refactor security groups, and dynamically create ecs services and loa…

…d balancer configuration
CDCgov · Jun 19, 2024 · f5e78a7 · f5e78a7
1 parent e2f7a70
commit f5e78a7
Show file tree

Hide file tree

Showing 6 changed files with 113 additions and 137 deletions.
diff --git a/terraform/implementation/ecs/_local.tf b/terraform/implementation/ecs/_local.tf
@@ -4,8 +4,9 @@ locals {
       fargate_cpu    = 1024,
       fargate_memory = 2048,
       app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-viewer:${var.phdi_version}",
-      container_port = 8080,
-      host_port      = 8080,
+      container_port = 3000,
+      host_port      = 3000,
+      public         = true
       env_vars       = []
     },
     fhir-converter = {
@@ -14,6 +15,7 @@ locals {
       app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/fhir-converter:${var.phdi_version}",
       container_port = 8080,
       host_port      = 8080,
+      public         = false
       env_vars       = []
     },
     ingestion = {
@@ -22,6 +24,7 @@ locals {
       app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ingestion:${var.phdi_version}",
       container_port = 8080,
       host_port      = 8080,
+      public         = false
       env_vars       = []
     },
     validation = {
@@ -30,6 +33,7 @@ locals {
       app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/validation:${var.phdi_version}",
       container_port = 8080,
       host_port      = 8080,
+      public         = false
       env_vars       = []
     },
     orchestration = {
@@ -38,6 +42,7 @@ locals {
       app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/orchestration:${var.phdi_version}",
       container_port = 8080,
       host_port      = 8080,
+      public         = true
       env_vars = [
         {
           name  = "APPMESH_VIRTUAL_NODE_NAME",

diff --git a/terraform/modules/ecs/_variable.tf b/terraform/modules/ecs/_variable.tf
@@ -80,7 +80,7 @@ variable "ecr_repo_url" {
 }
 
 variable "health_check_path" {
-  default = "/fhir-converter"
+  default = "/"
 }
 
 variable "fargate_cpu" {

diff --git a/terraform/modules/ecs/alb.tf b/terraform/modules/ecs/alb.tf
@@ -3,7 +3,7 @@ resource "aws_alb" "main" {
   internal           = false
   load_balancer_type = "application"
   subnets            = flatten([var.public_subnet_ids])
-  security_groups    = [aws_security_group.alb_sg.id]
+  security_groups    = [aws_security_group.alb.id]
 
   enable_deletion_protection = false
 
@@ -13,9 +13,10 @@ resource "aws_alb" "main" {
 }
 
 # Defines the target gropu associated with the ALB
-resource "aws_alb_target_group" "main" {
-  name        = var.target_group_name
-  port        = var.app_port
+resource "aws_alb_target_group" "this" {
+  name = var.target_group_name
+  # port        = key.value.container_port if each.key == orchestration || ecr-viewer else do_nothing
+  port        = 3000
   protocol    = "HTTP"
   vpc_id      = var.vpc_id
   target_type = "ip"
@@ -31,14 +32,90 @@ resource "aws_alb_target_group" "main" {
   }
 }
 
-# Redirect all traffic from the ALB to the target group
-resource "aws_alb_listener" "listener_8080" {
+resource "aws_alb_listener" "http" {
+  # for_each          = aws_alb_target_group.this
   load_balancer_arn = aws_alb.main.arn
-  port              = var.app_port
+  port              = "80"
   protocol          = "HTTP"
-
   default_action {
-    target_group_arn = aws_alb_target_group.main.arn
     type             = "forward"
+    target_group_arn = aws_alb_target_group.this.arn
+  }
+}
+
+# Security Group for ECS
+resource "aws_security_group" "ecs" {
+  vpc_id                 = var.vpc_id
+  name                   = "dibbs-aws-ecs"
+  description            = "Security group for ECS"
+  revoke_rules_on_delete = true
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# ECS Security Group Rules - INBOUND
+resource "aws_security_group_rule" "ecs_alb_ingress" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  description              = "Allow inbound traffic from ALB"
+  security_group_id        = aws_security_group.ecs.id
+  source_security_group_id = aws_security_group.alb.id
+}
+
+# ECS Security Group Rules - OUTBOUND
+resource "aws_security_group_rule" "ecs_all_egress" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  description       = "Allow outbound traffic from ECS"
+  security_group_id = aws_security_group.ecs.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+# Security Group for alb
+resource "aws_security_group" "alb" {
+  vpc_id                 = var.vpc_id
+  name                   = "dibbs-aws-ecs-alb"
+  description            = "Security group for ALB"
+  revoke_rules_on_delete = true
+  lifecycle {
+    create_before_destroy = true
   }
 }
+
+# Alb Security Group Rules - INBOUND
+resource "aws_security_group_rule" "alb_http_ingress" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "TCP"
+  description       = "Allow http inbound traffic from internet"
+  security_group_id = aws_security_group.alb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+# Alb Security Group Rules - INBOUND
+resource "aws_security_group_rule" "alb_https_ingress" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "TCP"
+  description       = "Allow https inbound traffic from internet"
+  security_group_id = aws_security_group.alb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+# Alb Security Group Rules - OUTBOUND
+resource "aws_security_group_rule" "alb_egress" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  description       = "Allow outbound traffic from alb"
+  security_group_id = aws_security_group.alb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
diff --git a/terraform/modules/ecs/ecs.tf b/terraform/modules/ecs/ecs.tf
@@ -2,68 +2,6 @@ resource "aws_ecs_cluster" "dibbs_app_cluster" {
   name = var.ecs_cluster_name
 }
 
