Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F3521861
D9066.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
6 KB
Referenced Files
None
Subscribers
None
D9066.diff
View Options
diff --git a/services/terraform/modules/shared/outputs.tf b/services/terraform/modules/shared/outputs.tf
--- a/services/terraform/modules/shared/outputs.tf
+++ b/services/terraform/modules/shared/outputs.tf
@@ -1,6 +1,7 @@
locals {
exported_dynamodb_tables = [
- aws_dynamodb_table.feature-flags
+ aws_dynamodb_table.feature-flags,
+ aws_dynamodb_table.backup-service-backup,
]
}
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -138,3 +138,31 @@
]
}
+# Backup Service IAM
+data "aws_iam_policy_document" "manage_backup_ddb" {
+ statement {
+ sid = "BackupFullDDBAccess"
+ effect = "Allow"
+ actions = [
+ "dynamodb:*",
+ ]
+ resources = [
+ module.shared.dynamodb_tables["backup-service-backup"].arn,
+ "${module.shared.dynamodb_tables["backup-service-backup"].arn}/index/*"
+ ]
+ }
+}
+resource "aws_iam_policy" "manage_backup_ddb" {
+ name = "backup-ddb-full-access"
+ policy = data.aws_iam_policy_document.manage_backup_ddb.json
+ description = "Allows full access to backup DynamoDB table"
+}
+resource "aws_iam_role" "backup_service" {
+ name = "backup-service-role"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+ managed_policy_arns = [
+ aws_iam_policy.allow_ecs_exec.arn,
+ aws_iam_policy.manage_backup_ddb.arn
+ ]
+}
diff --git a/services/terraform/remote/service_backup.tf b/services/terraform/remote/service_backup.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/service_backup.tf
@@ -0,0 +1,174 @@
+locals {
+ backup_service_image_tag = local.is_staging ? "latest" : "0.2"
+ backup_service_container_name = "backup-service-server"
+ backup_service_server_image = "commapp/backup-server:${local.backup_service_image_tag}"
+ backup_service_container_http_port = 50052
+ backup_service_domain_name = "backup.${local.root_domain}"
+}
+
+resource "aws_ecs_task_definition" "backup_service" {
+ family = "backup-service-task-def"
+ container_definitions = jsonencode([
+ {
+ name = local.backup_service_container_name
+ image = local.backup_service_server_image
+ essential = true
+ portMappings = [
+ {
+ containerPort = local.backup_service_container_http_port
+ protocol = "tcp"
+ appProtocol = "http"
+ },
+ ]
+ environment = [
+ {
+ name = "RUST_LOG"
+ value = "info"
+ },
+ {
+ name = "BLOB_SERVICE_URL",
+ value = local.blob_local_url
+ # If this ever fails, we can fallback to blob public URL:
+ # "https://${local.blob_service_domain_name}"
+ },
+ ]
+ logConfiguration = {
+ "logDriver" = "awslogs"
+ "options" = {
+ "awslogs-create-group" = "true"
+ "awslogs-group" = "/ecs/backup-service-task-def"
+ "awslogs-region" = "us-east-2"
+ "awslogs-stream-prefix" = "ecs"
+ }
+ }
+ }
+ ])
+ task_role_arn = aws_iam_role.backup_service.arn
+ execution_role_arn = aws_iam_role.ecs_task_execution.arn
+ network_mode = "bridge"
+ cpu = "256"
+ memory = "256"
+ requires_compatibilities = ["EC2"]
+
+ # Set this to true if you want to keep old revisions
+ # when this definition is changed
+ skip_destroy = false
+}
+
+resource "aws_ecs_service" "backup_service" {
+ name = "backup-service"
+ cluster = aws_ecs_cluster.comm_services.id
+ launch_type = "EC2"
+
+ task_definition = aws_ecs_task_definition.backup_service.arn
+ force_new_deployment = true
+
+ desired_count = 1
+ lifecycle {
+ ignore_changes = [desired_count]
+ }
+
+ service_connect_configuration {
+ # to be able to reach Blob service by DNS name
+ enabled = true
+ }
+
+ # HTTP
+ load_balancer {
+ target_group_arn = aws_lb_target_group.backup_service_http.arn
+ container_name = local.backup_service_container_name
+ container_port = local.backup_service_container_http_port
+ }
+
+ deployment_circuit_breaker {
+ enable = true
+ rollback = true
+ }
+
+ enable_execute_command = true
+ enable_ecs_managed_tags = true
+}
+
+# Security group to configure access to the service
+resource "aws_security_group" "backup_service" {
+ name = "backup-service-ecs-sg"
+ vpc_id = aws_vpc.default.id
+
+ ingress {
+ from_port = local.backup_service_container_http_port
+ to_port = local.backup_service_container_http_port
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "HTTP port"
+ }
+
+ # Allow all outbound traffic
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_lb_target_group" "backup_service_http" {
+ name = "backup-service-ecs-http-tg"
+ port = local.backup_service_container_http_port
+ protocol = "HTTP"
+ vpc_id = aws_vpc.default.id
+
+ target_type = "instance"
+
+ health_check {
+ enabled = true
+ healthy_threshold = 2
+ unhealthy_threshold = 3
+
+ protocol = "HTTP"
+ path = "/health"
+ matcher = "200-204"
+ }
+}
+
+# Load Balancer
+resource "aws_lb" "backup_service" {
+ load_balancer_type = "application"
+ name = "backup-service-lb"
+ internal = false
+ subnets = [
+ aws_subnet.public_a.id,
+ aws_subnet.public_b.id,
+ aws_subnet.public_c.id,
+ ]
+}
+
+resource "aws_lb_listener" "backup_service_https" {
+ load_balancer_arn = aws_lb.backup_service.arn
+ port = "443"
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+ certificate_arn = data.aws_acm_certificate.backup_service.arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.backup_service_http.arn
+ }
+
+ lifecycle {
+ # Target group cannot be destroyed if it is used
+ replace_triggered_by = [aws_lb_target_group.backup_service_http]
+
+ # Required to avoid no-op plan differences
+ ignore_changes = [default_action[0].forward[0].stickiness[0].duration]
+ }
+}
+
+# SSL Certificate
+data "aws_acm_certificate" "backup_service" {
+ domain = local.backup_service_domain_name
+ statuses = ["ISSUED"]
+}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Tue, Dec 24, 5:10 AM (20 h, 28 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2698410
Default Alt Text
D9066.diff (6 KB)
Attached To
Mode
D9066: [backup] Setup terraform
Attached
Detach File
Event Timeline
Log In to Comment