From 396ab3b31415e26190573d7be40553c8cf414c82 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 31 Oct 2023 10:29:49 -0600 Subject: [PATCH] remove id-sync API, including the ALB and DNS records --- terraform/070-id-sync/README.md | 16 ----- terraform/070-id-sync/main.tf | 80 +--------------------- terraform/070-id-sync/outputs.tf | 12 ---- terraform/070-id-sync/task-definition.json | 11 --- terraform/070-id-sync/vars.tf | 26 ------- test/070-id-sync.tf | 6 -- 6 files changed, 1 insertion(+), 150 deletions(-) delete mode 100644 terraform/070-id-sync/outputs.tf diff --git a/terraform/070-id-sync/README.md b/terraform/070-id-sync/README.md index a4fd3db..6d97b1f 100644 --- a/terraform/070-id-sync/README.md +++ b/terraform/070-id-sync/README.md @@ -4,9 +4,7 @@ store. ## What this does - - Create ALB target group for SSP with hostname based routing - Create task definition and ECS service - - Create Cloudflare DNS record ## Required Inputs @@ -15,9 +13,6 @@ store. - `aws_region` - AWS region - `cloudwatch_log_group_name` - CloudWatch log group name - `vpc_id` - ID for VPC - - `alb_https_listener_arn` - ARN for ALB HTTPS listener - - `subdomain` - Subdomain for SSP IdP - - `cloudflare_domain` - Top level domain name for use with Cloudflare - `docker_image` - URL to Docker image - `email_service_accessToken` - Access token for Email Service API - `email_service_baseUrl` - Base URL (e.g. 'https://email.example.com') to Email Service API @@ -32,7 +27,6 @@ store. - `idp_display_name` - Friendly name for IdP - `ecs_cluster_id` - ID for ECS Cluster - `ecsServiceRole_arn` - ARN for ECS Service Role - - `alb_dns_name` - DNS name for application load balancer - `memory` - Amount of memory to allocate to container - `cpu` - Amount of CPU to allocate to container @@ -44,16 +38,10 @@ store. - `notifier_email_to` - Who to send notifications to about sync problems (e.g. users lacking email addresses) - `sync_safety_cutoff` - The percentage of records allowed to be changed during a sync, provided as a float, ex: `0.2` for `20%` - `allow_empty_email` - Whether or not to allow the primary email property to be empty. Default: `false` -- `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` - `enable_new_user_notification` - Enable email notification to HR Contact upon creation of a new user, if set to 'true'. Default: `false` - `enable_sync` - Set to false to disable the sync process. - `sentry_dsn` - Sentry DSN for error logging and alerting. Obtain from Sentry dashboard: Settings - Projects - (project) - Client Keys -## Outputs - - - `idsync_url` - URL for ID Sync webhook endpoint - - `access_token_external` - Access token for external systems to use to make webhook calls to Sync - ## Usage Example ```hcl @@ -65,9 +53,7 @@ module "idsync" { app_env = var.app_env vpc_id = data.terraform_remote_state.cluster.vpc_id alb_https_listener_arn = data.terraform_remote_state.cluster.alb_https_listener_arn - subdomain = var.sync_subdomain aws_region = var.aws_region - cloudflare_domain = var.cloudflare_domain cloudwatch_log_group_name = var.cloudwatch_log_group_name docker_image = data.terraform_remote_state.ecr.ecr_repo_idsync email_service_accessToken = data.terraform_remote_state.email.access_token_idsync @@ -84,8 +70,6 @@ module "idsync" { idp_name = var.idp_name idp_display_name = var.idp_display_name ecs_cluster_id = data.terraform_remote_state.core.ecs_cluster_id - ecsServiceRole_arn = data.terraform_remote_state.core.ecsServiceRole_arn - alb_dns_name = data.terraform_remote_state.cluster.alb_dns_name alerts_email = var.alerts_email notifier_email_to = var.notifier_email_to allow_empty_email = var.allow_empty_email diff --git a/terraform/070-id-sync/main.tf b/terraform/070-id-sync/main.tf index 3e49a33..3588d92 100644 --- a/terraform/070-id-sync/main.tf +++ b/terraform/070-id-sync/main.tf @@ -1,54 +1,7 @@ -/* - * Create target group for ALB - */ -resource "aws_alb_target_group" "idsync" { - name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = "80" - protocol = "HTTP" - vpc_id = var.vpc_id - deregistration_delay = "30" - - health_check { - path = "/site/system-status" - matcher = "200" - } -} - -/* - * Create listener rule for hostname routing to new target group - */ -resource "aws_alb_listener_rule" "idsync" { - listener_arn = var.alb_https_listener_arn - priority = "70" - - action { - type = "forward" - target_group_arn = aws_alb_target_group.idsync.arn - } - - condition { - host_header { - values = [ - "${var.subdomain}.${var.cloudflare_domain}", - "${local.subdomain_with_region}.