diff --git a/cicd/devnet/terraform/efs.tf b/cicd/devnet/terraform/efs.tf
new file mode 100644
index 0000000000..3fd03f692d
--- /dev/null
+++ b/cicd/devnet/terraform/efs.tf
@@ -0,0 +1,39 @@
+
+# EFS
+resource "aws_efs_file_system" "devnet_efs" {
+ creation_token = "efs"
+ performance_mode = "generalPurpose"
+ throughput_mode = "bursting"
+ encrypted = "true"
+ tags = {
+ Name = "TfDevnetEfs"
+ }
+ }
+
+resource "aws_efs_mount_target" "devnet_efs_efs_mount_target" {
+ file_system_id = aws_efs_file_system.devnet_efs.id
+ subnet_id = aws_subnet.devnet_subnet.id
+ security_groups = [aws_security_group.devnet_efs_security_group.id]
+}
+
+resource "aws_efs_access_point" "devnet_efs_access_point" {
+ file_system_id = aws_efs_file_system.devnet_efs.id
+ for_each = var.devnet_node_kyes
+ root_directory {
+ path = "/${each.key}/database"
+ creation_info {
+ owner_gid = 1001
+ owner_uid = 1001
+ permissions = 777
+ }
+ }
+ posix_user {
+ gid = 1001
+ uid = 1001
+ secondary_gids = [0]
+ }
+
+ tags = {
+ Name = "TfDevnetEfsAccessPoint-${each.key}"
+ }
+}
\ No newline at end of file
diff --git a/cicd/devnet/terraform/main.tf b/cicd/devnet/terraform/main.tf
index f0a4b16adf..772e79e034 100644
--- a/cicd/devnet/terraform/main.tf
+++ b/cicd/devnet/terraform/main.tf
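Review bot: The access point's `creation_info` sets `permissions = 777` on each `/<node>/database` root directory, and `posix_user` adds `secondary_gids = [0]`, so the database directories are created world-writable and clients are handed membership of the root group. Clients coming through the access point are already pinned to uid/gid 1001 by `posix_user`, so the practical effect of 777 is to open the directory to anything that mounts the file system directly over NFS (which the EFS security group allows from every node instance); `permissions = "750"` and dropping the `secondary_gids = [0]` line keep the access-point path working while closing that. There is also no `aws_efs_file_system_policy` for `devnet_efs`, so a mount needs neither TLS nor IAM — the volume is `encrypted` at rest, but traffic to port 2049 stays plaintext unless each client opts in. A deny-when-not-TLS policy (below) forces encryption in transit for every client; restricting mounts to the access points via an `elasticfilesystem:AccessPointArn` condition is a further step if direct mounts are not needed.
```hcl
# Reject any request that does not use TLS, so encryption in transit is enforced server-side.
resource "aws_efs_file_system_policy" "devnet_efs_policy" {
  file_system_id = aws_efs_file_system.devnet_efs.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyNonTlsClients"
      Effect    = "Deny"
      Principal = { AWS = "*" }
      Action    = "*"
      Resource  = aws_efs_file_system.devnet_efs.arn
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```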
@@ -75,4 +75,78 @@ resource "aws_route_table" "devnet_route_table" {
 resource "aws_route_table_association" "devnet_route_table_association" {
 subnet_id = aws_subnet.devnet_subnet.id
 route_table_id = aws_route_table.devnet_route_table.id
-}
\ No newline at end of file
+}
+
+resource "aws_default_security_group" "devnet_xdcnode_security_group" {
+ vpc_id = aws_vpc.devnet_vpc.id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Name = "TfDevnetNode"
+ }
+}
+
+resource "aws_security_group" "devnet_efs_security_group" {
+ name = "TfDevnetEfsSecurityGroup"
+ description = "Allow HTTP in and out of devnet EFS"
+ vpc_id = aws_vpc.devnet_vpc.id
+
+ ingress {
+ from_port = 2049
+ to_port = 2049
+ protocol = "TCP"
+ security_groups = [aws_default_security_group.devnet_xdcnode_security_group.id]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Name = "TfDevnetEfs"
+ }
+}
+
+# IAM policies
+
+data "aws_iam_policy_document" "xdc_ecs_tasks_execution_role" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ecs-tasks.amazonaws.com"]
+ }
+ }
+}
+
+# Create the role
+resource "aws_iam_role" "devnet_xdc_ecs_tasks_execution_role" {
+ name = "devnet-xdc-ecs-task-execution-role"
+ assume_role_policy = "${data.aws_iam_policy_document.xdc_ecs_tasks_execution_role.json}"
+}
+
+# Attached the AWS managed policies to the new role
+resource "aws_iam_role_policy_attachment" "devnet_xdc_ecs_tasks_execution_role" {
+ for_each = toset([
+ "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess",
+ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+ "arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils"
+ ])
+ role = aws_iam_role.devnet_xdc_ecs_tasks_execution_role.name
+ policy_arn = each.value
+}
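Review bot: `aws_default_security_group.devnet_xdcnode_security_group` opens ingress on every port and protocol from `0.0.0.0/0`, and `devnet_efs_security_group` then trusts that group as its only NFS source, so every node instance is reachable from the whole internet and anything that lands on one can reach the EFS share on 2049. Even for a devnet the inbound side should be one rule per port the nodes actually serve (their P2P and RPC ports, which this hunk does not show), with RPC limited to known CIDRs; the unquoted `protocol = -1` in that ingress also differs from the quoted `"-1"` used in every other rule. The EFS group's `description = "Allow HTTP in and out of devnet EFS"` is wrong for a 2049 rule and should read `description = "Allow NFS (2049) from devnet nodes to EFS"`. Separately, `AmazonElasticFileSystemClientFullAccess` and `AmazonElasticFileSystemsUtils` are attached to the task *execution* role, which the ECS agent uses to pull images and ship logs rather than the identity the containers run as; EFS client permissions belong on a task role scoped to `aws_efs_file_system.devnet_efs.arn` (`elasticfilesystem:ClientMount` / `ClientWrite`), and `AmazonElasticFileSystemsUtils` is intended for EC2 hosts running efs-utils and carries permissions beyond EFS, so it should not be needed here at all.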
diff --git a/cicd/devnet/terraform/variables.tf b/cicd/devnet/terraform/variables.tf
new file mode 100644
index 0000000000..f6a9b8bf3b
--- /dev/null
+++ b/cicd/devnet/terraform/variables.tf
@@ -0,0 +1,19 @@
+variable "devnet_node_kyes" {
+ description = "Array of nodes keys."
+ type = map(any)
+
+ /**
+ Below is the list of private keys you need to specify. It follows the pattern of
+ {{Name of the node}}: {
+ pk: {{Value of the node private key}},
+ ... any other configuration we want to pass.
+ }
+ Note: No `n` is allowed in the node name
+ **/
+ default = {
+ xdc-1 = {
+ pk = "3efdb44088929167487da052125162b48d8d54fe8f7b7db11b5d5cc3b9a1c14b",
+ isChaosNode = false # This is a placeholder, config not supported yet
+ }
+ }
+}
\ No newline at end of file
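Review bot: The variable's `default` carries a node private key as a literal (`pk = "3efdb4…c14b"`), so the secret is committed to the repository and will be echoed in `terraform plan` output and in any log or state that captures variable values. Even if this is a throwaway devnet key it should be treated as burned now that it is pushed; drop the literal and have operators supply keys at apply time from an untracked `.tfvars` file or a secrets store, i.e. `default = {}` together with `sensitive = true` (Terraform 0.14+) so plan and apply output redact the values. The name `devnet_node_kyes` is a typo that efs.tf's `for_each = var.devnet_node_kyes` already depends on, so renaming it to `devnet_node_keys` needs both references changed in the same commit. The comment line "Note: No `n` is allowed in the node name" states a restriction without its reason; a sentence explaining where the `n` would break things would save the next reader a hunt.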