WIP

dxw · Oct 4, 2024 · e28d586 · e28d586
1 parent 5009d9b
commit e28d586
Show file tree

Hide file tree

Showing 3 changed files with 192 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -107,6 +107,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_ecs_task_definition.infrastructure_ecs_cluster_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_ecs_task_definition.infrastructure_ecs_cluster_service_scheduled_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_ecs_task_definition.infrastructure_rds_s3_backups_scheduled_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
+| [aws_ecs_task_definition.infrastructure_rds_utility_scheduled_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_efs_file_system.infrastructure_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
 | [aws_efs_mount_target.infrastructure_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
 | [aws_eip.infrastructure_nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
@@ -184,6 +185,11 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_rds_s3_backups_task_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_task_s3_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_task_s3_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_utility_task_execution_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_utility_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_utility_task_execution_get_secret_value](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_utility_task_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_utility_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ecs_cluster_infrastructure_draining_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ecs_cluster_infrastructure_pending_task_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -201,6 +207,8 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role.infrastructure_rds_s3_backups_image_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.infrastructure_rds_s3_backups_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.infrastructure_rds_s3_backups_task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.infrastructure_rds_utility_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.infrastructure_rds_utility_task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.infrastructure_vpc_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.infrastructure_vpc_flow_logs_allow_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_draining_ecs_container_instance_state_update_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -257,6 +265,11 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_s3_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_s3_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_utility_task_execution_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_utility_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_utility_task_execution_get_secret_value](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_utility_task_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_utility_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_user.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_instance.infrastructure_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_internet_gateway.infrastructure_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |

diff --git a/rds-infrastructure-tooling-ecs-cluster.tf b/rds-infrastructure-tooling-ecs-cluster.tf
@@ -8,19 +8,19 @@ resource "aws_ecs_cluster" "infrastrucutre_rds_tooling" {
     value = "enabled"
   }
 
-  dynamic "configuration" {
-    for_each = local.infrastructure_ecs_cluster_enable_execute_command_logging ? [1] : []
-    content {
-      execute_command_configuration {
-        kms_key_id = local.infrastructure_kms_encryption ? aws_kms_key.infrastructure[0].arn : null
-        logging    = "OVERRIDE"
+  #dynamic "configuration" {
+  #  for_each = local.infrastructure_ecs_cluster_enable_execute_command_logging ? [1] : []
+  #  content {
+  #    execute_command_configuration {
+  #      kms_key_id = local.infrastructure_kms_encryption ? aws_kms_key.infrastructure[0].arn : null
+  #      logging    = "OVERRIDE"
 
