diff --git a/services/terraform/self-host/aws_ecs.tf b/services/terraform/self-host/keyserver_cluster.tf
similarity index 57%
rename from services/terraform/self-host/aws_ecs.tf
rename to services/terraform/self-host/keyserver_cluster.tf
index d4ed72082..3aae82824 100644
--- a/services/terraform/self-host/aws_ecs.tf
+++ b/services/terraform/self-host/keyserver_cluster.tf
@@ -1,31 +1,64 @@
 locals { keyserver_service_image_tag = "1.0.102" keyserver_service_server_image = (var.custom_keyserver_image != null ? var.custom_keyserver_image : "commapp/keyserver:${local.keyserver_service_image_tag}") } resource "aws_ecs_cluster" "keyserver_cluster" { # Do not change without replacing cluster_name in aws-deploy.sh name = "keyserver-cluster" configuration { execute_command_configuration { logging = "DEFAULT" } } } # Namespace for services to be able to communicate with each other # by their hostnames. Similar to docker compose network. resource "aws_service_discovery_http_namespace" "keyserver_cluster" { name = "keyserver-cluster-http-namespace" tags = { "AmazonECSManaged" = "true" } } resource "aws_ecs_cluster_capacity_providers" "keyserver_cluster" { cluster_name = aws_ecs_cluster.keyserver_cluster.name capacity_providers = ["FARGATE"] }
+
+resource "aws_security_group" "keyserver_service" {
+ name = "keyserver-service-ecs-sg"
+ vpc_id = local.vpc_id
+
+ # Allow all inbound traffic on port 3000
+ ingress {
+ from_port = 3000
+ to_port = 3000
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "Allow inbound traffic from any IPv6 address"
+ from_port = 3000
+ to_port = 3000
+ protocol = "tcp"
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
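Review bot: The relocated `aws_security_group.keyserver_service` still admits TCP 3000 from `0.0.0.0/0` and `::/0`, while keyserver_primary.tf attaches the task to `aws_lb_target_group.keyserver_service` and sets `assign_public_ip = true`, so the container is reachable directly on its public IP and the load balancer (and whatever it enforces) can be bypassed. Unless direct access is intended, the ingress should be scoped to the load balancer's security group rather than a CIDR, e.g. `security_groups = [aws_security_group.<LB_SG_PLACEHOLDER>.id]` in place of `cidr_blocks = ["0.0.0.0/0"]`, with the IPv6 `::/0` rule dropped; the load balancer's security group name is not visible in this diff, so the reference needs confirming. If the open rule is deliberate, the first ingress block should record that in a `description` the way the second one does, e.g. `description = "Public access to keyserver port 3000 by design"`, instead of the bare `# Allow all inbound traffic on port 3000` comment.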
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
index 9f98aedd2..59d238417 100644
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -1,149 +1,116 @@
 locals { keyserver_primary_container_name = "keyserver-primary" keyserver_run_server_config = jsonencode({ runKeyserver = true runWebApp = false runLanding = false }) primary_environment_vars = merge(local.shared_environment_vars, { "COMM_NODE_ROLE" = "primary", "COMM_JSONCONFIG_facts_run_server_config" = local.keyserver_run_server_config }) primary_environment = [ for name, value in local.primary_environment_vars : { name = name value = value } ] } resource "aws_cloudwatch_log_group" "keyserver_primary_service" { name = "/ecs/keyserver-primary-task-def" retention_in_days = 7 } output "mariadb_address" { value = aws_db_instance.mariadb.address } resource "aws_ecs_task_definition" "keyserver_primary_service" { network_mode = "awsvpc" family = "keyserver-primary-task-def" requires_compatibilities = ["FARGATE"] task_role_arn = aws_iam_role.ecs_task_role.arn execution_role_arn = aws_iam_role.ecs_task_execution.arn cpu = "2048" memory = "4096" ephemeral_storage { size_in_gib = 40 } container_definitions = jsonencode([ { name = local.keyserver_primary_container_name image = local.keyserver_service_server_image essential = true portMappings = [ { name = "keyserver-port" containerPort = 3000 hostPort = 3000, protocol = "tcp" }, ] environment = local.primary_environment logConfiguration = { "logDriver" = "awslogs" "options" = { "awslogs-create-group" = "true" "awslogs-group" = aws_cloudwatch_log_group.keyserver_primary_service.name "awslogs-stream-prefix" = "ecs" "awslogs-region" = "${var.region}" } } linuxParameters = { initProcessEnabled = true } } ]) runtime_platform { cpu_architecture = "ARM64" operating_system_family = "LINUX" } skip_destroy = false } resource "aws_ecs_service" "keyserver_primary_service" { depends_on = [null_resource.create_comm_database] # Do not change name without replacing primary_service_name in aws-deploy.sh name = "keyserver-primary-service" cluster = aws_ecs_cluster.keyserver_cluster.id task_definition = 
aws_ecs_task_definition.keyserver_primary_service.arn launch_type = "FARGATE" enable_execute_command = true enable_ecs_managed_tags = true force_new_deployment = true desired_count = 1 deployment_maximum_percent = 100 deployment_minimum_healthy_percent = 0 network_configuration { subnets = local.vpc_subnets security_groups = [aws_security_group.keyserver_service.id] assign_public_ip = true } load_balancer { target_group_arn = aws_lb_target_group.keyserver_service.arn container_name = local.keyserver_primary_container_name container_port = 3000 } deployment_circuit_breaker { enable = true rollback = true } }
-
-resource "aws_security_group" "keyserver_service" {
- name = "keyserver-service-ecs-sg"
- vpc_id = local.vpc_id
-
- # Allow all inbound traffic on port 3000
- ingress {
- from_port = 3000
- to_port = 3000
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- description = "Allow inbound traffic from any IPv6 address"
- from_port = 3000
- to_port = 3000
- protocol = "tcp"
- ipv6_cidr_blocks = ["::/0"]
- }
-
- # Allow all outbound traffic
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- lifecycle {
- create_before_destroy = true
- }
-}