locals {
  // Optional Envoy sidecar container definition for AWS App Mesh.
  // These defaults are deep-merged with var.app_mesh.container_definition in the
  // envoy_container_definition module below, so any key the caller supplies there
  // (including image, user and readonlyRootFilesystem) silently overrides the
  // hardened value chosen here — review caller overrides with that in mind.
  envoy_container_defaults = {
    // When FireLens is enabled, Envoy only starts once the log-router container
    // reports HEALTHY, so its early log lines are not lost.
    // NOTE(review): condition = "HEALTHY" presumably requires the FireLens
    // container to declare its own healthCheck — confirm it does, otherwise
    // ECS will not be able to satisfy this dependency.
    dependsOn = var.firelens.enabled ? [{ containerName = var.firelens.container_name, condition = "HEALTHY" }] : []
    name = var.app_mesh.container_name
    // Official App Mesh Envoy image, pulled through this account's ECR
    // pull-through cache of ECR Public (the "ecr-public/" prefix).
    // Supply chain: the version is pinned by tag only. A tag can be re-pointed
    // upstream; to make the deployed image reproducible, additionally pin the
    // @sha256 digest of the image that was actually validated.
    image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/ecr-public/appmesh/aws-appmesh-envoy:v1.27.3.0-prod"
    // Proxy failure stops the whole task rather than leaving the app unmeshed.
    essential = true
    mountPoints = []
    portMappings = []
    // Root filesystem is left writable.
    // NOTE(review): not verified here whether this Envoy build needs a writable
    // root; if it does not, true is the safer default for a sidecar.
    readonlyRootFilesystem = false
    systemControls = []
    // Run as an unprivileged fixed UID/GID on Linux; Windows tasks take no user.
    // NOTE(review): 1337 is presumably the UID the App Mesh proxy configuration
    // exempts from traffic redirection — verify it matches the task definition's
    // proxy_configuration (defined elsewhere in the module).
    user = startswith(upper(var.operating_system_family), "WINDOWS") ? null : "1337:1337"
    volumesFrom = []
    environment = [
      {
        // Virtual node this Envoy represents, derived from the caller identity,
        // region, mesh name and service name — not taken from free-form input.
        name = "APPMESH_RESOURCE_ARN",
        value = "arn:aws:appmesh:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:mesh/${var.app_mesh.mesh_name}/virtualNode/${var.service_name}"
      }
    ]
    // Liveness probe against the Envoy admin API on localhost:9901: the
    // container is healthy only when server_info reports state LIVE.
    healthCheck = {
      retries = 3
      command = [
        "CMD-SHELL",
        "curl -s http://localhost:9901/server_info | grep state | grep -q LIVE"
      ]
      timeout = 2
      interval = 5
      startPeriod = 15
    }
    // Raise the open-file limit on Linux (soft 32768, hard 131072) for a proxy
    // that holds many concurrent connections; Windows has no ulimits.
    ulimits = startswith(upper(var.operating_system_family), "WINDOWS") ? [] : [
      {
        name = "nofile"
        softLimit = 1024 * 32
        hardLimit = 4096 * 32
      }
    ]
    // Log routing, in order of preference:
    //   1. FireLens -> OpenSearch, when FireLens is enabled and a host is set.
    //      Uses SigV4 request signing (Aws_Auth) and TLS on port 443.
    //      NOTE(review): tls.verify is not set here, so the log router's
    //      default applies — confirm certificate verification is not disabled
    //      in the FireLens configuration elsewhere.
    //   2. awslogs -> CloudWatch log group, when CloudWatch logging is enabled.
    //   3. null: no logConfiguration at all, i.e. Envoy output is not captured.
    logConfiguration = var.firelens.enabled && var.firelens.opensearch_host != "" ? {
      logDriver = "awsfirelens",
      options = {
        Aws_Auth = "On"
        // Explicit region override for the signer, else the current region.
        Aws_Region = null != var.firelens.aws_region ? var.firelens.aws_region : data.aws_region.current.name
        Host = var.firelens.opensearch_host
        Logstash_Format = "true"
        Logstash_Prefix = "${var.service_name}-envoy"
        Name = "opensearch"
        Port = "443"
        Suppress_Type_Name = "On"
        tls = "On"
        Trace_Output = "Off"
      }
    } : (var.cloudwatch_logs.enabled ? {
      logDriver = "awslogs"
      options = {
        awslogs-group : aws_cloudwatch_log_group.containers[0].name
        awslogs-region : data.aws_region.current.name
        awslogs-stream-prefix : var.app_mesh.container_name
      }
    } : null)
  }
  // JSON-encoded merged container definition when App Mesh is enabled;
  // an empty string otherwise so callers can splice it into the task's
  // container_definitions without a second conditional.
  envoy_container = var.app_mesh.enabled ? jsonencode(module.envoy_container_definition.merged) : ""
}
// Deep-merges the hardened Envoy defaults with the caller-supplied container
// definition. Later maps win, so every key in var.app_mesh.container_definition
// overrides the matching default (image, user, healthCheck, ...). The module is
// pinned to an exact version so the merge semantics cannot drift.
module "envoy_container_definition" {
  version = "1.0.2"
  source  = "registry.terraform.io/cloudposse/config/yaml//modules/deepmerge"

