Improve tagging of AWS resources (#63)

* Add git author and repo slug to tags
* Upgrade to latest Terraform ECS service module which supports tagging
* Remove host port so ports are allocated dynamically
* Remove task level CPU and Memory limits when using EC2 launch type

Author: Bhavik Kumar

.travis.yml

@@ -35,6 +35,7 @@ before_install:
 - chmod +x $HOME/bin/terraform
 - export AWS_ACCESS_KEY_ID=$DEPLOYMENT_ACCESS_KEY_ID
 - export AWS_SECRET_ACCESS_KEY=$DEPLOYMENT_SECRET_ACCESS_KEY
+- export AUTHOR_NAME="$(git log -1 $TRAVIS_COMMIT --pretty="%aN")"
 before_cache:
 - rm -f  $HOME/.gradle/caches/modules-2/modules-2.lock
 - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
@@ -54,7 +55,7 @@ jobs:
     script:
     - cd deployment/terraform/ecr
     - terraform init -backend-config="bucket=${STATE_S3_BUCKET}" -backend-config="region=${AWS_DEFAULT_REGION}" -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE}" -backend-config="kms_key_id=${KMS_KEY_ID}" -backend-config="key=${KEY}" -backend-config="role_arn=${ROLE_ARN}" 1>/dev/null || exit 1
-    - terraform apply -backup="-" -input=false -auto-approve -var role_arn=${ROLE_ARN} -var service_name=${SERVICE_NAME} 1>/dev/null || exit 1
+    - terraform apply -backup="-" -input=false -auto-approve -var role_arn=${ROLE_ARN} -var service_name=${SERVICE_NAME} -var tags="{\"AuthorName\":\"${AUTHOR_NAME}\",\"GitRepository\":\"${TRAVIS_REPO_SLUG}\"}" 1>/dev/null || exit 1
     - REPOSITORY_URI=$(terraform output repository_url)
     - cd $TRAVIS_BUILD_DIR
     - eval $(aws sts assume-role --role-arn "$OPERATIONS_ROLE_ARN" --role-session-name "${TRAVIS_REPO_SLUG//\//-}" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')
@@ -63,7 +64,6 @@ jobs:
     after_success:
     - ./gradlew sonarqube
   - stage: deploy to development
-    jdk: openjdk11
     env:
     - TF_WORKSPACE=development
     - SPLUNK_TOKEN=
@@ -78,7 +78,6 @@ jobs:
         all_branches: true
   - stage: deploy to production
     if: env(DEPLOY_PRODUCTION) IS present
-    jdk: openjdk11
     env:
     - TF_WORKSPACE=production
     - SPLUNK_TOKEN=

deployment/script/travis_deploy.sh

@@ -3,7 +3,7 @@
 cd $TRAVIS_BUILD_DIR
 cd deployment/terraform/ecs-service
 terraform init -backend-config="bucket=${STATE_S3_BUCKET}" -backend-config="region=${AWS_DEFAULT_REGION}" -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE}" -backend-config="kms_key_id=${KMS_KEY_ID}" -backend-config="key=${SERVICE_KEY}" -backend-config="role_arn=${ROLE_ARN}" 1> /dev/null || exit 1
-terraform apply -backup="-" -input=false -auto-approve -var role_arn=${ROLE_ARN} -var service_name=${SERVICE_NAME} -var service_version=${TRAVIS_BUILD_NUMBER} -var splunk_url=${SPLUNK_URL} -var splunk_token=${SPLUNK_TOKEN} 1> /dev/null || exit 1
+terraform apply -backup="-" -input=false -auto-approve -var role_arn=${ROLE_ARN} -var service_name=${SERVICE_NAME} -var service_version=${TRAVIS_BUILD_NUMBER} -var splunk_url=${SPLUNK_URL} -var splunk_token=${SPLUNK_TOKEN} -var tags="{\"AuthorName\":\"${AUTHOR_NAME}\",\"GitRepository\":\"${TRAVIS_REPO_SLUG}\"}" 1> /dev/null || exit 1
 eval $(terraform output -json | jq -r .' | @sh "export CLUSTER_NAME=\(.ecs_cluster_name.value)\nexport DEPLOYMENT_ROLE_ARN=\(.deployment_role_arn.value) "')
 eval $(aws sts assume-role --role-arn "$DEPLOYMENT_ROLE_ARN" --role-session-name "${TRAVIS_REPO_SLUG//\//-}" | jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) "')
 aws ecs wait services-stable --services ${SERVICE_NAME} --cluster ${CLUSTER_NAME} || exit 1

deployment/terraform/ecr/main.tf

@@ -15,7 +15,7 @@ locals {
 
 provider "aws" {
   region  = var.aws_default_region
-  version = "~> 2.36.0"
+  version = "~> 2.38.0"
   profile = var.profile
 
   allowed_account_ids = [

deployment/terraform/ecs-service/ecs.tf

@@ -55,7 +55,7 @@ module "container_definition" {
   portMappings      = [
     {
       containerPort = 8080
-      hostPort      = 8080,
+      hostPort      = 0,
       protocol      = "tcp"
     }
   ]
@@ -64,7 +64,7 @@ module "container_definition" {
 resource "aws_iam_role" "execution_task_role" {
   name               = format("%s-execution", var.service_name)
   assume_role_policy = data.aws_iam_policy_document.task_service_assume_role.json
-  tags               = var.tags
+  tags               = merge(local.common_tags, var.tags)
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_default_policy" {
@@ -75,21 +75,19 @@ resource "aws_iam_role_policy_attachment" "ecs_task_default_policy" {
 resource "aws_iam_role" "task_role" {
   name               = format("%s-task", var.service_name)
   assume_role_policy = data.aws_iam_policy_document.task_service_assume_role.json
-  tags               = var.tags
+  tags               = merge(local.common_tags, var.tags)
 }
 
 resource "aws_ecs_task_definition" "task_definition" {
   container_definitions = "[${module.container_definition.container_definition}]"
   family                = var.service_name
-  cpu                   = var.cpu
-  memory                = var.memory
   execution_role_arn    = aws_iam_role.execution_task_role.arn
   task_role_arn         = aws_iam_role.task_role.arn
   tags                  = merge(local.common_tags, var.tags)
 }
 
 module "ecs_service" {
-  source                   = "git::https://github.com/bnc-projects/terraform-ecs-service.git?ref=1.3.2"
+  source                   = "git::https://github.com/bnc-projects/terraform-ecs-service.git?ref=1.3.4"
   application_path         = "/v1/sbjb"
   attach_load_balancer     = true
   cluster                  = data.terraform_remote_state.market_data.outputs.ecs_cluster_name

deployment/terraform/ecs-service/variables.tf

@@ -31,12 +31,6 @@ variable "role_arn" {
   description = "The role to assume to access the terraform remote state"
 }
 
-variable "tags" {
-  type        = map(string)
-  description = "A map of tags to add to all resources"
-  default     = {}
-}
-
 variable "service_name" {
   type        = string
   description = "The name of the ECS service"
@@ -56,3 +50,9 @@ variable "splunk_token" {
   type        = string
   description = "The token used to send log to Splunk collector"
 }
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to add to all resources"
+  default     = {}
+}