Migrate off of ECS onto sobeck.jdb-software.com.
parent
dfaede9fd8
commit
9cbc1e708a
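--- a/.tool-versions
+++ b/.tool-versions
@@ -0,0 +1 @@
+opentofu 1.8.1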
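--- a/api/Makefile
+++ b/api/Makefile
@@ -82,3 +82,20 @@ echo-vars:
 "VERSION=$(VERSION)\n" \
 "PORT=$(PORT)\n" \
 "INTEGRATION_TOKEN=$(INTEGRATION_TOKEN)\n"
+
+publis:
+-rm -r deploy
+-mkdir deploy
+m4 \
+-D "HFF_ENTRY_FORMS_API_VERSION=$(VERSION)" \
+-D "TARGET_ENV=$(TARGET_ENV)" \
+-D "TARGET_PORT=$(TARGET_PORT)" \
+hff_entry_forms_api.service \
+> deploy/hff_entry_forms_api.$(TARGET_ENV).service
+-ssh deployer@$(TARGET_SERVER) "docker stop hff_entry_forms.$(TARGET_ENV).service && sudo systemctl stop hff_entry_forms.$(TARGET_ENV)"
+ssh deployer@$(TARGET_SERVER) "aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin $(ECR_ACCOUNT_URL) && docker pull $(ECR_ACCOUNT_URL)/hff_entry_forms:$(VERSION)"
+scp \
+deploy/hff_entry_forms.$(TARGET_ENV).service \
+deployer@$(TARGET_SERVER):/etc/systemd/system/hff_entry_forms.$(TARGET_ENV).service
+ssh deployer@$(TARGET_SERVER) "sudo systemctl daemon-reload"
+ssh deployer@$(TARGET_SERVER) "sudo systemctl start hff_entry_forms.$(TARGET_ENV)"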
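Review bot: The file and macro names in the new `publis` recipe do not line up, so the deploy cannot succeed as written: m4 writes `deploy/hff_entry_forms_api.$(TARGET_ENV).service` but scp reads `deploy/hff_entry_forms.$(TARGET_ENV).service`, and the m4 input `hff_entry_forms_api.service` is not the template this commit adds (`api/hff_entry_forms.service`). The macro is defined as `HFF_ENTRY_FORMS_API_VERSION` while that template's image tag is `HFF_ENTRY_FORMS_VERSION`, so the tag would stay unexpanded; one consistent set would be `-D "HFF_ENTRY_FORMS_VERSION=$(VERSION)"`, input `hff_entry_forms.service`, output `> deploy/hff_entry_forms.$(TARGET_ENV).service`. The target name looks like a typo for `publish`, and whether it is declared `.PHONY` is not visible in this hunk. Copying straight into `/etc/systemd/system` also means the `deployer` account can write unit files and is therefore root-equivalent on the host; staging the file in a deployer-owned directory and installing it through one narrowly scoped sudo command would keep that privilege explicit. `$(TARGET_ENV)`, `$(VERSION)` and `$(ECR_ACCOUNT_URL)` are pasted unquoted into remote shell strings, so they should be checked against an expected pattern before the recipe uses them.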
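--- a/api/hff_entry_forms.service
+++ b/api/hff_entry_forms.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=HFF Entry Forms (TARGET_ENV)
+After=network-online.target
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --rm -p TARGET_PORT:80 --name %n \
+--env-file /etc/hff_entry_forms/TARGET_ENV.env \
+063932952339.dkr.ecr.us-west-2.amazonaws.com/hff_entry_forms:HFF_ENTRY_FORMS_VERSION
+ExecStop=/usr/bin/docker stop --name %n
+
+[Install]
+WantedBy=default.target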
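Review bot: `ExecStop=/usr/bin/docker stop --name %n` passes a flag that `docker stop` does not have (the container is a positional argument), so the stop command exits with an error; it should read `ExecStop=/usr/bin/docker stop %n`. `Requires=docker.service` does not order the units, so `After=` should name the Docker unit too: `After=network-online.target docker.service`. The token that the removed ECS task read from Secrets Manager presumably now lives in `/etc/hff_entry_forms/TARGET_ENV.env`, so that file should be owned by root with mode 0600, and how it is provisioned should be written down next to the unit. `-p TARGET_PORT:80` publishes the port on every host interface; if only the load balancer is meant to reach the service, the host firewall or security group has to restrict that port, which is not visible in this commit.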
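--- a/operations/opentofu/.terraform.lock.hcl
+++ b/operations/opentofu/.terraform.lock.hcl
@@ -0,0 +1,36 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+version = "5.62.0"
+hashes = [
+"h1:DzXMlmL2hRPfACAbN1PUhnLDGY9Kl0vbrt05qSfGsxA=",
+"zh:2cb519ce7f3cbcb88b2e93dd3b3424ad85a347fc0e7429661945da5df8a20fda",
+"zh:2fc7ed911cceaa1652d1f4090eaa91e8463aba86873910bccf16601260379886",
+"zh:395b32d157adeb92571a0efd230c73bbee01744782a50356fb16e8946bd63ffb",
+"zh:43303d36af40a568cd40bd54dc9e8430e18c4a4d78682b459dca8c755c717a0c",
+"zh:65b2c6e955deeeffb9d9cd4ed97e8c532a453ba690d0e3d88c740f9036bccc4d",
+"zh:a9d09dc9daf33b16894ed7d192ceb4c402261da58cded503a3ffa1dd2373e3fb",
+"zh:c5e9f8bc4397c2075b6dc62458be51b93322517affd760c161633d56b0b9a334",
+"zh:db0921c091402179edd549f8aa4f12dce18aab09d4302e800c67d6ec6ff88a86",
+"zh:e7d13f9c0891446d03c29e4fcd60de633f71bbf1bc9786fca47a0ee356ac979a",
+"zh:f128a725dbdbd31b9ed8ea478782152339c9fab4d635485763c8da2a477fe3f6",
+]
+}
+
+provider "registry.opentofu.org/hashicorp/external" {
+version = "2.3.3"
+hashes = [
+"h1:bDJy8Mj5PMTEuxm6Wu9A9dATBL+mQDmHx8NnLzjvCcc=",
+"zh:1ec36864a1872abdfd1c53ba3c6837407564ac0d86ab80bf4fdc87b41106fe68",
+"zh:2117e0edbdc88f0d22fe02fe6b2cfbbbc5d5ce40f8f58e484d8d77d64dd7340f",
+"zh:4bcfdacd8e2508c16e131de9072cecd359e0ade3b8c6798a049883f37a5872ea",
+"zh:4da71bc601a37bf8b7413c142d43f5f28e97e531d4836ee8624f41b9fb62e250",
+"zh:55b9eebac79a46f88db5615f1ee0ac4c3f9351caa4eb8542171ef5d87de60338",
+"zh:74d64afaef190321f8ddf1c4a9c6489d6cf51098704a2456c1553406e8306328",
+"zh:8a357e51a0ec69872fafc64da3c6a1039277d325255ef5a264b727d83995d18b",
+"zh:aacd2e6c13fe19115d51cd28a40a28da017bb48c2e18dec4460d1c37506b1495",
+"zh:e19c8bdf0e059341d008a50f9138c44009e9ebb3a8047a300e6bc63ed8af8ea0",
+"zh:fafa9639d8b8402e35f3864c6cfb0762ec57cc365a8f383e2acf81105b1b9eea",
+]
+}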
@ -1,6 +1,6 @@
|
|||||||
resource "aws_lb_target_group" "hff_entry_forms_api" {
|
resource "aws_lb_target_group" "hff_entry_forms_api" {
|
||||||
name = "${local.environment_name}-${substr(uuid(), 0, 2)}"
|
name = "${local.environment_name}-${substr(uuid(), 0, 2)}"
|
||||||
port = 80
|
port = var.target_port
|
||||||
protocol = "HTTP"
|
protocol = "HTTP"
|
||||||
target_type = "instance"
|
target_type = "instance"
|
||||||
vpc_id = data.terraform_remote_state.jdbsoft.outputs.aws_vpc_jdbsoft.id
|
vpc_id = data.terraform_remote_state.jdbsoft.outputs.aws_vpc_jdbsoft.id
|
||||||
@ -41,3 +41,9 @@ resource "aws_lb_listener_rule" "hff_entry_forms_api" {
|
|||||||
Environment = local.environment_name
|
Environment = local.environment_name
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_lb_target_group_attachment" "hff_entry_forms_api" {
|
||||||
|
target_group_arn = aws_lb_target_group.hff_entry_forms_api.arn
|
||||||
|
target_id = data.terraform_remote_state.jdbsoft.outputs.sobeck-instance-id
|
||||||
|
port = var.target_port
|
||||||
|
}
|
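Review bot: The new `aws_lb_target_group_attachment` sends load-balancer traffic to `var.target_port` on the shared sobeck instance, but nothing in this section shows that port being opened only to the load balancer. If the instance's security group is managed in the remote `jdbsoft` state, confirm it allows 6005 and 6006 from the load balancer's security group alone, since the container port is published on all host interfaces and this hop uses plain `HTTP`. A short comment above the resource, such as `# sobeck's security group must allow var.target_port from the load balancer only`, would record that dependency for the next maintainer.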
@ -12,6 +12,10 @@ variable "ecr_repo" {
|
|||||||
description = "ECR repository information."
|
description = "ECR repository information."
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "target_port" {
|
||||||
|
description = "The port the deployed service will listen on."
|
||||||
|
}
|
||||||
|
|
||||||
variable "api_certificate_arn" {
|
variable "api_certificate_arn" {
|
||||||
description = "ARN of the certificate to use for the API loadbalancer."
|
description = "ARN of the certificate to use for the API loadbalancer."
|
||||||
}
|
}
|
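Review bot: `variable "target_port"` is declared without a type, so a string or an out-of-range value is accepted until the provider rejects it. Adding `type = number` and a `validation` block limiting it to 1–65535 would catch a bad value at plan time. The description could also state that this is the host port on the instance, since the container side stays on port 80 in the unit file added by this commit.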
@ -15,6 +15,7 @@ module "dev_env" {
|
|||||||
artifact_bucket = aws_s3_bucket.hff_entry_forms
|
artifact_bucket = aws_s3_bucket.hff_entry_forms
|
||||||
cloudfront_certificate_arn = var.cloudfront_certificate_arn
|
cloudfront_certificate_arn = var.cloudfront_certificate_arn
|
||||||
ecr_repo = aws_ecr_repository.hff_entry_forms_api
|
ecr_repo = aws_ecr_repository.hff_entry_forms_api
|
||||||
|
target_port = 6005
|
||||||
}
|
}
|
||||||
|
|
||||||
module "prod_env" {
|
module "prod_env" {
|
||||||
@ -25,11 +26,14 @@ module "prod_env" {
|
|||||||
artifact_bucket = aws_s3_bucket.hff_entry_forms
|
artifact_bucket = aws_s3_bucket.hff_entry_forms
|
||||||
cloudfront_certificate_arn = var.cloudfront_certificate_arn
|
cloudfront_certificate_arn = var.cloudfront_certificate_arn
|
||||||
ecr_repo = aws_ecr_repository.hff_entry_forms_api
|
ecr_repo = aws_ecr_repository.hff_entry_forms_api
|
||||||
|
target_port = 6006
|
||||||
}
|
}
|
||||||
|
|
||||||
data "aws_iam_policy_document" "cloudfront_access_policy" {
|
data "aws_iam_policy_document" "cloudfront_access_policy" {
|
||||||
source_json = "${module.dev_env.oai_access_policy.json}"
|
source_policy_documents = [
|
||||||
override_json = "${module.prod_env.oai_access_policy.json}"
|
module.dev_env.oai_access_policy.json,
|
||||||
|
module.prod_env.oai_access_policy.json
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_s3_bucket_policy" "hff_entry_forms" {
|
resource "aws_s3_bucket_policy" "hff_entry_forms" {
|
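Review bot: Replacing `source_json`/`override_json` with `source_policy_documents` changes how the two OAI policies are merged: statements from the override document used to replace same-Sid statements, whereas source documents are combined and, per the AWS provider documentation, must have unique Sids. If the dev and prod `oai_access_policy` documents reuse a Sid (their definitions are outside this diff), the plan will fail or the effective bucket policy will differ from before. Comparing the rendered `aws_s3_bucket_policy` in the plan output with the current policy would confirm that each environment keeps exactly the access it had. The hard-coded `target_port = 6005` and `target_port = 6006` also have to match the `TARGET_PORT` given to the Makefile's m4 step, and a comment saying so on each line would keep the two in step.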
@ -1,70 +0,0 @@
|
|||||||
resource "aws_secretsmanager_secret" "hff_entry_forms_api" {
|
|
||||||
name = "${local.environment_name}-Config"
|
|
||||||
tags = { Environment = local.environment_name }
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_ecs_task_definition" "hff_entry_forms_api" {
|
|
||||||
family = local.environment_name
|
|
||||||
network_mode = "bridge"
|
|
||||||
requires_compatibilities = ["EC2"]
|
|
||||||
execution_role_arn = aws_iam_role.ecs_task.arn
|
|
||||||
|
|
||||||
# See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html
|
|
||||||
container_definitions = jsonencode([
|
|
||||||
{
|
|
||||||
name = local.environment_name
|
|
||||||
image = "${var.ecr_repo.repository_url}:${data.external.git_describe.result.version}"
|
|
||||||
cpu = 128
|
|
||||||
memory = 128
|
|
||||||
memoryReservation = 32
|
|
||||||
environment = [
|
|
||||||
{
|
|
||||||
name = "PORT"
|
|
||||||
value = "80"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
portMappings = [
|
|
||||||
{
|
|
||||||
protocol = "tcp"
|
|
||||||
containerPort = 80
|
|
||||||
}
|
|
||||||
]
|
|
||||||
secrets = [
|
|
||||||
{
|
|
||||||
name = "INTEGRATION_TOKEN"
|
|
||||||
description = "Connection string with user credentials."
|
|
||||||
valueFrom = "${aws_secretsmanager_secret.hff_entry_forms_api.arn}:integrationToken::"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name = "KNOWN_ORIGINS"
|
|
||||||
description = "Connection string with user credentials."
|
|
||||||
valueFrom = "${aws_secretsmanager_secret.hff_entry_forms_api.arn}:knownOrigins::"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
])
|
|
||||||
|
|
||||||
tags = {
|
|
||||||
Name = local.api_domain_name
|
|
||||||
Environment = local.environment_name
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_ecs_service" "hff_entry_forms_api" {
|
|
||||||
name = local.environment_name
|
|
||||||
cluster = data.terraform_remote_state.jdbsoft.outputs.aws_ecs_cluster_ortis.id
|
|
||||||
task_definition = aws_ecs_task_definition.hff_entry_forms_api.arn
|
|
||||||
desired_count = 1
|
|
||||||
launch_type = "EC2"
|
|
||||||
|
|
||||||
load_balancer {
|
|
||||||
target_group_arn = aws_lb_target_group.hff_entry_forms_api.arn
|
|
||||||
container_name = local.environment_name
|
|
||||||
container_port = 80
|
|
||||||
}
|
|
||||||
|
|
||||||
tags = {
|
|
||||||
Name = local.api_domain_name
|
|
||||||
Environment = local.environment_name
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,69 +0,0 @@
|
|||||||
resource "aws_iam_role" "ecs_task" {
|
|
||||||
name = "${local.environment_name}-EcsTaskRole"
|
|
||||||
|
|
||||||
assume_role_policy = jsonencode({
|
|
||||||
Version = "2012-10-17"
|
|
||||||
Statement = [
|
|
||||||
{
|
|
||||||
Action = "sts:AssumeRole"
|
|
||||||
Effect = "Allow"
|
|
||||||
Sid = ""
|
|
||||||
Principal = {
|
|
||||||
Service = "ecs-tasks.amazonaws.com"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
})
|
|
||||||
|
|
||||||
inline_policy {
|
|
||||||
name = "AllowSecretsAccessForHffEntryFormsApiTasks"
|
|
||||||
policy = jsonencode({
|
|
||||||
Version = "2012-10-17"
|
|
||||||
Statement = [
|
|
||||||
{
|
|
||||||
Effect = "Allow"
|
|
||||||
Action = [
|
|
||||||
"secretsmanager:GetSecretValue",
|
|
||||||
"kms:Decrypt"
|
|
||||||
]
|
|
||||||
Resource = [
|
|
||||||
aws_secretsmanager_secret.hff_entry_forms_api.arn
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
inline_policy {
|
|
||||||
name = "AllowAccessToEcrForHffEntryFormsApiTasks"
|
|
||||||
policy = jsonencode({
|
|
||||||
Version = "2012-10-17"
|
|
||||||
Statement = [
|
|
||||||
{
|
|
||||||
Effect = "Allow"
|
|
||||||
Action = [
|
|
||||||
"ecr:GetAuthorizationToken"
|
|
||||||
]
|
|
||||||
Resource = [ "*" ]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Effect = "Allow"
|
|
||||||
Action = [
|
|
||||||
"ecr:BatchGetImage",
|
|
||||||
"ecr:BatchCheckLayerAvailability",
|
|
||||||
"ecr:DescribeImages",
|
|
||||||
"ecr:GetDownloadUrlForLayer"
|
|
||||||
]
|
|
||||||
Resource = [
|
|
||||||
var.ecr_repo.arn
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
tags = {
|
|
||||||
Name = "HffEntryForms-EcsTaskRole"
|
|
||||||
Environment = local.environment_name
|
|
||||||
}
|
|
||||||
}
|
|