = "4096"
- requires_compatibilities = ["EC2"]
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = false
-}
-
-resource "aws_ecs_service" "backup_service" {
- name = "backup-service"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.backup_service.arn
- force_new_deployment = true
-
- desired_count = 0
- lifecycle {
- ignore_changes = [desired_count]
- }
-
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.backup_sc_dns_name
- port_name = local.backup_sc_port_name
- client_alias {
- port = local.backup_service_container_http_port
- dns_name = local.backup_sc_dns_name
- }
- }
- }
-
- # HTTP
- load_balancer {
- target_group_arn = aws_lb_target_group.backup_service_http.arn
- container_name = local.backup_service_container_name
- container_port = local.backup_service_container_http_port
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-
- enable_execute_command = true
- enable_ecs_managed_tags = true
-}
 # Security group to configure access to the service
 resource "aws_security_group" "backup_service" {
@@ -146,24 +45,6 @@
 }
 }
-resource "aws_lb_target_group" "backup_service_http" {
- name = "backup-service-ecs-http-tg"
- port = local.backup_service_container_http_port
- protocol = "HTTP"
- vpc_id = aws_vpc.default.id
-
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
-
- protocol = "HTTP"
- path = "/health"
- matcher = "200-204"
- }
-}
 # Load Balancer
 resource "aws_lb" "backup_service" {
diff --git a/services/terraform/remote/service_blob.tf b/services/terraform/remote/service_blob.tf
--- a/services/terraform/remote/service_blob.tf
+++ b/services/terraform/remote/service_blob.tf
@@ -21,105 +21,7 @@
 blob_service_s3_bucket = "commapp-blob${local.s3_bucket_name_suffix}"
 }
-resource "aws_ecs_task_definition" "blob_service" {
- family = "blob-service-task-def"
- container_definitions = jsonencode([
- {
- name = local.blob_service_container_name
- image = local.blob_service_server_image
- essential = true
- portMappings = [
- {
- name = local.blob_sc_port_name
- containerPort = local.blob_service_container_http_port
- protocol = "tcp"
- appProtocol = "http"
- }
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,blob=debug,comm_lib=debug" : "info"
- },
- {
- name = "BLOB_S3_BUCKET_NAME",
- value = local.blob_service_s3_bucket
- },
- {
- name = "IDENTITY_SERVICE_ENDPOINT",
- value = local.identity_local_url
- },
- {
- name = "COMM_SERVICES_DISABLE_CSAT_VERIFICATION",
- value = local.is_staging ? "false" : "true"
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/blob-service-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- }
- ])
- task_role_arn = aws_iam_role.services_ddb_full_access.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "512"
- memory = local.is_staging ? "512" : "2048"
- requires_compatibilities = ["EC2"]
-
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = false
-}
-
-resource "aws_ecs_service" "blob_service" {
- name = "blob-service"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.blob_service.arn
- force_new_deployment = true
-
- desired_count = 0
-
- lifecycle {
- ignore_changes = [desired_count]
- }
-
- # Expose Blob service to other services in the cluster
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.blob_sc_dns_name
- port_name = local.blob_sc_port_name
- client_alias {
- port = local.blob_service_container_http_port
- dns_name = local.blob_sc_dns_name
- }
- }
- }
- # HTTP
- load_balancer {
- target_group_arn = aws_lb_target_group.blob_service_http.arn
- container_name = local.blob_service_container_name
- container_port = local.blob_service_container_http_port
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-}
 # Security group to configure access to the service
 resource "aws_security_group" "blob_service" {
@@ -147,25 +49,6 @@
 }
 }
-resource "aws_lb_target_group" "blob_service_http" {
- name = "blob-service-ecs-http-tg"
- port = local.blob_service_container_http_port
- protocol = "HTTP"
- vpc_id = aws_vpc.default.id
-
- # ECS Fargate requires target type set to IP
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
-
- protocol = "HTTP"
- path = "/health"
- matcher = "200-499"
- }
-}
 # Load Balancer
 resource "aws_lb" "blob_service" {
diff --git a/services/terraform/remote/service_identity.tf b/services/terraform/remote/service_identity.tf
--- a/services/terraform/remote/service_identity.tf
+++ b/services/terraform/remote/service_identity.tf
@@ -47,141 +47,7 @@
 name = local.opaque_server_setup_secret_name
 }
