Merge pull request #8 from companieshouse/feature/ecs-configservice

Refactoring Terraform folder

terraform/groups/ecs-service/data.tf

@@ -17,6 +17,13 @@ data "aws_vpc" "vpc" {
   }
 }
 
+data "aws_subnets" "application" {
+  filter {
+    name   = "tag:Name"
+    values = [local.application_subnet_pattern]
+  }
+}
+
 data "aws_ecs_cluster" "ecs_cluster" {
   cluster_name = "${local.name_prefix}-cluster"
 }
@@ -44,3 +51,19 @@ data "aws_ssm_parameter" "secret" {
   for_each = toset(data.aws_ssm_parameters_by_path.secrets.names)
   name = each.key
 }
+
+# retrieve all global secrets for this env using global path
+data "aws_ssm_parameters_by_path" "global_secrets" {
+  path = "/${local.global_prefix}"
+}
+
+# create a list of secrets names to retrieve them in a nicer format and lookup each secret by name
+data "aws_ssm_parameter" "global_secret" {
+  for_each = toset(data.aws_ssm_parameters_by_path.global_secrets.names)
+  name     = each.key
+}
+
+// --- s3 bucket for shared services config ---
+data "vault_generic_secret" "shared_s3" {
+  path = "aws-accounts/shared-services/s3"
+}

terraform/groups/ecs-service/locals.tf

@@ -2,17 +2,22 @@
 locals {
   stack_name                = "identity" # this must match the stack name the service deploys into
   name_prefix               = "${local.stack_name}-${var.environment}"
+  global_prefix              = "global-${var.environment}"
   service_name              = "accounts-association-api"
   container_port            = "8080" # default Java port to match start script
   docker_repo               = "accounts-association-api"
   lb_listener_rule_priority = 14
   lb_listener_paths         = ["accounts/associations/*"]
   healthcheck_path          = "/healthcheck" #healthcheck path for accounts association service
   healthcheck_matcher       = "200"
-
+  application_subnet_ids     = data.aws_subnets.application.ids
   kms_alias                 = "alias/${var.aws_profile}/environment-services-kms"
   service_secrets           = jsondecode(data.vault_generic_secret.service_secrets.data_json)
-
+  stack_secrets              = jsondecode(data.vault_generic_secret.stack_secrets.data_json)
+  application_subnet_pattern = local.stack_secrets["application_subnet_pattern"]
+  use_set_environment_files  = var.use_set_environment_files
+  s3_config_bucket           = data.vault_generic_secret.shared_s3.data["config_bucket_name"]
+  app_environment_filename   = "accounts-association-api.env"
   parameter_store_secrets    = {
     "vpc_name"                        = local.vpc_name
   }
@@ -31,11 +36,45 @@ locals {
       trimprefix(sec.name, "/${local.service_name}-${var.environment}/") => sec.arn
   }
 
-  # TODO: task_secrets don't seem to correspond with 'parameter_store_secrets'. What is the difference?
-  task_secrets = [
+  global_secret_list = flatten([for key, value in local.global_secrets_arn_map :
+    { "name" = upper(key), "valueFrom" = value }
+  ])
+
+  global_secrets_arn_map = {
+    for sec in data.aws_ssm_parameter.global_secret :
+    trimprefix(sec.name, "/${local.global_prefix}/") => sec.arn
+  }
+
+  service_secret_list = flatten([for key, value in local.service_secrets_arn_map :
+    { "name" = upper(key), "valueFrom" = value }
+  ])
+
+  ssm_service_version_map = [
+    for sec in module.secrets.secrets : {
+      name  = "${replace(upper(local.service_name), "-", "_")}_${var.ssm_version_prefix}${replace(upper(basename(sec.name)), "-", "_")}",
+      value = tostring(sec.version)
+    }
   ]
 
-  task_environment = [
-    { "name": "LOG_LEVEL", "value": "${var.log_level}" },
+  ssm_global_version_map = [
+    for sec in data.aws_ssm_parameter.global_secret : {
+      name  = "GLOBAL_${var.ssm_version_prefix}${replace(upper(basename(sec.name)), "-", "_")}",
+      value = tostring(sec.version)
+    }
   ]
+
+  # secrets to go in list
+  #  task_secrets = concat(local.global_secret_list, local.service_secret_list, [
+  #    { "name" : "COOKIE_SECRET", "valueFrom" : "${local.service_secrets_arn_map.cookie_secret}" },
+  #    { "name" : "CHS_DEVELOPER_CLIENT_SECRET", "valueFrom" : "${local.service_secrets_arn_map.chs_developer_client_secret}" },
+  #    { "name" : "CHS_DEVELOPER_CLIENT_ID", "valueFrom" : "${local.service_secrets_arn_map.chs_developer_client_id}" },
+  #    { "name" : "OAUTH2_REQUEST_KEY", "valueFrom" : "${local.service_secrets_arn_map.oauth2_request_key}" },
+  #    { "name" : "DEVELOPER_OAUTH2_REQUEST_KEY", "valueFrom" : "${local.service_secrets_arn_map.developer_oauth2_request_key}" },
+  #  ])
+
+  # TODO: task_secrets don't seem to correspond with 'parameter_store_secrets'. What is the difference?
+  task_secrets = concat(local.global_secret_list, local.service_secret_list)
+
+  task_environment = concat(local.ssm_global_version_map,local.ssm_service_version_map)
+
 }

