From d3da8aabe7f256f0a76feedc9eb275ccd6ef4ce5 Mon Sep 17 00:00:00 2001
From: "Alok G Singh alok@tyk.io"
Date: Tue, 7 May 2024 12:17:35 +0800
Subject: [PATCH] infra supporting cd tasks for pro env

---
 base/base.tf | 7 +++
 base/dns.tf | 13 ++++-
 infra/{iam.tf => cd.tf} | 75 +++++++++++++++++++++++++++++++++
 infra/deps/Makefile | 3 ++
 infra/deps/envfiles/mongo44.env | 30 +++++++++++++
 infra/deps/envfiles/redis60.env | 6 +++
 infra/infra.tf | 43 ++++++++++++++++---
 7 files changed, 168 insertions(+), 9 deletions(-)
 rename infra/{iam.tf => cd.tf} (51%)
 create mode 100644 infra/deps/envfiles/mongo44.env
 create mode 100644 infra/deps/envfiles/redis60.env

diff --git a/base/base.tf b/base/base.tf
index 48d2554..04bed50 100644
--- a/base/base.tf
+++ b/base/base.tf
@@ -71,6 +71,13 @@ resource "aws_efs_file_system" "shared" {
 creation_token = "reproducible environments"
 }
 
+resource "aws_ssm_parameter" "cd_efs" {
+ name = "/cd/efs"
+ type = "String"
+ description = "EFS ID for CD tasks"
+ value = aws_efs_file_system.shared.id
+}
+
 # CD secrets
 resource "aws_kms_key" "cd" {
 description = "usage delegated to tyk-ci/infra"
diff --git a/base/dns.tf b/base/dns.tf
index 86d3669..f9a6198 100644
--- a/base/dns.tf
+++ b/base/dns.tf
@@ -6,20 +6,27 @@ provider "cloudflare" {
 }
 
 resource "cloudflare_record" "dev_tyk_tech" {
- for_each = toset(aws_route53_zone.dev_tyk_tech.name_servers)
+ for_each = toset(aws_route53_zone.dev_tyk_tech.name_servers)
 depends_on = [aws_route53_zone.dev_tyk_tech]
-
+
 # This is the tyk.technology zone
 zone_id = "f3ee9e1c1e0e47f8ab60fae66d39aa8f"
 name = "dev"
 type = "NS"
- value = each.value
+ value = each.value
 }
 
 resource "aws_route53_zone" "dev_tyk_tech" {
 name = "dev.tyk.technology"
 }
 
+resource "aws_ssm_parameter" "cd_zone" {
+ name = "/cd/zone"
+ type = "String"
+ description = "Route53 zone ID for CD tasks"
+ value = aws_route53_zone.dev_tyk_tech.id
+}
+
 # One wildcard cert
 resource "aws_acm_certificate" "dev_tyk_tech" {
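Review bot: `aws_ssm_parameter.cd_efs` publishes the EFS ID under `/cd/`, but nothing in base.tf records that this prefix is an interface: cd.tf in the same patch grants `ssm:GetParameters` on `parameter/cd/*` together with `kms:Decrypt` on the `aws_kms_key.cd` declared just below, so anything later stored under `/cd/` as a SecureString becomes readable by every principal holding that policy. The value here is non-secret, which is fine, but the convention should be written down where new parameters will be added. Suggested comment above the resource: `# /cd/* is read by tyk-ci/infra CD tasks (ssm:GetParameters + kms:Decrypt on aws_kms_key.cd); keep only non-secret String values here unless the consumer's KMS grant is scoped first.`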
diff --git a/infra/iam.tf b/infra/cd.tf
similarity index 51%
rename from infra/iam.tf
rename to infra/cd.tf
index b303433..f12ed75 100644
--- a/infra/iam.tf
+++ b/infra/cd.tf
@@ -1,3 +1,5 @@
+# Common resources used by all CD tasks
+
 data "aws_iam_policy_document" "ecs_assume_role_policy" {
 statement {
 actions = ["sts:AssumeRole"]
@@ -36,6 +38,29 @@ data "aws_iam_policy_document" "extra" {
 resources = [data.aws_efs_file_system.shared.arn]
 }
 
+
+ statement {
+ sid = "envfiles"
+ actions = [
+ "s3:GetObject"
+ ]
+
+ resources = ["arn:aws:s3:::${data.terraform_remote_state.base.outputs.assets}/envfiles/*"]
+ }
+
+ statement {
+ sid = "secrets"
+ actions = [
+ "ssm:GetParameters",
+ "kms:Decrypt"
+ ]
+
+ resources = [
+ data.terraform_remote_state.base.outputs.kms,
+ "arn:aws:ssm:eu-central-1:754489498669:parameter/cd/*"
+ ]
+ }
+
 }
 
 data "aws_efs_file_system" "shared" {
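Review bot: The `secrets` statement grants `kms:Decrypt` on the base CD key with no condition, so any principal carrying this policy document can use the key directly rather than only through Parameter Store, and every `/cd/*` parameter created in this patch is `type = "String"`, so nothing visible here needs the decrypt grant yet. Split the statement and limit the KMS half with a `kms:ViaService` condition so the key is usable only via SSM in this region, as below. The SSM ARN also hard-codes region and account (`arn:aws:ssm:eu-central-1:754489498669:...`); `data.aws_region.current` / `data.aws_caller_identity.current` would keep it portable if those data sources exist (they are not visible in this hunk). Which role `extra` is attached to is outside the hunk, so the blast radius is inferred.
```hcl
  statement {
    sid       = "secrets"
    actions   = ["ssm:GetParameters"]
    resources = ["arn:aws:ssm:eu-central-1:754489498669:parameter/cd/*"]
  }

  statement {
    sid       = "secretsDecrypt"
    actions   = ["kms:Decrypt"]
    resources = [data.terraform_remote_state.base.outputs.kms]

    # Key may only be exercised through Parameter Store, not called directly.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.eu-central-1.amazonaws.com"]
    }
  }
```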
@@ -58,6 +83,13 @@ resource "aws_iam_role" "ter" {
 #managed_policy_arns = ["arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"]
 }
 
+resource "aws_ssm_parameter" "ter" {
+ name = "/cd/ter"
+ type = "String"
+ description = "Task execution role ARN for CD tasks"
+ value = aws_iam_role.ter.arn
+}
+
 resource "aws_s3_bucket_policy" "deptrack_lb_logs" {
 bucket = data.terraform_remote_state.base.outputs.assets
 policy = <
+TYK_GW_SLAVEOPTIONS_RPCKEY=
+TYK_LOGLEVEL=debug
+TYK_MDCB_ANALYTICSCONFIG_MONGOSSLINSECURESKIPVERIFY=false
+TYK_MDCB_ANALYTICSCONFIG_MONGOURL=mongodb://mongo44.storage.internal:27017/tyk_analytics
+TYK_MDCB_ANALYTICSCONFIG_MONGOUSESSL=false
+TYK_MDCB_ANALYTICSCONFIG_TYPE=mongo
+TYK_MDCB_LOGLEVEL=debug
+TYK_MDCB_STORAGE_HOST=redis
+TYK_PMP_ANALYTICSSTORAGECONFIG_HOST=redis
+TYK_PMP_LOGLEVEL=debug
+TYK_PMP_PUMPS_MONGOAGGREGATE_META_MONGOURL=mongodb://mongo44.storage.internal:27017/tyk_analytics
+TYK_PMP_PUMPS_MONGOAGGREGATE_META_TRACKALLPATHS=true
+TYK_PMP_PUMPS_MONGOAGGREGATE_META_USEMIXEDCOLLECTION=true
+TYK_PMP_PUMPS_MONGOAGGREGATE_TYPE=mongo-pump-aggregate
+TYK_PMP_PUMPS_MONGOSELECTIVE_META_MONGOURL=mongodb://mongo44.storage.internal:27017/tyk_analytics
+TYK_PMP_PUMPS_MONGOSELECTIVE_META_TRACKALLPATHS=true
+TYK_PMP_PUMPS_MONGOSELECTIVE_META_USEMIXEDCOLLECTION=true
+TYK_PMP_PUMPS_MONGOSELECTIVE_TYPE=mongo-pump-selective
+TYK_PMP_PUMPS_MONGO_META_COLLECTIONNAME=tyk_analytics
+TYK_PMP_PUMPS_MONGO_META_MAXDOCUMENTSIZEBYTES=20112
+TYK_PMP_PUMPS_MONGO_META_MAXINSERTBATCHSIZEBYTES=80000
+TYK_PMP_PUMPS_MONGO_META_MONGOURL=mongodb://mongo44.storage.internal:27017/tyk_analytics
+TYK_PMP_PUMPS_MONGO_TYPE=mongo
+TYK_PMP_UPTIMEPUMPCONFIG_COLLECTIONNAME=tyk_analytics
+TYK_PMP_UPTIMEPUMPCONFIG_MONGOURL=mongodb://mongo44.storage.internal:27017/tyk_analytics
+TYK_PMP_UPTIMEPUMPCONFIG_UPTIMETYPE=mongo
diff --git a/infra/deps/envfiles/redis60.env b/infra/deps/envfiles/redis60.env
new file mode 100644
index 0000000..6113517
--- /dev/null
+++ b/infra/deps/envfiles/redis60.env
@@ -0,0 +1,6 @@
+TYK_GW_STORAGE_HOST=redis60.storage.internal
+TYK_GW_STORAGE_USESSL=false
+TYK_GW_STORAGE_ENABLECLUSTER=false
+TYK_DB_REDIS_HOST=redis60.storage.internal
+TYK_DB_REDIS_USESSL=false
+TYK_PMP_ANALYTICSSTORAGECONFIG_HOST=redis60.storage.internal
diff --git a/infra/infra.tf b/infra/infra.tf
index 9b99ba1..c9fcf75 100644
--- a/infra/infra.tf
+++ b/infra/infra.tf
@@ -165,12 +165,6 @@ resource "aws_ecs_cluster" "internal" {
 # DNS
 
-resource "aws_service_discovery_private_dns_namespace" "internal" {
- name = "dev.internal"
- description = "Private DNS for resources"
- vpc = data.terraform_remote_state.base.outputs.vpc.id
-}
-
 resource "aws_route53_record" "bastion" {
 zone_id = data.terraform_remote_state.base.outputs.dns.zone_id
@@ -180,3 +174,40 @@ resource "aws_route53_record" "bastion" {
 records = [module.bastion.public_ip]
 }
 
+
+# For CD tasks
+resource "aws_service_discovery_private_dns_namespace" "dev_internal" {
+ name = "dev.internal"
+ description = "For CD ECS tasks"
+ vpc = data.terraform_remote_state.base.outputs.vpc.id
+}
+
+resource "aws_service_discovery_service" "dev_internal" {
+ name = "dev-internal"
+
+ dns_config {
+ namespace_id = aws_service_discovery_private_dns_namespace.dev_internal.id
+
+ dns_records {
+ ttl = 10
+ type = "A"
+ }
+ dns_records {
+ ttl = 10
+ type = "SRV"
+ }
+
+ routing_policy = "MULTIVALUE"
+ }
+
+ health_check_custom_config {
+ failure_threshold = 1
+ }
+}
+
+resource "aws_ssm_parameter" "cd_sd" {
+ name = "/cd/sd"
+ type = "String"
+ description = "Service discovery registry arn for CD tasks"
+ value = aws_service_discovery_service.dev_internal.arn
+}
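Review bot: This env file turns TLS off for both the gateway and dashboard Redis connections (`TYK_GW_STORAGE_USESSL=false`, `TYK_DB_REDIS_USESSL=false`) and sets no Redis password, so CD tasks reach `redis60.storage.internal` in plaintext and, unless credentials are injected from elsewhere, unauthenticated. That may be acceptable for an ephemeral test environment on a private Cloud Map name, but the file should say so, because env files get copied into other stacks. ECS env files accept `#` comment lines; add `# Test-only: plaintext, unauthenticated Redis reachable only inside the VPC (storage.internal); do not reuse for shared or internet-facing stacks.` as the first line.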
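Review bot: `aws_service_discovery_private_dns_namespace.dev_internal` declares the same `dev.internal` namespace that the preceding hunk removes under the address `.internal`, so as written Terraform will destroy the old namespace and create a new one instead of renaming it; anything still holding the old namespace ID breaks, and the ARN published in the new `/cd/sd` parameter changes with every such replacement. If the pinned Terraform version is at least 1.1, a `moved` block keeps the existing state entry and reduces the namespace plan to an in-place `description` update. The new `dev_internal` service and `cd_sd` parameter are unaffected by the move and can stay as written.
```hcl
moved {
  from = aws_service_discovery_private_dns_namespace.internal
  to   = aws_service_discovery_private_dns_namespace.dev_internal
}
# … unchanged: aws_service_discovery_private_dns_namespace.dev_internal, aws_service_discovery_service.dev_internal, aws_ssm_parameter.cd_sd …
```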