PRMP-763: Weekly ODS update ecs task (#194)

Author: NogaNHS

.gitignore

@@ -31,6 +31,7 @@ terraform.rc
 node_modules/
 tfplan
 *.zip
+*tf.plan
 
 .idea/
 .vscode/

infrastructure/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.62.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
 
 ## Modules
 
@@ -84,9 +84,11 @@
 | <a name="module_ndr-app-config"></a> [ndr-app-config](#module\_ndr-app-config) | ./modules/app_config | n/a |
 | <a name="module_ndr-bulk-staging-store"></a> [ndr-bulk-staging-store](#module\_ndr-bulk-staging-store) | ./modules/s3/ | n/a |
 | <a name="module_ndr-docker-ecr-ui"></a> [ndr-docker-ecr-ui](#module\_ndr-docker-ecr-ui) | ./modules/ecr/ | n/a |
+| <a name="module_ndr-docker-ecr-weekly-ods-update"></a> [ndr-docker-ecr-weekly-ods-update](#module\_ndr-docker-ecr-weekly-ods-update) | ./modules/ecr/ | n/a |
 | <a name="module_ndr-document-store"></a> [ndr-document-store](#module\_ndr-document-store) | ./modules/s3/ | n/a |
 | <a name="module_ndr-ecs-container-port-ssm-parameter"></a> [ndr-ecs-container-port-ssm-parameter](#module\_ndr-ecs-container-port-ssm-parameter) | ./modules/ssm_parameter | n/a |
-| <a name="module_ndr-ecs-fargate"></a> [ndr-ecs-fargate](#module\_ndr-ecs-fargate) | ./modules/ecs | n/a |
+| <a name="module_ndr-ecs-fargate-app"></a> [ndr-ecs-fargate-app](#module\_ndr-ecs-fargate-app) | ./modules/ecs | n/a |
+| <a name="module_ndr-ecs-fargate-ods-update"></a> [ndr-ecs-fargate-ods-update](#module\_ndr-ecs-fargate-ods-update) | ./modules/ecs | n/a |
 | <a name="module_ndr-feedback-mailbox"></a> [ndr-feedback-mailbox](#module\_ndr-feedback-mailbox) | ./modules/ses | n/a |
 | <a name="module_ndr-lloyd-george-store"></a> [ndr-lloyd-george-store](#module\_ndr-lloyd-george-store) | ./modules/s3/ | n/a |
 | <a name="module_ndr-vpc-ui"></a> [ndr-vpc-ui](#module\_ndr-vpc-ui) | ./modules/vpc/ | n/a |
@@ -188,6 +190,8 @@
 | [aws_iam_role.ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.manifest_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.mesh_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.ods_weekly_update_ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.ods_weekly_update_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.s3_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.sns_failure_feedback_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.splunk_sqs_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -218,6 +222,7 @@
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.staging-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_policy.logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_scheduler_schedule.ods_weekly_update_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/scheduler_schedule) | resource |
 | [aws_security_group.ndr_mesh_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_sns_topic.alarm_notifications_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_subscription.alarm_notifications_sns_topic_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |

infrastructure/api.tf

@@ -13,7 +13,7 @@ resource "aws_api_gateway_rest_api" "ndr_doc_store_api" {
 
 resource "aws_api_gateway_domain_name" "custom_api_domain" {
   domain_name              = local.api_gateway_full_domain_name
-  regional_certificate_arn = module.ndr-ecs-fargate.certificate_arn
+  regional_certificate_arn = module.ndr-ecs-fargate-app.certificate_arn
 
   endpoint_configuration {
     types = ["REGIONAL"]

infrastructure/ecr.tf

@@ -5,3 +5,11 @@ module "ndr-docker-ecr-ui" {
   environment = var.environment
   owner       = var.owner
 }
+module "ndr-docker-ecr-weekly-ods-update" {
+  count    = local.is_sandbox ? 0 : 1
+  source   = "./modules/ecr/"
+  app_name = "${terraform.workspace}-weekly-ods-update"
+
+  environment = var.environment
+  owner       = var.owner
+}

