IAM cleanup (#132)

Co-authored-by: xss <michaela@michaela.lgbt>
This commit is contained in:
Michaela Wheeler 2023-10-23 16:26:28 +11:00 committed by GitHub
parent 032fe81cce
commit 07461c75e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 699 additions and 974 deletions

es.tf

@ -1,4 +1,14 @@
data "aws_iam_policy_document" "es_access_policy" {
statement {
resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]
actions = ["es:*"]
principals {
type = "AWS"
identifiers = ["*"]
}
}
}
resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
domain_name = "sondes-v2-7-9"
@ -21,24 +31,12 @@ resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
custom_endpoint = "es.v2.sondehub.org"
custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:143841941773:certificate/a7da821c-bdbc-404b-aa12-bce28d86cdeb"
custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/a7da821c-bdbc-404b-aa12-bce28d86cdeb"
custom_endpoint_enabled = true
}
access_policies = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"
}
]
}
EOF
access_policies = data.aws_iam_policy_document.es_access_policy.json
encrypt_at_rest {
enabled = true
kms_key_id = data.aws_kms_key.es.arn
@ -49,7 +47,7 @@ EOF
advanced_security_options {
enabled = true
master_user_options {
master_user_arn = "arn:aws:iam::143841941773:role/es-admin"
master_user_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/es-admin"
}
}
advanced_options = {
@ -63,17 +61,17 @@ EOF
iops = 3000
}
log_publishing_options {
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:143841941773:log-group:/aws/aes/domains/sondes-v2/application-logs"
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/aes/domains/sondes-v2/application-logs"
enabled = true
log_type = "ES_APPLICATION_LOGS"
}
log_publishing_options {
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:143841941773:log-group:/aws/aes/domains/sondes-v2/index-logs"
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/aes/domains/sondes-v2/index-logs"
enabled = true
log_type = "INDEX_SLOW_LOGS"
}
log_publishing_options {
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:143841941773:log-group:/aws/aes/domains/sondes-v2/search-logs"
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/aes/domains/sondes-v2/search-logs"
enabled = true
log_type = "SEARCH_SLOW_LOGS"
}
@ -245,7 +243,7 @@ resource "aws_route53_record" "auth" {
type = each.key
alias {
name = "${aws_cognito_user_pool_domain.main.cloudfront_distribution_arn}."
zone_id = "Z2FDTNDATAQYW2"
zone_id = aws_cognito_user_pool_domain.main.cloudfront_distribution_zone_id
evaluate_target_health = false
}
zone_id = aws_route53_zone.Route53HostedZone.zone_id
@ -261,74 +259,82 @@ resource "aws_route53_record" "es" {
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
data "aws_iam_policy_document" "es_auth_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "cognito-identity.amazonaws.com:aud"
values = [aws_cognito_identity_pool.CognitoIdentityPool.id]
}
condition {
test = "ForAnyValue:StringLike"
variable = "cognito-identity.amazonaws.com:amr"
values = ["authenticated"]
}
principals {
type = "Federated"
identifiers = ["cognito-identity.amazonaws.com"]
}
}
}
resource "aws_iam_role" "auth_role" {
path = "/"
name = "Cognito_sondesAuth_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.es_auth_role.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "es_unauth_role" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "cognito-identity.amazonaws.com:aud"
values = ["${aws_cognito_identity_pool.CognitoIdentityPool.id}"]
}
condition {
test = "ForAnyValue:StringLike"
variable = "cognito-identity.amazonaws.com:amr"
values = ["unauthenticated"]
}
principals {
type = "Federated"
identifiers = ["cognito-identity.amazonaws.com"]
}
}
}
resource "aws_iam_role" "unauth_role" {
path = "/"
name = "Cognito_sondesUnauth_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
}
}
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.es_unauth_role.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "es_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["es.amazonaws.com"]
}
}
}
resource "aws_iam_role" "IAMRole3" {
path = "/service-role/"
name = "CognitoAccessForAmazonES"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.es_assume_role_policy.json
max_session_duration = 3600
}
@ -337,87 +343,64 @@ resource "aws_iam_service_linked_role" "IAMServiceLinkedRole" {
aws_service_name = "es.amazonaws.com"
}
data "aws_iam_policy_document" "es_access" {
statement {
resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"]
actions = ["es:*"]
}
statement {
resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"]
actions = ["es:*"]
}
}
resource "aws_iam_role_policy" "IAMPolicy" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-*"
}
]
}
EOF
policy = data.aws_iam_policy_document.es_access.json
role = aws_iam_role.auth_role.name
}
data "aws_iam_policy_document" "unauth_cognito_policy" {
statement {
resources = ["*"]
actions = [
"mobileanalytics:PutEvents",
"cognito-sync:*",
]
}
}
resource "aws_iam_role_policy" "IAMPolicy2" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": [
"*"
]
}
]
}
EOF
policy = data.aws_iam_policy_document.unauth_cognito_policy.json
role = aws_iam_role.unauth_role.name
}
resource "aws_iam_role_policy" "IAMPolicy3" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*"
],
"Resource": [
"*"
]
}
]
data "aws_iam_policy_document" "auth_cognito_policy" {
statement {
resources = ["*"]
actions = [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*",
]
}
}
EOF
resource "aws_iam_role_policy" "IAMPolicy3" {
policy = data.aws_iam_policy_document.auth_cognito_policy.json
role = aws_iam_role.auth_role.name
}
resource "aws_iam_role_policy" "IAMPolicy4" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:*"
],
"Resource": [
"arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:${aws_apigatewayv2_api.main.id}/*/*/amateur/flightdoc"
]
}
]
data "aws_iam_policy_document" "flight_doc_cognito" {
statement {
resources = ["arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:${aws_apigatewayv2_api.main.id}/*/*/amateur/flightdoc"]
actions = ["execute-api:*"]
}
}
EOF
resource "aws_iam_role_policy" "IAMPolicy4" {
policy = data.aws_iam_policy_document.flight_doc_cognito.json
role = aws_iam_role.auth_role.name
}
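Review bot: The `es_access` document near the top of the last hunk contains two identical statements (`es:*` on `domain/sondes-*`); the duplicate was carried over from the heredoc rather than cleaned up, and one of the two should be dropped. The `es_unauth_role` document still wraps the pool id in interpolation, `values = ["${aws_cognito_identity_pool.CognitoIdentityPool.id}"]`, where the sibling `es_auth_role` uses the bare reference `values = [aws_cognito_identity_pool.CognitoIdentityPool.id]`, and `effect = "Allow"` is written out in one but omitted in the other; the two should match. Separately, `es_access_policy` keeps an `AWS` principal of `*` with `es:*` on the domain; this appears to rely on fine-grained access control (`advanced_security_options` with `master_user_arn`) for authorization, which deserves a comment on the data source so the open principal is not later mistaken for an oversight.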


@ -15,7 +15,7 @@ resource "aws_ecs_task_definition" "aprsgw" {
{ "name" : "SNS", "value" : aws_sns_topic.ham_telem.arn }
],
essential = true
image = "143841941773.dkr.ecr.us-east-1.amazonaws.com/aprsgw:latest"
image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.us-east-1.amazonaws.com/aprsgw:latest"
logConfiguration = {
logDriver = "awslogs"
options = {
@ -33,34 +33,20 @@ resource "aws_ecs_task_definition" "aprsgw" {
]
)
cpu = "256"
execution_role_arn = "arn:aws:iam::143841941773:role/aprsgw"
execution_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aprsgw"
memory = "512"
network_mode = "awsvpc"
requires_compatibilities = [
"FARGATE",
]
tags = {}
task_role_arn = "arn:aws:iam::143841941773:role/aprsgw"
task_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aprsgw"
}
resource "aws_iam_role" "aprsgw" {
name = "aprsgw"
description = "Allows EC2 instances to call AWS services on your behalf."
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
assume_role_policy = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
max_session_duration = 3600
}
@ -71,29 +57,27 @@ resource "aws_iam_role_policy_attachment" "aprsgw" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
data "aws_iam_policy_document" "aprsgw" {
statement {
resources = ["*"]
actions = ["sns:Publish"]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "aprsgw" {
name = "aprsgw"
role = aws_iam_role.aprsgw.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.aprsgw.json
}
resource "aws_ecs_cluster" "aprsgw" {
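Review bot: The `aprsgw` policy document grants `sns:Publish` on `resources = ["*"]`, while the task definition above hands the container exactly one topic (`aws_sns_topic.ham_telem.arn`); the statement should read `resources = [aws_sns_topic.ham_telem.arn]`, otherwise a compromised task can publish to any topic in the account. The role description `"Allows EC2 instances to call AWS services on your behalf."` is stale now that the trust policy names `ecs-tasks.amazonaws.com`. Also, `execution_role_arn` and `task_role_arn` are still assembled from strings with the account id rather than `aws_iam_role.aprsgw.arn`, which loses the implicit dependency on the role resource defined a few lines below.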


@ -22,64 +22,48 @@ EOF
resource "aws_iam_role" "ham_sqs_to_elk" {
path = "/service-role/"
name = "ham_sqs-to-elk"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "ham_sqs_to_elk" {
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = ["es:*"]
}
statement {
resources = ["*"]
actions = ["sqs:*"]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "ham_sqs_to_elk" {
name = "ham_sqs_to_elk"
role = aws_iam_role.ham_sqs_to_elk.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.ham_sqs_to_elk.json
}
resource "aws_lambda_function" "ham_sqs_to_elk" {
@ -137,39 +121,39 @@ resource "aws_sqs_queue" "ham_sqs_to_elk_dlq" {
}
data "aws_iam_policy_document" "ham_sqs_to_elk_queue" {
statement {
sid = "__owner_statement"
resources = [aws_sqs_queue.ham_sqs_to_elk.arn]
actions = ["SQS:*"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
statement {
sid = "to-elk"
resources = [aws_sqs_queue.ham_sqs_to_elk.arn]
actions = ["SQS:SendMessage"]
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = [aws_sns_topic.ham_telem.arn]
}
principals {
type = "AWS"
identifiers = ["*"]
}
}
}
resource "aws_sqs_queue_policy" "ham_sqs_to_elk" {
queue_url = aws_sqs_queue.ham_sqs_to_elk.id
policy = <<EOF
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": "SQS:*",
"Resource": "${aws_sqs_queue.ham_sqs_to_elk.arn}"
},
{
"Sid": "to-elk",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:SendMessage",
"Resource": "${aws_sqs_queue.ham_sqs_to_elk.arn}",
"Condition": {
"ArnLike": {
"aws:SourceArn": "${aws_sns_topic.ham_telem.arn}"
}
}
}
]
}
EOF
policy = data.aws_iam_policy_document.ham_sqs_to_elk_queue.json
}
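Review bot: The `ham_sqs_to_elk` policy document keeps `sqs:*` and `es:*` on `resources = ["*"]`, even though the queue this Lambda consumes is defined in the same file (`aws_sqs_queue.ham_sqs_to_elk`) and the commit already scopes the domain elsewhere as `domain/sondes-v2*`. The SQS statement can become `resources = [aws_sqs_queue.ham_sqs_to_elk.arn]` with `actions = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]` (the event-source-mapping set), and the ES statement can reuse the `sondes-v2*` ARN pattern. In the queue policy, the `to-elk` statement uses an `AWS` principal of `*` narrowed by `aws:SourceArn`; a `Service` principal of `sns.amazonaws.com` with the same condition states the intent more tightly. Whether this role actually needs the `mqtt` and `radiosondy` secrets is not visible from the hunk and is worth confirming.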


@ -1,69 +1,55 @@
resource "aws_iam_role" "ham_predict_updater" {
path = "/service-role/"
name = "ham-predict-updater"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "ham_predict_updater" {
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = ["es:*"]
}
statement {
resources = ["*"]
actions = ["sqs:*"]
}
statement {
resources = ["*"]
actions = ["s3:*"]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "ham_predict_updater" {
name = "ham_predict_updater"
role = aws_iam_role.ham_predict_updater.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.ham_predict_updater.json
}
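Review bot: `ham_predict_updater` grants `es:*`, `sqs:*` and `s3:*` each on `resources = ["*"]` (the three statements after the logs ones); `s3:*` on every bucket in the account is the broadest of these and lets the predictor Lambda delete or overwrite any object, so it should at least be pinned to the bucket(s) it writes, following the `arn:aws:s3:::sondehub-open-data` / `arn:aws:s3:::sondehub-open-data/*` pair used in this same commit. The ES statement can likewise use the `domain/sondes-v2*` ARN. These wildcards were preserved verbatim from the heredoc, so this is a follow-up rather than a regression introduced here.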


@ -3,62 +3,45 @@
resource "aws_iam_role" "historic" {
path = "/service-role/"
name = "historic"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "historic" {
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = ["es:*"]
}
statement {
resources = ["*"]
actions = ["sqs:*"]
}
statement {
resources = ["*"]
actions = ["s3:*"]
}
}
resource "aws_iam_role_policy" "historic" {
name = "historic"
role = aws_iam_role.historic.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
EOF
policy = data.aws_iam_policy_document.historic.json
}
@ -157,18 +140,7 @@ resource "aws_lambda_permission" "history_cron" {
resource "aws_iam_role" "history" {
name = "history"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
@ -182,50 +154,45 @@ resource "aws_apigatewayv2_integration" "history" {
payload_format_version = "2.0"
}
data "aws_iam_policy_document" "history" {
statement {
resources = ["arn:aws:s3:::sondehub-open-data/*"]
actions = ["s3:*"]
}
statement {
resources = ["arn:aws:s3:::sondehub-open-data"]
actions = ["s3:*"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]
actions = ["es:*"]
}
statement {
resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]
actions = ["es:*"]
}
}
resource "aws_iam_role_policy" "history" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::sondehub-open-data/*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::sondehub-open-data"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"
}
]
}
EOF
policy = data.aws_iam_policy_document.history.json
role = aws_iam_role.history.name
}
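Review bot: The `history` document at the end of the section has two identical `es:*` statements on `domain/sondes-v2*`; the heredoc's duplicate was carried over and one should be deleted. In the `historic` document earlier in the section, `s3:*`, `sqs:*` and `es:*` are each granted on `resources = ["*"]`, whereas `history` already shows the narrower form the file knows (`arn:aws:s3:::sondehub-open-data` plus `/*`, and `domain/sondes-v2*`); the `historic` role should be brought to the same scope. Both policies also grant `s3:*` rather than the read/write actions the Lambdas use, which is not visible here and worth checking against the handlers.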

iam.tf Normal file

@ -0,0 +1,19 @@
data "aws_iam_policy_document" "lambda_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "ecs_task_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
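Review bot: `lambda_assume_role_policy` trusts both `lambda.amazonaws.com` and `edgelambda.amazonaws.com`, but in this commit it replaces trust policies that named only `lambda.amazonaws.com` (`ham_sqs_to_elk`, `ham_predict_updater`, `historic`, `history`, `predict_updater`, `predictor_update_trigger_lambda`, `recovered`, `sqs_to_elk`); only `ingestion_lambda_role` and `basic_lambda_role` previously allowed `edgelambda`. Lambda@Edge replication can now assume every one of those roles, which is a trust widening rather than a cleanup, so the shared document should stay Lambda-only and a second document should carry the Edge principal for the two roles that need it. A one-line comment on each data source naming which roles should use it would keep the wrong one from being picked later.

```hcl
# Trust policy for ordinary Lambda functions (not replicated to CloudFront).
data "aws_iam_policy_document" "lambda_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Only for functions deployed as Lambda@Edge: ingestion_lambda_role, basic_lambda_role.
data "aws_iam_policy_document" "edge_lambda_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
    }
  }
}

# … unchanged: ecs_task_assume_role_policy …
```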


@ -2,95 +2,76 @@
resource "aws_iam_role" "ingestion_lambda_role" { # need a specific role so that we can disable cloudwatch logs
path = "/service-role/"
name_prefix = "sonde-ingestion-"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "edgelambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "ingestion" {
statement {
resources = ["*"]
actions = ["s3:*"]
}
statement {
resources = ["*"]
actions = ["sns:*"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion",
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt",
]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion*",
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt*",
]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface",
]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "ingestion_lambda_role" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion",
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/ingestion*",
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/sns_to_mqtt*"
]
},
{
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.ingestion.json
role = aws_iam_role.ingestion_lambda_role.name
}
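Review bot: In the `ingestion` document the two `logs:CreateLogStream`/`logs:PutLogEvents` statements overlap — `log-group:/ingestion*` and `log-group:/sns_to_mqtt*` already match the exact `/ingestion` and `/sns_to_mqtt` names in the statement before them — so the first of the pair can be removed. More importantly, `s3:*` and `sns:*` on `resources = ["*"]` at the top of the document remain from the heredoc; the SNS side can be pinned to the topic(s) this path publishes to (the commit already references `aws_sns_topic.ham_telem.arn` by resource for the aprsgw task) and the S3 side to the bucket(s) it writes. The ENI actions on `*` are the standard VPC-attached-Lambda set and are fine as written.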

main.tf

@ -19,82 +19,61 @@ data "aws_caller_identity" "current" {}
resource "aws_iam_role" "basic_lambda_role" {
path = "/service-role/"
name = "sonde-api-to-iot-core-role-z9zes3f5"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "edgelambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "basic_lambda_role" {
statement {
resources = ["*"]
actions = ["s3:*"]
}
statement {
resources = ["*"]
actions = ["sns:*"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface",
]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "basic_lambda_role" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sns:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.basic_lambda_role.json
role = aws_iam_role.basic_lambda_role.name
}
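Review bot: `basic_lambda_role` grants `s3:*` and `sns:*` on `resources = ["*"]`, and its name `sonde-api-to-iot-core-role-z9zes3f5` together with the "basic" label suggests it is shared by several functions, so this is the account-wide blast radius if any one of them is compromised; scope the S3 statement to the specific bucket ARNs and the SNS statement to the topics those functions publish to. The `secretsmanager:GetSecretValue` grant for `mqtt` and `radiosondy` is attached to this shared role as well; whether every function behind it needs both secrets is not visible here and worth confirming before the role is reused further.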


@ -1,80 +1,67 @@
resource "aws_iam_role" "predict_updater" {
path = "/service-role/"
name = "predict-updater"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "predict_updater" {
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = ["es:*"]
}
statement {
resources = ["*"]
actions = ["sqs:*"]
}
statement {
resources = ["*"]
actions = ["s3:*"]
}
statement {
resources = ["*"]
actions = [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface",
]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "predict_updater" {
name = "predict_updater"
role = aws_iam_role.predict_updater.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.predict_updater.json
}
@ -609,51 +596,33 @@ resource "aws_route53_record" "tawhiri_AAAA" {
resource "aws_iam_role" "predictor_update_trigger_lambda" {
path = "/service-role/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
resource "aws_iam_role_policy" "predictor_update_trigger_lambda" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ecs:UpdateService",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
}
data "aws_iam_policy_document" "predictor_update_trigger_lambda" {
statement {
resources = ["*"]
actions = ["ecs:UpdateService"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
}
EOF
resource "aws_iam_role_policy" "predictor_update_trigger_lambda" {
policy = data.aws_iam_policy_document.predictor_update_trigger_lambda.json
role = aws_iam_role.predictor_update_trigger_lambda.name
}
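Review bot: `predictor_update_trigger_lambda` grants `ecs:UpdateService` on `resources = ["*"]`, which lets the trigger Lambda change the desired count or task definition of any ECS service in the account; it should be scoped to the service ARN it restarts (the `aws_ecs_service` resource's `id` is its ARN), optionally with an `ecs:cluster` condition. Earlier in the section `predict_updater` keeps `es:*`, `sqs:*` and `s3:*` on `*` from the heredoc; the `domain/sondes-v2*` pattern and the queue/bucket ARNs used elsewhere in this commit are the natural replacements. The target ECS service is not in this hunk, so the exact reference has to be confirmed.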


@ -2,59 +2,44 @@
resource "aws_iam_role" "recovered" {
path = "/service-role/"
name = "recovered"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "recovered" {
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = ["es:*"]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "recovered" {
name = "recovered"
role = aws_iam_role.recovered.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.recovered.json
}
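Review bot: `recovered` keeps `es:*` on `resources = ["*"]`; the `history` policy in this same commit shows the narrower form, `resources = ["arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2*"]`, which should be used here as well. The role is also given `secretsmanager:GetSecretValue` on the `mqtt` and `radiosondy` secrets; if the recovered-sonde Lambda only talks to OpenSearch that grant is unnecessary, but its handler is not visible here, so confirm before removing it.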


@ -1,64 +1,49 @@
resource "aws_iam_role" "sqs_to_elk" {
path = "/service-role/"
name = "sqs-to-elk"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
data "aws_iam_policy_document" "sqs_to_elk" {
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"]
actions = ["logs:CreateLogGroup"]
}
statement {
resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
actions = [
"logs:CreateLogStream",
"logs:PutLogEvents",
]
}
statement {
resources = ["*"]
actions = ["es:*"]
}
statement {
resources = ["*"]
actions = ["sqs:*"]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "sqs_to_elk" {
name = "sqs_to_elk"
role = aws_iam_role.sqs_to_elk.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
]
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*"
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
}
EOF
policy = data.aws_iam_policy_document.sqs_to_elk.json
}
resource "aws_lambda_function" "sqs_to_elk" {
@ -103,44 +88,44 @@ resource "aws_sqs_queue" "sqs_to_elk" {
redrive_policy = jsonencode(
{
deadLetterTargetArn = "arn:aws:sqs:us-east-1:143841941773:to-elk-dlq"
deadLetterTargetArn = "arn:aws:sqs:us-east-1:${data.aws_caller_identity.current.account_id}:to-elk-dlq"
maxReceiveCount = 100
}
)
visibility_timeout_seconds = 10
}
data "aws_iam_policy_document" "sqs_to_elk_queue_policy" {
statement {
sid = "__owner_statement"
resources = ["${aws_sqs_queue.sqs_to_elk.arn}"]
actions = ["SQS:*"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
statement {
sid = "to-elk"
resources = ["${aws_sqs_queue.sqs_to_elk.arn}"]
actions = ["SQS:SendMessage"]
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = ["${aws_sns_topic.sonde_telem.arn}"]
}
principals {
type = "AWS"
identifiers = ["*"]
}
}
}
resource "aws_sqs_queue_policy" "sqs_to_elk" {
queue_url = aws_sqs_queue.sqs_to_elk.id
policy = <<EOF
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action": "SQS:*",
"Resource": "${aws_sqs_queue.sqs_to_elk.arn}"
},
{
"Sid": "to-elk",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:SendMessage",
"Resource": "${aws_sqs_queue.sqs_to_elk.arn}",
"Condition": {
"ArnLike": {
"aws:SourceArn": "${aws_sns_topic.sonde_telem.arn}"
}
}
}
]
}
EOF
policy = data.aws_iam_policy_document.sqs_to_elk_queue_policy.json
}
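Review bot: The `sqs:*` statement on `resources = ["*"]` in the `sqs_to_elk` policy document grants the consumer Lambda full control (`sqs:DeleteQueue`, `sqs:SetQueueAttributes`, `sqs:AddPermission`) over every queue in the account, even though the only queue this role consumes is `aws_sqs_queue.sqs_to_elk`, whose ARN is already referenced a few lines below in `sqs_to_elk_queue_policy`. Replace it with `resources = [aws_sqs_queue.sqs_to_elk.arn]` and `actions = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:ChangeMessageVisibility"]`, which is what an SQS event-source mapping requires; the `es:*` on `"*"` statement just above it deserves the same narrowing to the target domain's ARN. In the queue policy, the `to-elk` statement's `ArnLike aws:SourceArn` condition does confine the `Principal: *` to the `sonde_telem` topic, which is fine, but `type = "Service"` with `identifiers = ["sns.amazonaws.com"]` would make the intent explicit and remove the anonymous principal from static-analysis findings. The dead-letter target is still a hand-built ARN (`...:to-elk-dlq`) rather than a resource reference, so a rename of that queue would silently break redrive.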


@ -8,18 +8,7 @@ resource "aws_apigatewayv2_route" "sign_socket" {
resource "aws_iam_role" "sign_socket" {
name = "sign_socket"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
max_session_duration = 3600
}
@ -236,7 +225,7 @@ resource "aws_ecs_task_definition" "ws_reader_ec2" {
]
tags = {}
task_role_arn = "arn:aws:iam::143841941773:role/ws"
task_role_arn = aws_iam_role.ws.arn
volume {
@ -333,14 +322,14 @@ resource "aws_ecs_task_definition" "ws" {
]
)
cpu = "256"
execution_role_arn = "arn:aws:iam::143841941773:role/ws"
execution_role_arn = aws_iam_role.ws.arn
memory = "512"
network_mode = "awsvpc"
requires_compatibilities = [
"FARGATE",
]
tags = {}
task_role_arn = "arn:aws:iam::143841941773:role/ws"
task_role_arn = aws_iam_role.ws.arn
volume {
@ -527,34 +516,9 @@ resource "aws_security_group_rule" "ws_writer_lightsail_lb" {
cidr_blocks = ["172.26.0.0/16"]
}
# resource "aws_s3_bucket" "ws" {
# bucket = "sondehub-ws-config"
# acl = "private"
# versioning {
# enabled = true
# }
# lifecycle {
# ignore_changes = [bucket]
# }
# }
resource "aws_iam_role" "ecs_execution" {
name = "ecsTaskExecutionRole"
assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
assume_role_policy = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
max_session_duration = 3600
}
@ -563,105 +527,76 @@ resource "aws_iam_role_policy_attachment" "ecs_execution" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
data "aws_iam_policy_document" "efs" {
statement {
resources = ["*"]
actions = ["elasticfilesystem:*"]
}
}
resource "aws_iam_role_policy" "efs" {
name = "EFS"
role = aws_iam_role.ecs_execution.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "elasticfilesystem:*",
"Resource": "*"
}
]
policy = data.aws_iam_policy_document.efs.json
}
EOF
data "aws_iam_policy_document" "ws_secrets" {
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "secrets" {
name = "secrests"
role = aws_iam_role.ecs_execution.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
policy = data.aws_iam_policy_document.ws_secrets.json
}
EOF
data "aws_iam_policy_document" "websocket_ssm" {
statement {
resources = ["*"]
actions = [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
]
}
}
resource "aws_iam_role_policy" "ssm" {
name = "SSM"
role = aws_iam_role.ecs_execution.id
policy = jsonencode(
{
Statement = [
{
Action = [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
]
Effect = "Allow"
Resource = "*"
}
]
Version = "2012-10-17"
}
)
policy = data.aws_iam_policy_document.websocket_ssm.json
}
data "aws_iam_policy_document" "ws_kms" {
statement {
resources = ["*"]
actions = ["kms:*"]
}
}
resource "aws_iam_role_policy" "kms" {
name = "kms"
role = aws_iam_role.ecs_execution.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "kms:*",
"Resource": "*"
}
]
}
EOF
policy = data.aws_iam_policy_document.ws_kms.json
}
resource "aws_iam_role" "ws" {
name = "ws"
description = "Allows EC2 instances to call AWS services on your behalf."
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
assume_role_policy = data.aws_iam_policy_document.ecs_task_assume_role_policy.json
max_session_duration = 3600
}
@ -670,68 +605,36 @@ resource "aws_iam_role_policy_attachment" "ws" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
data "aws_iam_policy_document" "ws_s3_config" {
statement {
resources = [
"arn:aws:s3:::sondehub-ws-config",
"arn:aws:s3:::sondehub-ws-config/*",
]
actions = [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket",
]
}
statement {
resources = [
aws_secretsmanager_secret.mqtt.arn,
aws_secretsmanager_secret.radiosondy.arn,
]
actions = ["secretsmanager:GetSecretValue"]
}
}
resource "aws_iam_role_policy" "s3_config" {
name = "s3-config"
role = aws_iam_role.ws.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::sondehub-ws-config",
"arn:aws:s3:::sondehub-ws-config/*"
]
},
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": ["${aws_secretsmanager_secret.mqtt.arn}", "${aws_secretsmanager_secret.radiosondy.arn}"]
}
]
policy = data.aws_iam_policy_document.ws_s3_config.json
}
EOF
}
# resource "aws_appautoscaling_target" "ws_reader" {
# service_namespace = "ecs"
# scalable_dimension = "ecs:service:DesiredCount"
# resource_id = "service/ws/ws-reader"
# min_capacity = 0
# max_capacity = 0
# }
# resource "aws_appautoscaling_policy" "ws_reader" {
# name = "ws-reader-tt"
# service_namespace = aws_appautoscaling_target.ws_reader.service_namespace
# scalable_dimension = aws_appautoscaling_target.ws_reader.scalable_dimension
# resource_id = aws_appautoscaling_target.ws_reader.resource_id
# policy_type = "TargetTrackingScaling"
# target_tracking_scaling_policy_configuration {
# predefined_metric_specification {
# predefined_metric_type = "ECSServiceAverageCPUUtilization"
# }
# target_value = 60
# scale_in_cooldown = 200
# scale_out_cooldown = 200
# }
# }
# TODO
# s3 config bucket
resource "aws_route53_record" "ws_reader_CNAME" {
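Review bot: The `ws_kms` and `efs` policy documents attached to `aws_iam_role.ecs_execution` keep `kms:*` and `elasticfilesystem:*` on `resources = ["*"]`, which makes the ECS agent's execution role a KMS administrator for every key in the account (`kms:ScheduleKeyDeletion`, `kms:PutKeyPolicy`, `kms:DisableKey`) when all it plausibly needs is to decrypt the two Secrets Manager secrets it is already granted `secretsmanager:GetSecretValue` on. Narrow it to `actions = ["kms:Decrypt"]` with `resources` set to the ARN of the key that encrypts those secrets (reference the existing `aws_kms_key` data source or resource if one is defined; the key is not visible in this hunk). For EFS, ECS evaluates IAM-authorized mounts against the task role rather than the execution role, so if the `ws` volume uses IAM auth this statement likely belongs on `aws_iam_role.ws` scoped to the file system's ARN with `elasticfilesystem:ClientMount` and `elasticfilesystem:ClientWrite`; if it does not use IAM auth the statement is inert and can be dropped. Separately, the `ws` task definition now uses `aws_iam_role.ws.arn` for both `execution_role_arn` and `task_role_arn`, so the application container inherits the execution role's image-pull and log permissions as well; splitting those two roles is the usual way to keep the blast radius of a compromised container small.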