diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -43,6 +43,7 @@
   })
 
   managed_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
     "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
     # Let ECS write logs to CloudWatch
     "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
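Review bot: The added `AmazonSSMReadOnlyAccess` entry in `managed_policy_arns` grants `ssm:Describe*`, `ssm:Get*` and `ssm:List*` on every resource in the account, so any task using this role can read all Parameter Store values, not only the ones these services need. The role definition starts and ends outside the hunk, but the neighbouring `AmazonECSTaskExecutionRolePolicy` suggests it is the shared ECS execution role, which would make the grant apply to every service. I would drop the managed policy and attach a scoped statement instead, along the lines of `Action = ["ssm:GetParameters"]` with `Resource = "arn:aws:ssm:<region>:<account-id>:parameter/<service-prefix>/*"` (placeholders, to be filled with the real parameter paths). If the broad grant is deliberate, a comment like the one on the CloudWatch entry should say which parameters are read and why.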
diff --git a/services/terraform/remote/service_blob.tf b/services/terraform/remote/service_blob.tf
--- a/services/terraform/remote/service_blob.tf
+++ b/services/terraform/remote/service_blob.tf
@@ -1,8 +1,19 @@
 locals {
-  blob_service_image_tag           = local.is_staging ? "latest" : "0.2.0"
-  blob_service_container_name      = "blob-service-server"
-  blob_service_server_image        = "commapp/blob-server:${local.blob_service_image_tag}"
+  blob_service_image_tag      = local.is_staging ? "latest" : "0.2.0"
+  blob_service_container_name = "blob-service-server"
+  blob_service_server_image   = "commapp/blob-server:${local.blob_service_image_tag}"
+
+  # HTTP port & configuration for ECS Service Connect
   blob_service_container_http_port = 50053
+  blob_sc_port_name                = "blob-service-ecs-http"
+  blob_sc_dns_name                 = "blob-service"
+
+  # URL accessible by other services in the same Service Connect namespace
+  # This renders to 'http://blob-service:50053'
+  blob_local_url = "http://${local.blob_sc_dns_name}:${local.blob_service_container_http_port}"
+
+  blob_service_container_grpc_port = 50051
+  blob_service_grpc_public_port    = 50053
   blob_service_domain_name         = "blob.${local.root_domain}"
   blob_service_s3_bucket           = "commapp-blob${local.s3_bucket_name_suffix}"
 }
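Review bot: `blob_local_url` is published as plain `http://`, and the `service_connect_configuration` added further down in this file has no `tls` block, so calls between tasks over Service Connect appear to travel unencrypted inside the VPC. The same applies to `identity_local_endpoint` in service_identity.tf, which carries identity gRPC traffic. If encryption in transit is expected for these paths, configure Service Connect TLS on the `service` block; the URL scheme here can stay as it is, because the proxies handle the encryption. Separately, `blob_service_grpc_public_port = 50053` has the same value as `blob_service_container_http_port` while the gRPC container port is 50051; a comment such as `# Public SSL listener port; intentionally equal to the HTTP container port` would make clear this is not a copy-paste slip.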
@@ -16,7 +27,7 @@
       essential = true
       portMappings = [
         {
-          name          = "blob-service-ecs-http"
+          name          = local.blob_sc_port_name
           containerPort = local.blob_service_container_http_port
           protocol      = "tcp"
           appProtocol   = "http"
@@ -69,6 +80,19 @@
     ignore_changes = [desired_count]
   }
 
+  # Expose Blob service to other services in the cluster
+  service_connect_configuration {
+    enabled = true
+    service {
+      discovery_name = local.blob_sc_dns_name
+      port_name      = local.blob_sc_port_name
+      client_alias {
+        port     = local.blob_service_container_http_port
+        dns_name = local.blob_sc_dns_name
+      }
+    }
+  }
+
   # HTTP
   load_balancer {
     target_group_arn = aws_lb_target_group.blob_service_http.arn
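Review bot: This `service_connect_configuration` block opens a second route to the Blob service that bypasses the load balancer, and nothing visible here limits which tasks may use it. No `namespace` is set, so the service presumably joins the cluster's default Service Connect namespace, where every other member can resolve `blob-service:50053`. The identity block in service_identity.tf has the same shape and exposes `identity-service:50054`. Both services should authenticate callers on this internal path rather than rely on network position, and the task security groups should allow these ports only from the intended client services. The enclosing `aws_ecs_service` resource starts and ends outside the hunk, so its security groups are not visible; at minimum the comment could name the expected callers, e.g. `# Expose Blob service to <caller services> via Service Connect`.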
diff --git a/services/terraform/remote/service_identity.tf b/services/terraform/remote/service_identity.tf
--- a/services/terraform/remote/service_identity.tf
+++ b/services/terraform/remote/service_identity.tf
@@ -5,6 +5,13 @@
 
   # Port that the container is listening on
   identity_service_container_grpc_port = 50054
+  identity_sc_port_name                = "identity-service-ecs-grpc"
+  identity_sc_dns_name                 = "identity-service"
+
+  # Endpoint name accessible by other services in the same Service Connect namespace
+  # This renders to e.g. 'identity-service:50054'
+  identity_local_endpoint = "${local.identity_sc_dns_name}:${local.identity_service_container_grpc_port}"
+
   # Port that is exposed to the public SSL endpoint (appended to domain name)
   identity_service_grpc_public_port = 50054
   identity_service_domain_name      = "identity.${local.root_domain}"
@@ -25,7 +32,7 @@
       essential = true
       portMappings = [
         {
-          name          = "identity-service-ecs-grpc"
+          name          = local.identity_sc_port_name
           containerPort = local.identity_service_container_grpc_port
           protocol      = "tcp"
           appProtocol   = "grpc"
@@ -87,6 +94,19 @@
     ignore_changes = [desired_count]
   }
 
+  # Expose Identity service to other services in the cluster
+  service_connect_configuration {
+    enabled = true
+    service {
+      discovery_name = local.identity_sc_dns_name
+      port_name      = local.identity_sc_port_name
+      client_alias {
+        port     = local.identity_service_container_grpc_port
+        dns_name = local.identity_sc_dns_name
+      }
+    }
+  }
+
   load_balancer {
     target_group_arn = aws_lb_target_group.identity_service_grpc.arn
     container_name   = local.identity_service_container_name