-        log_configuration {
-          s3_bucket_encryption_enabled = true
-          s3_bucket_name               = aws_s3_bucket.infrastructure_logs[0].id
-          s3_key_prefix                = "ecs-exec"
-        }
-      }
-    }
-  }
+  #      log_configuration {
+  #        s3_bucket_encryption_enabled = true
+  #        s3_bucket_name               = aws_s3_bucket.infrastructure_logs[0].id
+  #        s3_key_prefix                = "ecs-exec"
+  #      }
+  #    }
+  #  }
+  #}
 }
diff --git a/rds-infrastructure-utility-task-definition.tf b/rds-infrastructure-utility-task-definition.tf
@@ -0,0 +1,165 @@
+resource "aws_iam_role" "infrastructure_rds_utility_task_execution" {
+  for_each = local.infrastructure_rds
+
+  name        = "${local.resource_prefix}-${substr(sha512("rds-utility-task-execution-${each.key}"), 0, 6)}"
+  description = "${local.resource_prefix}-rds-utility-task-execution-${each.key}"
+  assume_role_policy = templatefile(
+    "${path.root}/policies/assume-roles/service-principle-standard.json.tpl",
+    { services = jsonencode(["ecs-tasks.amazonaws.com"]) }
+  )
+}
+
+resource "aws_iam_policy" "infrastructure_rds_utility_task_execution_ecr_pull" {
+  for_each = local.infrastructure_rds
+
+  name        = "${local.resource_prefix}-${substr(sha512("rds-utility-task-execution-${each.key}-ecr-pull"), 0, 6)}"
+  description = "${local.resource_prefix}-rds-utility-task-execution-${each.key}-ecr-pull"
+  policy = templatefile(
+    "${path.root}/policies/ecr-pull.json.tpl",
+    { ecr_repository_arn = aws_ecr_repository.infrastructure_rds_s3_backups[0].arn }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_utility_task_execution_ecr_pull" {
+  for_each = local.infrastructure_rds
+
+  role       = aws_iam_role.infrastructure_rds_utility_task_execution[each.key].name
+  policy_arn = aws_iam_policy.infrastructure_rds_utility_task_execution_ecr_pull[each.key].arn
+}
+
+resource "aws_iam_policy" "infrastructure_rds_utility_task_execution_cloudwatch_logs" {
+  for_each = local.infrastructure_rds
+
+  name        = "${local.resource_prefix}-${substr(sha512("rds-utility-task-execution-${each.key}-cloudwatch-logs"), 0, 6)}"
+  description = "${local.resource_prefix}-rds-utility-task-execution-${each.key}-cloudwatch-logs"
+  policy      = templatefile("${path.root}/policies/cloudwatch-logs-rw.json.tpl", {})
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_utility_task_execution_cloudwatch_logs" {
+  for_each = local.infrastructure_rds
+
+  role       = aws_iam_role.infrastructure_rds_utility_task_execution[each.key].name
+  policy_arn = aws_iam_policy.infrastructure_rds_utility_task_execution_cloudwatch_logs[each.key].arn
+}
+
+resource "aws_iam_policy" "infrastructure_rds_utility_task_execution_get_secret_value" {
+  for_each = local.infrastructure_rds
+
+  name        = "${local.resource_prefix}-${substr(sha512("rds-utility-task-execution-${each.key}-get-secret-value"), 0, 6)}"
+  description = "${local.resource_prefix}-rds-utility-task-execution-${each.key}-get-secret-value"
+  policy = templatefile("${path.root}/policies/secrets-manager-get-secret-value.json.tpl", {
+    secret_name_arns = jsonencode([
+      aws_secretsmanager_secret.infrastructure_rds_root_password[each.key].arn,
+    ])
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_utility_task_execution_get_secret_value" {
+  for_each = local.infrastructure_rds
+
+  role       = aws_iam_role.infrastructure_rds_utility_task_execution[each.key].name
+  policy_arn = aws_iam_policy.infrastructure_rds_utility_task_execution_get_secret_value[each.key].arn
+}
+
+resource "aws_iam_role" "infrastructure_rds_utility_task" {
+  for_each = local.infrastructure_rds
+
+  name        = "${local.resource_prefix}-${substr(sha512("rds-utility-task-${each.key}"), 0, 6)}"
+  description = "${local.resource_prefix}-rds-utility-task-${each.key}"
+  assume_role_policy = templatefile(
+    "${path.root}/policies/assume-roles/service-principle-standard.json.tpl",
+    { services = jsonencode(["ecs-tasks.amazonaws.com"]) }
+  )
+}
+
+resource "aws_iam_policy" "infrastructure_rds_utility_task_ssm_create_channels" {
+  for_each = local.infrastructure_rds
+
+  name        = "${local.resource_prefix}-${substr(sha512("rds-utility-task-${each.key}-create-channels"), 0, 6)}"
+  description = "${local.resource_prefix}-rds-utility-task-${each.key}-create-channels"
+  policy      = templatefile("${path.root}/policies/ssm-create-channels.json.tpl", {})
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_utility_task_ssm_create_channels" {
+  for_each = local.infrastructure_rds
+
+  role       = aws_iam_role.infrastructure_rds_utility_task[each.key].name
+  policy_arn = aws_iam_policy.infrastructure_rds_utility_task_ssm_create_channels[each.key].arn
+}
+
+resource "aws_iam_policy" "infrastructure_rds_utility_task_kms_encrypt" {
+  for_each = local.infrastructure_kms_encryption ? local.infrastructure_rds : {}
+
+  name        = "${local.resource_prefix}-${substr(sha512("-rds-utility-task-${each.key}-kms-encrypt"), 0, 6)}"
+  description = "${local.resource_prefix}--rds-utility-task-${each.key}-kms-encrypt"
+  policy = templatefile(
+    "${path.root}/policies/kms-encrypt.json.tpl",
+    { kms_key_arn = aws_kms_key.infrastructure[0].arn }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_utility_task_kms_encrypt" {
+  for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
+
+  role       = aws_iam_role.infrastructure_rds_utility_task[each.key].name
+  policy_arn = aws_iam_policy.infrastructure_rds_utility_task_kms_encrypt[each.key].arn
+}
+
+resource "aws_ecs_task_definition" "infrastructure_rds_utility_scheduled_task" {
+  for_each = local.infrastructure_rds
+
+  family = "${local.resource_prefix}-rds-utility-${each.key}"
+  container_definitions = templatefile(
+    "./container-definitions/app.json.tpl",
+    {
+      container_name      = "rds-utility-${each.key}"
+      image               = aws_ecr_repository.infrastructure_rds_s3_backups[0].repository_url
+      entrypoint          = jsonencode(["/bin/bash", "-c", "sleep 60"])
+      command             = jsonencode([])
+      environment_file_s3 = ""
+      environment = jsonencode([
+        {
+          name  = "DB_HOST",
+          value = each.value["type"] == "instance" ? aws_db_instance.infrastructure_rds[each.key].address : each.value["type"] == "cluster" ? aws_rds_cluster.infrastructure_rds[each.key].reader_endpoint : null
+        },
+        {
+          name  = "DB_USER",
+          value = "root"
+        },
+        {
+          name  = "DB_PORT",
+          value = tostring(local.rds_ports[each.value["engine"]])
+        }
+      ])
+      secrets = jsonencode([
+        {
+          name      = "DB_PASSWORD"
+          valueFrom = aws_secretsmanager_secret.infrastructure_rds_root_password[each.key].arn,
+        }
+      ])
+      container_port = 0
+      extra_hosts    = jsonencode([])
+      volumes        = jsonencode([])
+      linux_parameters = jsonencode({
+        initProcessEnabled = true
+      })
+      syslog_address        = ""
+      syslog_tag            = ""
+      cloudwatch_log_group  = aws_cloudwatch_log_group.infrastructure_rds_s3_backups[each.key].name
+      awslogs_stream_prefix = "${local.resource_prefix}-rds-util-${each.key}"
+      region                = local.aws_region
+    }
+  )
+  execution_role_arn       = aws_iam_role.infrastructure_rds_utility_task_execution[each.key].arn
+  task_role_arn            = aws_iam_role.infrastructure_rds_utility_task[each.key].arn
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  memory                   = 1024
+  cpu                      = 512
+
+  depends_on = [
+    aws_iam_role_policy_attachment.infrastructure_rds_utility_task_execution_ecr_pull,
+    aws_iam_role_policy_attachment.infrastructure_rds_utility_task_execution_cloudwatch_logs,
+    terraform_data.infrastructure_rds_s3_backups_image_build_trigger_codebuild,
+  ]
+}