diff --git a/infra/dev/.terraform.lock.hcl b/infra/dev/.terraform.lock.hcl
index e7c4ac7d..94b524f5 100644
--- a/infra/dev/.terraform.lock.hcl
+++ b/infra/dev/.terraform.lock.hcl
@@ -2,22 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.14.0" - constraints = "4.14.0" + version = "4.37.0" + constraints = "4.37.0" hashes = [ - "h1:RqBO9RnwTLRLqBtFdzeBq/2WxFqZMaHUfKcUbK5dpZ8=", - "h1:wJ1F5KqM9XLQqotZ82YFQywpN4pwtVFR35uc5ckqGKw=", - "zh:00d03c06e6a7f8ccf8a5a8e03d71842ebe75c9bf4a94112429cf457ae50e9ec4", - "zh:1dc73df493294451a8a5bf80575d083958b8e33051f5a37764dcfd6264e0fd37", - "zh:4427e14bf3e1e0879f44edcf81a7091c67f7dd3c0b4a842f70ab2c5108452108", - "zh:4c9d8e627881207354020bcc2c6fede891d85a1893ee1a60c96e96f26bb792a7", - "zh:69c1dd3e8d1cfe85529d201ac6390df5e28bc353cf340b1ec3c5981d696f6373", - "zh:76df2d46384d7bf3c10e799145ee16c829f5bbf9218896aab4a73ec57dae0e90", - "zh:863ce9721e6d1f8554d77541545b6081e2afb1f38cb0c73a0491e58235ed588e", - "zh:9a8184398f83781623b2257361a1c038fb0eeb8361bb4714d1897f2479398b49", + "h1:LFWMFPtcsxlzbzNlR5XQNfO9/teX2pD60XYycSU4gjQ=", + "zh:12c2eb60cb1eb0a41d1afbca6fc6f0eed6ca31a12c51858f951a9e71651afbe0", + "zh:1e17482217c39a12e930e71fd2c9af8af577bec6736b184674476ebcaad28477", + "zh:1e8163c3d871bbd54c189bf2fe5e60e556d67fa399e4c88c8e6ee0834525dc33", + "zh:399c41a3e096fd75d487b98b1791f7cea5bd38567ac4e621c930cb67ec45977c", + "zh:40d4329eef2cc130e4cbed7a6345cb053dd258bf6f5f8eb0f8ce777ae42d5a01", + "zh:625db5fa75638d543b418be7d8046c4b76dc753d9d2184daa0faaaaebc02d207", + "zh:7785c8259f12b45d19fa5abdac6268f3b749fe5a35c8be762c27b7a634a4952b", + "zh:8a7611f33cc6422799c217ec2eeb79c779035ef05331d12505a6002bc48582f0", + "zh:9188178235a73c829872d2e82d88ac6d334d8bb01433e9be31615f1c1633e921", + "zh:994895b57bf225232a5fa7422e6ab87d8163a2f0605f54ff6a18cdd71f0aeadf", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:bbf27af267e5a77780ccc83b2f79e75f47ce7b8ed4f864b34baad01cbf2f54fb", - "zh:f31cfa54f3951d4623a25712964724a57f491ab17b3944802d55072768b41043", - "zh:fe17dfac4954873faf340088949e2434058f6f6b2f228fe3e349527f1ecde92d", + 
"zh:b57de6903ef30c9f22d38d595d64b4f92a89ea717b65782e1f44f57020ce8b1f", ] } diff --git a/infra/dev/backend.tf b/infra/dev/backend.tf index 099cd9cb..cd113856 100644 --- a/infra/dev/backend.tf +++ b/infra/dev/backend.tf @@ -12,7 +12,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "4.14.0" + version = "4.37.0" } } diff --git a/infra/sandbox/.terraform.lock.hcl b/infra/sandbox/.terraform.lock.hcl new file mode 100644 index 00000000..94b524f5 --- /dev/null +++ b/infra/sandbox/.terraform.lock.hcl @@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.37.0" + constraints = "4.37.0" + hashes = [ + "h1:LFWMFPtcsxlzbzNlR5XQNfO9/teX2pD60XYycSU4gjQ=", + "zh:12c2eb60cb1eb0a41d1afbca6fc6f0eed6ca31a12c51858f951a9e71651afbe0", + "zh:1e17482217c39a12e930e71fd2c9af8af577bec6736b184674476ebcaad28477", + "zh:1e8163c3d871bbd54c189bf2fe5e60e556d67fa399e4c88c8e6ee0834525dc33", + "zh:399c41a3e096fd75d487b98b1791f7cea5bd38567ac4e621c930cb67ec45977c", + "zh:40d4329eef2cc130e4cbed7a6345cb053dd258bf6f5f8eb0f8ce777ae42d5a01", + "zh:625db5fa75638d543b418be7d8046c4b76dc753d9d2184daa0faaaaebc02d207", + "zh:7785c8259f12b45d19fa5abdac6268f3b749fe5a35c8be762c27b7a634a4952b", + "zh:8a7611f33cc6422799c217ec2eeb79c779035ef05331d12505a6002bc48582f0", + "zh:9188178235a73c829872d2e82d88ac6d334d8bb01433e9be31615f1c1633e921", + "zh:994895b57bf225232a5fa7422e6ab87d8163a2f0605f54ff6a18cdd71f0aeadf", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b57de6903ef30c9f22d38d595d64b4f92a89ea717b65782e1f44f57020ce8b1f", + ] +} diff --git a/infra/sandbox/Makefile b/infra/sandbox/Makefile new file mode 100644 index 00000000..850cb8b0 --- /dev/null +++ b/infra/sandbox/Makefile 
@@ -0,0 +1,12 @@
+export
+AWS_PROFILE=dev-string
+
+init:
+ terraform init
+plan:
+ terraform plan
+apply:
+ terraform apply
+
+destroy:
+ terraform destroy
diff --git a/infra/sandbox/alb.tf b/infra/sandbox/alb.tf
new file mode 100644
index 00000000..34e575e8
--- /dev/null
+++ b/infra/sandbox/alb.tf
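Review bot: `AWS_PROFILE=dev-string` points the sandbox stack at the same credentials as the dev stack, so whoever runs `make apply` here is acting in the dev account with dev permissions; if sandbox is meant to be isolated, a dedicated profile (`AWS_PROFILE=sandbox-string`, name constructed) is where that boundary would be drawn, and if sharing the account is deliberate a one-line comment above the assignment should say so. `apply` and `destroy` run without a saved plan, so what is applied can differ from what `make plan` showed; `terraform plan -out=tfplan` in `plan` and `terraform apply tfplan` in `apply` closes that gap. The recipe lines appear here with a leading space rather than a tab, which may be an artifact of the collapsed diff but is worth checking since make rejects space-indented recipes.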
@@ -0,0 +1,102 @@
+module "alb_acm" {
+ source = "../acm"
+ domain_name = "api.${local.root_domain}"
+ aws_region = "us-west-2"
+ zone_id = data.aws_route53_zone.root.zone_id
+ tags = {
+ Name = "api-${local.root_domain}-alb"
+ }
+}
+
+resource "aws_alb" "alb" {
+ name = "${local.env}-${local.service_name}-alb"
+ drop_invalid_header_fields = true
+ security_groups = [aws_security_group.ecs_alb_https_sg.id]
+ subnets = data.terraform_remote_state.vpc.outputs.public_subnets
+
+ tags = {
+ Name = "${local.env}-${local.service_name}-alb"
+ Environment = local.env
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+ resource "aws_ssm_parameter" "alb" {
+ name = "${local.service_name}-alb-arn"
+ value = aws_alb.alb.arn
+ type = "String"
+ }
+
+ resource "aws_ssm_parameter" "alb_dns" {
+ name = "${local.service_name}-alb-dns"
+ value = aws_alb.alb.dns_name
+ type = "String"
+ }
+
+resource "aws_alb_target_group" "ecs_task_target_group" {
+ name = "${local.env}-${local.service_name}-tg"
+ port = local.container_port
+ vpc_id = data.terraform_remote_state.vpc.outputs.id
+ target_type = "ip"
+ protocol = "HTTP"
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ health_check {
+ path = "/heartbeat"
+ protocol = "HTTP"
+ matcher = "200"
+ interval = 60
+ timeout = 30
+ unhealthy_threshold = "3"
+ healthy_threshold = "3"
+ }
+
+ tags = {
+ Name = "${local.env}-${local.service_name}-tg"
+ }
+}
+
+resource "aws_alb_listener" "alb_https_listener" {
+ load_balancer_arn = aws_alb.alb.arn
+ port = 443
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
+ certificate_arn = module.alb_acm.arn
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_alb_target_group.ecs_task_target_group.arn
+ }
+}
+
+ resource "aws_ssm_parameter" "alb_listerner" {
+ name = "${local.service_name}-alb-listener-arn"
+ value = aws_alb_listener.alb_https_listener.arn
+ type = "String"
+ }
+
+resource "aws_alb_listener_rule" "ecs_alb_listener_rule" {
+ listener_arn = aws_alb_listener.alb_https_listener.arn
+ priority = 100
+ action {
+ type = "forward"
+ target_group_arn = aws_alb_target_group.ecs_task_target_group.arn
+ }
+
+ condition {
+ host_header {
+ values = ["api.${local.root_domain}"]
+ }
+ }
+}
+
diff --git a/infra/sandbox/backend.tf b/infra/sandbox/backend.tf
new file mode 100644
index 00000000..e427d0bb
--- /dev/null
+++ b/infra/sandbox/backend.tf
@@ -0,0 +1,35 @@
+locals {
+ remote_state_bucket = "dev-string-terraform-state"
+ backend_region = "us-west-2"
+ vpc_remote_state_key = "vpc.tfstate"
+}
+
+provider "aws" {
+ region = "us-west-2"
+}
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.37.0"
+ }
+ }
+
+ backend "s3" {
+ encrypt = true
+ key = "sandbox-api.tfstate"
+ bucket = "dev-string-terraform-state"
+ dynamodb_table = "dev-string-terraform-state-lock"
+ region = "us-west-2"
+ }
+}
+
+data "terraform_remote_state" "vpc" {
+ backend = "s3"
+ config = {
+ region = local.backend_region
+ bucket = local.remote_state_bucket
+ key = local.vpc_remote_state_key
+ }
+}
diff --git a/infra/sandbox/cloudfront.tf b/infra/sandbox/cloudfront.tf
new file mode 100644
index 00000000..866d81e3
--- /dev/null
+++ b/infra/sandbox/cloudfront.tf
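Review bot: The listener rule's only condition is `host_header` = `api.${local.root_domain}`, and `aws_security_group.ecs_alb_https_sg` (security_group.tf hunk) admits 443 from `0.0.0.0/0`, so a client that resolves the ALB's own DNS name and sends that Host header reaches the service directly, bypassing CloudFront and anything enforced there. Restrict the ALB ingress to CloudFront's origin-facing ranges with `data "aws_ec2_managed_prefix_list"` (`name = "com.amazonaws.global.cloudfront.origin-facing"`) and `prefix_list_ids` on the ingress block, and/or add an `http_header` condition on a shared secret header that the distribution injects with `custom_header` on its origin; the two are commonly combined. `aws_alb.alb` has no `access_logs` block, so there is no request-level trail for incident review; an S3 target with `enabled = true` is a small addition. `ELBSecurityPolicy-TLS-1-2-2017-01` is the original TLS 1.2 policy; `ELBSecurityPolicy-TLS13-1-2-2021-06` adds TLS 1.3 and drops the older cipher suites.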
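Review bot: The `backend "s3"` block repeats the bucket, lock table and region as literals that `locals` above also defines, and `provider "aws"` hard-codes `us-west-2` instead of `local.backend_region`; Terraform does not allow expressions inside `backend`, so the duplication is unavoidable there, but a comment such as `# backend blocks cannot reference locals; keep in sync with the locals above` would stop the next reader from "fixing" it, and the provider block can use the local. The sandbox stack stores its state in the dev bucket `dev-string-terraform-state` and appears to read the dev VPC from `vpc.tfstate`, so it shares blast radius and IAM scope with dev; if that is intentional, a sentence at the top of the file should say so. The `terraform` block pins the provider but has no `required_version`, so the CLI version is unconstrained.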
@@ -0,0 +1,51 @@
+resource "aws_cloudfront_distribution" "this" {
+ enabled = true
+ is_ipv6_enabled = true
+ aliases = ["api.${local.root_domain}"]
+
+ origin {
+ domain_name = aws_alb.alb.dns_name
+ origin_id = local.origin_id
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+ origin_protocol_policy = "https-only"
+ origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+ }
+ }
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "none"
+ locations = []
+ }
+ }
+
+
+ default_cache_behavior {
+ target_origin_id = local.origin_id
+ compress = true
+ allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+ cached_methods = ["GET", "HEAD", "OPTIONS"]
+
+ forwarded_values {
+ query_string = true
+ headers = ["X-Forwarded-For", "Host", "X-Api-Key"]
+ cookies {
+ forward = "all"
+ }
+ }
+
+ viewer_protocol_policy = "redirect-to-https"
+ min_ttl = 0
+ default_ttl = 60
+ max_ttl = 120
+ }
+
+ viewer_certificate {
+ ssl_support_method = "sni-only"
+ acm_certificate_arn = module.acm.arn
+ minimum_protocol_version = "TLSv1.1_2016"
+ cloudfront_default_certificate = false
+ }
+}
diff --git a/infra/sandbox/domain.tf b/infra/sandbox/domain.tf
new file mode 100644
index 00000000..7211eb22
--- /dev/null
+++ b/infra/sandbox/domain.tf
@@ -0,0 +1,25 @@
+data "aws_route53_zone" "root" {
+ name = local.root_domain
+}
+
+resource "aws_route53_record" "domain" {
+ name = "api"
+ type = "A"
+ zone_id = data.aws_route53_zone.root.zone_id
+ alias {
+ evaluate_target_health = false
+ name = aws_cloudfront_distribution.this.domain_name
+ zone_id = aws_cloudfront_distribution.this.hosted_zone_id
+ }
+}
+
+module "acm" {
+ source = "../acm"
+ domain_name = "api.${local.root_domain}"
+ aws_region = "us-east-1"
+ zone_id = data.aws_route53_zone.root.zone_id
+ tags = {
+ Environment = local.env
+ Name = "api.${local.root_domain}"
+ }
+}
diff --git a/infra/sandbox/ecs.tf b/infra/sandbox/ecs.tf
new file mode 100644
index 00000000..14c72c32
--- /dev/null
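Review bot: `origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]` lets CloudFront negotiate TLS 1.0/1.1 to the ALB and `minimum_protocol_version = "TLSv1.1_2016"` lets viewers connect with TLS 1.1; the ALB listener in alb.tf only accepts TLS 1.2, so the origin list can be `["TLSv1.2"]` and the viewer floor should be `TLSv1.2_2021`. The behavior caches for `default_ttl = 60` and forwards `X-Api-Key` plus all cookies but not `Authorization`; with legacy `forwarded_values`, CloudFront strips `Authorization` from GET/HEAD (and cached OPTIONS) requests unless it is listed in `headers`, so if the API uses bearer tokens (the `*_jwt_secret` parameters in ssm.tf suggest it may) those reads arrive at the origin unauthenticated, and if it authenticates by `X-Api-Key`/cookies instead, caching API responses for a minute is still rarely wanted. Either add `"Authorization"` to `headers` and set the three TTLs to 0, or move to `cache_policy_id` with the managed `Managed-CachingDisabled` policy via `data "aws_cloudfront_cache_policy"`. There is no `web_acl_id` and no `logging_config`, so the edge has neither a WAF nor a request log; both are worth adding before this fronts real traffic.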
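Review bot: The distribution sets `is_ipv6_enabled = true` but only an `A` alias record is created for `api`, so IPv6-only clients get no AAAA answer; add a second `aws_route53_record` with `type = "AAAA"` and the same `alias` block, or set `is_ipv6_enabled = false` so the two agree. `module "acm"` here (us-east-1) and `module "alb_acm"` in alb.tf (us-west-2) both request a certificate for `api.${local.root_domain}`; that is required for CloudFront plus a regional ALB, but a one-line comment on each naming its consumer (`# CloudFront requires its certificate in us-east-1`) would stop one being removed as a duplicate.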
+++ b/infra/sandbox/ecs.tf
@@ -0,0 +1,59 @@
+resource "aws_ecs_cluster" "cluster" {
+ name = local.cluster_name
+}
+
+resource "aws_ecs_task_definition" "task_definition" {
+ container_definitions = local.task_definition
+ family = local.service_name
+ cpu = local.cpu
+ memory = local.memory
+ requires_compatibilities = ["FARGATE"]
+ network_mode = "awsvpc"
+ execution_role_arn = aws_iam_role.task_ecs_role.arn
+ task_role_arn = aws_iam_role.task_ecs_role.arn
+}
+
+resource "aws_ecr_repository" "repo" {
+ name = local.service_name
+ image_tag_mutability = "IMMUTABLE"
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+
+ tags = {
+ Environment = local.env
+ Name = local.service_name
+ }
+}
+
+resource "aws_ecs_service" "ecs_service" {
+ name = local.service_name
+ task_definition = local.service_name
+ desired_count = local.desired_task_count
+ cluster = aws_ecs_cluster.cluster.name
+ launch_type = "FARGATE"
+
+ network_configuration {
+ subnets = data.terraform_remote_state.vpc.outputs.public_subnets
+ security_groups = [aws_security_group.ecs_task_sg.id]
+ assign_public_ip = true
+ }
+
+ load_balancer {
+ container_name = local.service_name
+ container_port = local.container_port
+ target_group_arn = aws_alb_target_group.ecs_task_target_group.arn
+ }
+
+ depends_on = [
+ aws_alb_listener_rule.ecs_alb_listener_rule,
+ aws_iam_role_policy.task_ecs_policy,
+ aws_ecs_task_definition.task_definition
+ ]
+
+ tags = {
+ Environment = local.env
+ Name = local.service_name
+ }
+}
diff --git a/infra/sandbox/iam_roles.tf b/infra/sandbox/iam_roles.tf
new file mode 100644
index 00000000..e6640443
--- /dev/null
+++ b/infra/sandbox/iam_roles.tf
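Review bot: `execution_role_arn` and `task_role_arn` both point at `aws_iam_role.task_ecs_role`, so the application container runs with the identity the ECS agent uses to pull images and read secrets, including the `ecs:*`/`ecr:*` on `*` granted in iam_roles.tf; a separate task role carrying only what the app itself calls (from the environment block it uses `AWS_KMS_KEY_ID`, so `kms:Decrypt` on the main key and seemingly nothing else) keeps a compromised container from reading every SSM parameter or reconfiguring ECS. `task_definition = local.service_name` references the family by name rather than `aws_ecs_task_definition.task_definition.arn`, so the service picks up the latest revision at apply time and a new revision does not by itself produce a plan diff on the service. `assign_public_ip = true` on `public_subnets` gives every task a public address; the task SG only admits the VPC CIDR so exposure is limited, but private subnets with NAT or VPC endpoints for ECR/SSM are the usual shape, and a comment is warranted if public placement is a deliberate sandbox cost choice.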
@@ -0,0 +1,78 @@
+data "aws_iam_policy_document" "ecs_task_policy" {
+ statement {
+ sid = "AllowECSAndTaskAssumeRole"
+ actions = ["sts:AssumeRole"]
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "task_ecs_role" {
+ name = "${local.env}-${local.service_name}-task-ecs-role"
+ assume_role_policy = data.aws_iam_policy_document.ecs_task_policy.json
+}
+
+data "aws_iam_policy_document" "task_policy" {
+ statement {
+ sid = "AllowReadToResourcesInListToTask"
+ effect = "Allow"
+ actions = [
+ "ecs:*",
+ "ecr:*"
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowAccessToSSM"
+ effect = "Allow"
+ actions = [
+ "ssm:GetParameters"
+ ]
+ resources = [
+ data.aws_ssm_parameter.datadog.arn,
+ data.aws_ssm_parameter.evm_private_key.arn,
+ data.aws_ssm_parameter.string_encryption_secret.arn,
+ data.aws_ssm_parameter.string_internal_id.arn,
+ data.aws_ssm_parameter.string_wallet_id.arn,
+ data.aws_ssm_parameter.string_bank_id.arn,
+ data.aws_ssm_parameter.string_platform_id.arn,
+ data.aws_ssm_parameter.ipstack_api_key.arn,
+ data.aws_ssm_parameter.unit21_api_key.arn,
+ data.aws_ssm_parameter.checkout_public_key.arn,
+ data.aws_ssm_parameter.checkout_private_key.arn,
+ data.aws_ssm_parameter.owlracle_api_key.arn,
+ data.aws_ssm_parameter.owlracle_api_secret.arn,
+ data.aws_ssm_parameter.db_password.arn,
+ data.aws_ssm_parameter.db_username.arn,
+ data.aws_ssm_parameter.db_name.arn,
+ data.aws_ssm_parameter.db_host.arn,
+ data.aws_ssm_parameter.redis_host_url.arn,
+ data.aws_ssm_parameter.redis_auth_token.arn,
+ data.aws_ssm_parameter.fingerprint_api_key.arn,
+ data.aws_ssm_parameter.sendgrid_api_key.arn,
+ data.aws_ssm_parameter.twilio_sms_sid.arn,
+ data.aws_ssm_parameter.twilio_account_sid.arn,
+ data.aws_ssm_parameter.twilio_auth_token.arn
+ ]
+ }
+
+ statement {
+ sid = "AllowDecrypt"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt"
+ ]
+ resources = [data.aws_kms_key.kms_key.arn]
+ }
+}
+
+resource "aws_iam_role_policy" "task_ecs_policy" {
+ name = "${local.env}-${local.service_name}-task-ecs-policy"
+ role = aws_iam_role.task_ecs_role.id
+ policy = data.aws_iam_policy_document.task_policy.json
+}
diff --git a/infra/sandbox/security_group.tf b/infra/sandbox/security_group.tf
new file mode 100644
index 00000000..4f50d81a
--- /dev/null
+++ b/infra/sandbox/security_group.tf
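Review bot: The `AllowReadToResourcesInListToTask` statement grants `ecs:*` and `ecr:*` on `resources = ["*"]`, which is far more than an execution role needs (pull one image) and, because ecs.tf uses this same role as the task role, lets the application container stop tasks, register task definitions or push images to any repository in the account. The sid says "read", so the intent looks like image pulls; only `ecr:GetAuthorizationToken` requires `*`, and the layer/image actions can be scoped to `aws_ecr_repository.repo.arn`. The trust policy also lists `ecs.amazonaws.com` next to `ecs-tasks.amazonaws.com`; Fargate tasks assume their roles through `ecs-tasks.amazonaws.com`, so the first principal can be dropped unless something outside this hunk relies on it.
```hcl
data "aws_iam_policy_document" "task_policy" {
  statement {
    sid       = "AllowEcrLogin"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    sid    = "AllowPullServiceImage"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage"
    ]
    resources = [aws_ecr_repository.repo.arn]
  }

  # … unchanged: AllowAccessToSSM and AllowDecrypt statements …
}
```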
@@ -0,0 +1,84 @@
+resource "aws_security_group" "ecs_alb_https_sg" {
+ name = "${local.env}-${local.service_name}-alb-https-sg"
+ description = "Security group for ALB to cluster"
+ vpc_id = data.terraform_remote_state.vpc.outputs.id
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "TCP"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ tags = {
+ Name = "${local.env}-${local.service_name}-alb-https-sg"
+ Environment = local.env
+ }
+}
+
+resource "aws_security_group" "ecs_task_sg" {
+ name = "${local.env}-${local.service_name}-task-sg"
+ vpc_id = data.terraform_remote_state.vpc.outputs.id
+ ingress {
+ from_port = local.container_port
+ to_port = local.container_port
+ protocol = "TCP"
+ cidr_blocks = [data.terraform_remote_state.vpc.outputs.cidr_block]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ tags = {
+ Name = "${local.env}-${local.service_name}-task-sg"
+ environment = local.env
+ }
+}
+
+# Give access to DB through security group rule
+data "aws_security_group" "rds" {
+ name = "${local.env}-string-write-master-client-rds"
+ vpc_id = data.terraform_remote_state.vpc.outputs.id
+}
+
+data "aws_security_group" "redis" {
+ name = "redis-client-redis"
+ vpc_id = data.terraform_remote_state.vpc.outputs.id
+}
+
+resource "aws_security_group_rule" "rds_to_ecs" {
+ type = "ingress"
+ protocol = "TCP"
+ from_port = local.db_port
+ to_port = local.db_port
+ source_security_group_id = aws_security_group.ecs_task_sg.id
+ security_group_id = data.aws_security_group.rds.id
+}
+
+resource "aws_security_group_rule" "redis_to_ecs" {
+ type = "ingress"
+ protocol = "TCP"
+ from_port = local.redis_port
+ to_port = local.redis_port
+ source_security_group_id = aws_security_group.ecs_task_sg.id
+ security_group_id = data.aws_security_group.redis.id
+}
diff --git a/infra/sandbox/ssm.tf b/infra/sandbox/ssm.tf
new file mode 100644
index 00000000..854be3d0
--- /dev/null
+++ b/infra/sandbox/ssm.tf
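Review bot: `aws_security_group.ecs_task_sg` admits the container port from the entire VPC (`cidr_blocks = [data.terraform_remote_state.vpc.outputs.cidr_block]`) although its only intended client is the ALB; replacing that line with `security_groups = [aws_security_group.ecs_alb_https_sg.id]` pins the ALB → task path the same way `rds_to_ecs` and `redis_to_ecs` already pin task → datastore with `source_security_group_id`. The task SG's tag key is `environment` while every other resource in this change uses `Environment`; tag keys are case-sensitive, so this group drops out of any `Environment`-based filtering or cost allocation. `protocol = -1` (unquoted) on the ALB egress and `protocol = "-1"` on the task egress are equivalent but inconsistent; the quoted form is the one the provider documents. `data "aws_security_group" "redis"` looks up `redis-client-redis` with no `${local.env}` prefix while the RDS lookup is env-scoped, so the sandbox tasks may be opening an ingress rule on a shared, possibly dev, Redis client group; worth confirming and documenting.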
@@ -0,0 +1,107 @@
+data "aws_ssm_parameter" "datadog" {
+ name = "datadog-key"
+}
+
+data "aws_ssm_parameter" "evm_private_key" {
+ name = "string-encrypted-sk"
+}
+
+data "aws_ssm_parameter" "string_encryption_secret" {
+ name = "string-encryption-secret"
+}
+
+data "aws_ssm_parameter" "string_internal_id" {
+ name = "string-internal-id"
+}
+
+data "aws_ssm_parameter" "string_wallet_id" {
+ name = "string-wallet-id"
+}
+
+data "aws_ssm_parameter" "string_bank_id" {
+ name = "string-bank-id"
+}
+
+data "aws_ssm_parameter" "string_platform_id" {
+ name = "string-placeholder-platform-id"
+}
+
+data "aws_ssm_parameter" "user_jwt_secret" {
+ name = "user-jwt-secret"
+}
+
+data "aws_ssm_parameter" "unit21_api_key" {
+ name = "unit21-api-key"
+}
+
+data "aws_ssm_parameter" "ipstack_api_key" {
+ name = "ipstack-api-key"
+}
+
+data "aws_ssm_parameter" "customer_jwt_secret" {
+ name = "customer-jwt-secret"
+}
+
+data "aws_ssm_parameter" "checkout_public_key" {
+ name = "dev-checkout-public-key"
+}
+
+data "aws_ssm_parameter" "checkout_private_key" {
+ name = "dev-checkout-private-key"
+}
+
+data "aws_ssm_parameter" "owlracle_api_key" {
+ name = "dev-owlracle-api-key"
+}
+
+data "aws_ssm_parameter" "fingerprint_api_key" {
+ name = "fingerprint-api-key"
+}
+
+data "aws_ssm_parameter" "sendgrid_api_key" {
+ name = "sendgrid-api-key"
+}
+
+data "aws_ssm_parameter" "twilio_sms_sid" {
+ name = "twilio-sms-sid"
+}
+
+data "aws_ssm_parameter" "twilio_account_sid" {
+ name = "twilio-account-sid"
+}
+
+data "aws_ssm_parameter" "twilio_auth_token" {
+ name = "twilio-auth-token"
+}
+
+data "aws_ssm_parameter" "owlracle_api_secret" {
+ name = "dev-owlracle-api-secret"
+}
+
+data "aws_ssm_parameter" "db_password" {
+ name = "string-rds-pg-db-password"
+}
+
+data "aws_ssm_parameter" "db_username" {
+ name = "string-rds-pg-db-username"
+}
+
+data "aws_ssm_parameter" "db_name" {
+ name = "string-rds-pg-db-name"
+}
+
+data "aws_ssm_parameter" "db_host" {
+ name = "${local.env}-write-db-host-url"
+}
+
+data "aws_ssm_parameter" "redis_auth_token" {
+ name = "redis-auth-token"
+}
+
+data "aws_ssm_parameter" "redis_host_url" {
+ name = "redis-host-url"
+}
+
+data "aws_kms_key" "kms_key" {
+ key_id = "alias/main-kms-key"
+}
diff --git a/infra/sandbox/variables.tf b/infra/sandbox/variables.tf
new file mode 100644
index 00000000..336dc377
--- /dev/null
+++ b/infra/sandbox/variables.tf
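Review bot: Every `data "aws_ssm_parameter"` in this file reads the parameter with decryption and stores its `value` in Terraform state, even though the only attribute consumed elsewhere in this change (iam_roles.tf, variables.tf) is `.arn`; the S3 state for this stack will therefore hold the plaintext of the private key, DB password, Redis token and every third-party API key. Set `with_decryption = false` on each data source so a SecureString comes back as ciphertext while `.arn` is unchanged, or build the ARNs from `aws_caller_identity`/`aws_region` and the names without any lookup, so the secrets never leave Parameter Store. `user_jwt_secret` and `customer_jwt_secret` are declared but referenced by neither the task policy nor the task definition's `secrets`, so they are dead lookups that still pull secret values into state. Several names are `dev-` prefixed (`dev-checkout-*`, `dev-owlracle-*`) while `db_host` is `${local.env}-` scoped; if sandbox is meant to have its own third-party credentials those need sandbox parameters, and if sharing dev's is deliberate a comment above them should say so.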
@@ -0,0 +1,261 @@
+locals {
+ cluster_name = "core-sandbox"
+ env = "sandbox"
+ service_name = "api"
+ root_domain = "sandbox.string-api.xyz"
+ container_port = "3000"
+ origin_id = "sandbox-api"
+ desired_task_count = "2"
+ db_port = "5432"
+ redis_port = "6379"
+ memory = 512
+ cpu = 256
+ region = "us-west-2"
+}
+
+variable "versioning" {
+ type = string
+ default = "v.1.0.0-alpha"
+}
+
+locals {
+ task_definition = jsonencode([
+ {
+ name = local.service_name
+ image = "${aws_ecr_repository.repo.repository_url}:${var.versioning}"
+ essential = true,
+ dockerLabels = {
+ "com.datadoghq.ad.instances" : "[{\"host\":\"%%host%%\"}]",
+ "com.datadoghq.ad.check_names" : "[\"${local.service_name}\"]",
+ },
+ portMappings = [
+ {
+ containerPort = 3000
+ }
+ ],
+ secrets = [
+ {
+ name = "EVM_PRIVATE_KEY"
+ valueFrom = data.aws_ssm_parameter.evm_private_key.arn
+ },
+ {
+ name = "STRING_ENCRYPTION_KEY"
+ valueFrom = data.aws_ssm_parameter.string_encryption_secret.arn
+ },
+ {
+ name = "STRING_INTERNAL_ID"
+ valueFrom = data.aws_ssm_parameter.string_internal_id.arn
+ },
+ {
+ name = "STRING_WALLET_ID"
+ valueFrom = data.aws_ssm_parameter.string_wallet_id.arn
+ },
+ {
+ name = "STRING_BANK_ID"
+ valueFrom = data.aws_ssm_parameter.string_bank_id.arn
+ },
+ {
+ name = "STRING_PLACEHOLDER_PLATFORM_ID"
+ valueFrom = data.aws_ssm_parameter.string_platform_id.arn
+ },
+ {
+ name = "UNIT21_API_KEY"
+ valueFrom = data.aws_ssm_parameter.unit21_api_key.arn
+ },
+ {
+ name = "IPSTACK_API_KEY"
+ valueFrom = data.aws_ssm_parameter.ipstack_api_key.arn
+ },
+ {
+ name = "CHECKOUT_PUBLIC_KEY"
+ valueFrom = data.aws_ssm_parameter.checkout_public_key.arn
+ },
+ {
+ name = "CHECKOUT_SECRET_KEY"
+ valueFrom = data.aws_ssm_parameter.checkout_private_key.arn
+ },
+ {
+ name = "OWLRACLE_API_KEY"
+ valueFrom = data.aws_ssm_parameter.owlracle_api_key.arn
+ },
+ {
+ name = "OWLRACLE_API_SECRET"
+ valueFrom = data.aws_ssm_parameter.owlracle_api_secret.arn
+ },
+ {
+ name = "FINGERPRINT_API_KEY"
+ valueFrom = data.aws_ssm_parameter.fingerprint_api_key.arn
+ },
+ {
+ name = "SENDGRID_API_KEY"
+ valuefrom = data.aws_ssm_parameter.sendgrid_api_key.arn
+ },
+ {
+ name = "TWILIO_ACCOUNT_SID"
+ valueFrom = data.aws_ssm_parameter.twilio_account_sid.arn
+ },
+ {
+ name = "TWILIO_SMS_SID"
+ valuefrom = data.aws_ssm_parameter.twilio_sms_sid.arn
+ },
+ {
+ name = "TWILIO_AUTH_TOKEN"
+ valuefrom = data.aws_ssm_parameter.twilio_auth_token.arn
+ },
+ {
+ name = "DB_USERNAME"
+ valueFrom = data.aws_ssm_parameter.db_username.arn
+ },
+ {
+ name = "DB_PASSWORD"
+ valueFrom = data.aws_ssm_parameter.db_password.arn
+ },
+ {
+ name = "DB_HOST"
+ valueFrom = data.aws_ssm_parameter.db_host.arn
+ },
+ {
+ name = "DB_NAME"
+ valueFrom = data.aws_ssm_parameter.db_name.arn
+ },
+ {
+ name = "REDIS_HOST",
+ valuefrom = data.aws_ssm_parameter.redis_host_url.arn
+ },
+ {
+ name = "REDIS_PASSWORD",
+ valuefrom = data.aws_ssm_parameter.redis_auth_token.arn
+ }
+ ]
+ environment = [
+ {
+ name = "PORT"
+ value = local.container_port
+ },
+ {
+ name = "REDIS_PORT"
+ value = local.redis_port
+ },
+ {
+ name = "DB_PORT",
+ value = local.db_port
+ },
+ {
+ name = "ENV"
+ value = local.env
+ },
+ {
+ name = "AWS_REGION"
+ value = local.region
+ },
+ {
+ name = "AWS_KMS_KEY_ID"
+ value = data.aws_kms_key.kms_key.key_id
+ },
+ {
+ name = "OWLRACLE_API_URL"
+ value = "https://api.owlracle.info/v3/"
+ },
+ {
+ name = "COINGECKO_API_URL"
+ value = "https://api.coingecko.com/api/v3/"
+ },
+ {
+ name = "FINGERPRINT_API_URL"
+ value = "https://api.fpjs.io/"
+ },
+ {
+ name = "BASE_URL"
+ value = "https://string-api.dev.string-api.xyz/"
+ },
+ {
+ name = "UNIT21_ENV"
+ value = "sandbox2-api"
+ },
+ {
+ name = "UNIT21_ORG_NAME"
+ value = "string"
+ },
+ {
+ name = "CHECKOUT_ENV"
+ value = local.env
+ },
+ {
+ name = "DD_LOGS_ENABLED"
+ value = "true"
+ },
+ {
+ name = "DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL"
+ value = "true"
+ },
+ {
+ name = "DD_SERVICE"
+ value = local.service_name
+ },
+ {
+ name = "DD_VERSION"
+ value = var.versioning
+ },
+ {
+ name = "DD_ENV"
+ value = local.env
+ },
+ {
+ name = "DD_APM_ENABLED"
+ value = "true"
+ },
+ {
+ name = "DD_SITE"
+ value = "datadoghq.com"
+ },
+ {
+ name = "ECS_FARGATE"
+ value = "true"
+ }
+ ],
+ logConfiguration = {
+ logDriver = "awsfirelens"
+ secretOptions = [{
+ name = "apiKey",
+ valueFrom = data.aws_ssm_parameter.datadog.arn
+ }]
+ options = {
+ Name = "datadog"
+ "dd_service" = "${local.service_name}"
+ "Host" = "http-intake.logs.datadoghq.com"
+ "dd_source" = "${local.service_name}"
+ "dd_message_key" = "log"
+ "dd_tags" = "project:${local.service_name}"
+ "TLS" = "on"
+ "provider" = "ecs"
+ }
+ }
+ },
+ {
+ name = "datadog-agent"
+ image = "public.ecr.aws/datadog/agent:latest"
+ essential = true
+ secrets = [{
+ name = "DD_API_KEY"
+ valueFrom = data.aws_ssm_parameter.datadog.arn
+ }],
+ portMappings = [{
+ hostPort = 8126,
+ protocol = "tcp",
+ containerPort = 8126
+ }
+ ]
+ },
+ {
+ name = "log_router"
+ image = "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable"
+ essential = true
+ firelensConfiguration = {
+ type = "fluentbit"
+ options = {
+ "enable-ecs-log-metadata" = "true"
+ }
+ }
+ }
+ ])
+}
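Review bot: Five `secrets` entries use the key `valuefrom` instead of `valueFrom` (`SENDGRID_API_KEY`, `TWILIO_SMS_SID`, `TWILIO_AUTH_TOKEN`, `REDIS_HOST`, `REDIS_PASSWORD`); the ECS container-definition key is `valueFrom`, and whether the provider's JSON decoding happens to tolerate the lowercase form is not something to rely on for secret injection, so rename each to `valueFrom` to match the other eighteen entries. The `datadog-agent` container pulls `public.ecr.aws/datadog/agent:latest` and `log_router` pulls `aws-for-fluent-bit:stable`; both are mutable tags, so a task restart can pick up an image nobody reviewed, which is at odds with the `IMMUTABLE` setting on the service's own ECR repository in ecs.tf; pin a version tag or an `@sha256:` digest. `BASE_URL` is `https://string-api.dev.string-api.xyz/` while `root_domain` is `sandbox.string-api.xyz`, so the sandbox service will emit links and callbacks that point at dev; confirm whether that is intended. A 261-line `jsonencode` literal with no header comment is hard to review; a short comment above `task_definition` naming the three containers and why the agent and log router run as sidecars would help the next reader.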