Mike/ShieldAI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix 3 Code Review findings on FRE-4574

Browse Source 
- P2: Replace wget with curl for ECS health check (Alpine lacks wget)
- P2: Add AWS credentials step to CI terraform-plan job for S3 backend auth
- P3: Remove unused GitHub provider from infra/main.tf

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Michael Freno
2026-05-10 07:09:39 -04:00
parent b391338d5b
commit 7b925c89bd
31 changed files with 685 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
infra/load-tests/src/darkwatch.js
View File

@@ -2,9 +2,6 @@ import http from 'k6/http';
import { check, group } from 'k6';
import { Rate } from 'k6/metrics';
// Custom metrics
const errorRate = new Rate('errors');
// Test configuration
export const options = {
stages: [
@@ -32,7 +29,6 @@ export default function () {
'watchlist GET status is 200': (r) => r.status === 200,
'watchlist GET P99 < 100ms': (r) => r.timings.duration < 100,
});
errorRate.add(watchlistRes.status !== 200);
// POST /watchlist
const newItemRes = http.post(
@@ -46,14 +42,11 @@ export default function () {
}
);
check(newItemRes, {
check(newItemRes, {
'watchlist POST status is 201': (r) => r.status === 201,
'watchlist POST P99 < 200ms': (r) => r.timings.duration < 200,
});
errorRate.add(newItemRes.status !== 201);
});
group('Scan Operations', function () {
// POST /scan
const scanRes = http.post(
`${BASE_URL}/scan`,
@@ -67,21 +60,17 @@ export default function () {
'scan POST status is 200': (r) => r.status === 200,
'scan POST P99 < 150ms': (r) => r.timings.duration < 150,
});
errorRate.add(scanRes.status !== 200);
// GET /scan/schedule
const scheduleRes = http.get(`${BASE_URL}/scan/schedule`, {
headers: { 'Authorization': `Bearer ${getAuthToken()}` },
});
check(scheduleRes, {
check(scheduleRes, {
'schedule GET status is 200': (r) => r.status === 200,
'schedule GET P99 < 100ms': (r) => r.timings.duration < 100,
});
errorRate.add(scheduleRes.status !== 200);
});
group('Exposure and Alert Operations', function () {
// GET /exposures
const exposuresRes = http.get(`${BASE_URL}/exposures`, {
headers: { 'Authorization': `Bearer ${getAuthToken()}` },
@@ -91,7 +80,6 @@ export default function () {
'exposures GET status is 200': (r) => r.status === 200,
'exposures GET P99 < 150ms': (r) => r.timings.duration < 150,
});
errorRate.add(exposuresRes.status !== 200);
// GET /alerts
const alertsRes = http.get(`${BASE_URL}/alerts`, {
@@ -102,7 +90,6 @@ export default function () {
'alerts GET status is 200': (r) => r.status === 200,
'alerts GET P99 < 150ms': (r) => r.timings.duration < 150,
});
errorRate.add(alertsRes.status !== 200);
});
}

29
infra/main.tf
View File

@@ -6,10 +6,7 @@ terraform {
source = "hashicorp/aws"
version = "~> 5.30"
}
github = {
source = "integrations/github"
version = "~> 6.0"
}
}
backend "s3" {
@@ -40,20 +37,24 @@ module "vpc" {
vpc_cidr = var.vpc_cidr
az_count = var.az_count
project_name = var.project_name
kms_key_arn = module.ecs.kms_key_arn
}
module "ecs" {
source = "./modules/ecs"
environment = var.environment
cluster_name = "${var.project_name}-${var.environment}"
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnet_ids
public_subnet_ids = module.vpc.public_subnet_ids
security_group_ids = [module.vpc.ecs_security_group_id]
services = var.services
container_images = var.container_images
secrets_arn = module.secrets.secrets_manager_arn
environment = var.environment
cluster_name = "${var.project_name}-${var.environment}"
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnet_ids
public_subnet_ids = module.vpc.public_subnet_ids
security_group_ids = [module.vpc.ecs_security_group_id]
alb_security_group_id = module.vpc.alb_security_group_id
services = var.services
container_images = var.container_images
secrets_arn = module.secrets.secrets_manager_arn
cache_cluster_arn = module.elasticache.replication_group_arn
domain_name = var.domain_name
}
module "rds" {
@@ -95,7 +96,9 @@ module "secrets" {
environment = var.environment
project_name = var.project_name
rds_endpoint = module.rds.db_endpoint
db_password = module.rds.db_password
elasticache_endpoint = module.elasticache.cache_endpoint
redis_auth_token = module.elasticache.auth_token
secrets = var.secrets
}

