diff --git a/services/terraform/remote/service_backup.tf b/services/terraform/remote/service_backup.tf
--- a/services/terraform/remote/service_backup.tf
+++ b/services/terraform/remote/service_backup.tf
@@ -17,108 +17,7 @@
backup_fargate_url = "http://${local.backup_sc_dns_name}-fargate:${local.backup_service_container_http_port}"
}
-resource "aws_ecs_task_definition" "backup_service" {
- family = "backup-service-task-def"
- container_definitions = jsonencode([
- {
- name = local.backup_service_container_name
- image = local.backup_service_server_image
- essential = true
- portMappings = [
- {
- name = local.backup_sc_port_name
- containerPort = local.backup_service_container_http_port
- protocol = "tcp"
- appProtocol = "http"
- },
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,backup=debug,comm_lib=debug" : "info"
- },
- {
- name = "BLOB_SERVICE_URL",
- value = local.blob_local_url
- # If this ever fails, we can fallback to blob public URL:
- # "https://${local.blob_service_domain_name}"
- },
- {
- name = "IDENTITY_SERVICE_ENDPOINT",
- value = local.identity_local_url
- },
- {
- name = "COMM_SERVICES_DISABLE_CSAT_VERIFICATION",
- value = local.is_staging ? "false" : "true"
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/backup-service-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- }
- ])
- task_role_arn = aws_iam_role.backup_service.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "1024"
- memory = "4096"
- requires_compatibilities = ["EC2"]
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = false
-}
-
-resource "aws_ecs_service" "backup_service" {
- name = "backup-service"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.backup_service.arn
- force_new_deployment = true
-
- desired_count = 0
- lifecycle {
- ignore_changes = [desired_count]
- }
-
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.backup_sc_dns_name
- port_name = local.backup_sc_port_name
- client_alias {
- port = local.backup_service_container_http_port
- dns_name = local.backup_sc_dns_name
- }
- }
- }
-
- # HTTP
- load_balancer {
- target_group_arn = aws_lb_target_group.backup_service_http.arn
- container_name = local.backup_service_container_name
- container_port = local.backup_service_container_http_port
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-
- enable_execute_command = true
- enable_ecs_managed_tags = true
-}
# Security group to configure access to the service
resource "aws_security_group" "backup_service" {
@@ -146,24 +45,6 @@
}
}
-resource "aws_lb_target_group" "backup_service_http" {
- name = "backup-service-ecs-http-tg"
- port = local.backup_service_container_http_port
- protocol = "HTTP"
- vpc_id = aws_vpc.default.id
-
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
-
- protocol = "HTTP"
- path = "/health"
- matcher = "200-204"
- }
-}
# Load Balancer
resource "aws_lb" "backup_service" {
diff --git a/services/terraform/remote/service_blob.tf b/services/terraform/remote/service_blob.tf
--- a/services/terraform/remote/service_blob.tf
+++ b/services/terraform/remote/service_blob.tf
@@ -21,105 +21,7 @@
blob_service_s3_bucket = "commapp-blob${local.s3_bucket_name_suffix}"
}
-resource "aws_ecs_task_definition" "blob_service" {
- family = "blob-service-task-def"
- container_definitions = jsonencode([
- {
- name = local.blob_service_container_name
- image = local.blob_service_server_image
- essential = true
- portMappings = [
- {
- name = local.blob_sc_port_name
- containerPort = local.blob_service_container_http_port
- protocol = "tcp"
- appProtocol = "http"
- }
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,blob=debug,comm_lib=debug" : "info"
- },
- {
- name = "BLOB_S3_BUCKET_NAME",
- value = local.blob_service_s3_bucket
- },
- {
- name = "IDENTITY_SERVICE_ENDPOINT",
- value = local.identity_local_url
- },
- {
- name = "COMM_SERVICES_DISABLE_CSAT_VERIFICATION",
- value = local.is_staging ? "false" : "true"
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/blob-service-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- }
- ])
- task_role_arn = aws_iam_role.services_ddb_full_access.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "512"
- memory = local.is_staging ? "512" : "2048"
- requires_compatibilities = ["EC2"]
-
