feat: support multiple sidecar container (#38)

* feat: support select container to attached lb

* fix: error in target group

* feat: configuration mem, cpu as task level

* feat: secret base on container inside

* feat: secret separate by container

* fix: secrets typo

* fix: code smell and example usage

* fix: security issue log group with kms (#39)

* feat: add defualt kms with additional override kms

* fix: typo

* fix: count depends on undetermined resource

* fix: fix provider version to 4.65 dua to bug of 4.66

* fix: ref to non created resource

---------

Co-authored-by: Brian - oozou <98243528+lycbrian@users.noreply.github.com>

Author: xshot9011

CHANGELOG.md

@@ -1,5 +1,30 @@
 # Change Log
 
+## [v1.2.0] - 2023-10-11
+
+### Added
+
+- Support custom and built-in module KMS for cloudwatch log group
+  - resources: `data.aws_iam_policy_document.cloudwatch_log_group_kms_policy`, `module.cloudwatch_log_group_kms`
+  - variables: `is_create_default_kms`, `cloudwatch_log_group_kms_key_arn`
+- Validation condition `local.raise_multiple_container_attach_to_alb`
+- New method to create task definition with support multiple container `local.container_task_definitions`
+  - variables: `container`
+- Support for 1 secretManager: N secret
+  - resources: `aws_secretsmanager_secret.this`, `aws_secretsmanager_secret_version.this`, `aws_iam_role_policy.task_execution_role_access_secret`
+
+### Changed
+
+- Update example of simple usage `examples/simple/main.tf`, `examples/simple/versions.tf` and `examples/simple/outputs.tf`
+
+### Removed 
+
+- Non-used module level validation `local.raise_vpc_id_empty`, `local.raise_service_port_empty`, `local.raise_health_check_empty` and `local.raise_alb_listener_arn_empty`
+- Remove all previous method to construct the task definition for ECS
+- Remove all secrets usage 1 key : 1 secret; use 1 secret in JSON form
+  - resources: `aws_secretsmanager_secret.service_secrets`, `aws_secretsmanager_secret_version.service_secrets`, `aws_iam_role_policy.task_execution_secrets`
+- Remove unused variables `is_attach_service_with_lb`, `service_info`, `apm_sidecar_ecr_url`, `apm_config`. `unix_max_connection`, `entry_point` and `command`
+
 ## [v1.1.12] - 2023-01-23
 
