Break cycles in module dependencies (#4)

module.metaflow-metadata-service depended upon module.metaflow-datastore for database,
but at the same time the latter also depended upon former for ingress rule. We break
the dependency by moving ingress rule over to the former module.

Author: sarthak

iam.tf

@@ -248,3 +248,25 @@ resource "aws_iam_role_policy" "grant_cloudwatch" {
   role   = aws_iam_role.batch_s3_task_role.name
   policy = data.aws_iam_policy_document.cloudwatch.json
 }
+
+# Create ECS Task Execution IAM role and policy to run ECS tasks
+resource "aws_iam_role" "ecsTaskExecutionRole" {
+  name               = "${var.resource_prefix}ecsTaskExecutionRole${var.resource_suffix}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
+  role       = aws_iam_role.ecsTaskExecutionRole.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}

main.tf

@@ -4,17 +4,17 @@ module "metaflow-datastore" {
   resource_prefix = local.resource_prefix
   resource_suffix = local.resource_suffix
 
-  metadata_service_security_group_id = module.metaflow-metadata-service.metadata_service_security_group_id
-  metaflow_vpc_id                    = var.vpc_id
-  subnet1_id                         = var.subnet1_id
-  subnet2_id                         = var.subnet2_id
+  metaflow_vpc_id = var.vpc_id
+  subnet1_id      = var.subnet1_id
+  subnet2_id      = var.subnet2_id
 
   db_engine         = var.datastore_db_engine
   db_engine_version = var.datastore_db_engine_version
 
   standard_tags = var.tags
 }
 
+# depends-on: metaflow-datastore
 module "metaflow-metadata-service" {
   source = "./modules/metadata-service"
 
@@ -26,8 +26,9 @@ module "metaflow-metadata-service" {
   database_name                    = module.metaflow-datastore.database_name
   database_password                = module.metaflow-datastore.database_password
   database_username                = module.metaflow-datastore.database_username
+  database_sg_id                   = module.metaflow-datastore.database_sg_id
   datastore_s3_bucket_kms_key_arn  = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
-  fargate_execution_role_arn       = module.metaflow-computation.ecs_execution_role_arn
+  fargate_execution_role_arn       = aws_iam_role.ecsTaskExecutionRole.arn
   iam_partition                    = var.iam_partition
   metadata_service_container_image = local.metadata_service_container_image
   metaflow_vpc_id                  = var.vpc_id
@@ -41,6 +42,7 @@ module "metaflow-metadata-service" {
   standard_tags = var.tags
 }
 
+# depends-on: metaflow-datastore, metaflow-metadata-service
 module "metaflow-ui" {
   source = "./modules/ui"
   count  = var.ui_certificate_arn == "" ? 0 : 1
@@ -52,7 +54,7 @@ module "metaflow-ui" {
   database_password               = module.metaflow-datastore.database_password
   database_username               = module.metaflow-datastore.database_username
   datastore_s3_bucket_kms_key_arn = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
-  fargate_execution_role_arn      = module.metaflow-computation.ecs_execution_role_arn
+  fargate_execution_role_arn      = aws_iam_role.ecsTaskExecutionRole.arn
   iam_partition                   = var.iam_partition
   metaflow_vpc_id                 = var.vpc_id
   rds_master_instance_endpoint    = module.metaflow-datastore.rds_master_instance_endpoint
@@ -78,6 +80,7 @@ module "metaflow-ui" {
 
 }
 
+# depends-on: 
 module "metaflow-computation" {
   source = "./modules/computation"
 
@@ -98,6 +101,7 @@ module "metaflow-computation" {
   standard_tags = var.tags
 }
 
+# depends-on: metaflow-computation, metaflow-datastore
 module "metaflow-step-functions" {
   source = "./modules/step-functions"
 

modules/datastore/rds.tf

@@ -26,16 +26,6 @@ resource "aws_security_group" "rds_security_group" {
   tags = var.standard_tags
 }
 
-# ingress only from port 5432
-resource "aws_security_group_rule" "rds_sg_ingress" {
-  type = "ingress"
-  from_port = 5432
-  to_port = 5432
-  protocol = "tcp"
-  source_security_group_id = var.metadata_service_security_group_id
-  security_group_id = aws_security_group.rds_security_group.id
-}
-
 # egress to anywhere
 resource "aws_security_group_rule" "rds_sg_egress" {
   type = "egress"

modules/datastore/variables.tf

@@ -31,11 +31,6 @@ variable "db_username" {
   default     = "metaflow"
 }
 
-variable "metadata_service_security_group_id" {
-  type        = string
-  description = "The security group ID used by the MetaData service. We'll grant this access to our DB."
-}
-
 variable "metaflow_vpc_id" {
   type        = string
   description = "ID of the Metaflow VPC this SageMaker notebook instance is to be deployed in"

modules/metadata-service/ec2.tf

@@ -44,6 +44,16 @@ resource "aws_security_group" "metadata_service_security_group" {
   )
 }
 
+# Inject a ingress rule to RDS's sg to allow ingress only from port 5432
+resource "aws_security_group_rule" "rds_sg_ingress" {
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.metadata_service_security_group.id
+  security_group_id        = var.database_sg_id
+}
+
 resource "aws_lb" "this" {
   name               = "${var.resource_prefix}nlb${var.resource_suffix}"
   internal           = true

modules/metadata-service/variables.tf

@@ -25,6 +25,11 @@ variable "database_username" {
   description = "The database username"
 }
 
+variable "database_sg_id" {
+  type        = string
+  description = "We will use this to add a ingress rule to RDS sg to allow metadata service access"
+}
+
 variable "datastore_s3_bucket_kms_key_arn" {
   type        = string
   description = "The ARN of the KMS key used to encrypt the Metaflow datastore S3 bucket"