Merge pull request #87 from kunduso/enable-blue-green-deployment

Enable blue green deployment
kunduso · Oct 3, 2024 · 20e154c · 20e154c
2 parents 97a5c2b + 1e6ef02
commit 20e154c
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 72 deletions.
diff --git a/deploy/code_deploy_role.tf b/deploy/code_deploy_role.tf
@@ -1,70 +1,82 @@
-# data "aws_iam_policy_document" "assume_by_codedeploy" {
-#   statement {
-#     sid     = ""
-#     effect  = "Allow"
-#     actions = ["sts:AssumeRole"]
+data "aws_iam_policy_document" "assume_by_codedeploy" {
+  statement {
+    sid     = ""
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
 
-#     principals {
-#       type        = "Service"
-#       identifiers = ["codedeploy.amazonaws.com"]
-#     }
-#   }
-# }
+    principals {
+      type        = "Service"
+      identifiers = ["codedeploy.amazonaws.com"]
+    }
+  }
+}
 
-# resource "aws_iam_role" "codedeploy" {
-#   name               = "codedeploy"
-#   assume_role_policy = data.aws_iam_policy_document.assume_by_codedeploy.json
-# }
+resource "aws_iam_role" "codedeploy" {
+  name               = "${var.name}-code-deploy-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_by_codedeploy.json
+}
 
 
-# data "aws_iam_policy_document" "codedeploy" {
-#   statement {
-#     sid    = "AllowLoadBalancingAndECSModifications"
-#     effect = "Allow"
+data "aws_iam_policy_document" "codedeploy" {
+  statement {
+    sid    = "AllowLoadBalancingAndECSModifications"
+    effect = "Allow"
+    actions = [
+      "ecs:CreateTaskSet",
+      "ecs:DeleteTaskSet",
+      "ecs:DescribeServices",
+      "ecs:UpdateServicePrimaryTaskSet"
+    ]
+    resources = ["arn:aws:ecs:${var.region}:${data.aws_caller_identity.current.account_id}:service/*"]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "elasticloadbalancing:DescribeListeners",
+      "elasticloadbalancing:DescribeRules",
+      "elasticloadbalancing:DescribeTargetGroups",
+      "elasticloadbalancing:ModifyListener",
+      "elasticloadbalancing:ModifyRule"
+    ]
+    resources = [
+      "arn:aws:elasticloadbalancing:${var.region}:${data.aws_caller_identity.current.account_id}:loadbalancer/*",
+      "arn:aws:elasticloadbalancing:${var.region}:${data.aws_caller_identity.current.account_id}:listener/*",
+      "arn:aws:elasticloadbalancing:${var.region}:${data.aws_caller_identity.current.account_id}:targetgroup/*"
+    ]
+  }
+  statement {
+    effect  = "Allow"
+    actions = ["s3:GetObject"]
+    resources = [
+      "arn:aws:s3:::*/*"
+    ]
+  }
+  statement {
+    sid    = "AllowPassRole"
+    effect = "Allow"
 
-#     actions = [
-#       "ecs:CreateTaskSet",
-#       "ecs:DeleteTaskSet",
-#       "ecs:DescribeServices",
-#       "ecs:UpdateServicePrimaryTaskSet",
-#       "elasticloadbalancing:DescribeListeners",
-#       "elasticloadbalancing:DescribeRules",
-#       "elasticloadbalancing:DescribeTargetGroups",
-#       "elasticloadbalancing:ModifyListener",
-#       "elasticloadbalancing:ModifyRule",
-#       "s3:GetObject"
-#     ]
+    actions = ["iam:PassRole"]
 
