Tfhartmann/plat 1944 deploy to second cluster (#3)

* Lots of updates, including adding second vault cluster

* removing depricated error

* Formating

* Removed "extra_tags" param

It wasn't being used at all, using the tags map instead

Author: tfhartmann

README.md

@@ -57,28 +57,34 @@ Module Input Variables
 
 #### Optional
 
-- `vault_image` - Image to use when deploying vault, defaults to the hashicorp vault image
-- `desired_count` - Number of vaults that ECS should run. Defaults to 2
+- `vault_image` - Image to use when deploying vault, (Default: hashicorp/vault)
+- `cloudwatch_log_retention` - Specifies the number of days you want to retain log events in the specified log group. (Default: 30)
+- `desired_count` - Number of vaults that ECS should run. (Default: 2)
 - `hostname` - DNS Hostname for the bastion host. Defaults to ${VPC NAME}.${dns_zone} if hostname is not set
-- `iam_path` - IAM path, this is useful when creating resources with the same name across multiple regions. Defaults to /
-- `region` - AWS Region, defaults to us-east-1
+- `iam_path` - IAM path, this is useful when creating resources with the same name across multiple regions. (Default: / )
+- `lb_deregistration_delay` - The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. (Default: 300)
+- `service_minimum_healthy_percent` - The minimum healthy percent represents a lower limit on the number of your service's tasks that must remain in the RUNNING state during a deployment
+- `tags` - A map of tags to add to all resources
 
 Usage
 -----
 
 ```hcl
 module "vault" {
-  source         = "../modules/terraform-vault"
-  #source         = "github.com/FitnessKeeper/terraform-aws-vault?ref=v0.0.1"
-  alb_log_bucket = "rk-devops-${var.region}"
-  vault_image    = "${var.vault_image}"
-  ecs_cluster_id = "${module.ecs_consul.cluster_id}"
-  dns_zone       = "${aws_route53_zone.region.name}"
-  env            = "${var.env}"
-  subnets        = "${module.vpc.public_subnets}"
-  #unseal_key     = "${data.aws_kms_secret.unseal_key.vault}" # pass in a list "${split(",",data.aws_kms_secret.unseal_key.vault)}"
-  unseal_keys    = "${split(",",data.aws_kms_secret.unseal_key2.vault)}"
-  vpc_id         = "${module.vpc.vpc_id}"
+  source         = "github.com/FitnessKeeper/terraform-aws-vault?ref=v0.0.1"
+  alb_log_bucket  = "rk-devops-${var.region}"
+  vault_image     = "${var.vault_image}"
+  ecs_cluster_ids = "${module.ecs_consul.cluster_id}"
+  dns_zone        = "${aws_route53_zone.region.name}"
+  env             = "${var.env}"
+  subnets         = "${module.vpc.public_subnets}"
+  unseal_keys     = "${split(",",data.aws_kms_secret.unseal_key.vault)}"
+  vpc_id          = "${module.vpc.vpc_id}"
+
+  tags = {
+    "foo" = "bar"
+  }
+
 }
 
 ```

alb.tf

@@ -8,12 +8,12 @@ resource "aws_alb" "vault" {
 
   tags {
     Environment = "${var.env}"
-    VPC         = "${data.aws_vpc.vpc.tags["Name"]}"
+    VPC         = "${local.vpc_name}"
   }
 
   access_logs {
     bucket = "${var.alb_log_bucket}"
-    prefix = "logs/elb/${data.aws_vpc.vpc.tags["Name"]}/vault"
+    prefix = "logs/elb/${local.vpc_name}/vault"
   }
 }
 
@@ -32,9 +32,10 @@ resource "aws_route53_record" "vault" {
 
 # Create a new target group
 resource "aws_alb_target_group" "vault_ui" {
-  port     = 8200
-  protocol = "HTTP"
-  vpc_id   = "${data.aws_vpc.vpc.id}"
+  port                 = 8200
+  protocol             = "HTTP"
+  deregistration_delay = "${var.lb_deregistration_delay}"
+  vpc_id               = "${data.aws_vpc.vpc.id}"
 
   health_check {
     path    = "/v1/sys/health?standbyok=true"
@@ -48,7 +49,7 @@ resource "aws_alb_target_group" "vault_ui" {
 
   tags {
     Environment = "${var.env}"
-    VPC         = "${data.aws_vpc.vpc.tags["Name"]}"
+    VPC         = "${local.vpc_name}"
   }
 }
 

files/vault.json

@@ -23,7 +23,7 @@
             ],
             "cpu": 0,
             "volumesFrom": [
-              
+
             ],
             "mountPoints": [
 

main.tf

@@ -13,64 +13,118 @@ data "aws_acm_certificate" "cert" {
   domain = "${replace(var.dns_zone, "/.$/","")}" # dirty hack to strip off trailing dot
 }
 