-resource "aws_ecs_task_definition" "identity_service" {
- family = "identity-service-task-def"
- container_definitions = jsonencode([
- {
- name = local.identity_service_container_name
- image = local.identity_service_server_image
- essential = true
- portMappings = [
- {
- name = local.identity_sc_port_name
- containerPort = local.identity_service_container_grpc_port
- protocol = "tcp"
- appProtocol = "grpc"
- },
- {
- name = local.identity_sc_ws_port_name
- containerPort = local.identity_service_container_ws_port
- protocol = "tcp"
- appProtocol = "http"
- }
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,identity=debug,comm_lib=debug" : "info"
- },
- {
- name = "KEYSERVER_PUBLIC_KEY"
- value = nonsensitive(local.secrets["keyserverPublicKey"])
- },
- {
- name = "TUNNELBROKER_GRPC_ENDPOINT"
- value = local.tunnelbroker_local_grpc_url
- },
- {
- name = "BACKUP_SERVICE_URL",
- value = local.backup_local_url
- },
- {
- name = "BLOB_SERVICE_URL",
- value = local.blob_local_url
- },
- {
- name = "OPENSEARCH_ENDPOINT"
- value = module.shared.opensearch_domain_identity.endpoint
- },
- {
- name = "ALLOW_ORIGIN_LIST"
- value = local.is_staging ? local.staging_allow_origin_list : local.production_allow_origin_list
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- },
- {
- name = "REDACT_SENSITIVE_DATA",
- value = local.is_staging ? "false" : "true"
- }
- ]
- secrets = [
- {
- # This is exposed as an environment variable in the container
- name = "OPAQUE_SERVER_SETUP"
- valueFrom = data.aws_secretsmanager_secret.identity_server_setup.arn
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/identity-service-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- linuxParameters = {
- initProcessEnabled = true
- }
- }
- ])
- task_role_arn = aws_iam_role.services_ddb_full_access.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "512"
- memory = "2048"
- requires_compatibilities = ["EC2"]
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = false
-}
-
-resource "aws_ecs_service" "identity_service" {
- name = "identity-service"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.identity_service.arn
- force_new_deployment = true
-
- desired_count = 0
-
- # Expose Identity service to other services in the cluster
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.identity_sc_dns_name
- port_name = local.identity_sc_port_name
- client_alias {
- port = local.identity_service_container_grpc_port
- dns_name = local.identity_sc_dns_name
- }
- }
- }
-
- load_balancer {
- target_group_arn = aws_lb_target_group.identity_service_ws.arn
- container_name = local.identity_service_container_name
- container_port = local.identity_service_container_ws_port
- }
-
- load_balancer {
- target_group_arn = aws_lb_target_group.identity_service_grpc.arn
- container_name = local.identity_service_container_name
- container_port = local.identity_service_container_grpc_port
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-
- enable_execute_command = true
- enable_ecs_managed_tags = true
-}
 # Security group to configure access to the service
 resource "aws_security_group" "identity_service" {
@@ -217,48 +83,7 @@
 }
 }
-resource "aws_lb_target_group" "identity_service_grpc" {
- name = "identity-service-ecs-grpc-tg"
- port = local.identity_service_container_grpc_port
- protocol = "HTTP"
- protocol_version = "HTTP2"
- vpc_id = aws_vpc.default.id
-
- # The "bridge" network mode requires target type set to instance
- target_type = "instance"
-
- stickiness {
- type = "lb_cookie"
- cookie_duration = 10 # Duration in seconds
- enabled = true
- }
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
- }
-}
-
-resource "aws_lb_target_group" "identity_service_ws" {
- name = "identity-service-ecs-ws-tg"
- port = local.identity_service_container_ws_port
- protocol = "HTTP"
- protocol_version = "HTTP1"
- vpc_id = aws_vpc.default.id
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
- protocol = "HTTP"
- path = "/health"
- matcher = "200"
-
- }
-}
 # Load Balancer
 resource "aws_lb" "identity_service" {
diff --git a/services/terraform/remote/service_tunnelbroker.tf b/services/terraform/remote/service_tunnelbroker.tf
--- a/services/terraform/remote/service_tunnelbroker.tf
+++ b/services/terraform/remote/service_tunnelbroker.tf
@@ -67,154 +67,7 @@
 amqp_endpoint = aws_mq_broker.tunnelbroker_rabbitmq.instances[0].endpoints[0]
 }
-# Task definition - defines container resources, ports,
-# environment variables, docker image etc.
