VAOS Lessons Learned (#25)

* Switch team to vaos * Bump healthcheck * Thread healthcheck path through to base * Placehold RDS log exports until next provider release * Revert group for access * Enable query logging for Postgres * Fix postgresql log types * Update auth-user-data.tmpl
adhocteam · Dec 31, 2018 · d645a33 · d645a33
1 parent 8d90d06
commit d645a33
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -1,13 +1,18 @@
-# Foundation
+# Terraform Foundation
 
-This is an opinionated setup for a basic 3-tier app in AWS from the VPC on down.
+This is an opinionated setup for a basic 3-tier app in AWS from the VPC on up. Our primary goal is speed of setup over flexibility. Therefore, we try to restrict the number of variables per modules to a reasonable minimum.
 
-### Sources of inspiration
+## Examples
+
+- [VAOS Technical Demo](https://github.com/adhocteam/vaos)
+
+## Sources of inspiration
 
 The approach taken here was influenced by reviewing the following sources (some private to Ad Hoc)
 
 External Prior Art:
 - [Collection of Terraform AWS modules supported by the community](https://github.com/terraform-aws-modules/)
+- [18f Cloud.gov Provisioning](https://github.com/18F/cg-provision)
 - [GOV.UK Terraform resources](https://github.com/alphagov/govuk-aws/tree/master/terraform)
 - [Segment's Stack](https://github.com/segmentio/stack)
 
@@ -17,6 +22,6 @@ Ad Hoc's Work:
 - [QPP Foundational Challenge](https://github.com/adhocteam/qpp-infra-challenge)
 - [USCIS RFDS RFI Response](https://github.com/adhocteam/uscis_rfi_response)
 
-### AWS Provider version
+## AWS Provider version
 
-The modules rely on [implicit provider inheritance](https://www.terraform.io/docs/modules/usage.html#implicit-provider-inheritance). We suggest `version = "~> 1.41"` or higher.
+The modules rely on [implicit provider inheritance](https://www.terraform.io/docs/modules/usage.html#implicit-provider-inheritance). We suggest `version = "~> 1.52"` or higher. The database module requires PostgreSQL logging features enabled in that release.
diff --git a/database/main.tf b/database/main.tf
@@ -39,7 +39,7 @@ resource "aws_security_group_rule" "egress" {
 ####
 
 resource "aws_db_instance" "primary" {
-  identifier_prefix = "${var.env}-"
+  identifier_prefix = "${var.env}-${var.application_name}-"
 
   username = "${var.user}"
   password = "${var.password}"
@@ -51,15 +51,18 @@ resource "aws_db_instance" "primary" {
 
   instance_class = "db.t2.small"
   engine         = "postgres"
-  engine_version = "9.6.9"
+  engine_version = "10.5"
   port           = 5432
 
   storage_type        = "gp2"
   skip_final_snapshot = true
-  allocated_storage   = 10
+  allocated_storage   = 30
   storage_encrypted   = true
   kms_key_id          = "${data.aws_kms_key.main.arn}"
 
+  parameter_group_name            = "${aws_db_parameter_group.postgres.id}"
+  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+
   backup_retention_period = 7
 
   lifecycle {
@@ -76,6 +79,34 @@ resource "aws_db_instance" "primary" {
   }
 }
 
+# Enable query logging
+resource "aws_db_parameter_group" "postgres" {
+  name_prefix = "${var.env}-${var.application_name}-"
+  family      = "postgres10"
+
+  parameter {
+    name  = "log_connections"
+    value = "1"
+  }
+
+  parameter {
+    name  = "log_disconnections"
+    value = "1"
+  }
+
+  # Log only IP address to prevent potential performance penalty
+  # https://www.postgresql.org/docs/9.5/runtime-config-logging.html#what-to-log
+  parameter {
+    name  = "log_hostname"
+    value = "0"
+  }
+
+  parameter {
+    name  = "log_statement"
+    value = "all"
+  }
+}
+
 ####
 # Create internal DNS entry for easy reference by the application
 ####

diff --git a/fargate_cluster/main.tf b/fargate_cluster/main.tf
@@ -6,6 +6,7 @@ module "fargate_base" {
   application_name  = "${var.application_name}"
   application_port  = "${var.application_port}"
   loadbalancer_port = "${var.loadbalancer_port}"
+  health_check_path = "${var.health_check_path}"
 }
 
 # TODO(bob) May need a call to create a service linked role first:
@@ -38,8 +39,8 @@ resource "aws_ecs_task_definition" "app" {
 
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
-  cpu                      = "1024"      # 1 vCPU
-  memory                   = "2048"      # 2 GiB
+  cpu                      = "2048"      # 2 vCPU
+  memory                   = "4096"      # 4 GiB
 }
 
 resource "aws_ecs_service" "application" {

diff --git a/fargate_cluster/variables.tf b/fargate_cluster/variables.tf
@@ -30,6 +30,11 @@ variable "environment_variables" {
   default     = []
 }
 
+variable "health_check_path" {
+  description = "path used by load balancer to health check application. should return 200."
+  default     = "/"
+}
+
 # Currently not supported by Fargate. Placeholder until it is.
 # https://docs.amazonaws.cn/en_us/AmazonECS/latest/developerguide/specifying-sensitive-data.html
 # variable "secrets" {

diff --git a/utilities/teleport/auth-user-data.tmpl b/utilities/teleport/auth-user-data.tmpl
@@ -72,4 +72,4 @@ echo "Create GitHub authenticator"
 sleep 15
 for i in {1..5}; do sudo -u teleport /usr/local/bin/tctl create /var/lib/teleport/github.yaml && break || sleep 15; done
 
-echo "Teleport install complete"
+echo "Teleport install complete"