0.11 branch (#35)

* defaults ecr to immutable

* Policy support for ECS/Fagate injection of secrets manager secret

* adds example for installing the 0.11 template

* adds support for injection of secrets from ssm parameter store

Author: jritsema

README.md

@@ -39,7 +39,8 @@ that is needed.
 | [autoscale-perf.tf][edap] | Performance-based auto scaling | Yes |
 | [autoscale-time.tf][edat] | Time-based auto scaling | Yes |
 | [logs-logzio.tf][edll] | Ship container logs to logz.io | Yes |
-| [secretsmanager.tf][edsm] | Add a base secret to Secretsmanager | Yes |
+| [secretsmanager.tf][edsm] | Add a Secrets Manager secret with a CMK KMS key. Also gives app role and ECS task definition role access to read secrets from Secrets Manager | Yes |
+| [ssm-parameters.tf][ssm] | Add a CMK KMS key for use with SSM Parameter Store. Also gives ECS task definition role access to read secrets from parameter store. | Yes |
 | [ecs-event-stream.tf][ees] | Add an ECS event log dashboard | Yes |
 
 
@@ -87,7 +88,7 @@ create an input vars file (`terraform.tfvars`)
 app = "my-app"
 environment = "dev"
 
-internal = "true"
+internal = true
 container_port = "8080"
 replicas = "1"
 health_check = "/health"
@@ -110,6 +111,11 @@ tags = {
 $ fargate-create -f terraform.tfvars
 ```
 
+Note that if you would like to use Terraform 0.11.x, you can use the following command.
+```shell
+$ fargate-create -t [email protected]:turnerlabs/terraform-ecs-fargate?ref=v0.11
+```
+
 
 ## Additional Information
 
@@ -139,3 +145,4 @@ $ fargate-create -f terraform.tfvars
 [ees]: ./env/dev/ecs-event-stream.tf
 [base]: ./base/README.md
 [env-dev]: ./env/dev/README.md
+[ssm]: ./env/dev/ssm-parameters.tf

base/README.md

@@ -40,6 +40,7 @@ $ terraform apply
 |------|-------------|:----:|:-----:|:-----:|
 | app | Name of the application. This value should usually match the application tag below. | string |  | yes |
 | aws_profile | The AWS profile to use, this would be the same value used in AWS_PROFILE. | string |  | yes |
+| image_tag_mutability | The tag mutability setting for the repository. | string | IMMUTABLE |  |
 | region | The AWS region to use for the bucket and registry; typically `us-east-1`. Other possible values: `us-east-2`, `us-west-1`, or `us-west-2`. <br>Currently, Fargate is only available in `us-east-1`. | string | `us-east-1` | yes |
 | saml_role | The role that will have access to the S3 bucket, this should be a role that all members of the team have access to. | string |  | yes |
 | tags | A map of the tags to apply to various resources. The required tags are: <br>+ `application`, name of the app <br>+ `environment`, the environment being created <br>+ `team`, team responsible for the application <br>+ `contact-email`, contact email for the _team_ <br>+ `customer`, who the application was create for | map | `<map>` | yes |

base/ecr.tf

@@ -4,9 +4,15 @@
  * https://aws.amazon.com/ecr/
  */
 
+# The tag mutability setting for the repository (defaults to IMMUTABLE)
+variable "image_tag_mutability" {
+  default = "IMMUTABLE"
+}
+
 # create an ECR repo at the app/image level
 resource "aws_ecr_repository" "app" {
-  name = "${var.app}"
+  name                 = "${var.app}"
+  image_tag_mutability = "${var.image_tag_mutability}"
 }
 
 data "aws_caller_identity" "current" {}

env/dev/README.md

@@ -69,7 +69,7 @@ $ terraform apply
 | scale_down_max_capacity | The maximum number of containers to scale down to. | string | `0` | no |
 | scale_down_min_capacity | The mimimum number of containers to scale down to. Set this and `scale_down_max_capacity` to 0 to turn off service on the `scale_down_cron` schedule. | string | `0` | no |
 | scale_up_cron | Default scale up at 7 am weekdays, this is UTC so it doesn't adjust to daylight savings https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html | string | `cron(0 11 ? * MON-FRI *)` | no |
-| secrets_saml_users | The users (email addresses) from the saml role to give access | list | - | yes |
+| secrets_saml_users | The users (case sensitive email addresses) from the saml role to give access to Secrets Manager and SSM Parameter Store | list | - | yes |
 | tags | Tags for the infrastructure | map | - | yes |
 | vpc | The VPC to use for the Fargate cluster | string | - | yes |
 

env/dev/fargate-create.yml

@@ -30,11 +30,16 @@ prompts:
       - "logs-logzio.tf"      
       - "logs-logzio.zip"
 
-  - question: "Would you like an integrated Secrets Manager secret?"
+  - question: "Would you like to use Secrets Manager for secrets?"
     default: "no"
     filesToDeleteIfNo:
       - "secretsmanager.tf"
 
+  - question: "Would you like to use SSM Parameter Store for secrets?"
