add auth manager service components

Author: bilalesi

auth-manager/alb.tf

@@ -0,0 +1,43 @@
+resource "aws_lb_target_group" "auth_manager_private_tg" {
+  #ts:skip=AC_AWS_0492
+  name        = "auth-manager-private"
+  port        = 8000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = var.vpc_id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  health_check {
+    enabled  = true
+    path     = "${var.root_path}/health"
+    protocol = "HTTP"
+  }
+
+  tags = var.auth_manager_svc_tags
+}
+
+resource "aws_lb_listener_rule" "auth_manager_private_listener_rule" {
+  listener_arn = var.private_alb_listener_arn
+  priority     = 610
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.auth_manager_private_tg.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["${var.root_path}*"]
+    }
+  }
+
+  condition {
+    source_ip {
+      values = var.allowed_source_ip_cidr_blocks
+    }
+  }
+  tags = var.auth_manager_svc_tags
+}

auth-manager/dashboard.tf

@@ -0,0 +1,58 @@
+locals {
+  clustername = "auth_manager_ecs_cluster"
+  servicename = "auth_manager_ecs_service"
+}
+
+resource "aws_cloudwatch_dashboard" "main" {
+  dashboard_name = "auth_manager"
+
+  dashboard_body = jsonencode({
+    widgets = [
+      {
+        type   = "metric"
+        x      = 0
+        y      = 0
+        width  = 12
+        height = 6
+
+        properties = {
+          metrics = [
+            ["AWS/ECS",
+              "CPUUtilization",
+              "ClusterName", local.clustername,
+              "ServiceName", local.servicename,
+              { "stat" : "Average",
+            "region" : var.aws_region }]
+          ]
+          view    = "timeSeries"
+          stacked = false
+          region  = var.aws_region
+          title   = "CPUUtilization: Average"
+          period  = 300
+        }
+      },
+      {
+        type   = "metric"
+        x      = 12
+        y      = 0
+        width  = 12
+        height = 6
+
+        properties = {
+          metrics = [
+            ["AWS/ECS",
+              "MemoryUtilization",
+              "ClusterName", local.clustername,
+              "ServiceName", local.servicename,
+            { "stat" : "Average", "region" : var.aws_region }]
+          ]
+          view    = "timeSeries"
+          stacked = false
+          region  = var.aws_region
+          title   = "MemoryUtilization: Average"
+          period  = 300
+        }
+      }
+    ]
+  })
+}

auth-manager/db.tf

@@ -1,6 +1,8 @@
 resource "aws_db_subnet_group" "auth_manager_db_cluster_subnet_group" {
   name       = "auth-manager-db-cluster-group"
   subnet_ids = [aws_subnet.auth_manager_db_a.id, aws_subnet.auth_manager_db_b.id]
+
+  tags = var.auth_manager_svc_tags
 }
 
 data "aws_secretsmanager_secret_version" "auth_manager_database_password" {

auth-manager/outputs.tf

@@ -0,0 +1,4 @@
+output "private_lb_rule_suffix" {
+  description = "auth manager Private Loadbalancer Rule Suffix"
+  value       = aws_lb_target_group.auth_manager_private_tg.arn_suffix
+}

auth-manager/policies.tf

@@ -0,0 +1,24 @@
+resource "aws_iam_policy" "auth_manager_secrets_access" {
+  name        = "auth_manager-secrets-access-policy"
+  description = "Policy that gives access to the auth_manager service secrets"
+
+  policy = <<-EOT
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "ssm:GetParameters",
+          "secretsmanager:GetSecretValue"
+        ],
+        "Resource": [
+          "${var.auth_manager_secrets_arn}"
+        ]
+      }
+    ]
+  }
+  EOT
+}
+
+

auth-manager/security-groups.tf

@@ -0,0 +1,34 @@
+resource "aws_security_group" "auth_manager_sg" {
+  vpc_id = var.vpc_id
+
+  name        = "main_auth_manager_sg"
+  description = "main security group for auth manager database"
+
+  ingress {
+    description = "Allow Postgres access from the VPC"
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.allowed_source_ip_cidr_blocks
+  }
+
+  tags = var.auth_manager_svc_tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "main_subnet_ingress" {
+  security_group_id = aws_security_group.acc_sg.id
+  description       = "Allow everything incoming from the VPC"
+  ip_protocol       = -1
+  cidr_ipv4         = data.aws_vpc.main.cidr_block
+  from_port         = -1
+  to_port           = -1
+}
+
+resource "aws_vpc_security_group_egress_rule" "main_subnet_egress" {
+  security_group_id = aws_security_group.acc_sg.id
+  description       = "Allow everything outgoing"
+  ip_protocol       = -1
+  cidr_ipv4         = "0.0.0.0/0"
+  from_port         = -1
+  to_port           = -1
+}