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = false
-}
-
-resource "aws_ecs_service" "blob_service" {
- name = "blob-service"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.blob_service.arn
- force_new_deployment = true
-
- desired_count = 0
-
- lifecycle {
- ignore_changes = [desired_count]
- }
-
- # Expose Blob service to other services in the cluster
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.blob_sc_dns_name
- port_name = local.blob_sc_port_name
- client_alias {
- port = local.blob_service_container_http_port
- dns_name = local.blob_sc_dns_name
- }
- }
- }
- # HTTP
- load_balancer {
- target_group_arn = aws_lb_target_group.blob_service_http.arn
- container_name = local.blob_service_container_name
- container_port = local.blob_service_container_http_port
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-}
# Security group to configure access to the service
resource "aws_security_group" "blob_service" {
@@ -147,25 +49,6 @@
}
}
-resource "aws_lb_target_group" "blob_service_http" {
- name = "blob-service-ecs-http-tg"
- port = local.blob_service_container_http_port
- protocol = "HTTP"
- vpc_id = aws_vpc.default.id
-
- # ECS Fargate requires target type set to IP
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
-
- protocol = "HTTP"
- path = "/health"
- matcher = "200-499"
- }
-}
# Load Balancer
resource "aws_lb" "blob_service" {
diff --git a/services/terraform/remote/service_identity.tf b/services/terraform/remote/service_identity.tf
--- a/services/terraform/remote/service_identity.tf
+++ b/services/terraform/remote/service_identity.tf
@@ -47,141 +47,7 @@
name = local.opaque_server_setup_secret_name
}
-resource "aws_ecs_task_definition" "identity_service" {
- family = "identity-service-task-def"
- container_definitions = jsonencode([
- {
- name = local.identity_service_container_name
- image = local.identity_service_server_image
- essential = true
- portMappings = [
- {
- name = local.identity_sc_port_name
- containerPort = local.identity_service_container_grpc_port
- protocol = "tcp"
- appProtocol = "grpc"
- },
- {
- name = local.identity_sc_ws_port_name
- containerPort = local.identity_service_container_ws_port
- protocol = "tcp"
- appProtocol = "http"
- }
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,identity=debug,comm_lib=debug" : "info"
- },
- {
- name = "KEYSERVER_PUBLIC_KEY"
- value = nonsensitive(local.secrets["keyserverPublicKey"])
- },
- {
- name = "TUNNELBROKER_GRPC_ENDPOINT"
- value = local.tunnelbroker_local_grpc_url
- },
- {
- name = "BACKUP_SERVICE_URL",
- value = local.backup_local_url
- },
- {
- name = "BLOB_SERVICE_URL",
- value = local.blob_local_url
- },
- {
- name = "OPENSEARCH_ENDPOINT"
- value = module.shared.opensearch_domain_identity.endpoint
- },
- {
- name = "ALLOW_ORIGIN_LIST"
- value = local.is_staging ? local.staging_allow_origin_list : local.production_allow_origin_list
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- },
- {
- name = "REDACT_SENSITIVE_DATA",
- value = local.is_staging ? "false" : "true"
- }
- ]
- secrets = [
- {
- # This is exposed as an environment variable in the container
- name = "OPAQUE_SERVER_SETUP"
- valueFrom = data.aws_secretsmanager_secret.identity_server_setup.arn
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/identity-service-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- linuxParameters = {
- initProcessEnabled = true
- }
- }
- ])
- task_role_arn = aws_iam_role.services_ddb_full_access.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "512"
- memory = "2048"
- requires_compatibilities = ["EC2"]
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = false
-}
-
-resource "aws_ecs_service" "identity_service" {
- name = "identity-service"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.identity_service.arn
- force_new_deployment = true
-
- desired_count = 0
-
- # Expose Identity service to other services in the cluster
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.identity_sc_dns_name
- port_name = local.identity_sc_port_name
- client_alias {
- port = local.identity_service_container_grpc_port
- dns_name = local.identity_sc_dns_name
- }
- }
- }
-
- load_balancer {
- target_group_arn = aws_lb_target_group.identity_service_ws.arn
