CDCgov/terraform-aws-dibbs-ecr-viewer

Table of Contents

1. Overview
2. Notices
3. Architectural Design

1. Overview

The Data Integration Building Blocks (DIBBs) project is an effort to help state, local, territorial, and tribal public health departments better make sense of and utilize their data. You can read more about the project on the main DIBBs repository.

This repository exists specifically to develop an AWS "starter kit" for the DIBBs project, so that our jurisdictional partners can build from it to provision their own AWS infrastructure.

2. Notices

2.1 Public Domain Standard Notice

This repository constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. This repository is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication. All contributions to this repository will be released under the CC0 dedication. By submitting a pull request you are agreeing to comply with this waiver of copyright interest.

2.2 License Standard Notice

The repository utilizes code licensed under the terms of the Apache Software License and therefore is licensed under ASL v2 or later.

The source code in this repository is free: you can redistribute it and/or modify it under the terms of the Apache Software License version 2, or (at your option) any later version.

The source code in this repository is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the Apache Software License for more details.

You should have received a copy of the Apache Software License along with this program. If not, see http://www.apache.org/licenses/LICENSE-2.0.html.

Source code forked from other open source projects inherits the license of the project it was forked from.

2.3 Privacy Standard Notice

This repository contains only non-sensitive, publicly available data and information. All material and community participation is covered by the Disclaimer and Code of Conduct. For more information about CDC's privacy policy, please visit http://www.cdc.gov/other/privacy.html.

2.4 Contributing Standard Notice

Anyone is encouraged to contribute to the repository by forking and submitting a pull request. (If you are new to GitHub, you might start with a basic tutorial.) By contributing to this project, you grant a world-wide, royalty-free, perpetual, irrevocable, non-exclusive, transferable license to all users under the terms of the Apache Software License v2 or later.

All comments, messages, pull requests, and other submissions received through CDC, including this GitHub page, may be subject to applicable federal law, including but not limited to the Federal Records Act, and may be archived. Learn more at http://www.cdc.gov/other/privacy.html.

2.5 Records Management Standard Notice

This repository is not a source of government records, but is a copy to increase collaboration and collaborative potential. All government records will be published through the CDC web site.

2.6 Additional Standard Notices

Please refer to CDC's Template Repository for more information about contributing to this repository, public domain notices and disclaimers, and code of conduct.

3. Architectural Design

The current architectural design for dibbs-aws is as follows:

[Figure: Current DIBBS Architecture as of 6-24-2024]

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.9.0 |
| aws | ~> 5.56.1 |
| dockerless | ~> 0.1.1 |
| null | ~> 3.2.3 |
| random | ~> 3.6.3 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.56.1 |
| dockerless | ~> 0.1.1 |
| null | ~> 3.2.3 |
| random | ~> 3.6.3 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_alb.ecs | resource |
| aws_alb_listener.http | resource |
| aws_alb_listener.https | resource |
| aws_alb_listener_rule.http | resource |
| aws_alb_listener_rule.https | resource |
| aws_alb_target_group.this | resource |
| aws_appautoscaling_policy.cpu | resource |
| aws_appautoscaling_policy.memory | resource |
| aws_appautoscaling_target.this | resource |
| aws_appmesh_mesh.this | resource |
| aws_appmesh_virtual_node.this | resource |
| aws_cloudwatch_log_group.ecs_cloudwatch_logs | resource |
| aws_ecr_repository.this | resource |
| aws_ecs_cluster.dibbs_app_cluster | resource |
| aws_ecs_service.this | resource |
| aws_ecs_task_definition.this | resource |
| aws_flow_log.ecs_flow_log | resource |
| aws_iam_policy.s3_bucket_ecr_viewer | resource |
| aws_iam_role.ecs_task | resource |
| aws_iam_role.ecs_task_execution | resource |
| aws_iam_role.s3_role_for_ecr_viewer | resource |
| aws_s3_bucket.ecr_viewer | resource |
| aws_s3_bucket_public_access_block.ecr_viewer | resource |
| aws_s3_bucket_server_side_encryption_configuration.ecr_viewer | resource |
| aws_s3_bucket_versioning.ecr_viewer | resource |
| aws_security_group.alb | resource |
| aws_security_group.ecs | resource |
| aws_security_group_rule.alb_egress | resource |
| aws_security_group_rule.alb_http_ingress | resource |
| aws_security_group_rule.alb_https_ingress | resource |
| aws_security_group_rule.ecs_alb_ingress | resource |
| aws_security_group_rule.ecs_all_egress | resource |
| aws_security_group_rule.ecs_ecs_ingress | resource |
| aws_service_discovery_private_dns_namespace.this | resource |
| aws_vpc_endpoint.endpoints | resource |
| aws_vpc_endpoint.s3 | resource |
| dockerless_remote_image.dibbs | resource |
| null_resource.target_groups | resource |
| random_string.s3_viewer | resource |
| aws_caller_identity.current | data source |
| aws_ecr_authorization_token.this | data source |
| aws_iam_policy.amazon_ec2_container_service_for_ec2_role | data source |
| aws_iam_policy.ecs_task_execution | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.ecr_viewer_s3 | data source |
| aws_route_table.this | data source |
| aws_secretsmanager_secret_version.postgres_database_url | data source |
| aws_secretsmanager_secret_version.sqlserver_host | data source |
| aws_secretsmanager_secret_version.sqlserver_password | data source |
| aws_secretsmanager_secret_version.sqlserver_user | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| appmesh_name | Name of the AWS App Mesh | `string` | `""` | no |
| certificate_arn | ARN of the SSL certificate that enables SSL termination on the ALB | `string` | `""` | no |
| cloudmap_namespace_name | Name of the AWS Cloud Map namespace | `string` | `""` | no |
| cw_retention_in_days | Retention period in days for CloudWatch logs | `number` | `30` | no |
| disable_ecr | Flag to disable the AWS ECR service for Docker image storage; defaults to false | `bool` | `false` | no |
| ecr_viewer_app_env | The current environment that is running. This may modify the behavior of auth between dev and prod. | `string` | `"prod"` | no |
| ecr_viewer_auth_pub_key | The public key used to validate the incoming authentication for the eCR Viewer. | `string` | `"-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqjrH9PprQCB5dX15zYfd\nS6K2ezNi/ZOu8vKEhQuLqwHACy1iUt1Yyp2PZLIV7FVDgBHMMVWPVx3GJ2wEyaJw\nMHkv6XNpUpWLhbs0V1T7o/OZfEIqcNua07OEoBxX9vhKIHtaksWdoMyKRXQJz0js\noWpawfOWxETnLqGvybT4yvY2RJhquTXLcLu90L4LdvIkADIZshaOtAU/OwI5ATcb\nfE3ip15E6jIoUm7FAtfRiuncpI5l/LJPP6fvwf8QCbbUJBZklLqcUuf4qe/L/nIq\npIONb8KZFWPhnGeRZ9bwIcqYWt3LAAshQLSGEYl2PGXaqbkUD2XLETSKDjisxd0g\n9j8bIMPgBKi+dBYcmBZnR7DxJe+vEDDw8prHG/+HRy5fim/BcibTKnIl8PR5yqHa\nmWQo7N+xXhILdD9e33KLRgbg97+erHqvHlNMdwDhAfrBT+W6GCdPwp3cePPsbhsc\noGSHOUDhzyAujr0J8h5WmZDGUNWjGzWqubNZD8dBXB8x+9dDoWhfM82nw0pvAeKf\nwJodvn3Qo8/S5hxJ6HyGkUTANKN8IxWh/6R5biET5BuztZP6jfPEaOAnt6sq+C38\nhR9rUr59dP2BTlcJ19ZXobLwuJEa81S5BrcbDwYNOAzC8jl2EV1i4bQIwJJaY27X\nIynom6unaheZpS4DFIh2w9UCAwEAAQ==\n-----END PUBLIC KEY-----\n"` | no |
| ecs_alb_name | Name of the Application Load Balancer (ALB) | `string` | `""` | no |
| ecs_alb_tg_name | Name of the ALB Target Group | `string` | `""` | no |
| ecs_cloudwatch_group | Name of the AWS CloudWatch Log Group for ECS | `string` | `""` | no |
| ecs_cluster_name | Name of the ECS Cluster | `string` | `""` | no |
| ecs_task_execution_role_name | Name of the ECS Task Execution Role | `string` | `""` | no |
| ecs_task_role_name | Name of the ECS Task Role | `string` | `""` | no |
| enable_autoscaling | Flag to enable autoscaling for the ECS services | `bool` | `true` | no |
| internal | Flag to determine whether several AWS resources are public (intended for external access from the public internet) or private (only intended to be accessed within your AWS VPC or available by other means, a transit gateway for example). | `bool` | `true` | no |
| owner | Owner of the resources | `string` | `"CDC"` | no |
| phdi_version | Version of the PHDI application | `string` | `"v1.6.9"` | no |
| postgres_database_data | n/a | `object({ non_integrated_viewer = string, metadata_database_type = string, metadata_database_schema = string, secrets_manager_postgres_database_url_name = string })` | `{ "metadata_database_schema": "", "metadata_database_type": "", "non_integrated_viewer": "false", "secrets_manager_postgres_database_url_name": "" }` | no |
| private_subnet_ids | List of private subnet IDs | `list(string)` | n/a | yes |
| project | The project name | `string` | `"dibbs"` | no |
| public_subnet_ids | List of public subnet IDs | `list(string)` | n/a | yes |
| region | The AWS region where resources are created | `string` | n/a | yes |
| s3_viewer_bucket_name | Name of the S3 bucket for the viewer | `string` | `""` | no |
| s3_viewer_bucket_role_name | Name of the IAM role for the ecr-viewer bucket | `string` | `""` | no |
| service_data | Data for the DIBBS services | `map(object({ short_name = string, fargate_cpu = number, fargate_memory = number, min_capacity = number, max_capacity = number, app_repo = string, app_image = string, app_version = string, container_port = number, host_port = number, public = bool, registry_url = string, env_vars = list(object({ name = string, value = string })) }))` | `{}` | no |
| sqlserver_database_data | n/a | `object({ non_integrated_viewer = string, metadata_database_type = string, metadata_database_schema = string, secrets_manager_sqlserver_user_name = string, secrets_manager_sqlserver_password_name = string, secrets_manager_sqlserver_host_name = string })` | `{ "metadata_database_schema": "", "metadata_database_type": "", "non_integrated_viewer": "false", "secrets_manager_sqlserver_host_name": "", "secrets_manager_sqlserver_password_name": "", "secrets_manager_sqlserver_user_name": "" }` | no |
| tags | Tags to apply to resources | `map(string)` | `{}` | no |
| vpc_id | ID of the VPC | `string` | n/a | yes |
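As an added example that is not part of this repository's own code, the following root configuration shows how a jurisdiction might call this module using the inputs listed above. Only the variable names, types and defaults come from the inputs table; the module source string, region, VPC and subnet IDs, certificate ARN, Secrets Manager secret name, database type and schema values, container image, ports and environment variable are placeholders or assumptions. The example keeps the ALB private (`internal = true`, the module default), terminates TLS with an ACM certificate, and passes database credentials by Secrets Manager secret name rather than embedding them in the configuration.

```hcl
# Added example root configuration (not from the repository). All IDs, ARNs,
# names and image references below are placeholders or assumptions.
terraform {
  required_version = "~> 1.9.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.56.1"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

module "dibbs_ecr_viewer" {
  source = "github.com/CDCgov/terraform-aws-dibbs-ecr-viewer" # assumed module source

  # Required inputs (no defaults in the module)
  region             = "us-east-1"                                       # placeholder
  vpc_id             = "vpc-0123456789abcdef0"                           # placeholder
  private_subnet_ids = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # placeholders
  public_subnet_ids  = ["subnet-0ccccccccccccccccc", "subnet-0dddddddddddddddd"] # placeholders

  # Keep the ALB private unless public access is deliberately required
  # (true is the module default). The certificate ARN enables TLS
  # termination on the ALB; placeholder ACM ARN below.
  internal        = true
  certificate_arn = "arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER"

  cw_retention_in_days = 30
  ecr_viewer_app_env   = "prod"

  # Database connection details are referenced by Secrets Manager secret
  # name; the secret itself is created outside this module. Type and
  # schema values are assumptions, not documented values.
  postgres_database_data = {
    non_integrated_viewer                      = "false"
    metadata_database_type                     = "postgres"                    # assumed
    metadata_database_schema                   = "core"                        # assumed
    secrets_manager_postgres_database_url_name = "dibbs/postgres-database-url" # placeholder
  }

  # One service entry; image repository, ports and env var are placeholders.
  service_data = {
    ecr-viewer = {
      short_name     = "ecrv"
      fargate_cpu    = 1024
      fargate_memory = 2048
      min_capacity   = 1
      max_capacity   = 3
      app_repo       = "registry.example/dibbs" # placeholder
      app_image      = "ecr-viewer"             # placeholder
      app_version    = "v1.6.9"                 # matches the phdi_version default above
      container_port = 3000                     # placeholder
      host_port      = 3000                     # placeholder
      public         = false
      registry_url   = ""                       # placeholder
      env_vars = [
        { name = "EXAMPLE_SETTING", value = "example" } # placeholder
      ]
    }
  }

  tags = {
    project = "dibbs"
    owner   = "CDC"
  }
}

# Module outputs can be surfaced from the root for downstream use.
output "ecr_viewer_bucket_arn" {
  value = module.dibbs_ecr_viewer.s3_bucket_arn
}
```

Because `region`, `vpc_id`, `private_subnet_ids` and `public_subnet_ids` have no defaults, `terraform plan` fails until they are supplied; every other input above can be omitted to accept the module default.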

Outputs

| Name | Description |
|------|-------------|
| alb_arn | n/a |
| alb_listener_arn | n/a |
| alb_security_group_arn | n/a |
| alb_target_groups_arns | n/a |
| ecs_cluster_arn | n/a |
| ecs_security_group_arn | n/a |
| ecs_task_definitions_arns | n/a |
| ecs_task_execution_role_arn | n/a |
| ecs_task_role_arn | n/a |
| http_alb_listener_rules_arns | n/a |
| https_alb_listener_rules_arns | n/a |
| s3_bucket_arn | The ARN of the S3 bucket |
| s3_bucket_ecr_viewer_policy_arn | n/a |
| s3_role_for_ecr_viewer_arn | n/a |
| service_data | n/a |