infrastructure/ecs.tf

@@ -1,6 +1,9 @@
-module "ndr-ecs-fargate" {
+module "ndr-ecs-fargate-app" {
   source                   = "./modules/ecs"
   ecs_cluster_name         = "app-cluster"
+  is_lb_needed             = true
+  is_autoscaling_needed    = true
+  is_service_needed        = true
   vpc_id                   = module.ndr-vpc-ui.vpc_id
   public_subnets           = module.ndr-vpc-ui.public_subnets
   private_subnets          = module.ndr-vpc-ui.private_subnets
@@ -22,9 +25,71 @@ module "ndr-ecs-container-port-ssm-parameter" {
   source              = "./modules/ssm_parameter"
   name                = "container_port"
   description         = "Docker container port number for ${var.environment}"
-  resource_depends_on = module.ndr-ecs-fargate
-  value               = module.ndr-ecs-fargate.container_port
+  resource_depends_on = module.ndr-ecs-fargate-app
+  value               = module.ndr-ecs-fargate-app.container_port
   type                = "SecureString"
   owner               = var.owner
   environment         = var.environment
+}
+
+module "ndr-ecs-fargate-ods-update" {
+  count                    = local.is_sandbox ? 0 : 1
+  source                   = "./modules/ecs"
+  ecs_cluster_name         = "ods-weekly-update"
+  vpc_id                   = module.ndr-vpc-ui.vpc_id
+  public_subnets           = module.ndr-vpc-ui.public_subnets
+  private_subnets          = module.ndr-vpc-ui.private_subnets
+  sg_name                  = "${terraform.workspace}-ods-weekly-update-sg"
+  ecs_launch_type          = "FARGATE"
+  ecs_cluster_service_name = "${terraform.workspace}-ods-weekly-update"
+  ecr_repository_url       = module.ndr-docker-ecr-weekly-ods-update[0].ecr_repository_url
+  environment              = var.environment
+  owner                    = var.owner
+  container_port           = 80
+  is_autoscaling_needed    = false
+  is_lb_needed             = false
+  is_service_needed        = false
+  alarm_actions_arn_list   = []
+  logs_bucket              = aws_s3_bucket.logs_bucket.bucket
+  task_role                = aws_iam_role.ods_weekly_update_task_role[0].arn
+  environment_vars = [
+    {
+      "name" : "table_name",
+      "value" : module.lloyd_george_reference_dynamodb_table.table_name
+    },
+    {
+      "name" : "PDS_FHIR_IS_STUBBED",
+      "value" : tostring(local.is_sandbox)
+    }
+  ]
+  ecs_container_definition_memory = 512
+  ecs_container_definition_cpu    = 256
+  ecs_task_definition_memory      = 512
+  ecs_task_definition_cpu         = 256
+}
+
+resource "aws_iam_role" "ods_weekly_update_task_role" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "${terraform.workspace}_ods_weekly_update_task_role"
+  managed_policy_arns = [
+    module.lloyd_george_reference_dynamodb_table.dynamodb_policy,
+    aws_iam_policy.ssm_access_policy.arn,
+  ]
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "",
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : [
+              "ecs-tasks.amazonaws.com"
+            ]
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  )
 }

infrastructure/firewall.tf

@@ -10,15 +10,15 @@ module "firewall_waf_v2" {
 }
 
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
-  resource_arn = module.ndr-ecs-fargate.load_balancer_arn
+  resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
 
   count = (terraform.workspace == "ndra" ||
     terraform.workspace == "ndrb" ||
     terraform.workspace == "ndrc" ||
   terraform.workspace == "ndrd") ? 0 : 1
   depends_on = [
-    module.ndr-ecs-fargate,
+    module.ndr-ecs-fargate-app,
     module.firewall_waf_v2[0]
   ]
 }

