feat: Added consumer and tools containers.

Author: jamesiarmes

tofu/config/service/outputs.tf

@@ -1,3 +1,13 @@
+output "consumer_image_push_commands" {
+  value       = module.system.consumer_image_push_commands
+  description = "Commands to push a Docker image to the consumer container repository."
+}
+
+output "tools_image_push_commands" {
+  value       = module.system.tools_image_push_commands
+  description = "Commands to push a Docker image to the consumer container repository."
+}
+
 output "export_bucket" {
   value       = module.system.export_bucket
   description = "The name of the S3 bucket for exports."

tofu/modules/deployment/templates/iam-policy.yaml.tftpl

@@ -1,5 +1,30 @@
 Version: "2012-10-17"
 Statement:
+- Sid: InfraStateAccess
+  Effect: Allow
+  Action:
+    - s3:CreateBucket
+    - s3:ListBucket
+    - s3:GetBucketLocation
+    - s3:GetObject
+    - s3:PutObject
+    - s3:DeleteObject
+  Resource:
+    - arn:${partition}:s3:::${project}-${environment}-tfstate
+    - arn:${partition}:s3:::${project}-${environment}-tfstate/*
+- Sid: InfraLockAccess
+  Effect: Allow
+  Action:
+    - dynamodb:CreateTable
+    - dynamodb:DescribeTable
+    - dynamodb:DeleteTable
+    - dynamodb:UpdateTable
+    - dynamodb:GetItem
+    - dynamodb:PutItem
+    - dynamodb:DeleteItem
+  Resource:
+    - arn:${partition}:dynamodb:${region}:${account_id}:table/${environment}.tfstate
+
 - Effect: Allow
   Action:
   - ec2:DescribeAddresses

tofu/modules/ephemeral_service/data.tf

@@ -0,0 +1,5 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}

tofu/modules/ephemeral_service/iam.tf

@@ -0,0 +1,69 @@
+resource "aws_iam_policy" "execution" {
+  name        = "${local.prefix}-execution"
+  description = "${var.service} task execution policy for ${var.project} ${var.environment}."
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/execution-policy.yaml.tftpl", {
+    project     = var.project
+    environment = var.environment
+    ecr_arn     = local.repository_arn
+  })))
+
+  tags = var.tags
+}
+
+resource "aws_iam_role" "execution" {
+  name        = "${local.prefix}-execution"
+  description = "${var.service} task execution role for ${var.project} ${var.environment}."
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "execution" {
+  role_name = aws_iam_role.execution.name
+  policy_arns = concat([
+    aws_iam_policy.execution.arn
+  ], var.execution_policies)
+}
+
+resource "aws_iam_role" "task" {
+  name        = "${local.prefix}-task"
+  description = "${var.service} task role for ${var.project} ${var.environment}."
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "task" {
+  role_name = aws_iam_role.task.name
+  # TODO: Create our own policy instead of using the managed ones.
+  policy_arns = concat([
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/CloudWatchFullAccess",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMFullAccess",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/CloudWatchAgentServerPolicy",
+  ], var.task_policies)
+}

tofu/modules/ephemeral_service/kms.tf

@@ -0,0 +1,19 @@
+resource "aws_kms_key" "fargate" {
+  description             = "${var.service} hosting encryption key for ${var.project} ${var.environment}"
+  deletion_window_in_days = var.key_recovery_period
+  enable_key_rotation     = true
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/key-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id,
+    exec_role_arn : aws_iam_role.execution.arn,
+    partition : data.aws_partition.current.partition,
+    region : data.aws_region.current.region,
+    repository_name : local.prefix,
+  })))
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "fargate" {
+  name          = "alias/${var.project}/${var.environment}/${var.service}"
+  target_key_id = aws_kms_key.fargate.id
+}

tofu/modules/ephemeral_service/locals.tf

@@ -0,0 +1,7 @@
+locals {
+  image_url      = module.ecr.repository_url
+  prefix         = "${var.project}-${var.environment}-${var.service}"
+  repository_arn = module.ecr.repository_arn
+  stats_prefix   = var.stats_prefix != "" ? var.stats_prefix : "${var.project}/${var.service}"
+  image_tag      = var.image_tag
+}

