Merge pull request #234 from silinternational/release/12.0.0

Release 12.0.0 - remove id-sync API and add AWS SES option

docker-compose/email/local.env.dist

@@ -1,3 +1,5 @@
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
 MAILER_USEFILES=
 MAILER_HOST=
 MAILER_USERNAME=

terraform/022-ecr/README.md

@@ -1,9 +1,9 @@
 # 022-ecr - EC2 Container Service Image Repository
-This module is used to create an ECS image repositories for all services
+This module is used to create ECR image repositories for ECS services
 
 ## What this does
 
- - Create ECR repositories for id-broker, email-service, pw-manager, simplesamlphp, and id-sync
+ - Create ECR repositories for id-broker, pw-manager, simplesamlphp, and id-sync
  - Attach ECR policy to allow appropriate access
 
 ## Required Inputs
@@ -16,7 +16,6 @@ This module is used to create an ECS image repositories for all services
 ## Outputs
 
  - `ecr_repo_idbroker` - The repository url for id-broker. Ex: `1234567890.dkr.ecr.us-east-1.amazonaws.com/idp-name/id-broker-environment`
- - `ecr_repo_emailservice` - The repository url for email-service. Ex: `1234567890.dkr.ecr.us-east-1.amazonaws.com/idp-name/email-service-environment`
  - `ecr_repo_pwapi` - The repository url for pw-api. Ex: `1234567890.dkr.ecr.us-east-1.amazonaws.com/idp-name/pw-api-environment`
  - `ecr_repo_simplesamlphp` - The repository url for simplesamlphp. Ex: `1234567890.dkr.ecr.us-east-1.amazonaws.com/idp-name/simplesamlphp-environment`
  - `ecr_repo_idsync` - The repository url for id-sync. Ex: `1234567890.dkr.ecr.us-east-1.amazonaws.com/idp-name/id-sync-environment`

terraform/022-ecr/main.tf

@@ -11,19 +11,6 @@ module "ecr_idbroker" {
   image_retention_tags  = ["latest"]
 }
 
-/*
- * email-service
- */
-module "ecr_emailservice" {
-  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.6.0"
-  repo_name             = "${var.idp_name}/email-service"
-  ecsInstanceRole_arn   = var.ecsInstanceRole_arn
-  ecsServiceRole_arn    = var.ecsServiceRole_arn
-  cd_user_arn           = var.cd_user_arn
-  image_retention_count = 10
-  image_retention_tags  = ["latest"]
-}
-
 /*
  * pw-api
  */
@@ -62,17 +49,3 @@ module "ecr_idsync" {
   image_retention_count = 10
   image_retention_tags  = ["latest"]
 }
-
-/*
- * db-backup
- */
-module "ecr_dbbackup" {
-  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.6.0"
-  repo_name             = "${var.idp_name}/db-backup"
-  ecsInstanceRole_arn   = var.ecsInstanceRole_arn
-  ecsServiceRole_arn    = var.ecsServiceRole_arn
-  cd_user_arn           = var.cd_user_arn
-  image_retention_count = 10
-  image_retention_tags  = ["latest"]
-}
-

terraform/022-ecr/outputs.tf

@@ -2,10 +2,6 @@ output "ecr_repo_idbroker" {
   value = module.ecr_idbroker.repo_url
 }
 
-output "ecr_repo_emailservice" {
-  value = module.ecr_emailservice.repo_url
-}
-
 output "ecr_repo_pwapi" {
   value = module.ecr_pwapi.repo_url
 }
@@ -17,8 +13,3 @@ output "ecr_repo_simplesamlphp" {
 output "ecr_repo_idsync" {
   value = module.ecr_idsync.repo_url
 }
-
-output "ecr_repo_dbbackup" {
-  value = module.ecr_dbbackup.repo_url
-}
-

terraform/031-email-service/README.md

@@ -6,6 +6,7 @@ This module is used to create an ECS service running email-service.
  - Create task definition and ECS service for email-service API
  - Create task definition and ECS service for email-service cron
  - Create Cloudflare DNS record
+ - Create ECS task role to send email via SES
 
