openbraininstitute · bilalesi · Oct 22, 2025 · Oct 26, 2025 · Oct 28, 2025 · Oct 29, 2025
@@ -0,0 +1,43 @@
+resource "aws_lb_target_group" "auth_manager_private_tg" {
+  #ts:skip=AC_AWS_0492
+  name        = "auth-manager-private"
+  port        = 8000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = var.vpc_id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  health_check {
+    enabled  = true
+    path     = "${var.root_path}/health"
+    protocol = "HTTP"
+  }
+
+  tags = var.auth_manager_svc_tags
+}
+
+resource "aws_lb_listener_rule" "auth_manager_private_listener_rule" {
+  listener_arn = var.private_alb_listener_arn
+  priority     = 612
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.auth_manager_private_tg.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["${var.root_path}*"]
+    }
+  }
+
+  condition {
+    source_ip {
+      values = var.allowed_source_ip_cidr_blocks
+    }
+  }
+  tags = var.auth_manager_svc_tags
+}
@@ -0,0 +1,58 @@
+locals {
+  clustername = "auth_manager_ecs_cluster"
+  servicename = "auth_manager_ecs_service"
+}
+
+resource "aws_cloudwatch_dashboard" "main" {
+  dashboard_name = "auth_manager"
+
+  dashboard_body = jsonencode({
+    widgets = [
+      {
+        type   = "metric"
+        x      = 0
+        y      = 0
+        width  = 12
+        height = 6
+
+        properties = {
+          metrics = [
+            ["AWS/ECS",
+              "CPUUtilization",
+              "ClusterName", local.clustername,
+              "ServiceName", local.servicename,
+              { "stat" : "Average",
+            "region" : var.aws_region }]
+          ]
+          view    = "timeSeries"
+          stacked = false
+          region  = var.aws_region
+          title   = "CPUUtilization: Average"
+          period  = 300
+        }
+      },
+      {
+        type   = "metric"
+        x      = 12
+        y      = 0
+        width  = 12
+        height = 6
+
+        properties = {
+          metrics = [
+            ["AWS/ECS",
+              "MemoryUtilization",
+              "ClusterName", local.clustername,
+              "ServiceName", local.servicename,
+            { "stat" : "Average", "region" : var.aws_region }]
+          ]
+          view    = "timeSeries"
+          stacked = false
+          region  = var.aws_region
+          title   = "MemoryUtilization: Average"
+          period  = 300
+        }
+      }
+    ]
+  })
+}
@@ -0,0 +1,52 @@
+resource "aws_db_subnet_group" "auth_manager_db_cluster_subnet_group" {
+  name       = "auth-manager-db-cluster-group"
+  subnet_ids = [aws_subnet.auth_manager_db_a.id, aws_subnet.auth_manager_db_b.id]
+
+  tags = var.auth_manager_svc_tags
+}
+
+data "aws_secretsmanager_secret_version" "auth_manager_database_password" {
+  secret_id = var.auth_manager_secrets_arn
+}
+
+# tfsec:ignore:aws-rds-enable-performance-insights-encryption
+resource "aws_db_instance" "auth_manager" {
+  #ts:skip=AC_AWS_0053
+  #ts:skip=AC_AWS_0454
+  #ts:skip=AC_AWS_0058
+
+  engine                      = "postgres"
+  engine_version              = "17"
+  allow_major_version_upgrade = true
+  multi_az                    = true
+  instance_class              = "db.t3.small"
+
+  deletion_protection = true #tfsec:ignore:AVD-AWS-0177
+  allocated_storage   = 10   # in gigabytes
+
+  backup_retention_period = 14 # in days
+  backup_window           = "01:00-02:00"
+  maintenance_window      = "sun:05:00-sun:06:00"
+
+  db_subnet_group_name = aws_db_subnet_group.auth_manager_db_cluster_subnet_group.name
+
+  identifier = "auth-manager"
+  db_name    = var.db_name
+  username   = var.db_username
+  password   = jsondecode(data.aws_secretsmanager_secret_version.auth_manager_database_password.secret_string)["DATABASE_PASSWORD"]
+
+  publicly_accessible          = false
+  performance_insights_enabled = true
+  storage_encrypted            = false #tfsec:ignore:aws-rds-encrypt-instance-storage-data
+
+  vpc_security_group_ids = [aws_security_group.auth_manager_sg.id]
+
+  iam_database_authentication_enabled = false
+
+  copy_tags_to_snapshot = true
+
+  tags = {
+    Name            = "auth-manager-db"
+    obi_backup_plan = "obi_plan"
+  }
+}
@@ -0,0 +1,4 @@
+output "private_lb_rule_suffix" {
+  description = "auth manager Private Loadbalancer Rule Suffix"
+  value       = aws_lb_target_group.auth_manager_private_tg.arn_suffix
+}
@@ -0,0 +1,24 @@
+resource "aws_iam_policy" "auth_manager_secrets_access" {
+  name        = "auth_manager-secrets-access-policy"
+  description = "Policy that gives access to the auth_manager service secrets"
+
+  policy = <<-EOT
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "ssm:GetParameters",
+          "secretsmanager:GetSecretValue"
+        ],
+        "Resource": [
+          "${var.auth_manager_secrets_arn}"
+        ]
+      }
+    ]
+  }
+  EOT
+}
+
+
@@ -0,0 +1,34 @@
+resource "aws_security_group" "auth_manager_sg" {
+  vpc_id = var.vpc_id
+
+  name        = "main_auth_manager_sg"
+  description = "main security group for auth manager database"
+
+  ingress {
+    description = "Allow Postgres access from the VPC"
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.allowed_source_ip_cidr_blocks
+  }
+
+  tags = var.auth_manager_svc_tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "main_subnet_ingress" {
+  security_group_id = aws_security_group.auth_manager_sg.id
+  description       = "Allow everything incoming from the VPC"
+  ip_protocol       = -1
+  cidr_ipv4         = data.aws_vpc.main.cidr_block
+  from_port         = -1
+  to_port           = -1
+}
+
+resource "aws_vpc_security_group_egress_rule" "main_subnet_egress" {
+  security_group_id = aws_security_group.auth_manager_sg.id
+  description       = "Allow everything outgoing"
+  ip_protocol       = -1
+  cidr_ipv4         = "0.0.0.0/0"
+  from_port         = -1
+  to_port           = -1
+}