implement services infrastructure

modules/sqs/main.tf

@@ -1,6 +1,6 @@
 # SQS Queue
 resource "aws_sqs_queue" "queue" {
-  name                      = var.name
+  name = var.name
   tags = {
     Environment = var.env
   }
@@ -29,10 +29,3 @@ resource "aws_iam_policy" "sqs_access_policy" {
   description = "IAM policy for accessing SQS"
   policy      = data.aws_iam_policy_document.sqs_policy.json
 }
-
-# Attach policy to an existing IAM role
-# Replace YOUR_EXISTING_ROLE_NAME with the actual name of your service's IAM role
-resource "aws_iam_role_policy_attachment" "sqs_policy_attach" {
-  role       = "YOUR_EXISTING_ROLE_NAME"
-  policy_arn = aws_iam_policy.sqs_access_policy.arn
-}

modules/sqs/variables.tf

@@ -1,7 +1,9 @@
-variable name {
-  default = "default-queue"
+variable "name" {
+  type        = string
+  description = "Name of the SQS queue"
 }
 
-variable env {
-  type = string
-}
+variable "env" {
+  type        = string
+  description = "Environment name"
+}

modules/workloads/backend.tf

@@ -12,7 +12,8 @@ resource "aws_ecs_service" "backend" {
   deployment_minimum_healthy_percent = 50
   launch_type                        = "FARGATE"
   scheduling_strategy                = "REPLICA"
-  enable_ecs_managed_tags           = var.backend_remote_access
+  enable_ecs_managed_tags            = true
+  enable_execute_command             = var.backend_remote_access
 
   network_configuration {
     security_groups  = [aws_security_group.backend.id]
@@ -70,9 +71,9 @@ resource "aws_ecs_task_definition" "backend" {
     content {
       name = volume.value.efs_name
       efs_volume_configuration {
-        file_system_id = var.available_efs[volume.value.efs_name].id
-        root_directory = var.available_efs[volume.value.efs_name].root_directory
-        transit_encryption = "ENABLED"
+        file_system_id          = var.available_efs[volume.value.efs_name].id
+        root_directory          = var.available_efs[volume.value.efs_name].root_directory
+        transit_encryption      = "ENABLED"
         transit_encryption_port = 2049
         authorization_config {
           access_point_id = var.available_efs[volume.value.efs_name].access_point_id
@@ -97,7 +98,7 @@ resource "aws_ecs_task_definition" "backend" {
           type  = "s3"
         }
       ]
-      essential   = true
+      essential = true
       mountPoints = [
         for mount in var.backend_efs_mounts : {
           sourceVolume  = mount.efs_name
@@ -322,7 +323,7 @@ resource "aws_iam_role_policy_attachment" "sqs_access" {
 # Modify the IAM policy to allow access to multiple files
 resource "aws_iam_role_policy" "backend_s3_env" {
   count = length(local.env_files_s3) > 0 ? 1 : 0
-  
+
   name = "${local.backend_name}-s3-env"
   role = aws_iam_role.backend_task_execution.name
 
@@ -365,8 +366,8 @@ resource "null_resource" "create_env_files" {
 resource "aws_iam_role_policy" "ecs_exec_policy" {
   count = var.backend_remote_access ? 1 : 0
 
-  name   = "${var.project}-ecs-exec-policy-${var.env}"
-  role   = aws_iam_role.backend_task.id
+  name = "${var.project}-ecs-exec-policy-${var.env}"
+  role = aws_iam_role.backend_task.id
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [

modules/workloads/efs.tf

@@ -1,22 +1,26 @@
 # Add IAM permissions to task role
 data "aws_iam_policy_document" "efs_access" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "elasticfilesystem:ClientMount",
-      "elasticfilesystem:ClientWrite",
-      "elasticfilesystem:DescribeMountTargets",
-      "elasticfilesystem:ClientRootAccess"
-    ]
-    resources = [
-      for mount in var.backend_efs_mounts :
-      "arn:aws:elasticfilesystem:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:file-system/${var.available_efs[mount.efs_name].id}"
-    ]
+  dynamic "statement" {
+    for_each = length(var.backend_efs_mounts) > 0 ? [1] : []
+    content {
+      effect = "Allow"
+      actions = [
+        "elasticfilesystem:ClientMount",
+        "elasticfilesystem:ClientWrite",
+        "elasticfilesystem:DescribeMountTargets",
+        "elasticfilesystem:ClientRootAccess"
+      ]
+      resources = [
+        for mount in var.backend_efs_mounts :
+        "arn:aws:elasticfilesystem:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:file-system/${var.available_efs[mount.efs_name].id}"
+      ]
+    }
   }
 }
 
 resource "aws_iam_role_policy" "efs_access" {
+  count  = length(var.backend_efs_mounts) > 0 ? 1 : 0
   name   = "efs-access"
   role   = aws_iam_role.backend_task.id
   policy = data.aws_iam_policy_document.efs_access.json
-}
+}

modules/workloads/services.tf

@@ -88,7 +88,8 @@ resource "aws_ecs_service" "services" {
   deployment_minimum_healthy_percent = 50
   launch_type                        = "FARGATE"
   scheduling_strategy                = "REPLICA"
-  enable_ecs_managed_tags            = each.value.remote_access
+  enable_ecs_managed_tags            = true
+  enable_execute_command             = each.value.remote_access
 
 
   network_configuration {
@@ -140,7 +141,7 @@ resource "aws_ecs_task_definition" "services" {
       // 1. from SSM
       // 2. from env_files_s3
       // 3. from env_vars variable
-      secrets     = local.services_env_ssm[each.key]
+      secrets = local.services_env_ssm[each.key]
       environment = concat(local.services_env, [
         for name, value in each.value.env_vars : {
           name  = name
@@ -351,7 +352,7 @@ resource "null_resource" "create_services_env_files" {
 
 # Remote exec policy for services
 resource "aws_iam_role_policy" "services_ecs_exec_policy" {
-  for_each = { for k, v in local.service_names : k => v if var.backend_remote_access }
+  for_each = { for k, v in local.service_names : k => v if v.remote_access }
 
   name = "${var.project}-${each.key}-ecs-exec-policy-${var.env}"
   role = aws_iam_role.services_task[each.key].id

version.txt

@@ -1 +1 @@
-v2.1.1
+v2.2.1