tui authn (#72)

* Allow release.yml to update ecs tasks * tui authn
TykTechnologies · Jun 11, 2024 · 6c3fb6a · 6c3fb6a
1 parent 6f7f48a
commit 6c3fb6a
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 11 deletions.
diff --git a/infra/cd.tf b/infra/cd.tf
@@ -83,6 +83,61 @@ resource "aws_iam_role" "ter" {
   #managed_policy_arns = ["arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"]
 }
 
+# ecr_rw_tyk is created in base but ter is created here. We need to
+# know ter so that we can give ecr_rw_tyk the minimum permission
+# boundary
+data "aws_iam_role" "ecr_rw_tyk" {
+  name = "ecr_rw_tyk"
+}
+
+resource "aws_iam_policy" "ecs_deploy" {
+  name        = "ecs_deploy"
+  path        = "/cd/deploy/"
+  description = "Allows ECS tasks to be updated"
+
+  policy = <<-EOF
+{
+   "Version":"2012-10-17",
+   "Statement":[
+      {
+         "Sid":"RegisterTaskDefinition",
+         "Effect":"Allow",
+         "Action":[
+            "ecs:RegisterTaskDefinition"
+         ],
+         "Resource":"*"
+      },
+      {
+         "Sid":"PassRolesInTaskDefinition",
+         "Effect":"Allow",
+         "Action":[
+            "iam:PassRole"
+         ],
+         "Resource":[
+            "${data.aws_iam_role.ecr_rw_tyk.arn}"
+         ]
+      },
+      {
+         "Sid":"DeployService",
+         "Effect":"Allow",
+         "Action":[
+            "ecs:UpdateService",
+            "ecs:DescribeServices"
+         ],
+         "Resource":[
+            "arn:aws:ecs:eu-central-1:754489498669:service/*"
+         ]
+      }
+   ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_deploy" {
+  role       = data.aws_iam_role.ecr_rw_tyk.name
+  policy_arn = aws_iam_policy.ecs_deploy.arn
+}
+
 resource "aws_ssm_parameter" "ter" {
   name        = "/cd/ter"
   type        = "String"
@@ -92,7 +147,7 @@ resource "aws_ssm_parameter" "ter" {
 
 resource "aws_s3_bucket_policy" "deptrack_lb_logs" {
   bucket = data.terraform_remote_state.base.outputs.assets
-  policy = <<EOF
+  policy = <<-EOF
 {
   "Version": "2012-10-17",
   "Statement": [

diff --git a/infra/gromit.tf b/infra/gromit.tf
@@ -20,6 +20,14 @@ resource "aws_ssm_parameter" "licenser_tokens" {
   value       = data.sops_file.secrets.data["licenser_tokens.${each.value}"]
 }
 
+
+resource "aws_ssm_parameter" "tui_credentials" {
+  name        = "/cd/tui_credentials"
+  type        = "SecureString"
+  description = "Authenticated tui APIs"
+  value       = data.sops_file.secrets.data["tui_credentials"]
+}
+
 # API server for test UI
 module "tui" {
   source = "./modules/fg-service"
@@ -32,13 +40,15 @@ module "tui" {
     port      = 80,
     log_group = "internal",
     image     = var.gromit_image,
-    command   = ["--textlogs=false", "policy", "serve", "--save=/shared/test-variations.yml", "--port=:80"],
+    command   = ["--textlogs=false", "policy", "serve", "--save=/shared/prod-variations.yml", "--port=:80"],
     mounts = [
       { src = "shared", dest = "/shared", readonly = false },
     ],
-    env     = [],
-    secrets = [],
-    region  = data.aws_region.current.name
+    env = [],
+    secrets = [
+      { name = "CREDENTIALS", valueFrom = aws_ssm_parameter.tui_credentials.arn }
+    ],
+    region = data.aws_region.current.name
   }
   trarn      = aws_iam_role.ter.arn
   tearn      = aws_iam_role.ter.arn

