From 09b2ca10d3d07273fd1ebd4ece3afdb573a4ddb0 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 25 Mar 2024 17:01:46 -0600 Subject: [PATCH 01/12] add AppConfig to other services --- terraform/031-email-service/main.tf | 95 +++++++++++-------- .../task-definition-api.json | 16 ++++ .../task-definition-cron.json | 16 ++++ terraform/031-email-service/vars.tf | 12 +++ terraform/040-id-broker/main.tf | 42 ++------ terraform/050-pw-manager/main-api.tf | 44 +++++++++ .../050-pw-manager/task-definition-api.json | 16 ++++ terraform/050-pw-manager/vars.tf | 12 +++ terraform/060-simplesamlphp/main.tf | 45 +++++++++ .../060-simplesamlphp/task-definition.json | 16 ++++ terraform/060-simplesamlphp/vars.tf | 12 +++ terraform/070-id-sync/main.tf | 41 ++++++++ terraform/070-id-sync/task-definition.json | 16 ++++ terraform/070-id-sync/vars.tf | 12 +++ terraform/ecs-role/main.tf | 50 ++++++++++ terraform/ecs-role/outputs.tf | 4 + terraform/ecs-role/variables.tf | 9 ++ 17 files changed, 382 insertions(+), 76 deletions(-) create mode 100644 terraform/ecs-role/main.tf create mode 100644 terraform/ecs-role/outputs.tf create mode 100644 terraform/ecs-role/variables.tf diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index d9c13b87..f35cef56 100644 --- a/terraform/031-email-service/main.tf +++ b/terraform/031-email-service/main.tf @@ -1,6 +1,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id } /* 
@@ -55,50 +57,44 @@ resource "random_id" "access_token_idsync" { byte_length = 16 } + /* - * Create role for access to SES + * Create ECS role */ -resource "aws_iam_role" "ses" { - name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Sid = "ECSAssumeRoleSES" - Effect = "Allow" - Principal = { - Service = [ - "ses.amazonaws.com", - "ecs-tasks.amazonaws.com", - ] - } - Action = "sts:AssumeRole" - } - ] - }) +module "ecs_role" { + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = local.ecs_role_policy } -resource "aws_iam_role_policy" "ses" { - name = "ses" - role = aws_iam_role.ses.id - policy = jsonencode( +locals { + ecs_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = concat(local.ses_policy_statement, local.appconfig_policy_statement) + }) + ses_policy_statement = [{ + Sid = "SendEmail" + Effect = "Allow" + Action = "ses:SendEmail" + Resource = "*" + Condition = { + StringEquals = { + "ses:FromAddress" = var.from_email + } + } + }] + appconfig_policy_statement = var.app_id == "" ? [] : [ { - Version = "2012-10-17" - Statement = [ - { - Sid = "SendEmail" - Effect = "Allow" - Action = "ses:SendEmail" - Resource = "*" - Condition = { - StringEquals = { - "ses:FromAddress" = var.from_email - } - } - } + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", ] - }) + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + }, + ] } /* 
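Review bot: The narrowed trust boundary at `module "ecs_role"` is not recorded anywhere in this file: the removed `aws_iam_role.ses` trusted both `ses.amazonaws.com` and `ecs-tasks.amazonaws.com`, whereas `../ecs-role` (added in this patch) trusts only `ecs-tasks.amazonaws.com` under `aws:SourceArn`/`aws:SourceAccount` conditions. Assuming nothing in SES actually assumed the old role, that is a least-privilege improvement, but a later reader comparing state will wonder why the principal vanished; a comment such as `# Trust policy lives in ../ecs-role: ecs-tasks only, the former ses.amazonaws.com principal was dropped deliberately` would settle it. In `ses_policy_statement`, `Resource = "*"` is bounded only by the `ses:FromAddress` condition, so a comment like `# "*" is acceptable only because ses:FromAddress pins the sender` guards against the condition being removed in a refactor. The role name also changes from `ses-…` to `ecs-…`, which replaces the IAM role rather than updating it in place.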
@@ -108,6 +104,9 @@ locals { subdomain_with_region = "${var.subdomain}-${local.aws_region}" task_def_api = templatefile("${path.module}/task-definition-api.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name @@ -143,13 +142,16 @@ module "ecsservice_api" { container_def_json = local.task_def_api desired_count = var.desired_count_api tg_arn = aws_alb_target_group.email.arn - task_role_arn = aws_iam_role.ses.arn + task_role_arn = module.ecs_role.role_arn lb_container_name = "api" lb_container_port = "80" } locals { task_def_cron = templatefile("${path.module}/task-definition-cron.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name @@ -182,7 +184,7 @@ module "ecsservice_cron" { service_name = "${var.idp_name}-${var.app_name}-cron" service_env = var.app_env container_def_json = local.task_def_cron - task_role_arn = aws_iam_role.ses.arn + task_role_arn = module.ecs_role.role_arn desired_count = var.enable_cron ? 1 : 0 } @@ -201,6 +203,19 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + + /* * AWS data */ diff --git a/terraform/031-email-service/task-definition-api.json b/terraform/031-email-service/task-definition-api.json index e0ca1a9d..ec517dc0 100644 --- a/terraform/031-email-service/task-definition-api.json +++ b/terraform/031-email-service/task-definition-api.json 
@@ -21,6 +21,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "API_ACCESS_KEYS", "value": "${api_access_keys}" diff --git a/terraform/031-email-service/task-definition-cron.json b/terraform/031-email-service/task-definition-cron.json index ce4cbc18..f3bff57e 100644 --- a/terraform/031-email-service/task-definition-cron.json +++ b/terraform/031-email-service/task-definition-cron.json @@ -15,6 +15,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "API_ACCESS_KEYS", "value": "${api_access_keys}" diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf index bf53b18c..a72a76a7 100644 --- a/terraform/031-email-service/vars.tf +++ b/terraform/031-email-service/vars.tf @@ -160,3 +160,15 @@ variable "wildcard_cert_arn" { variable "enable_cron" { default = true } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 03bf3954..d92909a3 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -207,7 +207,7 @@ module "ecsservice" { tg_arn = aws_alb_target_group.broker.arn lb_container_name = "web" lb_container_port = "80" - task_role_arn = one(aws_iam_role.app_config[*].arn) + task_role_arn = one(module.ecs_role[*].role_arn) } /* 
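Review bot: The `app_id` and `env_id` descriptions in the vars.tf hunk do not say what an empty value means, although the whole feature keys off it: `count = var.app_id == "" ? 0 : 1` on the configuration profile, the AppConfig statement being omitted from the role policy, and `APP_ID`/`ENV_ID`/`CONFIG_ID` being rendered as empty strings into the task definitions in the JSON hunks. Suggested wording: `description = "AppConfig application ID; leave empty to disable AppConfig (no profile, no IAM statement, empty APP_ID/ENV_ID/CONFIG_ID in the task)"` with the matching sentence on `env_id`. Note that `env_id` is not part of the `count` condition, so an `app_id` with an empty `env_id` produces a policy ARN with an empty environment segment; a `validation` block or the same guard on `env_id` would catch that. The identical vars.tf hunks for 050-pw-manager, 060-simplesamlphp and 070-id-sync deserve the same text.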
@@ -431,43 +431,13 @@ data "cloudflare_zone" "domain" { /* - * Create role for access to AppConfig + * Create ECS role */ -resource "aws_iam_role" "app_config" { - count = var.app_id == "" ? 0 : 1 - - name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Sid = "ECSAssumeRoleAppConfig" - Effect = "Allow" - Principal = { - Service = [ - "ecs-tasks.amazonaws.com", - ] - } - Action = "sts:AssumeRole" - Condition = { - ArnLike = { - "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*" - } - StringEquals = { - "aws:SourceAccount" = local.aws_account - } - } - } - ] - }) -} - -resource "aws_iam_role_policy" "app_config" { - count = var.app_id == "" ? 0 : 1 +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" - name = "app_config" - role = one(aws_iam_role.app_config[*].id) + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" policy = jsonencode( { Version = "2012-10-17" diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index 37b6cb69..e60dd4b6 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -2,6 +2,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id } /* @@ -60,6 +62,9 @@ locals { api_subdomain_with_region = "${var.api_subdomain}-${local.aws_region}" task_def = templatefile("${path.module}/task-definition-api.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id access_token_hash = random_id.access_token_hash.hex alerts_email = var.alerts_email alerts_email_enabled = var.alerts_email_enabled 
@@ -126,6 +131,7 @@ module "ecsservice" { lb_container_name = "web" lb_container_port = "80" ecsServiceRole_arn = var.ecsServiceRole_arn + task_role_arn = one(module.ecs_role[*].role_arn) } /* @@ -153,6 +159,44 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * Create ECS role + */ +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", + ] + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + } + ] + }) +} + + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + /* * AWS data */ diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json index bd77fd49..c077e45b 100644 --- a/terraform/050-pw-manager/task-definition-api.json +++ b/terraform/050-pw-manager/task-definition-api.json @@ -21,6 +21,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "ACCESS_TOKEN_HASH_KEY", "value": "${access_token_hash}" diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf index 51830231..33fc06ae 100644 --- a/terraform/050-pw-manager/vars.tf +++ b/terraform/050-pw-manager/vars.tf 
@@ -285,3 +285,15 @@ variable "create_dns_record" { type = bool default = true } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 5db472f2..0e1feca6 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -1,6 +1,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id } /* @@ -66,6 +68,9 @@ locals { secret_salt = var.secret_salt == "" ? random_id.secretsalt.hex : var.secret_salt task_def = templatefile("${path.module}/task-definition.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id memory = var.memory cpu = var.cpu admin_email = var.admin_email @@ -121,6 +126,7 @@ module "ecsservice" { lb_container_name = "web" lb_container_port = "80" ecsServiceRole_arn = var.ecsServiceRole_arn + task_role_arn = one(module.ecs_role[*].role_arn) } /* 
@@ -148,6 +154,45 @@ data "cloudflare_zone" "domain" { name = var.cloudflare_domain } + +/* + * Create ECS role + */ +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", + ] + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + } + ] + }) +} + + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + + /* * AWS data */ diff --git a/terraform/060-simplesamlphp/task-definition.json b/terraform/060-simplesamlphp/task-definition.json index 1a8ee99a..fb47dade 100644 --- a/terraform/060-simplesamlphp/task-definition.json +++ b/terraform/060-simplesamlphp/task-definition.json @@ -21,6 +21,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "ADMIN_EMAIL", "value": "${admin_email}" diff --git a/terraform/060-simplesamlphp/vars.tf b/terraform/060-simplesamlphp/vars.tf index fb41de22..742c8c38 100644 --- a/terraform/060-simplesamlphp/vars.tf +++ b/terraform/060-simplesamlphp/vars.tf 
@@ -202,3 +202,15 @@ variable "create_dns_record" { type = bool default = true } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 27d8eeeb..48f07720 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -1,6 +1,8 @@ locals { aws_account = data.aws_caller_identity.this.account_id aws_region = data.aws_region.current.name + cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.cfg_id == null ? "" : local.cfg_id /* * Create ECS service @@ -13,6 +15,9 @@ locals { ) task_def = templatefile("${path.module}/task-definition.json", { + app_id = var.app_id + env_id = var.env_id + config_id = local.config_id app_env = var.app_env app_name = var.app_name aws_region = local.aws_region @@ -98,6 +103,7 @@ resource "aws_ecs_task_definition" "cron_td" { family = "${var.idp_name}-${var.app_name}-cron-${var.app_env}" container_definitions = local.task_def network_mode = "bridge" + task_role_arn = one(module.ecs_role[*].role_arn) } /* 
@@ -129,6 +135,41 @@ resource "aws_cloudwatch_event_target" "id_sync_event_target" { } } +/* + * Create ECS role + */ +module "ecs_role" { + count = var.app_id == "" ? 0 : 1 + source = "../ecs-role" + + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "AppConfig" + Effect = "Allow" + Action = [ + "appconfig:GetLatestConfiguration", + "appconfig:StartConfigurationSession", + ] + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + } + ] + }) +} + +/* + * Create AppConfig configuration profile + */ +resource "aws_appconfig_configuration_profile" "this" { + application_id = var.app_id + name = "${var.app_name}-${var.app_env}" + location_uri = "hosted" +} + + /* * AWS data */ diff --git a/terraform/070-id-sync/task-definition.json b/terraform/070-id-sync/task-definition.json index e90ff0f6..94651c45 100644 --- a/terraform/070-id-sync/task-definition.json +++ b/terraform/070-id-sync/task-definition.json @@ -14,6 +14,22 @@ "ulimits": null, "dockerSecurityOptions": null, "environment": [ + { + "name": "APP_ID", + "value": "${app_id}" + }, + { + "name": "AWS_REGION", + "value": "${aws_region}" + }, + { + "name": "ENV_ID", + "value": "${env_id}" + }, + { + "name": "CONFIG_ID", + "value": "${config_id}" + }, { "name": "APP_ENV", "value": "${app_env}" diff --git a/terraform/070-id-sync/vars.tf b/terraform/070-id-sync/vars.tf index 79de5eec..09e1f5fe 100644 --- a/terraform/070-id-sync/vars.tf +++ b/terraform/070-id-sync/vars.tf @@ -149,3 +149,15 @@ variable "heartbeat_method" { type = string default = "" } + +variable "app_id" { + description = "AppConfig application ID" + type = string + default = "" +} + +variable "env_id" { + description = "AppConfig environment ID" + type = string + default = "" +} 
diff --git a/terraform/ecs-role/main.tf b/terraform/ecs-role/main.tf new file mode 100644 index 00000000..c21dc8c5 --- /dev/null +++ b/terraform/ecs-role/main.tf @@ -0,0 +1,50 @@ +locals { + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name +} + +/* + * Create ECS role + */ +resource "aws_iam_role" "this" { + name = var.name + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "ECSAssumeRoleAppConfig" + Effect = "Allow" + Principal = { + Service = [ + "ecs-tasks.amazonaws.com", + ] + } + Action = "sts:AssumeRole" + Condition = { + ArnLike = { + "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*" + } + StringEquals = { + "aws:SourceAccount" = local.aws_account + } + } + } + ] + }) +} + +resource "aws_iam_role_policy" "this" { + name = var.name + role = one(aws_iam_role.this[*].id) + policy = var.policy +} + + +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} diff --git a/terraform/ecs-role/outputs.tf b/terraform/ecs-role/outputs.tf new file mode 100644 index 00000000..0bbb6685 --- /dev/null +++ b/terraform/ecs-role/outputs.tf @@ -0,0 +1,4 @@ + +output "role_arn" { + value = aws_iam_role.this.arn +} diff --git a/terraform/ecs-role/variables.tf b/terraform/ecs-role/variables.tf new file mode 100644 index 00000000..fc490a3a --- /dev/null +++ b/terraform/ecs-role/variables.tf @@ -0,0 +1,9 @@ +variable "name" { + description = "name of role and role policy" + type = string +} + +variable "policy" { + description = "ECS role policy" + type = string +} From c51ef9c154d8ddae313c26e1232a38e877b1e329 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 26 Mar 2024 13:44:21 -0600 Subject: [PATCH 02/12] remove "AppConfig" from ECS role Sid --- terraform/ecs-role/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
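Review bot: The trust policy in `resource "aws_iam_role" "this"` carries the module's key security property without a comment: the `aws:SourceArn` and `aws:SourceAccount` conditions restrict `sts:AssumeRole` to ECS tasks in this account and region, so a task in another account cannot use the role even though `ecs-tasks.amazonaws.com` is a shared service principal. A comment above `Condition` such as `# limit assumption to ECS tasks of this account and region; do not loosen without review` would protect it from being simplified away. The module's `variables.tf` also says nothing about the expected shape of `policy`; `description = "IAM policy document (JSON string) attached inline to the role"` would match how `aws_iam_role_policy.this` uses it.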
diff --git a/terraform/ecs-role/main.tf b/terraform/ecs-role/main.tf index c21dc8c5..2212805c 100644 --- a/terraform/ecs-role/main.tf +++ b/terraform/ecs-role/main.tf @@ -13,7 +13,7 @@ resource "aws_iam_role" "this" { Version = "2012-10-17" Statement = [ { - Sid = "ECSAssumeRoleAppConfig" + Sid = "ECSAssumeRole" Effect = "Allow" Principal = { Service = [ From c875419846829b4b85f460a5ea65568827b30bfb Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 26 Mar 2024 13:59:36 -0600 Subject: [PATCH 03/12] keep existing SES role in email-service --- terraform/031-email-service/main.tf | 51 +++++++++++++++++------------ terraform/ecs-role/main.tf | 4 ++- terraform/ecs-role/outputs.tf | 4 +++ terraform/ecs-role/variables.tf | 1 + 4 files changed, 38 insertions(+), 22 deletions(-) diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index f35cef56..a4463c29 100644 --- a/terraform/031-email-service/main.tf +++ b/terraform/031-email-service/main.tf 
@@ -64,28 +64,36 @@ resource "random_id" "access_token_idsync" { module "ecs_role" { source = "../ecs-role" - name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - policy = local.ecs_role_policy + name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" } -locals { - ecs_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = concat(local.ses_policy_statement, local.appconfig_policy_statement) - }) - ses_policy_statement = [{ - Sid = "SendEmail" - Effect = "Allow" - Action = "ses:SendEmail" - Resource = "*" - Condition = { - StringEquals = { - "ses:FromAddress" = var.from_email +resource "aws_iam_role_policy" "ses" { + name = "ses" + role = module.ecs_role.role_name + policy = jsonencode({ + Version = "2012-10-17" + Statement = [{ + Sid = "SendEmail" + Effect = "Allow" + Action = "ses:SendEmail" + Resource = "*" + Condition = { + StringEquals = { + "ses:FromAddress" = var.from_email + } } - } - }] - appconfig_policy_statement = var.app_id == "" ? [] : [ - { + }] + }) +} + +resource "aws_iam_role_policy" "appconfig" { + count = app_id == "" ? 0 : 1 + + name = "appconfig" + role = module.ecs_role.role_name + policy = jsonencode({ + Version = "2012-10-17" + Statement = [{ Sid = "AppConfig" Effect = "Allow" Action = [ @@ -93,10 +101,11 @@ locals { "appconfig:StartConfigurationSession", ] Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" - }, - ] + }] + }) } + /* * Create ECS services */ diff --git a/terraform/ecs-role/main.tf b/terraform/ecs-role/main.tf index 2212805c..9ee9020b 100644 --- a/terraform/ecs-role/main.tf +++ b/terraform/ecs-role/main.tf @@ -35,8 +35,10 @@ resource "aws_iam_role" "this" { } resource "aws_iam_role_policy" "this" { + count = var.policy == "" ? 0 : 1 + name = var.name - role = one(aws_iam_role.this[*].id) + role = aws_iam_role.this.id policy = var.policy } 
diff --git a/terraform/ecs-role/outputs.tf b/terraform/ecs-role/outputs.tf index 0bbb6685..2340077a 100644 --- a/terraform/ecs-role/outputs.tf +++ b/terraform/ecs-role/outputs.tf @@ -2,3 +2,7 @@ output "role_arn" { value = aws_iam_role.this.arn } + +output "role_name" { + value = aws_iam_role.this.name +} diff --git a/terraform/ecs-role/variables.tf b/terraform/ecs-role/variables.tf index fc490a3a..2556c5b5 100644 --- a/terraform/ecs-role/variables.tf +++ b/terraform/ecs-role/variables.tf @@ -6,4 +6,5 @@ variable "name" { variable "policy" { description = "ECS role policy" type = string + default = "" } From ba3194052ce6c06149386e51fcb0e333de35f7c7 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 26 Mar 2024 14:02:29 -0600 Subject: [PATCH 04/12] add missing "var." --- terraform/031-email-service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index a4463c29..b8c1ba1e 100644 --- a/terraform/031-email-service/main.tf +++ b/terraform/031-email-service/main.tf @@ -87,7 +87,7 @@ resource "aws_iam_role_policy" "ses" { } resource "aws_iam_role_policy" "appconfig" { - count = app_id == "" ? 0 : 1 + count = var.app_id == "" ? 0 : 1 name = "appconfig" role = module.ecs_role.role_name From 46954d917fdff7a6884c20be8595e3133ff201a5 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 26 Mar 2024 15:08:46 -0600 Subject: [PATCH 05/12] ecs-role doesn't create the policy now --- terraform/ecs-role/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/ecs-role/variables.tf b/terraform/ecs-role/variables.tf index 2556c5b5..3edab3e0 100644 --- a/terraform/ecs-role/variables.tf +++ b/terraform/ecs-role/variables.tf @@ -1,5 +1,5 @@ variable "name" { - description = "name of role and role policy" + description = "name of role" type = string } 
From 16b6acce58cfc0e6b232719ddfbb131dd143f363 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Wed, 27 Mar 2024 11:19:16 -0600 Subject: [PATCH 06/12] eliminate race condition, create appconfig role outside ecs-role module --- terraform/040-id-broker/main.tf | 7 +++++++ terraform/050-pw-manager/main-api.tf | 7 +++++++ terraform/060-simplesamlphp/main.tf | 7 +++++++ terraform/070-id-sync/main.tf | 7 +++++++ terraform/ecs-role/main.tf | 26 +++++++++----------------- 5 files changed, 37 insertions(+), 17 deletions(-) diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index d92909a3..f8c0862f 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -438,6 +438,13 @@ module "ecs_role" { source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" +} + +resource "aws_iam_role_policy" "this" { + count = var.app_id == "" ? 0 : 1 + + name = "appconfig" + role = one(module.ecs_role[*].role_name) policy = jsonencode( { Version = "2012-10-17" diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index e60dd4b6..9f748acd 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -168,6 +168,13 @@ module "ecs_role" { source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" +} + +resource "aws_iam_role_policy" "this" { + count = var.app_id == "" ? 0 : 1 + + name = "appconfig" + role = one(module.ecs_role[*].role_name) policy = jsonencode( { Version = "2012-10-17" diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 0e1feca6..2cf7cff9 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf 
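Review bot: The new `resource "aws_iam_role_policy" "this"` in 040-id-broker is labelled `this` while the same inline policy in 031-email-service is `aws_iam_role_policy.appconfig`, and all of them set `name = "appconfig"`; using the label `appconfig` in 040 and 050 on this line and in 060 and 070 on the next keeps the addresses consistent and avoids a second `this` next to `aws_appconfig_configuration_profile.this`. Splitting the policy out of the module means the role can exist briefly with no policy attached, which is the safe direction, but the "race condition" in the commit message is not explained in code; presumably the module's `count = var.policy == "" ? 0 : 1` depended on a policy rendered from `local.config_id`, which is only known after apply. A comment on the resource such as `# kept outside ../ecs-role: count must depend on var.app_id, not on a policy rendered from resource attributes` would record the reason — confirm that is the actual race.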
@@ -163,6 +163,13 @@ module "ecs_role" { source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" +} + +resource "aws_iam_role_policy" "this" { + count = var.app_id == "" ? 0 : 1 + + name = "appconfig" + role = one(module.ecs_role[*].role_name) policy = jsonencode( { Version = "2012-10-17" diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 48f07720..bba2e5b4 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -143,6 +143,13 @@ module "ecs_role" { source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" +} + +resource "aws_iam_role_policy" "this" { + count = var.app_id == "" ? 0 : 1 + + name = "appconfig" + role = one(module.ecs_role[*].role_name) policy = jsonencode( { Version = "2012-10-17" diff --git a/terraform/ecs-role/main.tf b/terraform/ecs-role/main.tf index 9ee9020b..e8f11b00 100644 --- a/terraform/ecs-role/main.tf +++ b/terraform/ecs-role/main.tf @@ -3,6 +3,15 @@ locals { aws_region = data.aws_region.current.name } +/* + * AWS data + */ + +data "aws_caller_identity" "this" {} + +data "aws_region" "current" {} + + /* * Create ECS role */ @@ -33,20 +42,3 @@ resource "aws_iam_role" "this" { ] }) } - -resource "aws_iam_role_policy" "this" { - count = var.policy == "" ? 0 : 1 - - name = var.name - role = aws_iam_role.this.id - policy = var.policy -} - - -/* - * AWS data - */ - -data "aws_caller_identity" "this" {} - -data "aws_region" "current" {} From e2f186bcf0540ea90b6f40cf3219fe5a571e0c07 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Wed, 27 Mar 2024 12:56:24 -0600 Subject: [PATCH 07/12] correctly handle an empty id_store_config --- terraform/070-id-sync/main.tf | 2 +- terraform/070-id-sync/task-definition.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index bba2e5b4..0c608ef4 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -33,7 +33,7 @@ locals { id_broker_base_url = var.id_broker_base_url id_broker_trustedIpRanges = join(",", var.id_broker_trustedIpRanges) id_store_adapter = var.id_store_adapter - id_store_config = local.id_store_config + id_store_config = local.id_store_config == "" ? "" : ",${local.id_store_config}" idp_name = var.idp_name idp_display_name = var.idp_display_name alerts_email = var.alerts_email diff --git a/terraform/070-id-sync/task-definition.json b/terraform/070-id-sync/task-definition.json index 94651c45..da025947 100644 --- a/terraform/070-id-sync/task-definition.json +++ b/terraform/070-id-sync/task-definition.json @@ -117,7 +117,7 @@ { "name": "HEARTBEAT_METHOD", "value": "${heartbeat_method}" - }, + } ${id_store_config} ], "links": null, From ac268d3d53fd5392db2ab678b4f81b9571acb88d Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Wed, 27 Mar 2024 12:56:43 -0600 Subject: [PATCH 08/12] add conditional on id-sync config profile --- terraform/070-id-sync/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 0c608ef4..cf955d99 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -171,6 +171,8 @@ resource "aws_iam_role_policy" "this" { * Create AppConfig configuration profile */ resource "aws_appconfig_configuration_profile" "this" { + count = var.app_id == "" ? 0 : 1 + application_id = var.app_id name = "${var.app_name}-${var.app_env}" location_uri = "hosted" From 3235cd5978822c71a71c6d8a090c8d54e4d50c8e Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Wed, 27 Mar 2024 12:56:52 -0600 Subject: [PATCH 09/12] remove unused variable --- terraform/ecs-role/variables.tf | 6 ------ 1 file changed, 6 deletions(-) 
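Review bot: `id_store_config` is now spliced into task-definition.json as a raw string carrying its own leading comma, so the template's validity depends on `local.id_store_config` being a well-formed JSON fragment (one or more `{ "name": …, "value": … }` objects separated by commas); nothing in the hunk validates that. The conditional fixes the dangling-comma case, but a comment on the template key would help, e.g. `# optional extra environment entries; the leading comma joins them to HEARTBEAT_METHOD`. If `local.id_store_config` is built by string concatenation elsewhere in this file (its definition is outside the hunk), rendering the whole `environment` array with `jsonencode` instead of template splicing would remove the quoting risk from values that contain `"` or `\`. The matching JSON hunk drops the trailing comma after `HEARTBEAT_METHOD`, which is what makes the empty case valid.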
diff --git a/terraform/ecs-role/variables.tf b/terraform/ecs-role/variables.tf index 3edab3e0..46acf052 100644 --- a/terraform/ecs-role/variables.tf +++ b/terraform/ecs-role/variables.tf @@ -2,9 +2,3 @@ variable "name" { description = "name of role" type = string } - -variable "policy" { - description = "ECS role policy" - type = string - default = "" -} From 8a0b6d2efde66d3ef2c77ae6824e460b74b2fc6b Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:29:24 -0600 Subject: [PATCH 10/12] PR feedback: use a longer variable name --- terraform/031-email-service/main.tf | 8 ++++---- terraform/040-id-broker/main.tf | 8 ++++---- terraform/050-pw-manager/main-api.tf | 10 +++++----- terraform/060-simplesamlphp/main.tf | 8 ++++---- terraform/070-id-sync/main.tf | 8 ++++---- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index b8c1ba1e..4e71ba30 100644 --- a/terraform/031-email-service/main.tf +++ b/terraform/031-email-service/main.tf @@ -1,8 +1,8 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.cfg_id == null ? "" : local.cfg_id + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index f8c0862f..4b903b76 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf 
@@ -1,8 +1,8 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.cfg_id == null ? "" : local.cfg_id + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index 9f748acd..d895fc55 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -1,9 +1,9 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" - cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.cfg_id == null ? "" : local.cfg_id + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 2cf7cff9..130665a7 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf 
@@ -1,8 +1,8 @@
 locals {
- aws_account = data.aws_caller_identity.this.account_id
- aws_region = data.aws_region.current.name
- cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
- config_id = local.cfg_id == null ? "" : local.cfg_id
+ aws_account = data.aws_caller_identity.this.account_id
+ aws_region = data.aws_region.current.name
+ config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
+ config_id = local.config_id_or_null == null ? "" : local.config_id_or_null
 }
 
 /*
diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf
index cf955d99..72495c4e 100644
--- a/terraform/070-id-sync/main.tf
+++ b/terraform/070-id-sync/main.tf
@@ -1,8 +1,8 @@
 locals {
- aws_account = data.aws_caller_identity.this.account_id
- aws_region = data.aws_region.current.name
- cfg_id = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
- config_id = local.cfg_id == null ? "" : local.cfg_id
+ aws_account = data.aws_caller_identity.this.account_id
+ aws_region = data.aws_region.current.name
+ config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
+ config_id = local.config_id_or_null == null ? "" : local.config_id_or_null
 
 /*
 * Create ECS service
From 5be6dca73472122618eef00940000d3258296e9b Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:34:04 -0600 Subject: [PATCH 11/12] PR feedback: prefix appconfig parameters with "appconfig_" --- terraform/000-core/outputs.tf | 4 +-- terraform/031-email-service/main.tf | 28 ++++++++--------- .../task-definition-api.json | 6 ++-- .../task-definition-cron.json | 6 ++-- terraform/031-email-service/vars.tf | 4 +-- terraform/040-id-broker/README.md | 4 +-- terraform/040-id-broker/main.tf | 30 +++++++++---------- terraform/040-id-broker/task-definition.json | 6 ++-- terraform/040-id-broker/vars.tf | 4 +-- terraform/050-pw-manager/main-api.tf | 26 ++++++++-------- .../050-pw-manager/task-definition-api.json | 6 ++-- terraform/050-pw-manager/vars.tf | 4 +-- terraform/060-simplesamlphp/main.tf | 24 +++++++-------- .../060-simplesamlphp/task-definition.json | 6 ++-- terraform/060-simplesamlphp/vars.tf | 4 +-- terraform/070-id-sync/main.tf | 24 +++++++-------- terraform/070-id-sync/task-definition.json | 6 ++-- terraform/070-id-sync/vars.tf | 4 +-- 18 files changed, 98 insertions(+), 98 deletions(-) diff --git a/terraform/000-core/outputs.tf b/terraform/000-core/outputs.tf index 9e76a930..2820b305 100644 --- a/terraform/000-core/outputs.tf +++ b/terraform/000-core/outputs.tf @@ -49,12 +49,12 @@ output "ecsServiceRole_arn" { /* * AppConfig outputs */ -output "app_id" { +output "appconfig_app_id" { description = "AppConfig application ID" value = one(aws_appconfig_application.this[*].id) } -output "env_id" { +output "appconfig_env_id" { description = "AppConfig environment ID" value = one(aws_appconfig_environment.this[*].environment_id) } diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf index 4e71ba30..67ab8394 100644 --- a/terraform/031-email-service/main.tf +++ b/terraform/031-email-service/main.tf 
@@ -1,8 +1,8 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.config_id_or_null == null ? "" : local.config_id_or_null + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + appconfig_config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* @@ -87,7 +87,7 @@ resource "aws_iam_role_policy" "ses" { } resource "aws_iam_role_policy" "appconfig" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 name = "appconfig" role = module.ecs_role.role_name @@ -100,7 +100,7 @@ resource "aws_iam_role_policy" "appconfig" { "appconfig:GetLatestConfiguration", "appconfig:StartConfigurationSession", ] - Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.appconfig_app_id}/environment/${var.appconfig_env_id}/configuration/${local.appconfig_config_id}" }] }) } @@ -113,9 +113,9 @@ locals { subdomain_with_region = "${var.subdomain}-${local.aws_region}" task_def_api = templatefile("${path.module}/task-definition-api.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name 
@@ -158,9 +158,9 @@ module "ecsservice_api" { locals { task_def_cron = templatefile("${path.module}/task-definition-cron.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id api_access_keys = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}" app_env = var.app_env app_name = var.app_name @@ -217,9 +217,9 @@ data "cloudflare_zone" "domain" { * Create AppConfig configuration profile */ resource "aws_appconfig_configuration_profile" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 - application_id = var.app_id + application_id = var.appconfig_app_id name = "${var.app_name}-${var.app_env}" location_uri = "hosted" } diff --git a/terraform/031-email-service/task-definition-api.json b/terraform/031-email-service/task-definition-api.json index ec517dc0..1ed4271b 100644 --- a/terraform/031-email-service/task-definition-api.json +++ b/terraform/031-email-service/task-definition-api.json @@ -23,7 +23,7 @@ "environment": [ { "name": "APP_ID", - "value": "${app_id}" + "value": "${appconfig_app_id}" }, { "name": "AWS_REGION", @@ -31,11 +31,11 @@ }, { "name": "ENV_ID", - "value": "${env_id}" + "value": "${appconfig_env_id}" }, { "name": "CONFIG_ID", - "value": "${config_id}" + "value": "${appconfig_config_id}" }, { "name": "API_ACCESS_KEYS", diff --git a/terraform/031-email-service/task-definition-cron.json b/terraform/031-email-service/task-definition-cron.json index f3bff57e..22ab7e6a 100644 --- a/terraform/031-email-service/task-definition-cron.json +++ b/terraform/031-email-service/task-definition-cron.json @@ -17,7 +17,7 @@ "environment": [ { "name": "APP_ID", - "value": "${app_id}" + "value": "${appconfig_app_id}" }, { "name": "AWS_REGION", 
@@ -25,11 +25,11 @@ }, { "name": "ENV_ID", - "value": "${env_id}" + "value": "${appconfig_env_id}" }, { "name": "CONFIG_ID", - "value": "${config_id}" + "value": "${appconfig_config_id}" }, { "name": "API_ACCESS_KEYS", diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf index a72a76a7..0616dfd1 100644 --- a/terraform/031-email-service/vars.tf +++ b/terraform/031-email-service/vars.tf @@ -161,13 +161,13 @@ variable "enable_cron" { default = true } -variable "app_id" { +variable "appconfig_app_id" { description = "AppConfig application ID" type = string default = "" } -variable "env_id" { +variable "appconfig_env_id" { description = "AppConfig environment ID" type = string default = "" diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md index 9f028927..cbf6bb2b 100644 --- a/terraform/040-id-broker/README.md +++ b/terraform/040-id-broker/README.md 
@@ -51,13 +51,13 @@ This module is used to create an ECS service running id-broker. - `abandoned_user_abandoned_period` - Time a user record can remain abandoned before HR is notified. Default: `+6 months` - `abandoned_user_best_practice_url` - URL for best practices, referenced in notification email. Default: (none) - `abandoned_user_deactivate_instructions_url` - URL for instruction on how to deactivate user accounts, referenced in notification email. Default: (none) - - `app_id` - AppConfig application ID created by AWS. This cannot be the application name. Use with `env_id`. + - `appconfig_app_id` - AppConfig application ID created by AWS. This cannot be the application name. Use with `appconfig_env_id`. - `contingent_user_duration` - How long before a new user without a primary email address expires. Default: `+4 weeks` - `cpu_cron` - How much CPU to allocate to cron service. Default: `128` - `email_repeat_delay_days` - Don't resend the same type of email to the same user for X days. Default: `31` - `email_service_assertValidIp` - Whether or not to assert IP address for Email Service API is trusted - `email_signature` - Signature for use in emails. Default is empty string - - `env_id` - AppConfig environment ID created by AWS. This cannot be the environment name. Use with `app_id`. + - `appconfig_env_id` - AppConfig environment ID created by AWS. This cannot be the environment name. Use with `appconfig_app_id`. - `event_schedule` - Task run schedule. Default: `cron(0 0 * * ? *)` - `ga_api_secret` - The Google Analytics API secret for the data stream (e.g. aB-abcdef7890123456789) - `ga_client_id` - Used by Google Analytics to distinguish the user (e.g. IDP--ID-BROKER) diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 4b903b76..dd78e3b7 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf 
@@ -1,8 +1,8 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.config_id_or_null == null ? "" : local.config_id_or_null + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + appconfig_config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* @@ -81,9 +81,9 @@ locals { subdomain_with_region = "${var.subdomain}-${local.aws_region}" task_def = templatefile("${path.module}/task-definition.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id api_access_keys = local.api_access_keys abandoned_user_abandoned_period = var.abandoned_user_abandoned_period abandoned_user_best_practice_url = var.abandoned_user_best_practice_url @@ -215,9 +215,9 @@ module "ecsservice" { */ locals { task_def_cron = templatefile("${path.module}/task-definition.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id api_access_keys = local.api_access_keys abandoned_user_abandoned_period = var.abandoned_user_abandoned_period abandoned_user_best_practice_url = var.abandoned_user_best_practice_url 
@@ -434,14 +434,14 @@ data "cloudflare_zone" "domain" { * Create ECS role */ module "ecs_role" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" } resource "aws_iam_role_policy" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 name = "appconfig" role = one(module.ecs_role[*].role_name) @@ -456,7 +456,7 @@ resource "aws_iam_role_policy" "this" { "appconfig:GetLatestConfiguration", "appconfig:StartConfigurationSession", ] - Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.appconfig_app_id}/environment/${var.appconfig_env_id}/configuration/${local.appconfig_config_id}" } ] }) @@ -467,9 +467,9 @@ resource "aws_iam_role_policy" "this" { * Create AppConfig configuration profile */ resource "aws_appconfig_configuration_profile" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 - application_id = var.app_id + application_id = var.appconfig_app_id name = "${var.app_name}-${var.app_env}" location_uri = "hosted" } diff --git a/terraform/040-id-broker/task-definition.json b/terraform/040-id-broker/task-definition.json index 539bd119..95d4b10b 100644 --- a/terraform/040-id-broker/task-definition.json +++ b/terraform/040-id-broker/task-definition.json @@ -23,7 +23,7 @@ "environment": [ { "name": "APP_ID", - "value": "${app_id}" + "value": "${appconfig_app_id}" }, { "name": "AWS_REGION", @@ -31,11 +31,11 @@ }, { "name": "ENV_ID", - "value": "${env_id}" + "value": "${appconfig_env_id}" }, { "name": "CONFIG_ID", - "value": "${config_id}" + "value": "${appconfig_config_id}" }, { "name": "ABANDONED_USER_abandonedPeriod", 
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf index 4f6857db..f49dcf66 100644 --- a/terraform/040-id-broker/vars.tf +++ b/terraform/040-id-broker/vars.tf @@ -581,13 +581,13 @@ variable "wildcard_cert_arn" { type = string } -variable "app_id" { +variable "appconfig_app_id" { description = "AppConfig application ID created by AWS. This cannot be the application name." type = string default = "" } -variable "env_id" { +variable "appconfig_env_id" { description = "AppConfig environment ID created by AWS. This cannot be the environment name." type = string default = "" diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf index d895fc55..f00f1e4e 100644 --- a/terraform/050-pw-manager/main-api.tf +++ b/terraform/050-pw-manager/main-api.tf @@ -1,9 +1,9 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" - config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.config_id_or_null == null ? "" : local.config_id_or_null + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + ui_hostname = "${var.ui_subdomain}.${var.cloudflare_domain}" + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + appconfig_config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* 
@@ -62,9 +62,9 @@ locals { api_subdomain_with_region = "${var.api_subdomain}-${local.aws_region}" task_def = templatefile("${path.module}/task-definition-api.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id access_token_hash = random_id.access_token_hash.hex alerts_email = var.alerts_email alerts_email_enabled = var.alerts_email_enabled @@ -164,14 +164,14 @@ data "cloudflare_zone" "domain" { * Create ECS role */ module "ecs_role" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" } resource "aws_iam_role_policy" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 name = "appconfig" role = one(module.ecs_role[*].role_name) @@ -186,7 +186,7 @@ resource "aws_iam_role_policy" "this" { "appconfig:GetLatestConfiguration", "appconfig:StartConfigurationSession", ] - Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.appconfig_app_id}/environment/${var.appconfig_env_id}/configuration/${local.appconfig_config_id}" } ] }) @@ -197,9 +197,9 @@ resource "aws_iam_role_policy" "this" { * Create AppConfig configuration profile */ resource "aws_appconfig_configuration_profile" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 - application_id = var.app_id + application_id = var.appconfig_app_id name = "${var.app_name}-${var.app_env}" location_uri = "hosted" } diff --git a/terraform/050-pw-manager/task-definition-api.json b/terraform/050-pw-manager/task-definition-api.json index c077e45b..099fcfe9 100644 
--- a/terraform/050-pw-manager/task-definition-api.json +++ b/terraform/050-pw-manager/task-definition-api.json @@ -23,7 +23,7 @@ "environment": [ { "name": "APP_ID", - "value": "${app_id}" + "value": "${appconfig_app_id}" }, { "name": "AWS_REGION", @@ -31,11 +31,11 @@ }, { "name": "ENV_ID", - "value": "${env_id}" + "value": "${appconfig_env_id}" }, { "name": "CONFIG_ID", - "value": "${config_id}" + "value": "${appconfig_config_id}" }, { "name": "ACCESS_TOKEN_HASH_KEY", diff --git a/terraform/050-pw-manager/vars.tf b/terraform/050-pw-manager/vars.tf index 33fc06ae..d88fd401 100644 --- a/terraform/050-pw-manager/vars.tf +++ b/terraform/050-pw-manager/vars.tf @@ -286,13 +286,13 @@ variable "create_dns_record" { default = true } -variable "app_id" { +variable "appconfig_app_id" { description = "AppConfig application ID" type = string default = "" } -variable "env_id" { +variable "appconfig_env_id" { description = "AppConfig environment ID" type = string default = "" diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 130665a7..770bb9df 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -1,8 +1,8 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.config_id_or_null == null ? "" : local.config_id_or_null + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + appconfig_config_id = local.config_id_or_null == null ? "" : local.config_id_or_null } /* 
@@ -68,9 +68,9 @@ locals { secret_salt = var.secret_salt == "" ? random_id.secretsalt.hex : var.secret_salt task_def = templatefile("${path.module}/task-definition.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id memory = var.memory cpu = var.cpu admin_email = var.admin_email @@ -159,14 +159,14 @@ data "cloudflare_zone" "domain" { * Create ECS role */ module "ecs_role" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" } resource "aws_iam_role_policy" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 name = "appconfig" role = one(module.ecs_role[*].role_name) @@ -181,7 +181,7 @@ resource "aws_iam_role_policy" "this" { "appconfig:GetLatestConfiguration", "appconfig:StartConfigurationSession", ] - Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.appconfig_app_id}/environment/${var.appconfig_env_id}/configuration/${local.appconfig_config_id}" } ] }) @@ -192,9 +192,9 @@ resource "aws_iam_role_policy" "this" { * Create AppConfig configuration profile */ resource "aws_appconfig_configuration_profile" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 - application_id = var.app_id + application_id = var.appconfig_app_id name = "${var.app_name}-${var.app_env}" location_uri = "hosted" } diff --git a/terraform/060-simplesamlphp/task-definition.json b/terraform/060-simplesamlphp/task-definition.json index fb47dade..afe96aed 100644 --- a/terraform/060-simplesamlphp/task-definition.json 
+++ b/terraform/060-simplesamlphp/task-definition.json @@ -23,7 +23,7 @@ "environment": [ { "name": "APP_ID", - "value": "${app_id}" + "value": "${appconfig_app_id}" }, { "name": "AWS_REGION", @@ -31,11 +31,11 @@ }, { "name": "ENV_ID", - "value": "${env_id}" + "value": "${appconfig_env_id}" }, { "name": "CONFIG_ID", - "value": "${config_id}" + "value": "${appconfig_config_id}" }, { "name": "ADMIN_EMAIL", diff --git a/terraform/060-simplesamlphp/vars.tf b/terraform/060-simplesamlphp/vars.tf index 742c8c38..5d1605b2 100644 --- a/terraform/060-simplesamlphp/vars.tf +++ b/terraform/060-simplesamlphp/vars.tf @@ -203,13 +203,13 @@ variable "create_dns_record" { default = true } -variable "app_id" { +variable "appconfig_app_id" { description = "AppConfig application ID" type = string default = "" } -variable "env_id" { +variable "appconfig_env_id" { description = "AppConfig environment ID" type = string default = "" diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 72495c4e..c2504d49 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -1,8 +1,8 @@ locals { - aws_account = data.aws_caller_identity.this.account_id - aws_region = data.aws_region.current.name - config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) - config_id = local.config_id_or_null == null ? "" : local.config_id_or_null + aws_account = data.aws_caller_identity.this.account_id + aws_region = data.aws_region.current.name + config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id) + appconfig_config_id = local.config_id_or_null == null ? "" : local.config_id_or_null /* * Create ECS service 
@@ -15,9 +15,9 @@ locals { ) task_def = templatefile("${path.module}/task-definition.json", { - app_id = var.app_id - env_id = var.env_id - config_id = local.config_id + appconfig_app_id = var.appconfig_app_id + appconfig_env_id = var.appconfig_env_id + appconfig_config_id = local.appconfig_config_id app_env = var.app_env app_name = var.app_name aws_region = local.aws_region @@ -139,14 +139,14 @@ resource "aws_cloudwatch_event_target" "id_sync_event_target" { * Create ECS role */ module "ecs_role" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 source = "../ecs-role" name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" } resource "aws_iam_role_policy" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 name = "appconfig" role = one(module.ecs_role[*].role_name) @@ -161,7 +161,7 @@ resource "aws_iam_role_policy" "this" { "appconfig:GetLatestConfiguration", "appconfig:StartConfigurationSession", ] - Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}" + Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.appconfig_app_id}/environment/${var.appconfig_env_id}/configuration/${local.appconfig_config_id}" } ] }) @@ -171,9 +171,9 @@ resource "aws_iam_role_policy" "this" { * Create AppConfig configuration profile */ resource "aws_appconfig_configuration_profile" "this" { - count = var.app_id == "" ? 0 : 1 + count = var.appconfig_app_id == "" ? 0 : 1 - application_id = var.app_id + application_id = var.appconfig_app_id name = "${var.app_name}-${var.app_env}" location_uri = "hosted" } diff --git a/terraform/070-id-sync/task-definition.json b/terraform/070-id-sync/task-definition.json index da025947..6a0ccb6a 100644 --- a/terraform/070-id-sync/task-definition.json +++ b/terraform/070-id-sync/task-definition.json 
@@ -16,7 +16,7 @@
 "environment": [
 {
 "name": "APP_ID",
- "value": "${app_id}"
+ "value": "${appconfig_app_id}"
 },
 {
 "name": "AWS_REGION",
@@ -24,11 +24,11 @@
 },
 {
 "name": "ENV_ID",
- "value": "${env_id}"
+ "value": "${appconfig_env_id}"
 },
 {
 "name": "CONFIG_ID",
- "value": "${config_id}"
+ "value": "${appconfig_config_id}"
 },
 {
 "name": "APP_ENV",
diff --git a/terraform/070-id-sync/vars.tf b/terraform/070-id-sync/vars.tf
index 09e1f5fe..012d8e83 100644
--- a/terraform/070-id-sync/vars.tf
+++ b/terraform/070-id-sync/vars.tf
@@ -150,13 +150,13 @@ variable "heartbeat_method" {
 default = ""
 }
 
-variable "app_id" {
+variable "appconfig_app_id" {
 description = "AppConfig application ID"
 type = string
 default = ""
 }
 
-variable "env_id" {
+variable "appconfig_env_id" {
 description = "AppConfig environment ID"
 type = string
 default = ""
From 79ce115cdd0c54c191214f542352d93786222f50 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 9 Apr 2024 16:39:44 -0600
Subject: [PATCH 12/12] add back the app_id and env_id variables in id-broker for compatibility
---
 terraform/040-id-broker/main.tf | 20 +++++++++++---------
 terraform/040-id-broker/vars.tf | 12 ++++++++++++
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index dd78e3b7..0baa2b4c 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -3,6 +3,8 @@ locals {
 aws_region = data.aws_region.current.name
 config_id_or_null = one(aws_appconfig_configuration_profile.this[*].configuration_profile_id)
 appconfig_config_id = local.config_id_or_null == null ? "" : local.config_id_or_null
+ appconfig_app_id = var.appconfig_app_id == "" ? var.app_id : var.appconfig_app_id
+ appconfig_env_id = var.appconfig_env_id == "" ? var.env_id : var.appconfig_env_id
 }
 
 /*
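Review bot: The fallback locals `appconfig_app_id = var.appconfig_app_id == "" ? var.app_id : var.appconfig_app_id` and the matching `appconfig_env_id` line silently discard a deprecated `app_id`/`env_id` value whenever the new variable is also set, so a tfvars file that still carries the old names next to different new values yields an IAM policy resource ARN and task-definition environment that point at an application the operator did not intend, with no plan-time signal. A comment above the two locals would make the precedence explicit: `# Prefer appconfig_*; the deprecated app_id/env_id are used only when the new variables are empty.` The `variable "app_id"` and `variable "env_id"` descriptions in the vars.tf hunk of this patch could state the same, e.g. `description = "DEPRECATED: use appconfig_app_id instead; ignored when appconfig_app_id is set."`. If the pinned Terraform version supports it (1.2 or later), a `lifecycle` precondition on `aws_appconfig_configuration_profile.this` (the `@@ -467,9 +469,9 @@` hunk) would reject conflicting values at plan time, as below. The enclosing `locals` block begins before this hunk.
```hcl
resource "aws_appconfig_configuration_profile" "this" {
  count = local.appconfig_app_id == "" ? 0 : 1
  # … unchanged: application_id, name, location_uri …

  lifecycle {
    precondition {
      condition     = var.app_id == "" || var.appconfig_app_id == "" || var.app_id == var.appconfig_app_id
      error_message = "app_id is deprecated and conflicts with appconfig_app_id; set only appconfig_app_id."
    }
    precondition {
      condition     = var.env_id == "" || var.appconfig_env_id == "" || var.env_id == var.appconfig_env_id
      error_message = "env_id is deprecated and conflicts with appconfig_env_id; set only appconfig_env_id."
    }
  }
}
```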
@@ -81,8 +83,8 @@ locals {
 subdomain_with_region = "${var.subdomain}-${local.aws_region}"
 
 task_def = templatefile("${path.module}/task-definition.json", {
- appconfig_app_id = var.appconfig_app_id
- appconfig_env_id = var.appconfig_env_id
+ appconfig_app_id = local.appconfig_app_id
+ appconfig_env_id = local.appconfig_env_id
 appconfig_config_id = local.appconfig_config_id
 api_access_keys = local.api_access_keys
 abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
@@ -215,8 +217,8 @@ module "ecsservice" {
 */
 locals {
 task_def_cron = templatefile("${path.module}/task-definition.json", {
- appconfig_app_id = var.appconfig_app_id
- appconfig_env_id = var.appconfig_env_id
+ appconfig_app_id = local.appconfig_app_id
+ appconfig_env_id = local.appconfig_env_id
 appconfig_config_id = local.appconfig_config_id
 api_access_keys = local.api_access_keys
 abandoned_user_abandoned_period = var.abandoned_user_abandoned_period
@@ -434,14 +436,14 @@ data "cloudflare_zone" "domain" {
 * Create ECS role
 */
 module "ecs_role" {
- count = var.appconfig_app_id == "" ? 0 : 1
+ count = local.appconfig_app_id == "" ? 0 : 1
 source = "../ecs-role"
 
 name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
 }
 
 resource "aws_iam_role_policy" "this" {
- count = var.appconfig_app_id == "" ? 0 : 1
+ count = local.appconfig_app_id == "" ? 0 : 1
 
 name = "appconfig"
 role = one(module.ecs_role[*].role_name)
@@ -456,7 +458,7 @@ resource "aws_iam_role_policy" "this" {
 "appconfig:GetLatestConfiguration",
 "appconfig:StartConfigurationSession",
 ]
- Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.appconfig_app_id}/environment/${var.appconfig_env_id}/configuration/${local.appconfig_config_id}"
+ Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${local.appconfig_app_id}/environment/${local.appconfig_env_id}/configuration/${local.appconfig_config_id}"
 }
 ]
 })
@@ -467,9 +469,9 @@ resource "aws_iam_role_policy" "this" {
 * Create AppConfig configuration profile
 */
 resource "aws_appconfig_configuration_profile" "this" {
- count = var.appconfig_app_id == "" ? 0 : 1
+ count = local.appconfig_app_id == "" ? 0 : 1
 
- application_id = var.appconfig_app_id
+ application_id = local.appconfig_app_id
 name = "${var.app_name}-${var.app_env}"
 location_uri = "hosted"
 }
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
index f49dcf66..58f24a5b 100644
--- a/terraform/040-id-broker/vars.tf
+++ b/terraform/040-id-broker/vars.tf
@@ -581,12 +581,24 @@ variable "wildcard_cert_arn" {
 type = string
 }
 
+variable "app_id" {
+ description = "DEPRECATED AppConfig application ID created by AWS. This cannot be the application name."
+ type = string
+ default = ""
+}
+
 variable "appconfig_app_id" {
 description = "AppConfig application ID created by AWS. This cannot be the application name."
 type = string
 default = ""
 }
 
+variable "env_id" {
+ description = "DEPRECATED AppConfig environment ID created by AWS. This cannot be the environment name."
+ type = string
+ default = ""
+}
+
 variable "appconfig_env_id" {
 description = "AppConfig environment ID created by AWS. This cannot be the environment name."
 type = string