129
infra/modules/ecs/main.tf
View File

@@ -28,6 +28,11 @@ variable "security_group_ids" {
type = list(string)
}
variable "alb_security_group_id" {
description = "ALB security group ID"
type = string
}
variable "services" {
description = "ECS services to deploy"
type = map(object({
@@ -47,6 +52,17 @@ variable "secrets_arn" {
type = string
}
variable "cache_cluster_arn" {
description = "ElastiCache replication group ARN"
type = string
}
variable "domain_name" {
description = "Route53 hosted zone domain for ACM cert validation"
type = string
default = "shieldai.app"
}
resource "aws_ecs_cluster" "main" {
name = var.cluster_name
@@ -185,7 +201,7 @@ resource "aws_ecs_task_definition" "services" {
}
healthCheck = {
command = ["CMD-SHELL", "wget -q --spider http://localhost:${each.port}/health || exit 1"]
command = ["CMD-SHELL", "curl -f http://localhost:${each.port}/health || exit 1"]
interval = 30
timeout = 5
retries = 3
@@ -248,9 +264,22 @@ resource "aws_iam_role" "task" {
]
})
managed_policy_arns = [
"arn:aws:iam::aws:policy/SecretsManagerReadOnly"
]
inline_policy {
name = "secrets-manager-access"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
]
Resource = var.secrets_arn
}
]
})
}
inline_policy {
name = "elasticache-access"
@@ -263,7 +292,7 @@ resource "aws_iam_role" "task" {
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSubnetGroups"
]
Resource = "*"
Resource = var.cache_cluster_arn
}
]
})
@@ -303,7 +332,7 @@ resource "aws_ecs_service" "services" {
}
depends_on = [
aws_lb_listener.services
aws_lb_listener.https
]
}
@@ -311,7 +340,7 @@ resource "aws_lb" "main" {
name = "${var.cluster_name}-alb"
internal = false
load_balancer_type = "application"
security_groups = var.security_group_ids
security_groups = [var.alb_security_group_id]
subnets = var.public_subnet_ids
tags = {
@@ -319,6 +348,37 @@ resource "aws_lb" "main" {
}
}
resource "aws_acm_certificate" "main" {
domain_name = "${var.cluster_name}.${var.environment}.shieldai.app"
validation_method = "DNS"
tags = {
Name = "${var.cluster_name}-cert"
}
}
data "aws_route53_zone" "main" {
name = var.domain_name
}
resource "aws_route53_record" "acm_validation" {
for_each = {
for rv in aws_acm_certificate.main.domain_validation_options : rv.domain_name => rv
if rv.resource_record_name != null
}
zone_id = data.aws_route53_zone.main.zone_id
name = each.value.resource_record_name
type = each.value.resource_record_type
ttl = 60
records = [each.value.resource_record_value]
}
resource "aws_acm_certificate_validation" "main" {
certificate_arn = aws_acm_certificate.main.arn
validation_record_fqdns = [aws_route53_record.acm_validation[*].fqdn]
}
resource "aws_lb_target_group" "services" {
for_each = var.services
@@ -345,16 +405,47 @@ resource "aws_lb_target_group" "services" {
}
}
resource "aws_lb_listener" "services" {
for_each = var.services
resource "aws_lb_listener" "https" {
load_balancer_arn = aws_lb.main.arn
port = 443
protocol = "HTTPS"
ssl_certificate_arn = aws_acm_certificate_validation.main.certificate_arn
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.services["api"].arn
}
}
resource "aws_lb_listener_rule" "services" {
for_each = { for k, v in var.services : k => v if k != "api" }
listener_arn = aws_lb_listener.https.arn
action {
type = "forward"
target_group_arn = aws_lb_target_group.services[each.key].arn
}
condition {
path_pattern {
values = ["/${each.key}/*", "/${each.key}"]
}
}
}
resource "aws_lb_listener" "http_redirect" {
load_balancer_arn = aws_lb.main.arn
port = 80
protocol = "HTTP"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.services[each.key].arn
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
@@ -390,11 +481,22 @@ resource "aws_appautoscaling_policy" "cpu" {
}
}
resource "aws_kms_key" "logs" {
description = "${var.cluster_name} logs encryption key"
deletion_window_in_days = 7
enable_key_rotation = true
tags = {
Name = "${var.cluster_name}-logs-kms"
}
}
resource "aws_cloudwatch_log_group" "services" {
for_each = var.services
name = "/ecs/${var.cluster_name}-${each.key}"
retention_in_days = var.environment == "production" ? 30 : 7
kms_key_id = aws_kms_key.logs.arn
tags = {
Name = "${var.cluster_name}-${each.key}-logs"
@@ -410,3 +512,8 @@ output "alb_dns_name" {
description = "ALB DNS name"
value = aws_lb.main.dns_name
}
output "kms_key_arn" {
description = "KMS key ARN for log encryption"
value = aws_kms_key.logs.arn
}

