diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -43,6 +43,7 @@
 })
 managed_policy_arns = [
+ "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
 "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
 # Let ECS write logs to CloudWatch
 "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
diff --git a/services/terraform/remote/service_blob.tf b/services/terraform/remote/service_blob.tf
--- a/services/terraform/remote/service_blob.tf
+++ b/services/terraform/remote/service_blob.tf
@@ -1,8 +1,19 @@
 locals {
- blob_service_image_tag = local.is_staging ? "latest" : "0.2.0"
- blob_service_container_name = "blob-service-server"
- blob_service_server_image = "commapp/blob-server:${local.blob_service_image_tag}"
+ blob_service_image_tag = local.is_staging ? "latest" : "0.2.0"
+ blob_service_container_name = "blob-service-server"
+ blob_service_server_image = "commapp/blob-server:${local.blob_service_image_tag}"
+
+ # HTTP port & configuration for ECS Service Connect
 blob_service_container_http_port = 50053
+ blob_sc_port_name = "blob-service-ecs-http"
+ blob_sc_dns_name = "blob-service"
+
+ # URL accessible by other services in the same Service Connect namespace
+ # This renders to 'http://blob-service:50053'
+ blob_local_url = "http://${local.blob_sc_dns_name}:${local.blob_service_container_http_port}"
+
+ blob_service_container_grpc_port = 50051
+ blob_service_grpc_public_port = 50053
 blob_service_domain_name = "blob.${local.root_domain}"
 blob_service_s3_bucket = "commapp-blob${local.s3_bucket_name_suffix}"
 }
@@ -16,7 +27,7 @@
 essential = true
 portMappings = [
 {
- name = "blob-service-ecs-http"
+ name = local.blob_sc_port_name
 containerPort = local.blob_service_container_http_port
 protocol = "tcp"
 appProtocol = "http"
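Review bot: `AmazonSSMReadOnlyAccess` grants `ssm:Get*`, `ssm:List*` and `ssm:Describe*` on every resource, so the role (which carries `AmazonECSTaskExecutionRolePolicy` and so appears to be the ECS task execution role) gains read access to every Parameter Store parameter in the account rather than only the ones this deployment injects; an execution role needs just `ssm:GetParameters` on the specific parameter ARNs. The new entry also has no comment, unlike the CloudWatch entry beside it, so a reader cannot tell which parameters it is meant to serve. Replace it with a scoped inline policy (sketched below with placeholders), and if any of those parameters are SecureString values under a customer-managed KMS key, add `kms:Decrypt` on that key only. The `aws_iam_role` resource that owns this list starts outside the hunk, so the role's name is not visible here.
```hcl
# … unchanged: aws_iam_role resource, with the AmazonSSMReadOnlyAccess entry removed from managed_policy_arns …

# Read access limited to the parameters ECS injects into the containers
resource "aws_iam_role_policy" "ecs_task_execution_ssm_parameters" {
  name = "ssm-parameter-read"
  role = aws_iam_role.<EXECUTION_ROLE>.id # placeholder: the role declared above
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameters"]
      Resource = ["arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/<PARAMETER_PREFIX>/*"] # placeholders
    }]
  })
}
```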
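Review bot: `blob_service_grpc_public_port = 50053` carries the same value as `blob_service_container_http_port` a few lines above, while the container's own gRPC port is set to 50051, so it reads like a copy of the HTTP value rather than a deliberate choice. If the public gRPC listener is really meant to share the HTTP port number, say so above the pair, e.g. `# gRPC: the container listens on 50051; the public TLS endpoint exposes it on 50053 (deliberately the same number as the HTTP container port)`; if not, the value should be corrected before a listener or target group is built from it. Neither `blob_service_container_grpc_port` nor `blob_service_grpc_public_port` is referenced anywhere in this diff, so what consumes them cannot be checked from here.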
@@ -69,6 +80,19 @@
 ignore_changes = [desired_count]
 }
+ # Expose Blob service to other services in the cluster
+ service_connect_configuration {
+ enabled = true
+ service {
+ discovery_name = local.blob_sc_dns_name
+ port_name = local.blob_sc_port_name
+ client_alias {
+ port = local.blob_service_container_http_port
+ dns_name = local.blob_sc_dns_name
+ }
+ }
+ }
+
 # HTTP
 load_balancer {
 target_group_arn = aws_lb_target_group.blob_service_http.arn
diff --git a/services/terraform/remote/service_identity.tf b/services/terraform/remote/service_identity.tf
--- a/services/terraform/remote/service_identity.tf
+++ b/services/terraform/remote/service_identity.tf
@@ -5,6 +5,13 @@
 # Port that the container is listening on
 identity_service_container_grpc_port = 50054
+ identity_sc_port_name = "identity-service-ecs-grpc"
+ identity_sc_dns_name = "identity-service"
+
+ # Endpoint name accessible by other services in the same Service Connect namespace
+ # This renders to e.g. 'identity-service:50054'
+ identity_local_endpoint = "${local.identity_sc_dns_name}:${local.identity_service_container_grpc_port}"
+
 # Port that is exposed to the public SSL endpoint (appended to domain name)
 identity_service_grpc_public_port = 50054
 identity_service_domain_name = "identity.${local.root_domain}"
@@ -25,7 +32,7 @@
 essential = true
 portMappings = [
 {
- name = "identity-service-ecs-grpc"
+ name = local.identity_sc_port_name
 containerPort = local.identity_service_container_grpc_port
 protocol = "tcp"
 appProtocol = "grpc"
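Review bot: The new `service_connect_configuration` block has no `log_configuration`, so the Service Connect proxy that now fronts the blob HTTP port emits no access logs even though the task containers log to CloudWatch; the same gap is in the block added to service_identity.tf. Without those logs the inter-service calls this change makes reachable by name inside the namespace cannot be traced or alerted on, which matters because nothing in the diff restricts which tasks in the namespace may call `blob-service:50053`. Adding a `log_configuration` with `log_driver = "awslogs"` pointed at the service's existing log group (sketched below with placeholders) closes that gap. The block also omits `namespace`, which means the cluster's default Service Connect namespace is used, so the comment should say `# Expose Blob service to other services in the Service Connect namespace` to match the wording of the locals. The enclosing `aws_ecs_service` resource starts and ends outside the hunk.
```hcl
  service_connect_configuration {
    enabled = true
    # Access logs for the Service Connect proxy (placeholders for group and region)
    log_configuration {
      log_driver = "awslogs"
      options = {
        "awslogs-group"         = "<EXISTING_BLOB_LOG_GROUP>"
        "awslogs-region"        = "<AWS_REGION>"
        "awslogs-stream-prefix" = "service-connect"
      }
    }
    # … unchanged: service { discovery_name / port_name / client_alias } …
  }
```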
@@ -87,6 +94,19 @@
 ignore_changes = [desired_count]
 }
+ # Expose Identity service to other services in the cluster
+ service_connect_configuration {
+ enabled = true
+ service {
+ discovery_name = local.identity_sc_dns_name
+ port_name = local.identity_sc_port_name
+ client_alias {
+ port = local.identity_service_container_grpc_port
+ dns_name = local.identity_sc_dns_name
+ }
+ }
+ }
+
 load_balancer {
 target_group_arn = aws_lb_target_group.identity_service_grpc.arn
 container_name = local.identity_service_container_name