diff --git a/terraform/implementation/ecs/_local.tf b/terraform/implementation/ecs/_local.tf
index acbac105..8d531796 100644
--- a/terraform/implementation/ecs/_local.tf
+++ b/terraform/implementation/ecs/_local.tf
@@ -4,8 +4,9 @@ locals {
 fargate_cpu = 1024,
 fargate_memory = 2048,
 app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-viewer:${var.phdi_version}",
- container_port = 8080,
- host_port = 8080,
+ container_port = 3000,
+ host_port = 3000,
+ public = true
 env_vars = []
 },
 fhir-converter = {
@@ -14,6 +15,7 @@ locals {
 app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/fhir-converter:${var.phdi_version}",
 container_port = 8080,
 host_port = 8080,
+ public = false
 env_vars = []
 },
 ingestion = {
@@ -22,6 +24,7 @@ locals {
 app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ingestion:${var.phdi_version}",
 container_port = 8080,
 host_port = 8080,
+ public = false
 env_vars = []
 },
 validation = {
@@ -30,6 +33,7 @@ locals {
 app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/validation:${var.phdi_version}",
 container_port = 8080,
 host_port = 8080,
+ public = false
 env_vars = []
 },
 orchestration = {
@@ -38,6 +42,7 @@ locals {
 app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/orchestration:${var.phdi_version}",
 container_port = 8080,
 host_port = 8080,
+ public = true
 env_vars = [
 {
 name = "APPMESH_VIRTUAL_NODE_NAME",
diff --git a/terraform/modules/ecs/_variable.tf b/terraform/modules/ecs/_variable.tf
index 0e61fa2b..ed19cbcc 100644
--- a/terraform/modules/ecs/_variable.tf
+++ b/terraform/modules/ecs/_variable.tf
@@ -80,7 +80,7 @@ variable "ecr_repo_url" {
 }
 variable "health_check_path" {
- default = "/fhir-converter"
+ default = "/"
 }
 variable "fargate_cpu" {
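Review bot: The `public = true` added to ecr-viewer (and the `public` flags on the four sibling services) is not consumed anywhere in this diff — the ECS service module still selects the load-balanced services by literal name — so flipping this attribute on a service changes nothing, while a reader of this file will assume it does. Either make the module filter on it (`if key == each.key && try(value.public, false)`) or leave the attribute out until something reads it. The sibling attributes end with a comma and this one does not; HCL object literals accept newline-separated items so it should still parse, but the mixed style invites a copy-paste error later. The enclosing `locals` block starts and ends outside the hunk.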
diff --git a/terraform/modules/ecs/alb.tf b/terraform/modules/ecs/alb.tf
index e9c258d3..9ca32fff 100644
--- a/terraform/modules/ecs/alb.tf
+++ b/terraform/modules/ecs/alb.tf
@@ -3,7 +3,7 @@ resource "aws_alb" "main" {
 internal = false
 load_balancer_type = "application"
 subnets = flatten([var.public_subnet_ids])
- security_groups = [aws_security_group.alb_sg.id]
+ security_groups = [aws_security_group.alb.id]
 enable_deletion_protection = false
@@ -13,9 +13,10 @@ resource "aws_alb" "main" {
 }
 # Defines the target gropu associated with the ALB
-resource "aws_alb_target_group" "main" {
- name = var.target_group_name
- port = var.app_port
+resource "aws_alb_target_group" "this" {
+ name = var.target_group_name
+ # port = key.value.container_port if each.key == orchestration || ecr-viewer else do_nothing
+ port = 3000
 protocol = "HTTP"
 vpc_id = var.vpc_id
 target_type = "ip"
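Review bot: The line `# port = key.value.container_port if each.key == orchestration || ecr-viewer else do_nothing` above `port = 3000` is leftover pseudocode rather than an explanation of the hard-coded value; replace it with what actually holds, e.g. `# Default registration port only: with target_type = "ip" the ECS service registers each task on the container_port from its own load_balancer block.` (worth confirming against the ECS docs before committing the wording). Because `name = var.target_group_name` is fixed, this single group is what every load-balanced service will attach to, which is only correct if those services answer the same routes; if they do not, the group needs a `for_each` over the public services, as the pseudocode hints. The target group's remaining attributes are outside the hunk.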
@@ -31,14 +32,90 @@ resource "aws_alb_target_group" "main" { } } -# Redirect all traffic from the ALB to the target group -resource "aws_alb_listener" "listener_8080" { +resource "aws_alb_listener" "http" { + # for_each = aws_alb_target_group.this load_balancer_arn = aws_alb.main.arn - port = var.app_port + port = "80" protocol = "HTTP" - default_action { - target_group_arn = aws_alb_target_group.main.arn type = "forward" + target_group_arn = aws_alb_target_group.this.arn + } +} + +# Security Group for ECS +resource "aws_security_group" "ecs" { + vpc_id = var.vpc_id + name = "dibbs-aws-ecs" + description = "Security group for ECS" + revoke_rules_on_delete = true + lifecycle { + create_before_destroy = true + } +} + +# ECS Security Group Rules - INBOUND +resource "aws_security_group_rule" "ecs_alb_ingress" { + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + description = "Allow inbound traffic from ALB" + security_group_id = aws_security_group.ecs.id + source_security_group_id = aws_security_group.alb.id +} + +# ECS Security Group Rules - OUTBOUND +resource "aws_security_group_rule" "ecs_all_egress" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + description = "Allow outbound traffic from ECS" + security_group_id = aws_security_group.ecs.id + cidr_blocks = ["0.0.0.0/0"] +} + +# Security Group for alb +resource "aws_security_group" "alb" { + vpc_id = var.vpc_id + name = "dibbs-aws-ecs-alb" + description = "Security group for ALB" + revoke_rules_on_delete = true + lifecycle { + create_before_destroy = true } } + +# Alb Security Group Rules - INBOUND +resource "aws_security_group_rule" "alb_http_ingress" { + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "TCP" + description = "Allow http inbound traffic from internet" + security_group_id = aws_security_group.alb.id + cidr_blocks = ["0.0.0.0/0"] +} + +# Alb Security Group Rules - INBOUND +resource "aws_security_group_rule" "alb_https_ingress" { + type = "ingress" + 
from_port = 443
+ to_port = 443
+ protocol = "TCP"
+ description = "Allow https inbound traffic from internet"
+ security_group_id = aws_security_group.alb.id
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+# Alb Security Group Rules - OUTBOUND
+resource "aws_security_group_rule" "alb_egress" {
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ description = "Allow outbound traffic from alb"
+ security_group_id = aws_security_group.alb.id
+ cidr_blocks = ["0.0.0.0/0"]
+}
\ No newline at end of file
diff --git a/terraform/modules/ecs/ecs.tf b/terraform/modules/ecs/ecs.tf
index 0da6ccd8..0257258a 100644
--- a/terraform/modules/ecs/ecs.tf
+++ b/terraform/modules/ecs/ecs.tf
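Review bot: The only listener this hunk creates is `aws_alb_listener.http` on port 80 forwarding straight to the target group, yet `alb_https_ingress` opens 443 from `0.0.0.0/0` — nothing listens there, so that rule is dead and every request to the internet-facing ALB (`internal = false`) crosses the network in cleartext. Add a 443 listener with `protocol = "HTTPS"`, an ACM `certificate_arn` and a TLS policy, and turn the port-80 listener's default_action into a redirect to it; the rewrite is sketched below. Separately, `ecs_alb_ingress` allows `protocol = "-1"` on every port from the ALB security group; deriving the allowed ports from `var.service_data`'s `container_port` values keeps a request that gets through the ALB from reaching anything else a task happens to listen on. The hunk begins on the previous line.

```hcl
resource "aws_alb_listener" "http" {
  load_balancer_arn = aws_alb.main.arn
  port              = "80"
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_alb_listener" "https" {
  load_balancer_arn = aws_alb.main.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn # new variable: ACM certificate for the ALB hostname
  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.this.arn
  }
}

# … unchanged: aws_security_group.ecs …

# One ingress rule per distinct container port instead of protocol "-1" on all ports
resource "aws_security_group_rule" "ecs_alb_ingress" {
  for_each                 = toset([for s in var.service_data : tostring(s.container_port)])
  type                     = "ingress"
  from_port                = tonumber(each.value)
  to_port                  = tonumber(each.value)
  protocol                 = "tcp"
  description              = "Allow inbound traffic from ALB on port ${each.value}"
  security_group_id        = aws_security_group.ecs.id
  source_security_group_id = aws_security_group.alb.id
}

# … unchanged: ecs_all_egress, aws_security_group.alb and its rules …
```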
@@ -2,68 +2,6 @@ resource "aws_ecs_cluster" "dibbs_app_cluster" {
 name = var.ecs_cluster_name
 }
-resource "aws_default_vpc" "default_vpc" {}
-
-resource "aws_default_subnet" "default_subnet_a" {
- availability_zone = var.availability_zones[0]
-}
-
-resource "aws_default_subnet" "default_subnet_b" {
- availability_zone = var.availability_zones[1]
-}
-
-resource "aws_security_group" "load_balancer_security_group" {
- vpc_id = var.vpc_id
- ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-# resource "aws_lb_target_group" "target_group" {
-# name = var.target_group_name
-# port = var.container_port
-# protocol = "HTTP"
-# target_type = "ip"
-# vpc_id = var.vpc_id
-# }
-
-# resource "aws_lb_listener" "listener" {
-# load_balancer_arn = aws_alb.main.arn
-# port = "80"
-# protocol = "HTTP"
-# default_action {
-# type = "forward"
-# target_group_arn = aws_lb_target_group.target_group.arn
-# }
-# }
-
-resource "aws_security_group" "service_security_group" {
- vpc_id = var.vpc_id
- ingress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- security_groups = ["${aws_security_group.load_balancer_security_group.id}"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
 resource "aws_ecs_task_definition" "this" {
 for_each = var.service_data
 family = each.key
@@ -74,14 +12,14 @@ resource "aws_ecs_task_definition" "this" {
 memory = each.value.fargate_memory
 container_definitions = jsonencode([
 {
- name = "${each.key}-app",
- image = "${each.value.app_image}",
+ name = each.key,
+ image = each.value.app_image,
 networkMode = "awsvpc",
 logConfiguration = {
 logDriver = "awslogs",
 options = {
- awslogs-group = "${var.ecs_cloudwatch_log_group}",
- awslogs-region = "${var.region}",
+ awslogs-group = var.ecs_cloudwatch_log_group,
+ awslogs-region = var.region,
 awslogs-stream-prefix = "ecs"
 }
 },
@@ -120,10 +58,22 @@ resource "aws_ecs_service" "this" {
 type = "ECS"
 }
+ dynamic "load_balancer" {
+ for_each = {
+ for key, value in var.service_data : key => value
+ if(each.key == "orchestration" && key == "orchestration") || (each.key == "ecr-viewer" && key == "ecr-viewer")
+ }
+ content {
+ target_group_arn = aws_alb_target_group.this.arn
+ container_name = load_balancer.key
+ container_port = load_balancer.value.container_port
+ }
+ }
+
 network_configuration {
- security_groups = ["${aws_security_group.service_security_group.id}"]
- subnets = var.public_subnet_ids
- assign_public_ip = true
+ security_groups = [aws_security_group.ecs.id]
+ subnets = var.private_subnet_ids
+ assign_public_ip = false
 }
 service_registries {
diff --git a/terraform/modules/ecs/security.tf b/terraform/modules/ecs/security.tf
deleted file mode 100644
index eb00cd96..00000000
--- a/terraform/modules/ecs/security.tf
+++ /dev/null
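Review bot: The `for_each` filter in the new `dynamic "load_balancer"` block reduces to `key == each.key` for two hard-coded names, so it ignores the `public` attribute this same diff adds to `service_data` and has to be edited every time a service is exposed; `if key == each.key && try(value.public, false)` expresses the intent and follows the data. Both matching services also attach to the one `aws_alb_target_group.this`, so the listener will spread requests across orchestration (port 8080) and ecr-viewer (port 3000) tasks indiscriminately — unless they serve identical routes, each public service needs its own target group and listener rule. Moving tasks to `var.private_subnet_ids` with `assign_public_ip = false` is the right direction, but image pulls from ECR and log shipping to CloudWatch then depend on a NAT gateway or VPC endpoints in those subnets, which nothing in this diff shows; worth confirming before merge. The `aws_ecs_service` resource starts and ends outside the hunk.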
@@ -1,56 +0,0 @@
-# ALB security Group: Edit to restrict access to the application
-resource "aws_security_group" "alb_sg" {
- name = "dibbs-aws-ecs-alb-security-group"
- description = "controls access to the ALB"
- vpc_id = var.vpc_id
-
- ingress {
- protocol = "tcp"
- from_port = var.app_port
- to_port = var.app_port
- cidr_blocks = ["0.0.0.0/0"]
- }
- #matches the load balancer listener rule (without unreachable)
- ingress {
- protocol = "tcp"
- from_port = 80
- to_port = 80
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- egress {
- protocol = "tcp"
- from_port = 8080 #changed from https port 443
- to_port = 8080 #changed from https port 443
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_security_group" "orchestration_sg" {
- name = "dibbs-aws-ecs-orchestration-security-group"
- description = "controls access to the orchestration service"
- vpc_id = var.vpc_id
-
-
- #matches the load balancer listener rule (without unreachable)
- ingress {
- protocol = "tcp"
- from_port = var.app_port
- to_port = var.app_port
- cidr_blocks = ["${var.cidr}"]
- }
- #matches the load balancer listener rule (without unreachable)
- ingress {
- protocol = "tcp"
- from_port = 80
- to_port = 80
- cidr_blocks = ["${var.cidr}"]
- }
-
- egress {
- protocol = "tcp"
- from_port = 8080
- to_port = 8080
- cidr_blocks = ["${var.cidr}"]
- }
-}
diff --git a/terraform/modules/s3/main.tf b/terraform/modules/s3/s3.tf
similarity index 100%
rename from terraform/modules/s3/main.tf
rename to terraform/modules/s3/s3.tf