-resource "aws_ecs_task_definition" "tunnelbroker" {
- family = "tunnelbroker-task-def"
- container_definitions = jsonencode([
- {
- name = local.tunnelbroker_config.container_name
- image = local.tunnelbroker_docker_image
- essential = true
- portMappings = [
- {
- name = "tunnelbroker_ws"
- containerPort = local.tunnelbroker_config.websocket_port
- protocol = "tcp"
- appProtocol = "http"
- },
- {
- name = local.tunnelbroker_config.grpc_port_name
- containerPort = local.tunnelbroker_config.grpc_port
- protocol = "tcp"
- appProtocol = "grpc"
- }
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,tunnelbroker=debug,comm_lib=debug" : "info"
- },
- {
- name = "AMQP_URI",
- value = local.amqp_endpoint
- },
- {
- name = "AMQP_USERNAME"
- value = "comm"
- },
- {
- name = "AMQP_PASSWORD"
- value = nonsensitive(local.rabbitmq_password)
- },
- {
- name = "COMM_TUNNELBROKER_IDENTITY_ENDPOINT",
- value = local.identity_local_url
- },
- {
- name = "BLOB_SERVICE_URL",
- value = local.blob_local_url
- },
- {
- name = "BLOB_SERVICE_PUBLIC_URL",
- value = "https://${local.blob_service_domain_name}"
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- },
- {
- name = "REDACT_SENSITIVE_DATA",
- value = local.is_staging ? "false" : "true"
- }
- ]
- secrets = [
- {
- name = "APNS_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_apns.arn
- },
- {
- name = "FCM_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_fcm.arn
- },
- {
- name = "WEB_PUSH_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_web_push.arn
- },
- {
- name = "WNS_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_wns.arn
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/tunnelbroker-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- }
- ])
- task_role_arn = aws_iam_role.services_ddb_full_access.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "256"
- memory = local.is_staging ? "256" : "1024"
- requires_compatibilities = ["EC2"]
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = true
-}
-
-# ECS Service - defines task scaling, load balancer connection,
-# network configuration etc.
-resource "aws_ecs_service" "tunnelbroker" {
- name = "tunnelbroker"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.tunnelbroker.arn
- force_new_deployment = true
-
- desired_count = 0
-
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.tunnelbroker_config.local_dns_name
- port_name = local.tunnelbroker_config.grpc_port_name
- client_alias {
- port = local.tunnelbroker_config.grpc_port
- dns_name = local.tunnelbroker_config.local_dns_name
- }
- }
- }
-
- # Websocket
- load_balancer {
- target_group_arn = aws_lb_target_group.tunnelbroker_ws.arn
- container_name = local.tunnelbroker_config.container_name
- container_port = local.tunnelbroker_config.websocket_port
- }
-
- # gRPC
- dynamic "load_balancer" {
- for_each = aws_lb_listener.tunnelbroker_grpc
- content {
- target_group_arn = aws_lb_target_group.tunnelbroker_grpc.arn
- container_name = local.tunnelbroker_config.container_name
- container_port = local.tunnelbroker_config.grpc_port
- }
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-}
 # Security group to configure access to the service
 resource "aws_security_group" "tunnelbroker" {
@@ -252,52 +105,7 @@
 }
 }
-# Running service instances are registered here
-# to be accessed by the load balancer
-resource "aws_lb_target_group" "tunnelbroker_ws" {
- name = "tunnelbroker-ws-tg"
- port = local.tunnelbroker_config.websocket_port
- protocol = "HTTP"
- protocol_version = "HTTP1"
- vpc_id = aws_vpc.default.id
- target_type = "instance"
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
-
- protocol = "HTTP"
- path = "/health"
- matcher = "200"
-
- }
-}
-
-/* This is generally a dead (empty) resource on prod, i.e. it should not have
- * any targets registered. We have gRPC listener resource disabled on prod,
- * which results in the following exception if any targets are registered here:
- * "The target group "tunnelbroker-grpc-tg" does not have
- * an associated load balancer."
- *
- * See also `aws_lb_listener.tunnelbroker_grpc` and the "dynamic" block in
- * `aws_ecs_service.tunnelbroker` on how this is disabled.
- * The `count` or `for_each` isn't added here to avoid complicating things more.
- */
-resource "aws_lb_target_group" "tunnelbroker_grpc" {
- name = "tunnelbroker-grpc-tg"
- port = local.tunnelbroker_config.grpc_port
- protocol = "HTTP"
- protocol_version = "GRPC"
- vpc_id = aws_vpc.default.id
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
- }
-}
 # Load Balancer
 resource "aws_lb" "tunnelbroker" {