 ## Required Inputs
 
@@ -23,9 +24,6 @@ This module is used to create an ECS service running email-service.
  - `idp_name` - Short name of IdP for use in logs and email alerts
  - `internal_alb_dns_name` - DNS name for the IdP-in-a-Box's internal Application Load Balancer
  - `internal_alb_listener_arn` - ARN for the IdP-in-a-Box's internal ALB's listener
- - `mailer_host` - SMTP hostname
- - `mailer_password` - SMTP password
- - `mailer_username` - SMTP username
  - `mysql_host` - Address for RDS instance
  - `mysql_pass` - MySQL password for email-service
  - `mysql_user` - MySQL username for email-service
@@ -44,6 +42,9 @@ This module is used to create an ECS service running email-service.
  - `email_queue_batch_size` - How many queued emails to process per run
  - `enable_cron` - Set to false to disable the cron instance
  - `from_name` - Name to use when sending emails
+ - `mailer_host` - SMTP hostname
+ - `mailer_password` - SMTP password
+ - `mailer_username` - SMTP username
  - `mailer_usefiles` - Whether or not YiiMailer should write to files instead of sending emails
  - `memory_api` - Memory (RAM) resources to allot to each API instance
  - `memory_cron` - Memory (RAM) resources to allot to the cron instance

terraform/031-email-service/main.tf

@@ -50,6 +50,52 @@ resource "random_id" "access_token_idsync" {
   byte_length = 16
 }
 
+/*
+ * Create role for access to SES
+ */
+resource "aws_iam_role" "ses" {
+  name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "ECSAssumeRoleSES"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "ses.amazonaws.com",
+            "ecs-tasks.amazonaws.com",
+          ]
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "ses" {
+  name = "ses"
+  role = aws_iam_role.ses.id
+  policy = jsonencode(
+    {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid      = "SendEmail"
+          Effect   = "Allow"
+          Action   = "ses:SendEmail"
+          Resource = "*"
+          Condition = {
+            StringEquals = {
+              "ses:FromAddress" = var.from_email
+            }
+          }
+        }
+      ]
+  })
+}
+
 /*
  * Create ECS services
  */
@@ -92,6 +138,7 @@ module "ecsservice_api" {
   container_def_json = local.task_def_api
   desired_count      = var.desired_count_api
   tg_arn             = aws_alb_target_group.email.arn
+  task_role_arn      = aws_iam_role.ses.arn
   lb_container_name  = "api"
   lb_container_port  = "80"
 }
@@ -130,6 +177,7 @@ module "ecsservice_cron" {
   service_name       = "${var.idp_name}-${var.app_name}-cron"
   service_env        = var.app_env
   container_def_json = local.task_def_cron
+  task_role_arn      = aws_iam_role.ses.arn
   desired_count      = var.enable_cron ? 1 : 0
 }
 

terraform/031-email-service/task-definition-api.json

@@ -33,6 +33,10 @@
         "name": "APP_NAME",
         "value": "${app_name}"
       },
+      {
+        "name": "AWS_REGION",
+        "value": "${aws_region}"
+      },
       {
         "name": "EMAIL_BRAND_COLOR",
         "value": "${email_brand_color}"

terraform/031-email-service/task-definition-cron.json

@@ -27,6 +27,10 @@
         "name": "APP_NAME",
         "value": "${app_name}"
       },
+      {
+        "name": "AWS_REGION",
+        "value": "${aws_region}"
+      },
       {
         "name": "EMAIL_BRAND_COLOR",
         "value": "${email_brand_color}"

terraform/031-email-service/vars.tf

@@ -91,20 +91,27 @@ variable "internal_alb_listener_arn" {
 }
 
 variable "mailer_host" {
-  type = string
+  description = "SMTP hostname - if omitted, SES will be used"
+  type        = string
+  default     = ""
 }
 
 variable "mailer_password" {
-  type = string
+  description = "password, used with mailer_username for authentication to SMTP server"
+  type        = string
+  default     = ""
 }
 
 variable "mailer_usefiles" {
-  type    = string
-  default = "false"
+  description = "Controls whether YiiMailer should write to files instead of sending emails"
+  type        = string
+  default     = "false"
 }
 
 variable "mailer_username" {
-  type = string
+  description = "username, used with mailer_password for authentication to SMTP server"
+  type        = string
+  default     = ""
 }
 
 variable "memory_api" {

terraform/050-pw-manager/main-api.tf

@@ -46,7 +46,7 @@ resource "aws_alb_listener_rule" "pwmanager" {
 }
 
 /*
- * Generate access token for UI to use to call API
+ * Generate access token hash used for generating user access tokens
  */
 resource "random_id" "access_token_hash" {
   byte_length = 16

terraform/070-id-sync/README.md

@@ -4,9 +4,7 @@ store.
 