diff --git a/infra/infra-secrets.yaml b/infra/infra-secrets.yaml
@@ -1,18 +1,19 @@
 licenser_tokens:
-    dashboard: ENC[AES256_GCM,data:u1B1KGOh92bVfktN9g6RS9NQLUXDsVUD,iv:KoBlulrFLg0PTnXLFHOTjFnQEVXTucp8IwfLeMauRhQ=,tag:v2UhZ/MtX+u5OMfoCXY+jg==,type:str]
-    mdcb: ENC[AES256_GCM,data:+qTuXUgqmO4RZU1pYazSk3WAaG1E1FdG,iv:YqO0vbY67lchZWVWdW5WvcCIS+WiXpFgy+OE2dUcNJU=,tag:bljHmF4VHk9zRtU/k1jAuQ==,type:str]
+    dashboard: ENC[AES256_GCM,data:ARm3X9c5XmDXKR5gl3enUa+XkD4uaTkF,iv:ey2f6e4gzCkmSUa0ma8bZA4E9UxeXqJtjKQ2UxQUmwM=,tag:p91bdBouymiVnfntaflzNw==,type:str]
+    mdcb: ENC[AES256_GCM,data:YA6ZxYsyc8lFW3a4Fv8DMik9ZR2ZFz9W,iv:Eg9fHCY585C+lmSFU1xg65nZoI0ClVK782yyzZfpLoQ=,tag:R6sQkOicphqtSAruFCaJ4g==,type:str]
+tui_credentials: ENC[AES256_GCM,data:BRr5BWNzH/t0EUrq8QbjSuBpmaiyooY8sR1UP3Xr,iv:U/xixSobXf5NDo8/R2SGGB6EP3QbV4CB43L1TUlacO0=,tag:zxrw9mZx5X+gf9KkW+7yJA==,type:str]
 sops:
     kms:
         - arn: arn:aws:kms:eu-central-1:754489498669:key/215a7274-5652-4521-8a88-b18e02b8f13e
-          created_at: "2024-05-29T06:41:45Z"
-          enc: AQICAHiDjTyDzev9deXqMt8qn7IIVL95PjWZTOOP+RjKHUtt0AGrZPgA+y+xDk2alhHiR+b7AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+gwhG51MD8EVbk/dAgEQgDvTJKJ9nmeih80qSogOkwKer8uJ+c6odA2OT2oSSOQxZ/ECFM2TO0fbNQEE2LN9wcJXPYxh1+W7EGooWA==
+          created_at: "2024-06-08T17:43:43Z"
+          enc: AQICAHiDjTyDzev9deXqMt8qn7IIVL95PjWZTOOP+RjKHUtt0AEy68B6RFvcEeDgE4Xa8FfWAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMA1yRymzR5l6gsKqEAgEQgDvSs6U45h2J6SJEwk7jpBmV8Thq163gAXvWgbqzRKF2h6lpWVzAlVjox1XH5Q8TjgHCrS0e7Sm9Chp9Bw==
           aws_profile: ""
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-05-29T06:41:51Z"
-    mac: ENC[AES256_GCM,data:Pnfu5731hZU+WQF7XDoxVGSMhLkNr4tjduwX/cPQB079/av5mmscto2Xxdp69pUjTjD/+xnbh3GZk3HLyqBNsSNOmjNlrUoNE49YdJQ5qeEzlAWCyBNxmHsTc4EuobXjBaWUxfUPSK8GuWtlXf4j64z6NeB033xXgVLfAYrJOIM=,iv:emLpO/C0zVVGMypEAkp19hK4YiBNWgNViv4i6UsDsiQ=,tag:i2E17VrUkmOA9tZqtiJ5aA==,type:str]
+    lastmodified: "2024-06-08T17:43:48Z"
+    mac: ENC[AES256_GCM,data:GC+/zezXdLBpPtn777JDJHsfMH6DbPxM6qgfE0dPI07G1phz+mZIRKFcuQgUwoLv06AqafkvVtdRFqaw/MiI2Avc95DE3yG4x9XGOhJNqAC7gf90JReFa/iPMb+QIAleqY3grUVqjvRBeo2bgQq6m26rDiKNi4Z38PBFFRV5guc=,iv:jo1cgkeBgq3N2d2ghNkoNJxnulHDZ5uUzKrzBWpU6A4=,tag:FLPwfdrkHJEw6Zbtq25Fmg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1