Move to alexs aws

container-registry.tf

@@ -2,52 +2,6 @@ resource "aws_ecs_cluster" "cognoma" {
   name = "cognoma"
 }
 
-resource "aws_iam_role" "ecs-service-role" {
-  name = "ecs-service"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "ecs.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "ecs-service" {
-  name = "ecs-service-policy"
-  role = "${aws_iam_role.ecs-service-role.name}"
-
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:Describe*",
-                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
-                "elasticloadbalancing:DeregisterTargets",
-                "elasticloadbalancing:Describe*",
-                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
-                "elasticloadbalancing:RegisterTargets"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-EOF
-}
-
 resource "aws_ecs_task_definition" "cognoma-core-service" {
   family = "cognoma-core-service"
   container_definitions = "${file("task-definitions/core-service.json.secret")}"
@@ -60,8 +14,10 @@ resource "aws_ecs_service" "cognoma-core-service" {
   desired_count  = 2
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent = 100
-  iam_role = "${aws_iam_role.ecs-service-role.name}"
-  depends_on = ["aws_iam_role_policy.ecs-service"]
+  iam_role = "arn:aws:iam::589864003899:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
+
+  # Give the service some time to come up before getting prematurely shut down.
+  health_check_grace_period_seconds = 180
 
   load_balancer {
     elb_name = "${aws_elb.cognoma-core.name}"
@@ -93,7 +49,6 @@ resource "aws_ecs_service" "cognoma-ml-workers" {
   desired_count  = 2
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent = 100
-  depends_on = ["aws_iam_role_policy.ecs-service"]
 
   # Task definitions get created during deployment. Therefore as soon
   # as someone deploys a new one, the one specified by these
@@ -107,6 +62,10 @@ resource "aws_ecr_repository" "cognoma-ml-workers" {
   name = "cognoma-ml-workers"
 }
 
+resource "aws_ecr_repository" "cognoma-nginx" {
+  name = "cognoma-nginx"
+}
+
 resource "aws_ecs_task_definition" "cognoma-nginx" {
   family = "cognoma-nginx"
   container_definitions = "${file("task-definitions/nginx.json.secret")}"
@@ -119,8 +78,10 @@ resource "aws_ecs_service" "nginx" {
   desired_count  = 2
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent = 100
-  iam_role = "${aws_iam_role.ecs-service-role.name}"
-  depends_on = ["aws_iam_role_policy.ecs-service"]
+  iam_role = "arn:aws:iam::589864003899:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
+
+  # Give the service some time to come up before getting prematurely shut down.
+  health_check_grace_period_seconds = 180
 
   load_balancer {
     elb_name = "${aws_elb.cognoma-nginx.name}"

load-balancers.tf

@@ -15,7 +15,7 @@ resource "aws_elb" "cognoma-core" {
     healthy_threshold = 10
     unhealthy_threshold = 2
     timeout = 5
-    target = "TCP:8000"
+    target = "HTTP:8000/"
     interval = 30
   }
 

main.tf

@@ -4,6 +4,12 @@ provider "aws" {
 
 variable "database_password" {}
 
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {
+  current = true
+}
+
 resource "aws_vpc" "cognoma-vpc" {
   cidr_block = "172.31.0.0/16"
   enable_dns_support = true
@@ -96,9 +102,9 @@ resource "aws_key_pair" "cognoma" {
 }
 
 resource "aws_instance" "cognoma-service-1" {
-  ami = "ami-275ffe31"
-  instance_type = "r4.large"
+  ami = "ami-5e414e24"
   availability_zone = "us-east-1a"
+  instance_type = "r4.large"
   vpc_security_group_ids = ["${aws_security_group.cognoma-service.id}"]
   iam_instance_profile = "${aws_iam_instance_profile.ecs-instance-profile.name}"
   subnet_id = "${aws_subnet.cognoma-1a.id}"
@@ -112,9 +118,9 @@ resource "aws_instance" "cognoma-service-1" {
 }
 
