diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 571db42..6aeac0e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,6 +1,13 @@
 on:
 workflow_call:
 inputs:
+ additional_certificate_arns:
+ # Arrays are not supported by Github resuable workflow inputs. It might be best to
+ # move back to defining each environment workflow completely independently.
+ default: "[]"
+ description: "A set of additional ACM certificate ARNs to be assigned to the ALB listener."
+ required: false
+ type: string
 aws_region:
 description: The AWS region target for deployment
 required: true
@@ -96,6 +103,7 @@ jobs:
 id: terraform-apply
 run: |
 terraform apply -auto-approve \
+ -var="additional_certificate_arns=${{ inputs.additional_certificate_arns }}" \
 -var="aws_region=${{ inputs.aws_region }}" \
 -var="aws_replication_region=${{ inputs.aws_replication_region }}" \
 -var="dns_name=${{ inputs.dns_name }}" \
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index 3ee86ca..bba1534 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -23,10 +23,11 @@ jobs:
 # So now we're hardcoding the values here and using it as a manifest. Please see
 # commit 1ec7a0346abc04b73c03e35c0e228e9dba14300c for the previous implementation.
 with:
+ additional_certificate_arns: '[\"arn:aws:acm:us-east-1:510777193308:certificate/9a15e75a-1d74-4349-9ed0-65b0df777a22\"]'
 aws_region: us-east-1
 aws_replication_region: us-west-2
 aws_s3_terraform_state_object_key: production.tfstate
- dns_name: aws-ecs-demo.carlucci.network
+ dns_name: prod.aws-ecs-demo.carlucci.network
 environment_name: prod
 vpc_cidr_index: 0
 secrets:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 36a4ee3..fc5c9c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 0.3.0
+
+* Additional ACM certificate assignment
+
 # 0.2.1
 
 * HOTFIX: Fix production dns_name in manifest
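Review bot: The description of `additional_certificate_arns` does not say what format the string must take; because the same file splices it into `terraform apply -var=`, the value has to be an HCL list literal (the `"[]"` default is HCL, not JSON, even though the two coincide here) and any inner double quotes currently have to survive a bash double-quoted argument. I would state that where callers will read it: `description: "HCL list literal of additional ACM certificate ARNs to attach to the ALB HTTPS listener, e.g. '[\"arn:aws:acm:...\"]'; passed straight to terraform -var."` The comment above it also has a typo, `resuable`. The `inputs:` mapping continues outside the hunk.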
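Review bot: The new `-var="additional_certificate_arns=${{ inputs.additional_certificate_arns }}"` line substitutes a workflow input directly into the `run:` shell, so a value containing `"` or `$(...)` is interpreted by bash before Terraform ever sees it; the caller is an in-repo `workflow_call` today, which limits the exposure, but this is the script-injection shape GitHub warns about and the neighbouring `-var` lines share it. Pass the value through the environment instead, `env: { TF_VAR_additional_certificate_arns: "${{ inputs.additional_certificate_arns }}" }` on the step, and drop the `-var` line; Terraform parses a `TF_VAR_` value for a `set(string)` variable as HCL, and the caller can then write a plain `'["arn:..."]'` without the `\"` escaping that only works because of the current bash unquoting. The `run:` block and the enclosing step continue outside the hunk.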
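Review bot: The `additional_certificate_arns` value hard-codes the escaped form `'[\"arn:...\"]'`; the backslashes are literal in a single-quoted YAML scalar and only come out right because deploy.yml later interpolates the string into a bash double-quoted `-var` argument, which a reader of this manifest cannot see. Add a comment above the line, `# HCL list literal; the inner quotes are escaped for the bash -var interpolation in deploy.yml`, or move the escaping out of the caller altogether. Since `dns_name` changes to `prod.aws-ecs-demo.carlucci.network` in the same hunk, I would also confirm that either the listener's default certificate (not in this diff) or the newly attached one covers the new hostname, otherwise the ALB will present a non-matching certificate for it. The `with:` mapping continues outside the hunk.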
diff --git a/terraform/ec2.tf b/terraform/ec2.tf
index cb0c2a9..a990375 100644
--- a/terraform/ec2.tf
+++ b/terraform/ec2.tf
@@ -45,7 +45,8 @@ resource "aws_security_group_rule" "alb_egress_all" {
 # TODO: adopt "Encryption Everywhere" policy by protecting internal traffic
 # between the ALB and the application service as well (#15)
 resource "aws_lb_target_group" "alb" {
- name = local.namespace
+ # name not specified as it creates conflicts when resource needs to be replaced. Depend
+ # on tags to identify target groups in the console.
 port = 443
 protocol = "HTTPS"
 target_type = "ip"
@@ -59,6 +60,11 @@ resource "aws_lb_target_group" "alb" {
 }
 
 vpc_id = aws_vpc.vpc.id
+
+ lifecycle {
+ # For if/when ports change
+ create_before_destroy = true
+ }
 }
 
 resource "aws_lb" "alb" {
@@ -96,3 +102,11 @@ resource "aws_lb_listener" "https" {
 port = 443
 protocol = "HTTPS"
 }
+
+# Support the assigment of external certificates by ARN
+resource "aws_lb_listener_certificate" "additional" {
+ for_each = var.additional_certificate_arns
+
+ listener_arn = aws_lb_listener.https.arn
+ certificate_arn = each.value
+}
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index 036419c..64d4a8c 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -33,6 +33,16 @@ data "aws_iam_policy_document" "ecs_task_assume_role" {
 identifiers = ["ecs-tasks.amazonaws.com"]
 type = "Service"
 }
+ condition {
+ test = "ArnLike"
+ values = ["arn:aws:ecs:${var.aws_region}:${local.account_id}:*"]
+ variable = "aws:SourceArn"
+ }
+ condition {
+ test = "StringEquals"
+ values = [local.account_id]
+ variable = "aws:SourceAccount"
+ }
 }
 }
 
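Review bot: Dropping `name` entirely leaves `aws_lb_target_group.alb` with an AWS-generated random name, while the replacement comment promises identification by tags that are not visible in this hunk. `name_prefix = substr(local.namespace, 0, 6)` keeps a readable prefix (the provider caps it at six characters) and still yields a unique name on every replacement, which is exactly what the `create_before_destroy` added further down needs. If tags are the intended handle, confirm the resource actually sets one carrying the namespace; the resource body continues outside the hunk.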
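Review bot: The comment above `aws_lb_listener_certificate.additional` has a typo, `assigment`, and says nothing an operator needs; I would replace it with `# Attach extra ACM certificates (same region and account as the ALB) to the HTTPS listener; the ALB picks among them by SNI`. Keying `for_each` by the ARN itself is the right choice here, since swapping one ARN replaces only that attachment rather than re-indexing the rest.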
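Review bot: The two `condition` blocks added to the execution-role trust policy are a confused-deputy guard, but nothing in the hunk says so; a one-line comment above the first block, `# Confused-deputy guard: only ECS tasks launched in this account and region may assume the role`, would keep the next maintainer from "simplifying" it away. The `aws:SourceArn` pattern is account-and-region wide, which is the form AWS documents for `ecs-tasks.amazonaws.com`; narrowing it to a cluster is possible only if ECS populates the source ARN at that granularity, which I have not verified, so treat that as optional. If a separate task role is defined elsewhere in this file, it should carry the same two conditions, since the exposure is identical. The `data` block starts before the hunk.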
@@ -42,7 +52,7 @@ resource "aws_iam_role" "ecs_task_execution" {
 }
 
 # Use the AWS-provided managed role for basic logging and ECR repository permissions
-resource "aws_iam_role_policy_attachment" "legacy_listener_aws_task_execution_role_policy" {
+resource "aws_iam_role_policy_attachment" "hello_world_aws_task_execution_role_policy" {
 role = aws_iam_role.ecs_task_execution.name
 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 862a0a4..97c767e 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,3 +1,9 @@
+variable "additional_certificate_arns" {
+ default = []
+ description = "A set of additional ACM certificate ARNs to be assigned to the ALB listener."
+ type = set(string)
+}
+
 variable "aws_region" {
 default = "us-east-1"
 description = "The AWS region name in which the main infrastructure should be deployed."
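Review bot: `additional_certificate_arns` accepts any string, so a malformed or wrong-region ARN is only rejected at `terraform apply`, on the `aws_lb_listener_certificate` resource, after the rest of the plan has started executing. A `validation` block can refuse anything that is not an ACM certificate ARN at plan time; checking the region against `var.aws_region` would be better still, but cross-variable validation is not available on older Terraform, so the format check is the safe baseline. I would also spell out the same-region/same-account constraint in the description, since that is the failure mode a caller is most likely to hit.

```hcl
variable "additional_certificate_arns" {
  default     = []
  description = "A set of additional ACM certificate ARNs (same region and account as the ALB) to be assigned to the ALB listener."
  type        = set(string)

  validation {
    condition = alltrue([
      for arn in var.additional_certificate_arns :
      can(regex("^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/", arn))
    ])
    error_message = "Each entry must be an ACM certificate ARN of the form arn:aws:acm:<region>:<account-id>:certificate/<id>."
  }
}
```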