-#     resources = ["*"]
-#   }
-#   statement {
-#     sid    = "AllowPassRole"
-#     effect = "Allow"
-
-#     actions = ["iam:PassRole"]
-
-#     resources = [
-#       aws_iam_role.ecs_task_execution_role.arn
-#     ]
-#   }
-
-#   statement {
-#     sid    = "DeployService"
-#     effect = "Allow"
-
-#     actions = [
-#       "ecs:DescribeServices",
-#       "codedeploy:GetDeploymentGroup",
-#       "codedeploy:CreateDeployment",
-#       "codedeploy:GetDeployment",
-#       "codedeploy:GetDeploymentConfig",
-#       "codedeploy:RegisterApplicationRevision"
-#     ]
-
-#     resources = ["*"]
-#   }
-# }
-# resource "aws_iam_role_policy" "codedeploy" {
-#   role   = aws_iam_role.codedeploy.name
-#   policy = data.aws_iam_policy_document.codedeploy.json
-# }
+    resources = [
+      aws_iam_role.ecs_task_execution_role.arn
+    ]
+  }
+  statement {
+    sid    = "DeployService"
+    effect = "Allow"
+    actions = [
+      "codedeploy:GetDeploymentGroup",
+      "codedeploy:CreateDeployment",
+      "codedeploy:GetDeployment",
+      "codedeploy:GetDeploymentConfig",
+      "codedeploy:RegisterApplicationRevision"
+    ]
+    resources = [
+      "arn:aws:codedeploy:${var.region}:${data.aws_caller_identity.current.account_id}:*"
+    ]
+  }
+}
+resource "aws_iam_role_policy" "codedeploy" {
+  role   = aws_iam_role.codedeploy.name
+  policy = data.aws_iam_policy_document.codedeploy.json
+}
diff --git a/deploy/ecs_service.tf b/deploy/ecs_service.tf
@@ -1,18 +1,18 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service
 resource "aws_ecs_service" "service" {
   name                 = var.name
-  cluster              = local.infra_output["cluster_id"]
+  cluster              = local.infra_output["aws_ecs_cluster_id"]
   task_definition      = aws_ecs_task_definition.web_app.arn
   desired_count        = 2
   force_new_deployment = true
   load_balancer {
-    target_group_arn = local.infra_output["aws_lb_target_group"]
+    target_group_arn = local.infra_output["aws_lb_blue_target_group"]
     container_name   = "first"
     container_port   = "8080" # Application Port
   }
   launch_type = "FARGATE"
   network_configuration {
-    security_groups  = [local.infra_output["security_group_id"]]
+    security_groups  = [local.infra_output["container_security_group_id"]]
     subnets          = local.infra_output["subnet_ids"]
     assign_public_ip = false
   }

diff --git a/deploy/ecs_task.tf b/deploy/ecs_task.tf
@@ -30,7 +30,7 @@ resource "aws_ecs_task_definition" "web_app" {
       logConfiguration = {
         logDriver = "awslogs"
         options = {
-          awslogs-group         = local.infra_output["cloud_watch_log_group_name"]
+          awslogs-group         = local.infra_output["aws_cloudwatch_log_group_name"]
           awslogs-region        = var.region
           awslogs-stream-prefix = "ecs"
         }

diff --git a/infra/security_group.tf b/infra/security_group.tf
@@ -8,18 +8,20 @@ resource "aws_security_group" "custom_sg" {
   description = "allow inbound traffic"
   vpc_id      = aws_vpc.this.id
   tags = {
-    "Name" = "${var.name}-sg"
+    "Name" = "${var.name}-lb-sg"
   }
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
 resource "aws_security_group_rule" "ingress_load_balancer" {
   description       = "allow traffic into the load balancer"
   type              = "ingress"
-  from_port         = 8080
-  to_port           = 8080
+  from_port         = 80
+  to_port           = 80
   protocol          = "tcp"
   cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.custom_sg.id
+  #checkov:skip=CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
+  #This is non prod and hence enabled.
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
 resource "aws_security_group_rule" "egress_load_balancer" {
@@ -32,6 +34,37 @@ resource "aws_security_group_rule" "egress_load_balancer" {
   security_group_id = aws_security_group.custom_sg.id
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "container_sg" {
+  name        = "${var.name}_container_allow_inbound_access"
+  description = "allow inbound traffic to the containers"
+  vpc_id      = aws_vpc.this.id
+  tags = {
+    "Name" = "${var.name}-container-sg"
+  }
+  #checkov:skip=CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
+  #This security group is required in the deploy stack.
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "ingress_container" {
+  description              = "allow traffic into the containers from the vpc"
+  type                     = "ingress"
+  from_port                = 8080
+  to_port                  = 8080
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.custom_sg.id
+  security_group_id        = aws_security_group.container_sg.id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "egress_container" {
+  description       = "allow traffic to reach the vpc from the container"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 65535
+  protocol          = "tcp"
+  cidr_blocks       = [aws_vpc.this.cidr_block]
+  security_group_id = aws_security_group.container_sg.id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 resource "aws_security_group" "endpoint_sg" {
   name        = "endpoint_access"
   description = "allow inbound traffic"

diff --git a/infra/ssm_parameter.tf b/infra/ssm_parameter.tf
@@ -6,7 +6,7 @@ resource "aws_ssm_parameter" "infra_output" {
   key_id      = aws_kms_key.custom_kms_key.id
   value = jsonencode({
     "subnet_ids" : [for subnet in aws_subnet.private : subnet.id],
-    "security_group_id" : "${aws_security_group.custom_sg.id}",
+    "container_security_group_id" : "${aws_security_group.container_sg.id}",
     "aws_lb_blue_target_group" : "${aws_lb_target_group.blue_target_group.arn}",
     "aws_lb_green_target_group" : "${aws_lb_target_group.green_target_group.arn}",
     "aws_lb_listener" : "${aws_alb_listener.listener.arn}",