diff --git a/aws-ecsfargate-terraform/terraform.tf b/aws-ecsfargate-terraform/terraform.tf index dcc74cd..e95bbb5 100644 --- a/aws-ecsfargate-terraform/terraform.tf +++ b/aws-ecsfargate-terraform/terraform.tf @@ -15,11 +15,11 @@ provider "aws" { locals { name_prefix = var.name_prefix != "" ? var.name_prefix : "scim-bridge" - tags = var.tags == {} ? var.tags : { - application = "1Password SCIM Bridge", - version = trimprefix(jsondecode(file("task-definitions/scim.json"))[0].image, "1password/scim:v") + domain = join(".", slice(split(".", var.domain_name), 1, length(split(".", var.domain_name)))) + tags = var.tags == {} ? var.tags : { + application = "1Password SCIM Bridge", + version = trimprefix(jsondecode(file("task-definitions/scim.json"))[0].image, "1password/scim:v") } - domain = join(".", slice(split(".", var.domain_name), 1, length(split(".", var.domain_name)))) } # Use the default VPC or find the VPC by name @@ -36,9 +36,10 @@ data "aws_subnet_ids" "subnets" { resource "aws_secretsmanager_secret" "scimsession" { name = format("%s-%s",local.name_prefix,"scimsession") - tags = local.tags # Allow `terraform destroy` to delete secret (hint: save your scimsession file in 1Password) recovery_window_in_days = 0 + + tags = local.tags } resource "aws_secretsmanager_secret_version" "scimsession_1" { @@ -53,6 +54,7 @@ resource "aws_cloudwatch_log_group" "scim-bridge" { resource "aws_ecs_cluster" "scim-bridge" { name = var.name_prefix == "" ? "scim-bridge" : format("%s-%s",local.name_prefix,"scim-bridge") + tags = local.tags } @@ -68,12 +70,14 @@ resource "aws_ecs_task_definition" "scim-bridge" { memory = 512 cpu = 256 execution_role_arn = aws_iam_role.scim-bridge.arn + tags = local.tags } resource "aws_iam_role" "scim-bridge" { name = format("%s-%s",local.name_prefix,"task-role") assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json + tags = local.tags } @@ -118,9 +122,7 @@ resource "aws_ecs_service" "scim_bridge_service" { launch_type = "FARGATE" platform_version = "1.4.0" desired_count = 1 - depends_on = [aws_lb_listener.listener_https] - tags = local.tags - + load_balancer { target_group_arn = aws_lb_target_group.target_group_http.arn container_name = aws_ecs_task_definition.scim-bridge.family @@ -132,6 +134,10 @@ resource "aws_ecs_service" "scim_bridge_service" { assign_public_ip = true security_groups = [aws_security_group.service_security_group.id] } + + tags = local.tags + + depends_on = [aws_lb_listener.listener_https] } resource "aws_alb" "scim-bridge-alb" { @@ -139,13 +145,13 @@ resource "aws_alb" "scim-bridge-alb" { load_balancer_type = "application" subnets = data.aws_subnet_ids.subnets.ids security_groups = [aws_security_group.scim-bridge-sg.id] + tags = local.tags } # Create a security group for the load balancer: resource "aws_security_group" "scim-bridge-sg" { vpc_id = data.aws_vpc.vpc.id - tags = local.tags ingress { from_port = 80 to_port = 80 @@ -166,10 +172,11 @@ resource "aws_security_group" "scim-bridge-sg" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } + + tags = local.tags } resource "aws_security_group" "service_security_group" { - tags = local.tags ingress { from_port = 3002 to_port = 3002 @@ -184,6 +191,8 @@ resource "aws_security_group" "service_security_group" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } + + tags = local.tags } resource "aws_lb_target_group" "target_group_http" { @@ -192,11 +201,12 @@ resource "aws_lb_target_group" "target_group_http" { protocol = "HTTP" target_type = "ip" vpc_id = data.aws_vpc.vpc.id - tags = local.tags health_check { matcher = "200,301,302" path = "/app" } + + tags = local.tags } resource "aws_lb_listener" "listener_https" { @@ -206,30 +216,32 @@ resource "aws_lb_listener" "listener_https" { certificate_arn = !var.wildcard_cert ? ( var.using_route53 ? aws_acm_certificate_validation.scim_bridge_cert_validate[0].certificate_arn : aws_acm_certificate.scim_bridge_cert[0].arn - ) : data.aws_acm_certificate.wildcard_cert[0].arn + ) : data.aws_acm_certificate.wildcard_cert[0].arn default_action { type = "forward" target_group_arn = aws_lb_target_group.target_group_http.arn } } -output "cloudwatch-log-group" { +output "cloudwatch_log_group" { description = "Where you can find your SCIM bridge logs" value = aws_cloudwatch_log_group.scim-bridge.name } -output "loadbalancer-dns-name" { +output "loadbalancer_dns_name" { description = "The name of the load balancer to target in your DNS" value = var.using_route53 ? null : aws_alb.scim-bridge-alb.dns_name } data "aws_acm_certificate" "wildcard_cert" { count = !var.wildcard_cert ? 0 : 1 + domain = "*.${local.domain}" } resource "aws_acm_certificate" "scim_bridge_cert" { count = !var.wildcard_cert ? 1 : 0 + domain_name = var.domain_name validation_method = "DNS" @@ -240,12 +252,14 @@ resource "aws_acm_certificate" "scim_bridge_cert" { data "aws_route53_zone" "zone" { count = var.using_route53 ? 1 : 0 + name = local.domain private_zone = false } resource "aws_acm_certificate_validation" "scim_bridge_cert_validate" { count = var.using_route53 && !var.wildcard_cert ? 1 : 0 + certificate_arn = aws_acm_certificate.scim_bridge_cert[0].arn validation_record_fqdns = [for record in aws_route53_record.scim_bridge_cert_validation : record.fqdn] } @@ -262,6 +276,7 @@ resource "aws_route53_record" "scim_bridge_cert_validation" { } } : {} ) + allow_overwrite = true name = each.value.name records = [each.value.record] @@ -272,6 +287,7 @@ resource "aws_route53_record" "scim_bridge_cert_validation" { resource "aws_route53_record" "scim_bridge" { count = var.using_route53 ? 1 : 0 + zone_id = data.aws_route53_zone.zone[0].id name = var.domain_name type = "A" @@ -283,7 +299,7 @@ resource "aws_route53_record" "scim_bridge" { } } -output "url" { +output "scim_bridge_url" { description = "The URL of your SCIM bridge" value = "https://${var.domain_name}" }