 ### Added

SECURITY.md

@@ -20,4 +20,4 @@ Your can also report the vulnerabilities by emailing to Oozou DevOps team at:
 devops@oozou.com
 ```
 
-We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.
+We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.

examples/simple/main.tf

@@ -1,5 +1,8 @@
 data "aws_caller_identity" "this" {}
-data "aws_region" "this" {}
+
+locals {
+  name = format("%s-%s-%s", var.prefix, var.environment, var.name)
+}
 
 /* -------------------------------------------------------------------------- */
 /*                                     VPC                                    */
@@ -69,72 +72,182 @@ module "fargate_cluster" {
 /* -------------------------------------------------------------------------- */
 /*                                   Service                                  */
 /* -------------------------------------------------------------------------- */
-module "service_api" {
+module "api_service" {
   source = "../.."
 
-  # Generics
   prefix      = var.prefix
   environment = var.environment
-  name        = format("%s-service-api", var.name)
+  name        = format("%s-api-service", var.name)
 
-  # IAM Role
-  is_create_iam_role = true
+  # ECS service
+  task_cpu                    = 1024
+  task_memory                 = 2048
+  ecs_cluster_name            = module.fargate_cluster.ecs_cluster_name
+  service_discovery_namespace = module.fargate_cluster.service_discovery_namespace
+  is_enable_execute_command   = true
+  application_subnet_ids      = module.vpc.private_subnet_ids
+  security_groups = [
+    module.fargate_cluster.ecs_task_security_group_id
+  ]
   additional_ecs_task_role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
   ]
 
   # ALB
-  is_attach_service_with_lb = true
-  alb_listener_arn          = module.fargate_cluster.alb_listener_http_arn
-  alb_host_header           = null
-  alb_paths                 = ["/*"]
-  alb_priority              = "100"
-  vpc_id                    = module.vpc.vpc_id
+  alb_listener_arn = module.fargate_cluster.alb_listener_http_arn
+  alb_host_header  = null
+  alb_paths        = ["/*"]
+  alb_priority     = "100"
+  vpc_id           = module.vpc.vpc_id
   health_check = {
     interval            = 20,
-    path                = "/",
+    path                = "",
     timeout             = 10,
     healthy_threshold   = 3,
     unhealthy_threshold = 3,
     matcher             = "200,201,204"
   }
 
-  # Logging
   is_create_cloudwatch_log_group = true
 
-  # Task definition
-  service_info = {
-    cpu_allocation = 256,
-    mem_allocation = 512,
-    port           = 80,
-    image          = "nginx"
-    mount_points   = []
+  container = {
+    main_container = {
+      name            = format("%s-api-service", local.name)
+      image           = "nginx"
+      cpu             = 128
+      memory          = 256
+      is_attach_to_lb = true
+      port_mappings = [
+        {
+          # If a container has multiple ports, index 0 will be used for target group
+          host_port      = 80
+          container_port = 80
+          protocol       = "tcp"
+        }
+      ]
+      entry_point = []
+      command     = []
+    }
+    side_container = {
+      name   = format("%s-nginx", local.name)
+      image  = "tutum/dnsutils"
+      cpu    = 128
+      memory = 256
+      port_mappings = [
+        {
+          host_port      = 443
+          container_port = 443
+          protocol       = "tcp"
+        },
+      ]
+    }
   }
-  is_application_scratch_volume_enabled = true
-
-  # Secret and Env
   environment_variables = {
-    THIS_IS_ENV  = "ENV1",
-    THIS_IS_ENVV = "ENVV",
+    main_container = {
+      THIS_IS_ENV  = "ENV1",
+      THIS_IS_ENVV = "ENVV",
+    }
+    side_container = {
+      XXXX  = "XXXX",
+      XXXXX = "XXXXX",
+    }
   }
-  # WARNING Secret should not be in plain text
   secret_variables = {
-    THIS_IS_SECRET       = "1xxxxx",
-    THIS_IS_SECRETT      = "2xxxxx",
-    THIS_IS_SECRETTT     = "3xxxxx",
-    THIS_IS_SECRETTTTT   = "4xxxxx",
-    THIS_IS_SECRETTTTTT  = "5xxxxx",
-    THIS_IS_SECRETTTTTTT = "6xxxxx",
+    main_container = {
+      THIS_IS_SECRET  = "1xxxxx",
+      THIS_IS_SECRETT = "2xxxxx",
+    }
   }
 
+  tags = var.custom_tags
+}
+
+module "payment_service" {
+  source = "../.."
+
+  prefix      = var.prefix
+  environment = var.environment
+  name        = format("%s-api-service", var.name)
+
   # ECS service
+  task_cpu                    = 1024
+  task_memory                 = 2048
   ecs_cluster_name            = module.fargate_cluster.ecs_cluster_name
   service_discovery_namespace = module.fargate_cluster.service_discovery_namespace
   is_enable_execute_command   = true
   application_subnet_ids      = module.vpc.private_subnet_ids
   security_groups = [
     module.fargate_cluster.ecs_task_security_group_id
   ]
+  additional_ecs_task_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
+  ]
+
+  # ALB
+  alb_listener_arn = module.fargate_cluster.alb_listener_http_arn
+  alb_host_header  = null
+  alb_paths        = ["/*"]
+  alb_priority     = "100"
+  vpc_id           = module.vpc.vpc_id
+  health_check = {
+    interval            = 20,
+    path                = "",
+    timeout             = 10,
+    healthy_threshold   = 3,
+    unhealthy_threshold = 3,
+    matcher             = "200,201,204"
+  }
+
+  is_create_cloudwatch_log_group = true
+
+  container = {
+    main_container = {
+      name            = format("%s-api-service", local.name)
+      image           = "nginx"
+      cpu             = 128
+      memory          = 256
+      is_attach_to_lb = true
+      port_mappings = [
+        {
+          # If a container has multiple ports, index 0 will be used for target group
+          host_port      = 80
+          container_port = 80
+          protocol       = "tcp"
+        }
+      ]
+      entry_point = []
+      command     = []
+    }
+    side_container = {
+      name   = format("%s-nginx", local.name)
+      image  = "tutum/dnsutils"
+      cpu    = 128
+      memory = 256
+      port_mappings = [
+        {
+          host_port      = 443
+          container_port = 443
+          protocol       = "tcp"
+        },
+      ]
+    }
+  }
+  environment_variables = {
+    main_container = {
+      THIS_IS_ENV  = "ENV1",
+      THIS_IS_ENVV = "ENVV",
+    }
+    side_container = {
+      XXXX  = "XXXX",
+      XXXXX = "XXXXX",
+    }
+  }
+  secret_variables = {
+    main_container = {
+      THIS_IS_SECRET  = "1xxxxx",
+      THIS_IS_SECRETT = "2xxxxx",
+    }
+  }
 
   tags = var.custom_tags
 }

examples/simple/outputs.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0.0, < 5.0.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.3.0"
+    }
+  }
+}