 ## What this does
 
- - Create ALB target group for SSP with hostname based routing
  - Create task definition and ECS service
- - Create Cloudflare DNS record
 
 ## Required Inputs
 
@@ -15,9 +13,6 @@ store.
  - `aws_region` - AWS region
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `vpc_id` - ID for VPC
- - `alb_https_listener_arn` - ARN for ALB HTTPS listener
- - `subdomain` - Subdomain for SSP IdP
- - `cloudflare_domain` - Top level domain name for use with Cloudflare
  - `docker_image` - URL to Docker image
  - `email_service_accessToken` - Access token for Email Service API
  - `email_service_baseUrl` - Base URL (e.g. 'https://email.example.com') to Email Service API
@@ -32,7 +27,6 @@ store.
  - `idp_display_name` - Friendly name for IdP
  - `ecs_cluster_id` - ID for ECS Cluster
  - `ecsServiceRole_arn` - ARN for ECS Service Role
- - `alb_dns_name` - DNS name for application load balancer
  - `memory` - Amount of memory to allocate to container
  - `cpu` - Amount of CPU to allocate to container
 
@@ -44,15 +38,10 @@ store.
 - `notifier_email_to` - Who to send notifications to about sync problems (e.g. users lacking email addresses)
 - `sync_safety_cutoff` - The percentage of records allowed to be changed during a sync, provided as a float, ex: `0.2` for `20%`
 - `allow_empty_email` - Whether or not to allow the primary email property to be empty. Default: `false`
-- `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true`
 - `enable_new_user_notification` - Enable email notification to HR Contact upon creation of a new user, if set to 'true'. Default: `false`
 - `enable_sync` - Set to false to disable the sync process.
 - `sentry_dsn` - Sentry DSN for error logging and alerting. Obtain from Sentry dashboard: Settings - Projects - (project) - Client Keys
-
-## Outputs
-
- - `idsync_url` - URL for ID Sync webhook endpoint
- - `access_token_external` - Access token for external systems to use to make webhook calls to Sync
+- `event_schedule` - AWS Cloudwatch schedule for the sync task. Use cron format "cron(Minutes Hours Day-of-month Month Day-of-week Year)" where either `day-of-month` or `day-of-week` must be a question mark, or rate format "rate(15 minutes)". Default = "cron(*/15 * * * ? *)"
 
 ## Usage Example
 
@@ -65,9 +54,7 @@ module "idsync" {
   app_env                     = var.app_env
   vpc_id                      = data.terraform_remote_state.cluster.vpc_id
   alb_https_listener_arn      = data.terraform_remote_state.cluster.alb_https_listener_arn
-  subdomain                   = var.sync_subdomain
   aws_region                  = var.aws_region
-  cloudflare_domain           = var.cloudflare_domain
   cloudwatch_log_group_name   = var.cloudwatch_log_group_name
   docker_image                = data.terraform_remote_state.ecr.ecr_repo_idsync
   email_service_accessToken   = data.terraform_remote_state.email.access_token_idsync
@@ -84,8 +71,6 @@ module "idsync" {
   idp_name                    = var.idp_name
   idp_display_name            = var.idp_display_name
   ecs_cluster_id              = data.terraform_remote_state.core.ecs_cluster_id
-  ecsServiceRole_arn          = data.terraform_remote_state.core.ecsServiceRole_arn
-  alb_dns_name                = data.terraform_remote_state.cluster.alb_dns_name
   alerts_email                = var.alerts_email
   notifier_email_to           = var.notifier_email_to
   allow_empty_email           = var.allow_empty_email