-resource "aws_default_vpc" "default_vpc" {}
-
-resource "aws_default_subnet" "default_subnet_a" {
-  availability_zone = var.availability_zones[0]
-}
-
-resource "aws_default_subnet" "default_subnet_b" {
-  availability_zone = var.availability_zones[1]
-}
-
-resource "aws_security_group" "load_balancer_security_group" {
-  vpc_id = var.vpc_id
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
-
-# resource "aws_lb_target_group" "target_group" {
-#   name        = var.target_group_name
-#   port        = var.container_port
-#   protocol    = "HTTP"
-#   target_type = "ip"
-#   vpc_id      = var.vpc_id
-# }
-
-# resource "aws_lb_listener" "listener" {
-#   load_balancer_arn = aws_alb.main.arn
-#   port              = "80"
-#   protocol          = "HTTP"
-#   default_action {
-#     type             = "forward"
-#     target_group_arn = aws_lb_target_group.target_group.arn
-#   }
-# }
-
-resource "aws_security_group" "service_security_group" {
-  vpc_id = var.vpc_id
-  ingress {
-    from_port       = 0
-    to_port         = 0
-    protocol        = "-1"
-    security_groups = ["${aws_security_group.load_balancer_security_group.id}"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
-
 resource "aws_ecs_task_definition" "this" {
   for_each                 = var.service_data
   family                   = each.key
@@ -74,14 +12,14 @@ resource "aws_ecs_task_definition" "this" {
   memory                   = each.value.fargate_memory
   container_definitions = jsonencode([
     {
-      name        = "${each.key}-app",
-      image       = "${each.value.app_image}",
+      name        = each.key,
+      image       = each.value.app_image,
       networkMode = "awsvpc",
       logConfiguration = {
         logDriver = "awslogs",
         options = {
-          awslogs-group         = "${var.ecs_cloudwatch_log_group}",
-          awslogs-region        = "${var.region}",
+          awslogs-group         = var.ecs_cloudwatch_log_group,
+          awslogs-region        = var.region,
           awslogs-stream-prefix = "ecs"
         }
       },
@@ -120,10 +58,22 @@ resource "aws_ecs_service" "this" {
     type = "ECS"
   }
 
+  dynamic "load_balancer" {
+    for_each = {
+      for key, value in var.service_data : key => value
+      if(each.key == "orchestration" && key == "orchestration") || (each.key == "ecr-viewer" && key == "ecr-viewer")
+    }
+    content {
+      target_group_arn = aws_alb_target_group.this.arn
+      container_name   = load_balancer.key
+      container_port   = load_balancer.value.container_port
+    }
+  }
+
   network_configuration {
-    security_groups  = ["${aws_security_group.service_security_group.id}"]
-    subnets          = var.public_subnet_ids
-    assign_public_ip = true
+    security_groups  = [aws_security_group.ecs.id]
+    subnets          = var.private_subnet_ids
+    assign_public_ip = false
   }
 
   service_registries {

diff --git a/terraform/modules/ecs/security.tf b/terraform/modules/ecs/security.tf
diff --git a/terraform/modules/s3/main.tf → terraform/modules/s3/s3.tf b/terraform/modules/s3/main.tf → terraform/modules/s3/s3.tf