feat: prepare aws-ecs and aws-rds to EUSC AWS partition, migrate Terragrunt cli usage, update Datadog ECS/Postres check configueration

Author: matihost

terraform/aws/aws-ecs/Makefile

@@ -4,29 +4,37 @@ SHELL := /usr/bin/env bash
 DEBUG := false
 ifeq ($(strip $(DEBUG)),true)
 	TF_LOG := DEBUG
-	TG_FLAGS := --terragrunt-debug
+	TG_FLAGS := --inputs-debug
 endif
 
 MODE := apply
 ifeq ($(strip $(MODE)),apply)
-	MODE_STR := apply -auto-approve
+	MODE_STR := --non-interactive -- apply -auto-approve
 else ifeq ($(strip $(MODE)),destroy)
-	MODE_STR := destroy -auto-approve
+	MODE_STR := --non-interactive -- destroy -auto-approve
 else
-	MODE_STR := plan
+	MODE_STR := --non-interactive -- plan
 endif
 
+PARTITION := aws
+
 ENV := dev
 
+ifeq ($(strip $(PARTITION)),eusc)
+	DEPLOY_PATH := stage/eusc/$(ENV)
+else
+	DEPLOY_PATH := stage/$(ENV)
+endif
+
 init:
-	cd stage/$(ENV) && terragrunt init -upgrade=true --backend-bootstrap --non-interactive
+	cd $(DEPLOY_PATH) && terragrunt run -- init -upgrade=true
 
 run: init ## setup ECS services: make run [ENV=dev] [MODE=apply]
-	@cd stage/$(ENV) && terragrunt validate && terragrunt $(MODE_STR) --non-interactive $(TG_FLAGS)
+	@cd $(DEPLOY_PATH) && terragrunt run validate && terragrunt run $(MODE_STR) $(TG_FLAGS)
 
 
 show-state: ## show state
-	cd stage/$(ENV) && terragrunt state list && terragrunt show
+	cd $(DEPLOY_PATH) && terragrunt state list && terragrunt show
 
 clean: ## clean cached plugins and data
 	find . -name ".terra*" -exec rm -rf {} +

