D12531.1767188625.diff
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
@@ -5,6 +5,13 @@
vpc_id = data.aws_vpc.default.id
# Inbound rules
+ ingress {
+ from_port = 3307
+ to_port = 3307
+ protocol = "tcp"
+ security_groups = [aws_security_group.keyserver_service.id]
+ }
+
ingress {
from_port = 3307
to_port = 3307
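Review bot: The new ingress at the top of the hunk is scoped to `aws_security_group.keyserver_service`, which is the right shape for a database rule, but the pre-existing 3307 ingress that follows it covers the same port and its source lines fall outside the hunk; if that older rule is CIDR-based it already admits everything the new one does and the SG-scoped rule adds no restriction until the older one is removed or narrowed. The hunk header claims six old lines while only five context lines are visible, so a blank context line was probably dropped in rendering rather than from the patch. Give the new rule a `description = "MariaDB from keyserver ECS tasks"` so the intent survives into the console and into future diffs.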
diff --git a/services/terraform/self-host/aws_ecs.tf b/services/terraform/self-host/aws_ecs.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/aws_ecs.tf
@@ -0,0 +1,27 @@
+resource "aws_ecs_cluster" "keyserver_cluster" {
+ name = "keyserver-cluster"
+
+ configuration {
+ execute_command_configuration {
+ logging = "DEFAULT"
+ }
+ }
+
+ service_connect_defaults {
+ namespace = aws_service_discovery_http_namespace.keyserver_cluster.arn
+ }
+}
+
+# Namespace for services to be able to communicate with each other
+# by their hostnames. Similar to docker compose network.
+resource "aws_service_discovery_http_namespace" "keyserver_cluster" {
+ name = "keyserver-cluster-http-namespace"
+ tags = {
+ "AmazonECSManaged" = "true"
+ }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "keyserver_cluster" {
+ cluster_name = aws_ecs_cluster.keyserver_cluster.name
+ capacity_providers = ["FARGATE"]
+}
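Review bot: `execute_command_configuration { logging = "DEFAULT" }` means ECS Exec shell sessions are recorded only if the task definition's awslogs configuration happens to capture them, and the service in this same diff turns `enable_execute_command` on, so session auditing currently rests on an implicit dependency. Make it explicit with `logging = "OVERRIDE"` and `log_configuration { cloud_watch_log_group_name = aws_cloudwatch_log_group.ecs_log_group.name }`, and consider `kms_key_id` on the block so the session channel is encrypted with a customer-managed key. A one-line comment above the block, `# ECS Exec is enabled on the service; route its session logs here for audit`, would tell the next reader why the block exists at all.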
diff --git a/services/terraform/self-host/aws_iam.tf b/services/terraform/self-host/aws_iam.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/aws_iam.tf
@@ -0,0 +1,85 @@
+resource "aws_iam_role" "ecs_task_role" {
+ name = "ecs-iam_role"
+ description = "Allows to SSH into ECS containers"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+ managed_policy_arns = [
+ aws_iam_policy.allow_ecs_exec.arn,
+ ]
+}
+
+data "aws_iam_policy_document" "assume_role_ecs_ec2" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole",
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com",
+ "ecs-tasks.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_policy" "allow_ecs_exec" {
+ name = "allow-ecs-exec"
+ description = "Adds SSM permissions to enable ECS Exec"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ]
+ Resource = "*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role" "fargate_execution_role" {
+ assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Principal": {"Service": "ecs-tasks.amazonaws.com"},
+ "Action": "sts:AssumeRole"
+ }
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "fargate_execution_role" {
+ role = aws_iam_role.fargate_execution_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role" "ecs_task_execution" {
+ name = "ecsTaskExecutionRole"
+ assume_role_policy = jsonencode({
+ Version = "2008-10-17"
+ Statement = [
+ {
+ Sid = ""
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
+ }
+ }
+ ]
+ })
+
+ managed_policy_arns = [
+ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+ "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
+ ]
+}
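Review bot: `ecs_task_execution` attaches `CloudWatchLogsFullAccess`, which grants every logs action on every log group in the account, while the only permission the task definition appears to need beyond `AmazonECSTaskExecutionRolePolicy` is `logs:CreateLogGroup` for `awslogs-create-group = "true"` (and since `aws_cloudwatch_log_group.ecs_log_group` is created by Terraform in keyserver_primary.tf, even that may be unnecessary). Scope it to the one log group, as below. Two smaller least-privilege points in the same file: `assume_role_ecs_ec2` trusts `ec2.amazonaws.com` although the cluster's only capacity provider is FARGATE, so the EC2 principal can be dropped, and `fargate_execution_role` is not referenced by the task definition in this diff and looks like a leftover duplicate of `ecs_task_execution`. The `ecs_task_role` description says "Allows to SSH into ECS containers" but the attached policy grants SSM Session Manager channels for ECS Exec, not SSH; `description = "Task role: allows ECS Exec (SSM session) into the keyserver containers"` is accurate.
```hcl
resource "aws_iam_role" "ecs_task_execution" {
  # … unchanged: name, assume_role_policy …

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
  ]

  # The only extra permission the task definition needs is CreateLogGroup for
  # awslogs-create-group, scoped to the keyserver log group rather than
  # CloudWatchLogsFullAccess on the whole account.
  inline_policy {
    name = "allow-create-keyserver-log-group"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = ["logs:CreateLogGroup"]
          Resource = aws_cloudwatch_log_group.ecs_log_group.arn
        }
      ]
    })
  }
}
```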
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -0,0 +1,149 @@
+locals {
+ keyserver_service_image_tag = "1.0"
+ keyserver_service_server_image = "wyilio/keyserver:${local.keyserver_service_image_tag}"
+ keyserver_service_container_name = "keyserver-primary"
+}
+
+resource "aws_cloudwatch_log_group" "ecs_log_group" {
+ name = "/ecs/keyserver-primary-task-def"
+ retention_in_days = 7
+}
+
+output "mariadb_address" {
+ value = aws_db_instance.mariadb.address
+}
+
+resource "aws_ecs_task_definition" "keyserver_service" {
+ network_mode = "awsvpc"
+ family = "keyserver-primary-task-def"
+ requires_compatibilities = ["FARGATE"]
+ task_role_arn = aws_iam_role.ecs_task_role.arn
+ execution_role_arn = aws_iam_role.ecs_task_execution.arn
+ cpu = "1024"
+ memory = "3072"
+
+ ephemeral_storage {
+ size_in_gib = 40
+ }
+
+ container_definitions = jsonencode([
+ {
+ name = local.keyserver_service_container_name
+ image = local.keyserver_service_server_image
+ essential = true
+ portMappings = [
+ {
+ name = "keyserver-port"
+ containerPort = 3000
+ protocol = "tcp"
+ },
+ {
+ name = "http-port"
+ containerPort = 80
+ protocol = "tcp"
+ appProtocol = "http"
+ },
+ ]
+ environment = [
+ {
+ name = "COMM_DATABASE_HOST"
+ value = "${aws_db_instance.mariadb.address}"
+ },
+ {
+ name = "COMM_DATABASE_DATABASE"
+ value = "comm"
+ },
+ {
+ name = "COMM_DATABASE_PORT"
+ value = "3307"
+ },
+ {
+ name = "COMM_DATABASE_USER"
+ value = "${var.mariadb_username}"
+ },
+ {
+ name = "COMM_DATABASE_PASSWORD"
+ value = "${var.mariadb_password}"
+ },
+ {
+ name = "COMM_JSONCONFIG_secrets_user_credentials"
+ value = <<EOF
+ {
+ "username": "${var.keyserver_username}",
+ "password": "${var.keyserver_password}",
+ "usingIdentityCredentials": ${var.using_identity_credentials}
+ }
+ EOF
+ }
+ ]
+ logConfiguration = {
+ "logDriver" = "awslogs"
+ "options" = {
+ "awslogs-create-group" = "true"
+ "awslogs-group" = aws_cloudwatch_log_group.ecs_log_group.name
+ "awslogs-stream-prefix" = "ecs"
+ "awslogs-region" = "${var.region}"
+ }
+ }
+ linuxParameters = {
+ initProcessEnabled = true
+ }
+ }
+ ])
+
+ runtime_platform {
+ cpu_architecture = "ARM64"
+ operating_system_family = "LINUX"
+ }
+
+ skip_destroy = false
+}
+
+resource "aws_ecs_service" "keyserver_primary_service" {
+ name = "keyserver-primary-service"
+ cluster = aws_ecs_cluster.keyserver_cluster.id
+ task_definition = aws_ecs_task_definition.keyserver_service.arn
+ launch_type = "FARGATE"
+ enable_execute_command = true
+ enable_ecs_managed_tags = true
+ force_new_deployment = true
+ desired_count = 1
+
+ network_configuration {
+ subnets = [data.aws_subnets.default.ids[0], data.aws_subnets.default.ids[1]]
+ security_groups = [aws_security_group.keyserver_service.id]
+ assign_public_ip = true
+ }
+
+ deployment_circuit_breaker {
+ enable = true
+ rollback = true
+ }
+}
+
+resource "aws_security_group" "keyserver_service" {
+ name = "keyserver-service-ecs-sg"
+ vpc_id = data.aws_vpc.default.id
+
+ # Allow all inbound traffic. This is temporary until load balancer is configured
+ ingress {
+ from_port = 0
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+
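Review bot: `COMM_DATABASE_PASSWORD`, `COMM_DATABASE_USER` and the `COMM_JSONCONFIG_secrets_user_credentials` JSON are passed as plain `environment` entries, so the credentials land in the registered task definition (readable by anyone with `ecs:DescribeTaskDefinition`), in the console, and in Terraform state, despite `sensitive = true` on the variables; ECS supports a `secrets` list with `valueFrom` pointing at Secrets Manager or SSM Parameter Store, and the execution role would then need the corresponding read permission. Independently, the heredoc at `COMM_JSONCONFIG_secrets_user_credentials` builds JSON by string interpolation, so a username or password containing `"` or `\` produces invalid JSON at runtime; `value = jsonencode({ username = var.keyserver_username, password = var.keyserver_password, usingIdentityCredentials = var.using_identity_credentials })` keeps the same output and escapes correctly. The security group opens TCP 0–65535 from 0.0.0.0/0 with `assign_public_ip = true`; the comment calls this temporary, but until the load balancer lands it can at least be narrowed to the two ports the container actually maps (80 and 3000). The image `wyilio/keyserver:1.0` is pulled from a personal Docker Hub namespace by mutable tag; pinning by digest (`image@sha256:...`) would make deployments reproducible.
```hcl
      # Credentials are injected at task launch from the secret store rather
      # than baked into the task definition and Terraform state.
      secrets = [
        {
          name      = "COMM_DATABASE_PASSWORD"
          valueFrom = "<ARN-OF-MARIADB-PASSWORD-SECRET>"   # placeholder: Secrets Manager / SSM parameter ARN
        },
        {
          name      = "COMM_JSONCONFIG_secrets_user_credentials"
          valueFrom = "<ARN-OF-KEYSERVER-CREDENTIALS-SECRET>"   # placeholder
        },
      ]
      # … unchanged: non-secret environment entries (COMM_DATABASE_HOST, _DATABASE, _PORT) …
```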
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
--- a/services/terraform/self-host/variables.tf
+++ b/services/terraform/self-host/variables.tf
@@ -20,3 +20,20 @@
description = "IP address"
type = string
}
+
+variable "keyserver_username" {
+ description = "Keyserver username"
+ type = string
+}
+
+variable "keyserver_password" {
+ description = "Keyserver password"
+ type = string
+ sensitive = true
+}
+
+variable "using_identity_credentials" {
+ description = "Whether to use identity credentials to login"
+ type = bool
+ default = false
+}
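Review bot: `keyserver_username` and `keyserver_password` have no `validation` block, and since both are interpolated straight into the credentials JSON in keyserver_primary.tf an empty value is accepted silently and only fails inside the running container; add `validation { condition = length(var.keyserver_password) > 0; error_message = "keyserver_password must not be empty." }` (and the same for the username). `sensitive = true` only redacts plan and apply output; the value is still written to state and, as wired in this diff, to the task definition, which is worth a sentence in the description so operators do not assume more protection than they get.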
