Rename nwp module to nwp-consumer

openclimatefix · Nov 9, 2023 · 526f073 · 526f073
1 parent 8298380
commit 526f073
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 87 deletions.
diff --git a/terraform/modules/services/nwp_consumer/ecs.tf b/terraform/modules/services/nwp_consumer/ecs.tf
@@ -2,7 +2,7 @@
 # needs access to the internet
 
 resource "aws_ecs_task_definition" "nwp-task-definition" {
-  family                   = "${var.consumer-name}"
+  family                   = "${var.app_name}"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
 
@@ -12,40 +12,41 @@ resource "aws_ecs_task_definition" "nwp-task-definition" {
   memory = 5120
 
   tags = {
-    name = "${var.consumer-name}-consumer"
+    name = "${var.app_name}-consumer"
     type = "ecs"
   }
 
   task_role_arn      = aws_iam_role.consumer-nwp-iam-role.arn
   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
   container_definitions = jsonencode([
     {
-      name  = "${var.consumer-name}-consumer"
-      image = "ghcr.io/openclimatefix/nwp-consumer:${var.docker_version}"
+      name  = "${var.app_name}-consumer"
+      image = "ghcr.io/openclimatefix/nwp-consumer:${var.docker_config.version}"
       #      cpu       = 128
       #      memory    = 128
       essential = true
 
       environment : [
-        { "name" : "AWS_REGION", "value" : "eu-west-1" },
-        { "name" : "AWS_S3_BUCKET", "value" : var.s3_config.bucket_id },
-        { "name" : "LOGLEVEL", "value" : "DEBUG"},
+        for key, value in var.docker_config.env_vars : {
+          "name" : key,
+          "value" : value
+        }
       ]
 
-      command: var.command
+      command: var.docker_config.command
 
       secrets: [
-        for var in var.secret-env-keys : {
-          name: var
-          valueFrom: "${data.aws_secretsmanager_secret.nwp-consumer-secret.arn}:${var}::"
+        for key in var.docker_config.secret_vars : {
+          name: key
+          valueFrom: "${data.aws_secretsmanager_secret_version.arn}:${key}::"
         }
       ]
 
       logConfiguration : {
         "logDriver" : "awslogs",
         "options" : {
           "awslogs-group" : local.log_group_name,
-          "awslogs-region" : var.region,
+          "awslogs-region" : var.aws_config.region,
           "awslogs-stream-prefix" : "streaming"
         }
       }

diff --git a/terraform/modules/services/nwp_consumer/iam.tf b/terraform/modules/services/nwp_consumer/iam.tf
@@ -3,7 +3,7 @@
 # Instance role is used to run the task
 
 resource "aws_iam_role" "ecs_task_execution_role" {
-  name = "${var.consumer-name}-execution-role"
+  name = "${var.app_name}-execution-role"
 
   assume_role_policy = <<EOF
 {
@@ -22,31 +22,10 @@ resource "aws_iam_role" "ecs_task_execution_role" {
 EOF
 }
 
-resource "aws_iam_policy" "nwp-secret-read" {
-  name        = "${var.consumer-name}-secret-read"
-  path        = "/consumer/nwp/"
-  description = "Policy to allow read access to NWP API secret."
-
-  # Terraform's "jsonencode" function converts a
-  # Terraform expression result to valid JSON syntax.
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "secretsmanager:ListSecretVersionIds",
-          "secretsmanager:GetSecretValue",
-        ]
-        Effect   = "Allow"
-        Resource = data.aws_secretsmanager_secret.nwp-consumer-secret.arn
-      },
-    ]
-  })
-}
 
 resource "aws_iam_policy" "cloudwatch-nwp" {
-  name        = "${var.consumer-name}-cloudwatch-read-and-write"
-  path        = "/consumer/${var.consumer-name}/"
+  name        = "${var.app_name}-cloudwatch-read-and-write"
+  path        = "/consumer/${var.app_name}/"
   description = "Policy to allow read and write to cloudwatch logs"
 
   # Terraform's "jsonencode" function converts a
@@ -94,14 +73,14 @@ data "aws_iam_policy_document" "ec2-instance-assume-role-policy" {
 }
 
 resource "aws_iam_role" "consumer-nwp-iam-role" {
-  name               = "consumer-${var.consumer-name}-iam-role"
+  name               = "consumer-${var.app_name}-iam-role"
   path               = "/consumer/"
   assume_role_policy = data.aws_iam_policy_document.ec2-instance-assume-role-policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "attach-write-s3" {
   role       = aws_iam_role.consumer-nwp-iam-role.name
-  policy_arn = var.iam-policy-s3-nwp-write.arn
+  policy_arn = var.s3_config.bucket_write_policy_arn
 }
 
 resource "aws_iam_role_policy_attachment" "attach-logs" {
@@ -122,10 +101,10 @@ resource "aws_iam_role_policy_attachment" "read-secret" {
 