terraform/aws/aws-ecs/README.md

@@ -35,7 +35,7 @@ aws configure
 ```bash
 
 # deploy ECS apps
-make run ENV=dev MODE=apply
+make run MODE=apply [ENV=dev] [PARTITION=aws]
 
 # show Terraform state
 make show-state

terraform/aws/aws-ecs/module/alb.tf

@@ -14,7 +14,7 @@ resource "aws_lb" "app" {
   load_balancer_type = "application"
   security_groups    = [data.aws_security_group.app-security-group[each.key].id]
 
-  # TODO replace with subnet mapping to reserver EIP
+  # TODO replace with subnet mapping to reserved EIP
   subnets = local.private_subnet_ids
 }
 
@@ -29,7 +29,7 @@ resource "aws_lb_listener" "app" {
   # port              = "443"
   # protocol          = "HTTPS"
   # ssl_policy        = "ELBSecurityPolicy-2016-08"
-  # certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"
+  # certificate_arn   = "arn:${var.partition}:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"
 
   default_action {
     type             = "forward"

terraform/aws/aws-ecs/module/app.tf

@@ -109,9 +109,10 @@ resource "aws_ecs_service" "app" {
     security_groups = [data.aws_security_group.app-security-group[each.key].id]
   }
 
-  deployment_maximum_percent         = "200"
-  deployment_minimum_healthy_percent = "50"
+  deployment_maximum_percent         = try(each.value.maximum_percent, 200)
+  deployment_minimum_healthy_percent = try(each.value.minimum_healthy_percent, 50)
 
+  availability_zone_rebalancing = coalesce(each.value.maximum_percent, 200) > 100 ? "ENABLED" : "DISABLED"
 
   dynamic "load_balancer" {
     for_each = each.value.port != 0 ? [1] : []

terraform/aws/aws-ecs/module/iam.tf

@@ -15,7 +15,7 @@ resource "aws_iam_role" "task-role" {
          "Action":"sts:AssumeRole",
          "Condition":{
             "ArnLike":{
-            "aws:SourceArn":"arn:aws:ecs:${var.region}:${local.account_id}:*"
+            "aws:SourceArn":"arn:${var.partition}:ecs:${var.region}:${local.account_id}:*"
             },
             "StringEquals":{
                "aws:SourceAccount":"${local.account_id}"
@@ -36,12 +36,20 @@ EOF
       {
       "Effect": "Allow",
       "Action": [
-            "ssmmessages:CreateControlChannel",
-            "ssmmessages:CreateDataChannel",
-            "ssmmessages:OpenControlChannel",
-            "ssmmessages:OpenDataChannel"
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
       ],
       "Resource": "*"
+      },
+      {
+      "Effect": "Allow",
+      "Action": [
+        "ecs:ListClusters",
+        "ecs:ListContainerInstances",
+        "ecs:DescribeContainerInstances"],
+      "Resource": "*"
       }
   ]
 }
@@ -88,9 +96,9 @@ EOF
         "kms:Decrypt"
       ],
       "Resource": [
-        "arn:aws:ssm:${var.region}:${local.account_id}:parameter/*",
-        "arn:aws:secretsmanager:${var.region}:${local.account_id}:secret:*",
-        "arn:aws:kms:${var.region}:${local.account_id}:key/*"
+        "arn:${var.partition}:ssm:${var.region}:${local.account_id}:parameter/*",
+        "arn:${var.partition}:secretsmanager:${var.region}:${local.account_id}:secret:*",
+        "arn:${var.partition}:kms:${var.region}:${local.account_id}:key/*"
       ]
     }
   ]
@@ -103,5 +111,5 @@ EOF
 
 resource "aws_iam_role_policy_attachment" "exec-role" {
   role       = aws_iam_role.exec-role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }

terraform/aws/aws-ecs/module/variables.tf

@@ -24,16 +24,18 @@ variable "zones" {
 
 variable "apps" {
   type = map(object({
-    name                = string
-    image               = string
-    memory              = number
-    cpu                 = number
-    port                = number
-    protocol            = string
-    desired_instances   = number
-    security_group_name = string
-    env_vars            = list(map(string))
-    docker_labels       = map(string)
+    name                    = string
+    image                   = string
+    memory                  = number
+    cpu                     = number
+    port                    = number
+    protocol                = string
+    desired_instances       = number
+    security_group_name     = string
+    env_vars                = list(map(string))
+    docker_labels           = map(string)
+    maximum_percent         = optional(number)
+    minimum_healthy_percent = optional(number)
   }))
   description = "Map of apps to deploy as ECS tasks,"
 }
@@ -54,6 +56,11 @@ variable "zone" {
 }
 
 # tflint-ignore: terraform_unused_declarations
+variable "partition" {
+  type        = string
+  description = "The AWS partition in which to create resources"
+  default     = "aws"
+}
 variable "region" {
   default     = "us-east-1"
   type        = string
@@ -62,6 +69,6 @@ variable "region" {
 
 # tflint-ignore: terraform_unused_declarations
 variable "aws_tags" {
-  type        = map(string)
+  type        = map(any)
   description = "AWS tags"
 }

terraform/aws/aws-ecs/module/versions.tf

@@ -5,5 +5,5 @@ terraform {
       version = "~> 6"
     }
   }
-  required_version = ">= 1.0"
+  required_version = ">= 1.9"
 }

terraform/aws/aws-ecs/stage/dev/terragrunt.hcl

@@ -1,3 +1,11 @@
+locals {
+  region                    = "us-east-1"
+  dd_api_key                = try(get_env("DD_API_KEY"), "")
+  dd_rds_dns                = try(get_env("DD_RDS_DNS"), "")
+  dd_rds_password           = try(get_env("DD_RDS_PASSWORD"), "")