 resource "aws_instance" "cognoma-service-2" {
-  ami = "ami-275ffe31"
-  instance_type = "r4.large"
+  ami = "ami-5e414e24"
   availability_zone = "us-east-1b"
+  instance_type = "r4.large"
   vpc_security_group_ids = ["${aws_security_group.cognoma-service.id}"]
   iam_instance_profile = "${aws_iam_instance_profile.ecs-instance-profile.name}"
   subnet_id = "${aws_subnet.cognoma-1b.id}"

route53.tf

@@ -7,7 +7,7 @@ variable "cognoma-domain" {
 }
 
 data "aws_route53_zone" "cognoma" {
-  zone_id = "Z2GDAYII3P3OEX"
+  zone_id = "Z1D5X4ZSR5R6N1"
 }
 
 resource "aws_ses_domain_identity" "cognoma" {
@@ -41,7 +41,9 @@ resource "aws_route53_record" "cognoma-dot-org" {
 
 resource "aws_route53_record" "cognoma-ses-verification-record" {
   zone_id = "${data.aws_route53_zone.cognoma.zone_id}"
-  name = "${var.cognoma-domain}"
+  # This name was what AWS SES said it needed to be when I clicked the
+  # retry button in the AWS console.
+  name = "_amazonses.${var.cognoma-domain}"
   type = "TXT"
   ttl = "5"
   records = ["${aws_ses_domain_identity.cognoma.verification_token}"]

security-groups.tf

@@ -26,6 +26,17 @@ resource "aws_security_group_rule" "cognoma-service-custom" {
   security_group_id = "${aws_security_group.cognoma-service.id}"
 }
 
+# The ELB needs to be able to make outbound http requests to the
+# intances for health checks
+resource "aws_security_group_rule" "cognoma-service-elb-outbound" {
+  type = "egress"
+  from_port = 8000
+  to_port = 8000
+  protocol = "tcp"
+  self = true
+  security_group_id = "${aws_security_group.cognoma-service.id}"
+}
+
 resource "aws_security_group_rule" "cognoma-service-ssh" {
   type = "ingress"
   from_port = 22
@@ -35,6 +46,24 @@ resource "aws_security_group_rule" "cognoma-service-ssh" {
   security_group_id = "${aws_security_group.cognoma-service.id}"
 }
 
+resource "aws_security_group_rule" "cognoma-service-outbound-http" {
+  type = "egress"
+  from_port = 80
+  to_port = 80
+  protocol = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.cognoma-service.id}"
+}
+
+resource "aws_security_group_rule" "cognoma-service-outbound-https" {
+  type = "egress"
+  from_port = 443
+  to_port = 443
+  protocol = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.cognoma-service.id}"
+}
+
 resource "aws_security_group" "cognoma-public-elb" {
   name = "cognoma-public-elb"
   description = "cognoma-public-elb"
@@ -74,7 +103,8 @@ resource "aws_security_group" "cognoma-db" {
   }
 }
 
-resource "aws_security_group_rule" "cognoma-db-postgres-self" {
+# Allow RDS instance to accept inbound postgres connections from cognoma service instances
+resource "aws_security_group_rule" "cognoma-db-from-instance" {
   type = "ingress"
   from_port = 5432
   to_port = 5432
@@ -83,6 +113,16 @@ resource "aws_security_group_rule" "cognoma-db-postgres-self" {
   security_group_id = "${aws_security_group.cognoma-db.id}"
 }
 
+# Allow the cognoma service instances to make outbound postgres connections to RDS instance
+resource "aws_security_group_rule" "cognoma-instance-to-db" {
+  type = "egress"
+  from_port = 5432
+  to_port = 5432
+  protocol = "tcp"
+  source_security_group_id = "${aws_security_group.cognoma-db.id}"
+  security_group_id = "${aws_security_group.cognoma-service.id}"
+}
+
 resource "aws_security_group_rule" "cognoma-db-outbound" {
   type = "egress"
   from_port = 0