Add ecs service for service discovery

ooni · Feb 3, 2025 · c9c46ee · c9c46ee
1 parent 9f30039
commit c9c46ee
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 1 deletion.
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -795,5 +795,9 @@ resource "aws_acm_certificate_validation" "ooniapi_frontend" {
 
 module "ooni_monitoring" {
   source = "../../modules/ooni_monitoring"
+  environment = local.environment
+  aws_region = var.aws_region
+  cluster_id = module.ooniapi_cluster.cluster_id
+
   tags = local.tags  
-}
+}
diff --git a/tf/modules/ooni_monitoring/main.tf b/tf/modules/ooni_monitoring/main.tf
@@ -1,3 +1,11 @@
+locals {
+  name = "ecs-service-discovery-${var.environment}"
+
+  tags = {
+    Name = local.name
+    Environment = var.environment
+  }
+}
 resource "aws_iam_user" "ooni_monitoring" {
   name = "oonidevops-monitoring"
 }
@@ -34,4 +42,100 @@ resource "aws_ssm_parameter" "ooni_monitoring_secret_key" {
   name = "/oonidevops/secrets/ooni_monitoring/secret_key"
   type = "SecureString"
   value = aws_iam_access_key.ooni_monitoring.secret
+}
+
+resource "aws_ecs_task_definition" "ooni_service_discovery" {
+  family       = "ecs-sd-td"
+  network_mode = "bridge"
+
+  container_definitions = jsonencode([
+    {
+      memoryReservation = var.task_memory,
+      essential         = true,
+      image = "apptality/aws-ecs-cloudmap-prometheus-discovery:latest",
+      name = local.name,
+
+      portMappings = [
+        {
+          containerPort = 9001
+          protocol = "tcp"
+        }
+      ],
+
+      environment = [
+        {
+          name = "AWS_REGION"
+          value = var.aws_region
+        }
+      ]
+      secrets = [
+        for k, v in var.task_secrets : {
+          name      = k,
+          valueFrom = v
+        }
+      ],
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          awslogs-group  = aws_cloudwatch_log_group.ooni_ecs_sd.name,
+          awslogs-region = var.aws_region
+        }
+      }
+    }
+  ])
+
+  # TODO I think this should have its own role
+  task_role_arn = aws_iam_role.ecs_sd_task.arn
+  execution_role_arn = aws_iam_role.ecs_sd_task.arn
+  tags               = var.tags
+  track_latest       = true
+}
+
+resource "aws_ecs_service" "service" {
+  name            = local.name
+  cluster         = var.cluster_id
+  launch_type     = "EC2"
+  task_definition = aws_ecs_task_definition.ooni_service_discovery.id
+  desired_count   = 1
+
+  # Required to SSH into the container
+  enable_execute_command = true
+
+  # Below are required to enforce a new deployment to be ready before the old one is stopped
+  deployment_minimum_healthy_percent = 0
+  deployment_maximum_percent         = 100
+
+  # lifecycle {
+  #   ignore_changes = [
+  #     desired_count
+  #   ]
+  # }
+
+  tags = var.tags
+}
+
+resource "aws_iam_role" "ecs_sd_task" {
+  name = "${local.name}-task-role"
+
+  tags = var.tags
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_cloudwatch_log_group" "ooni_ecs_sd" {
+  name = "ooni-ecs-group/${local.name}"
 }
diff --git a/tf/modules/ooni_monitoring/variables.tf b/tf/modules/ooni_monitoring/variables.tf
@@ -2,4 +2,28 @@ variable "tags" {
   description = "tags to apply to the resources"
   default     = {}
   type        = map(string)
+}
+
+variable "environment" {
+  type = string
+}
+
+variable "task_memory" {
+  description = "How much memory to allocate for this task"
+  type = number
+  default = 64
+}
+
+variable "aws_region" {
+  description = "AWS region"
+  type = string
+}
+
+variable "task_secrets" {
+  type = map(string)
+  default = {}
+}
+
+variable "cluster_id" {
+  type = string
 }