From f62aef6db7cdab476da76b422bab31adaf6089c2 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 9 Sep 2024 17:17:42 +0800 Subject: [PATCH 1/8] extract a task module for ECS scheduled tasks --- terraform/032-db-backup/main.tf | 72 ++++++++++---------------- terraform/040-id-broker/main.tf | 90 +++++++++----------------------- terraform/070-id-sync/main.tf | 92 +++++++++------------------------ terraform/task/main.tf | 69 +++++++++++++++++++++++++ terraform/task/variables.tf | 44 ++++++++++++++++ terraform/task/versions.tf | 10 ++++ 6 files changed, 199 insertions(+), 178 deletions(-) create mode 100644 terraform/task/main.tf create mode 100644 terraform/task/variables.tf create mode 100644 terraform/task/versions.tf diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf index 3ddcb60..b96cfd7 100644 --- a/terraform/032-db-backup/main.tf +++ b/terraform/032-db-backup/main.tf @@ -113,6 +113,24 @@ locals { }) } +module "backup_task" { + source = "../task" + name = "${var.idp_name}-${var.app_name}-${var.app_env}" + event_rule_description = "Start scheduled backup" + event_schedule = local.event_schedule + ecs_cluster_arn = var.ecs_cluster_id + task_definition_arn = aws_ecs_task_definition.cron_td.arn + tags = { + app_name = var.app_name + app_env = var.app_env + } +} + +moved { + from = aws_iam_role.ecs_events + to = module.backup_task.aws_iam_role.this +} + /* * Create role for scheduled running of cron task definitions. */ 
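Review bot: The new `moved { from = aws_iam_role.ecs_events ... }` block is added while `resource "aws_iam_role" "ecs_events"` is still declared in this file (the next hunk, `@@ -136,27 +154,9 @@`, keeps the resource's header and closing lines as context), and Terraform refuses to plan when a `moved` block's `from` address is still present in configuration. Remove the old role resource in the same commit so the module's `aws_iam_role.this` can adopt its state. Separately, the module input is called `ecs_cluster_arn` but is fed `var.ecs_cluster_id`; this only works because the value the caller holds is already the cluster ARN (the removed target used `arn = var.ecs_cluster_id` the same way), which deserves a one-line comment such as `# ecs_cluster_id holds the cluster ARN, which is what the event target needs`.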
@@ -136,27 +154,9 @@ resource "aws_iam_role" "ecs_events" { ) } -resource "aws_iam_role_policy" "ecs_events_run_task_with_any_role" { - name = "ecs_events_run_task_with_any_role" - role = aws_iam_role.ecs_events.id - - policy = jsonencode( - { - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = "iam:PassRole" - Resource = "*" - }, - { - Effect = "Allow" - Action = "ecs:RunTask" - Resource = "${aws_ecs_task_definition.cron_td.arn_without_revision}:*" - }, - ] - } - ) +moved { + from = aws_iam_role_policy.ecs_events_run_task_with_any_role + to = module.backup_task.aws_iam_role_policy.this } /* @@ -172,32 +172,14 @@ locals { event_schedule = var.cron_schedule != "" ? var.cron_schedule : var.event_schedule } -/* - * CloudWatch configuration to start scheduled backup. - */ -resource "aws_cloudwatch_event_rule" "event_rule" { - name = "${var.idp_name}-${var.app_name}-${var.app_env}" - description = "Start scheduled backup" - - schedule_expression = local.event_schedule - - tags = { - app_name = var.app_name - app_env = var.app_env - } +moved { + from = aws_cloudwatch_event_rule.event_rule + to = module.backup_task.aws_cloudwatch_event_rule.this } -resource "aws_cloudwatch_event_target" "backup_event_target" { - target_id = "${var.idp_name}-${var.app_name}-${var.app_env}" - rule = aws_cloudwatch_event_rule.event_rule.name - arn = var.ecs_cluster_id - role_arn = aws_iam_role.ecs_events.arn - - ecs_target { - task_count = 1 - launch_type = "EC2" - task_definition_arn = aws_ecs_task_definition.cron_td.arn - } +moved { + from = aws_cloudwatch_event_target.backup_event_target + to = module.backup_task.aws_cloudwatch_event_target.this } /* diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index de22b6b..15553b2 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf 
@@ -332,51 +332,27 @@ locals { }) } -/* - * Create role for scheduled running of cron task definitions. - */ -resource "aws_iam_role" "ecs_events" { - name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - - assume_role_policy = jsonencode( - { - Version = "2012-10-17" - Statement = [ - { - Sid = "" - Effect = "Allow" - Principal = { - Service = "events.amazonaws.com" - } - Action = "sts:AssumeRole" - }, - ] - } - ) +module "cron_task" { + source = "../task" + name = "${var.idp_name}-${var.app_name}-cron-${var.app_env}-${local.aws_region}" + event_rule_description = "Start broker scheduled tasks" + event_schedule = var.event_schedule + ecs_cluster_arn = var.ecs_cluster_id + task_definition_arn = aws_ecs_task_definition.cron_td.arn + tags = { + app_name = var.app_name + app_env = var.app_env + } } -resource "aws_iam_role_policy" "ecs_events_run_task_with_any_role" { - name = "ecs_events_run_task_with_any_role" - role = aws_iam_role.ecs_events.id - - policy = jsonencode( - { - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = "iam:PassRole" - Resource = "*" - }, - { - Effect = "Allow" - Action = "ecs:RunTask" - Resource = "${aws_ecs_task_definition.cron_td.arn_without_revision}:*" - }, - ] - } - ) +moved { + from = aws_iam_role.ecs_events + to = module.cron_task.aws_iam_role.this +} +moved { + from = aws_iam_role_policy.ecs_events_run_task_with_any_role + to = module.cron_task.aws_iam_role_policy.this } /* 
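Review bot: The `moved` block from `aws_iam_role.ecs_events` to `module.cron_task.aws_iam_role.this` will not preserve the existing role, because its name changes: the removed resource was named `ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}`, while the module derives `ecs_events-${var.name}` from a `name` that inserts `-cron-`, and `name` forces replacement on `aws_iam_role`. The same mismatch is in the identical hunk of `terraform/070-id-sync/main.tf` (`@@ -49,51 +49,28 @@`). If the intent is to adopt the existing role, pass a `name` that reproduces the old value or give the module a separate input for the role name; otherwise state in the commit that the EventBridge role is recreated and drop the `moved` block for it, since it suggests a continuity that does not happen.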
@@ -389,32 +365,14 @@ resource "aws_ecs_task_definition" "cron_td" { task_role_arn = one(module.ecs_role[*].role_arn) } -/* - * CloudWatch configuration to start scheduled tasks. - */ -resource "aws_cloudwatch_event_rule" "event_rule" { - name = "${var.idp_name}-${var.app_name}-cron-${var.app_env}" - description = "Start broker scheduled tasks" - - schedule_expression = var.event_schedule - - tags = { - app_name = var.app_name - app_env = var.app_env - } +moved { + from = aws_cloudwatch_event_rule.event_rule + to = module.cron_task.aws_cloudwatch_event_rule.this } -resource "aws_cloudwatch_event_target" "broker_event_target" { - target_id = "${var.idp_name}-${var.app_name}-cron-${var.app_env}" - rule = aws_cloudwatch_event_rule.event_rule.name - arn = var.ecs_cluster_id - role_arn = aws_iam_role.ecs_events.arn - - ecs_target { - task_count = 1 - launch_type = "EC2" - task_definition_arn = aws_ecs_task_definition.cron_td.arn - } +moved { + from = aws_cloudwatch_event_target.event_target + to = module.cron_task.aws_cloudwatch_event_target.this } /* diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index c2504d4..0a9c010 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf 
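Review bot: The `moved` block's `from` address, `aws_cloudwatch_event_target.event_target`, does not match the resource removed in this hunk, `aws_cloudwatch_event_target.broker_event_target`, so nothing is moved and the target is destroyed and recreated. Change it to `from = aws_cloudwatch_event_target.broker_event_target`. Note also that the module names the rule `local.unique_name`, which carries a random suffix, whereas the removed rule was named `${var.idp_name}-${var.app_name}-cron-${var.app_env}`; because `name` forces replacement on `aws_cloudwatch_event_rule`, the rule's `moved` block likewise ends in a replace rather than an adoption.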
@@ -49,51 +49,28 @@ locals { }) } -/* - * Create role for scheduled running of cron task definitions. - */ -resource "aws_iam_role" "ecs_events" { - name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}" - - assume_role_policy = jsonencode( - { - Version = "2012-10-17" - Statement = [ - { - Sid = "" - Effect = "Allow" - Principal = { - Service = "events.amazonaws.com" - } - Action = "sts:AssumeRole" - }, - ] - } - ) +module "cron_task" { + source = "../task" + name = "${var.idp_name}-${var.app_name}-cron-${var.app_env}-${local.aws_region}" + event_rule_description = "Start ID Sync scheduled tasks" + enable = var.enable_sync + event_schedule = var.event_schedule + ecs_cluster_arn = var.ecs_cluster_id + task_definition_arn = aws_ecs_task_definition.cron_td.arn + tags = { + app_name = var.app_name + app_env = var.app_env + } } -resource "aws_iam_role_policy" "ecs_events_run_task_with_any_role" { - name = "ecs_events_run_task_with_any_role" - role = aws_iam_role.ecs_events.id - - policy = jsonencode( - { - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = "iam:PassRole" - Resource = "*" - }, - { - Effect = "Allow" - Action = "ecs:RunTask" - Resource = "${aws_ecs_task_definition.cron_td.arn_without_revision}:*" - }, - ] - } - ) +moved { + from = aws_iam_role.ecs_events + to = module.cron_task.aws_iam_role.this +} +moved { + from = aws_iam_role_policy.ecs_events_run_task_with_any_role + to = module.cron_task.aws_iam_role_policy.this } /* 
@@ -106,33 +83,14 @@ resource "aws_ecs_task_definition" "cron_td" { task_role_arn = one(module.ecs_role[*].role_arn) } -/* - * CloudWatch configuration to start scheduled tasks. - */ -resource "aws_cloudwatch_event_rule" "event_rule" { - name = "${var.idp_name}-${var.app_name}-${var.app_env}" - description = "Start ID Sync scheduled tasks" - is_enabled = var.enable_sync - - schedule_expression = var.event_schedule - - tags = { - app_name = var.app_name - app_env = var.app_env - } +moved { + from = aws_cloudwatch_event_rule.event_rule + to = module.cron_task.aws_cloudwatch_event_rule.this } -resource "aws_cloudwatch_event_target" "id_sync_event_target" { - target_id = "${var.idp_name}-${var.app_name}-${var.app_env}" - rule = aws_cloudwatch_event_rule.event_rule.name - arn = var.ecs_cluster_id - role_arn = aws_iam_role.ecs_events.arn - - ecs_target { - task_count = 1 - launch_type = "EC2" - task_definition_arn = aws_ecs_task_definition.cron_td.arn - } +moved { + from = aws_cloudwatch_event_target.id_sync_event_target + to = module.cron_task.aws_cloudwatch_event_target.this } /* diff --git a/terraform/task/main.tf b/terraform/task/main.tf new file mode 100644 index 0000000..64796c0 --- /dev/null +++ b/terraform/task/main.tf 
@@ -0,0 +1,69 @@ + +locals { + unique_name = "${var.name}-${random_id.name_suffix.b64_url}" +} + +resource "random_id" "name_suffix" { + byte_length = 6 +} + +resource "aws_iam_role" "this" { + name = "ecs_events-${var.name}" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "" + Effect = "Allow" + Principal = { + Service = "events.amazonaws.com" + } + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "this" { + name = "ecs_events_run_task_with_any_role" + role = aws_iam_role.this.id + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = "iam:PassRole" + Resource = "*" + }, + { + Effect = "Allow" + Action = "ecs:RunTask" + Resource = replace(var.task_definition_arn, "/:\\d+$/", ":*") + }, + ] + }) +} + +resource "aws_cloudwatch_event_rule" "this" { + name = local.unique_name + description = var.event_rule_description == "" ? "Start ${var.name} task" : var.event_rule_description + schedule_expression = var.event_schedule + is_enabled = var.enable + tags = var.tags +} + +resource "aws_cloudwatch_event_target" "this" { + target_id = local.unique_name + rule = aws_cloudwatch_event_rule.this.name + arn = var.ecs_cluster_arn + role_arn = aws_iam_role.this.arn + input = var.event_target_input + + ecs_target { + task_count = 1 + launch_type = "EC2" + task_definition_arn = var.task_definition_arn + } +} diff --git a/terraform/task/variables.tf b/terraform/task/variables.tf new file mode 100644 index 0000000..85d9530 --- /dev/null +++ b/terraform/task/variables.tf 
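Review bot: `aws_iam_role_policy.this` grants `iam:PassRole` on `Resource = "*"`, which lets the EventBridge role hand any IAM role in the account to the tasks it starts (RunTask overrides can set the task role), and the module now propagates that grant to every caller. The module does not receive the task's role ARNs, so at minimum constrain the statement to the ECS task service with `Condition = { StringEquals = { "iam:PassedToService" = "ecs-tasks.amazonaws.com" } }`, or better add an input listing the task and execution role ARNs and use those as the resource. `is_enabled` on `aws_cloudwatch_event_rule` is deprecated in AWS provider 5.x, which the module's `versions.tf` admits with `< 6.0.0`; `state = var.enable ? "ENABLED" : "DISABLED"` is the supported form. Finally, the `random_id` suffix in `local.unique_name` gives every caller's rule and target a new name, so callers' `moved` blocks cannot adopt pre-module resources; a header comment above `locals`, `# unique_name carries a random suffix, so resources created before this module are replaced rather than moved`, would spare the next reader that surprise.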
@@ -0,0 +1,44 @@ +variable "ecs_cluster_arn" { + description = "ecs cluster ID" + type = string +} + +variable "task_definition_arn" { + description = "ECS task definition ARN" + type = string +} + +variable "name" { + description = "name of event assigned to " + type = string +} + +variable "event_schedule" { + description = "event schedule in AWS EventBridge format" + type = string + default = "cron(0 0 * * ? *)" +} + +variable "enable" { + description = "enable the event rule" + type = bool + default = true +} + +variable "event_rule_description" { + description = "custom event rule description, if omitted, the description will be \"Start var.name task\"." + type = string + default = "" +} + +variable "event_target_input" { + description = "event target input, e.g.: {\"containerOverrides\":[{\"name\":\"container_name\",\"command\":[\"bin/console\",\"scheduled-task\"]}]}. See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerOverride.html for more information." + type = string + default = null +} + +variable "tags" { + description = "AWS tags to add to the aws_cloudwatch_event_rule" + type = map(string) + default = null +} diff --git a/terraform/task/versions.tf b/terraform/task/versions.tf new file mode 100644 index 0000000..f6615c5 --- /dev/null +++ b/terraform/task/versions.tf @@ -0,0 +1,10 @@ + +terraform { + required_version = ">= 0.14" + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0.0, < 6.0.0" + } + } +} From 587c671530466a36076e3e137bf2162372713d35 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 9 Sep 2024 19:59:07 +0800 Subject: [PATCH 2/8] use the broker web task definition for cron, but with containerOverrides --- terraform/040-id-broker/main.tf | 147 ++++---------------------------- 1 file changed, 16 insertions(+), 131 deletions(-) diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 15553b2..d3172d5 100644 
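Review bot: Two descriptions in `variables.tf` are wrong or unfinished: `ecs_cluster_arn` is described as "ecs cluster ID", and `name` as "name of event assigned to " with the sentence cut off. Suggest `description = "ARN of the ECS cluster the scheduled task runs on"` and `description = "base name for the event rule, event target and IAM role; a random suffix is appended"`. Since `event_target_input` is forwarded verbatim to the event target and ECS requires it to be JSON, a `validation` block on that variable whose `condition` is `var.event_target_input == null || can(jsondecode(var.event_target_input))` would surface a malformed override at plan time instead of at the first scheduled run.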
--- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf 
@@ -212,133 +212,28 @@ module "ecsservice" { task_role_arn = one(module.ecs_role[*].role_arn) } -/* - * Create ECS service - */ -locals { - task_def_cron = templatefile("${path.module}/task-definition.json", { - appconfig_app_id = local.appconfig_app_id - appconfig_env_id = local.appconfig_env_id - appconfig_config_id = local.appconfig_config_id - api_access_keys = local.api_access_keys - abandoned_user_abandoned_period = var.abandoned_user_abandoned_period - abandoned_user_best_practice_url = var.abandoned_user_best_practice_url - abandoned_user_deactivate_instructions_url = var.abandoned_user_deactivate_instructions_url - app_env = var.app_env - app_name = var.app_name - aws_region = local.aws_region - cloudwatch_log_group_name = var.cloudwatch_log_group_name - cpu = var.cpu_cron - contingent_user_duration = var.contingent_user_duration - db_name = var.db_name - docker_image = var.docker_image - email_repeat_delay_days = var.email_repeat_delay_days - email_service_accessToken = var.email_service_accessToken - email_service_assertValidIp = var.email_service_assertValidIp - email_service_baseUrl = var.email_service_baseUrl - email_service_validIpRanges = join(",", var.email_service_validIpRanges) - email_signature = var.email_signature - ga_api_secret = var.ga_api_secret - ga_client_id = var.ga_client_id - ga_measurement_id = var.ga_measurement_id - google_config = local.google_vars - help_center_url = var.help_center_url - hibp_check_interval = var.hibp_check_interval - hibp_check_on_login = var.hibp_check_on_login - hibp_grace_period = var.hibp_grace_period - hibp_tracking_only = var.hibp_tracking_only - hibp_notification_bcc = var.hibp_notification_bcc - hr_notifications_email = var.hr_notifications_email - idp_display_name = var.idp_display_name - idp_name = var.idp_name - inactive_user_period = var.inactive_user_period - inactive_user_deletion_enable = var.inactive_user_deletion_enable - invite_email_delay_seconds = var.invite_email_delay_seconds - 
invite_grace_period = var.invite_grace_period - invite_lifespan = var.invite_lifespan - lost_security_key_email_days = var.lost_security_key_email_days - memory = var.memory_cron - method_add_interval = var.method_add_interval - method_codeLength = var.method_codeLength - method_gracePeriod = var.method_gracePeriod - method_lifetime = var.method_lifetime - method_maxAttempts = var.method_maxAttempts - mfa_add_interval = var.mfa_add_interval - mfa_allow_disable = var.mfa_allow_disable - mfa_lifetime = var.mfa_lifetime - mfa_manager_bcc = var.mfa_manager_bcc - mfa_manager_help_bcc = var.mfa_manager_help_bcc - mfa_required_for_new_users = var.mfa_required_for_new_users - mfa_totp_apibaseurl = var.mfa_totp_apibaseurl - mfa_totp_apikey = var.mfa_totp_apikey - mfa_totp_apisecret = var.mfa_totp_apisecret - mfa_webauthn_apibaseurl = var.mfa_webauthn_apibaseurl - mfa_webauthn_apikey = var.mfa_webauthn_apikey - mfa_webauthn_apisecret = var.mfa_webauthn_apisecret - mfa_webauthn_appid = var.mfa_webauthn_appid - mfa_webauthn_rpdisplayname = var.mfa_webauthn_rpdisplayname - mfa_webauthn_rpid = var.mfa_webauthn_rpid - rp_origins = var.rp_origins - minimum_backup_codes_before_nag = var.minimum_backup_codes_before_nag - mysql_host = var.mysql_host - mysql_pass = var.mysql_pass - mysql_user = var.mysql_user - name = "cron" - notification_email = var.notification_email - password_expiration_grace_period = var.password_expiration_grace_period - password_lifespan = var.password_lifespan - password_mfa_lifespan_extension = var.password_mfa_lifespan_extension - password_profile_url = var.password_profile_url - password_reuse_limit = var.password_reuse_limit - profile_review_interval = var.profile_review_interval - run_task = var.run_task - send_get_backup_codes_emails = var.send_get_backup_codes_emails - send_invite_emails = var.send_invite_emails - send_lost_security_key_emails = var.send_lost_security_key_emails - send_method_purged_emails = var.send_method_purged_emails - 
send_method_reminder_emails = var.send_method_reminder_emails - send_mfa_disabled_emails = var.send_mfa_disabled_emails - send_mfa_enabled_emails = var.send_mfa_enabled_emails - send_mfa_option_added_emails = var.send_mfa_option_added_emails - send_mfa_option_removed_emails = var.send_mfa_option_removed_emails - send_mfa_rate_limit_emails = var.send_mfa_rate_limit_emails - send_password_changed_emails = var.send_password_changed_emails - send_password_expired_emails = var.send_password_expired_emails - send_password_expiring_emails = var.send_password_expiring_emails - send_refresh_backup_codes_emails = var.send_refresh_backup_codes_emails - send_welcome_emails = var.send_welcome_emails - sentry_dsn = var.sentry_dsn - subject_for_abandoned_users = var.subject_for_abandoned_users - subject_for_get_backup_codes = var.subject_for_get_backup_codes - subject_for_invite = var.subject_for_invite - subject_for_lost_security_key = var.subject_for_lost_security_key - subject_for_method_purged = var.subject_for_method_purged - subject_for_method_reminder = var.subject_for_method_reminder - subject_for_method_verify = var.subject_for_method_verify - subject_for_mfa_disabled = var.subject_for_mfa_disabled - subject_for_mfa_enabled = var.subject_for_mfa_enabled - subject_for_mfa_manager = var.subject_for_mfa_manager - subject_for_mfa_manager_help = var.subject_for_mfa_manager_help - subject_for_mfa_option_added = var.subject_for_mfa_option_added - subject_for_mfa_option_removed = var.subject_for_mfa_option_removed - subject_for_mfa_rate_limit = var.subject_for_mfa_rate_limit - subject_for_password_changed = var.subject_for_password_changed - subject_for_password_expired = var.subject_for_password_expired - subject_for_password_expiring = var.subject_for_password_expiring - subject_for_refresh_backup_codes = var.subject_for_refresh_backup_codes - subject_for_welcome = var.subject_for_welcome - support_email = var.support_email - support_name = var.support_name - }) -} - module 
"cron_task" { source = "../task" name = "${var.idp_name}-${var.app_name}-cron-${var.app_env}-${local.aws_region}" event_rule_description = "Start broker scheduled tasks" event_schedule = var.event_schedule ecs_cluster_arn = var.ecs_cluster_id - task_definition_arn = aws_ecs_task_definition.cron_td.arn + task_definition_arn = module.ecsservice.task_def_arn + event_target_input = jsonencode({ + containerOverrides = [ + { + name = "web" + cpu = var.cpu_cron + memory = var.memory_cron + environment = [ + { + "name" : "RUN_TASK", + "value" : "${var.run_task}" + } + ] + } + ] + }) tags = { app_name = var.app_name app_env = var.app_env @@ -355,16 +250,6 @@ moved { to = module.cron_task.aws_iam_role_policy.this } -/* - * Create cron task definition - */ -resource "aws_ecs_task_definition" "cron_td" { - family = "${var.idp_name}-${var.app_name}-cron-${var.app_env}" - container_definitions = local.task_def_cron - network_mode = "bridge" - task_role_arn = one(module.ecs_role[*].role_arn) -} - moved { from = aws_cloudwatch_event_rule.event_rule to = module.cron_task.aws_cloudwatch_event_rule.this From abbd0d07758bbcfdb0ff7056fb3ede570860119a Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 9 Sep 2024 21:02:41 +0800 Subject: [PATCH 3/8] missed removing one of the moved resources --- terraform/032-db-backup/main.tf | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf index b96cfd7..2a208c1 100644 --- a/terraform/032-db-backup/main.tf +++ b/terraform/032-db-backup/main.tf 
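Review bot: The `containerOverrides` entry sets `cpu = var.cpu_cron` and `memory = var.memory_cron`, but ECS requires integers for these override fields and rejects an override whose `name` does not match a container in the task definition. If those variables are string-typed (their declarations are outside this diff), write `cpu = tonumber(var.cpu_cron)` and `memory = tonumber(var.memory_cron)`, and confirm that the container in `module.ecsservice`'s task definition is actually named `web`, since the removed cron definition was rendered with `name = "cron"`. The `"value" : "${var.run_task}"` entry is an interpolation-only string; `value = tostring(var.run_task)` says the same thing directly and keeps the HCL attribute style used by the surrounding keys.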
@@ -131,29 +131,6 @@ moved { to = module.backup_task.aws_iam_role.this } -/* - * Create role for scheduled running of cron task definitions. - */ -resource "aws_iam_role" "ecs_events" { - name = "ecs_events-${var.idp_name}-${var.app_name}-${var.app_env}" - - assume_role_policy = jsonencode( - { - Version = "2012-10-17" - Statement = [ - { - Sid = "" - Effect = "Allow" - Principal = { - Service = "events.amazonaws.com" - }, - Action = "sts:AssumeRole" - }, - ] - } - ) -} - moved { from = aws_iam_role_policy.ecs_events_run_task_with_any_role to = module.backup_task.aws_iam_role_policy.this From 904c6833a746fded4e5d0a11dbb7484cfcaa946a Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 9 Sep 2024 21:04:41 +0800 Subject: [PATCH 4/8] left the unique_name but I meant to remove it --- terraform/task/main.tf | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/terraform/task/main.tf b/terraform/task/main.tf index 64796c0..a363474 100644 --- a/terraform/task/main.tf +++ b/terraform/task/main.tf @@ -1,8 +1,4 @@ -locals { - unique_name = "${var.name}-${random_id.name_suffix.b64_url}" -} - resource "random_id" "name_suffix" { byte_length = 6 } @@ -47,7 +43,7 @@ resource "aws_iam_role_policy" "this" { } resource "aws_cloudwatch_event_rule" "this" { - name = local.unique_name + name = var.name description = var.event_rule_description == "" ? "Start ${var.name} task" : var.event_rule_description schedule_expression = var.event_schedule is_enabled = var.enable @@ -55,7 +51,7 @@ resource "aws_cloudwatch_event_rule" "this" { } resource "aws_cloudwatch_event_target" "this" { - target_id = local.unique_name + target_id = var.name rule = aws_cloudwatch_event_rule.this.name arn = var.ecs_cluster_arn role_arn = aws_iam_role.this.arn From 7842dd56c7b419620efd48d329caf28075df44d8 Mon Sep 17 00:00:00 2001 
From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 9 Sep 2024 21:14:21 +0800 Subject: [PATCH 5/8] add back the unique_name I had hoped that it would be possible to preserve existing resources, but only a few were saved. --- terraform/task/main.tf | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/terraform/task/main.tf b/terraform/task/main.tf index a363474..145bee8 100644 --- a/terraform/task/main.tf +++ b/terraform/task/main.tf @@ -1,10 +1,14 @@ +locals { + unique_name = "${var.name}-${random_id.name_suffix.b64_url}" +} + resource "random_id" "name_suffix" { byte_length = 6 } resource "aws_iam_role" "this" { - name = "ecs_events-${var.name}" + name = "ecs_events-${local.unique_name}" assume_role_policy = jsonencode({ Version = "2012-10-17" @@ -43,7 +47,7 @@ resource "aws_iam_role_policy" "this" { } resource "aws_cloudwatch_event_rule" "this" { - name = var.name + name = local.unique_name description = var.event_rule_description == "" ? "Start ${var.name} task" : var.event_rule_description schedule_expression = var.event_schedule is_enabled = var.enable @@ -51,7 +55,7 @@ resource "aws_cloudwatch_event_rule" "this" { } resource "aws_cloudwatch_event_target" "this" { - target_id = var.name + target_id = local.unique_name rule = aws_cloudwatch_event_rule.this.name arn = var.ecs_cluster_arn role_arn = aws_iam_role.this.arn From d2547be70c11b22cfda2f15f8812d18dd0168ddb Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 10 Sep 2024 09:45:29 +0800 Subject: [PATCH 6/8] remove moved blocks for scheduled task resources --- terraform/032-db-backup/main.tf | 20 -------------------- terraform/040-id-broker/main.tf | 20 -------------------- terraform/070-id-sync/main.tf | 20 -------------------- 3 files changed, 60 deletions(-) diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf index 2a208c1..9e066d4 100644 --- a/terraform/032-db-backup/main.tf 
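Review bot: `name = "ecs_events-${local.unique_name}"` now wraps `var.name` in an 11-character prefix and a 9-character random suffix, and the callers pass `${var.idp_name}-${var.app_name}-cron-${var.app_env}-${local.aws_region}`; IAM role names are limited to 64 characters (EventBridge rule names and target IDs likewise), so longer idp/app/env values fail only at apply time. A `validation` block on `var.name` bounding its length to roughly 44 characters, or building the role name with `substr`, would catch this at plan time. The commit message's observation also follows from this hunk by construction: with the suffix in every name, the rule, target and role are all replaced, so none of the callers' remaining `moved` blocks can adopt existing state.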
+++ b/terraform/032-db-backup/main.tf @@ -126,16 +126,6 @@ module "backup_task" { } } -moved { - from = aws_iam_role.ecs_events - to = module.backup_task.aws_iam_role.this -} - -moved { - from = aws_iam_role_policy.ecs_events_run_task_with_any_role - to = module.backup_task.aws_iam_role_policy.this -} - /* * Create cron task definition */ @@ -149,16 +139,6 @@ locals { event_schedule = var.cron_schedule != "" ? var.cron_schedule : var.event_schedule } -moved { - from = aws_cloudwatch_event_rule.event_rule - to = module.backup_task.aws_cloudwatch_event_rule.this -} - -moved { - from = aws_cloudwatch_event_target.backup_event_target - to = module.backup_task.aws_cloudwatch_event_target.this -} - /* * AWS backup */ diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index d3172d5..70ca206 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -240,26 +240,6 @@ module "cron_task" { } } -moved { - from = aws_iam_role.ecs_events - to = module.cron_task.aws_iam_role.this -} - -moved { - from = aws_iam_role_policy.ecs_events_run_task_with_any_role - to = module.cron_task.aws_iam_role_policy.this -} - -moved { - from = aws_cloudwatch_event_rule.event_rule - to = module.cron_task.aws_cloudwatch_event_rule.this -} - -moved { - from = aws_cloudwatch_event_target.event_target - to = module.cron_task.aws_cloudwatch_event_target.this -} - /* * Create Cloudflare DNS record(s) */ diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 0a9c010..f06bea9 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -63,16 +63,6 @@ module "cron_task" { } } -moved { - from = aws_iam_role.ecs_events - to = module.cron_task.aws_iam_role.this -} - -moved { - from = aws_iam_role_policy.ecs_events_run_task_with_any_role - to = module.cron_task.aws_iam_role_policy.this -} - /* * Create cron task definition */ 
@@ -83,16 +73,6 @@ resource "aws_ecs_task_definition" "cron_td" { task_role_arn = one(module.ecs_role[*].role_arn) } -moved { - from = aws_cloudwatch_event_rule.event_rule - to = module.cron_task.aws_cloudwatch_event_rule.this -} - -moved { - from = aws_cloudwatch_event_target.id_sync_event_target - to = module.cron_task.aws_cloudwatch_event_target.this -} - /* * Create ECS role */ From 8d84c7fa760cfad185e2306ee4a3e01643968216 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 10 Sep 2024 22:32:20 +0800 Subject: [PATCH 7/8] update terraform-modules and AWS provider --- terraform/000-core/main.tf | 2 +- terraform/000-core/versions.tf | 2 +- terraform/010-cluster/main.tf | 10 +++++----- terraform/010-cluster/versions.tf | 2 +- terraform/020-database/versions.tf | 2 +- terraform/022-ecr/main.tf | 8 ++++---- terraform/022-ecr/versions.tf | 2 +- terraform/030-phpmyadmin/main.tf | 2 +- terraform/030-phpmyadmin/versions.tf | 2 +- terraform/031-email-service/main.tf | 4 ++-- terraform/031-email-service/versions.tf | 2 +- terraform/032-db-backup/main.tf | 2 +- terraform/032-db-backup/versions.tf | 2 +- terraform/040-id-broker/main.tf | 2 +- terraform/040-id-broker/versions.tf | 2 +- terraform/041-id-broker-search-lambda/versions.tf | 2 +- terraform/050-pw-manager/main-api.tf | 2 +- terraform/050-pw-manager/versions.tf | 2 +- terraform/060-simplesamlphp/main.tf | 4 ++-- terraform/060-simplesamlphp/versions.tf | 2 +- terraform/070-id-sync/versions.tf | 2 +- 21 files changed, 30 insertions(+), 30 deletions(-) diff --git a/terraform/000-core/main.tf b/terraform/000-core/main.tf index 7efd487..3afdee0 100644 --- a/terraform/000-core/main.tf +++ b/terraform/000-core/main.tf @@ -2,7 +2,7 @@ * Create ECS cluster */ module "ecscluster" { - source = "github.com/silinternational/terraform-modules//aws/ecs/cluster?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/ecs/cluster?ref=8.13.1" cluster_name = var.cluster_name } 
diff --git a/terraform/000-core/versions.tf b/terraform/000-core/versions.tf index 51fd103..ac73224 100644 --- a/terraform/000-core/versions.tf +++ b/terraform/000-core/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.0" + version = ">= 4.0.0, < 6.0.0" } cloudflare = { source = "cloudflare/cloudflare" diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf index b431b9b..da08a67 100644 --- a/terraform/010-cluster/main.tf +++ b/terraform/010-cluster/main.tf @@ -2,7 +2,7 @@ * Create VPC */ module "vpc" { - source = "github.com/silinternational/terraform-modules//aws/vpc?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/vpc?ref=8.13.1" app_name = var.app_name app_env = var.app_env aws_zones = var.aws_zones @@ -20,7 +20,7 @@ module "vpc" { * Security group to limit traffic to Cloudflare IPs */ module "cloudflare-sg" { - source = "github.com/silinternational/terraform-modules//aws/cloudflare-sg?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/cloudflare-sg?ref=8.13.1" vpc_id = module.vpc.id } @@ -41,7 +41,7 @@ data "aws_ami" "ecs_ami" { * Create auto-scaling group */ module "asg" { - source = "github.com/silinternational/terraform-modules//aws/asg?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/asg?ref=8.13.1" app_name = var.app_name app_env = var.app_env aws_instance = var.aws_instance @@ -65,7 +65,7 @@ data "aws_acm_certificate" "wildcard" { * Create application load balancer for public access */ module "alb" { - source = "github.com/silinternational/terraform-modules//aws/alb?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/alb?ref=8.13.1" app_name = var.app_name app_env = var.app_env internal = "false" 
@@ -79,7 +79,7 @@ module "alb" { * Create application load balancer for internal use */ module "internal_alb" { - source = "github.com/silinternational/terraform-modules//aws/alb?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/alb?ref=8.13.1" alb_name = "alb-${var.app_name}-${var.app_env}-int" app_name = var.app_name app_env = var.app_env diff --git a/terraform/010-cluster/versions.tf b/terraform/010-cluster/versions.tf index 9b46c04..f6615c5 100644 --- a/terraform/010-cluster/versions.tf +++ b/terraform/010-cluster/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.0" + version = ">= 4.0.0, < 6.0.0" } } } diff --git a/terraform/020-database/versions.tf b/terraform/020-database/versions.tf index 0580594..9ab05c5 100644 --- a/terraform/020-database/versions.tf +++ b/terraform/020-database/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.0" + version = ">= 4.0.0, < 6.0.0" } random = { source = "hashicorp/random" diff --git a/terraform/022-ecr/main.tf b/terraform/022-ecr/main.tf index 0730736..e04039e 100644 --- a/terraform/022-ecr/main.tf +++ b/terraform/022-ecr/main.tf @@ -2,7 +2,7 @@ * id-broker */ module "ecr_idbroker" { - source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.1" repo_name = "${var.idp_name}/id-broker" ecsInstanceRole_arn = var.ecsInstanceRole_arn ecsServiceRole_arn = var.ecsServiceRole_arn @@ -15,7 +15,7 @@ module "ecr_idbroker" { * pw-api */ module "ecr_pwapi" { - source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0" + source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.1" repo_name = "${var.idp_name}/pw-api" ecsInstanceRole_arn = var.ecsInstanceRole_arn ecsServiceRole_arn = var.ecsServiceRole_arn 
@@ -28,7 +28,7 @@ module "ecr_pwapi" {
 * simplesamlphp
 */
 module "ecr_simplesamlphp" {
- source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.1"
 repo_name = "${var.idp_name}/simplesamlphp"
 ecsInstanceRole_arn = var.ecsInstanceRole_arn
 ecsServiceRole_arn = var.ecsServiceRole_arn
@@ -41,7 +41,7 @@ module "ecr_simplesamlphp" {
 * id-sync
 */
 module "ecr_idsync" {
- source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.1"
 repo_name = "${var.idp_name}/id-sync"
 ecsInstanceRole_arn = var.ecsInstanceRole_arn
 ecsServiceRole_arn = var.ecsServiceRole_arn
diff --git a/terraform/022-ecr/versions.tf b/terraform/022-ecr/versions.tf
index 9b46c04..f6615c5 100644
--- a/terraform/022-ecr/versions.tf
+++ b/terraform/022-ecr/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 }
 }
diff --git a/terraform/030-phpmyadmin/main.tf b/terraform/030-phpmyadmin/main.tf
index ba7fdc0..e7f5ea6 100644
--- a/terraform/030-phpmyadmin/main.tf
+++ b/terraform/030-phpmyadmin/main.tf
@@ -1,6 +1,6 @@
 module "phpmyadmin" {
 source = "silinternational/phpmyadmin/aws"
- version = "~> 1.1.3"
+ version = "~> 1.2"
 app_name = "${var.idp_name}-${var.app_name}"
 app_env = var.app_env
 vpc_id = var.vpc_id
diff --git a/terraform/030-phpmyadmin/versions.tf b/terraform/030-phpmyadmin/versions.tf
index 51fd103..ac73224 100644
--- a/terraform/030-phpmyadmin/versions.tf
+++ b/terraform/030-phpmyadmin/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf
index 67ab839..bdc9940 100644
--- a/terraform/031-email-service/main.tf
+++ b/terraform/031-email-service/main.tf
@@ -143,7 +143,7 @@ locals {
 }
 module "ecsservice_api" {
- source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.13.1"
 cluster_id = var.ecs_cluster_id
 service_name = "${var.idp_name}-${var.app_name}-api"
 service_env = var.app_env
@@ -188,7 +188,7 @@ locals {
 }
 module "ecsservice_cron" {
- source = "github.com/silinternational/terraform-modules//aws/ecs/service-no-alb?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecs/service-no-alb?ref=8.13.1"
 cluster_id = var.ecs_cluster_id
 service_name = "${var.idp_name}-${var.app_name}-cron"
 service_env = var.app_env
diff --git a/terraform/031-email-service/versions.tf b/terraform/031-email-service/versions.tf
index 47793b8..ee7659e 100644
--- a/terraform/031-email-service/versions.tf
+++ b/terraform/031-email-service/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf
index 9e066d4..3b050cf 100644
--- a/terraform/032-db-backup/main.tf
+++ b/terraform/032-db-backup/main.tf
@@ -146,7 +146,7 @@ module "aws_backup" {
 count = var.enable_aws_backup ? 1 : 0
 source = "silinternational/backup/aws"
- version = "0.2.0"
+ version = "~> 0.2.0"
 app_name = var.idp_name
 app_env = var.app_env
diff --git a/terraform/032-db-backup/versions.tf b/terraform/032-db-backup/versions.tf
index 9b46c04..f6615c5 100644
--- a/terraform/032-db-backup/versions.tf
+++ b/terraform/032-db-backup/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 }
 }
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index 70ca206..6078efe 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -199,7 +199,7 @@ locals {
 }
 module "ecsservice" {
- source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.13.1"
 cluster_id = var.ecs_cluster_id
 service_name = "${var.idp_name}-${var.app_name}"
 service_env = var.app_env
diff --git a/terraform/040-id-broker/versions.tf b/terraform/040-id-broker/versions.tf
index 47793b8..ee7659e 100644
--- a/terraform/040-id-broker/versions.tf
+++ b/terraform/040-id-broker/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
diff --git a/terraform/041-id-broker-search-lambda/versions.tf b/terraform/041-id-broker-search-lambda/versions.tf
index dafdc5b..867cc9c 100644
--- a/terraform/041-id-broker-search-lambda/versions.tf
+++ b/terraform/041-id-broker-search-lambda/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 http = {
 source = "hashicorp/http"
diff --git a/terraform/050-pw-manager/main-api.tf b/terraform/050-pw-manager/main-api.tf
index f00f1e4..710f756 100644
--- a/terraform/050-pw-manager/main-api.tf
+++ b/terraform/050-pw-manager/main-api.tf
@@ -121,7 +121,7 @@ locals {
 }
 module "ecsservice" {
- source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.13.1"
 cluster_id = var.ecs_cluster_id
 service_name = "${var.idp_name}-${var.app_name}"
 service_env = var.app_env
diff --git a/terraform/050-pw-manager/versions.tf b/terraform/050-pw-manager/versions.tf
index 47793b8..ee7659e 100644
--- a/terraform/050-pw-manager/versions.tf
+++ b/terraform/050-pw-manager/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf
index 770bb9d..e39f366 100644
--- a/terraform/060-simplesamlphp/main.tf
+++ b/terraform/060-simplesamlphp/main.tf
@@ -55,7 +55,7 @@ resource "random_id" "secretsalt" {
 }
 module "cf_ips" {
- source = "github.com/silinternational/terraform-modules//cloudflare/ips?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//cloudflare/ips?ref=8.13.1"
 }
 locals {
@@ -116,7 +116,7 @@ locals {
 }
 module "ecsservice" {
- source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.7.0"
+ source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.13.1"
 cluster_id = var.ecs_cluster_id
 service_name = "${var.idp_name}-${var.app_name}"
 service_env = var.app_env
diff --git a/terraform/060-simplesamlphp/versions.tf b/terraform/060-simplesamlphp/versions.tf
index 47793b8..ee7659e 100644
--- a/terraform/060-simplesamlphp/versions.tf
+++ b/terraform/060-simplesamlphp/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
diff --git a/terraform/070-id-sync/versions.tf b/terraform/070-id-sync/versions.tf
index 47793b8..ee7659e 100644
--- a/terraform/070-id-sync/versions.tf
+++ b/terraform/070-id-sync/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 4.0.0, < 6.0.0"
 }
 cloudflare = {
 source = "cloudflare/cloudflare"
From f42c57dc01ab4f2d9b39964662d19d8e1e69c644 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Wed, 11 Sep 2024 21:19:54 +0800
Subject: [PATCH 8/8] use published task module and update AWS to v5
---
 terraform/010-cluster/main.tf | 10 +++--
 terraform/020-database/main.tf | 2 +-
 terraform/032-db-backup/main.tf | 4 +-
 terraform/040-id-broker/main.tf | 4 +-
 terraform/070-id-sync/main.tf | 4 +-
 terraform/task/main.tf | 69 ---------------------------------
 terraform/task/variables.tf | 44 ---------------------
 terraform/task/versions.tf | 10 -----
 test/.terraform.lock.hcl | 34 ++++++++--------
 9 files changed, 34 insertions(+), 147 deletions(-)
 delete mode 100644 terraform/task/main.tf
 delete mode 100644 terraform/task/variables.tf
 delete mode 100644 terraform/task/versions.tf
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index da08a67..97482b8 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
@@ -2,7 +2,9 @@
 * Create VPC
 */
 module "vpc" {
- source = "github.com/silinternational/terraform-modules//aws/vpc?ref=8.13.1"
+ source = "silinternational/vpc/aws"
+ version = "~> 1.0"
+
 app_name = var.app_name
 app_env = var.app_env
 aws_zones = var.aws_zones
@@ -65,7 +67,9 @@ data "aws_acm_certificate" "wildcard" {
 * Create application load balancer for public access
 */
 module "alb" {
- source = "github.com/silinternational/terraform-modules//aws/alb?ref=8.13.1"
+ source = "silinternational/alb/aws"
+ version = "~> 1.0"
+
 app_name = var.app_name
 app_env = var.app_env
 internal = "false"
@@ -111,7 +115,7 @@ module "ecs-service-cloudwatch-dashboard" {
 count = var.create_dashboard ? 1 : 0
 source = "silinternational/ecs-service-cloudwatch-dashboard/aws"
- version = "~> 3.0.1"
+ version = "~> 3.1"
 cluster_name = var.ecs_cluster_name
 dashboard_name = "${var.app_name}-${var.app_env}-${data.aws_region.current.name}"
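Review bot: The new `version = "~> 1.0"` constraints on `module "vpc"` and `module "alb"` float across every 1.x release, and Terraform's dependency lock file records provider selections only, not module versions, so a later `terraform init` can pull a newer module with no change in this repository. If reproducible infrastructure builds are the goal, pin an exact release as this same patch does for `scheduled-ecs-task` (`version = "0.1.0"`), or at least restrict to a patch series, e.g. `version = "~> 1.0.0"`. The `~> 3.1` dashboard constraint in the third hunk behaves the same way, as do the `~> 1.2` and `~> 0.2.0` changes in the earlier patch; if floating module versions are an accepted trade-off, stating that in the commit description would save the next reader the question.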
diff --git a/terraform/020-database/main.tf b/terraform/020-database/main.tf
index 613b70d..9165e35 100644
--- a/terraform/020-database/main.tf
+++ b/terraform/020-database/main.tf
@@ -8,7 +8,7 @@ resource "random_id" "db_root_pass" {
 }
 module "rds" {
- source = "github.com/silinternational/terraform-modules//aws/rds/mariadb?ref=8.8.0"
+ source = "github.com/silinternational/terraform-modules//aws/rds/mariadb?ref=8.13.1"
 app_name = var.app_name
 app_env = var.app_env
 db_name = var.db_name
diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf
index 3b050cf..40bce8f 100644
--- a/terraform/032-db-backup/main.tf
+++ b/terraform/032-db-backup/main.tf
@@ -114,7 +114,9 @@ locals {
 }
 module "backup_task" {
- source = "../task"
+ source = "silinternational/scheduled-ecs-task/aws"
+ version = "0.1.0"
+
 name = "${var.idp_name}-${var.app_name}-${var.app_env}"
 event_rule_description = "Start scheduled backup"
 event_schedule = local.event_schedule
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index 6078efe..8a19388 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -213,7 +213,9 @@ module "ecsservice" {
 }
 module "cron_task" {
- source = "../task"
+ source = "silinternational/scheduled-ecs-task/aws"
+ version = "0.1.0"
+
 name = "${var.idp_name}-${var.app_name}-cron-${var.app_env}-${local.aws_region}"
 event_rule_description = "Start broker scheduled tasks"
 event_schedule = var.event_schedule
diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf
index f06bea9..7c0e997 100644
--- a/terraform/070-id-sync/main.tf
+++ b/terraform/070-id-sync/main.tf
@@ -50,7 +50,9 @@ locals {
 }
 module "cron_task" {
- source = "../task"
+ source = "silinternational/scheduled-ecs-task/aws"
+ version = "0.1.0"
+
 name = "${var.idp_name}-${var.app_name}-cron-${var.app_env}-${local.aws_region}"
 event_rule_description = "Start ID Sync scheduled tasks"
 enable = var.enable_sync
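Review bot: The `backup_task` module now points at the registry module `silinternational/scheduled-ecs-task/aws`, but the `moved` blocks added by the first patch target addresses such as `module.backup_task.aws_iam_role.this`, and those only keep working if the published module names its resources exactly as the deleted local module did, which this diff cannot show. If the names differ, and assuming the `moved` blocks survived the intermediate patches, the next plan would either fail on the unresolved `moved` targets or propose destroying and recreating the events role, its policy, the rule and the target, so confirming the resource addresses against the 0.1.0 module source before merging would be worthwhile, with a short comment on each `moved` block recording which module version they were verified against. The `cron_task` hunks in 040-id-broker and 070-id-sync have the same dependency.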
diff --git a/terraform/task/main.tf b/terraform/task/main.tf
deleted file mode 100644
index 145bee8..0000000
--- a/terraform/task/main.tf
+++ /dev/null
@@ -1,69 +0,0 @@
-
-locals {
- unique_name = "${var.name}-${random_id.name_suffix.b64_url}"
-}
-
-resource "random_id" "name_suffix" {
- byte_length = 6
-}
-
-resource "aws_iam_role" "this" {
- name = "ecs_events-${local.unique_name}"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Sid = ""
- Effect = "Allow"
- Principal = {
- Service = "events.amazonaws.com"
- }
- Action = "sts:AssumeRole"
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy" "this" {
- name = "ecs_events_run_task_with_any_role"
- role = aws_iam_role.this.id
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = "iam:PassRole"
- Resource = "*"
- },
- {
- Effect = "Allow"
- Action = "ecs:RunTask"
- Resource = replace(var.task_definition_arn, "/:\\d+$/", ":*")
- },
- ]
- })
-}
-
-resource "aws_cloudwatch_event_rule" "this" {
- name = local.unique_name
- description = var.event_rule_description == "" ? "Start ${var.name} task" : var.event_rule_description
- schedule_expression = var.event_schedule
- is_enabled = var.enable
- tags = var.tags
-}
-
-resource "aws_cloudwatch_event_target" "this" {
- target_id = local.unique_name
- rule = aws_cloudwatch_event_rule.this.name
- arn = var.ecs_cluster_arn
- role_arn = aws_iam_role.this.arn
- input = var.event_target_input
-
- ecs_target {
- task_count = 1
- launch_type = "EC2"
- task_definition_arn = var.task_definition_arn
- }
-}
diff --git a/terraform/task/variables.tf b/terraform/task/variables.tf
deleted file mode 100644
index 85d9530..0000000
--- a/terraform/task/variables.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-variable "ecs_cluster_arn" {
- description = "ecs cluster ID"
- type = string
-}
-
-variable "task_definition_arn" {
- description = "ECS task definition ARN"
- type = string
-}
-
-variable "name" {
- description = "name of event assigned to "
- type = string
-}
-
-variable "event_schedule" {
- description = "event schedule in AWS EventBridge format"
- type = string
- default = "cron(0 0 * * ? *)"
-}
-
-variable "enable" {
- description = "enable the event rule"
- type = bool
- default = true
-}
-
-variable "event_rule_description" {
- description = "custom event rule description, if omitted, the description will be \"Start var.name task\"."
- type = string
- default = ""
-}
-
-variable "event_target_input" {
- description = "event target input, e.g.: {\"containerOverrides\":[{\"name\":\"container_name\",\"command\":[\"bin/console\",\"scheduled-task\"]}]}. See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerOverride.html for more information."
- type = string
- default = null
-}
-
-variable "tags" {
- description = "AWS tags to add to the aws_cloudwatch_event_rule"
- type = map(string)
- default = null
-}
diff --git a/terraform/task/versions.tf b/terraform/task/versions.tf
deleted file mode 100644
index f6615c5..0000000
--- a/terraform/task/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-
-terraform {
- required_version = ">= 0.14"
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.0.0, < 6.0.0"
- }
- }
-}
diff --git a/test/.terraform.lock.hcl b/test/.terraform.lock.hcl
index 4664a46..874d480 100644
--- a/test/.terraform.lock.hcl
+++ b/test/.terraform.lock.hcl
@@ -25,25 +25,25 @@ provider "registry.terraform.io/cloudflare/cloudflare" { } provider "registry.terraform.io/hashicorp/aws" { - version = "4.67.0" - constraints = ">= 4.0.0, ~> 4.0, < 5.0.0" + version = "5.66.0" + constraints = ">= 2.0.0, >= 3.0.0, >= 4.0.0, >= 5.0.0, < 6.0.0" hashes = [ - "h1:dCRc4GqsyfqHEMjgtlM1EympBcgTmcTkWaJmtd91+KA=", - "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060", - "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6", - "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183", - "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1", - "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29", - "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7", - "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043", - "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362", - "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b", + "h1:RHs4rOiKrKJqr8UhVW7yqfoMVwaofQ+9ChP41rAzc1A=", + "zh:071c908eb18627f4becdaf0a9fe95d7a61f69be365080aba2ef5e24f6314392b", + "zh:3dea2a474c6ad4be5b508de4e90064ec485e3fbcebb264cb6c4dec660e3ea8b5", + "zh:56c0b81e3bbf4e9ccb2efb984f8758e2bc563ce179ff3aecc1145df268b046d1", + "zh:5f34b75a9ef69cad8c79115ecc0697427d7f673143b81a28c3cf8d5decfd7f93", + "zh:65632bc2c408775ee44cb32a72e7c48376001a9a7b3adbc2c9b4d088a7d58650", + "zh:6d0550459941dfb39582fadd20bfad8816255a827bfaafb932d51d66030fcdd5", + "zh:7f1811ef179e507fdcc9776eb8dc3d650339f8b84dd084642cf7314c5ca26745", + "zh:8a793d816d7ef57e71758fe95bf830cfca70d121df70778b65cc11065ad004fd", + "zh:8c7cda08adba01b5ae8cc4e5fbf16761451f0fab01327e5f44fc47b7248ba653", + "zh:96d855f1771342771855c0fb2d47ff6a731e8f2fa5d242b18037c751fd63e6c3", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf", - 
"zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b", - "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c", - "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c", - "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d", + "zh:b2a62669b72c2471820410b58d764102b11c24e326831ddcfae85c7d20795acf", + "zh:b4a6b251ac24c8f5522581f8d55238d249d0008d36f64475beefc3791f229e1d", + "zh:ca519fa7ee1cac30439c7e2d311a0ecea6a5dae2d175fe8440f30133688b6272", + "zh:fbcd54e7d65806b0038fc8a0fbdc717e1284298ff66e22aac39dcc5a22cc99e5", ] }