+    default: "no"
+    filesToDeleteIfNo:
+      - "ssm-parameters.tf"      
+
   - question: "Would you like an ECS event log dashboard?"
     default: "yes"
     filesToDeleteIfNo:

env/dev/secretsmanager.tf

@@ -71,6 +71,7 @@ locals {
   # list of role users and saml users for policies
   role_and_saml_ids = [
     "${aws_iam_role.app_role.unique_id}:*",
+    "${aws_iam_role.ecsTaskExecutionRole.unique_id}:*",
     "${local.saml_user_ids}",
   ]
 

env/dev/ssm-parameters.tf

@@ -0,0 +1,197 @@
+locals {
+  # KMS write actions
+  kms_write_actions = [
+    "kms:CancelKeyDeletion",
+    "kms:CreateAlias",
+    "kms:CreateGrant",
+    "kms:CreateKey",
+    "kms:DeleteAlias",
+    "kms:DeleteImportedKeyMaterial",
+    "kms:DisableKey",
+    "kms:DisableKeyRotation",
+    "kms:EnableKey",
+    "kms:EnableKeyRotation",
+    "kms:Encrypt",
+    "kms:GenerateDataKey",
+    "kms:GenerateDataKeyWithoutPlaintext",
+    "kms:GenerateRandom",
+    "kms:GetKeyPolicy",
+    "kms:GetKeyRotationStatus",
+    "kms:GetParametersForImport",
+    "kms:ImportKeyMaterial",
+    "kms:PutKeyPolicy",
+    "kms:ReEncryptFrom",
+    "kms:ReEncryptTo",
+    "kms:RetireGrant",
+    "kms:RevokeGrant",
+    "kms:ScheduleKeyDeletion",
+    "kms:TagResource",
+    "kms:UntagResource",
+    "kms:UpdateAlias",
+    "kms:UpdateKeyDescription",
+  ]
+
+  # KMS read actions
+  kms_read_actions = [
+    "kms:Decrypt",
+    "kms:DescribeKey",
+    "kms:List*",
+  ]
+
+  # list of saml users for policies
+  saml_user_ids = [
+    "${data.aws_caller_identity.current.user_id}",
+    "${data.aws_caller_identity.current.account_id}",
+    "${formatlist("%s:%s", data.aws_iam_role.saml_role_ssm.unique_id, var.secrets_saml_users)}",
+  ]
+
+  # list of role users and saml users for policies
+  role_and_saml_ids = [
+    "${aws_iam_role.ecsTaskExecutionRole.unique_id}:*",
+    "${local.saml_user_ids}",
+  ]
+
+  sm_arn = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:${var.app}-${var.environment}-??????"
+}
+
+# get the saml user info so we can get the unique_id
+data "aws_iam_role" "saml_role_ssm" {
+  name = "${var.saml_role}"
+}
+
+# The users (email addresses) from the saml role to give access
+# case sensitive
+variable "secrets_saml_users" {
+  type = "list"
+}
+
+# kms key used to encrypt ssm parameters
+resource "aws_kms_key" "ssm" {
+  description             = "ssm parameters key for ${var.app}-${var.environment}"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags                    = "${var.tags}"
+  policy                  = "${data.aws_iam_policy_document.ssm.json}"
+}
+
+resource "aws_kms_alias" "ssm" {
+  name          = "alias/${var.app}-${var.environment}"
+  target_key_id = "${aws_kms_key.ssm.id}"
+}
+
+data "aws_iam_policy_document" "ssm" {
+  statement {
+    sid    = "DenyWriteToAllExceptSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = "${local.kms_write_actions}"
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = ["${local.saml_user_ids}"]
+    }
+  }
+
+  statement {
+    sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = "${local.kms_read_actions}"
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = ["${local.role_and_saml_ids}"]
+    }
+  }
+
+  statement {
+    sid    = "AllowWriteToSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = "${local.kms_write_actions}"
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = ["${local.saml_user_ids}"]
+    }
+  }
+
+  statement {
+    sid    = "AllowReadRoleAndSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = "${local.kms_read_actions}"
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = ["${local.role_and_saml_ids}"]
+    }
+  }
+}
+
+# allow ecs task execution role to read this app's parameters
+resource "aws_iam_policy" "ecsTaskExecutionRole_ssm" {
+  name        = "${var.app}-${var.environment}-ecs-ssm"
+  path        = "/"
+  description = "allow ecs task execution role to read this app's parameters"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/${var.app}/${var.environment}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_ssm" {
+  role       = "${aws_iam_role.ecsTaskExecutionRole.name}"
+  policy_arn = "${aws_iam_policy.ecsTaskExecutionRole_ssm.arn}"
+}
+
+output "ssm_add_secret" {
+  value = "aws ssm put-parameter --overwrite --type \"SecureString\" --key-id \"${aws_kms_alias.ssm.name}\" --name \"/${var.app}/${var.environment}/PASSWORD\" --value \"password\""
+}
+
+output "ssm_add_secret_ref" {
+  value = "fargate service env set --secret PASSWORD=/${var.app}/${var.environment}/PASSWORD"
+}
+
+output "ssm_key_id" {
+  value = "${aws_kms_key.ssm.key_id}"
+}