fix: added cloudwatch capabilities to ec2 instances

feat: separated egress and ingress into separate resources
2025-01-11 22:12:58 -05:00 · 2025-01-11 18:23:24 -05:00
6 changed files with 80 additions and 85 deletions
--- a/gitea/custom/conf/app.ini
+++ b/gitea/custom/conf/app.ini
@@ -37,6 +37,8 @@ DB_TYPE = sqlite3
 [session]
 PROVIDER_CONFIG = /var/lib/gitea/data/sessions
 PROVIDER = file
+GC_INTERVAL_TIME = 86400
+SESSION_LIFE_TIME = 86400

 [picture]
 AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
--- a/playbooks/gitea/deployment.yml
+++ b/playbooks/gitea/deployment.yml
@@ -31,25 +31,6 @@
        path: /root/image.tar.xz
      register: image

-    - name: Fetch repository.
-      amazon.aws.s3_object:
-        mode: get
-        bucket: "{{ boot_bucket }}"
-        object: "{{ boot_key }}"
-        dest: /root/boot.tar.xz
-
-        region: "{{ aws_region }}"
-        access_key: "{{ aws_access_key }}"
-        secret_key: "{{ aws_secret_key }}"
-
-    - name: Unarchive image.
-      ansible.builtin.unarchive:
-        src: /root/boot.tar.xz
-        remote_src: true
-        dest: /root
-        group: 1000
-        owner: 1000
-
    - name: Run image.
      community.docker.docker_container:
        name: server
@@ -57,6 +38,8 @@
        state: started
        recreate: true
        restart_policy: unless-stopped
+        memory: 425m
+        memory_swap: 900m
        ports: [80:80, 2222:2222]
        env:
          GITEA__security__INTERNAL_TOKEN: "{{ internal_secret }}"
--- a/terraform/compute.tf
+++ b/terraform/compute.tf
@@ -24,6 +24,12 @@ resource "aws_iam_instance_profile" "ssm" {
  role = "AmazonSSMRoleForInstancesQuickSetup"
 }

+# An instance profile for access via AWS SSM.
+resource "aws_iam_instance_profile" "ssm_cloud" {
+  name = "SSMAndCloudProfile"
+  role = aws_iam_role.ec2_role.name
+}
+
 # An elastic IP, so if the reverse proxy is modified, the route tables won't.
 resource "aws_eip" "public" {
  instance = aws_instance.public.id
@@ -37,7 +43,9 @@ resource "aws_instance" "public" {
  instance_type          = "t4g.nano"
  subnet_id              = module.vpc.public_subnets[0]
  vpc_security_group_ids = [aws_security_group.public_access.id]
-  user_data              = file("install.sh")
+
+  user_data                   = file("install.sh")
+  user_data_replace_on_change = true

  iam_instance_profile = aws_iam_instance_profile.ssm.name

@@ -57,9 +65,11 @@ resource "aws_instance" "private" {
  ami           = "ami-0adec96dc0cdc7bca"
  instance_type = "t4g.nano"
  subnet_id     = module.vpc.private_subnets[0]
-  user_data     = file("install.sh")

-  iam_instance_profile = aws_iam_instance_profile.ssm.name
+  user_data                   = file("install.sh")
+  user_data_replace_on_change = true
+
+  iam_instance_profile = aws_iam_instance_profile.ssm_cloud.name

  root_block_device {
    volume_type = "gp3"
@@ -77,7 +87,9 @@ resource "aws_instance" "runner" {
  ami           = "ami-0adec96dc0cdc7bca"
  instance_type = "t4g.nano"
  subnet_id     = module.vpc.private_subnets[0]
-  user_data     = file("install.sh")
+
+  user_data                   = file("install.sh")
+  user_data_replace_on_change = true

  iam_instance_profile = aws_iam_instance_profile.ssm.name

--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -29,3 +29,41 @@ resource "aws_iam_user_policy_attachment" "attachment" {
 resource "aws_iam_access_key" "gitea_boot_key" {
  user = aws_iam_user.gitea_boot_user.name
 }
+
+# ---------------------------------------------------------------------------- #
+
+data "aws_iam_policy" "AmazonSSMManagedInstanceCore" {
+  name = "AmazonSSMManagedInstanceCore"
+}
+
+data "aws_iam_policy" "CloudWatchAgentServerPolicy" {
+  name = "CloudWatchAgentServerPolicy"
+}
+
+data "aws_iam_policy_document" "ec2_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "ec2_role" {
+  name               = "EC2Role"
+  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "cloud_watch_attach" {
+  for_each = toset([
+    data.aws_iam_policy.AmazonSSMManagedInstanceCore.arn,
+    data.aws_iam_policy.CloudWatchAgentServerPolicy.arn
+  ])
+
+  role       = aws_iam_role.ec2_role.name
+  policy_arn = each.key
+}
--- a/terraform/install.sh
+++ b/terraform/install.sh
@@ -11,9 +11,10 @@ usermod -a -G docker ssm-user
 ln -sf /usr/bin/python3.8 /usr/bin/python3
 ln -sf /usr/bin/pip3.8 /usr/bin/pip3
 pip3 install botocore boto3 requests
+python3 -m pip install -U pip

 # Add some swap space.
-sudo dd if=/dev/zero of=/swapfile bs=128M count=8
-sudo chmod 600 /swapfile
-sudo mkswap /swapfile
-sudo swapon /swapfile
+dd if=/dev/zero of=/swapfile bs=128M count=8
+chmod 600 /swapfile
+mkswap /swapfile
+swapon /swapfile
--- a/terraform/network.tf
+++ b/terraform/network.tf
@@ -19,69 +19,28 @@ module "vpc" {
 # Only allow HTTP(s) and SSH traffic. Allow full access to internet.
 resource "aws_security_group" "public_access" {
  vpc_id = module.vpc.vpc_id
+}

-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_vpc_security_group_ingress_rule" "ingress" {
+  for_each = toset(["80", "443", "22", "2222", "81", "8080", "4321", "1234"])

-  ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  security_group_id = aws_security_group.public_access.id

-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  from_port   = each.value
+  to_port     = each.value
+  ip_protocol = "tcp"
+  cidr_ipv4   = "0.0.0.0/0"
+}

-  ingress {
-    from_port   = 2222
-    to_port     = 2222
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_vpc_security_group_egress_rule" "egress" {
+  for_each = toset(["-1"])

-  ingress {
-    from_port   = 81
-    to_port     = 81
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  security_group_id = aws_security_group.public_access.id

-  ingress {
-    from_port   = 8080
-    to_port     = 8080
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    from_port   = 4321
-    to_port     = 4321
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    from_port   = 1234
-    to_port     = 1234
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  from_port   = each.value
+  to_port     = each.value
+  ip_protocol = "-1"
+  cidr_ipv4   = "0.0.0.0/0"
 }

 # Give the private subnet full access to the internet, too.
@@ -99,4 +58,4 @@ module "fck-nat" {
  tags = {
    Name = "Codebase: Nat"
  }
-}
+}
Author	SHA1	Message	Date
Max	7e88fd8890	fix: added cloudwatch capabilities to ec2 instances	2025-01-11 22:12:58 -05:00
Max	d9dd1a2a7e	feat: separated egress and ingress into separate resources	2025-01-11 18:23:24 -05:00