- container_name = local.identity_service_container_name
- container_port = local.identity_service_container_ws_port
- }
-
- load_balancer {
- target_group_arn = aws_lb_target_group.identity_service_grpc.arn
- container_name = local.identity_service_container_name
- container_port = local.identity_service_container_grpc_port
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-
- enable_execute_command = true
- enable_ecs_managed_tags = true
-}
# Security group to configure access to the service
resource "aws_security_group" "identity_service" {
@@ -217,48 +83,7 @@
}
}
-resource "aws_lb_target_group" "identity_service_grpc" {
- name = "identity-service-ecs-grpc-tg"
- port = local.identity_service_container_grpc_port
- protocol = "HTTP"
- protocol_version = "HTTP2"
- vpc_id = aws_vpc.default.id
-
- # The "bridge" network mode requires target type set to instance
- target_type = "instance"
-
- stickiness {
- type = "lb_cookie"
- cookie_duration = 10 # Duration in seconds
- enabled = true
- }
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
- }
-}
-
-resource "aws_lb_target_group" "identity_service_ws" {
- name = "identity-service-ecs-ws-tg"
- port = local.identity_service_container_ws_port
- protocol = "HTTP"
- protocol_version = "HTTP1"
- vpc_id = aws_vpc.default.id
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
- protocol = "HTTP"
- path = "/health"
- matcher = "200"
-
- }
-}
# Load Balancer
resource "aws_lb" "identity_service" {
diff --git a/services/terraform/remote/service_tunnelbroker.tf b/services/terraform/remote/service_tunnelbroker.tf
--- a/services/terraform/remote/service_tunnelbroker.tf
+++ b/services/terraform/remote/service_tunnelbroker.tf
@@ -67,154 +67,7 @@
amqp_endpoint = aws_mq_broker.tunnelbroker_rabbitmq.instances[0].endpoints[0]
}
-# Task definition - defines container resources, ports,
-# environment variables, docker image etc.
-resource "aws_ecs_task_definition" "tunnelbroker" {
- family = "tunnelbroker-task-def"
- container_definitions = jsonencode([
- {
- name = local.tunnelbroker_config.container_name
- image = local.tunnelbroker_docker_image
- essential = true
- portMappings = [
- {
- name = "tunnelbroker_ws"
- containerPort = local.tunnelbroker_config.websocket_port
- protocol = "tcp"
- appProtocol = "http"
- },
- {
- name = local.tunnelbroker_config.grpc_port_name
- containerPort = local.tunnelbroker_config.grpc_port
- protocol = "tcp"
- appProtocol = "grpc"
- }
- ]
- environment = [
- {
- name = "RUST_LOG"
- value = local.is_staging ? "info,tunnelbroker=debug,comm_lib=debug" : "info"
- },
- {
- name = "AMQP_URI",
- value = local.amqp_endpoint
- },
- {
- name = "AMQP_USERNAME"
- value = "comm"
- },
- {
- name = "AMQP_PASSWORD"
- value = nonsensitive(local.rabbitmq_password)
- },
- {
- name = "COMM_TUNNELBROKER_IDENTITY_ENDPOINT",
- value = local.identity_local_url
- },
- {
- name = "BLOB_SERVICE_URL",
- value = local.blob_local_url
- },
- {
- name = "BLOB_SERVICE_PUBLIC_URL",
- value = "https://${local.blob_service_domain_name}"
- },
- {
- name = "COMM_SERVICES_USE_JSON_LOGS",
- value = local.comm_services_use_json_logs
- },
- {
- name = "REDACT_SENSITIVE_DATA",
- value = local.is_staging ? "false" : "true"
- }
- ]
- secrets = [
- {
- name = "APNS_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_apns.arn
- },
- {
- name = "FCM_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_fcm.arn
- },
- {
- name = "WEB_PUSH_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_web_push.arn
- },
- {
- name = "WNS_CONFIG"
- valueFrom = data.aws_secretsmanager_secret.tunnelbroker_wns.arn
- }
- ]
- logConfiguration = {
- "logDriver" = "awslogs"
- "options" = {
- "awslogs-create-group" = "true"
- "awslogs-group" = "/ecs/tunnelbroker-task-def"
- "awslogs-region" = "us-east-2"
- "awslogs-stream-prefix" = "ecs"
- }
- }
- }
- ])
- task_role_arn = aws_iam_role.services_ddb_full_access.arn
- execution_role_arn = aws_iam_role.ecs_task_execution.arn
- network_mode = "bridge"
- cpu = "256"
- memory = local.is_staging ? "256" : "1024"
- requires_compatibilities = ["EC2"]
- # Set this to true if you want to keep old revisions
- # when this definition is changed
- skip_destroy = true
-}
-
-# ECS Service - defines task scaling, load balancer connection,
-# network configuration etc.