infrastructure/modules/ecs/README.md

@@ -47,20 +47,32 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_alarm_actions_arn_list"></a> [alarm\_actions\_arn\_list](#input\_alarm\_actions\_arn\_list) | n/a | `list(string)` | n/a | yes |
+| <a name="input_autoscaling_max_capacity"></a> [autoscaling\_max\_capacity](#input\_autoscaling\_max\_capacity) | n/a | `number` | `6` | no |
+| <a name="input_autoscaling_min_capacity"></a> [autoscaling\_min\_capacity](#input\_autoscaling\_min\_capacity) | n/a | `number` | `3` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | n/a | `string` | `"eu-west-2"` | no |
-| <a name="input_certificate_domain"></a> [certificate\_domain](#input\_certificate\_domain) | n/a | `string` | n/a | yes |
+| <a name="input_certificate_domain"></a> [certificate\_domain](#input\_certificate\_domain) | n/a | `string` | `""` | no |
 | <a name="input_container_port"></a> [container\_port](#input\_container\_port) | n/a | `number` | `8080` | no |
-| <a name="input_domain"></a> [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| <a name="input_desired_count"></a> [desired\_count](#input\_desired\_count) | n/a | `number` | `3` | no |
+| <a name="input_domain"></a> [domain](#input\_domain) | n/a | `string` | `""` | no |
 | <a name="input_ecr_repository_url"></a> [ecr\_repository\_url](#input\_ecr\_repository\_url) | n/a | `any` | n/a | yes |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | n/a | `string` | n/a | yes |
 | <a name="input_ecs_cluster_service_name"></a> [ecs\_cluster\_service\_name](#input\_ecs\_cluster\_service\_name) | n/a | `string` | n/a | yes |
+| <a name="input_ecs_container_definition_cpu"></a> [ecs\_container\_definition\_cpu](#input\_ecs\_container\_definition\_cpu) | n/a | `number` | `512` | no |
+| <a name="input_ecs_container_definition_memory"></a> [ecs\_container\_definition\_memory](#input\_ecs\_container\_definition\_memory) | n/a | `number` | `1024` | no |
 | <a name="input_ecs_launch_type"></a> [ecs\_launch\_type](#input\_ecs\_launch\_type) | n/a | `string` | `"FARGATE"` | no |
+| <a name="input_ecs_task_definition_cpu"></a> [ecs\_task\_definition\_cpu](#input\_ecs\_task\_definition\_cpu) | n/a | `number` | `1024` | no |
+| <a name="input_ecs_task_definition_memory"></a> [ecs\_task\_definition\_memory](#input\_ecs\_task\_definition\_memory) | n/a | `number` | `2048` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
+| <a name="input_environment_vars"></a> [environment\_vars](#input\_environment\_vars) | n/a | `list` | <pre>[<br>  null<br>]</pre> | no |
+| <a name="input_is_autoscaling_needed"></a> [is\_autoscaling\_needed](#input\_is\_autoscaling\_needed) | n/a | `bool` | `true` | no |
+| <a name="input_is_lb_needed"></a> [is\_lb\_needed](#input\_is\_lb\_needed) | n/a | `bool` | `false` | no |
+| <a name="input_is_service_needed"></a> [is\_service\_needed](#input\_is\_service\_needed) | n/a | `bool` | `true` | no |
 | <a name="input_logs_bucket"></a> [logs\_bucket](#input\_logs\_bucket) | n/a | `any` | n/a | yes |
 | <a name="input_owner"></a> [owner](#input\_owner) | n/a | `string` | n/a | yes |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | n/a | `any` | n/a | yes |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | n/a | `any` | n/a | yes |
 | <a name="input_sg_name"></a> [sg\_name](#input\_sg\_name) | n/a | `string` | n/a | yes |
+| <a name="input_task_role"></a> [task\_role](#input\_task\_role) | n/a | `any` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
 