tofu/modules/ephemeral_service/logs.tf

@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_log_group" "service" {
+  name              = "/aws/ecs/${var.project}/${var.environment}/${var.service}"
+  retention_in_days = 30
+  kms_key_id        = var.logging_key_id
+
+  tags = var.tags
+}

tofu/modules/ephemeral_service/main.tf

@@ -0,0 +1,82 @@
+module "ecr" {
+  source  = "terraform-aws-modules/ecr/aws"
+  version = "~> 3.0"
+
+  repository_name                 = local.prefix
+  repository_image_scan_on_push   = true
+  repository_encryption_type      = "KMS"
+  repository_force_delete         = var.force_delete
+  repository_image_tag_mutability = var.image_tags_mutable ? "MUTABLE" : "IMMUTABLE"
+  repository_kms_key              = aws_kms_key.fargate.arn
+  repository_lifecycle_policy = jsonencode(yamldecode(templatefile(
+    "${path.module}/templates/repository-lifecycle.yaml.tftpl", {
+      untagged_image_retention : var.untagged_image_retention
+    }
+  )))
+
+
+  tags = var.tags
+}
+
+module "ecs_task" {
+  source  = "HENNGE/ecs/aws//modules/core/task"
+  version = "~> 5.3"
+
+  name = local.prefix
+  # cluster                           = module.ecs.arn
+  # container_name                    = local.prefix
+  cpu                      = var.cpu
+  memory                   = var.memory
+  daemon_role              = aws_iam_role.execution.arn
+  task_role                = aws_iam_role.task.arn
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+
+  volume_configurations = [
+    {
+      name = "aws-lib"
+    },
+    {
+      name = "logs"
+    },
+    {
+      name = "senzing-home"
+    }
+  ]
+
+  container_definitions = jsonencode(yamldecode(templatefile(
+    "${path.module}/templates/container_definitions.yaml.tftpl", {
+      name              = local.prefix
+      cpu               = var.cpu - 256
+      memory            = var.memory - 512
+      image             = "${local.image_url}:${local.image_tag}"
+      container_command = var.container_command
+      container_port    = var.container_port
+      log_group         = aws_cloudwatch_log_group.service.name
+      region            = data.aws_region.current.region
+      namespace         = "${var.project}/${var.service}"
+      env_vars          = var.environment_variables
+      otel_log_level    = var.otel_log_level
+      otel_ssm_arn      = module.otel_config.ssm_parameter_arn
+      env_secrets       = var.environment_secrets
+
+      volumes = {
+        # Needed to support SMS agent and ecs exec.
+        aws-lib = {
+          name  = "aws-lib"
+          mount = "/var/lib/aws"
+        },
+        logs = {
+          name  = "logs",
+          mount = "/var/log"
+        },
+        senzing-home = {
+          name  = "senzing-home"
+          mount = "/home/senzing"
+        }
+      }
+    }
+  )))
+
+  tags = var.tags
+}

tofu/modules/ephemeral_service/outputs.tf

@@ -0,0 +1,9 @@
+output "docker_push" {
+  description = "Commands to push a Docker image to the container repository."
+  value       = <<EOT
+aws ecr get-login-password --region ${data.aws_region.current.region} | docker login --username AWS --password-stdin ${module.ecr.repository_registry_id}.dkr.ecr.${data.aws_region.current.region}.amazonaws.com
+docker build -t ${module.ecr.repository_name} --platform linux/amd64 -f Dockerfile .
+docker tag ${module.ecr.repository_name}:${var.image_tag} ${local.image_url}:latest
+docker push ${local.image_url}:latest
+EOT
+}

tofu/modules/ephemeral_service/secrets.tf

@@ -0,0 +1,13 @@
+module "otel_config" {
+  source  = "terraform-aws-modules/ssm-parameter/aws"
+  version = "~> 1.1"
+
+  name        = "/${var.project}/${var.environment}/${var.service}/otel"
+  description = "Configuration for the OpenTelemetry collector."
+  tier        = "Intelligent-Tiering"
+  value = templatefile("${path.module}/templates/aws-otel-config.yaml.tftpl", {
+    app_namespace = local.stats_prefix
+  })
+
+  tags = var.tags
+}