 resource "aws_iam_role_policy_attachment" "read-db-secret-execution" {
   role       = aws_iam_role.ecs_task_execution_role.name
-  policy_arn = var.iam-policy-rds-read-secret.arn
+  policy_arn = var.database_config.secret_read_policy_arn
 }
 
 resource "aws_iam_role_policy_attachment" "read-db-secret" {
   role       = aws_iam_role.consumer-nwp-iam-role.name
-  policy_arn = var.iam-policy-rds-read-secret.arn
+  policy_arn = var.database_config.secret_read_policy_arn
 }
diff --git a/terraform/modules/services/nwp_consumer/secrets.tf b/terraform/modules/services/nwp_consumer/secrets.tf
@@ -1,7 +1,32 @@
 # Read in required secrets for consumer
+# Get the secret resource from AWS for each entry in the list
+data "aws_secretsmanager_secret" "secret" {
+  name = var.aws_config.secretsmanager_secret_name
+}
+
+# Get the current secret value from AWS for the secret
+data "aws_secretsmanager_secret_version" "current" {
+  secret_id = data.aws_secretsmanager_secret.secret.id
+}
+
+# Get an IAM role to access the secret 
+resource "aws_iam_policy" "secret_read_policy" {
+  name        = "${var.app_name}-secret-read-policy"
+  path        = "/consumer/nwp/"
+  description = "Policy to allow read access to secret."
 
-data "aws_secretsmanager_secret" "nwp-consumer-secret" {
-  name = "${var.environment}/data/"
-  #  arn = "arn:aws:secretsmanager:eu-west-2::secret:development/consumer/nwp"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "secretsmanager:ListSecretVersionIds",
+          "secretsmanager:GetSecretValue",
+        ]
+        Effect   = "Allow"
+        Resource = data.aws_secretsmanager_secret_version.current.arn
+      },
+    ]
+  })
 }
 
diff --git a/terraform/modules/services/nwp_consumer/variables.tf b/terraform/modules/services/nwp_consumer/variables.tf
@@ -1,61 +1,66 @@
 locals {
-  log_group_name = "/aws/ecs/consumer/${var.consumer-name}/"
+  log_group_name = "/aws/ecs/consumer/${var.app_name}/"
 }
 
-variable "environment" {
-  description = "The Deployment environment"
-}
-
-variable "region" {
-  description = "The AWS region"
-}
-
-variable "iam-policy-s3-nwp-write" {
-  description = "IAM policy to write to s3 bucket for NWP data"
-}
-
-variable "ecs-cluster" {
-  description = "The ECS cluster"
-}
-
-variable "public_subnet_ids" {
-  type        = list(string)
-  description = "Public subnet ids"
-}
-
-variable "docker_version" {
-  description = "The version of the docker that should be used"
-}
-
-variable "database_secret" {
-  description = "AWS secret that gives connection details to the database"
-}
-
-variable "iam-policy-rds-read-secret" {
-  description = "IAM policy to be able to read the RDS secret"
-}
-
-variable "consumer-name" {
-  description = "Name of the consumer"
-}
-
-variable "secret-env-keys" {
-  type = list(string)
-  description = "List of environment variables that should be read from the secret"
+variable "aws_config" {
+  type = object({
+    region = string
+    environment = string
+    ecs_cluster = string
+    public_subnet_ids = list(string)
+    secretsmanaget_secret_name = string
+  })
+  description = <<EOT
+    aws_config = {
+      region : "AWS region"
+      environment : "Deployment environment"
+      ecs_cluster : "The ECS cluster name"
+      public_subnet_ids : "List of public subnet ids"
+      secretsmanaget_secret_name : "Name of secret in secrets manager to access"
+    }
+  EOT
 }
 
 variable "s3_config" {
   type = object({
     bucket_id = string
+    bucket_write_policy = string
   })
   description = <<EOT
     s3_config = {
       bucket_id : "ID of the nwp S3 bucket"
+      bucket_write_policy_arn : "IAM policy to write to the nwp S3 bucket"
     }
   EOT
 }
 
-variable "command" {
-  type = list(string)
-  description = "Command to run in the container"
+variable "docker_config" {
+  type = object({
+    container_tag = string
+    command = list(string)
+    secret_name = string
+    secret_vars = list(string)
+    environment_vars = list(object({
+      key = string
+      value = string
+    }))
+  })
+  description = <<EOT
+    docker_config = {
+      container_tag : "Docker image tag"
+      command : "Command to run in the container"
+      secret_name : "Name of the secret in secrets manager to access"
+      secret_vars : "List of keys to be mounted from consumer secret in the container env"
+      environment_vars : "List of environment variables to be set in the container"
+      environment_vars = {
+        key : "Name of the environment variable"
+        value : "Value of the environment variable"
+      }
+    }
+  EOT
 }
+
+variable app_name {
+  description = "Name of the application"
+}
+