  maps = [
    local.envoy_container_defaults,  // baseline
    var.app_mesh.container_definition // caller overrides
  ]
}
// AWS-managed policy that lets the Envoy proxy fetch its configuration from
// App Mesh. Looked up only when App Mesh is enabled AND this module manages
// the task role (var.task_role_arn is empty); a caller-supplied task role is
// expected to carry an equivalent grant itself.
data "aws_iam_policy" "appmesh" {
  arn   = "arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess"
  count = (var.app_mesh.enabled && var.task_role_arn == "") ? 1 : 0
}
// Attaches AWSAppMeshEnvoyAccess to the module-managed ECS task role.
// Same gate as the data source above: only when App Mesh is enabled and no
// external task role ARN was supplied.
resource "aws_iam_role_policy_attachment" "appmesh" {
  count = (var.app_mesh.enabled && var.task_role_arn == "") ? 1 : 0

  policy_arn = data.aws_iam_policy.appmesh[count.index].arn
  role       = aws_iam_role.ecs_task_role[count.index].name
}
// Attaches the certificate-export policy (aws_iam_policy.acm) to the
// module-managed ECS task role so Envoy can obtain its TLS material.
// Created only when App Mesh is enabled and the module owns the task role.
resource "aws_iam_role_policy_attachment" "acm" {
  count = (var.app_mesh.enabled && var.task_role_arn == "") ? 1 : 0

  role       = aws_iam_role.ecs_task_role[count.index].name
  policy_arn = aws_iam_policy.acm[count.index].arn
}
// Customer-managed policy wrapping the ACM / ACM-PCA permissions Envoy needs
// for App Mesh TLS. Named per service and region to avoid collisions when the
// same service is deployed in several regions of one account.
resource "aws_iam_policy" "acm" {
  count = (var.app_mesh.enabled && var.task_role_arn == "") ? 1 : 0

  policy = data.aws_iam_policy_document.acm[count.index].json
  name   = "${var.service_name}-acm-${data.aws_region.current.name}"
}
// Least-privilege grant for App Mesh TLS backed by ACM Private CA.
//
// Security note: acm:ExportCertificate returns the certificate's PRIVATE KEY
// to the task role, which is why both statements are scoped to a single
// resource ARN rather than "*". Keep it that way; widening either resource
// hands every exportable key in the account to the task.
//
// NOTE(review): if App Mesh is enabled without TLS configured, the ARNs may be
// empty/null and produce an invalid policy — confirm the variable defaults
// guarantee both ARNs are set whenever this document is evaluated.
data "aws_iam_policy_document" "acm" {
  count = (var.app_mesh.enabled && var.task_role_arn == "") ? 1 : 0

  // Read and export the leaf certificate (and its private key) issued to this service.
  statement {
    sid    = "ACMExportCertificateAccess"
    effect = "Allow"
    actions = [
      "acm:ExportCertificate",
      "acm:DescribeCertificate",
    ]
    resources = [var.app_mesh.tls.acm_certificate_arn]
  }

  // Fetch the issuing CA's certificate so Envoy can validate peers.
  statement {
    sid       = "ACMCertificateAuthorityAccess"
    effect    = "Allow"
    actions   = ["acm-pca:GetCertificateAuthorityCertificate"]
    resources = [var.app_mesh.tls.root_ca_arn]
  }
}