Merge pull request #245 from silinternational/release/12.4.0
Release 12.4.0 - AppConfig for id-broker
briskt authored Mar 11, 2024
2 parents ee8c2f6 + de785e1 commit 45b1188
Showing 10 changed files with 155 additions and 35 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -4,3 +4,4 @@
*.env
google-auth.json
.terraform/
.terraform.lock.hcl
3 changes: 3 additions & 0 deletions terraform/000-core/README.md
Expand Up @@ -8,6 +8,7 @@ used by later workspaces for HTTPS with the ALB.
- Create ECS cluster named after `app_name` and `app_env`
- Create IAM roles and policies for ECS services and instances
- Optionally create and validate an ACM certificate using DNS
- Optionally manage AppConfig application and environment

## Required Inputs

Expand All @@ -18,6 +19,8 @@ used by later workspaces for HTTPS with the ALB.

- `create_acm_cert` - Set to true if an ACM certificate is needed. Default: `false`
- `create_cd_user` - Set to false if an IAM user for continuous deployment is not needed. Default: `true`
- `app_env` - The abbreviated version of the environment used for naming resources, typically either stg or prod. Default: 'prod'
- `appconfig_app_name` - The application name in AppConfig. If not specified, no AppConfig resources will be created."

## Outputs

13 changes: 13 additions & 0 deletions terraform/000-core/main.tf
Expand Up @@ -93,3 +93,16 @@ resource "aws_acm_certificate_validation" "idp" {
certificate_arn = aws_acm_certificate.idp[0].arn
validation_record_fqdns = [cloudflare_record.idp-verification[0].hostname]
}

resource "aws_appconfig_application" "this" {
count = var.appconfig_app_name == "" ? 0 : 1

name = var.appconfig_app_name
}

resource "aws_appconfig_environment" "this" {
count = var.appconfig_app_name == "" ? 0 : 1

name = var.app_env
application_id = one(aws_appconfig_application.this[*].id)
}
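Review bot: The gate `count = var.appconfig_app_name == "" ? 0 : 1` is written out twice, once on each of the two new resources, so the two can silently drift if one is later edited; a single local such as `create_appconfig = var.appconfig_app_name != "" ? 1 : 0` used as `count = local.create_appconfig` on both expresses it as one decision. Neither resource documents why it is optional; a one-line comment above the application resource, `# AppConfig is only managed when appconfig_app_name is set; later workspaces consume app_id/env_id from outputs.tf`, would spare the next reader a trip to the README.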
13 changes: 13 additions & 0 deletions terraform/000-core/outputs.tf
Expand Up @@ -45,3 +45,16 @@ output "ecsServiceRole_arn" {
value = module.ecscluster.ecsServiceRole_arn
}


/*
* AppConfig outputs
*/
output "app_id" {
description = "AppConfig application ID"
value = one(aws_appconfig_application.this[*].id)
}

output "env_id" {
description = "AppConfig environment ID"
value = one(aws_appconfig_environment.this[*].environment_id)
}
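Review bot: Both outputs evaluate to null when `appconfig_app_name` is empty, because `one()` over a zero-length splat returns null, and neither description says so; consumers in later workspaces that default the matching variables to `""` should know to expect null rather than an empty string. Suggest `description = "AppConfig application ID; null when appconfig_app_name is not set"` and the same wording for `env_id`.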
17 changes: 17 additions & 0 deletions terraform/000-core/vars.tf
Expand Up @@ -20,3 +20,20 @@ variable "create_cd_user" {
default = true
}


/*
* Optional variables
*/

variable "app_env" {
description = "The abbreviated version of the environment used for naming resources, typically either stg or prod. Default: 'prod'"
type = string
default = "prod"
}

variable "appconfig_app_name" {
description = "The application name in AppConfig. If not specified, no AppConfig resources will be created."
type = string
default = ""
}
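Review bot: The `app_env` description ends with `Default: 'prod'`, which duplicates the `default = "prod"` two lines below and will go stale if the default ever changes; `description = "The abbreviated version of the environment used for naming resources, typically either stg or prod."` keeps one source of truth (the README hunk in this commit carries the same duplicated clause). `appconfig_app_name` is consistent with the resource gates in main.tf, where an empty string disables creation, so its description reads correctly as written.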

34 changes: 0 additions & 34 deletions terraform/020-database/db-users.sql

This file was deleted.

3 changes: 3 additions & 0 deletions terraform/040-id-broker/README.md
Expand Up @@ -6,6 +6,7 @@ This module is used to create an ECS service running id-broker.
- Create internal ALB for idp-broker
- Create task definition and ECS service for id-broker
- Create Cloudflare DNS record
- Optionally manage AppConfig configuration profile and ECS assume role

## Required Inputs

Expand Down Expand Up @@ -50,11 +51,13 @@ This module is used to create an ECS service running id-broker.
- `abandoned_user_abandoned_period` - Time a user record can remain abandoned before HR is notified. Default: `+6 months`
- `abandoned_user_best_practice_url` - URL for best practices, referenced in notification email. Default: (none)
- `abandoned_user_deactivate_instructions_url` - URL for instruction on how to deactivate user accounts, referenced in notification email. Default: (none)
- `app_id` - AppConfig application ID created by AWS. This cannot be the application name. Use with `env_id`.
- `contingent_user_duration` - How long before a new user without a primary email address expires. Default: `+4 weeks`
- `cpu_cron` - How much CPU to allocate to cron service. Default: `128`
- `email_repeat_delay_days` - Don't resend the same type of email to the same user for X days. Default: `31`
- `email_service_assertValidIp` - Whether or not to assert IP address for Email Service API is trusted
- `email_signature` - Signature for use in emails. Default is empty string
- `env_id` - AppConfig environment ID created by AWS. This cannot be the environment name. Use with `app_id`.
- `event_schedule` - Task run schedule. Default: `cron(0 0 * * ? *)`
- `ga_api_secret` - The Google Analytics API secret for the data stream (e.g. aB-abcdef7890123456789)
- `ga_client_id` - Used by Google Analytics to distinguish the user (e.g. IDP-<the idp name>-ID-BROKER)
76 changes: 76 additions & 0 deletions terraform/040-id-broker/main.tf
@@ -1,6 +1,8 @@
locals {
aws_account = data.aws_caller_identity.this.account_id
aws_region = data.aws_region.current.name
cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
config_id = local.cfg_id == null ? "" : local.cfg_id
}

/*
Expand Down Expand Up @@ -79,6 +81,9 @@ locals {
subdomain_with_region = "${var.subdomain}-${local.aws_region}"

task_def = templatefile("${path.module}/task-definition.json", {
app_id = var.app_id
env_id = var.env_id
config_id = local.config_id
api_access_keys = local.api_access_keys
abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
abandoned_user_best_practice_url = var.abandoned_user_best_practice_url
Expand Down Expand Up @@ -202,13 +207,17 @@ module "ecsservice" {
tg_arn = aws_alb_target_group.broker.arn
lb_container_name = "web"
lb_container_port = "80"
task_role_arn = one(aws_iam_role.app_config[*].arn)
}

/*
* Create ECS service
*/
locals {
task_def_cron = templatefile("${path.module}/task-definition.json", {
app_id = var.app_id
env_id = var.env_id
config_id = local.config_id
api_access_keys = local.api_access_keys
abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
abandoned_user_best_practice_url = var.abandoned_user_best_practice_url
Expand Down Expand Up @@ -421,6 +430,73 @@ data "cloudflare_zone" "domain" {
}


/*
* Create role for access to AppConfig
*/
resource "aws_iam_role" "app_config" {
count = var.app_id == "" ? 0 : 1

name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "ECSAssumeRoleAppConfig"
Effect = "Allow"
Principal = {
Service = [
"ecs-tasks.amazonaws.com",
]
}
Action = "sts:AssumeRole"
Condition = {
ArnLike = {
"aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*"
}
StringEquals = {
"aws:SourceAccount" = local.aws_account
}
}
}
]
})
}

resource "aws_iam_role_policy" "app_config" {
count = var.app_id == "" ? 0 : 1

name = "app_config"
role = one(aws_iam_role.app_config[*].id)
policy = jsonencode(
{
Version = "2012-10-17"
Statement = [
{
Sid = "AppConfig"
Effect = "Allow"
Action = [
"appconfig:GetLatestConfiguration",
"appconfig:StartConfigurationSession",
]
Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}"
}
]
})
}


/*
* Create AppConfig configuration profile
*/
resource "aws_appconfig_configuration_profile" "this" {
count = var.app_id == "" ? 0 : 1

application_id = var.app_id
name = "${var.app_name}-${var.app_env}"
location_uri = "hosted"
}

/*
* AWS data
*/
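Review bot: `task_role_arn = one(aws_iam_role.app_config[*].arn)` is wired only into the `ecsservice` module, while `task_def_cron` receives the same `app_id`/`env_id`/`config_id` template values; if the module that runs the cron task definition, which lies outside this hunk, is not also given the role, the cron task will see `CONFIG_ID` in its environment but have no permission for `appconfig:StartConfigurationSession`. Every `count` in the new resources tests only `var.app_id`, yet the policy `Resource` ARN also interpolates `var.env_id`, so `app_id` set with `env_id` left at its default `""` produces an ARN with an empty environment segment instead of a plan-time error; a `lifecycle { precondition { ... } }` on `aws_iam_role_policy.app_config` with `condition = var.env_id != ""` would surface that before apply. The trust policy's `Condition` block is the part a later maintainer is most likely to loosen, so a comment above it such as `# aws:SourceArn / aws:SourceAccount limit the role to ECS tasks in this account and region (confused-deputy guard)` is worth adding. Whether the ecsservice module accepts a null `task_role_arn` when `app_id` is empty cannot be told from this hunk.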
16 changes: 16 additions & 0 deletions terraform/040-id-broker/task-definition.json
Expand Up @@ -21,6 +21,22 @@
"ulimits": null,
"dockerSecurityOptions": null,
"environment": [
{
"name": "APP_ID",
"value": "${app_id}"
},
{
"name": "AWS_REGION",
"value": "${aws_region}"
},
{
"name": "ENV_ID",
"value": "${env_id}"
},
{
"name": "CONFIG_ID",
"value": "${config_id}"
},
{
"name": "ABANDONED_USER_abandonedPeriod",
"value": "${abandoned_user_abandoned_period}"
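Review bot: `AWS_REGION` is rendered from `${aws_region}`, but the two `templatefile` maps changed in `terraform/040-id-broker/main.tf` by this commit add only `app_id`, `env_id` and `config_id`; unless `aws_region` is already supplied further down those maps, outside the visible hunks, `templatefile` will reject the template for a missing key at plan time. Given that `vars.tf` now says the region is taken from the `aws_region` data source, `aws_region = local.aws_region` in both maps is presumably the intended source, which is worth confirming before release. The enclosing `environment` array continues outside the hunk.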
14 changes: 13 additions & 1 deletion terraform/040-id-broker/vars.tf
Expand Up @@ -25,7 +25,7 @@ variable "app_name" {
}

variable "aws_region" {
description = "This is deprecated. The region is more reliably determined from the aws_region data source."
description = "This is not used. The region is more reliably determined from the aws_region data source."
type = string
default = ""
}
Expand Down Expand Up @@ -580,3 +580,15 @@ variable "vpc_id" {
variable "wildcard_cert_arn" {
type = string
}

variable "app_id" {
description = "AppConfig application ID created by AWS. This cannot be the application name."
type = string
default = ""
}

variable "env_id" {
description = "AppConfig environment ID created by AWS. This cannot be the environment name."
type = string
default = ""
}
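Review bot: The README hunk in this commit tells users to set `app_id` and `env_id` together, but the variable descriptions here do not, and nothing in main.tf enforces it, so a user reading only `terraform plan` output can set one without the other. Suggest `description = "AppConfig application ID created by AWS. This cannot be the application name. Must be set together with env_id."` and the mirror-image sentence on `env_id`. The `aws_region` wording change from "deprecated" to "not used" is clearer, though the variable itself is kept; a `# retained for backward compatibility with existing tfvars` comment would explain why it survives.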

0 comments on commit 45b1188