+data "aws_region" "current" {}
+
 data "template_file" "vault" {
   template = "${file("${path.module}/files/vault.json")}"
 
   vars {
-    datacenter            = "${data.aws_vpc.vpc.tags["Name"]}"
+    datacenter            = "${local.vpc_name}"
     env                   = "${var.env}"
     image                 = "${var.vault_image}"
     unseal_key0           = "${var.unseal_keys[0]}"
     unseal_key1           = "${var.unseal_keys[1]}"
     unseal_key2           = "${var.unseal_keys[2]}"
     awslogs_group         = "vault-${var.env}"
     awslogs_stream_prefix = "vault-${var.env}"
-    awslogs_region        = "${var.region}"
+    awslogs_region        = "${data.aws_region.current.name}"
   }
 }
 
 # End Data block
+# local variables
+locals {
+  cluster_count = "${length(var.ecs_cluster_ids)}"
+  vpc_name      = "${data.aws_vpc.vpc.tags["Name"]}"
+  sg_name       = "tf-${local.vpc_name}-vault-uiSecurityGroup"
+  sg_tags       = "${merge(var.tags, map("Name", local.sg_name, "Environment", var.env))}"
+  log_tags      = "${merge(var.tags, map("VPC", local.vpc_name, "Application", aws_ecs_task_definition.vault.family))}"
+}
 
 resource "aws_ecs_task_definition" "vault" {
   family                = "vault-${var.env}"
   container_definitions = "${data.template_file.vault.rendered}"
   network_mode          = "host"
   task_role_arn         = "${aws_iam_role.vault_task.arn}"
-
-  #volume {
-  #  name      = "docker-sock"
-  #  host_path = "/var/run/docker.sock"
-  #}
 }
 
 resource "aws_cloudwatch_log_group" "vault" {
-  name = "${aws_ecs_task_definition.vault.family}"
+  name              = "${aws_ecs_task_definition.vault.family}"
+  retention_in_days = "${var.cloudwatch_log_retention}"
+  tags              = "${local.log_tags}"
+}
+
+# ECS Service
+resource "aws_ecs_service" "vault" {
+  count                              = "${local.cluster_count  == 1 ? 1 : 0}"
+  name                               = "vault-${var.env}"
+  cluster                            = "${var.ecs_cluster_ids[0]}"
+  task_definition                    = "${aws_ecs_task_definition.vault.arn}"
+  desired_count                      = "${var.desired_count}"
+  deployment_minimum_healthy_percent = "${var.service_minimum_healthy_percent}"
+  iam_role                           = "${aws_iam_role.ecsServiceRole.arn}"
+
+  placement_constraints {
+    type = "distinctInstance"
+  }
 
-  tags {
-    VPC         = "${data.aws_vpc.vpc.tags["Name"]}"
-    Application = "${aws_ecs_task_definition.vault.family}"
+  load_balancer {
+    target_group_arn = "${aws_alb_target_group.vault_ui.arn}"
+    container_name   = "vault-${var.env}"
+    container_port   = 8200
   }
+
+  depends_on = ["aws_alb_target_group.vault_ui",
+    "aws_alb_listener.vault_https",
+    "aws_alb.vault",
+    "aws_iam_role.ecsServiceRole",
+  ]
 }
 
-resource "aws_ecs_service" "vault" {
-  name            = "vault-${var.env}"
-  cluster         = "${var.ecs_cluster_id}"
-  task_definition = "${aws_ecs_task_definition.vault.arn}"
-  desired_count   = "${var.desired_count}"
+resource "aws_ecs_service" "vault_primary" {
+  count                              = "${local.cluster_count  > 1 ? 1 : 0}"
+  name                               = "vault-${var.env}-primary"
+  cluster                            = "${var.ecs_cluster_ids[0]}"
+  task_definition                    = "${aws_ecs_task_definition.vault.arn}"
+  desired_count                      = "${var.desired_count}"
+  deployment_minimum_healthy_percent = "${var.service_minimum_healthy_percent}"
+  iam_role                           = "${aws_iam_role.ecsServiceRole.arn}"
 
   placement_constraints {
     type = "distinctInstance"
   }
 
   load_balancer {
     target_group_arn = "${aws_alb_target_group.vault_ui.arn}"
+    container_name   = "vault-${var.env}"
+    container_port   = 8200
+  }
+
+  depends_on = ["aws_alb_target_group.vault_ui",
+    "aws_alb_listener.vault_https",
+    "aws_alb.vault",
+    "aws_iam_role.ecsServiceRole",
+  ]
+}
 
