Update main to match reality of recent infra changes (#181)

irvingpop · web-flow · commit e288f0ba0e0e · 2023-05-26T09:47:32.000-07:00
* update to reflect reality - pybot prod is temporarily in our ECS cluster

Signed-off-by: Irving Popovetsky &lt;irving@honeycomb.io&gt;

* TF module lock bump

Signed-off-by: Irving Popovetsky &lt;irving@honeycomb.io&gt;

* Rollout new cert and update the https security policy

Signed-off-by: Irving Popovetsky &lt;irving@honeycomb.io&gt;

---------

Signed-off-by: Irving Popovetsky &lt;irving@honeycomb.io&gt;
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/alb.tf b/terraform/alb.tf
@@ -69,8 +69,8 @@ resource "aws_lb_listener" "default_https" {
   load_balancer_arn = aws_lb.ecs.arn
   protocol          = "HTTPS"
   port              = 443
-  certificate_arn   = "arn:aws:acm:us-east-2:633607774026:certificate/8de9fd02-191c-485f-b952-e5ba32e90acb"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = "arn:aws:acm:us-east-2:633607774026:certificate/cebe8639-6144-409d-b384-c0b4b4880898"
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 
   default_action {
     type = "fixed-response"
diff --git a/terraform/apps.tf b/terraform/apps.tf
@@ -189,3 +189,36 @@ resource "aws_lb_listener_rule" "shutdown_sites_redirector" {
 #     }
 #   }
 # }
+
+# Pybot Prod
+module "pybot_prod" {
+  source = "./pybot"
+
+  env                 = "prod"
+  vpc_id              = data.aws_vpc.use2.id
+  logs_group          = aws_cloudwatch_log_group.ecslogs.name
+  ecs_cluster_id      = module.ecs.cluster_id
+  task_execution_role = data.aws_iam_role.ecs_task_execution_role.arn
+  image_tag           = "master"
+}
+
+resource "aws_lb_listener_rule" "pybot_prod" {
+  listener_arn = aws_lb_listener.default_https.arn
+
+  action {
+    type             = "forward"
+    target_group_arn = module.pybot_prod.lb_tg_arn
+  }
+
+  condition {
+    host_header {
+      values = ["pybot.operationcode.org"]
+    }
+  }
+
+  condition {
+    path_pattern {
+      values = ["/slack/*", "/pybot/*", "/airtable/*"]
+    }
+  }
+}
diff --git a/terraform/asg.tf b/terraform/asg.tf
@@ -64,6 +64,9 @@ module "autoscaling" {
   # Required for  managed_termination_protection = "ENABLED"
   protect_from_scale_in = false
 
+  # reduce cloudwatch costs
+  enable_monitoring = false
+
   tags = local.tags
 }
 
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
@@ -35,16 +35,10 @@ module "ecs" {
 
   cluster_name = local.name
 
-  cluster_configuration = {
-    execute_command_configuration = {
-      # logging = "OVERRIDE"
-      # log_configuration = {
-      #   # You can set a simple string and ECS will create the CloudWatch log group for you
-      #   # or you can create the resource yourself as shown here to better manage retetion, tagging, etc.
-      #   # Embedding it into the module is not trivial and therefore it is externalized
-      #   cloud_watch_log_group_name = aws_cloudwatch_log_group.this.name
-      # }
-    }
+  # disable container insights to save a bit of money
+  cluster_settings = {
+    name  = "containerInsights"
+    value = "disabled"
   }
 
   default_capacity_provider_use_fargate = false

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,9 @@ module "autoscaling" {`
`64`	`64`	`# Required for managed_termination_protection = "ENABLED"`
`65`	`65`	`protect_from_scale_in = false`
`66`	`66`
	`67`	`+ # reduce cloudwatch costs`
	`68`	`+ enable_monitoring = false`
	`69`	`+`
`67`	`70`	`tags = local.tags`
`68`	`71`	`}`
`69`	`72`