 ## Outputs
@@ -70,5 +82,7 @@ No modules.
 | <a name="output_certificate_arn"></a> [certificate\_arn](#output\_certificate\_arn) | The arn of certificate that load balancer is using |
 | <a name="output_container_port"></a> [container\_port](#output\_container\_port) | The container port number of docker image, which was provided as input variable of this module |
 | <a name="output_dns_name"></a> [dns\_name](#output\_dns\_name) | n/a |
+| <a name="output_ecs_cluster_arn"></a> [ecs\_cluster\_arn](#output\_ecs\_cluster\_arn) | n/a |
 | <a name="output_load_balancer_arn"></a> [load\_balancer\_arn](#output\_load\_balancer\_arn) | The arn of the load balancer |
 | <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | n/a |
+| <a name="output_task_definition_arn"></a> [task\_definition\_arn](#output\_task\_definition\_arn) | n/a |

infrastructure/modules/ecs/alarms.tf

@@ -1,5 +1,6 @@
 resource "aws_cloudwatch_metric_alarm" "alb_alarm_4XX" {
-  alarm_name          = "4XX-status-${aws_lb.ecs_lb.name}"
+  count               = !local.is_sandbox && var.is_lb_needed ? 1 : 0
+  alarm_name          = "4XX-status-${aws_lb.ecs_lb[0].name}"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = "1"
   namespace           = "AWS/ApplicationELB"
@@ -9,22 +10,21 @@ resource "aws_cloudwatch_metric_alarm" "alb_alarm_4XX" {
   threshold           = 20
   treat_missing_data  = "notBreaching"
   dimensions = {
-    LoadBalancer = aws_lb.ecs_lb.arn_suffix
+    LoadBalancer = aws_lb.ecs_lb[0].arn_suffix
   }
-  alarm_description = "This alarm indicates that at least 20 4XX statuses have occurred on ${aws_lb.ecs_lb.name} in a minute."
+  alarm_description = "This alarm indicates that at least 20 4XX statuses have occurred on ${aws_lb.ecs_lb[0].name} in a minute."
   alarm_actions     = var.alarm_actions_arn_list
 
   tags = {
-    Name        = "4XX-status-${aws_lb.ecs_lb.name}"
+    Name        = "4XX-status-${aws_lb.ecs_lb[0].name}"
     Owner       = var.owner
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-  count = local.is_sandbox ? 0 : 1
 }
 
 resource "aws_cloudwatch_metric_alarm" "alb_alarm_5XX" {
-  alarm_name          = "5XX-status-${aws_lb.ecs_lb.name}"
+  alarm_name          = "5XX-status-${aws_lb.ecs_lb[0].name}"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = "1"
   namespace           = "AWS/ApplicationELB"
@@ -34,18 +34,18 @@ resource "aws_cloudwatch_metric_alarm" "alb_alarm_5XX" {
   threshold           = 5
   treat_missing_data  = "notBreaching"
   dimensions = {
-    LoadBalancer = aws_lb.ecs_lb.arn_suffix
+    LoadBalancer = aws_lb.ecs_lb[0].arn_suffix
   }
-  alarm_description = "This alarm indicates that at least 5 5XX statuses have occurred on ${aws_lb.ecs_lb.name} within 5 minutes."
+  alarm_description = "This alarm indicates that at least 5 5XX statuses have occurred on ${aws_lb.ecs_lb[0].name} within 5 minutes."
   alarm_actions     = var.alarm_actions_arn_list
 
   tags = {
-    Name        = "5XX-status-${aws_lb.ecs_lb.name}"
+    Name        = "5XX-status-${aws_lb.ecs_lb[0].name}"
     Owner       = var.owner
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-  count = local.is_sandbox ? 0 : 1
+  count = !local.is_sandbox && var.is_lb_needed ? 1 : 0
 }
 
 resource "aws_cloudwatch_metric_alarm" "ndr_ecs_service_cpu_high_alarm" {
@@ -60,7 +60,7 @@ resource "aws_cloudwatch_metric_alarm" "ndr_ecs_service_cpu_high_alarm" {
 
