
Commit b1fc54b

committed
consistent naming
Signed-off-by: Edward Wilde <[email protected]>
1 parent 3d71cca commit b1fc54b


10 files changed

+141
-65
lines changed


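--- a/data/iam/ecs-task-assumerole.json
+++ b/data/iam/ecs-task-assumerole.json
@@ -0,0 +1,15 @@
+{
+"Version": "2008-10-17",
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Principal": {
+"Service": [
+"ecs.amazonaws.com",
+"ecs-tasks.amazonaws.com"
+]
+},
+"Effect": "Allow"
+}
+]
+}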
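Review bot: The trust policy lets both `ecs.amazonaws.com` and `ecs-tasks.amazonaws.com` assume the role, yet the two roles this file is wired to in this commit (`ecs_provider_role` and `ecs_role`) are both passed as `task_role_arn`, and a task role only needs `ecs-tasks.amazonaws.com` as its trusted principal; consider dropping `ecs.amazonaws.com` unless something outside this page also uses one of these roles as a cluster or service role. The document also keeps `"Version": "2008-10-17"` while the policy documents written elsewhere in this commit use `"2012-10-17"`, so the newer version here would keep the policy language consistent. Since the file is now shared by two roles and JSON has no comment syntax, a one-line comment next to each `file()` call in the Terraform naming the roles that reuse this trust policy would help the next reader.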

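--- a/data/iam/log-policy.json
+++ b/data/iam/log-policy.json
@@ -0,0 +1,10 @@
+{
+"Effect": "Allow",
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents",
+"logs:DescribeLogStreams"
+],
+"Resource": "arn:aws:logs:*:*:*"
+}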
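Review bot: `"Resource": "arn:aws:logs:*:*:*"` allows the four log actions on every log group in every region and account, and because this fragment is spliced by `file()` into both `ecs_role_policy` and `ecs_provider_role_policy`, both task roles now receive that grant; scoping it to the log group(s) these tasks actually write to, or at least to the deployment's region and account, limits what a compromised task could create or enumerate. This file is also a single statement object rather than a complete policy document, so it cannot be validated as a policy on its own; I would say so in the Terraform that embeds it, e.g. `# statement fragment, spliced into the Statement array of the role policies` beside each `file()` call.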

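--- a/debug.tf
+++ b/debug.tf
@@ -48,7 +48,7 @@ resource "aws_security_group" "bastion" {
 }
 }
 
-resource "aws_security_group_rule" "bastion-ingress-ssh" {
+resource "aws_security_group_rule" "bastion_ingress_ssh" {
 count = "${var.debug}"
 type = "ingress"
 security_group_id = "${aws_security_group.bastion.id}"
@@ -58,7 +58,7 @@ resource "aws_security_group_rule" "bastion-ingress-ssh" {
 cidr_blocks = ["${var.developer_ip}/32"]
 }
 
-resource "aws_security_group_rule" "bastion-egress-ssh" {
+resource "aws_security_group_rule" "bastion_egress_ssh" {
 count = "${var.debug}"
 type = "egress"
 security_group_id = "${aws_security_group.bastion.id}"
@@ -68,7 +68,7 @@ resource "aws_security_group_rule" "bastion-egress-ssh" {
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "bastion-egress-http" {
+resource "aws_security_group_rule" "bastion_egress_http" {
 count = "${var.debug}"
 type = "egress"
 security_group_id = "${aws_security_group.bastion.id}"
@@ -78,7 +78,7 @@ resource "aws_security_group_rule" "bastion-egress-http" {
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "bastion-egress-https" {
+resource "aws_security_group_rule" "bastion_egress_https" {
 count = "${var.debug}"
 type = "egress"
 security_group_id = "${aws_security_group.bastion.id}"
@@ -88,7 +88,7 @@ resource "aws_security_group_rule" "bastion-egress-https" {
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "bastion-egress-nats" {
+resource "aws_security_group_rule" "bastion_egress_nats" {
 count = "${var.debug}"
 type = "egress"
 security_group_id = "${aws_security_group.bastion.id}"
@@ -98,6 +98,16 @@ resource "aws_security_group_rule" "bastion-egress-nats" {
 protocol = "tcp"
 }
 
+resource "aws_security_group_rule" "bastion_egress_ecs_provider" {
+count = "${var.debug}"
+type = "egress"
+security_group_id = "${aws_security_group.bastion.id}"
+source_security_group_id = "${aws_security_group.ecs_provider.id}"
+from_port = 8081
+to_port = 8081
+protocol = "tcp"
+}
+
 resource "aws_key_pair" "bastion_ssh" {
 key_name = "${var.bastion_keypair_name}"
 public_key = "${file("${path.module}/keys/${var.bastion_keypair_name}.pub")}"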

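--- a/ecs-provider.tf
+++ b/ecs-provider.tf
@@ -4,13 +4,13 @@ module "ecs_provider" {
 ecs_cluster_name = "${var.ecs_cluster_name}"
 aws_region = "${var.aws_region}"
 desired_count = "1"
-security_groups = ["${aws_security_group.service.id}"]
+security_groups = ["${aws_security_group.service.id}", "${aws_security_group.ecs_provider.id}"]
 allowed_subnets = ["${aws_subnet.internal.*.id}"]
 namespace = "${var.namespace}"
 service_discovery_service_arn = "${aws_service_discovery_service.ecs_provider.arn}"
 task_image = "ewilde/faas-ecs"
 task_image_version = "latest"
-task_role_arn = "${aws_iam_role.ecs_role.arn}"
+task_role_arn = "${aws_iam_role.ecs_provider_role.arn}"
 task_ports = "[{\"containerPort\":8081,\"hostPort\":8081}]"
 task_env_vars = <<EOF
 [
@@ -22,20 +22,59 @@ module "ecs_provider" {
 EOF
 }
 
-resource "aws_security_group_rule" "gateway-egress-ecs-provider" {
-type = "egress"
-security_group_id = "${aws_security_group.gateway.id}"
-source_security_group_id = "${aws_security_group.service.id}"
+resource "aws_security_group" "ecs_provider" {
+name = "${var.namespace}.ecs-provider"
+description = "Security rules for the ecs provider"
+vpc_id = "${aws_vpc.default.id}"
+
+tags {
+Name = "${format("%s-ecs-provider", var.namespace)}"
+}
+}
+
+resource "aws_security_group_rule" "ecs_provider_ingress_gateway" {
+type = "ingress"
+security_group_id = "${aws_security_group.ecs_provider.id}"
+source_security_group_id = "${aws_security_group.gateway.id}"
 from_port = 8081
 to_port = 8081
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "service-ingress-ecs-provider" {
+resource "aws_security_group_rule" "ecs-provider_ingress_bastion" {
 type = "ingress"
-security_group_id = "${aws_security_group.service.id}"
-source_security_group_id = "${aws_security_group.gateway.id}"
+security_group_id = "${aws_security_group.ecs_provider.id}"
+source_security_group_id = "${aws_security_group.bastion.id}"
 from_port = 8081
 to_port = 8081
 protocol = "tcp"
+count = "${var.debug}"
+}
+
+resource "aws_iam_role" "ecs_provider_role" {
+name = "${var.namespace}-ecs-provider-role"
+assume_role_policy = "${file("${path.module}/data/iam/ecs-task-assumerole.json")}"
+}
+
+resource "aws_iam_role_policy" "ecs_provider_role_policy" {
+name = "${var.namespace}-ecs-provider-role-policy"
+role = "${aws_iam_role.ecs_provider_role.id}"
+
+policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+${file("${path.module}/data/iam/log-policy.json")},
+{
+"Effect": "Allow",
+"Action": [
+"ecs:*"
+],
+"Resource": [
+"*"
+]
+}
+]
+}
+EOF
 }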
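Review bot: `ecs_provider_role_policy` grants `"ecs:*"` on `"*"` to the provider task role, so a compromised provider container could create, update or delete any service, task definition or cluster in the account; restricting `Action` to the ECS calls the provider actually makes and, where the action supports resource-level permissions, `Resource` to the `aws_ecs_cluster.openfaas` cluster and its services would contain that. In the same file the rule at new line 44 is named `ecs-provider_ingress_bastion`, which mixes a hyphen into a commit whose purpose is consistent naming and whose siblings are `ecs_provider_ingress_gateway` and `ecs_provider_role`; `resource "aws_security_group_rule" "ecs_provider_ingress_bastion" {` keeps the scheme. That rule also puts `count = "${var.debug}"` as its last attribute, whereas every debug-gated rule in debug.tf puts `count` first, which makes the debug-only rules easy to spot.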

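--- a/ecs.tf
+++ b/ecs.tf
@@ -1,25 +1,8 @@
 resource "aws_ecs_cluster" "openfaas" {
 name = "${var.ecs_cluster_name}"
 }
-
 resource "aws_iam_role" "ecs_role" {
-assume_role_policy = <<EOF
-{
-"Version": "2008-10-17",
-"Statement": [
-{
-"Action": "sts:AssumeRole",
-"Principal": {
-"Service": [
-"ecs.amazonaws.com",
-"ecs-tasks.amazonaws.com"
-]
-},
-"Effect": "Allow"
-}
-]
-}
-EOF
+assume_role_policy = "${file("${path.module}/data/iam/ecs-task-assumerole.json")}"
 }
 
 resource "aws_iam_role_policy" "ecs_role_policy" {
@@ -29,16 +12,7 @@ resource "aws_iam_role_policy" "ecs_role_policy" {
 {
 "Version": "2012-10-17",
 "Statement": [
-{
-"Effect": "Allow",
-"Action": [
-"logs:CreateLogGroup",
-"logs:CreateLogStream",
-"logs:PutLogEvents",
-"logs:DescribeLogStreams"
-],
-"Resource": "arn:aws:logs:*:*:*"
-}
+${file("${path.module}/data/iam/log-policy.json")}
 ]
 }
 EOF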

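--- a/gateway.tf
+++ b/gateway.tf
@@ -44,7 +44,7 @@ resource "aws_ecs_task_definition" "gateway" {
 "environment": [
 {
 "name": "functions_provider_url",
-"value": "${aws_service_discovery_service.ecs_provider.name}.${aws_service_discovery_private_dns_namespace.openfaas.name}"
+"value": "http://${aws_service_discovery_service.ecs_provider.name}.${aws_service_discovery_private_dns_namespace.openfaas.name}:8081/"
 },
 {
 "name": "faas_nats_address",
@@ -93,7 +93,7 @@ resource "aws_security_group" "gateway" {
 }
 }
 
-resource "aws_security_group_rule" "gateway-ingress-alb" {
+resource "aws_security_group_rule" "gateway_ingress_alb" {
 type = "ingress"
 security_group_id = "${aws_security_group.gateway.id}"
 source_security_group_id = "${aws_security_group.alb.id}"
@@ -102,16 +102,34 @@ resource "aws_security_group_rule" "gateway-ingress-alb" {
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "gateway-egress-nats" {
+resource "aws_security_group_rule" "gateway_egress_nats" {
 type = "egress"
 security_group_id = "${aws_security_group.gateway.id}"
 source_security_group_id = "${aws_security_group.nats.id}"
 from_port = 4222
 to_port = 4222
+protocol = "all"
+}
+
+resource "aws_security_group_rule" "gateway_egress_nats_management" {
+type = "egress"
+security_group_id = "${aws_security_group.gateway.id}"
+source_security_group_id = "${aws_security_group.nats.id}"
+from_port = 8222
+to_port = 8222
+protocol = "tcp"
+}
+
+resource "aws_security_group_rule" "gateway_egress_ecs" {
+type = "egress"
+security_group_id = "${aws_security_group.gateway.id}"
+source_security_group_id = "${aws_security_group.ecs_provider.id}"
+from_port = 8081
+to_port = 8081
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "gateway-egress-http" {
+resource "aws_security_group_rule" "gateway_egress_http" {
 type = "egress"
 security_group_id = "${aws_security_group.gateway.id}"
 from_port = 80
@@ -120,7 +138,7 @@ resource "aws_security_group_rule" "gateway-egress-http" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "gateway-egress-https" {
+resource "aws_security_group_rule" "gateway_egress_https" {
 type = "egress"
 security_group_id = "${aws_security_group.gateway.id}"
 from_port = 443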
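Review bot: `gateway_egress_nats` now sets `protocol = "all"` (new line 111) while still carrying `from_port`/`to_port` 4222; as far as I know AWS does not apply a port range to an all-protocols rule, so this permits every port and protocol from the gateway to the nats security group rather than just 4222, and the same change is made to `nats_ingress_gateway` in nats.tf. If the intent is NATS client traffic, `protocol = "tcp"` as in the neighbouring rules is sufficient; if a second protocol is genuinely needed, two rules with explicit ports are narrower than `all`, and the reason belongs in a comment on the rule. The `functions_provider_url` value in the first hunk now hard-codes `:8081/`, which must stay in step with `gateway_egress_ecs` and `ecs_provider_ingress_gateway`, so a comment such as `# port must match the 8081 rules on the gateway and ecs_provider security groups` would help.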

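--- a/nats.tf
+++ b/nats.tf
@@ -11,7 +11,15 @@ module "nats" {
 task_image = "ewilde/nats-streaming"
 task_image_version = "0.9.2-linux"
 task_role_arn = "${aws_iam_role.ecs_role.arn}"
-task_ports = "[{\"containerPort\":8222,\"hostPort\":8222}]"
+task_ports = "[{\"containerPort\":4222,\"hostPort\":4222}, {\"containerPort\":8222,\"hostPort\":8222}]"
+task_command = <<CMD
+[
+"--store",
+"memory",
+"--cluster_id",
+"faas-cluster"
+]
+CMD
 }
 
 resource "aws_security_group" "nats" {
@@ -24,16 +32,25 @@ resource "aws_security_group" "nats" {
 }
 }
 
-resource "aws_security_group_rule" "nats-ingress-gateway" {
+resource "aws_security_group_rule" "nats_ingress_gateway" {
 type = "ingress"
 security_group_id = "${aws_security_group.nats.id}"
 source_security_group_id = "${aws_security_group.gateway.id}"
 from_port = 4222
 to_port = 4222
+protocol = "all"
+}
+
+resource "aws_security_group_rule" "nats_management_ingress_gateway" {
+type = "ingress"
+security_group_id = "${aws_security_group.nats.id}"
+source_security_group_id = "${aws_security_group.gateway.id}"
+from_port = 8222
+to_port = 8222
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "nats-ingress-service" {
+resource "aws_security_group_rule" "nats_ingress_service" {
 type = "ingress"
 security_group_id = "${aws_security_group.nats.id}"
 source_security_group_id = "${aws_security_group.service.id}"
@@ -42,11 +59,12 @@ resource "aws_security_group_rule" "nats-ingress-service" {
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "nats-ingress-bastion" {
+resource "aws_security_group_rule" "nats_ingress_bastion" {
 type = "ingress"
 security_group_id = "${aws_security_group.nats.id}"
 source_security_group_id = "${aws_security_group.bastion.id}"
 from_port = 4222
 to_port = 4222
 protocol = "tcp"
+count = "${var.debug}"
 }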
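Review bot: `nats_ingress_service` (new line 53) still admits the `service` security group on 4222, but the only service-to-nats egress rule visible on this page, `service-egress-nats` in security.tf, is deleted by this commit and was itself debug-only; if the service group's egress is managed entirely through `aws_security_group_rule` resources, this ingress rule has no counterpart and is either dead or hides a missing egress, so I would either remove it or add the egress back with a comment saying why functions need NATS. Separately, `count = "${var.debug}"` is appended as the last attribute of `nats_ingress_bastion` (new line 69) while debug.tf places `count` first in every debug-gated rule; keeping it first makes the debug-only rules easy to spot. The `task_command` heredoc is interpolated verbatim into the container definition, so a comment such as `# must be a JSON array; spliced raw into the task definition` on it would help the next editor.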

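--- a/security.tf
+++ b/security.tf
@@ -8,7 +8,7 @@ resource "aws_security_group" "alb" {
 }
 }
 
-resource "aws_security_group_rule" "alb-ingress" {
+resource "aws_security_group_rule" "alb_ingress" {
 type = "ingress"
 from_port = 80
 to_port = 80
@@ -27,7 +27,7 @@ resource "aws_security_group" "service" {
 }
 }
 
-resource "aws_security_group_rule" "service-ingress-bastion" {
+resource "aws_security_group_rule" "service_ingress_bastion" {
 type = "ingress"
 security_group_id = "${aws_security_group.service.id}"
 source_security_group_id = "${aws_security_group.bastion.id}"
@@ -36,7 +36,7 @@ resource "aws_security_group_rule" "service-ingress-bastion" {
 protocol = "tcp"
 }
 
-resource "aws_security_group_rule" "service-egress-http" {
+resource "aws_security_group_rule" "service_egress_http" {
 type = "egress"
 security_group_id = "${aws_security_group.service.id}"
 from_port = 80
@@ -45,21 +45,11 @@ resource "aws_security_group_rule" "service-egress-http" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "service-egress-https" {
+resource "aws_security_group_rule" "service_egress_https" {
 type = "egress"
 security_group_id = "${aws_security_group.service.id}"
 from_port = 443
 to_port = 443
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
-
-resource "aws_security_group_rule" "service-egress-nats" {
-count = "${var.debug}"
-type = "egress"
-security_group_id = "${aws_security_group.service.id}"
-source_security_group_id = "${aws_security_group.nats.id}"
-from_port = 4222
-to_port = 4222
-protocol = "tcp"
-}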

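--- a/service-internal/main.tf
+++ b/service-internal/main.tf
@@ -33,6 +33,7 @@ resource "aws_ecs_task_definition" "main" {
 {
 "cpu": ${var.task_cpu},
 "environment": ${var.task_env_vars},
+"command": ${var.task_command},
 "essential": true,
 "image": "${var.task_image}:${var.task_image_version}",
 "memory": ${var.task_memory},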
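Review bot: `"command": ${var.task_command},` splices the variable unquoted into the container definition JSON, so any caller that does not set `task_command` renders invalid JSON unless the variable declares a default; the `ecs_provider` module call in ecs-provider.tf does not pass it in the lines shown, and the module's variables file is not among the sections on this page, so please confirm a default such as `"[]"` exists. Because the value is raw JSON rather than a string, the variable's `description` should state that, e.g. `description = "JSON array of command arguments, interpolated verbatim into the container definition"`. The enclosing `aws_ecs_task_definition` resource starts and ends outside the hunk.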
