Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds necessary resources for cognoma to send emails and write to s3. #8

Merged
merged 7 commits into from
Oct 9, 2017
5 changes: 4 additions & 1 deletion container-registry.tf
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ resource "aws_iam_role_policy" "ecs-service" {
EOF
}


resource "aws_ecs_task_definition" "cognoma-core-service" {
family = "cognoma-core-service"
container_definitions = "${file("task-definitions/core-service.json.secret")}"
Expand Down Expand Up @@ -78,6 +77,10 @@ resource "aws_ecs_service" "cognoma-core-service" {
}
}

resource "aws_ecr_repository" "cognoma-core-service" {
name = "cognoma-core-service"
}

resource "aws_ecs_task_definition" "cognoma-nginx" {
family = "cognoma-nginx"
container_definitions = "${file("task-definitions/nginx.json.secret")}"
Expand Down
192 changes: 192 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -152,3 +152,195 @@ resource "aws_db_instance" "postgres-db" {
vpc_security_group_ids = ["${aws_security_group.cognoma-db.id}"]
multi_az = true
}

resource "aws_iam_user" "cognoma-server" {
name = "cognoma-server"
}

resource "aws_iam_user_policy" "ses-access" {
name = "ses-access"
user = "${aws_iam_user.cognoma-server.name}"

policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ses:SendEmail", "ses:SendRawEmail", "ses:GetSendQuota"],
"Resource":"*"
}
]
}
EOF
}

resource "aws_iam_access_key" "cognoma-server-access-key" {
user = "${aws_iam_user.cognoma-server.name}"
}

resource "aws_iam_user" "cognoma-deployer" {
name = "cognoma-deployer"
}

data "aws_iam_policy_document" "cognoma-deployment" {
statement {
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
]

resources = [
"arn:aws:s3:::${aws_s3_bucket.cognoma-static.id}/*",
]
}

statement {
actions = [
"s3:ListBucket"
]

resources = [
"arn:aws:s3:::${aws_s3_bucket.cognoma-static.id}",
]
}

statement {
actions = [
"ecs:DeregisterTaskDefinition",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"ecs:RegisterTaskDefinition",
"ecs:UpdateService"
]

resources = ["*"]
}

statement {
actions = [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart",
]

resources = ["*"]
}
}

resource "aws_iam_user_policy" "cognoma-deployer" {
name = "cognoma-deployer"
user = "${aws_iam_user.cognoma-deployer.name}"
policy = "${data.aws_iam_policy_document.cognoma-deployment.json}"
}

resource "aws_iam_access_key" "cognoma-deployer-access-key" {
user = "${aws_iam_user.cognoma-deployer.name}"
}

resource "aws_s3_bucket" "cognoma-files" {
bucket = "cognoma-files"

cors_rule {
allowed_origins = ["*"]
allowed_methods = ["GET"]
max_age_seconds = 3000
allowed_headers = ["Authorization"]
}

tags {
Name = "Cognoma Files"
}
}

data "aws_iam_policy_document" "cognoma-s3-access" {
statement {
actions = [
"s3:GetObject",
]

resources = [
"arn:aws:s3:::${aws_s3_bucket.cognoma-files.id}/*",
]

principals {
type = "AWS"
identifiers = ["*"]
}
}

statement {
actions = [
"s3:*",
]

resources = [
"arn:aws:s3:::${aws_s3_bucket.cognoma-files.id}",
"arn:aws:s3:::${aws_s3_bucket.cognoma-files.id}/*",
]

principals {
type = "AWS"
identifiers = ["${aws_iam_user.cognoma-server.arn}"]
}
}
}

resource "aws_s3_bucket_policy" "cognoma-s3-policy" {
bucket = "${aws_s3_bucket.cognoma-files.id}"
policy = "${data.aws_iam_policy_document.cognoma-s3-access.json}"
}


resource "aws_s3_bucket" "cognoma-static" {
bucket = "cognoma.org"

cors_rule {
allowed_origins = ["*"]
allowed_methods = ["GET"]
max_age_seconds = 3000
allowed_headers = ["Authorization"]
}

tags {
Name = "Cognoma Static Files"
}

website {
index_document = "index.html"
}
}

data "aws_iam_policy_document" "cognoma-s3-static-access" {
statement {
actions = [
"s3:GetObject",
]

resources = [
"arn:aws:s3:::${aws_s3_bucket.cognoma-static.id}/*",
]

principals {
type = "AWS"
identifiers = ["*"]
}
}
}

resource "aws_s3_bucket_policy" "cognoma-s3-static-policy" {
bucket = "${aws_s3_bucket.cognoma-static.id}"
policy = "${data.aws_iam_policy_document.cognoma-s3-static-access.json}"
}
41 changes: 29 additions & 12 deletions route53.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,30 +2,47 @@
# name = "cognoma.org"
# }

variable "cognoma-domain" {
default = "cognoma.org"
}

data "aws_route53_zone" "cognoma" {
zone_id = "Z2GDAYII3P3OEX"
}

resource "aws_route53_record" "cognoma-dot-org" {
zone_id = "${data.aws_route53_zone.cognoma.zone_id}"
name = "cognoma.org"
type = "A"
ttl = "300"

records = [
"192.30.252.153",
"192.30.252.153",
]
resource "aws_ses_domain_identity" "cognoma" {
domain = "${var.cognoma-domain}"
}

resource "aws_route53_record" "cognoma-api" {
zone_id = "${data.aws_route53_zone.cognoma.zone_id}"
name = "api.cognoma.org"
type = "A"
name = "api.${var.cognoma-domain}"
type = "A"

alias {
name = "${aws_elb.cognoma-nginx.dns_name}"
zone_id = "${aws_elb.cognoma-nginx.zone_id}"
evaluate_target_health = false
}
}

resource "aws_route53_record" "cognoma-dot-org" {
name = "${var.cognoma-domain}"
zone_id = "${data.aws_route53_zone.cognoma.zone_id}"
type = "A"
alias {
name = "${aws_s3_bucket.cognoma-static.website_domain}"
zone_id = "${aws_s3_bucket.cognoma-static.hosted_zone_id}"
evaluate_target_health = true
}

depends_on = ["aws_s3_bucket.cognoma-static"]
}

resource "aws_route53_record" "cognoma-ses-verification-record" {
zone_id = "${data.aws_route53_zone.cognoma.zone_id}"
name = "${var.cognoma-domain}"
type = "TXT"
ttl = "5"
records = ["${aws_ses_domain_identity.cognoma.verification_token}"]
}
Binary file modified task-definitions/core-service.json.secret
Binary file not shown.
Binary file modified terraform.tfstate
Binary file not shown.