+  dd_db_instance_identifier = try(get_env("DD_DB_INSTANCE_IDENTIFIER"), "")
+}
+
 include "root" {
   path = find_in_parent_folders("root.hcl")
 }
@@ -10,14 +18,14 @@ terraform {
 
 inputs = {
   env      = "dev"
-  region   = "us-east-1"
-  zone     = "us-east-1a"
-  vpc_name = "dev-us-east-1"
+  region   = local.region
+  zone     = "${local.region}a"
+  vpc_name = "dev-${local.region}"
   aws_tags = {
     Env    = "dev"
-    Region = "us-east1"
+    Region = local.region
   }
-  zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
+  zones = ["${local.region}a", "${local.region}b", "${local.region}c"]
   apps = {
     "nginx" : {
       name                = "nginx",
@@ -27,13 +35,24 @@ inputs = {
       cpu                 = 1024,
       memory              = 2048,
       port                = 80,
-      security_group_name = "dev-ssh-http-from-vpc"
+      security_group_name = "dev-${local.region}-ssh-http-from-vpc"
       env_vars            = []
       docker_labels       = {}
     },
     # Datadog agent for RDS database monitoring
+    # Configure PostgreSQL database: add user and grant permissions:
+    # https://docs.datadoghq.com/database_monitoring/setup_postgres/rds?tab=postgres15#grant-the-agent-access
     # https://docs.datadoghq.com/database_monitoring/setup_postgres/aurora?tab=docker#install-the-agent
     #
+    # To deploy and test:
+    #
+    # export DD_API_KEY="your_api_key"
+    # export DD_RDS_DNS="dev.cluster-czk84imkkq6n.eusc-de-east-1.rds.amazonaws.eu"
+    # export DD_RDS_PASSWORD="datadog"
+    # export DD_DB_INSTANCE_IDENTIFIER="dev"
+    #
+    # And uncomment:
+    #
     # "rds-datadog-agent" : {
     #   name                = "rds-datadog-agent",
     #   image               = "public.ecr.aws/datadog/agent:latest",
@@ -42,11 +61,18 @@ inputs = {
     #   cpu                 = 256,
     #   memory              = 512,
     #   port                = 0, # do not expose via ALB
-    #   security_group_name = "dev-us-east-1-psql-from-vpc"
+    #   security_group_name = "dev-${local.region}-psql-from-vpc"
+    #   # to emulate Recreate deployment strategy
+    #   maximum_percent         = 100,
+    #   minimum_healthy_percent = 0,
     #   env_vars = [
     #       {
     #         "name": "DD_API_KEY",
-    #         "value": "<DD_API_KEY_HERE>"
+    #         "value": "${local.dd_api_key}"
+    #       },
+    #       {
+    #         "name": "DD_SITE",
+    #         "value": "datadoghq.com"
     #       },
     #       {
     #         "name": "DD_HEALTH_PORT",
@@ -61,25 +87,8 @@ inputs = {
     #         "value": "true"
     #       },
     #   ],
-    #
-    ## TODO migrate DD checks/integration with format for Datadog Agent v7.36+:
-    ## Example on Redis check:
-    ##
-    ## labels:
-    ##   com.datadoghq.ad.checks: '{"redisdb": {"instances": [{"host": "%%host%%","port":"6379","password":"%%env_REDIS_PASSWORD%%"}], "logs": [{"type": "file", "path": "/var/log/redis_6379.log", "source": "redis", "service": "redis_service"}]}}'
-    ##
-    ## For earlier Agent versions it was formatted like:
-    ##
-    ## labels:
-    ##   com.datadoghq.ad.check_names: '["redisdb"]'
-    ##   com.datadoghq.ad.init_configs: '[{}]'
-    ##   com.datadoghq.ad.instances: '[{"host": "%%host%%","port":"6379","password":"%%env_REDIS_PASSWORD%%"}]'
-    ##   com.datadoghq.ad.logs: '[{"type": "file", "path": "/var/log/redis_6379.log", "source": "redis", "service": "redis_service"}]'
-    #
     #   docker_labels = {
-    #     "com.datadoghq.ad.check_names": "[\"postgres\"]",
-    #     "com.datadoghq.ad.init_configs": "[{}]",
-    #     "com.datadoghq.ad.instances": "[{\"dbm\": true, \"host\": \"<RDS-DNS>\", \"port\": 5432, \"username\": \"datadog\", \"password\": \"<PASSWORD>\" }]"
+    #     "com.datadoghq.ad.checks": "{\"postgres\": {\"instances\": [{\"dbm\": true, \"host\": \"${local.dd_rds_dns}\", \"port\": 5432, \"username\": \"datadog\", \"password\": \"${local.dd_rds_password}\", \"database_autodiscovery\": {\"enabled\": true}, \"aws\": {\"instance_endpoint\": \"${local.dd_rds_dns}\", \"region\": \"${local.region}\"}, \"tags\": [\"dbinstanceidentifier:${local.dd_db_instance_identifier}\"]  }]}}"
     #   },
     # },
   }

terraform/aws/aws-ecs/stage/eusc.hcl

@@ -0,0 +1,55 @@
+locals {
+  bucket  = "${local.account}-terraform-state"
+  account = "${run_cmd("--terragrunt-quiet", "aws", "sts", "get-caller-identity", "--query", "\"Account\"", "--output", "text")}"
+  region  = "eusc-de-east-1"
+  zone    = "eusc-de-east-1a"
+}
+
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "state.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    bucket = local.bucket
+    key    = "${basename(abspath("${get_parent_terragrunt_dir()}/.."))}/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/terraform.tfstate"
+    region = local.region
+    # TODO play with it... maybe not in free tier
+    # encrypt        = true
+    # dynamodb_table = "my-lock-table"
+  }
+}
+
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  region  = var.region
+  default_tags {
+    tags = var.aws_tags
+  }
+}
+EOF
+}
+
+terraform {
+  extra_arguments "common_vars" {
+    commands = get_terraform_commands_that_need_vars()
+
+    env_vars = {
+      TF_VAR_terraform_state_bucket = local.bucket
+    }
+  }
+}
+
+inputs = {
+  account = local.account
+  region  = local.region
+  zone    = local.zone
+
+  partition = "aws-eusc"
+
+}