Add IaC definitions

spacelift-io · Aug 20, 2023 · 0f3f0eb · 0f3f0eb
1 parent 143bb6e
commit 0f3f0eb
Show file tree

Hide file tree

Showing 8 changed files with 163 additions and 0 deletions.
diff --git a/iac/api_secret.tf b/iac/api_secret.tf
@@ -0,0 +1,5 @@
+resource "aws_ssm_parameter" "spacelift_api_key_secret" {
+  name = "/ec2-autoscaler/spacelift-api-secret-${var.worker_pool_id}"
+  type = "SecureString"
+  value = var.spacelift_api_key_secret
+}
diff --git a/iac/aws.tf b/iac/aws.tf
@@ -0,0 +1,3 @@
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_region" "current" {}
diff --git a/iac/download.sh b/iac/download.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+set -ex
+
+# Download the data.
+code_version=$1
+local_path=$2
+
+curl -L -o $local_path https://github.com/spacelift-io/ec2-workerpool-autoscaler/releases/download/v${code_version}/ec2-workerpool-autoscaler_${code_version}_linux_amd64.zip
+
+source_code_hash=$(openssl dgst -binary -sha256 $local_path | openssl base64 -A)
+
+echo "{\"source_code_hash\": \"${source_code_hash}\"}"
diff --git a/iac/lambda.tf b/iac/lambda.tf
@@ -0,0 +1,32 @@
+data "external" "package" {
+  program = [
+    "${path.module}/download.sh",
+    local.code_version,
+    local.package_path,
+  ]
+}
+
+resource "aws_lambda_function" "test_lambda" {
+  filename         = local.package_path
+  source_code_hash = data.external.package.result.source_code_hash
+  function_name    = "ec2-autoscaler-${var.worker_pool_id}"
+  role             = aws_iam_role.lambda.arn
+  handler          = "ec2-workerpool-autoscaler_v${var.autoscaler_version}"
+
+  runtime = "go1.x"
+
+  environment {
+    variables = {
+      AUTOSCALING_GROUP_ARN         = var.autoscaling_group_arn
+      AUTOSCALING_REGION            = data.aws_region.current.name
+      SPACELIFT_API_KEY_ID          = var.spacelift_api_key_id
+      SPACELIFT_API_KEY_SECRET_NAME = aws_ssm_parameter.spacelift_api_key_secret.name
+      SPACELIFT_API_KEY_ENDPOINT    = var.spacelift_url
+      SPACELIFT_WORKER_POOL_ID      = var.worker_pool_id
+    }
+  }
+
+  tracing_config {
+    mode = "Active"
+  }
+}
diff --git a/iac/logging.tf b/iac/logging.tf
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "log_group" {
+  name              = "/aws/lambda/${aws_lambda_function.test_lambda.function_name}"
+  retention_in_days = 7
+}
diff --git a/iac/policy.tf b/iac/policy.tf
@@ -0,0 +1,69 @@
+data "aws_iam_policy_document" "lambda_policy" {
+  # Allow the Lambda to write CloudWatch Logs.
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["${aws_cloudwatch_log_group.log_group.arn}/*"]
+  }
+
+  # Allow the Lambda to put X-Ray traces.
+  statement {
+    effect = "Allow"
+    actions = [
+      "xray:PutTraceSegments",
+      "xray:PutTelemetryRecords",
+    ]
+
+    resources = ["*"]
+  }
+
+  # Allow the Lambda to DescribeAutoScalingGroups, DetachInstances and SetDesiredCapacity
+  # on the AutoScalingGroup.
+  statement {
+    effect = "Allow"
+    actions = [
+      "autoscaling:DetachInstances",
+      "autoscaling:SetDesiredCapacity",
+    ]
+
+    resources = [var.autoscaling_group_arn]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["autoscaling:DescribeAutoScalingGroups"]
+    resources = ["*"]
+  }
+
+  # Allow the Lambda to DescribeInstances and TerminateInstances on the EC2 instances.
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeInstances",
+      "ec2:TerminateInstances",
+    ]
+
+    resources = ["*"]
+  }
+
+  # Allow the Lambda to read the secret from SSM Parameter Store.
+  statement {
+    effect    = "Allow"
+    actions   = ["ssm:GetParameter"]
+    resources = [aws_ssm_parameter.spacelift_api_key_secret.arn]
+  }
+}
+
+resource "aws_iam_role" "lambda" {
+  name               = "ec2-autoscaler-${var.worker_pool_id}"
+  assume_role_policy = data.aws_iam_policy_document.assume_lambda_role.json
+
+  inline_policy {
+    name   = "ec2-autoscaler-${var.worker_pool_id}"
+    policy = data.aws_iam_policy_document.lambda_policy.json
+  }
+}
diff --git a/iac/providers.tf b/iac/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}
diff --git a/iac/variables.tf b/iac/variables.tf
@@ -0,0 +1,30 @@
+variable "autoscaling_group_arn" {
+  type        = string
+  description = "ARN of the Spacelift worker pool's autoscaling group"
+}
+
+variable "autoscaler_version" {
+  type        = string
+  description = "Version of the autoscaler to deploy"
+}
+
+variable "spacelift_api_key_id" {
+  type        = string
+  description = "ID of the Spacelift API key to use"
+}
+
+variable "spacelift_api_key_secret" {
+  type        = string
+  sensitive   = true
+  description = "Secret corresponding to the Spacelift API key to use"
+}
+
+variable "spacelift_url" {
+  type        = string
+  description = "Full URL of the Spacelift API endpoint to use, eg. https://demo.app.spacelift.io"
+}
+
+variable "worker_pool_id" {
+  type        = string
+  description = "ID of the Spacelift worker pool to autoscale"
+}