Metaco Harmonize Trusted Components Terraform Scripts for AWS ECS

This project simplifies the creation and update of an AWS ECS on Fargate deployment hosting the Harmonize Trusted Components with a software HMZ KMS provider.

Contact our Customer Success team for information on the software HMZ KMS provider.

Architecture

The Terraform scripts deploy the following Harmonize Trusted Components over AWS ECS:

[Figure: AWS Architecture diagram]

Required Dependencies

To get started, install all required dependencies on the host machine.

Check versions

To check the Terraform version, run terraform version:

Example output:

Terraform v1.6.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.26.0
+ provider registry.terraform.io/hashicorp/random v2.3.2

Initialize the Terraform scripts:

terraform init

Local configuration

The Terraform scripts use two configuration files:

  • .env file (for AWS credentials)
  • terraform.tfvars file (for deployment parameters)

Copy the provided sample configuration files:

cp .env.sample .env
cp terraform.tfvars.sample terraform.tfvars

AWS Login

AWS Credentials

Fill the environment variables file with your AWS account credentials:

export AWS_ACCESS_KEY_ID='<YOUR_AWS_ACCESS_KEY_ID>'
export AWS_SECRET_ACCESS_KEY='<YOUR_AWS_SECRET_ACCESS_KEY>'

The official AWS IAM documentation provides detailed steps to create an AWS Access Key. An AWS Access Key can be created for the root user by following this documentation.

AWS SSO Login

aws sso login --profile "<YOUR_AWS_ACCOUNT_NAME>"
export AWS_PROFILE="<YOUR_AWS_ACCOUNT_NAME>"

Ripple Custody Container Registry Credentials

Retrieve the provided Metaco Container Registry credentials (user and password) and fill them into the terraform.tfvars file.

Harmonize Version

The OCI (Open Container Initiative) tags MUST be provided in the terraform.tfvars file for the following HMZ Trusted Components:

  • Harmonize KMS Connect
  • Harmonize Notary
  • Harmonize Vault

Harmonize SaaS instance endpoints

Retrieve the provided dedicated Harmonize endpoint:

  • Harmonize Core API endpoint (for the Vault)
  • Harmonize Notary Bridge endpoint (for the Notary)

The terraform.tfvars file MUST be filled with those values.
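The following pre-flight check script is an added example and is not part of the original Terraform scripts. It validates the two configuration files described above before terraform plan is run: the .env file must carry both AWS credentials with the sample placeholders replaced, and terraform.tfvars must define every input the Inputs table marks as required. It assumes the files are in the current directory (override with ENV_FILE and TFVARS_FILE), that tfvars values are written as key = "value", and that the HMZ KMS Connect software master key is 64 hexadecimal characters (32 bytes), which is the length of the example value given in the Inputs table.

```shell
#!/bin/sh
# Pre-flight check for the Harmonize ECS Terraform configuration files.
# Added example, not part of the original project. Assumptions: files live in
# the working directory, tfvars entries look like key = "value", and the
# software master key is 64 hex characters (length of the README's example).

ENV_FILE="${ENV_FILE:-.env}"
TFVARS_FILE="${TFVARS_FILE:-terraform.tfvars}"

# Inputs listed with Required = yes in the README's Inputs table.
REQUIRED_TFVARS="aws_region hmz_kms_oci_tag hmz_notary_oci_tag hmz_vault_oci_tag \
hmz_metaco_container_registry_user hmz_metaco_container_registry_password \
hmz_notary_bridge_http_endpoint hmz_vault_harmonize_core_endpoint"

# True when the value still looks like an unreplaced sample placeholder, e.g. <YOUR_AWS_ACCESS_KEY_ID>.
is_placeholder() {
  case "$1" in
    *'<'*'>'*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the value is exactly 64 hexadecimal characters.
is_hex_master_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Print the double-quoted value of key $2 from tfvars file $1 (empty if absent).
tfvar_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\(.*\\)\".*\$/\\1/p" "$1" | head -n 1
}

# Print the single-quoted value of export $2 from .env file $1 (empty if absent).
env_value() {
  sed -n "s/^export $2='\\(.*\\)'.*\$/\\1/p" "$1" | head -n 1
}

# Return 0 when both AWS credential variables are set and not placeholders.
check_env() {
  ok=0
  for key in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    value=$(env_value "$1" "$key")
    if [ -z "$value" ] || is_placeholder "$value"; then
      echo "$1: $key is missing or still a placeholder" >&2
      ok=1
    fi
  done
  return "$ok"
}

# Return 0 when all required inputs are present and the master key (if set) is well-formed.
check_tfvars() {
  ok=0
  for key in $REQUIRED_TFVARS; do
    value=$(tfvar_value "$1" "$key")
    if [ -z "$value" ] || is_placeholder "$value"; then
      echo "$1: required input $key is missing or still a placeholder" >&2
      ok=1
    fi
  done
  master_key=$(tfvar_value "$1" hmz_kms_connect_software_master_key)
  if [ -n "$master_key" ] && ! is_hex_master_key "$master_key"; then
    echo "$1: hmz_kms_connect_software_master_key is not 64 hex characters" >&2
    ok=1
  fi
  return "$ok"
}

# Run both checks; exit non-zero if either fails so a CI step can gate terraform plan on it.
preflight() {
  check_env "$ENV_FILE" && check_tfvars "$TFVARS_FILE"
}

if [ "${1-}" = "--run" ]; then
  preflight && echo "configuration files look complete"
fi
```

Run it as sh preflight.sh --run from the directory containing .env and terraform.tfvars; it prints each missing or placeholder value to stderr and exits non-zero so the check can sit in front of terraform plan in a pipeline.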

Harmonize Vault Config

For each Harmonize Vault instance, fill the values:

  • Vault ID
  • Vault Log Level
  • Vault Bridge Log Level
  • Vault Trusted Notary Messaging Public Key (retrieved after Genesis is executed successfully)

Notary Message Public Key retrieval

First, apply the Genesis against the Harmonize API (HTTP POST request to /v1/genesis):

curl -s \
    --location -g \
    --request POST "$HMZ_URL_API/v1/genesis" \
    --header 'Content-Type: application/json' \
    --data @"$FILE_NAME_GENESIS_CONFIG_JSON"

Then, after a successful Genesis application, fetch the Notary Messaging Public Key from the Harmonize API:

curl \
    --location -g \
    --request GET \
    --url "$HMZ_URL_API/internal/v1/system/information"
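The script below is an added example, not part of the original project, that chains the two curl calls above and turns the response into the value expected by the hmz_vault_trusted_notary_messaging_public_key input (the Inputs table states this is VAULT_TRUSTED_SIG without the leading 'pem:'). It assumes HMZ_URL_API and FILE_NAME_GENESIS_CONFIG_JSON are exported as in the commands above, and, since the README does not document the JSON field name, it takes the first string value in the system-information response that starts with "pem:"; the field name used in the sample response is constructed.

```shell
#!/bin/sh
# Genesis application and Notary Messaging Public Key retrieval.
# Added example, not part of the original project. Assumes HMZ_URL_API and
# FILE_NAME_GENESIS_CONFIG_JSON are exported; the key is located as the first
# JSON string value beginning with "pem:" because the field name is not
# documented in the README.
set -u

# Drop the 'pem:' prefix; a value without the prefix is printed unchanged.
strip_pem_prefix() {
  printf '%s\n' "${1#pem:}"
}

# Print the first JSON string value starting with "pem:" from a response body.
# Prints nothing and returns 1 when no such value exists.
extract_pem_value() {
  value=$(printf '%s' "$1" | grep -o '"pem:[^"]*"' | head -n 1 | tr -d '"')
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# Convert a system-information response body into the tfvars value.
notary_key_from_response() {
  pem=$(extract_pem_value "$1") || return 1
  strip_pem_prefix "$pem"
}

# POST the genesis configuration. --fail makes curl exit non-zero on an HTTP
# error so a rejected genesis is not silently followed by the GET.
apply_genesis() {
  curl -sS --fail --location -g \
    --request POST "$HMZ_URL_API/v1/genesis" \
    --header 'Content-Type: application/json' \
    --data @"$FILE_NAME_GENESIS_CONFIG_JSON"
}

# GET the system information that lists the Notary Messaging Public Key.
fetch_system_information() {
  curl -sS --fail --location -g \
    --request GET --url "$HMZ_URL_API/internal/v1/system/information"
}

if [ "${1-}" = "--run" ]; then
  apply_genesis >/dev/null
  body=$(fetch_system_information)
  key=$(notary_key_from_response "$body") || {
    echo "no pem: value found in system information response" >&2
    exit 1
  }
  # Printed in tfvars syntax so it can be pasted into terraform.tfvars.
  echo "hmz_vault_trusted_notary_messaging_public_key = \"$key\""
fi
```

Run it as sh notary-key.sh --run; the last line is the tfvars assignment ready to paste. Re-running the genesis step on an already initialised instance is up to the Harmonize API's own behaviour, so keep the apply_genesis call separate from the fetch if only the key needs refreshing.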

Requirements

| Name | Version |
|------|---------|
| aws | >= 5.25.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.33.0 |
| random | 3.6.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| notary | ./modules/notary | n/a |
| vault | ./modules/vault | n/a |
| vpc | ./modules/vpc | n/a |

Resources

| Name | Type |
|------|------|
| aws_ecs_cluster.cluster | resource |
| aws_iam_role.ecs_task_role_for_hmz_trusted_components | resource |
| aws_iam_role_policy_attachment.ecs_task_execution_role_policy | resource |
| aws_secretsmanager_secret.hmz_oci_registry_credentials | resource |
| aws_secretsmanager_secret_version.hmz_oci_registry_credentials | resource |
| aws_security_group.ecs_https_egress | resource |
| random_pet.random_name | resource |
| aws_ecs_cluster.aws_ecs_cluster_for_hmz_trusted_components | data source |
| aws_secretsmanager_secret.hmz_oci_registry_credentials | data source |
| aws_security_group.hmz_trusted_components_sg | data source |
| aws_subnet.hmz_trusted_components_subnet | data source |
| aws_vpc.aws_vpc_hmz_trusted_components | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_cloud_watch_logs_group | AWS CloudWatch Logs Group | string | "" | no |
| aws_cloud_watch_logs_region | AWS CloudWatch Logs Region | string | "" | no |
| aws_cloud_watch_logs_stream_prefix | AWS CloudWatch Logs Stream Prefix | string | "" | no |
| aws_ecs_cluster_name | AWS ECS Cluster Name | string | "" | no |
| aws_enable_vpc_creation | Set this flag to true to enable AWS VPC Creation | bool | false | no |
| aws_region | The AWS region where Cloud resources will be deployed | string | n/a | yes |
| aws_resource_tags | A map of labels to be applied to the resource ('Name' or 'name' keys excluded). | map(string) | {} | no |
| aws_secrets_manager_arn_for_hmz_oci_registry_credentials | AWS Secrets Manager Secret ARN for Harmonize OCI registry credentials | string | "" | no |
| aws_security_group_id | AWS Security Group ID | string | "" | no |
| aws_subnet_id | AWS Subnet ID | string | "" | no |
| aws_vpc_id | AWS VPC ID for Security Group HMZ Notary Anti-Rewind file | string | "" | no |
| hmz_kms_connect_software_master_key | HMZ KMS Connect Software Master Key (hexadecimal). (Environment Variable HMZ_KMS_CONNECT_SOFTWARE_MASTER_KEY, e.g. HMZ_KMS_CONNECT_SOFTWARE_MASTER_KEY='79acc37afb7b2e0da4afb3a350ce49b73a24555431b0211dbf0bf93886c0fbff') | string | "" | no |
| hmz_kms_container_registry_password | HMZ KMS Connect Container Registry Password | string | null | no |
| hmz_kms_container_registry_user | HMZ KMS Connect Container Registry User | string | null | no |
| hmz_kms_oci_image | HMZ KMS Connect OCI Image | string | "metaco.azurecr.io/harmonize/kms-soft" | no |
| hmz_kms_oci_tag | HMZ KMS Connect OCI Tag | string | n/a | yes |
| hmz_metaco_container_registry_password | Metaco Container Registry Password | string | n/a | yes |
| hmz_metaco_container_registry_user | Metaco Container Registry User | string | n/a | yes |
| hmz_notary_bridge_http_endpoint | Harmonize Notary bridge API endpoint | string | n/a | yes |
| hmz_notary_cols_dir | HMZ Notary storage folder of the Anti-Rewind File (Environment Variable HMZ_NOTARY_COLS_DIR) | string | "/data/anti-rewind" | no |
| hmz_notary_container_registry_password | HMZ Notary Container Registry Password | string | null | no |
| hmz_notary_container_registry_user | HMZ Notary Container Registry User | string | null | no |
| hmz_notary_enabled | Set this flag to true to enable Notary instance deployment. | bool | false | no |
| hmz_notary_grpc_enabled | Enables gRPC communication with the Notary Bridge | bool | false | no |
| hmz_notary_hc_tracing_enabled | HMZ Notary enables or disables Health Check Tracing (Environment Variable HMZ_HC_TRACING_ENABLED) | bool | false | no |
| hmz_notary_http_enabled | Enables HTTP communication with the Notary Bridge | bool | true | no |
| hmz_notary_kms_grpc_keep_alive_interval | HMZ Notary gRPC connection to KMS Connect: keep-alive interval in seconds | number | 10 | no |
| hmz_notary_kms_grpc_keep_alive_timeout | HMZ Notary gRPC connection to KMS Connect: keep-alive timeout in seconds | number | 10 | no |
| hmz_notary_log_level | HMZ Notary Logging level | string | "INFO" | no |
| hmz_notary_oci_image | HMZ Notary OCI Image | string | "metaco.azurecr.io/harmonize/approval-notary" | no |
| hmz_notary_oci_tag | HMZ Notary OCI Tag | string | n/a | yes |
| hmz_notary_open_telemetry_type | HMZ Notary type of Telemetry (Environment Variable HMZ_OPEN_TELEMETRY_TYPE) | string | "disabled" | no |
| hmz_notary_otel_sdk_disabled | HMZ Notary enables or disables Open Telemetry SDK (Environment Variable OTEL_SDK_DISABLED) | bool | true | no |
| hmz_notary_state_manifest_file_path | Path to manifest.json file that contains the Anti-Rewind state manifest | string | "manifest.json" | no |
| hmz_notary_state_manifest_signature | HMZ Notary Anti-Rewind state manifest signature (Disaster Recovery Procedure) | string | "" | no |
| hmz_vault_container_registry_password | HMZ Vault Container Registry Password | string | null | no |
| hmz_vault_container_registry_user | HMZ Vault Container Registry User | string | null | no |
| hmz_vault_harmonize_core_endpoint | HMZ Vault Environment Variable HARMONIZE_CORE_ENDPOINT (Vault Core Endpoint) | string | n/a | yes |
| hmz_vault_harmonize_core_no_proxy_address | HMZ Vault Environment Variable HARMONIZE_CORE_NO_PROXY_ADDRESS | string | "" | no |
| hmz_vault_harmonize_core_proxy_address | HMZ Vault Environment Variable HARMONIZE_CORE_PROXY_ADDRESS | string | "" | no |
| hmz_vault_oci_image | HMZ Vault OCI Image | string | "metaco.azurecr.io/harmonize/vault-releases" | no |
| hmz_vault_oci_tag | HMZ Vault OCI Tag | string | n/a | yes |
| hmz_vault_trusted_notary_messaging_public_key | System (Notary) public key, which is listed as part of the first system event confirming the genesis execution (Environment Variable VAULT_TRUSTED_SIG, without the 'pem:' at the beginning). | string | "" | no |
| vaults | List of Ripple Custody Vault instances. | list(object({ hmz_vault_id = string, hmz_vault_log_level = number, hmz_vault_bridge_log_level = number, hmz_vault_feature_otlp_in_stdout = bool, hmz_vault_optional_maximum_fee = bool })) | [] | no |

Outputs

No outputs.