${var.cloudflare_domain}" - ] - } - } -} - -/* - * Generate access token for external system to use when calling ID Sync - */ -resource "random_id" "access_token_external" { - byte_length = 16 -} - /* * Create ECS service */ locals { - subdomain_with_region = "${var.subdomain}-${var.aws_region}" - id_store_config = join(",", [for k, v in var.id_store_config : jsonencode({ name = "ID_STORE_CONFIG_${k}" @@ -73,7 +26,6 @@ locals { id_broker_trustedIpRanges = join(",", var.id_broker_trustedIpRanges) id_store_adapter = var.id_store_adapter id_store_config = local.id_store_config - id_sync_access_tokens = random_id.access_token_external.hex idp_name = var.idp_name idp_display_name = var.idp_display_name alerts_email = var.alerts_email @@ -88,40 +40,10 @@ locals { } module "ecsservice" { - source = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.6.0" + source = "github.com/silinternational/terraform-modules//aws/ecs/service-no-alb?ref=8.6.0" cluster_id = var.ecs_cluster_id service_name = "${var.idp_name}-${var.app_name}" service_env = var.app_env container_def_json = local.task_def desired_count = var.enable_sync ? 1 : 0 - tg_arn = aws_alb_target_group.idsync.arn - lb_container_name = "web" - lb_container_port = "80" - ecsServiceRole_arn = var.ecsServiceRole_arn } - -/* - * Create Cloudflare DNS record(s) - */ -resource "cloudflare_record" "idsyncdns" { - count = var.create_dns_record ? 1 : 0 - - zone_id = data.cloudflare_zone.domain.id - name = var.subdomain - value = cloudflare_record.idsyncdns_intermediate.hostname - type = "CNAME" - proxied = true -} - -resource "cloudflare_record" "idsyncdns_intermediate" { - zone_id = data.cloudflare_zone.domain.id - name = local.subdomain_with_region - value = var.alb_dns_name - type = "CNAME" - proxied = true -} - -data "cloudflare_zone" "domain" { - name = var.cloudflare_domain -} - diff --git a/terraform/070-id-sync/outputs.tf b/terraform/070-id-sync/outputs.tf deleted file mode 100644 index 4b95c91..0000000 --- a/terraform/070-id-sync/outputs.tf +++ /dev/null @@ -1,12 +0,0 @@ -output "idsync_url" { - value = "${var.subdomain}.${var.cloudflare_domain}" -} - -output "access_token_external" { - value = random_id.access_token_external.hex -} - -output "public_dns_value" { - description = "The value to use for the 'public' DNS record, if creating it outside of this module." - value = cloudflare_record.idsyncdns_intermediate.hostname -} diff --git a/terraform/070-id-sync/task-definition.json b/terraform/070-id-sync/task-definition.json index edf7da4..3648eb4 100644 --- a/terraform/070-id-sync/task-definition.json +++ b/terraform/070-id-sync/task-definition.json @@ -6,13 +6,6 @@ "dnsServers": null, "disableNetworking": null, "dnsSearchDomains": null, - "portMappings": [ - { - "hostPort": 0, - "containerPort": 80, - "protocol": "tcp" - } - ], "hostname": null, "essential": true, "entryPoint": null, @@ -65,10 +58,6 @@ "name": "ID_STORE_ADAPTER", "value": "${id_store_adapter}" }, - { - "name": "ID_SYNC_ACCESS_TOKENS", - "value": "${id_sync_access_tokens}" - }, { "name": "IDP_NAME", "value": "${idp_name}" diff --git a/terraform/070-id-sync/vars.tf b/terraform/070-id-sync/vars.tf index 87e2578..e9becb6 100644 --- a/terraform/070-id-sync/vars.tf +++ b/terraform/070-id-sync/vars.tf @@ -19,22 +19,10 @@ variable "vpc_id" { type = string } -variable "alb_https_listener_arn" { - type = string -} - variable "aws_region" { type = string } -variable "subdomain" { - type = string -} - -variable "cloudflare_domain" { - type = string -} - variable "cloudwatch_log_group_name" { type = string } @@ -106,14 +94,6 @@ variable "ecs_cluster_id" { type = string } -variable "ecsServiceRole_arn" { - type = string -} - -variable "alb_dns_name" { - type = string -} - variable "notifier_email_to" { default = "" type = string @@ -142,12 +122,6 @@ variable "enable_sync" { default = true } -variable "create_dns_record" { - description = "Controls creation of a DNS CNAME record for the ECS service." - type = bool - default = true -} - variable "sentry_dsn" { description = "Sentry DSN for error logging and alerting" type = string diff --git a/test/070-id-sync.tf b/test/070-id-sync.tf index a379291..44c749d 100644 --- a/test/070-id-sync.tf +++ b/test/070-id-sync.tf @@ -1,19 +1,14 @@ module "sync" { source = "../terraform/070-id-sync" - alb_dns_name = "" - alb_https_listener_arn = "" alerts_email = "" allow_empty_email = "" app_env = "" app_name = "" aws_region = "" - cloudflare_domain = "" cloudwatch_log_group_name = "" cpu = "" - create_dns_record = true docker_image = "" - ecsServiceRole_arn = "" ecs_cluster_id = "" email_service_accessToken = "" email_service_assertValidIp = "" @@ -32,7 +27,6 @@ module "sync" { idp_name = "" memory = "" notifier_email_to = "" - subdomain = "" sync_safety_cutoff = "" vpc_id = "" }