diff --git a/docs/media/diagrams/perforce-module-architectures.drawio b/docs/media/diagrams/perforce-module-architectures.drawio index a183b10d..d81e57e4 100644 --- a/docs/media/diagrams/perforce-module-architectures.drawio +++ b/docs/media/diagrams/perforce-module-architectures.drawio @@ -1,105 +1,93 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - - + - - - - - + + - + - - - - + - + - - + + - - - - + @@ -107,7 +95,7 @@ - + @@ -115,20 +103,38 @@ - + - - + + + + + - - + + + + + + + - - + + + + + + + - - + + + + + + + diff --git a/docs/media/images/helix-swarm-architecture.jpg b/docs/media/images/helix-swarm-architecture.jpg new file mode 100644 index 00000000..c7ed9e78 Binary files /dev/null and b/docs/media/images/helix-swarm-architecture.jpg differ diff --git a/docs/media/images/helix-swarm-architecture.png b/docs/media/images/helix-swarm-architecture.png index 64a0c007..329d09ed 100644 Binary files a/docs/media/images/helix-swarm-architecture.png and b/docs/media/images/helix-swarm-architecture.png differ diff --git a/docs/media/images/perforce-complete-example.jpg b/docs/media/images/perforce-complete-example.jpg new file mode 100644 index 00000000..77b9bcee Binary files /dev/null and b/docs/media/images/perforce-complete-example.jpg differ diff --git a/docs/modules/perforce/examples/complete.md b/docs/modules/perforce/examples/complete.md new file mode 100644 index 00000000..10190cd6 --- /dev/null +++ b/docs/modules/perforce/examples/complete.md 
@@ -0,0 +1,13 @@ +# Perforce Complete Example + +This example provisions [Helix Core](https://www.perforce.com/products/helix-core), [Helix Swarm](https://www.perforce.com/products/helix-swarm), and the [Helix Authentication Service](https://www.perforce.com/downloads/helix-authentication-service). It also configures security groups for each of these modules to allow inter-service communication. This example takes a single input variable:`root_domain_name` is expected to correspond to an existing [AWS Route53 hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-hosted-zone). This hosted zone is used for provisioning DNS records used for external and internal routing, and enables this example to create validated SSL certificates on your behalf. + +If you do not have a domain yet you can [register one through Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html#domain-register-procedure-section). + +If you already have a domain with a different domain registrar you can leverage Route53 for DNS services. [Please review the documentation for migrating to Route53 as your DNS provider.](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html) + +If you own the domain: "example.com" this example will deploy Helix Core to "core.helix.example.com" and Helix Swarm to "swarm.helix.example.com" - this can be modified from the `dns.tf` file. + +## Deployment Architecture + +![Perforce Example Architecture](../../../media/images/perforce-complete-example.jpg) diff --git a/docs/modules/perforce/helix-swarm/helix-swarm.md b/docs/modules/perforce/helix-swarm/helix-swarm.md index 544a401e..578ff5f9 100644 --- a/docs/modules/perforce/helix-swarm/helix-swarm.md +++ b/docs/modules/perforce/helix-swarm/helix-swarm.md 
@@ -4,17 +4,18 @@ [Perforce Helix Swarm](https://www.perforce.com/products/helix-swarm) is a free code review tool for projects hosted in [Perforce Helix Core](https://www.perforce.com/products/helix-core). This module deploys Helix Swarm as a service on AWS Elastic Container Service using the [publicly available image from Dockerhub](https://hub.docker.com/r/perforce/helix-swarm). -Helix Swarm also relies on a Redis cache. The module runs Redis as a service alongside Helix Swarm as part of the same task definition. +Helix Swarm also relies on a Redis cache. The module provisions a single node AWS Elasticache Redis OSS cluster and configures connectivity for the Helix Swarm service. This module deploys the following resources: - An Elastic Container Service (ECS) cluster backed by AWS Fargate. This can also be created externally and passed in via the `cluster_name` variable. -- An ECS service running the latest Helix Swarm container ([perforce/helix-swarm](https://hub.docker.com/r/perforce/helix-swarm)) available and a Redis sidecar. +- An ECS service running the latest Helix Swarm container ([perforce/helix-swarm](https://hub.docker.com/r/perforce/helix-swarm)) available. - An Application Load Balancer for TLS termination of the Helix Swarm service. +- A single node [AWS Elasticache Redis OSS](https://aws.amazon.com/elasticache/redis/) cluster. - Supporting resources such as Cloudwatch log groups, IAM roles, and security groups. ## Deployment Architecture -![HelixSwarm Module Architecture](../../../media/images/helix-swarm-architecture.png) +![Helix Swarm Module Architecture](../../../media/images/helix-swarm-architecture.png){: style="max-width:100%;max-height:100vh;margin:auto"} ## Prerequisites diff --git a/docs/modules/perforce/perforce.md b/docs/modules/perforce/perforce.md new file mode 100644 index 00000000..3c79d6f2 --- /dev/null +++ b/docs/modules/perforce/perforce.md 
@@ -0,0 +1,15 @@ +# Perforce + +[Perforce](https://www.perforce.com/) provides a number of products commonly used in Game development. The modules included in the Cloud Game Development Toolkit provision [Helix Core](https://www.perforce.com/products/helix-core), [Helix Swarm](https://www.perforce.com/products/helix-swarm), and the [Helix Authentication Service](https://www.perforce.com/downloads/helix-authentication-service). These modules can be stitched together to provision version control and code review tools for your developers. + +## Modules + +| Template | Description | +| :--------------------------------------------------------------- | :- | +| [__Helix Core__](./helix-core/helix-core.md) | A Terraform module for provisioning a [Helix Core](https://www.perforce.com/products/helix-core) version control server on AWS EC2. | +| [__Helix Swarm__](./helix-swarm/helix-swarm.md) | A Terraform module for provisioning [Helix Swarm](https://www.perforce.com/products/helix-swarm) on AWS Elastic Container Service. | +| [__Helix Authentication Service__](./helix-authentication-service/helix-authentication-service.md) | A Terraform module for provisioning the [Helix Authentication Service](https://www.perforce.com/downloads/helix-authentication-service) on AWS Elastic Container Service. | + +## Examples + +We currently provide a single, [complete example](./examples/complete.md) demonstrating deployment of all three modules in a single VPC. This example configures connectivity between each of the three modules and creates DNS records in an existing [AWS Route53](https://aws.amazon.com/route53/) for simple routing. Please use it as a starting point for your Perforce version control and code review deployments. diff --git a/modules/perforce/examples/complete/dns.tf b/modules/perforce/examples/complete/dns.tf new file mode 100644 index 00000000..6c238e68 --- /dev/null +++ b/modules/perforce/examples/complete/dns.tf 
@@ -0,0 +1,105 @@ + +########################################## +# Route53 Hosted Zone for FQDN +########################################## +data "aws_route53_zone" "root" { + name = var.root_domain_name + private_zone = false +} + +########################################## +# Perforce Helix DNS +########################################## +resource "aws_route53_zone" "helix_private_zone" { + name = "helix.perforce.internal" + #checkov:skip=CKV2_AWS_38: Hosted zone is private (vpc association) + #checkov:skip=CKV2_AWS_39: Query logging disabled by design + vpc { + vpc_id = aws_vpc.perforce_vpc.id + } +} + + +resource "aws_route53_record" "helix_swarm" { + zone_id = data.aws_route53_zone.root.id + name = "swarm.helix.${data.aws_route53_zone.root.name}" + type = "A" + alias { + name = module.perforce_helix_swarm.alb_dns_name + zone_id = module.perforce_helix_swarm.alb_zone_id + evaluate_target_health = true + } +} + +resource "aws_route53_record" "helix_authentication_service" { + zone_id = data.aws_route53_zone.root.zone_id + name = "auth.helix.${data.aws_route53_zone.root.name}" + type = "A" + alias { + name = module.perforce_helix_authentication_service.alb_dns_name + zone_id = module.perforce_helix_authentication_service.alb_zone_id + evaluate_target_health = true + } +} + +resource "aws_route53_record" "perforce_helix_core" { + zone_id = data.aws_route53_zone.root.zone_id + name = "core.helix.${data.aws_route53_zone.root.name}" + type = "A" + ttl = 300 + #checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit + records = [module.perforce_helix_core.helix_core_eip_public_ip] +} + +resource "aws_route53_record" "perforce_helix_core_pvt" { + zone_id = aws_route53_zone.helix_private_zone.zone_id + name = "core.${aws_route53_zone.helix_private_zone.name}" + type = "A" + ttl = 300 + #checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit + records = [module.perforce_helix_core.helix_core_eip_private_ip] +} + 
+########################################## +# Helix Certificate Management +########################################## + +resource "aws_acm_certificate" "helix" { + domain_name = "helix.${var.root_domain_name}" + subject_alternative_names = ["*.helix.${var.root_domain_name}"] + + validation_method = "DNS" + + tags = { + Environment = "dev" + } + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_route53_record" "helix_cert" { + for_each = { + for dvo in aws_acm_certificate.helix.domain_validation_options : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = data.aws_route53_zone.root.id +} + +resource "aws_acm_certificate_validation" "helix" { + timeouts { + create = "15m" + } + certificate_arn = aws_acm_certificate.helix.arn + validation_record_fqdns = [for record in aws_route53_record.helix_cert : record.fqdn] +} diff --git a/modules/perforce/examples/complete/local.tf b/modules/perforce/examples/complete/local.tf new file mode 100644 index 00000000..d9bdc9c7 --- /dev/null +++ b/modules/perforce/examples/complete/local.tf @@ -0,0 +1,13 @@ +data "aws_availability_zones" "available" {} + +locals { + # VPC Configuration + vpc_cidr_block = "10.0.0.0/16" + public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] + private_subnet_cidrs = ["10.0.3.0/24", "10.0.4.0/24"] + + tags = { + environment = "cgd" + } + azs = slice(data.aws_availability_zones.available.names, 0, 2) +} diff --git a/modules/perforce/examples/complete/main.tf b/modules/perforce/examples/complete/main.tf new file mode 100644 index 00000000..674c5166 --- /dev/null +++ b/modules/perforce/examples/complete/main.tf 
@@ -0,0 +1,88 @@ +########################################## +# Shared ECS Cluster for Services +########################################## + +resource "aws_ecs_cluster" "perforce_cluster" { + name = "perforce-cluster" + + setting { + name = "containerInsights" + value = "enabled" + } +} + +resource "aws_ecs_cluster_capacity_providers" "providers" { + cluster_name = aws_ecs_cluster.perforce_cluster.name + + capacity_providers = ["FARGATE"] + + default_capacity_provider_strategy { + base = 1 + weight = 100 + capacity_provider = "FARGATE" + } +} + +########################################## +# Perforce Helix Core +########################################## + +module "perforce_helix_core" { + source = "../../helix-core" + vpc_id = aws_vpc.perforce_vpc.id + server_type = "p4d_commit" + instance_subnet_id = aws_subnet.public_subnets[0].id + instance_type = "c6g.large" + instance_architecture = "arm64" + + storage_type = "EBS" + depot_volume_size = 64 + metadata_volume_size = 32 + logs_volume_size = 32 + + fully_qualified_domain_name = "core.helix.perforce.${var.root_domain_name}" + + helix_authentication_service_url = "https://${aws_route53_record.helix_authentication_service.name}" +} + +########################################## +# Perforce Helix Authentication Service +########################################## + +module "perforce_helix_authentication_service" { + source = "../../helix-authentication-service" + vpc_id = aws_vpc.perforce_vpc.id + cluster_name = aws_ecs_cluster.perforce_cluster.name + helix_authentication_service_alb_subnets = aws_subnet.public_subnets[*].id + helix_authentication_service_subnets = aws_subnet.private_subnets[*].id + certificate_arn = aws_acm_certificate.helix.arn + + enable_web_based_administration = true + fully_qualified_domain_name = "auth.helix.${var.root_domain_name}" + + depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix] +} + +########################################## +# Perforce Helix Swarm 
+########################################## + +module "perforce_helix_swarm" { + source = "../../helix-swarm" + vpc_id = aws_vpc.perforce_vpc.id + cluster_name = aws_ecs_cluster.perforce_cluster.name + helix_swarm_alb_subnets = aws_subnet.public_subnets[*].id + helix_swarm_service_subnets = aws_subnet.private_subnets[*].id + certificate_arn = aws_acm_certificate.helix.arn + p4d_port = "ssl:${aws_route53_record.perforce_helix_core_pvt.name}:1666" + p4d_super_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn + p4d_super_user_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn + p4d_swarm_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn + p4d_swarm_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn + + enable_sso = true + + fully_qualified_domain_name = "swarm.helix.${var.root_domain_name}" + + depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix] +} diff --git a/modules/perforce/examples/complete/security.tf b/modules/perforce/examples/complete/security.tf new file mode 100644 index 00000000..a682b045 --- /dev/null +++ b/modules/perforce/examples/complete/security.tf 
@@ -0,0 +1,33 @@ +########################################## +# Internal Access - service to service +########################################## + +# Helix Swarm -> Helix Core +resource "aws_vpc_security_group_ingress_rule" "helix_core_inbound_swarm" { + security_group_id = module.perforce_helix_core.security_group_id + ip_protocol = "TCP" + from_port = 1666 + to_port = 1666 + referenced_security_group_id = module.perforce_helix_swarm.service_security_group_id + description = "Enables Helix Swarm to access Helix Core." +} + +# Helix Core -> Helix Swarm +resource "aws_vpc_security_group_ingress_rule" "helix_swarm_inbound_core" { + security_group_id = module.perforce_helix_swarm.alb_security_group_id + ip_protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_ipv4 = "${module.perforce_helix_core.helix_core_eip_public_ip}/32" + description = "Enables Helix Core to access Helix Swarm" +} + +# Helix Core -> Helix Authentication Service +resource "aws_vpc_security_group_ingress_rule" "helix_auth_inbound_core" { + security_group_id = module.perforce_helix_authentication_service.alb_security_group_id + ip_protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_ipv4 = "${module.perforce_helix_core.helix_core_eip_public_ip}/32" + description = "Enables Helix Core to access Helix Authentication Service" +} diff --git a/modules/perforce/examples/complete/variables.tf b/modules/perforce/examples/complete/variables.tf new file mode 100644 index 00000000..cde652cd --- /dev/null +++ b/modules/perforce/examples/complete/variables.tf @@ -0,0 +1,4 @@ +variable "root_domain_name" { + type = string + description = "The root domain name you would like to use for DNS." +} diff --git a/modules/perforce/examples/complete/versions.tf b/modules/perforce/examples/complete/versions.tf new file mode 100644 index 00000000..a49b9edb --- /dev/null +++ b/modules/perforce/examples/complete/versions.tf 
@@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "5.66.0" + } + } +} diff --git a/modules/perforce/examples/complete/vpc.tf b/modules/perforce/examples/complete/vpc.tf new file mode 100644 index 00000000..8a0b4e59 --- /dev/null +++ b/modules/perforce/examples/complete/vpc.tf 
@@ -0,0 +1,130 @@ +########################################## +# VPC +########################################## + +resource "aws_vpc" "perforce_vpc" { + cidr_block = local.vpc_cidr_block + tags = merge(local.tags, + { + Name = "perforce-vpc" + } + ) + enable_dns_hostnames = true + #checkov:skip=CKV2_AWS_11: VPC flow logging disabled by design +} + +# Set default SG to restrict all traffic +resource "aws_default_security_group" "default" { + vpc_id = aws_vpc.perforce_vpc.id +} + +########################################## +# Subnets +########################################## + +resource "aws_subnet" "public_subnets" { + count = length(local.public_subnet_cidrs) + vpc_id = aws_vpc.perforce_vpc.id + cidr_block = element(local.public_subnet_cidrs, count.index) + availability_zone = element(local.azs, count.index) + + tags = merge(local.tags, + { + Name = "pub-subnet-${count.index + 1}" + } + ) +} + +resource "aws_subnet" "private_subnets" { + count = length(local.private_subnet_cidrs) + vpc_id = aws_vpc.perforce_vpc.id + cidr_block = element(local.private_subnet_cidrs, count.index) + availability_zone = element(local.azs, count.index) + + tags = merge(local.tags, + { + Name = "pvt-subnet-${count.index + 1}" + } + ) +} + +########################################## +# Internet Gateway +########################################## + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.perforce_vpc.id + tags = merge(local.tags, + { + Name = "perforce-igw" + } + ) +} + +########################################## +# Route Tables & NAT Gateway +########################################## + +resource "aws_route_table" "public_rt" { + vpc_id = aws_vpc.perforce_vpc.id + + # public route to the internet + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id + } + + tags = merge(local.tags, + { + Name = "perforce-public-rt" + } + ) +} + +resource "aws_route_table_association" "public_rt_asso" { + count = length(aws_subnet.public_subnets) + 
route_table_id = aws_route_table.public_rt.id + subnet_id = aws_subnet.public_subnets[count.index].id +} + +resource "aws_eip" "nat_gateway_eip" { + depends_on = [aws_internet_gateway.igw] + #checkov:skip=CKV2_AWS_19:EIP associated with NAT Gateway through association ID + tags = merge(local.tags, + { + Name = "perforce-nat-eip" + } + ) +} + +resource "aws_route_table" "private_rt" { + vpc_id = aws_vpc.perforce_vpc.id + + # route to the internet through NAT gateway + route { + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat_gateway.id + } + + tags = merge(local.tags, + { + Name = "perforce-private-rt" + } + ) +} + +resource "aws_route_table_association" "private_rt_asso" { + count = length(aws_subnet.private_subnets) + route_table_id = aws_route_table.private_rt.id + subnet_id = aws_subnet.private_subnets[count.index].id +} + +resource "aws_nat_gateway" "nat_gateway" { + allocation_id = aws_eip.nat_gateway_eip.id + subnet_id = aws_subnet.public_subnets[0].id + tags = merge(local.tags, + { + Name = "perforce-nat" + } + ) +} diff --git a/modules/perforce/helix-authentication-service/README.md b/modules/perforce/helix-authentication-service/README.md index e937817b..ee65c411 100644 --- a/modules/perforce/helix-authentication-service/README.md +++ b/modules/perforce/helix-authentication-service/README.md @@ -6,9 +6,9 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | 5.59.0 | -| [awscc](#requirement\_awscc) | 1.6.0 | -| [random](#requirement\_random) | 3.6.2 | +| [aws](#requirement\_aws) | 5.68.0 | +| [awscc](#requirement\_awscc) | 1.15.0 | +| [random](#requirement\_random) | 3.6.3 | ## Providers 
@@ -26,39 +26,39 @@ No modules. | Name | Type | |------|------| -| [aws_cloudwatch_log_group.helix_authentication_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/cloudwatch_log_group) | resource | -| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ecs_cluster) | resource | -| [aws_ecs_cluster_capacity_providers.helix_authentication_service_cluster_fargate_providers](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ecs_cluster_capacity_providers) | resource | -| [aws_ecs_service.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ecs_service) | resource | -| [aws_ecs_task_definition.helix_authentication_service_task_definition](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ecs_task_definition) | resource | -| [aws_iam_policy.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_policy) | resource | -| [aws_iam_policy.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_policy) | resource | -| [aws_iam_role.helix_authentication_service_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_role) | resource | -| [aws_iam_role.helix_authentication_service_task_execution_role](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_role) | resource | -| [aws_lb.helix_authentication_service_alb](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/lb) | resource | -| [aws_lb_listener.helix_authentication_service_alb_https_listener](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/lb_listener) | resource | -| 
[aws_lb_target_group.helix_authentication_service_alb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/lb_target_group) | resource | -| [aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket_lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_policy.alb_access_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.access_logs_bucket_public_block](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_security_group.helix_authentication_service_alb_sg](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/security_group) | resource | -| [aws_security_group.helix_authentication_service_sg](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/security_group) | resource | -| [aws_vpc_security_group_egress_rule.helix_authentication_service_alb_outbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv4](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv6](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/vpc_security_group_egress_rule) | resource | -| 
[aws_vpc_security_group_ingress_rule.helix_authentication_service_inbound_alb](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [awscc_secretsmanager_secret.helix_authentication_service_admin_password](https://registry.terraform.io/providers/hashicorp/awscc/1.6.0/docs/resources/secretsmanager_secret) | resource | -| [awscc_secretsmanager_secret.helix_authentication_service_admin_username](https://registry.terraform.io/providers/hashicorp/awscc/1.6.0/docs/resources/secretsmanager_secret) | resource | -| [random_string.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource | -| [random_string.helix_authentication_service_alb_access_logs_bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource | -| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/ecs_cluster) | data source | -| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.access_logs_bucket_alb_write](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.ecs_tasks_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/iam_policy_document) | data source | -| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/region) | data source | +| [aws_cloudwatch_log_group.helix_authentication_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_cluster) | resource | +| [aws_ecs_cluster_capacity_providers.helix_authentication_service_cluster_fargate_providers](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_cluster_capacity_providers) | resource | +| [aws_ecs_service.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_service) | resource | +| [aws_ecs_task_definition.helix_authentication_service_task_definition](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_task_definition) | resource | +| [aws_iam_policy.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_policy) | resource | +| [aws_iam_policy.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_policy) | resource | +| [aws_iam_role.helix_authentication_service_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_role) | resource | +| [aws_iam_role.helix_authentication_service_task_execution_role](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_role) | resource | +| [aws_lb.helix_authentication_service_alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/lb) | resource | +| [aws_lb_listener.helix_authentication_service_alb_https_listener](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/lb_listener) | resource | +| 
[aws_lb_target_group.helix_authentication_service_alb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/lb_target_group) | resource | +| [aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket_lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.alb_access_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.access_logs_bucket_public_block](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_security_group.helix_authentication_service_alb_sg](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_security_group.helix_authentication_service_sg](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_vpc_security_group_egress_rule.helix_authentication_service_alb_outbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv4](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv6](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| 
[aws_vpc_security_group_ingress_rule.helix_authentication_service_inbound_alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [awscc_secretsmanager_secret.helix_authentication_service_admin_password](https://registry.terraform.io/providers/hashicorp/awscc/1.15.0/docs/resources/secretsmanager_secret) | resource | +| [awscc_secretsmanager_secret.helix_authentication_service_admin_username](https://registry.terraform.io/providers/hashicorp/awscc/1.15.0/docs/resources/secretsmanager_secret) | resource | +| [random_string.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | +| [random_string.helix_authentication_service_alb_access_logs_bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | +| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/ecs_cluster) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.access_logs_bucket_alb_write](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ecs_tasks_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/region) | data source | ## Inputs 
@@ -73,13 +73,14 @@ No modules. | [create\_helix\_authentication\_service\_default\_policy](#input\_create\_helix\_authentication\_service\_default\_policy) | Optional creation of Helix Authentication Service default IAM Policy. Default is set to true. | `bool` | `true` | no | | [create\_helix\_authentication\_service\_default\_role](#input\_create\_helix\_authentication\_service\_default\_role) | Optional creation of Helix Authentication Service default IAM Role. Default is set to true. | `bool` | `true` | no | | [custom\_helix\_authentication\_service\_role](#input\_custom\_helix\_authentication\_service\_role) | ARN of the custom IAM Role you wish to use with Helix Authentication Service. | `string` | `null` | no | +| [debug](#input\_debug) | Set this flag to enable execute command on service containers and force redeploys. | `bool` | `false` | no | | [desired\_container\_count](#input\_desired\_container\_count) | The desired number of containers running the Helix Authentication Service. | `number` | `1` | no | | [enable\_helix\_authentication\_service\_alb\_access\_logs](#input\_enable\_helix\_authentication\_service\_alb\_access\_logs) | Enables access logging for the Helix Authentication Service ALB. Defaults to true. | `bool` | `true` | no | | [enable\_helix\_authentication\_service\_alb\_deletion\_protection](#input\_enable\_helix\_authentication\_service\_alb\_deletion\_protection) | Enables deletion protection for the Helix Authentication Service ALB. Defaults to true. | `bool` | `true` | no | | [enable\_web\_based\_administration](#input\_enable\_web\_based\_administration) | Flag for enabling web based administration of Helix Authentication Service. | `bool` | `false` | no | | [environment](#input\_environment) | The current environment (e.g. dev, prod, etc.) | `string` | `"dev"` | no | | [existing\_security\_groups](#input\_existing\_security\_groups) | A list of existing security group IDs to attach to the Helix Authentication Service load balancer. 
| `list(string)` | `[]` | no | -| [fqdn](#input\_fqdn) | The fully qualified domain name of Helix Authentication Service. | `string` | `"localhost"` | no | +| [fully\_qualified\_domain\_name](#input\_fully\_qualified\_domain\_name) | The fully qualified domain name where Helix Authentication Service will be available. | `string` | `"localhost"` | no | | [helix\_authentication\_service\_admin\_password\_secret\_arn](#input\_helix\_authentication\_service\_admin\_password\_secret\_arn) | Optionally provide the ARN of an AWS Secret for the Helix Authentication Service Administrator password. | `string` | `null` | no | | [helix\_authentication\_service\_admin\_username\_secret\_arn](#input\_helix\_authentication\_service\_admin\_username\_secret\_arn) | Optionally provide the ARN of an AWS Secret for the Helix Authentication Service Administrator username. | `string` | `null` | no | | [helix\_authentication\_service\_alb\_access\_logs\_bucket](#input\_helix\_authentication\_service\_alb\_access\_logs\_bucket) | ID of the S3 bucket for Helix Authentication Service ALB access log storage. If access logging is enabled and this is null the module creates a bucket. | `string` | `null` | no | diff --git a/modules/perforce/helix-authentication-service/main.tf b/modules/perforce/helix-authentication-service/main.tf index 431baf61..ffa6a349 100644 --- a/modules/perforce/helix-authentication-service/main.tf +++ b/modules/perforce/helix-authentication-service/main.tf @@ -77,17 +77,16 @@ resource "aws_ecs_task_definition" "helix_authentication_service_task_definition environment = concat([ { name = "SVC_BASE_URI" - value = var.fqdn + value = "https://${var.fully_qualified_domain_name}" }, { name = "ADMIN_ENABLED" value = var.enable_web_based_administration ? "true" : "false" }, { - name = "TRUST_PROXY" + name = "TRUST_PROXY" value = "true" }, - ], var.enable_web_based_administration ? [ { 
@@ -110,6 +109,11 @@ resource "aws_ecs_task_definition" "helix_authentication_service_task_definition containerPath = "/var/has" } ], + healthCheck = { + command = [ + "CMD-SHELL", "curl http://localhost:${var.container_port} || exit 1" + ] + } dependsOn = [ { containerName = "helix-auth-svc-config" @@ -165,13 +169,14 @@ resource "aws_ecs_task_definition" "helix_authentication_service_task_definition resource "aws_ecs_service" "helix_authentication_service" { name = local.name_prefix - cluster = var.cluster_name != null ? data.aws_ecs_cluster.helix_authentication_service_cluster[0].arn : aws_ecs_cluster.helix_authentication_service_cluster[0].arn - task_definition = aws_ecs_task_definition.helix_authentication_service_task_definition.arn - launch_type = "FARGATE" - desired_count = var.desired_container_count - force_new_deployment = true + cluster = var.cluster_name != null ? data.aws_ecs_cluster.helix_authentication_service_cluster[0].arn : aws_ecs_cluster.helix_authentication_service_cluster[0].arn + task_definition = aws_ecs_task_definition.helix_authentication_service_task_definition.arn + launch_type = "FARGATE" + desired_count = var.desired_container_count + force_new_deployment = var.debug + enable_execute_command = var.debug - enable_execute_command = true + wait_for_steady_state = true load_balancer { target_group_arn = aws_lb_target_group.helix_authentication_service_alb_target_group.arn @@ -246,8 +251,3 @@ resource "aws_vpc_security_group_ingress_rule" "helix_authentication_service_inb to_port = var.container_port ip_protocol = "tcp" } - - - - - diff --git a/modules/perforce/helix-authentication-service/variables.tf b/modules/perforce/helix-authentication-service/variables.tf index adbc0caf..97b2a8f0 100644 --- a/modules/perforce/helix-authentication-service/variables.tf +++ b/modules/perforce/helix-authentication-service/variables.tf 
@@ -93,9 +93,9 @@ variable "desired_container_count" { # - Environment Variables - -variable "fqdn" { +variable "fully_qualified_domain_name" { type = string - description = "The fully qualified domain name of Helix Authentication Service." + description = "The fully qualified domain name where Helix Authentication Service will be available." default = "localhost" } @@ -194,3 +194,9 @@ variable "helix_authentication_service_admin_password_secret_arn" { description = "Optionally provide the ARN of an AWS Secret for the Helix Authentication Service Administrator password." default = null } + +variable "debug" { + type = bool + description = "Set this flag to enable execute command on service containers and force redeploys." + default = false +} diff --git a/modules/perforce/helix-core/README.md b/modules/perforce/helix-core/README.md index fc30947d..97eeda4e 100644 --- a/modules/perforce/helix-core/README.md +++ b/modules/perforce/helix-core/README.md @@ -6,9 +6,9 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | 5.59.0 | -| [awscc](#requirement\_awscc) | 1.6.0 | -| [random](#requirement\_random) | 3.6.2 | +| [aws](#requirement\_aws) | 5.68.0 | +| [awscc](#requirement\_awscc) | 1.15.0 | +| [random](#requirement\_random) | 3.6.3 | ## Providers 
@@ -26,41 +26,43 @@ No modules. | Name | Type | |------|------| -| [aws_ebs_volume.depot](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ebs_volume) | resource | -| [aws_ebs_volume.logs](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ebs_volume) | resource | -| [aws_ebs_volume.metadata](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/ebs_volume) | resource | -| [aws_eip.helix_core_eip](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/eip) | resource | -| [aws_iam_instance_profile.helix_core_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_instance_profile) | resource | -| [aws_iam_policy.helix_core_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_policy) | resource | -| [aws_iam_role.helix_core_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/iam_role) | resource | -| [aws_instance.helix_core_instance](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/instance) | resource | -| [aws_security_group.helix_core_security_group](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/security_group) | resource | -| [aws_volume_attachment.depot_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/volume_attachment) | resource | -| [aws_volume_attachment.logs_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/volume_attachment) | resource | -| [aws_volume_attachment.metadata_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/volume_attachment) | resource | -| [aws_vpc_security_group_egress_rule.helix_core_internet](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/resources/vpc_security_group_egress_rule) | resource | -| 
[awscc_secretsmanager_secret.helix_core_super_user_password](https://registry.terraform.io/providers/hashicorp/awscc/1.6.0/docs/resources/secretsmanager_secret) | resource | -| [awscc_secretsmanager_secret.helix_core_super_user_username](https://registry.terraform.io/providers/hashicorp/awscc/1.6.0/docs/resources/secretsmanager_secret) | resource | -| [random_string.helix_core](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource | -| [aws_ami.helix_core_ami](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/ami) | data source | -| [aws_iam_policy_document.ec2_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_core_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/iam_policy_document) | data source | -| [aws_subnet.instance_subnet](https://registry.terraform.io/providers/hashicorp/aws/5.59.0/docs/data-sources/subnet) | data source | +| [aws_ebs_volume.depot](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ebs_volume) | resource | +| [aws_ebs_volume.logs](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ebs_volume) | resource | +| [aws_ebs_volume.metadata](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ebs_volume) | resource | +| [aws_eip.helix_core_eip](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/eip) | resource | +| [aws_iam_instance_profile.helix_core_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_instance_profile) | resource | +| [aws_iam_policy.helix_core_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_policy) | resource | +| 
[aws_iam_role.helix_core_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_role) | resource | +| [aws_instance.helix_core_instance](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/instance) | resource | +| [aws_security_group.helix_core_security_group](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_volume_attachment.depot_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/volume_attachment) | resource | +| [aws_volume_attachment.logs_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/volume_attachment) | resource | +| [aws_volume_attachment.metadata_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/volume_attachment) | resource | +| [aws_vpc_security_group_egress_rule.helix_core_internet](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [awscc_secretsmanager_secret.helix_core_super_user_password](https://registry.terraform.io/providers/hashicorp/awscc/1.15.0/docs/resources/secretsmanager_secret) | resource | +| [awscc_secretsmanager_secret.helix_core_super_user_username](https://registry.terraform.io/providers/hashicorp/awscc/1.15.0/docs/resources/secretsmanager_secret) | resource | +| [random_string.helix_core](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | +| [aws_ami.helix_core_ami](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/ami) | data source | +| [aws_iam_policy_document.ec2_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.helix_core_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_subnet.instance_subnet](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/subnet) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [FQDN](#input\_FQDN) | The FQDN that should be used to generate the self-signed SSL cert on the Helix Core instance. | `string` | `null` | no | | [create\_default\_sg](#input\_create\_default\_sg) | Whether to create a default security group for the Helix Core instance. | `bool` | `true` | no | | [create\_helix\_core\_default\_role](#input\_create\_helix\_core\_default\_role) | Optional creation of Helix Core default IAM Role with SSM managed instance core policy attached. Default is set to true. | `bool` | `true` | no | | [custom\_helix\_core\_role](#input\_custom\_helix\_core\_role) | ARN of the custom IAM Role you wish to use with Helix Core. | `string` | `null` | no | | [depot\_volume\_size](#input\_depot\_volume\_size) | The size of the depot volume in GiB. Defaults to 128 GiB. | `number` | `128` | no | | [environment](#input\_environment) | The current environment (e.g. dev, prod, etc.) | `string` | `"dev"` | no | | [existing\_security\_groups](#input\_existing\_security\_groups) | A list of existing security group IDs to attach to the Helix Core load balancer. | `list(string)` | `[]` | no | +| [fully\_qualified\_domain\_name](#input\_fully\_qualified\_domain\_name) | The fully qualified domain name where Helix Core will be available. This is used to generate self-signed certificates on the Helix Core server. | `string` | `null` | no | | [helix\_authentication\_service\_url](#input\_helix\_authentication\_service\_url) | The URL for the Helix Authentication Service. 
| `string` | `null` | no | +| [helix\_case\_sensitive](#input\_helix\_case\_sensitive) | Whether or not the server should be case insensitive (Server will run '-C1' mode), or if the server will run with case sensitivity default of the underlying platform. False enables '-C1' mode | `bool` | `true` | no | | [helix\_core\_super\_user\_password\_secret\_arn](#input\_helix\_core\_super\_user\_password\_secret\_arn) | If you would like to manage your own super user credentials through AWS Secrets Manager provide the ARN for the super user's password here. | `string` | `null` | no | | [helix\_core\_super\_user\_username\_secret\_arn](#input\_helix\_core\_super\_user\_username\_secret\_arn) | If you would like to manage your own super user credentials through AWS Secrets Manager provide the ARN for the super user's username here. Otherwise, the default of 'perforce' will be used. | `string` | `null` | no | +| [instance\_architecture](#input\_instance\_architecture) | The architecture of the Helix Core instance. Allowed values are 'arm64' or 'x86\_64'. | `string` | `"x86_64"` | no | | [instance\_subnet\_id](#input\_instance\_subnet\_id) | The subnet where the Helix Core instance will be deployed. | `string` | n/a | yes | | [instance\_type](#input\_instance\_type) | The instance type for Perforce Helix Core. Defaults to c6in.large. | `string` | `"c6in.large"` | no | | [internal](#input\_internal) | Set this flag to true if you do not want the Helix Core instance to have a public IP. | `bool` | `false` | no | 
@@ -80,6 +82,7 @@ No modules. | [helix\_core\_eip\_id](#output\_helix\_core\_eip\_id) | The ID of the Elastic IP associated with your Helix Core instance. | | [helix\_core\_eip\_private\_ip](#output\_helix\_core\_eip\_private\_ip) | The private IP of your Helix Core instance. | | [helix\_core\_eip\_public\_ip](#output\_helix\_core\_eip\_public\_ip) | The public IP of your Helix Core instance. | +| [helix\_core\_instance\_id](#output\_helix\_core\_instance\_id) | Instance ID for the Helix Core instance | | [helix\_core\_super\_user\_password\_secret\_arn](#output\_helix\_core\_super\_user\_password\_secret\_arn) | The ARN of the AWS Secrets Manager secret holding your Helix Core super user's password. | | [helix\_core\_super\_user\_username\_secret\_arn](#output\_helix\_core\_super\_user\_username\_secret\_arn) | The ARN of the AWS Secrets Manager secret holding your Helix Core super user's username. | | [security\_group\_id](#output\_security\_group\_id) | The default security group of your Helix Core instance. | diff --git a/modules/perforce/helix-core/data.tf b/modules/perforce/helix-core/data.tf index d39bc874..382051b5 100644 --- a/modules/perforce/helix-core/data.tf +++ b/modules/perforce/helix-core/data.tf @@ -22,7 +22,7 @@ data "aws_ami" "helix_core_ami" { name = "virtualization-type" values = ["hvm"] } - filter { + filter { name = "architecture" values = [var.instance_architecture] } diff --git a/modules/perforce/helix-core/main.tf b/modules/perforce/helix-core/main.tf index 99078aab..767437e8 100644 --- a/modules/perforce/helix-core/main.tf +++ b/modules/perforce/helix-core/main.tf 
@@ -39,8 +39,8 @@ resource "aws_instance" "helix_core_instance" { --p4d_type ${var.server_type} \ --username ${var.helix_core_super_user_username_secret_arn == null ? awscc_secretsmanager_secret.helix_core_super_user_username[0].secret_id : var.helix_core_super_user_username_secret_arn} \ --password ${var.helix_core_super_user_password_secret_arn == null ? awscc_secretsmanager_secret.helix_core_super_user_password[0].secret_id : var.helix_core_super_user_password_secret_arn} \ - --fqdn ${var.FQDN == null ? "" : var.FQDN} \ - --auth ${var.helix_authentication_service_url == null ? "" : var.helix_authentication_service_url} \ + ${var.fully_qualified_domain_name == null ? "" : "--fqdn ${var.fully_qualified_domain_name}"} \ + ${var.helix_authentication_service_url == null ? "" : "--auth ${var.helix_authentication_service_url}"} \ --case_sensitive ${var.helix_case_sensitive ? 1 : 0} EOT diff --git a/modules/perforce/helix-core/variables.tf b/modules/perforce/helix-core/variables.tf index e42ea3c6..d867a109 100644 --- a/modules/perforce/helix-core/variables.tf +++ b/modules/perforce/helix-core/variables.tf @@ -76,9 +76,9 @@ variable "internal" { default = false } -variable "FQDN" { +variable "fully_qualified_domain_name" { type = string - description = "The FQDN that should be used to generate the self-signed SSL cert on the Helix Core instance." + description = "The fully qualified domain name where Helix Core will be available. This is used to generate self-signed certificates on the Helix Core server." default = null } @@ -174,4 +174,4 @@ variable "helix_case_sensitive" { type = bool description = "Whether or not the server should be case insensitive (Server will run '-C1' mode), or if the server will run with case sensitivity default of the underlying platform. False enables '-C1' mode" default = true -} \ No newline at end of file +} diff --git a/modules/perforce/helix-swarm/README.md b/modules/perforce/helix-swarm/README.md index bc17e481..6378cd02 100644 
--- a/modules/perforce/helix-swarm/README.md +++ b/modules/perforce/helix-swarm/README.md @@ -6,8 +6,8 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | 5.66.0 | -| [random](#requirement\_random) | 3.6.2 | +| [aws](#requirement\_aws) | 5.68.0 | +| [random](#requirement\_random) | 3.6.3 | ## Providers 
@@ -24,46 +24,42 @@ No modules. | Name | Type | |------|------| -| [aws_cloudwatch_log_group.helix_swarm_redis_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.helix_swarm_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/cloudwatch_log_group) | resource | -| [aws_ecs_cluster.helix_swarm_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/ecs_cluster) | resource | -| [aws_ecs_cluster_capacity_providers.helix_swarm_cluster_fargate_providers](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/ecs_cluster_capacity_providers) | resource | -| [aws_ecs_service.helix_swarm_service](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/ecs_service) | resource | -| [aws_ecs_task_definition.helix_swarm_task_definition](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/ecs_task_definition) | resource | -| [aws_efs_access_point.helix_swarm_efs_access_point](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/efs_access_point) | resource | -| [aws_efs_access_point.redis_efs_access_point](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/efs_access_point) | resource | -| [aws_efs_file_system.helix_swarm_efs_file_system](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/efs_file_system) | resource | -| [aws_efs_mount_target.helix_swarm_efs_mount_target](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/efs_mount_target) | resource | -| [aws_iam_policy.helix_swarm_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/iam_policy) | resource | -| [aws_iam_policy.helix_swarm_efs_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/iam_policy) | resource | -| 
[aws_iam_policy.helix_swarm_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/iam_policy) | resource | -| [aws_iam_role.helix_swarm_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/iam_role) | resource | -| [aws_iam_role.helix_swarm_task_execution_role](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/iam_role) | resource | -| [aws_lb.helix_swarm_alb](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/lb) | resource | -| [aws_lb_listener.swarm_alb_https_listener](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/lb_listener) | resource | -| [aws_lb_target_group.helix_swarm_alb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/lb_target_group) | resource | -| [aws_s3_bucket.helix_swarm_alb_access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket_lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_policy.alb_access_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.access_logs_bucket_public_block](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_security_group.helix_swarm_alb_sg](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/security_group) | resource | -| [aws_security_group.helix_swarm_efs_security_group](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/security_group) | resource | -| 
[aws_security_group.helix_swarm_service_sg](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/security_group) | resource | -| [aws_vpc_security_group_egress_rule.helix_swarm_alb_outbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_egress_rule.helix_swarm_service_outbound_ipv4](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_egress_rule.helix_swarm_service_outbound_ipv6](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_swarm_efs_inbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_swarm_service_inbound_alb](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [random_string.helix_swarm](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource | -| [random_string.helix_swarm_alb_access_logs_bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.2/docs/resources/string) | resource | -| [aws_ecs_cluster.helix_swarm_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/ecs_cluster) | data source | -| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.access_logs_bucket_alb_write](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.ecs_tasks_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_swarm_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_swarm_efs_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_swarm_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/region) | data source | +| [aws_cloudwatch_log_group.helix_swarm_redis_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.helix_swarm_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_ecs_cluster.helix_swarm_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_cluster) | resource | +| [aws_ecs_cluster_capacity_providers.helix_swarm_cluster_fargate_providers](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_cluster_capacity_providers) | resource | +| [aws_ecs_service.helix_swarm_service](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_service) | resource | +| [aws_ecs_task_definition.helix_swarm_task_definition](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_task_definition) | resource | +| [aws_elasticache_cluster.swarm](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/elasticache_cluster) | resource | +| 
[aws_elasticache_subnet_group.swarm](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/elasticache_subnet_group) | resource | +| [aws_iam_policy.helix_swarm_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_policy) | resource | +| [aws_iam_policy.helix_swarm_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_policy) | resource | +| [aws_iam_role.helix_swarm_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_role) | resource | +| [aws_iam_role.helix_swarm_task_execution_role](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/iam_role) | resource | +| [aws_lb.helix_swarm_alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/lb) | resource | +| [aws_lb_listener.swarm_alb_https_listener](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.helix_swarm_alb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/lb_target_group) | resource | +| [aws_s3_bucket.helix_swarm_alb_access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket_lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.alb_access_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.access_logs_bucket_public_block](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/s3_bucket_public_access_block) | resource | +| 
[aws_security_group.helix_swarm_alb_sg](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_security_group.helix_swarm_elasticache_sg](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_security_group.helix_swarm_service_sg](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_vpc_security_group_egress_rule.helix_swarm_alb_outbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.helix_swarm_service_outbound_ipv4](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.helix_swarm_service_outbound_ipv6](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_swarm_elasticache_ingress](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_swarm_service_inbound_alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [random_string.helix_swarm](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | +| [random_string.helix_swarm_alb_access_logs_bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | +| [aws_ecs_cluster.helix_swarm_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/ecs_cluster) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/elb_service_account) 
| data source | +| [aws_iam_policy_document.access_logs_bucket_alb_write](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ecs_tasks_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.helix_swarm_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.helix_swarm_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/region) | data source | ## Inputs 
@@ -74,13 +70,16 @@ No modules. | [create\_helix\_swarm\_default\_policy](#input\_create\_helix\_swarm\_default\_policy) | Optional creation of Helix Swarm default IAM Policy. Default is set to true. | `bool` | `true` | no | | [create\_helix\_swarm\_default\_role](#input\_create\_helix\_swarm\_default\_role) | Optional creation of Helix Swarm Default IAM Role. Default is set to true. | `bool` | `true` | no | | [custom\_helix\_swarm\_role](#input\_custom\_helix\_swarm\_role) | ARN of the custom IAM Role you wish to use with Helix Swarm. | `string` | `null` | no | -| [enable\_elastic\_filesystem](#input\_enable\_elastic\_filesystem) | Flag to enable/disable elastic filesystem for persistent storage. Defaults to false. | `bool` | `false` | no | +| [debug](#input\_debug) | Debug flag to enable execute command on service for container access. | `bool` | `false` | no | +| [elasticache\_node\_count](#input\_elasticache\_node\_count) | Number of cache nodes to provision in the Elasticache cluster. | `number` | `1` | no | +| [elasticache\_node\_type](#input\_elasticache\_node\_type) | The type of nodes provisioned in the Elasticache cluster. | `string` | `"cache.t4g.micro"` | no | | [enable\_helix\_swarm\_alb\_access\_logs](#input\_enable\_helix\_swarm\_alb\_access\_logs) | Enables access logging for the Helix Swarm ALB. Defaults to true. | `bool` | `true` | no | | [enable\_helix\_swarm\_alb\_deletion\_protection](#input\_enable\_helix\_swarm\_alb\_deletion\_protection) | Enables deletion protection for the Helix Swarm ALB. Defaults to true. | `bool` | `true` | no | +| [enable\_sso](#input\_enable\_sso) | Set this to true if using SSO for Helix Swarm authentication. | `bool` | `false` | no | | [environment](#input\_environment) | The current environment (e.g. dev, prod, etc.) | `string` | `"dev"` | no | -| [existing\_redis\_host](#input\_existing\_redis\_host) | The hostname where the Redis cache that Swarm should use is running. 
| `string` | `null` | no | +| [existing\_redis\_connection](#input\_existing\_redis\_connection) | The connection specifications to use for an existing Redis deployment. |
object({
host = string
port = number
})
| `null` | no | | [existing\_security\_groups](#input\_existing\_security\_groups) | A list of existing security group IDs to attach to the Helix Swarm service load balancer. | `list(string)` | `[]` | no | -| [fqdn](#input\_fqdn) | The fully qualified domain name that Swarm should use for internal URLs. | `string` | `null` | no | +| [fully\_qualified\_domain\_name](#input\_fully\_qualified\_domain\_name) | The fully qualified domain name that Swarm should use for internal URLs. | `string` | `null` | no | | [helix\_swarm\_alb\_access\_logs\_bucket](#input\_helix\_swarm\_alb\_access\_logs\_bucket) | ID of the S3 bucket for Helix Swarm ALB access log storage. If access logging is enabled and this is null the module creates a bucket. | `string` | `null` | no | | [helix\_swarm\_alb\_access\_logs\_prefix](#input\_helix\_swarm\_alb\_access\_logs\_prefix) | Log prefix for Helix Swarm ALB access logs. If null the project prefix and module name are used. | `string` | `null` | no | | [helix\_swarm\_alb\_subnets](#input\_helix\_swarm\_alb\_subnets) | A list of subnets to deploy the Helix Swarm load balancer into. Public subnets are recommended. | `list(string)` | n/a | yes | 
@@ -90,8 +89,6 @@ No modules. | [helix\_swarm\_container\_name](#input\_helix\_swarm\_container\_name) | The name of the swarm container. | `string` | `"helix-swarm-container"` | no | | [helix\_swarm\_container\_port](#input\_helix\_swarm\_container\_port) | The container port that swarm runs on. | `number` | `80` | no | | [helix\_swarm\_desired\_container\_count](#input\_helix\_swarm\_desired\_container\_count) | The desired number of containers running the Helix Swarm service. | `number` | `1` | no | -| [helix\_swarm\_efs\_performance\_mode](#input\_helix\_swarm\_efs\_performance\_mode) | The performance mode of the EFS file system used by the Helix Swarm service. Defaults to general purpose. | `string` | `"generalPurpose"` | no | -| [helix\_swarm\_efs\_throughput\_mode](#input\_helix\_swarm\_efs\_throughput\_mode) | The throughput mode of the EFS file system used by the Helix Swarm service. Defaults to bursting. | `string` | `"bursting"` | no | | [helix\_swarm\_service\_subnets](#input\_helix\_swarm\_service\_subnets) | A list of subnets to deploy the Helix Swarm service into. Private subnets are recommended. | `list(string)` | n/a | yes | | [internal](#input\_internal) | Set this flag to true if you do not want the Helix Swarm service load balancer to have a public IP. | `bool` | `false` | no | | [name](#input\_name) | The name attached to swarm module resources. | `string` | `"swarm"` | no | 
@@ -101,14 +98,7 @@ No modules. | [p4d\_swarm\_password\_arn](#input\_p4d\_swarm\_password\_arn) | The ARN of the parameter or secret where the swarm user password is stored. | `string` | n/a | yes | | [p4d\_swarm\_user\_arn](#input\_p4d\_swarm\_user\_arn) | The ARN of the parameter or secret where the swarm user username is stored. | `string` | n/a | yes | | [project\_prefix](#input\_project\_prefix) | The project prefix for this workload. This is appeneded to the beginning of most resource names. | `string` | `"cgd"` | no | -| [redis\_container\_cpu](#input\_redis\_container\_cpu) | CPU allotment for Helix Swarm Redis container. | `number` | `1024` | no | -| [redis\_container\_memory](#input\_redis\_container\_memory) | Memory allotment for Helix Swarm Redis container. | `number` | `2048` | no | -| [redis\_container\_name](#input\_redis\_container\_name) | The name of the Redis container. | `string` | `"swarm-redis"` | no | -| [redis\_container\_port](#input\_redis\_container\_port) | The port where the Redis cache that Swarm should use is running. | `number` | `6379` | no | -| [redis\_image](#input\_redis\_image) | The Redis image and version that Helix Swarm should use. | `string` | `"redis"` | no | | [tags](#input\_tags) | Tags to apply to resources. | `map(any)` |
{
"IAC_MANAGEMENT": "CGD-Toolkit",
"IAC_MODULE": "swarm",
"IAC_PROVIDER": "Terraform"
}
| no | -| [task\_cpu](#input\_task\_cpu) | The CPU allotment for the Helix Swarm task. | `number` | `2048` | no | -| [task\_memory](#input\_task\_memory) | The memory allotment for the Helix Swarm task. | `number` | `4096` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the existing VPC you would like to deploy swarm into. | `string` | n/a | yes | ## Outputs diff --git a/modules/perforce/helix-swarm/efs.tf b/modules/perforce/helix-swarm/efs.tf deleted file mode 100644 index cd1aa183..00000000 --- a/modules/perforce/helix-swarm/efs.tf +++ /dev/null 
@@ -1,73 +0,0 @@ - -################################################################################ -# Filesystem -################################################################################ - -# File system for Helix Swarm -resource "aws_efs_file_system" "helix_swarm_efs_file_system" { - count = var.enable_elastic_filesystem ? 1 : 0 - creation_token = "${local.name_prefix}-efs-file-system" - performance_mode = var.helix_swarm_efs_performance_mode - throughput_mode = var.helix_swarm_efs_throughput_mode - - #TODO: Parameterize encryption and customer managed key creation - encrypted = true - - lifecycle_policy { - transition_to_ia = "AFTER_30_DAYS" - } - - lifecycle_policy { - transition_to_primary_storage_class = "AFTER_1_ACCESS" - } - #checkov:skip=CKV_AWS_184: CMK encryption not supported currently - tags = merge(local.tags, { - Name = "${local.name_prefix}-efs-file-system" - }) -} - -# Mount targets for Helix Swarm containers -resource "aws_efs_mount_target" "helix_swarm_efs_mount_target" { - count = var.enable_elastic_filesystem ? length(var.helix_swarm_service_subnets) : 0 - file_system_id = aws_efs_file_system.helix_swarm_efs_file_system[0].id - subnet_id = var.helix_swarm_service_subnets[count.index] - security_groups = [aws_security_group.helix_swarm_efs_security_group[0].id] -} - -# Helix Swarm Home directory access point -resource "aws_efs_access_point" "helix_swarm_efs_access_point" { - count = var.enable_elastic_filesystem ? 1 : 0 - file_system_id = aws_efs_file_system.helix_swarm_efs_file_system[0].id - posix_user { - gid = 0 - uid = 0 - } - root_directory { - path = local.helix_swarm_config_path - creation_info { - owner_gid = 0 - owner_uid = 0 - permissions = 755 - } - } - tags = local.tags -} - -# Helix Swarm Redis data access point -resource "aws_efs_access_point" "redis_efs_access_point" { - count = var.enable_elastic_filesystem ? 
1 : 0 - file_system_id = aws_efs_file_system.helix_swarm_efs_file_system[0].id - posix_user { - gid = 1001 - uid = 1001 - } - root_directory { - path = local.helix_swarm_redis_data_path - creation_info { - owner_gid = 1001 - owner_uid = 1001 - permissions = 755 - } - } - tags = local.tags -} diff --git a/modules/perforce/helix-swarm/elasticache.tf b/modules/perforce/helix-swarm/elasticache.tf new file mode 100644 index 00000000..799d6b18 --- /dev/null +++ b/modules/perforce/helix-swarm/elasticache.tf @@ -0,0 +1,20 @@ +# Subnet Group for Horde Elasticache +resource "aws_elasticache_subnet_group" "swarm" { + count = var.existing_redis_connection != null ? 0 : 1 + name = "${var.name}-elasticache-subnet-group" + subnet_ids = var.helix_swarm_service_subnets +} + +# Single Node Elasticache Cluster for Helix Swarm +resource "aws_elasticache_cluster" "swarm" { + count = var.existing_redis_connection != null ? 0 : 1 + cluster_id = "${var.name}-elasticache-redis-cluster" + engine = "redis" + node_type = var.elasticache_node_type + num_cache_nodes = var.elasticache_node_count + parameter_group_name = local.elasticache_redis_parameter_group_name + engine_version = local.elasticache_redis_engine_version + port = local.elasticache_redis_port + security_group_ids = [aws_security_group.helix_swarm_elasticache_sg[0].id] + subnet_group_name = aws_elasticache_subnet_group.swarm[0].name +} diff --git a/modules/perforce/helix-swarm/iam.tf b/modules/perforce/helix-swarm/iam.tf index 1c23cd66..b52f1e32 100644 --- a/modules/perforce/helix-swarm/iam.tf +++ b/modules/perforce/helix-swarm/iam.tf 
@@ -39,22 +39,6 @@ data "aws_iam_policy_document" "helix_swarm_default_policy" { } } -data "aws_iam_policy_document" "helix_swarm_efs_policy" { - count = var.enable_elastic_filesystem ? 1 : 0 - # EFS - statement { - effect = "Allow" - actions = [ - "elasticfilesystem:ClientWrite", - "elasticfilesystem:ClientRootAccess", - "elasticfilesystem:ClientMount" - ] - resources = [ - aws_efs_file_system.helix_swarm_efs_file_system[0].arn - ] - } -} - data "aws_iam_policy_document" "helix_swarm_ssm_policy" { # ssm statement { @@ -80,13 +64,6 @@ resource "aws_iam_policy" "helix_swarm_default_policy" { policy = data.aws_iam_policy_document.helix_swarm_default_policy[0].json } -resource "aws_iam_policy" "helix_swarm_efs_policy" { - count = var.enable_elastic_filesystem ? 1 : 0 - name = "${var.project_prefix}-helix-swarm-efs-policy" - description = "Policy granting permissions for Helix Swarm to access EFS." - policy = data.aws_iam_policy_document.helix_swarm_efs_policy[0].json -} - resource "aws_iam_policy" "helix_swarm_ssm_policy" { name = "${var.project_prefix}-helix-swarm-ssm-policy" description = "Policy granting permissions for Helix Swarm task execution role to access SSM." @@ -101,11 +78,9 @@ resource "aws_iam_role" "helix_swarm_default_role" { name = "${var.project_prefix}-helix-swarm-default-role" assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust_relationship.json - managed_policy_arns = concat([ - aws_iam_policy.helix_swarm_default_policy[0].arn - ], var.enable_elastic_filesystem ? [ - aws_iam_policy.helix_swarm_efs_policy[0].arn - ] : []) + managed_policy_arns = [ + aws_iam_policy.helix_swarm_default_policy[0].arn, + ] tags = local.tags } diff --git a/modules/perforce/helix-swarm/locals.tf b/modules/perforce/helix-swarm/locals.tf index c9e58147..d2e3bcbf 100644 --- a/modules/perforce/helix-swarm/locals.tf +++ b/modules/perforce/helix-swarm/locals.tf 
@@ -1,8 +1,13 @@ locals { - helix_swarm_image = "perforce/helix-swarm" - name_prefix = "${var.project_prefix}-${var.name}" - helix_swarm_config_path = "/opt/perforce/swarm/data" - helix_swarm_redis_data_path = "/data" + helix_swarm_image = "perforce/helix-swarm" + name_prefix = "${var.project_prefix}-${var.name}" + helix_swarm_data_path = "/opt/perforce/swarm/data" + + elasticache_redis_port = 6379 + elasticache_redis_engine_version = "7.0" + elasticache_redis_parameter_group_name = "default.redis7" + + helix_swarm_data_volume_name = "helix-swarm-data" tags = merge(var.tags, { "ENVIRONMENT" = var.environment diff --git a/modules/perforce/helix-swarm/main.tf b/modules/perforce/helix-swarm/main.tf index 89fe2656..4a0501c3 100644 --- a/modules/perforce/helix-swarm/main.tf +++ b/modules/perforce/helix-swarm/main.tf 
@@ -38,49 +38,21 @@ resource "aws_cloudwatch_log_group" "helix_swarm_redis_service_log_group" { tags = local.tags } - # Define swarm task definition resource "aws_ecs_task_definition" "helix_swarm_task_definition" { family = var.name requires_compatibilities = ["FARGATE"] network_mode = "awsvpc" - cpu = var.task_cpu - memory = var.task_memory + cpu = var.helix_swarm_container_cpu + memory = var.helix_swarm_container_memory + + volume { + name = local.helix_swarm_data_volume_name + } container_definitions = jsonencode( - concat( - var.existing_redis_host == null ? [ - { - name = var.redis_container_name, - image = var.redis_image, - cpu = var.redis_container_cpu, - memory = var.redis_container_memory, - essential = true, - portMappings = [ - { - containerPort = var.redis_container_port - hostPort = var.redis_container_port - protocol = "tcp" - } - ] - logConfiguration = { - logDriver = "awslogs" - options = { - awslogs-group = aws_cloudwatch_log_group.helix_swarm_redis_service_log_group.name - awslogs-region = data.aws_region.current.name - awslogs-stream-prefix = "redis" - } - } - readonlyRootFilesystem = false - mountPoints = var.enable_elastic_filesystem ? [ - { - containerPath = local.helix_swarm_redis_data_path, - sourceVolume = "redis_data", - readOnly = false, - } - ] : [] - }] : [], - [{ + [ + { name = var.helix_swarm_container_name, image = local.helix_swarm_image, cpu = var.helix_swarm_container_cpu, @@ -93,6 +65,10 @@ resource "aws_ecs_task_definition" "helix_swarm_task_definition" { protocol = "tcp" } ] + healthCheck = { + command = ["CMD-SHELL", "curl -f http://localhost:${var.helix_swarm_container_port}/login || exit 1"] + startPeriod = 30 + } logConfiguration = { logDriver = "awslogs" options = { 
@@ -126,60 +102,64 @@ resource "aws_ecs_task_definition" "helix_swarm_task_definition" { }, { name = "SWARM_HOST" - value = var.fqdn + value = var.fully_qualified_domain_name }, { name = "SWARM_REDIS" - value = var.existing_redis_host != null ? var.existing_redis_host : "127.0.0.1" + value = var.existing_redis_connection != null ? var.existing_redis_connection.host : aws_elasticache_cluster.swarm[0].cache_nodes[0].address }, { name = "SWARM_REDIS_PORT" - value = tostring(var.redis_container_port) + value = var.existing_redis_connection != null ? tostring(var.existing_redis_connection.port) : tostring(aws_elasticache_cluster.swarm[0].cache_nodes[0].port) } ], readonlyRootFilesystem = false - mountPoints = var.enable_elastic_filesystem ? [ + mountPoints = [ { - containerPath = local.helix_swarm_config_path, - sourceVolume = "swarm_data", - readOnly = false, + sourceVolume = local.helix_swarm_data_volume_name + containerPath = local.helix_swarm_data_path + readOnly = false } - ] : [] - }] - )) - - task_role_arn = var.custom_helix_swarm_role != null ? var.custom_helix_swarm_role : aws_iam_role.helix_swarm_default_role[0].arn - execution_role_arn = aws_iam_role.helix_swarm_task_execution_role.arn + ], + }, + { + name = local.helix_swarm_data_volume_name + image = "bash" + essential = false + // Only run this command if enable_sso is set + command = concat([], var.enable_sso ? [ + "sh", + "-c", + "echo \"/p4/a\\\t'sso' => 'enabled',\" > ${local.helix_swarm_data_path}/sso.sed && sed -i -f ${local.helix_swarm_data_path}/sso.sed ${local.helix_swarm_data_path}/config.php && rm -rf ${local.helix_swarm_data_path}/cache", + ] : []), + readonly_root_filesystem = false - dynamic "volume" { - for_each = var.enable_elastic_filesystem ? 
[1] : [] - content { - name = "swarm_data" - efs_volume_configuration { - file_system_id = aws_efs_file_system.helix_swarm_efs_file_system[0].id - transit_encryption = "ENABLED" - authorization_config { - access_point_id = aws_efs_access_point.helix_swarm_efs_access_point[0].id - iam = "ENABLED" + logConfiguration = { + logDriver = "awslogs" + options = { + awslogs-group = aws_cloudwatch_log_group.helix_swarm_service_log_group.name + awslogs-region = data.aws_region.current.name + awslogs-stream-prefix = local.helix_swarm_data_volume_name + } } + mountPoints = [ + { + sourceVolume = local.helix_swarm_data_volume_name + containerPath = local.helix_swarm_data_path + } + ], + dependsOn = [ + { + containerName = var.helix_swarm_container_name + condition = "HEALTHY" + } + ] } - } - } + ] + ) - dynamic "volume" { - for_each = var.enable_elastic_filesystem ? [1] : [] - content { - name = "redis_data" - efs_volume_configuration { - file_system_id = aws_efs_file_system.helix_swarm_efs_file_system[0].id - transit_encryption = "ENABLED" - authorization_config { - access_point_id = aws_efs_access_point.redis_efs_access_point[0].id - iam = "ENABLED" - } - } - } - } + task_role_arn = var.custom_helix_swarm_role != null ? var.custom_helix_swarm_role : aws_iam_role.helix_swarm_default_role[0].arn + execution_role_arn = aws_iam_role.helix_swarm_task_execution_role.arn runtime_platform { operating_system_family = "LINUX" 
@@ -193,11 +173,12 @@ resource "aws_ecs_task_definition" "helix_swarm_task_definition" { resource "aws_ecs_service" "helix_swarm_service" { name = "${local.name_prefix}-service" - cluster = var.cluster_name != null ? data.aws_ecs_cluster.helix_swarm_cluster[0].arn : aws_ecs_cluster.helix_swarm_cluster[0].arn - task_definition = aws_ecs_task_definition.helix_swarm_task_definition.arn - launch_type = "FARGATE" - desired_count = var.helix_swarm_desired_container_count - force_new_deployment = true + cluster = var.cluster_name != null ? data.aws_ecs_cluster.helix_swarm_cluster[0].arn : aws_ecs_cluster.helix_swarm_cluster[0].arn + task_definition = aws_ecs_task_definition.helix_swarm_task_definition.arn + launch_type = "FARGATE" + desired_count = var.helix_swarm_desired_container_count + force_new_deployment = var.debug + enable_execute_command = var.debug load_balancer { target_group_arn = aws_lb_target_group.helix_swarm_alb_target_group.arn @@ -211,4 +192,6 @@ resource "aws_ecs_service" "helix_swarm_service" { } tags = local.tags + + depends_on = [aws_elasticache_cluster.swarm] } diff --git a/modules/perforce/helix-swarm/sg.tf b/modules/perforce/helix-swarm/sg.tf index a7177444..09bdff2f 100644 --- a/modules/perforce/helix-swarm/sg.tf +++ b/modules/perforce/helix-swarm/sg.tf 
@@ -59,26 +59,21 @@ resource "aws_vpc_security_group_egress_rule" "helix_swarm_alb_outbound_service" ip_protocol = "tcp" } - -######################################## -# SWARM FILE SYSTEM SECURITY GROUP -######################################## - -resource "aws_security_group" "helix_swarm_efs_security_group" { - count = var.enable_elastic_filesystem ? 1 : 0 - name = "${local.name_prefix}-efs" +# Helix Swarm Elasticache Redis Security Group +resource "aws_security_group" "helix_swarm_elasticache_sg" { + count = var.existing_redis_connection != null ? 0 : 1 + #checkov:skip=CKV2_AWS_5:Security group is attached to Elasticache cluster + name = "${local.name_prefix}-elasticache" vpc_id = var.vpc_id - description = "Helix Swarm EFS mount target Security Group" + description = "Helix Swarm Elasticache Redis Security Group" tags = local.tags } - -# Inbound access from Service to EFS mount targets -resource "aws_vpc_security_group_ingress_rule" "helix_swarm_efs_inbound_service" { - count = var.enable_elastic_filesystem ? 1 : 0 - security_group_id = aws_security_group.helix_swarm_efs_security_group[0].id - description = "Allow inbound access from Helix Swarm service containers to EFS." +resource "aws_vpc_security_group_ingress_rule" "helix_swarm_elasticache_ingress" { + count = var.existing_redis_connection != null ? 0 : 1 + security_group_id = aws_security_group.helix_swarm_elasticache_sg[0].id + description = "Allow inbound traffic from Helix Swarm service to Redis" referenced_security_group_id = aws_security_group.helix_swarm_service_sg.id - from_port = 2049 - to_port = 2049 + from_port = local.elasticache_redis_port + to_port = local.elasticache_redis_port ip_protocol = "tcp" } diff --git a/modules/perforce/helix-swarm/variables.tf b/modules/perforce/helix-swarm/variables.tf index 95115042..b58dc5c9 100644 --- a/modules/perforce/helix-swarm/variables.tf +++ b/modules/perforce/helix-swarm/variables.tf 
@@ -77,73 +77,25 @@ variable "p4d_port" { default = "ssl:perforce:1666" } -variable "fqdn" { +variable "fully_qualified_domain_name" { type = string description = "The fully qualified domain name that Swarm should use for internal URLs." default = null } -variable "redis_container_cpu" { - type = number - description = "CPU allotment for Helix Swarm Redis container." - default = 1024 -} - -variable "redis_container_memory" { - type = number - description = "Memory allotment for Helix Swarm Redis container." - default = 2048 -} - -variable "existing_redis_host" { - type = string - description = "The hostname where the Redis cache that Swarm should use is running." +variable "existing_redis_connection" { + type = object({ + host = string + port = number + }) + description = "The connection specifications to use for an existing Redis deployment." default = null } -variable "redis_container_port" { - type = number - description = "The port where the Redis cache that Swarm should use is running." - default = 6379 -} - -variable "redis_image" { - type = string - description = "The Redis image and version that Helix Swarm should use." - default = "redis" -} - -variable "redis_container_name" { - type = string - description = "The name of the Redis container." - default = "swarm-redis" -} - -variable "enable_elastic_filesystem" { - type = bool - description = "Flag to enable/disable elastic filesystem for persistent storage. Defaults to false." - default = false -} - -variable "task_cpu" { - type = number - description = "The CPU allotment for the Helix Swarm task." - default = 2048 - nullable = false -} - -variable "task_memory" { - type = number - description = "The memory allotment for the Helix Swarm task." - default = 4096 - nullable = false -} - variable "helix_swarm_desired_container_count" { type = number description = "The desired number of containers running the Helix Swarm service." default = 1 - nullable = false } # - Existing Cluster - 
@@ -205,19 +157,6 @@ variable "certificate_arn" { description = "The TLS certificate ARN for the Helix Swarm service load balancer." } -# - Filesystem - -variable "helix_swarm_efs_performance_mode" { - type = string - description = "The performance mode of the EFS file system used by the Helix Swarm service. Defaults to general purpose." - default = "generalPurpose" -} - -variable "helix_swarm_efs_throughput_mode" { - type = string - description = "The throughput mode of the EFS file system used by the Helix Swarm service. Defaults to bursting." - default = "bursting" -} - # - Logging - variable "helix_swarm_cloudwatch_log_retention_in_days" { type = string @@ -263,3 +202,35 @@ variable "p4d_swarm_password_arn" { type = string description = "The ARN of the parameter or secret where the swarm user password is stored." } + +variable "debug" { + type = bool + default = false + description = "Debug flag to enable execute command on service for container access." +} + +variable "enable_sso" { + type = bool + default = false + description = "Set this to true if using SSO for Helix Swarm authentication." +} + +###################### +# ELASTICACHE CONFIG +###################### + +variable "elasticache_node_count" { + type = number + description = "Number of cache nodes to provision in the Elasticache cluster." + default = 1 + validation { + condition = var.elasticache_node_count > 0 + error_message = "The defined 'elasticache_node_count' must be greater than 0." + } +} + +variable "elasticache_node_type" { + type = string + description = "The type of nodes provisioned in the Elasticache cluster." + default = "cache.t4g.micro" +} diff --git a/samples/simple-build-pipeline/README.md b/samples/simple-build-pipeline/README.md index 91579696..dcf7c1d1 100644 --- a/samples/simple-build-pipeline/README.md +++ b/samples/simple-build-pipeline/README.md 
@@ -4,8 +4,7 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | 5.66.0 | - +| [aws](#requirement\_aws) | 5.68.0 | ## Providers 
@@ -26,41 +25,41 @@ | Name | Type | |------|------| -| [aws_acm_certificate.helix](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/acm_certificate) | resource | -| [aws_acm_certificate.jenkins](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/acm_certificate) | resource | -| [aws_acm_certificate_validation.helix](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/acm_certificate_validation) | resource | -| [aws_acm_certificate_validation.jenkins](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/acm_certificate_validation) | resource | -| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/default_security_group) | resource | -| [aws_ecs_cluster.build_pipeline_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/ecs_cluster) | resource | -| [aws_ecs_cluster_capacity_providers.providers](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/ecs_cluster_capacity_providers) | resource | -| [aws_eip.nat_gateway_eip](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/eip) | resource | -| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/internet_gateway) | resource | -| [aws_nat_gateway.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/nat_gateway) | resource | -| [aws_route53_record.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| [aws_route53_record.helix_cert](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| [aws_route53_record.helix_swarm](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| 
[aws_route53_record.jenkins](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| [aws_route53_record.jenkins_cert](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| [aws_route53_record.perforce_helix_core](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| [aws_route53_record.perforce_helix_core_pvt](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_record) | resource | -| [aws_route53_zone.helix_private_zone](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route53_zone) | resource | -| [aws_route_table.private_rt](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route_table) | resource | -| [aws_route_table.public_rt](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route_table) | resource | -| [aws_route_table_association.private_rt_asso](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route_table_association) | resource | -| [aws_route_table_association.public_rt_asso](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/route_table_association) | resource | -| [aws_subnet.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/subnet) | resource | -| [aws_subnet.public_subnets](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/subnet) | resource | -| [aws_vpc.build_pipeline_vpc](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc) | resource | -| [aws_vpc_security_group_ingress_rule.helix_auth_access](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| 
[aws_vpc_security_group_ingress_rule.helix_auth_inbound_core](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_core_access](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_core_inbound_build_farm](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_core_inbound_swarm](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_swarm_access](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.helix_swarm_inbound_core](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.jenkins_access](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/availability_zones) | data source | -| [aws_route53_zone.root](https://registry.terraform.io/providers/hashicorp/aws/5.66.0/docs/data-sources/route53_zone) | data source | +| [aws_acm_certificate.helix](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate.jenkins](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/acm_certificate) | resource | +| 
[aws_acm_certificate_validation.helix](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/acm_certificate_validation) | resource | +| [aws_acm_certificate_validation.jenkins](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/acm_certificate_validation) | resource | +| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/default_security_group) | resource | +| [aws_ecs_cluster.build_pipeline_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_cluster) | resource | +| [aws_ecs_cluster_capacity_providers.providers](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/ecs_cluster_capacity_providers) | resource | +| [aws_eip.nat_gateway_eip](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/eip) | resource | +| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/internet_gateway) | resource | +| [aws_nat_gateway.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/nat_gateway) | resource | +| [aws_route53_record.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.helix_cert](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.helix_swarm](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.jenkins](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.jenkins_cert](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| 
[aws_route53_record.perforce_helix_core](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.perforce_helix_core_pvt](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_zone.helix_private_zone](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_zone) | resource | +| [aws_route_table.private_rt](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route_table) | resource | +| [aws_route_table.public_rt](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route_table) | resource | +| [aws_route_table_association.private_rt_asso](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route_table_association) | resource | +| [aws_route_table_association.public_rt_asso](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route_table_association) | resource | +| [aws_subnet.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/subnet) | resource | +| [aws_subnet.public_subnets](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/subnet) | resource | +| [aws_vpc.build_pipeline_vpc](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc) | resource | +| [aws_vpc_security_group_ingress_rule.helix_auth_access](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_auth_inbound_core](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_core_access](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| 
[aws_vpc_security_group_ingress_rule.helix_core_inbound_build_farm](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_core_inbound_swarm](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_swarm_access](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_swarm_inbound_core](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.jenkins_access](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/availability_zones) | data source | +| [aws_route53_zone.root](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/route53_zone) | data source | ## Inputs diff --git a/samples/simple-build-pipeline/main.tf b/samples/simple-build-pipeline/main.tf index 8dbd36d3..3e41f352 100644 --- a/samples/simple-build-pipeline/main.tf +++ b/samples/simple-build-pipeline/main.tf @@ -40,7 +40,7 @@ module "perforce_helix_core" { metadata_volume_size = 32 logs_volume_size = 32 - FQDN = "core.helix.perforce.${var.root_domain_name}" + fully_qualified_domain_name = "core.helix.perforce.${var.root_domain_name}" helix_authentication_service_url = "https://${aws_route53_record.helix_authentication_service.name}" } 
@@ -58,7 +58,7 @@ module "perforce_helix_authentication_service" { certificate_arn = aws_acm_certificate.helix.arn enable_web_based_administration = true - fqdn = "https://auth.helix.${var.root_domain_name}" + fully_qualified_domain_name = "auth.helix.${var.root_domain_name}" depends_on = [aws_ecs_cluster.build_pipeline_cluster, aws_acm_certificate_validation.helix] } @@ -75,13 +75,14 @@ module "perforce_helix_swarm" { helix_swarm_service_subnets = aws_subnet.private_subnets[*].id certificate_arn = aws_acm_certificate.helix.arn p4d_port = "ssl:${aws_route53_record.perforce_helix_core_pvt.name}:1666" - enable_elastic_filesystem = false p4d_super_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn p4d_super_user_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn p4d_swarm_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn p4d_swarm_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn - fqdn = "swarm.helix.${var.root_domain_name}" + fully_qualified_domain_name = "swarm.helix.${var.root_domain_name}" + + enable_sso = true depends_on = [aws_ecs_cluster.build_pipeline_cluster, aws_acm_certificate_validation.helix] }
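Review bot: in the `@@ -40,7 +40,7 @@ module "perforce_helix_core"` hunk, renaming `FQDN` to `fully_qualified_domain_name` is a breaking interface change for anyone already calling the module, so it needs a changelog entry and either a deprecated alias or a clear validation error for the old name. Note also that the value keeps the `perforce.` label (`core.helix.perforce.${var.root_domain_name}`) while the swarm and auth calls in the following hunks use `helix.${var.root_domain_name}` directly; confirm that inconsistent suffix is intended rather than a leftover.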
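Review bot: in the `@@ -58,7 +58,7 @@ module "perforce_helix_authentication_service"` hunk, dropping the `https://` scheme from `fully_qualified_domain_name = "auth.helix.${var.root_domain_name}"` is correct for a variable named as an FQDN, but the module now owns URL composition, so its variable should validate that no scheme or path is passed (a `can(regex(...))` validation block) so callers migrating from the old `fqdn = "https://..."` form fail at plan time rather than producing a broken record or certificate name. The unchanged context line `enable_web_based_administration = true` also deserves a comment on which network path reaches that admin UI and how it is authenticated, since the sample enables it by default.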
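Review bot: in the `@@ -75,13 +75,14 @@ module "perforce_helix_swarm"` hunk, the unchanged context shows `p4d_swarm_user_arn` and `p4d_swarm_password_arn` pointing at the same secrets as `p4d_super_user_arn` and `p4d_super_user_password_arn`, so Swarm runs day to day with super-user privileges; the sample should create a dedicated swarm user and keep the super user for initial setup only, which is why the module has separate inputs for the two. The added `enable_sso = true` arrives without any comment on what it requires (the authentication service is not referenced in this block, and `depends_on` still lists only the cluster and the certificate validation), so state the assumption and add the dependency if SSO setup needs the auth service reachable at apply time. Removing `enable_elastic_filesystem = false` silently adopts whatever the module default now is; either keep the explicit value or document the default in the README.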