   dimensions = {
     ClusterName = aws_ecs_cluster.ndr_ecs_cluster.name
-    ServiceName = aws_ecs_service.ndr_ecs_service.name
+    ServiceName = aws_ecs_service.ndr_ecs_service[0].name
   }
 
   alarm_description = "The CPU usage for ${var.ecs_cluster_service_name} is currently above 85%, the autoscaling will begin scaling up."
@@ -72,7 +72,7 @@ resource "aws_cloudwatch_metric_alarm" "ndr_ecs_service_cpu_high_alarm" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-  count = local.is_sandbox ? 0 : 1
+  count = local.is_sandbox || !var.is_service_needed ? 0 : 1
 }
 
 resource "aws_cloudwatch_metric_alarm" "ndr_ecs_service_cpu_low_alarm" {
@@ -87,7 +87,7 @@ resource "aws_cloudwatch_metric_alarm" "ndr_ecs_service_cpu_low_alarm" {
 
   dimensions = {
     ClusterName = aws_ecs_cluster.ndr_ecs_cluster.name
-    ServiceName = aws_ecs_service.ndr_ecs_service.name
+    ServiceName = aws_ecs_service.ndr_ecs_service[0].name
   }
 
   alarm_description = "The CPU usage for ${var.ecs_cluster_service_name} is currently belowe 15%, the autoscaling will begin scaling down."
@@ -99,5 +99,5 @@ resource "aws_cloudwatch_metric_alarm" "ndr_ecs_service_cpu_low_alarm" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-  count = local.is_sandbox ? 0 : 1
+  count = local.is_sandbox || !var.is_service_needed ? 0 : 1
 }

infrastructure/modules/ecs/lb.tf

@@ -1,4 +1,5 @@
 resource "aws_lb" "ecs_lb" {
+  count                      = var.is_lb_needed ? 1 : 0
   name                       = "${terraform.workspace}-lb"
   internal                   = false
   load_balancer_type         = "application"
@@ -21,6 +22,8 @@ resource "aws_lb" "ecs_lb" {
 }
 
 resource "aws_lb_target_group" "ecs_lb_tg" {
+  count = var.is_lb_needed ? 1 : 0
+
   name        = "${terraform.workspace}-ecs"
   port        = 80
   protocol    = "HTTP"
@@ -46,32 +49,37 @@ resource "aws_lb_target_group" "ecs_lb_tg" {
 }
 
 resource "aws_lb_listener" "https" {
-  load_balancer_arn = aws_lb.ecs_lb.arn
+  count             = var.is_lb_needed ? 1 : 0
+  load_balancer_arn = aws_lb.ecs_lb[0].arn
   port              = "443"
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-  certificate_arn   = data.aws_acm_certificate.amazon_issued.arn
+  certificate_arn   = data.aws_acm_certificate.amazon_issued[0].arn
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.ecs_lb_tg.arn
+    target_group_arn = aws_lb_target_group.ecs_lb_tg[0].arn
   }
 }
 
 data "aws_acm_certificate" "amazon_issued" {
+  count = var.is_lb_needed ? 1 : 0
+
   domain      = var.certificate_domain
   types       = ["AMAZON_ISSUED"]
   most_recent = true
 }
 
 resource "aws_lb_listener" "http" {
-  load_balancer_arn = aws_lb.ecs_lb.arn
+  count = var.is_lb_needed ? 1 : 0
+
+  load_balancer_arn = aws_lb.ecs_lb[0].arn
   port              = "80"
   protocol          = "HTTP"
 
   default_action {
     type             = "redirect"
-    target_group_arn = aws_lb_target_group.ecs_lb_tg.arn
+    target_group_arn = aws_lb_target_group.ecs_lb_tg[0].arn
     redirect {
       port        = "443"
       protocol    = "HTTPS"