-    #elb_name         = "${aws_elb.vault.name}"
-    container_name = "vault-${var.env}"
-    container_port = 8200
+resource "aws_ecs_service" "vault_secondary" {
+  count                              = "${local.cluster_count  > 1 ? 1 : 0}"
+  name                               = "vault-${var.env}-secondary"
+  cluster                            = "${var.ecs_cluster_ids[1]}"
+  task_definition                    = "${aws_ecs_task_definition.vault.arn}"
+  desired_count                      = "${var.desired_count}"
+  deployment_minimum_healthy_percent = "${var.service_minimum_healthy_percent}"
+  iam_role                           = "${aws_iam_role.ecsServiceRole.arn}"
+
+  placement_constraints {
+    type = "distinctInstance"
   }
 
-  iam_role = "${aws_iam_role.ecsServiceRole.arn}"
+  load_balancer {
+    target_group_arn = "${aws_alb_target_group.vault_ui.arn}"
+    container_name   = "vault-${var.env}"
+    container_port   = 8200
+  }
 
   depends_on = ["aws_alb_target_group.vault_ui",
     "aws_alb_listener.vault_https",
@@ -79,11 +133,13 @@ resource "aws_ecs_service" "vault" {
   ]
 }
 
+# End Service
 # Security Groups
 resource "aws_security_group" "lb-vault-sg" {
-  name        = "tf-${data.aws_vpc.vpc.tags["Name"]}-vault-uiSecurityGroup"
-  description = "Allow Web Traffic into the ${data.aws_vpc.vpc.tags["Name"]} VPC"
+  name        = "tf-${local.vpc_name}-vault-uiSecurityGroup"
+  description = "Allow Web Traffic into the ${local.vpc_name} VPC"
   vpc_id      = "${data.aws_vpc.vpc.id}"
+  tags        = "${local.sg_tags}"
 
   ingress {
     from_port   = 443
@@ -98,9 +154,4 @@ resource "aws_security_group" "lb-vault-sg" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
-  tags {
-    Name        = "tf-${data.aws_vpc.vpc.tags["Name"]}-vault-uiSecurityGroup"
-    Environment = "${var.env}"
-  }
 }

variables.tf

@@ -7,6 +7,11 @@ variable "vault_image" {
   default     = "vault:latest"
 }
 
+variable "cloudwatch_log_retention" {
+  default     = "30"
+  description = "Specifies the number of days you want to retain log events in the specified log group. (defaults to 30)"
+}
+
 variable "desired_count" {
   description = "Number of vaults that ECS should run."
   default     = "2"
@@ -16,8 +21,9 @@ variable "dns_zone" {
   description = "Zone where the Consul UI alb will be created. This should *not* be consul.example.com"
 }
 
-variable "ecs_cluster_id" {
-  description = "ARN of the ECS ID"
+variable "ecs_cluster_ids" {
+  type        = "list"
+  description = "List of ARNs of the ECS Cluster IDs"
 }
 
 variable "env" {}
@@ -32,14 +38,25 @@ variable "iam_path" {
   description = "IAM path, this is useful when creating resources with the same name across multiple regions. Defaults to /"
 }
 
+variable "lb_deregistration_delay" {
+  default     = "300"
+  description = "The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. (Default: 300)"
+}
+
+variable "service_minimum_healthy_percent" {
+  description = "The minimum healthy percent represents a lower limit on the number of your service's tasks that must remain in the RUNNING state during a deployment (default 50)"
+  default     = "50"
+}
+
 variable "subnets" {
   type        = "list"
   description = "List of subnets used to deploy the Consul alb"
 }
 
-variable "region" {
-  default     = "us-east-1"
-  description = "AWS Region, defaults to us-east-1"
+variable "tags" {
+  type        = "map"
+  description = "A map of tags to add to all resources"
+  default     = {}
 }
 
 variable "unseal_keys" {