From c9c46eeb6ce76faae7f0fe878416a0dd40cf893d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Mon, 3 Feb 2025 14:02:09 +0100
Subject: [PATCH] Add ecs service for service discovery
---
 tf/environments/dev/main.tf | 6 +-
 tf/modules/ooni_monitoring/main.tf | 104 ++++++++++++++++++++++++
 tf/modules/ooni_monitoring/variables.tf | 24 ++++++
 3 files changed, 133 insertions(+), 1 deletion(-)
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index f5e3d9f5..e0d2a0fe 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -795,5 +795,9 @@ resource "aws_acm_certificate_validation" "ooniapi_frontend" {
 module "ooni_monitoring" {
 source = "../../modules/ooni_monitoring"
+ environment = local.environment
+ aws_region = var.aws_region
+ cluster_id = module.ooniapi_cluster.cluster_id
+ tags = local.tags
-}
\ No newline at end of file
+}
diff --git a/tf/modules/ooni_monitoring/main.tf b/tf/modules/ooni_monitoring/main.tf
index 22021f0e..c7d0e96d 100644
--- a/tf/modules/ooni_monitoring/main.tf
+++ b/tf/modules/ooni_monitoring/main.tf
@@ -1,3 +1,11 @@
+locals {
+ name = "ecs-service-discovery-${var.environment}"
+
+ tags = {
+ Name = local.name
+ Environment = var.environment
+ }
+}
 resource "aws_iam_user" "ooni_monitoring" {
 name = "oonidevops-monitoring"
 }
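Review bot: `local.tags` (`Name`, `Environment`) defined in the new `locals` block is not referenced by any resource visible in this patch; the task definition, service and IAM role added further down the same file all set `tags = var.tags`, so the `Name` and `Environment` tags never reach the created resources unless a consumer outside this diff uses them. Either drop the unused local or merge it into the resource tags, e.g. `tags = merge(var.tags, local.tags)`, so the per-environment name is actually attached for cost allocation and inventory. The later hunk runs past the end of what is shown here, so a consumer may exist beyond the visible lines.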
@@ -34,4 +42,100 @@ resource "aws_ssm_parameter" "ooni_monitoring_secret_key" {
 name = "/oonidevops/secrets/ooni_monitoring/secret_key"
 type = "SecureString"
 value = aws_iam_access_key.ooni_monitoring.secret
+}
+
+resource "aws_ecs_task_definition" "ooni_service_discovery" {
+ family = "ecs-sd-td"
+ network_mode = "bridge"
+
+ container_definitions = jsonencode([
+ {
+ memoryReservation = var.task_memory,
+ essential = true,
+ image = "apptality/aws-ecs-cloudmap-prometheus-discovery:latest",
+ name = local.name,
+
+ portMappings = [
+ {
+ containerPort = 9001
+ protocol = "tcp"
+ }
+ ],
+
+ environment = [
+ {
+ name = "AWS_REGION"
+ value = var.aws_region
+ }
+ ]
+ secrets = [
+ for k, v in var.task_secrets : {
+ name = k,
+ valueFrom = v
+ }
+ ],
+ logConfiguration = {
+ logDriver = "awslogs",
+ options = {
+ awslogs-group = aws_cloudwatch_log_group.ooni_ecs_sd.name,
+ awslogs-region = var.aws_region
+ }
+ }
+ }
+ ])
+
+ # TODO I think this should have its own role
+ task_role_arn = aws_iam_role.ecs_sd_task.arn
+ execution_role_arn = aws_iam_role.ecs_sd_task.arn
+ tags = var.tags
+ track_latest = true
+}
+
+resource "aws_ecs_service" "service" {
+ name = local.name
+ cluster = var.cluster_id
+ launch_type = "EC2"
+ task_definition = aws_ecs_task_definition.ooni_service_discovery.id
+ desired_count = 1
+
+ # Required to SSH into the container
+ enable_execute_command = true
+
+ # Below are required to enforce a new deployment to be ready before the old one is stopped
+ deployment_minimum_healthy_percent = 0
+ deployment_maximum_percent = 100
+
+ # lifecycle {
+ # ignore_changes = [
+ # desired_count
+ # ]
+ # }
+
+ tags = var.tags
+}
+
+resource "aws_iam_role" "ecs_sd_task" {
+ name = "${local.name}-task-role"
+
+ tags = var.tags
+
+ assume_role_policy = <