-resource "aws_ecs_service" "tunnelbroker" {
- name = "tunnelbroker"
- cluster = aws_ecs_cluster.comm_services.id
- launch_type = "EC2"
-
- task_definition = aws_ecs_task_definition.tunnelbroker.arn
- force_new_deployment = true
-
- desired_count = 0
-
- service_connect_configuration {
- enabled = true
- service {
- discovery_name = local.tunnelbroker_config.local_dns_name
- port_name = local.tunnelbroker_config.grpc_port_name
- client_alias {
- port = local.tunnelbroker_config.grpc_port
- dns_name = local.tunnelbroker_config.local_dns_name
- }
- }
- }
-
- # Websocket
- load_balancer {
- target_group_arn = aws_lb_target_group.tunnelbroker_ws.arn
- container_name = local.tunnelbroker_config.container_name
- container_port = local.tunnelbroker_config.websocket_port
- }
-
- # gRPC
- dynamic "load_balancer" {
- for_each = aws_lb_listener.tunnelbroker_grpc
- content {
- target_group_arn = aws_lb_target_group.tunnelbroker_grpc.arn
- container_name = local.tunnelbroker_config.container_name
- container_port = local.tunnelbroker_config.grpc_port
- }
- }
-
- deployment_circuit_breaker {
- enable = true
- rollback = true
- }
-}
# Security group to configure access to the service
resource "aws_security_group" "tunnelbroker" {
@@ -252,52 +105,7 @@
}
}
-# Running service instances are registered here
-# to be accessed by the load balancer
-resource "aws_lb_target_group" "tunnelbroker_ws" {
- name = "tunnelbroker-ws-tg"
- port = local.tunnelbroker_config.websocket_port
- protocol = "HTTP"
- protocol_version = "HTTP1"
- vpc_id = aws_vpc.default.id
- target_type = "instance"
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
-
- protocol = "HTTP"
- path = "/health"
- matcher = "200"
-
- }
-}
-
-/* This is generally a dead (empty) resource on prod, i.e. it should not have
- * any targets registered. We have gRPC listener resource disabled on prod,
- * which results in the following exception if any targets are registered here:
- * "The target group "tunnelbroker-grpc-tg" does not have
- * an associated load balancer."
- *
- * See also `aws_lb_listener.tunnelbroker_grpc` and the "dynamic" block in
- * `aws_ecs_service.tunnelbroker` on how this is disabled.
- * The `count` or `for_each` isn't added here to avoid complicating things more.
- */
-resource "aws_lb_target_group" "tunnelbroker_grpc" {
- name = "tunnelbroker-grpc-tg"
- port = local.tunnelbroker_config.grpc_port
- protocol = "HTTP"
- protocol_version = "GRPC"
- vpc_id = aws_vpc.default.id
- target_type = "instance"
-
- health_check {
- enabled = true
- healthy_threshold = 2
- unhealthy_threshold = 3
- }
-}
# Load Balancer
resource "aws_lb" "tunnelbroker" {
D15538: [terraform] remove EC2-based resources