expanding terraform

STollenaar · Sep 21, 2023 · f32dc8d · f32dc8d
1 parent fc0e9ab
commit f32dc8d
Show file tree

Hide file tree

Showing 2 changed files with 98 additions and 23 deletions.
diff --git a/terraform/data.tf b/terraform/data.tf
@@ -2,11 +2,91 @@ data "terraform_remote_state" "discord_bots_cluster" {
   backend = "s3"
   config = {
     profile = local.used_profile.name
-    region = "ca-central-1"
-    bucket = "stollenaar-terraform-states"
-    key    = "infrastructure/terraform.tfstate"
+    region  = "ca-central-1"
+    bucket  = "stollenaar-terraform-states"
+    key     = "infrastructure/terraform.tfstate"
   }
 }
+
+data "aws_iam_policy_document" "ssm_access_role_policy_document" {
+  statement {
+    sid    = "KMSDecryption"
+    effect = "Allow"
+    actions = [
+      "kms:ListKeys",
+      "kms:GetPublicKey",
+      "kms:DescribeKey",
+      "kms:Decrypt",
+    ]
+    resources = [
+      "*"
+    ]
+  }
+  statement {
+    sid    = "SSMAccess"
+    effect = "Allow"
+    actions = [
+      "ssm:GetParametersByPath",
+      "ssm:GetParameters",
+      "ssm:GetParameter",
+      "ssm:DescribeParameters",
+    ]
+    resources = ["*"]
+  }
+  source_policy_documents = [
+    data.aws_iam_policy_document.sqs_role_policy_document.json,
+    data.aws_iam_policy_document.cloudwatch_role_policy_document.json
+  ]
+}
+
+# IAM policy document for the container to access the sqs queue
+data "aws_iam_policy_document" "sqs_role_policy_document" {
+  statement {
+    sid    = "SQSSendMessage"
+    effect = "Allow"
+    actions = [
+      "sqs:GetQueueUrl",
+      "sqs:ReceiveMessage",
+      "sqs:SendMessage",
+    ]
+    resources = [
+      aws_sqs_queue.markov_user_request.arn,
+      aws_sqs_queue.markov_user_response.arn,
+    ]
+  }
+}
+
+# IAM policy document for the container to access cloudwatch
+data "aws_iam_policy_document" "cloudwatch_role_policy_document" {
+  statement {
+    sid    = "CloudwatchAccess"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogStreams"
+    ]
+    resources = [
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+    ]
+  }
+}
+
+
+data "aws_iam_policy_document" "assume_policy_document" {
+  statement {
+    effect = "Allow"
+    principals {
+      identifiers = ["ec2.amazonaws.com", "ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
+
 data "awsprofiler_list" "list_profiles" {}
 
 data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -28,6 +28,19 @@ provider "aws" {
   profile = local.used_profile.name
 }
 
+resource "aws_iam_role" "statisticsbot_role" {
+  name               = "StatisticsbotRole"
+  description        = "Role for the statisticsbot"
+  assume_role_policy = data.aws_iam_policy_document.assume_policy_document.json
+}
+
+resource "aws_iam_role_policy" "statisticsbot_role_policy" {
+  role   = aws_iam_role.statisticsbot_role.id
+  name   = "inline-role"
+  policy = data.aws_iam_policy_document.ssm_access_role_policy_document.json
+}
+
+
 resource "aws_ecs_service" "statisticsbot_service" {
   name            = local.name
   cluster         = data.terraform_remote_state.discord_bots_cluster.outputs.discord_bots_cluster.id
@@ -84,8 +97,8 @@ resource "aws_ecs_task_definition" "statisticsbot_service" {
     {
       name      = local.name
       image     = "${data.terraform_remote_state.discord_bots_cluster.outputs.discord_bots_repo.repository_url}:${local.name}-latest-arm64"
-      cpu       = 150
-      memory    = 100
+      cpu       = 256
+      memory    = 400
       essential = true
 
       portMappings = [
@@ -116,20 +129,6 @@ resource "aws_ecs_task_definition" "statisticsbot_service" {
           name  = "MONGO_USERNAME_PARAMETER"
           value = "/mongodb/statsuser/username"
         },
-      ]
-    },
-    {
-      name      = "sqspoller"
-      image     = "${data.terraform_remote_state.discord_bots_cluster.outputs.discord_bots_repo.repository_url}:sqspoller-latest-arm64"
-      cpu       = 50
-      memory    = 100
-      essential = true
-
-      environment = [
-        {
-          name  = "AWS_REGION"
-          value = data.aws_region.current.name
-        },
         {
           name  = "SQS_REQUEST"
           value = aws_sqs_queue.markov_user_request.name
@@ -138,10 +137,6 @@ resource "aws_ecs_task_definition" "statisticsbot_service" {
           name  = "SQS_RESPONSE"
           value = aws_sqs_queue.markov_user_response.name
         },
-        {
-          name  = "STATSBOT_URL"
-          value = "localhost"
-        },
       ]
     }
   ])