diff --git a/ops/services/20-microservices/contracts.tf b/ops/services/20-microservices/contracts.tf
index 721035b23..06c0cf5cc 100644
--- a/ops/services/20-microservices/contracts.tf
+++ b/ops/services/20-microservices/contracts.tf
@@ -10,106 +10,6 @@ locals {
 hpms_url_arn = module.platform.ssm.core.hpms_url.arn
 }
-resource "aws_ecs_task_definition" "contracts" {
- family = "${local.service_prefix}-contracts"
- network_mode = "awsvpc"
- execution_role_arn = data.aws_iam_role.task_execution_role.arn
- task_role_arn = data.aws_iam_role.task_execution_role.arn #TODO task/execution role probably ought to be different 😕
- requires_compatibilities = ["FARGATE"]
- cpu = 1024
- memory = 2048
- container_definitions = nonsensitive(jsonencode([{
- name : "contracts-service-container", #TODO: Consider simplifying this name, just use "contracts"
- image : local.contracts_image_uri,
- readonlyRootFilesystem = true
- essential : true,
- secrets : [
- { name : "AB2D_DB_DATABASE", valueFrom : local.db_database_arn },
- { name : "AB2D_DB_PASSWORD", valueFrom : local.db_password_arn },
- { name : "AB2D_DB_USER", valueFrom : local.db_user_arn },
- { name : "AB2D_HPMS_API_PARAMS", valueFrom : local.hpms_api_params_arn },
- { name : "AB2D_HPMS_URL", valueFrom : local.hpms_url_arn },
- { name : "HPMS_AUTH_KEY_ID", valueFrom : local.hpms_auth_key_id_arn },
- { name : "HPMS_AUTH_KEY_SECRET", valueFrom : local.hpms_auth_key_secret_arn }
- ],
- environment : [
- { name : "AB2D_DB_HOST", value : local.ab2d_db_host },
- { name : "AB2D_DB_PORT", value : "5432" },
- { name : "AB2D_DB_SSL_MODE", value : "require" },
- { name : "AB2D_EXECUTION_ENV", value : local.benv },
- { name : "AWS_SQS_URL", value : local.events_sqs_url }
- ],
- portMappings : [
- {
- containerPort : 8070
- }
- ],
- logConfiguration : {
- logDriver : "awslogs",
- options : {
- awslogs-group = "/aws/ecs/fargate/${local.service_prefix}/ab2d_contracts",
- awslogs-create-group : "true",
- awslogs-region : local.aws_region,
- awslogs-stream-prefix : local.service_prefix
- }
- },
- healthCheck : null
- mountPoints = [
- {
- "containerPath" : "/tmp",
- "sourceVolume" : "tmp",
- "readOnly" : false
- },
- {
- "containerPath" : "/newrelic/logs",
- "sourceVolume" : "newrelic_logs",
- "readOnly" : false
- },
- {
- "containerPath" : "/var/log",
- "sourceVolume" : "var_log",
- "readOnly" : false
- }
- ]
- }]))
- # The NewRelic agent needs access to these
- volume {
- name = "tmp"
- }
- volume {
- name = "newrelic_logs"
- }
- volume {
- name = "var_log"
- }
-}
-
-resource "aws_ecs_service" "contracts" {
- name = "${local.service_prefix}-contracts"
- cluster = module.cluster.this.id
- task_definition = aws_ecs_task_definition.contracts.arn
- desired_count = 1
- launch_type = "FARGATE"
- platform_version = "1.4.0"
- force_new_deployment = anytrue([var.force_contracts_deployment, var.contracts_service_image_tag != null])
- propagate_tags = "SERVICE"
-
- tags = {
- service = "contracts"
- }
-
- network_configuration {
- subnets = keys(module.platform.private_subnets)
- assign_public_ip = false
- security_groups = [data.aws_security_group.api.id]
- }
- load_balancer {
- target_group_arn = aws_lb_target_group.contracts.arn
- container_name = "contracts-service-container"
- container_port = 8070
- }
-}
-
 resource "aws_security_group_rule" "contracts_to_worker_egress_access" {
 type = "egress"
 from_port = 8070
@@ -178,3 +78,89 @@ resource "aws_lb_listener_rule" "contracts" {
 }
 }
 }
+
+module "contracts_service" {
+ source = "github.com/CMSgov/cdap//terraform/modules/service?ref=jscott/PLT-1445"
+
+ awslogs_group_override = "ab2d_contracts"
+ cluster_arn = module.cluster.this.id
+ container_name_override = "contracts-service-container"
+ cpu = 1024
+ desired_count = 1
+ execution_role_arn = data.aws_iam_role.task_execution_role.arn
+ force_new_deployment = anytrue([var.force_contracts_deployment, var.contracts_service_image_tag != null])
+ health_check_grace_period_seconds = null
+ image = local.contracts_image_uri
+ memory = 2048
+ platform = module.platform
+ platform_version = "1.4.0"
+ security_groups = [data.aws_security_group.api.id]
+ service_name_override = "contracts"
+ task_role_arn = data.aws_iam_role.task_execution_role.arn
+
+ container_environment = [
+ { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+ { name = "AB2D_DB_PORT", value = "5432" },
+ { name = "AB2D_DB_SSL_MODE", value = "require" },
+ { name = "AB2D_EXECUTION_ENV", value = local.benv },
+ { name = "AWS_SQS_URL", value = local.events_sqs_url }
+ ]
+
+ container_secrets = [
+ { name = "AB2D_DB_DATABASE", valueFrom = local.db_database_arn },
+ { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+ { name = "AB2D_DB_USER", valueFrom = local.db_user_arn },
+ { name = "AB2D_HPMS_API_PARAMS", valueFrom = local.hpms_api_params_arn },
+ { name = "AB2D_HPMS_URL", valueFrom = local.hpms_url_arn },
+ { name = "HPMS_AUTH_KEY_ID", valueFrom = local.hpms_auth_key_id_arn },
+ { name = "HPMS_AUTH_KEY_SECRET", valueFrom = local.hpms_auth_key_secret_arn }
+ ]
+
+ load_balancers = [{
+ target_group_arn = aws_lb_target_group.contracts.arn
+ container_name = "contracts-service-container"
+ container_port = 8070
+
+ }]
+
+ mount_points = [
+ {
+ "containerPath" = "/tmp",
+ "sourceVolume" = "tmp",
+ "readOnly" = false
+ },
+ {
+ "containerPath" = "/newrelic/logs",
+ "sourceVolume" = "newrelic_logs",
+ "readOnly" = false
+ },
+ {
+ "containerPath" = "/var/log",
+ "sourceVolume" = "var_log",
+ "readOnly" = false
+ }
+ ]
+
+ port_mappings = [
+ {
+ containerPort = 8070
+ hostPort = 8070
+ protocol = "tcp"
+ }
+ ]
+
+ volumes = [
+ {
+ configure_at_launch = false
+ name = "tmp"
+ },
+ {
+ configure_at_launch = false
+ name = "newrelic_logs"
+ },
+ {
+ configure_at_launch = false
+ name = "var_log"
+ }
+ ]
+}
diff --git a/ops/services/20-microservices/events.tf b/ops/services/20-microservices/events.tf
index d940aa28e..86292abe6 100644
--- a/ops/services/20-microservices/events.tf
+++ b/ops/services/20-microservices/events.tf
@@ -18,101 +18,83 @@ resource "aws_sns_topic_subscription" "events" {
 endpoint = data.aws_sqs_queue.events.arn
 }
-resource "aws_ecs_task_definition" "events" {
- family = "${local.service_prefix}-events"
- network_mode = "awsvpc"
- execution_role_arn = data.aws_iam_role.task_execution_role.arn
- task_role_arn = data.aws_iam_role.task_execution_role.arn
+module "events_service" {
+ source = "github.com/CMSgov/cdap//terraform/modules/service?ref=jscott/PLT-1445"
- requires_compatibilities = ["FARGATE"]
- cpu = 512
- memory = 1024
- container_definitions = nonsensitive(jsonencode([{
- name : "events-service-container", #TODO: Consider simplifying this name, just use "events"
- image : local.events_image_uri,
- readonlyRootFilesystem = true
- essential : true,
- secrets : [
- { name : "AB2D_DB_DATABASE", valueFrom : local.db_database_arn },
- { name : "AB2D_DB_PASSWORD", valueFrom : local.db_password_arn },
- { name : "AB2D_DB_USER", valueFrom : local.db_user_arn },
- { name : "AB2D_KEYSTORE_LOCATION", valueFrom : local.ab2d_keystore_location_arn }, #FIXME: is this even used?
- { name : "AB2D_KEYSTORE_PASSWORD", valueFrom : local.ab2d_keystore_password_arn }, #FIXME: is this even used?
- { name : "AB2D_OKTA_JWT_ISSUER", valueFrom : local.ab2d_okta_jwt_issuer_arn }, #FIXME: is this even used?
- { name : "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom : local.ab2d_slack_alert_webhooks_arn },
- { name : "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom : local.ab2d_slack_trace_webhooks_arn }
- ],
- environment : [
- { name : "AB2D_DB_HOST", value : local.ab2d_db_host },
- { name : "AB2D_DB_PORT", value : "5432" },
- { name : "AB2D_DB_SSL_MODE", value : "require" },
- { name : "AB2D_EXECUTION_ENV", value : local.benv },
- { name : "AWS_SQS_FEATURE_FLAG", value : "true" }, #FIXME: is this even used?
- { name : "AWS_SQS_URL", value : local.events_sqs_url },
- { name : "IMAGE_VERSION", value : local.events_image_tag } #FIXME: is this even used?
- ],
- portMappings : [
- {
- containerPort : 8010 #FIXME is this even necessary?
- }
- ],
- logConfiguration : {
- logDriver : "awslogs",
- options : {
- awslogs-group = "/aws/ecs/fargate/${local.service_prefix}/ab2d_events",
- awslogs-create-group : "true",
- awslogs-region : local.aws_region,
- awslogs-stream-prefix : local.service_prefix
- }
+ awslogs_group_override = "ab2d_events"
+ cluster_arn = module.cluster.this.id
+ container_name_override = "events-service-container"
+ cpu = 512
+ desired_count = 1
+ execution_role_arn = data.aws_iam_role.task_execution_role.arn
+ force_new_deployment = anytrue([var.force_events_deployment, var.events_service_image_tag != null])
+ health_check_grace_period_seconds = null
+ image = local.events_image_uri
+ memory = 1024
+ platform = module.platform
+ platform_version = "1.4.0"
+ security_groups = [data.aws_security_group.api.id]
+ service_name_override = "events"
+ task_role_arn = data.aws_iam_role.task_execution_role.arn
+
+ container_environment = [
+ { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+ { name = "AB2D_DB_PORT", value = "5432" },
+ { name = "AB2D_DB_SSL_MODE", value = "require" },
+ { name = "AB2D_EXECUTION_ENV", value = local.benv },
+ { name = "AWS_SQS_FEATURE_FLAG", value = "true" }, #FIXME: is this even used?
+ { name = "AWS_SQS_URL", value = local.events_sqs_url },
+ { name = "IMAGE_VERSION", value = local.events_image_tag } #FIXME: is this even used?
+ ]
+
+ container_secrets = [
+ { name = "AB2D_DB_DATABASE", valueFrom = local.db_database_arn },
+ { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+ { name = "AB2D_DB_USER", valueFrom = local.db_user_arn },
+ { name = "AB2D_KEYSTORE_LOCATION", valueFrom = local.ab2d_keystore_location_arn }, #FIXME: is this even used?
+ { name = "AB2D_KEYSTORE_PASSWORD", valueFrom = local.ab2d_keystore_password_arn }, #FIXME: is this even used?
+ { name = "AB2D_OKTA_JWT_ISSUER", valueFrom = local.ab2d_okta_jwt_issuer_arn }, #FIXME: is this even used?
+ { name = "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom = local.ab2d_slack_alert_webhooks_arn },
+ { name = "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom = local.ab2d_slack_trace_webhooks_arn }
+ ]
+
+ mount_points = [
+ {
+ "containerPath" = "/tmp",
+ "sourceVolume" = "tmp",
+ "readOnly" = false
 },
- healthCheck : null
- mountPoints = [
- {
- "containerPath" : "/tmp",
- "sourceVolume" : "tmp",
- "readOnly" : false
- },
- {
- "containerPath" : "/newrelic/logs",
- "sourceVolume" : "newrelic_logs",
- "readOnly" : false
- },
- {
- "containerPath" : "/var/log",
- "sourceVolume" : "var_log",
- "readOnly" : false
- }
- ]
- }]))
- # The NewRelic agent needs access to these
- volume {
- name = "tmp"
- }
- volume {
- name = "newrelic_logs"
- }
- volume {
- name = "var_log"
- }
-}
+ {
+ "containerPath" = "/newrelic/logs",
+ "sourceVolume" = "newrelic_logs",
+ "readOnly" = false
+ },
+ {
+ "containerPath" = "/var/log",
+ "sourceVolume" = "var_log",
+ "readOnly" = false
+ }
+ ]
-resource "aws_ecs_service" "events" {
- name = "${local.service_prefix}-events"
- cluster = module.cluster.this.id
- task_definition = aws_ecs_task_definition.events.arn
- desired_count = 1
- launch_type = "FARGATE"
- platform_version = "1.4.0"
- force_new_deployment = anytrue([var.force_events_deployment, var.events_service_image_tag != null])
- propagate_tags = "SERVICE"
+ port_mappings = [
+ {
+ containerPort = 8010 #FIXME is this even necessary?
+ }
+ ]
- tags = {
- service = "events"
- }
+ volumes = [
+ {
+ configure_at_launch = false
+ name = "tmp"
+ },
+ {
+ configure_at_launch = false
+ name = "newrelic_logs"
+ },
+ {
+ configure_at_launch = false
+ name = "var_log"
+ }
- network_configuration {
- subnets = keys(module.platform.private_subnets)
- assign_public_ip = false
- security_groups = [data.aws_security_group.api.id]
- }
+ ]
 }
diff --git a/ops/services/20-microservices/moved.tf b/ops/services/20-microservices/moved.tf
new file mode 100644
index 000000000..5706b64f1
--- /dev/null
+++ b/ops/services/20-microservices/moved.tf
@@ -0,0 +1,19 @@
+moved {
+ from = aws_ecs_task_definition.contracts
+ to = module.contracts_service.aws_ecs_task_definition.this
+}
+
+moved {
+ from = aws_ecs_service.contracts
+ to = module.contracts_service.aws_ecs_service.this
+}
+
+moved {
+ from = aws_ecs_task_definition.events
+ to = module.events_service.aws_ecs_task_definition.this
+}
+
+moved {
+ from = aws_ecs_service.events
+ to = module.events_service.aws_ecs_service.this
+}
diff --git a/ops/services/30-worker/main.tf b/ops/services/30-worker/main.tf
index 9013149da..0f8c6ac30 100644
--- a/ops/services/30-worker/main.tf
+++ b/ops/services/30-worker/main.tf
@@ -117,127 +117,103 @@ resource "aws_security_group_rule" "efs_ingress" {
 security_group_id = data.aws_security_group.efs.id
 }
+data "aws_sqs_queue" "events" {
+ name = "${local.service_prefix}-events"
+}
 module "cluster" {
 source = "github.com/CMSgov/cdap//terraform/modules/cluster?ref=e06f4acfea302df22c210549effa2e91bc3eff0d"
 platform = module.platform
 }
-data "aws_sqs_queue" "events" {
- name = "${local.service_prefix}-events"
-}
-
-resource "aws_ecs_task_definition" "worker" {
- family = "${local.service_prefix}-${local.service}"
- network_mode = "awsvpc"
- execution_role_arn = data.aws_iam_role.worker.arn
- task_role_arn = data.aws_iam_role.worker.arn
- requires_compatibilities = ["FARGATE"]
- cpu = local.ecs_task_def_cpu_worker
- memory = local.ecs_task_def_memory_worker
-
- volume {
- name = "efs"
-
- efs_volume_configuration {
- file_system_id = data.aws_efs_file_system.this.id
- root_directory = "/"
- transit_encryption = "ENABLED"
- authorization_config {
- access_point_id = data.aws_efs_access_point.this.id
- }
+module "service" {
+ source = "github.com/CMSgov/cdap//terraform/modules/service?ref=jscott/PLT-1445"
+
+ cluster_arn = module.cluster.this.arn
+ cpu = local.ecs_task_def_cpu_worker
+ desired_count = local.worker_desired_instances
+ execution_role_arn = data.aws_iam_role.worker.arn
+ force_new_deployment = anytrue([var.force_worker_deployment, var.worker_service_image_tag != null])
+ health_check_grace_period_seconds = null
+ image = local.worker_image_uri
+ memory = local.ecs_task_def_memory_worker
+ platform = module.platform
+ platform_version = "LATEST"
+ security_groups = [data.aws_security_group.worker.id]
+ task_role_arn = data.aws_iam_role.worker.arn
+
+ container_environment = [
+ { name = "AB2D_BFD_INSIGHTS", value = local.bfd_insights }, #FIXME: Is this even used?
+ { name = "AB2D_BFD_KEYSTORE_LOCATION", value = local.bfd_keystore_location },
+ { name = "AB2D_BFD_URL", value = local.bfd_url },
+ { name = "AB2D_BFD_URL_V3", value = local.bfd_url_v3 },
+ { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+ { name = "AB2D_DB_PORT", value = "5432" },
+ { name = "AB2D_DB_SSL_MODE", value = "require" },
+ { name = "AB2D_EFS_MOUNT", value = local.ab2d_efs_mount },
+ { name = "AB2D_EXECUTION_ENV", value = local.benv },
+ { name = "AB2D_JOB_POOL_CORE_SIZE", value = local.max_concurrent_eob_jobs },
+ { name = "AB2D_JOB_POOL_MAX_SIZE", value = local.max_concurrent_eob_jobs },
+ { name = "AWS_SQS_FEATURE_FLAG", value = "true" }, #FIXME: Is this even used?
+ { name = "AWS_SQS_URL", value = data.aws_sqs_queue.events.url },
+ { name = "AWS_SNS_TOPIC_PREFIX", value = "ab2d-${local.parent_env}" },
+ { name = "IMAGE_VERSION", value = local.worker_image_tag },
+ { name = "NEW_RELIC_APP_NAME", value = local.new_relic_app_name },
+ { name = "MICROSERVICES_URL", value = local.microservices_url }
+ ]
+
+ container_secrets = [
+ { name = "AB2D_BFD_KEYSTORE_PASSWORD", valueFrom = local.bfd_keystore_password_arn },
+ { name = "AB2D_DB_DATABASE", valueFrom = local.db_name_arn },
+ { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+ { name = "AB2D_DB_USER", valueFrom = local.db_username_arn },
+ { name = "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom = local.slack_alert_webhooks_arn }, #FIXME: Is this even used?
+ { name = "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom = local.slack_trace_webhooks_arn }, #FIXME: Is this even used?
+ { name = "NEW_RELIC_LICENSE_KEY", valueFrom = local.new_relic_license_key_arn } #FIXME: Is this even used?
+ ]
+
+ mount_points = [
+ {
+ containerPath = local.ab2d_efs_mount,
+ sourceVolume = "efs"
+ },
+ {
+ "containerPath" = "/tmp",
+ "sourceVolume" = "tmp",
+ "readOnly" = false
+ },
+ {
+ "containerPath" = "/newrelic/logs",
+ "sourceVolume" = "newrelic_logs",
+ "readOnly" = false
+ },
+ {
+ "containerPath" = "/var/log",
+ "sourceVolume" = "var_logs",
+ "readOnly" = false
 }
- }
-
- container_definitions = nonsensitive(jsonencode([{
- name : local.service,
- image : local.worker_image_uri,
- readonlyRootFilesystem = true
- essential : true,
- mountPoints : [
- {
- containerPath : local.ab2d_efs_mount,
- sourceVolume : "efs"
- },
- {
- "containerPath" : "/tmp",
- "sourceVolume" : "tmp",
- "readOnly" : false
- },
- {
- "containerPath" : "/newrelic/logs",
- "sourceVolume" : "newrelic_logs",
- "readOnly" : false
- },
- {
- "containerPath" : "/var/log",
- "sourceVolume" : "var_logs",
- "readOnly" : false
- },
- ],
- secrets : [
- { name : "AB2D_BFD_KEYSTORE_PASSWORD", valueFrom : local.bfd_keystore_password_arn },
- { name : "AB2D_DB_DATABASE", valueFrom : local.db_name_arn },
- { name : "AB2D_DB_PASSWORD", valueFrom : local.db_password_arn },
- { name : "AB2D_DB_USER", valueFrom : local.db_username_arn },
- { name : "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom : local.slack_alert_webhooks_arn }, #FIXME: Is this even used?
- { name : "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom : local.slack_trace_webhooks_arn }, #FIXME: Is this even used?
- { name : "NEW_RELIC_LICENSE_KEY", valueFrom : local.new_relic_license_key_arn } #FIXME: Is this even used?
- ]
- environment : [
- { name : "AB2D_BFD_INSIGHTS", value : local.bfd_insights }, #FIXME: Is this even used?
- { name : "AB2D_BFD_KEYSTORE_LOCATION", value : local.bfd_keystore_location },
- { name : "AB2D_BFD_URL", value : local.bfd_url },
- { name : "AB2D_BFD_URL_V3", value : local.bfd_url_v3 },
- { name : "AB2D_DB_HOST", value : local.ab2d_db_host },
- { name : "AB2D_DB_PORT", value : "5432" },
- { name : "AB2D_DB_SSL_MODE", value : "require" },
- { name : "AB2D_EFS_MOUNT", value : local.ab2d_efs_mount },
- { name : "AB2D_EXECUTION_ENV", value : local.benv },
- { name : "AB2D_JOB_POOL_CORE_SIZE", value : local.max_concurrent_eob_jobs },
- { name : "AB2D_JOB_POOL_MAX_SIZE", value : local.max_concurrent_eob_jobs },
- { name : "AWS_SQS_FEATURE_FLAG", value : "true" }, #FIXME: Is this even used?
- { name : "AWS_SQS_URL", value : data.aws_sqs_queue.events.url },
- { name : "AWS_SNS_TOPIC_PREFIX", value : "ab2d-${local.parent_env}" },
- { name : "IMAGE_VERSION", value : local.worker_image_tag },
- { name : "NEW_RELIC_APP_NAME", value : local.new_relic_app_name },
- { name : "MICROSERVICES_URL", value : local.microservices_url },
- ],
- logConfiguration : {
- logDriver : "awslogs"
- options : {
- awslogs-group : "/aws/ecs/fargate/${local.service_prefix}/${local.service}",
- awslogs-create-group : "true",
- awslogs-region : local.aws_region,
- awslogs-stream-prefix : local.service_prefix
+ ]
+
+ volumes = [
+ {
+ name = "efs"
+ efs_volume_configuration = {
+ file_system_id = data.aws_efs_file_system.this.id
+ root_directory = "/"
+ transit_encryption = "ENABLED"
+ authorization_config = {
+ access_point_id = data.aws_efs_access_point.this.id
+ }
 }
 },
- healthCheck : null
- }]))
- volume {
- name = "tmp"
- }
- volume {
- name = "newrelic_logs"
- }
- volume {
- name = "var_logs"
- }
-}
-
-resource "aws_ecs_service" "worker" {
- name = "${local.service_prefix}-${local.service}"
- cluster = module.cluster.this.id
- task_definition = coalesce(var.override_task_definition_arn, aws_ecs_task_definition.worker.arn)
- launch_type = "FARGATE"
- desired_count = local.worker_desired_instances
- force_new_deployment = anytrue([var.force_worker_deployment, var.worker_service_image_tag != null])
- deployment_minimum_healthy_percent = 100
- propagate_tags = "SERVICE"
-
- network_configuration {
- subnets = local.writer_adjacent_subnets
- assign_public_ip = false
- security_groups = [data.aws_security_group.worker.id]
- }
+ {
+ name = "tmp"
+ },
+ {
+ name = "newrelic_logs"
+ },
+ {
+ name = "var_logs"
+ }
+ ]
 }
diff --git a/ops/services/30-worker/moved.tf b/ops/services/30-worker/moved.tf
new file mode 100644
index 000000000..416e8b2b6
--- /dev/null
+++ b/ops/services/30-worker/moved.tf
@@ -0,0 +1,9 @@
+moved {
+ from = aws_ecs_task_definition.worker
+ to = module.service.aws_ecs_task_definition.this
+}
+
+moved {
+ from = aws_ecs_service.worker
+ to = module.service.aws_ecs_service.this
+}
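Review bot: The removed `aws_ecs_service "worker"` placed tasks in `local.writer_adjacent_subnets` and allowed a task definition override via `coalesce(var.override_task_definition_arn, ...)`, but the new `module "service"` only passes `platform = module.platform` and `security_groups`, so subnet placement now depends on whatever the module derives from `platform` (not visible here) and `var.override_task_definition_arn` is no longer consumed by anything in this hunk. If the module accepts a subnet input, pass `local.writer_adjacent_subnets` explicitly; otherwise record the placement change in a comment next to `platform = module.platform`, e.g. `# NOTE: subnets are now chosen by the service module, no longer local.writer_adjacent_subnets`, and either remove `var.override_task_definition_arn` or wire it through. `deployment_minimum_healthy_percent = 100` is also dropped without a replacement input, which changes rollout behaviour for the worker unless the module sets it. Smaller inconsistencies with the contracts/events hunks: `platform_version = "LATEST"` versus `"1.4.0"` and `cluster_arn = module.cluster.this.arn` versus `module.cluster.this.id`.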