354 lines (309 loc) · 13.1 KB
main.tf
/**
* # Metaco Harmonize Trusted Components Terraform Scripts for AWS ECS
*
* This project simplifies the creation and update of AWS ECS over Fargate,
* hosting Harmonize Trusted Components with a software HMZ KMS provider.
*
* Request information to our Customer success team to become familiar with
* the software HMZ KMS provider.
*
* ## Architecture
*
* The Terraform scripts deploy the following Harmonize Trusted Components over AWS ECS:
*
* ![AWS Architecture](./assets/architecture.png)
*
* ## Required Dependencies
*
* To get started, install all required dependencies on the host machine.
*
* ### Check versions
*
 * To check the installed `terraform` version, run `terraform version`:
*
* Example output:
*
* ```bash
* Terraform v1.6.3
* on darwin_arm64
* + provider registry.terraform.io/hashicorp/aws v5.26.0
* + provider registry.terraform.io/hashicorp/random v2.3.2
* ```
*
* Initialize the Terraform scripts:
*
* ```bash
* terraform init
* ```
*
* ### Local configuration
*
 * The Terraform scripts use two configuration files:
 *
 * - `.env` file (for AWS credentials)
 * - `terraform.tfvars` file (for deployment parameters)
*
* Copy the provided sample configuration files
*
* ```bash
* cp .env.sample .env
* cp terraform.tfvars.sample terraform.tfvars
* ```
*
* ### AWS Login
*
* #### AWS Credentials
 *
 * Fill the environment variables file with your AWS account credentials:
 *
 * ```bash
 * export AWS_ACCESS_KEY_ID='<YOUR_AWS_ACCESS_KEY_ID>'
 * export AWS_SECRET_ACCESS_KEY='<YOUR_AWS_SECRET_ACCESS_KEY>'
 * ```
 *
 * The [official AWS IAM Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) provides detailed steps to create an AWS Access Key.
 * An AWS Access Key can be created for the root user by [following this documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user_manage_add-key.html); AWS itself recommends against root user access keys, so prefer a key for an IAM user or role that carries only the permissions this deployment needs.
*
* #### AWS SSO Login
*
* ```bash
* aws sso login --profile "<YOUR_AWS_ACCOUNT_NAME>"
* export AWS_PROFILE="<YOUR_AWS_ACCOUNT_NAME>"
* ```
*
* ### Ripple Custody Container Registry Credentials
*
 * Retrieve the provided Metaco Container Registry Credentials (user and password) and fill the `terraform.tfvars` file.
*
* ### Harmonize Version
*
 * The OCI (Open Container Initiative) tags MUST be provided in the file `terraform.tfvars` for the following HMZ Trusted Components:
*
* - Harmonize KMS Connect
* - Harmonize Notary
* - Harmonize Vault
*
* ### Harmonize SaaS instance endpoints
*
* Retrieve the provided dedicated Harmonize endpoint:
*
* - Harmonize Core API endpoint (for the Vault)
* - Harmonize Notary Bridge endpoint (for the Notary)
*
 * The `terraform.tfvars` file MUST be filled with those values.
*
* ### Harmonize Vault Config
*
* For each Harmonize Vault instance, fill the values:
*
* - Vault ID
* - Vault Log Level
* - Vault Bridge Log Level
* - Vault Trusted Notary Messaging Public Key (retrieved after Genesis is executed successfully)
*
* #### Notary Message Public Key retrieval
*
 * First apply the Genesis against the Harmonize API (HTTP POST request to `/v1/genesis`):
*
* ```bash
* curl -s \
* --location -g \
* --request POST "$HMZ_URL_API/v1/genesis" \
* --header 'Content-Type: application/json' \
* --data @"$FILE_NAME_GENESIS_CONFIG_JSON"
* ```
*
* Then, after a successful Genesis application, fetch from the Harmonize API,
* the Notary Messaging Public Key:
*
* ```bash
* curl \
* --location -g \
* --request GET \
* --url "$HMZ_URL_API/internal/v1/system/information"
* ```
*
*/
// The above comment must start at the immediate first line of the .tf file before any resource, variable, module, etc.
// See: https://terraform-docs.io/user-guide/configuration/header-from/
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.25.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

locals {
  pet_name = random_pet.random_name.id
}

resource "random_pet" "random_name" {
  length    = 2
  separator = "-"
}
# AWS Network
module "vpc" {
  source = "./modules/vpc"
  count  = var.aws_enable_vpc_creation ? 1 : 0
}

data "aws_vpc" "aws_vpc_hmz_trusted_components" {
  id = var.aws_enable_vpc_creation ? module.vpc[0].vpc_id : var.aws_vpc_id
}

data "aws_subnet" "hmz_trusted_components_subnet" {
  id = var.aws_enable_vpc_creation ? module.vpc[0].private_subnet_id : var.aws_subnet_id
}

resource "aws_security_group" "ecs_https_egress" {
  count       = var.aws_security_group_id == "" ? 1 : 0
  name        = "ecs_https_egress_sg"
  description = "Security group for ECS container to allow outbound HTTPS traffic"
  vpc_id      = data.aws_vpc.aws_vpc_hmz_trusted_components.id

  # NOTE: despite the group's name and description, this rule is not limited to
  # HTTPS: protocol "-1" with ports 0-0 allows all outbound traffic to any
  # destination. Narrow it to tcp/443 if the components only need HTTPS egress.
  egress {
    description = "Allow all outbound traffic (all protocols, all ports)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"          # -1 means all protocols
    cidr_blocks = ["0.0.0.0/0"] # 0.0.0.0/0 represents all IP addresses
    # ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "ECS HTTPS Egress"
  }
}

data "aws_security_group" "hmz_trusted_components_sg" {
  id = var.aws_security_group_id == "" ? aws_security_group.ecs_https_egress[0].id : var.aws_security_group_id
}
# AWS IAM
# Role assumed by the ECS tasks themselves (trust policy limited to the
# ecs-tasks service principal).
resource "aws_iam_role" "ecs_task_role_for_hmz_trusted_components" {
  name = "ecs_task_role_for_hmz_trusted_components"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Effect = "Allow",
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        },
      },
    ],
  })
}

# AWS-managed policy for ECS task execution: ECR image pull and CloudWatch
# Logs write permissions. Reading the registry credentials secret from
# Secrets Manager needs a separate grant (secretsmanager:GetSecretValue).
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
  role       = aws_iam_role.ecs_task_role_for_hmz_trusted_components.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
# AWS ECS
resource "aws_ecs_cluster" "cluster" {
  count = var.aws_ecs_cluster_name == "" ? 1 : 0
  name  = "${local.pet_name}-hmz-trusted-components-ecs-cluster"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

data "aws_ecs_cluster" "aws_ecs_cluster_for_hmz_trusted_components" {
  cluster_name = var.aws_ecs_cluster_name == "" ? aws_ecs_cluster.cluster[0].name : var.aws_ecs_cluster_name
}
# AWS Secrets Manager for HMZ
# Created only when no existing secret ARN is supplied; holds the OCI registry
# credentials the ECS tasks use to pull the Harmonize images.
resource "aws_secretsmanager_secret" "hmz_oci_registry_credentials" {
  count = var.aws_secrets_manager_arn_for_hmz_oci_registry_credentials == "" ? 1 : 0
  name  = "${local.pet_name}-metaco-oci-registry-credentials"
}

resource "aws_secretsmanager_secret_version" "hmz_oci_registry_credentials" {
  count     = var.aws_secrets_manager_arn_for_hmz_oci_registry_credentials == "" ? 1 : 0
  secret_id = aws_secretsmanager_secret.hmz_oci_registry_credentials[0].id
  secret_string = jsonencode({
    username = var.hmz_metaco_container_registry_user,
    password = var.hmz_metaco_container_registry_password
  })
}

data "aws_secretsmanager_secret" "hmz_oci_registry_credentials" {
  arn = var.aws_secrets_manager_arn_for_hmz_oci_registry_credentials == "" ? aws_secretsmanager_secret.hmz_oci_registry_credentials[0].arn : var.aws_secrets_manager_arn_for_hmz_oci_registry_credentials
}
# HMZ Trusted Components
module "notary" {
  source     = "./modules/notary"
  count      = var.hmz_notary_enabled ? 1 : 0
  random_pet = local.pet_name

  # AWS Config
  aws_iam_role_ecs_task_role_arn     = aws_iam_role.ecs_task_role_for_hmz_trusted_components.arn
  aws_vpc_id                         = data.aws_vpc.aws_vpc_hmz_trusted_components.id
  aws_vpc_cidr                       = data.aws_vpc.aws_vpc_hmz_trusted_components.cidr_block
  aws_subnet_id                      = data.aws_subnet.hmz_trusted_components_subnet.id
  aws_security_group_id              = data.aws_security_group.hmz_trusted_components_sg.id
  aws_ecs_cluster_name               = data.aws_ecs_cluster.aws_ecs_cluster_for_hmz_trusted_components.cluster_name
  aws_cloud_watch_logs_group         = var.aws_cloud_watch_logs_group
  aws_cloud_watch_logs_stream_prefix = var.aws_cloud_watch_logs_stream_prefix
  aws_cloud_watch_logs_region        = var.aws_cloud_watch_logs_region
  aws_resource_tags                  = var.aws_resource_tags

  aws_secrets_manager_arn_for_hmz_notary_oci_registry_credentials      = data.aws_secretsmanager_secret.hmz_oci_registry_credentials.arn
  aws_secrets_manager_arn_for_hmz_kms_connect_oci_registry_credentials = data.aws_secretsmanager_secret.hmz_oci_registry_credentials.arn

  hmz_kms_oci_image                   = var.hmz_kms_oci_image
  hmz_kms_oci_tag                     = var.hmz_kms_oci_tag
  hmz_kms_container_registry_user     = coalesce(var.hmz_kms_container_registry_user, var.hmz_metaco_container_registry_user)
  hmz_kms_container_registry_password = coalesce(var.hmz_kms_container_registry_password, var.hmz_metaco_container_registry_password)

  hmz_notary_oci_image                   = var.hmz_notary_oci_image
  hmz_notary_oci_tag                     = var.hmz_notary_oci_tag
  hmz_notary_container_registry_user     = coalesce(var.hmz_notary_container_registry_user, var.hmz_metaco_container_registry_user)
  hmz_notary_container_registry_password = coalesce(var.hmz_notary_container_registry_password, var.hmz_metaco_container_registry_password)

  # Compulsory HMZ Notary environment variables
  hmz_notary_bridge_http_endpoint = var.hmz_notary_bridge_http_endpoint

  # Optional HMZ Notary environment variables
  hmz_notary_open_telemetry_type          = var.hmz_notary_open_telemetry_type
  hmz_notary_otel_sdk_disabled            = var.hmz_notary_otel_sdk_disabled
  hmz_notary_hc_tracing_enabled           = var.hmz_notary_hc_tracing_enabled
  hmz_notary_log_level                    = var.hmz_notary_log_level
  hmz_notary_grpc_enabled                 = var.hmz_notary_grpc_enabled
  hmz_notary_cols_dir                     = var.hmz_notary_cols_dir
  hmz_notary_kms_grpc_keep_alive_interval = var.hmz_notary_kms_grpc_keep_alive_interval
  hmz_notary_kms_grpc_keep_alive_timeout  = var.hmz_notary_kms_grpc_keep_alive_timeout
  hmz_notary_state_manifest_file_path     = var.hmz_notary_state_manifest_file_path
  hmz_notary_state_manifest_signature     = var.hmz_notary_state_manifest_signature

  # Compulsory HMZ KMS Connect environment variables
  hmz_kms_connect_software_master_key = var.hmz_kms_connect_software_master_key
}
module "vault" {
  source = "./modules/vault"
  # One module instance per entry of var.vaults, keyed by list index
  for_each = {
    for index, vault in var.vaults :
    index => vault
  }
  random_pet = local.pet_name

  # AWS Config
  aws_iam_role_ecs_task_role_arn     = aws_iam_role.ecs_task_role_for_hmz_trusted_components.arn
  aws_vpc_id                         = data.aws_vpc.aws_vpc_hmz_trusted_components.id
  aws_vpc_cidr                       = data.aws_vpc.aws_vpc_hmz_trusted_components.cidr_block
  aws_subnet_id                      = data.aws_subnet.hmz_trusted_components_subnet.id
  aws_security_group_id              = data.aws_security_group.hmz_trusted_components_sg.id
  aws_ecs_cluster_name               = data.aws_ecs_cluster.aws_ecs_cluster_for_hmz_trusted_components.cluster_name
  aws_cloud_watch_logs_group         = var.aws_cloud_watch_logs_group
  aws_cloud_watch_logs_stream_prefix = var.aws_cloud_watch_logs_stream_prefix
  aws_cloud_watch_logs_region        = var.aws_cloud_watch_logs_region
  aws_resource_tags                  = var.aws_resource_tags

  aws_secrets_manager_arn_for_hmz_vault_oci_registry_credentials       = data.aws_secretsmanager_secret.hmz_oci_registry_credentials.arn
  aws_secrets_manager_arn_for_hmz_kms_connect_oci_registry_credentials = data.aws_secretsmanager_secret.hmz_oci_registry_credentials.arn

  hmz_kms_oci_image                   = var.hmz_kms_oci_image
  hmz_kms_oci_tag                     = var.hmz_kms_oci_tag
  hmz_kms_container_registry_user     = coalesce(var.hmz_kms_container_registry_user, var.hmz_metaco_container_registry_user)
  hmz_kms_container_registry_password = coalesce(var.hmz_kms_container_registry_password, var.hmz_metaco_container_registry_password)

  hmz_vault_oci_image                   = var.hmz_vault_oci_image
  hmz_vault_oci_tag                     = var.hmz_vault_oci_tag
  hmz_vault_container_registry_user     = coalesce(var.hmz_vault_container_registry_user, var.hmz_metaco_container_registry_user)
  hmz_vault_container_registry_password = coalesce(var.hmz_vault_container_registry_password, var.hmz_metaco_container_registry_password)

  // Same environment variables for all vaults
  hmz_vault_harmonize_core_endpoint             = var.hmz_vault_harmonize_core_endpoint
  hmz_vault_trusted_notary_messaging_public_key = var.hmz_vault_trusted_notary_messaging_public_key
  hmz_kms_connect_software_master_key           = var.hmz_kms_connect_software_master_key
  hmz_vault_harmonize_core_proxy_address        = var.hmz_vault_harmonize_core_proxy_address
  hmz_vault_harmonize_core_no_proxy_address     = var.hmz_vault_harmonize_core_no_proxy_address

  // Specific environment variables for each vault
  hmz_vault_id                     = each.value.hmz_vault_id
  hmz_vault_log_level              = each.value.hmz_vault_log_level
  hmz_vault_bridge_log_level       = each.value.hmz_vault_bridge_log_level
  hmz_vault_feature_otlp_in_stdout = each.value.hmz_vault_feature_otlp_in_stdout
  hmz_vault_optional_maximum_fee   = each.value.hmz_vault_optional_maximum_fee
}
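The `ecs_https_egress` security group in main.tf is named and described as an HTTPS egress group, but its single rule (protocol `-1`, ports `0`-`0`, destination `0.0.0.0/0`) permits every protocol to every destination. The block below is an added example, not code from this repository, showing the same group narrowed to outbound TCP/443, which is all the components visible in main.tf need: the Notary reaches the Notary Bridge HTTPS endpoint, the Vault reaches the Harmonize Core API endpoint, the ECS agent pulls images and fetches the registry secret over HTTPS, and CloudWatch Logs delivery is HTTPS too. The resource name `ecs_https_egress_strict` is an assumption; the `var.aws_security_group_id` gate and the `data.aws_vpc` reference mirror the original.

```hcl
# Added example (not part of this repository): a least-privilege variant of
# the ecs_https_egress security group that allows outbound HTTPS only.
# The resource name is an assumption chosen so it does not clash with the
# existing ecs_https_egress resource.
resource "aws_security_group" "ecs_https_egress_strict" {
  count       = var.aws_security_group_id == "" ? 1 : 0
  name        = "ecs_https_egress_strict_sg"
  description = "Security group for ECS tasks allowing outbound HTTPS only"
  vpc_id      = data.aws_vpc.aws_vpc_hmz_trusted_components.id

  # Only TCP/443 leaves the tasks. DNS queries go to the Route 53 Resolver,
  # which security groups do not filter, so name resolution keeps working
  # without a UDP/53 rule.
  egress {
    description = "Allow outbound HTTPS (TCP 443) only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Deliberately no ingress block: every connection is initiated by the
  # components themselves, so nothing outside needs to reach the tasks.

  tags = {
    Name = "ECS HTTPS Egress (strict)"
  }
}
```

Two things to check before swapping this in for the original group: if `hmz_vault_harmonize_core_proxy_address` points the Vault at an outbound proxy on a port other than 443, that port needs its own egress rule, and because `description` on `aws_security_group` forces replacement, apply the strict group as a new resource and move the tasks over rather than editing the existing one in place.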
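The header sections "Ripple Custody Container Registry Credentials", "Harmonize Version", "Harmonize SaaS instance endpoints" and "Harmonize Vault Config" each say which values belong in `terraform.tfvars` without showing the file. The block below is an added example of such a file, not the repository's `terraform.tfvars.sample`: the variable names are the ones main.tf reads, every value is a placeholder, and the value types (strings for log levels, a boolean for the OTLP flag, a list of objects for `vaults`) are assumptions, since the `variable` declarations are not on this page.

```hcl
# Added example terraform.tfvars (not the repository's own sample file).
# Variable names come from main.tf; values are placeholders and types are
# assumed from how main.tf uses each variable.

aws_region              = "eu-west-1"
aws_enable_vpc_creation = true

# Only consulted when aws_enable_vpc_creation = false
aws_vpc_id    = ""
aws_subnet_id = ""

# Empty string = let main.tf create the resource instead of reusing one
aws_security_group_id                                    = ""
aws_ecs_cluster_name                                     = ""
aws_secrets_manager_arn_for_hmz_oci_registry_credentials = ""

# Ripple Custody / Metaco container registry credentials
hmz_metaco_container_registry_user     = "<REGISTRY_USER>"
hmz_metaco_container_registry_password = "<REGISTRY_PASSWORD>"

# Harmonize Version: OCI image and tag per Trusted Component
hmz_kms_oci_image    = "<KMS_CONNECT_IMAGE>"
hmz_kms_oci_tag      = "<KMS_CONNECT_TAG>"
hmz_notary_oci_image = "<NOTARY_IMAGE>"
hmz_notary_oci_tag   = "<NOTARY_TAG>"
hmz_vault_oci_image  = "<VAULT_IMAGE>"
hmz_vault_oci_tag    = "<VAULT_TAG>"

# Harmonize SaaS instance endpoints
hmz_notary_enabled                = true
hmz_notary_bridge_http_endpoint   = "https://<NOTARY_BRIDGE_HOST>"
hmz_vault_harmonize_core_endpoint = "https://<HARMONIZE_CORE_API_HOST>"

# Fetched from GET $HMZ_URL_API/internal/v1/system/information after Genesis
hmz_vault_trusted_notary_messaging_public_key = "<NOTARY_MESSAGING_PUBLIC_KEY>"

# Software HMZ KMS provider master key (sensitive)
hmz_kms_connect_software_master_key = "<SOFTWARE_MASTER_KEY>"

# Harmonize Vault Config: one object per Vault instance; main.tf creates one
# module "vault" instance per entry, keyed by list index.
vaults = [
  {
    hmz_vault_id                     = "<VAULT_ID_1>"
    hmz_vault_log_level              = "info"
    hmz_vault_bridge_log_level       = "info"
    hmz_vault_feature_otlp_in_stdout = false
    hmz_vault_optional_maximum_fee   = ""
  },
]
```

Because main.tf copies `hmz_metaco_container_registry_password` and `hmz_kms_connect_software_master_key` into resources, both end up in plaintext in the Terraform state; keep the state backend encrypted and access-controlled, keep `terraform.tfvars` out of version control, and where possible supply the registry credentials through a pre-created secret via `aws_secrets_manager_arn_for_hmz_oci_registry_credentials` rather than in this file.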