terraform/groups/ecs-service/main.tf

@@ -24,7 +24,7 @@ module "secrets" {
   name_prefix = "${local.service_name}-${var.environment}"
   environment = var.environment
   kms_key_id  = data.aws_kms_key.kms_key.id
-  secrets     = local.parameter_store_secrets
+  secrets     = nonsensitive(local.service_secrets)
 }
 
 module "ecs-service" {
@@ -42,8 +42,6 @@ module "ecs-service" {
   lb_listener_arn           = data.aws_lb_listener.service_lb_listener.arn
   lb_listener_rule_priority = local.lb_listener_rule_priority
   lb_listener_paths         = local.lb_listener_paths
-  healthcheck_path          = local.healthcheck_path
-  healthcheck_matcher       = local.healthcheck_matcher
 
   # Docker container details
   docker_registry   = var.docker_registry
@@ -55,17 +53,33 @@ module "ecs-service" {
   service_name = local.service_name
   name_prefix  = local.name_prefix
   use_fargate  = var.use_fargate
+  fargate_subnets           = local.application_subnet_ids
+  service_autoscale_enabled = var.service_autoscale_enabled
 
   # Service Healthcheck configuration
+  use_task_container_healthcheck    = true
+  healthcheck_path                  = local.healthcheck_path
+  healthcheck_matcher               = local.healthcheck_matcher
+  health_check_grace_period_seconds = 300
+  healthcheck_healthy_threshold     = "2"
 
   # Service performance and scaling configs
   desired_task_count = var.desired_task_count
   required_cpus      = var.required_cpus
   required_memory    = var.required_memory
+  service_autoscale_target_value_cpu = var.service_autoscale_target_value_cpu
+  service_scaledown_schedule         = var.service_scaledown_schedule
+  service_scaleup_schedule           = var.service_scaleup_schedule
+  use_capacity_provider              = var.use_capacity_provider
+
+  # Cloudwatch
+  cloudwatch_alarms_enabled = var.cloudwatch_alarms_enabled
 
   # Service environment variable and secret configs
   task_environment = local.task_environment
   task_secrets     = local.task_secrets
+  app_environment_filename  = local.app_environment_filename
+  use_set_environment_files = local.use_set_environment_files
 
   depends_on=[module.secrets]
 }

terraform/groups/ecs-service/profiles/development-eu-west-2/cidev/vars

@@ -1,4 +1,6 @@
 environment = "cidev"
 aws_profile = "development-eu-west-2"
 
+# service configs
+use_set_environment_files = true
 log_level = "debug"

terraform/groups/ecs-service/profiles/development-eu-west-2/phoenix1/vars

@@ -1,4 +1,6 @@
 environment = "phoenix1"
 aws_profile = "development-eu-west-2"
 
+# service configs
+use_set_environment_files = true
 log_level = "debug"

terraform/groups/ecs-service/variables.tf

@@ -47,15 +47,68 @@ variable "use_fargate" {
   description = "If true, sets the required capabilities for all containers in the task definition to use FARGATE, false uses EC2"
   default     = true
 }
+
+variable "use_capacity_provider" {
+  type        = bool
+  description = "Whether to use a capacity provider instead of setting a launch type for the service"
+  default     = true
+}
+
+variable "service_autoscale_enabled" {
+  type        = bool
+  description = "Whether to enable service autoscaling, including scheduled autoscaling"
+  default     = true
+}
+
+variable "service_autoscale_target_value_cpu" {
+  type        = number
+  description = "Target CPU percentage for the ECS Service to autoscale on"
+  default     = 50 # 100 disables autoscaling using CPU as a metric
+}
+
+variable "service_scaledown_schedule" {
+  type        = string
+  description = "The schedule to use when scaling down the number of tasks to zero."
+  default     = ""
+}
+
+variable "service_scaleup_schedule" {
+  type        = string
+  description = "The schedule to use when scaling up the number of tasks to their normal desired level."
+  default     = ""
+}
+
+# ----------------------------------------------------------------------
+# Cloudwatch alerts
+# ----------------------------------------------------------------------
+variable "cloudwatch_alarms_enabled" {
+  description = "Whether to create a standard set of cloudwatch alarms for the service.  Requires an SNS topic to have already been created for the stack."
+  type        = bool
+  default     = true
+}
+
 # ------------------------------------------------------------------------------
 # Service environment variable configs
 # ------------------------------------------------------------------------------
+variable "ssm_version_prefix" {
+  type        = string
+  description = "String to use as a prefix to the names of the variables containing variables and secrets version."
+  default     = "SSM_VERSION_"
+}
+
+variable "use_set_environment_files" {
+  type        = bool
+  default     = false
+  description = "Toggle default global and shared  environment files"
+}
+
 variable "log_level" {
   default     = "info"
   type        = string
   description = "The log level for services to use: trace, debug, info or error"
 }
+
 variable "accounts_association_api_version" {
   type        = string
   description = "The version of the accounts-association-api container to run."
-}
+}