diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
index fe1e00ec6..382d9bc29 100644
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -1,379 +1,391 @@ ### General AWS Utility IAM resources # Docs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html resource "aws_iam_role" "ecs_instance_role" { name = "ecsInstanceRole" description = "Allows EC2 instances to call AWS services on your behalf." assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ec2.amazonaws.com" } } ] }) managed_policy_arns = [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", # Let instances download Docker images from ECR "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" ] } # ECS Task execution role # Docs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html resource "aws_iam_role" "ecs_task_execution" { name = "ecsTaskExecutionRole" assume_role_policy = jsonencode({ Version = "2008-10-17" Statement = [ { Sid = "" Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ecs-tasks.amazonaws.com" } } ] }) managed_policy_arns = [ "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", # Let ECS write logs to CloudWatch "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess", # Let ECS tasks access secrets to expose them as env vars "arn:aws:iam::aws:policy/SecretsManagerReadWrite", ] } # Assume Role Policy Document for EC2 and ECS # This policy allows ECS and EC2 use roles that it is assigned to data "aws_iam_policy_document" "assume_role_ecs_ec2" { statement { effect = "Allow" actions = [ "sts:AssumeRole", ] principals { type = "Service" identifiers = [ "ec2.amazonaws.com", "ecs-tasks.amazonaws.com" ] } } } +# Role for keyserver service nodes +# Allows for ecs exec +resource "aws_iam_role" "keyserver_node_ecs_task_role" { + name = "ecs-iam_role" + description = "Allows to SSH into ECS containers" + assume_role_policy = 
data.aws_iam_policy_document.assume_role_ecs_ec2.json + + managed_policy_arns = [ + aws_iam_policy.allow_ecs_exec.arn, + ] +} + # Allows ECS Exec to SSH into service task containers resource "aws_iam_policy" "allow_ecs_exec" { name = "allow-ecs-exec" description = "Adds SSM permissions to enable ECS Exec" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ] Resource = "*" } ] }) } ### App IAM resources # Our app role - this is to give access to DynamoDB etc # Has trust policy with EC2 and ECS # Also allows to SSH into containers resource "aws_iam_role" "services_ddb_full_access" { name = "dynamodb-s3-full-access" description = "Full RW access to DDB and S3. Allows to SSH into ECS containers" assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json managed_policy_arns = [ aws_iam_policy.allow_ecs_exec.arn, aws_iam_policy.read_services_token.arn, "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess", "arn:aws:iam::aws:policy/AmazonS3FullAccess", ] } # Services token read policy data "aws_iam_policy_document" "read_services_token" { statement { sid = "SecretsManagerReadServicesToken" effect = "Allow" actions = [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ] resources = [ module.shared.services_token_id ] } } resource "aws_iam_policy" "read_services_token" { name = "service-to-service-token-read-access" policy = data.aws_iam_policy_document.read_services_token.json description = "Allows full read access to service-to-service token SecretsManager secret" } # Feature Flags IAM data "aws_iam_policy_document" "read_feature_flags" { statement { sid = "FeatureFlagsDDBReadAccess" effect = "Allow" actions = [ "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", ] resources 
= [ module.shared.dynamodb_tables["feature-flags"].arn ] } } resource "aws_iam_policy" "read_feature_flags" { name = "feature-flags-ddb-read-access" policy = data.aws_iam_policy_document.read_feature_flags.json description = "Allows full read access to feature-flags DynamoDB table" } resource "aws_iam_role" "feature_flags_service" { name = "feature-flags-service-role" assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json managed_policy_arns = [ aws_iam_policy.read_feature_flags.arn ] } # Backup Service IAM data "aws_iam_policy_document" "manage_backup_ddb" { statement { sid = "BackupFullDDBAccess" effect = "Allow" actions = [ "dynamodb:*", ] resources = [ module.shared.dynamodb_tables["backup-service-backup"].arn, "${module.shared.dynamodb_tables["backup-service-backup"].arn}/index/*", module.shared.dynamodb_tables["backup-service-log"].arn, ] } } resource "aws_iam_policy" "manage_backup_ddb" { name = "backup-ddb-full-access" policy = data.aws_iam_policy_document.manage_backup_ddb.json description = "Allows full access to backup DynamoDB table" } resource "aws_iam_role" "backup_service" { name = "backup-service-role" assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json managed_policy_arns = [ aws_iam_policy.allow_ecs_exec.arn, aws_iam_policy.manage_backup_ddb.arn, aws_iam_policy.read_services_token.arn, ] } # Reports Service IAM data "aws_iam_policy_document" "manage_reports_ddb" { statement { sid = "ReportsFullDDBAccess" effect = "Allow" actions = [ "dynamodb:*", ] resources = [ module.shared.dynamodb_tables["reports-service-reports"].arn ] } } resource "aws_iam_policy" "manage_reports_ddb" { name = "reports-ddb-full-access" policy = data.aws_iam_policy_document.manage_reports_ddb.json description = "Allows full access to reports DynamoDB table" } resource "aws_iam_role" "reports_service" { name = "reports-service-role" assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json managed_policy_arns = [ 
aws_iam_policy.allow_ecs_exec.arn, aws_iam_policy.manage_reports_ddb.arn, aws_iam_policy.read_services_token.arn, ] } # Identity Search data "aws_iam_policy_document" "assume_identity_search_role" { statement { effect = "Allow" principals { type = "Service" identifiers = ["lambda.amazonaws.com"] } actions = ["sts:AssumeRole"] } } resource "aws_iam_role" "search_index_lambda" { name = "search_index_lambda" assume_role_policy = data.aws_iam_policy_document.assume_identity_search_role.json } resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" { role = aws_iam_role.search_index_lambda.name policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } resource "aws_iam_role_policy_attachment" "manage_cloudwatch_logs" { role = aws_iam_role.search_index_lambda.name policy_arn = aws_iam_policy.manage_cloudwatch_logs.arn } resource "aws_iam_role_policy_attachment" "manage_network_interface" { role = aws_iam_role.search_index_lambda.name policy_arn = aws_iam_policy.manage_network_interface.arn } resource "aws_iam_role_policy_attachment" "read_identity_users_stream" { role = aws_iam_role.search_index_lambda.name policy_arn = aws_iam_policy.read_identity_users_stream.arn } data "aws_iam_policy_document" "read_identity_users_stream" { statement { effect = "Allow" actions = [ "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams", ] resources = [ module.shared.dynamodb_tables["identity-users"].stream_arn, "${module.shared.dynamodb_tables["identity-users"].arn}/stream/*", module.shared.dynamodb_tables["identity-reserved-usernames"].stream_arn, "${module.shared.dynamodb_tables["identity-reserved-usernames"].arn}/stream/*", ] } } resource "aws_iam_policy" "read_identity_users_stream" { name = "read-identity-users-stream" path = "/" description = "IAM policy for managing identity-users stream" policy = data.aws_iam_policy_document.read_identity_users_stream.json } data 
"aws_iam_policy_document" "manage_cloudwatch_logs" { statement { effect = "Allow" actions = [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ] resources = ["arn:aws:logs:*:*:*"] } } resource "aws_iam_policy" "manage_cloudwatch_logs" { name = "manage-cloudwatch-logs" path = "/" description = "IAM policy for managing cloudwatch logs" policy = data.aws_iam_policy_document.manage_cloudwatch_logs.json } data "aws_iam_policy_document" "manage_network_interface" { statement { effect = "Allow" actions = [ "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" ] resources = ["*"] } } resource "aws_iam_policy" "manage_network_interface" { name = "manage-network-interface" path = "/" description = "IAM policy for managing network interfaces" policy = data.aws_iam_policy_document.manage_network_interface.json } data "aws_iam_policy_document" "opensearch_domain_access" { statement { effect = "Allow" actions = [ "es:ESHttpHead", "es:ESHttpPost", "es:ESHttpGet", "es:ESHttpDelete", "es:ESHttpPut", ] resources = ["${module.shared.opensearch_domain_identity.arn}/*"] } } resource "aws_iam_policy" "opensearch_domain_access" { name = "opensearch-domain-access-policy" policy = data.aws_iam_policy_document.opensearch_domain_access.json } resource "aws_opensearch_domain_policy" "opensearch_domain_access" { domain_name = module.shared.opensearch_domain_identity.domain_name access_policies = data.aws_iam_policy_document.opensearch_domain_access.json } resource "aws_iam_role_policy_attachment" "search_index_lambda_opensearch_access" { role = aws_iam_role.search_index_lambda.name policy_arn = aws_iam_policy.opensearch_domain_access.arn } resource "aws_iam_role" "task_scheduler" { name = "cron-scheduler-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Principal = { Service = ["scheduler.amazonaws.com"] } Action = "sts:AssumeRole" } ] }) } 
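Review bot: The new `keyserver_node_ecs_task_role` is created with `name = "ecs-iam_role"`, which mixes separators and says nothing about what the role is for, unlike the sibling roles in this file (`feature-flags-service-role`, `backup-service-role`, `reports-service-role`); since the role is introduced by this commit, renaming it now costs nothing, e.g. `name = "keyserver-node-ecs-task-role"`. Its description and the leading comment call ECS Exec "SSH", but the only policy attached, `allow_ecs_exec`, grants the four `ssmmessages:*` channel actions, so a comment such as `# Task role for keyserver-node services: ECS Exec (SSM session channels, not SSH) only` would describe the grant accurately. The role also reuses `assume_role_ecs_ec2`, which trusts `ec2.amazonaws.com` as well as `ecs-tasks.amazonaws.com`; for a role that is only ever passed as `ecs_task_role_arn`, a trust policy limited to `ecs-tasks.amazonaws.com` would be tighter, though every service role in this file shares that data source, so narrowing it would be a file-wide change.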
diff --git a/services/terraform/remote/secrets.json b/services/terraform/remote/secrets.json
index a573d43c9..6d09745fa 100644
--- a/services/terraform/remote/secrets.json
+++ b/services/terraform/remote/secrets.json
@@ -1,39 +1,93 @@ { "accountIDs": { - "production": "ENC[AES256_GCM,data:bFvAqsaeaK63a89t,iv:DItiKGCI6RPfkjQPSrUWhddvJQKOTnYEeyzgHfckrXw=,tag:5NTw9AuEXhU9eOKzd2wvtw==,type:str]", - "staging": "ENC[AES256_GCM,data:qoJZWlb2BusLjLJV,iv:cRt9S8qKZ8qz3q41Xc1o+giTTHA0jWkTLQDFHUHFR2U=,tag:EbZKVX7NkxDmx1s1PIjIeg==,type:str]" + "production": "ENC[AES256_GCM,data:7IFfLPfwCMbVtQ0l,iv:k2YUjcdeS5zfra7MNT+lBWeyRDqRm/+jXnOEHzasGfM=,tag:6+kJ8UmBegInaL0U1qWp2Q==,type:str]", + "staging": "ENC[AES256_GCM,data:Zb+8XOWcyOqM2THe,iv:fDe9Z7kLzdEgmIZlZHGkESn+YMW/7ukphx28vhte1L8=,tag:TyaixW9C57Ty2htFEogg3w==,type:str]" }, - "keyserverPublicKey": "ENC[AES256_GCM,data:6QnxnmA21WMjsqFJHgSxh4UkzoR1LMQuoK+F4uj5cxZPqsvverDjf9OfJg==,iv:gScxT+OOcnIrnc32S/Skk1/y15k2yhMVkCjuCUkQ3Y8=,tag:ZzP+7sgxZoJHD/XpMwwxWg==,type:str]", + "keyserverPublicKey": "ENC[AES256_GCM,data:kISIHWgvPLMlIFDEgwkMH4l35T30rP8cAxjp2X8LOVCJ0TTGXfLP8OvpsQ==,iv:dvUGQaG8d1uqYSykXSDzpI8Ob3LQsy/ZEaNItznBPkg=,tag:g88JxTnfk3ExqaS3PRIgDQ==,type:str]", "emailConfig": { - "postmarkToken": "ENC[AES256_GCM,data:9LHtrcnsPjSQ9taGbM984vHubERZZxvVrrEu0EmpSxA3fABH,iv:IGvphb6l6sCfeY6liOcmLaVsEtNKO97kSuB3YUMQVAg=,tag:+2F/or6vbv90kD1T1h+ZHA==,type:str]", - "senderEmail": "ENC[AES256_GCM,data:TtXiJwxtgqSfJw8Lht1o89i0aNwjHLHO70v7SlAUJWJXg2sMoz8Weg==,iv:g9a/QNXyDorilDdh6GQjWmO4iZ8ngYqjMmws8O64T9M=,tag:5QrBdNY011OTvZPr9FVqEg==,type:str]", + "postmarkToken": "ENC[AES256_GCM,data:BbtKG+s1jd6UAeDxZaEr/mu4uIVGeZGXZXi1dE2FkS0BIMNc,iv:0xnv4+R7UqDz2c6y6ysOM80dqiG8sbRrfTP01K1in8w=,tag:tdGnDjRXkN2JJ6TjboJ+4w==,type:str]", + "senderEmail": "ENC[AES256_GCM,data:deC9KkfrFH8I6mVWVMJBZr2w6KInNKrdVrdTJRvn3XXllX8gWpGY0w==,iv:7CxEU3W7vVKOfjT/OxDdi66FG9tgqNU5IWsZ8vdaEAo=,tag:JaQ2oDI/Ups7JWZT6Cvy7A==,type:str]", "mailingGroups": { - "inconsistencyReports": "ENC[AES256_GCM,data:WpfRg05ey0NqXD7xsJM4em2QxwBTZf1A/dhZJmll,iv:nSH3oPSmja6lvEqGLpNrpPqVmMrD8OqAU3gvMIlm68E=,tag:vIi5G+3F3eIoZP6zma7rZw==,type:str]", - "mediaReports": 
"ENC[AES256_GCM,data:ayhONEdMxKQgJKtVzkcJUMWy30y/hw==,iv:Cr/vcQ/HObcbSfoKXZ8hiGwSdTETsAoohJCargaWadM=,tag:WCpfrV0SSBM+DoYIahIkpw==,type:str]", - "errorReports": "ENC[AES256_GCM,data:5IfELwZmEvDgIalp3M4oxh8jgiJKuA==,iv:YCuAsQMiIE+ahatbc+GcJAwfr//aoGsfb6VCUeeXZh0=,tag:06RAnL4s2sFsvBJqH5IZuQ==,type:str]" + "inconsistencyReports": "ENC[AES256_GCM,data:xa5CZVgtN+aHg5+RnwMY7ATH27UrRT+2JqOKPT3C,iv:WeBytCB7C8hb+IFDc7C3Nw4sRjej5zJR3MQccs1yMW0=,tag:fxdGkYUyUnUyy4R1A4Z/yw==,type:str]", + "mediaReports": "ENC[AES256_GCM,data:qohrB1LFt1gkXIpJQf15X6GJxBJYrQ==,iv:FdFOib8l5r3LHzq69WcrNal6Oapj8KpP3u8ntiKtjMY=,tag:RFvakkOLVPn8U2gvLS01ZA==,type:str]", + "errorReports": "ENC[AES256_GCM,data:y4ow1pkmfa99Q5svRgOvNACNArddYA==,iv:2b1SW/f2N77g6phgzJvTwqZABakN+Tb12y+0A3wQqSw=,tag:8bBAYCEdMbA3oydBcvS9HA==,type:str]" } }, "amqpPassword": { - "production": "ENC[AES256_GCM,data:HGWWEwKhNeIAYqqyzAo=,iv:JwsXBZwyrzvO7KvfmyE2RUmo23n+zXedS0HZpHUgg1U=,tag:CCk7MgUKbwREy9cSdJNtig==,type:str]", - "staging": "ENC[AES256_GCM,data:DULoLDulN6rSeHVf+g0=,iv:DOPgUu1P+1c6YXYbYona3Q/rCN2X9Gs8sMiOaJgLu1A=,tag:h35i33gOmBgFAtbjFiQgWw==,type:str]" + "production": "ENC[AES256_GCM,data:UvF1DhPQ3lLrJYj32No=,iv:QNPmqKxpGTrmZVgWmtNDtRWxSoVHIim2ckHyUrAuz0M=,tag:oNZRnFDxBVd2yGbwX7xSKw==,type:str]", + "staging": "ENC[AES256_GCM,data:DDZjkGqHPWlCOGrdLwo=,iv:Z7jQDL1iMXj2YdW7wKI3MiRBrUUrrBvDH8RHuAzWCh8=,tag:u0PAf4sGWDNVXcNt9dOaUA==,type:str]" + }, + "webappLandingEnvVars": { + "COMM_JSONCONFIG_facts_keyserver_url": { + "baseDomain": "ENC[AES256_GCM,data:+GcgIOcSSNTX3NnmvbXFd37yMTk=,iv:lMm4j7HgSBw3wmYZJMHMfUfd5sDi0xgKH9wK38EHVCk=,tag:8zQyNn7hU9R/PhArVBXNFw==,type:str]", + "basePath": "ENC[AES256_GCM,data:Fg==,iv:gDFfX9WUBJcNeyVft5HLeHZt8Xi7oJSfGFQbJxvf9tM=,tag:GfiSxHv2hpCFuAV9t9jLjA==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:Ig==,iv:/gf72cUemCOi4l1ba9tfrmzgKFNioM4ANt9FrIQmf2s=,tag:gozyFjcN6JShKIFqjEyhlg==,type:str]", + "https": 
"ENC[AES256_GCM,data:l/2Bag==,iv:+4iAKRVe2eU4aPGneHQbtK747N039ZN/Ih+LZqLm6y8=,tag:+J5sXye6biqxo6e7n7nKFQ==,type:bool]", + "proxy": "ENC[AES256_GCM,data:CJKU,iv:CYJg7H+OxAMRoWNCa4QPYYsSRrdE7SvrhyIWp8JlfKA=,tag:2fbwoy+zMPQohovX10pihg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_alchemy": { + "key": "ENC[AES256_GCM,data:gWcNWqhgHPQHDr5IH5f1Q2GTXk6CH5sB5rdFYVZevWA=,iv:jPwycRvSe/QjjG6Hv7da4xRVZoQktL7afSygGUo4uzU=,tag:9YmQRZfUMuB85oyp9fxj0w==,type:str]" + }, + "COMM_JSONCONFIG_secrets_walletconnect": { + "key": "ENC[AES256_GCM,data:qpjWmEYBBWCywgJexhZNHJvALaXE/W4UGHz9NZ0DsVA=,iv:Z+EgXtkKu4CEu+BZcbH+CXX3tsknUbyrkQDk4Utb9O0=,tag:jC4MRw0e0+dEdTeZiShHYg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_geoip_license": { + "key": "ENC[AES256_GCM,data:izLdCBxInOon8Ig1zQ3TCg==,iv:U0OCacer7ndhXxvz7jsVLqZsHbN7YtyIL4dOF7XO9Og=,tag:Hc1cqvkFr5np6cQc0PfbLg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_postmark": { + "apiToken": "ENC[AES256_GCM,data:VYDjTfJbx8DpmYOcaYH7204AF1BwEO0GHt2YbOMkG1Gq/OH8,iv:ab0qvpWtmSSjK9MgnWJv81CJLrrqjZgyFIND9anGdJs=,tag:ojwv2ibPEHzagQdbGEpJpg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_neynar": { + "key": "ENC[AES256_GCM,data:tZJcGhqmrfmcI4HesJDRfgsIfDG5kkBM1GoDdFp4KuqwAB6Q,iv:RXhGcXMu0iV0ZH3AdYIYDTLiLg53TT6VYZOeGkM1OWg=,tag:G7wKiASk4O6BW9PwNrWl6Q==,type:str]" + } + }, + "webappLandingStagingEnvVars": { + "COMM_JSONCONFIG_facts_webapp_url": { + "baseDomain": "ENC[AES256_GCM,data:o+EpVdZA23K1uYqzBmxygvzZeVj3,iv:WxEfd8J0i+KPqZ4I38TjS7oNKhWypicXXgtMArlDadM=,tag:p3BrsAh617hh3IdyHSbc6Q==,type:str]", + "basePath": "ENC[AES256_GCM,data:+w==,iv:hAPYvTBpBuL8XwvRNVXaMdVh45Kcmr2peuSR+TLYcYE=,tag:TY3rTAmARFQ6pIKy6Mi/rg==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:RQ==,iv:RXGLhUo6utp81Wm9sA6EHI7wDQ963yUMhFecQvuVCCA=,tag:vdYqpRD8UA3nzTQ2FxyeZQ==,type:str]", + "https": "ENC[AES256_GCM,data:5lUNcA==,iv:VSAbJS3Pl36NLjJYAmUP9gYxR5Jb8jM8ka807z2dJX8=,tag:wKnYvt13JgWtu8C3adTqFA==,type:bool]", + "proxy": 
"ENC[AES256_GCM,data:A9HH,iv:BGXVa4aOsNjX0y1LLXLRDqx6k0CCW9U/poAKK8KBFs4=,tag:HMSXWIZrc9Ks8QxhLHGIVA==,type:str]" + }, + "COMM_JSONCONFIG_facts_landing_url": { + "baseDomain": "ENC[AES256_GCM,data:NX+COqXbFbK1JuaWa7lJTXNCLTen,iv:C6+YAkU0oXxOQR8jz3NhFgGN1RWY8mLCARB7i+j15Uw=,tag:UFnDyJc4+6TDKJvMeg/4ng==,type:str]", + "basePath": "ENC[AES256_GCM,data:wA==,iv:AV1Ld5U7jdo7xie//iTZB+wjPibswDw3okLhDTqcuHI=,tag:XIiuMXzAGK975FAGA8ShSQ==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:GA==,iv:19x9COVTcr5YXrIy03LQ8TQNl1KfWZxmK5IU5NDl/r4=,tag:0ZuqykTszTVcwLMV28FasA==,type:str]", + "https": "ENC[AES256_GCM,data:OrEisQ==,iv:3wy5MSzhB5Ti48J3evBsD6LwvH+u5TbHnLV1bChNJVI=,tag:1PPSHV8W4r1SvsSWAj4lNA==,type:bool]" + } + }, + "webappLandingProdEnvVars": { + "COMM_JSONCONFIG_facts_webapp_url": { + "baseDomain": "ENC[AES256_GCM,data:PkQCRBTN+k3UmdWrJx5apl8swfo=,iv:PGEXm7BKR4mazT0O6bK0ZgYZ1N769olqxv+9MdIj06A=,tag:ISSpIZfTjBhkX7+jwxO5XQ==,type:str]", + "basePath": "ENC[AES256_GCM,data:Mg==,iv:k0mZrlNJvUFwJ0Nv0nnj/ngEBpcry22ygFUK0aIb7rs=,tag:P2QBvKphr3Nv1UFgX5gJyw==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:Tg==,iv:m1NIh3/swrVhHDBXdKy0JApSTIx4Sv9+Yl3RZiBGcEI=,tag:UZgFVcZQwcAcpfP/KE395w==,type:str]", + "https": "ENC[AES256_GCM,data:enK/KA==,iv:GJNsCjVVE7ksFuOgTmed5/IOfAPY/G8Aap1rVxi3Ljc=,tag:/18SDiWCUW+4qKioUnxnPA==,type:bool]", + "proxy": "ENC[AES256_GCM,data:jwlb,iv:UB6TikOilAESBHMuD9+LIDmNZD4g24o2x0K1a+7xS0w=,tag:E6THOXGN4QMjlg29QW2vwQ==,type:str]" + }, + "COMM_JSONCONFIG_facts_landing_url": { + "baseDomain": "ENC[AES256_GCM,data:dRsAlE/ZERqISxIx7P6aCg==,iv:SLM9tvU/sksjUtj8q6PipBSa8AUXFSwc6DS0P2nDxfE=,tag:xeiTBFC2uz2AXjbyXY7AuA==,type:str]", + "basePath": "ENC[AES256_GCM,data:sQ==,iv:Oz5g4GIyWDvVIigUtaqu3XZ9a4H8J8he0sH4ItmccIU=,tag:FdMzgGH7ZZqMWxubhMGDsA==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:yA==,iv:C44lMkHqZvbzqU8whBp0Hym5AxizY0SKVfa4X7PwKj0=,tag:uZmMxA78hdQwKe2gzL5w6Q==,type:str]", + "https": 
"ENC[AES256_GCM,data:D1gRoQ==,iv:FshkmudzDrEedO51n206Z9RQHjJzXWpkfPe4Njk6pb8=,tag:KBSO1fnTX8vVKk5EV86Lnw==,type:bool]" + } }, "sops": { "kms": [ { "arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303", - "created_at": "2023-07-29T15:16:43Z", - "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewFFXrO432X6dWZfZHFVsgoGAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM0LAEze794jBZIKO/AgEQgDuVcwyViTDZoLwGj5icgKlABQFeUofitRD9e19i3Q+0ZyT7sSQ/4t2GuxvVo4cVEIkHCgTNH2RXLoqzPA==", + "created_at": "2024-08-02T19:26:39Z", + "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewHIbR0u6/Kr+Ftbzjo/wFIxAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMTB0popV+0Y/hGcnaAgEQgDskdVFmVlQgvwzmF1rHHdoa3hVzOr4AovjpmYRiapGrSn8DUhyKKVh/LhH8M+dL3FDAp7mBoRA26facEg==", "aws_profile": "" } ], "gcp_kms": null, "azure_kv": null, "hc_vault": null, "age": null, - "lastmodified": "2023-09-12T09:29:09Z", - "mac": "ENC[AES256_GCM,data:q0leMf7J7MBHoQQ6h82eT4xUsIHC6j1DKolRYn/USJsZ4+rt2EEICzD7J8tLUIzv2IqHnTV9hYMt+8Q0qAfOl87Z8VI0TwzXiAx3b2pdAfCheozz6vE1F/94XVz8S6v/YZpVGT9u1lwPISdXYfd/7QqK3u8hZJM/PVVn5djNcj8=,iv:pb1Ii6BfZMgz6S3R+xEehycArHeBz2wzNHJLms9Jby0=,tag:s8sCtTexTs7Qb6magRWzSw==,type:str]", + "lastmodified": "2024-08-02T19:26:39Z", + "mac": "ENC[AES256_GCM,data:S6LREk1Bahu+R92V+j6KBfmzb0GjjxXRQCHGoX8w7dDZHiDx+aTeag269vK+gfjZUwsGgMqYVuY5qBemj3j5Szcd9hHZ4t6sFN0XQ/jVhggRK3dlMwpNR7c4wmPNNlf/fj5q1NoNx3CItDkQlLL6kGkUFqOWJV7JHBZSRZxsYek=,iv:lYbRENzq+K6sjwQ/snwGe8GP2wR0ypgcTaz6XaJLtZs=,tag:hG9AOht9XEwtjTm5bfLV8Q==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" + "version": "3.8.1" } } diff --git a/services/terraform/remote/service_webapp.tf b/services/terraform/remote/service_webapp.tf new file mode 100644 index 000000000..616db61c9 --- /dev/null +++ b/services/terraform/remote/service_webapp.tf 
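Review bot: The new `webappLandingEnvVars`, `webappLandingStagingEnvVars` and `webappLandingProdEnvVars` blocks encrypt non-secret facts (`COMM_JSONCONFIG_facts_keyserver_url`, `COMM_JSONCONFIG_facts_webapp_url`, `COMM_JSONCONFIG_facts_landing_url` with `baseDomain`, `basePath`, `baseRoutePath`, `https`, `proxy`) in the same SOPS file as real credentials (`COMM_JSONCONFIG_secrets_alchemy`, `..._secrets_walletconnect`, `..._secrets_geoip_license`, `..._secrets_postmark`, `..._secrets_neynar`). Encrypting the facts means a domain or proxy change can no longer be reviewed in a diff, and keeping them next to credentials means every URL edit is an edit of the credential file; moving the `facts_*` entries into plain Terraform locals or a separate SOPS file would keep this file small and its changes reviewable. The KMS `created_at`/`enc` fields and every pre-existing ciphertext changed alongside the `version` bump to 3.8.1, which looks like a data-key rotation rather than a change of the underlying values, but that cannot be confirmed from the diff.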
@@ -0,0 +1,54 @@
+locals {
+ webapp_image_tag = "1.0.103"
+ webapp_service_image = "commapp/keyserver:${local.webapp_image_tag}"
+ webapp_container_name = "webapp"
+
+ webapp_run_server_config = jsonencode({
+ runKeyserver = false
+ runWebApp = true
+ runLanding = false
+ })
+
+ webapp_landing_environment_vars = local.secrets["webappLandingEnvVars"]
+
+ webapp_landing_environment_vars_encoded = {
+ for key, value in local.webapp_landing_environment_vars : key => jsonencode(value)
+ }
+
+ stage_specific_environment_vars = (local.is_staging ?
+ local.secrets["webappLandingStagingEnvVars"] :
+ local.secrets["webappLandingProdEnvVars"])
+
+ stage_specific_environment_vars_encoded = {
+ for key, value in local.stage_specific_environment_vars : key => jsonencode(value)
+ }
+
+ webapp_environment_vars = merge(
+ local.webapp_landing_environment_vars_encoded,
+ local.stage_specific_environment_vars_encoded,
+ {
+ "COMM_LISTEN_ADDR" = "0.0.0.0",
+ "COMM_NODE_ROLE" = "webapp",
+ "COMM_JSONCONFIG_facts_run_server_config" = local.webapp_run_server_config
+ })
+}
+
+module "webapp_service" {
+ source = "../modules/keyserver_node_service"
+
+ container_name = "webapp"
+ image = local.webapp_service_image
+ service_name = "webapp"
+ cluster_id = aws_ecs_cluster.comm_services.id
+ domain_name = local.is_staging ? "comm.software" : "web.comm.app"
+ vpc_id = aws_vpc.default.id
+ vpc_subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+ region = "us-east-2"
+ environment_vars = local.webapp_environment_vars
+ ecs_task_role_arn = aws_iam_role.keyserver_node_ecs_task_role.arn
+ ecs_task_execution_role_arn = aws_iam_role.ecs_task_execution.arn
+}
+
+output "webapp_service_load_balancer_dns_name" {
+ value = module.webapp_service.service_load_balancer_dns_name
+}
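Review bot: `webapp_environment_vars` merges the SOPS-decrypted `COMM_JSONCONFIG_secrets_*` values (Alchemy, WalletConnect, GeoIP, Postmark and Neynar keys) into `environment_vars`; if the `keyserver_node_service` module (outside this diff) renders that map into the task definition's `environment` block, those credentials sit in plaintext in the task definition, readable by anyone with `ecs:DescribeTaskDefinition` and in the console, instead of being injected at start-up through a `secrets`/`valueFrom` reference — the `ecs_task_execution` role in `aws_iam.tf` already carries `SecretsManagerReadWrite` and `AmazonSSMReadOnlyAccess`, so that path is available. Please confirm how the module treats the map and, if it is `environment`, move the `secrets_*` entries to Secrets Manager references and keep only the `facts_*` entries as plain environment. Separately, `webapp_container_name` is declared in `locals` but the module call repeats the literal `"webapp"` for `container_name` and `service_name`; `container_name = local.webapp_container_name` keeps one source of truth. `image` is pinned by the mutable tag `1.0.103`; pinning by digest, e.g. `commapp/keyserver@sha256:<digest placeholder>`, would make the deployed artifact reproducible and tamper-evident.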