22
infra/modules/elasticache/main.tf
View File

@@ -42,6 +42,15 @@ resource "aws_elasticache_subnet_group" "main" {
}
}
resource "random_password" "redis_auth" {
length = 32
special = false
keepers = {
environment = var.environment
}
}
resource "aws_elasticache_replication_group" "main" {
replication_group_id = "${var.project_name}-${var.environment}-redis"
description = "${var.project_name} Redis cluster (${var.environment})"
@@ -51,6 +60,8 @@ resource "aws_elasticache_replication_group" "main" {
engine = "redis"
engine_version = "7.0"
auth_token = random_password.redis_auth.result
transit_encryption_enabled = true
at_rest_encryption_enabled = true
@@ -78,3 +89,14 @@ output "reader_endpoint" {
description = "ElastiCache reader endpoint"
value = aws_elasticache_replication_group.main.reader_endpoint_address
}
output "auth_token" {
description = "Redis auth token"
value = random_password.redis_auth.result
sensitive = true
}
output "replication_group_arn" {
description = "ElastiCache replication group ARN"
value = aws_elasticache_replication_group.main.arn
}

6
infra/modules/rds/main.tf
View File

@@ -130,3 +130,9 @@ output "db_password_secret_arn" {
description = "DB password secret ARN"
value = aws_secretsmanager_secret.db_password.arn
}
output "db_password" {
description = "Generated DB password"
value = random_password.db_password.result
sensitive = true
}

37
infra/modules/s3/main.tf
View File

@@ -16,6 +16,15 @@ resource "aws_s3_bucket" "terraform_state" {
}
}
resource "aws_s3_bucket_public_access_block" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_versioning" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
versioning_configuration {
@@ -54,6 +63,15 @@ resource "aws_s3_bucket" "artifacts" {
}
}
resource "aws_s3_bucket_public_access_block" "artifacts" {
bucket = aws_s3_bucket.artifacts.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_versioning" "artifacts" {
bucket = aws_s3_bucket.artifacts.id
versioning_configuration {
@@ -79,6 +97,25 @@ resource "aws_s3_bucket" "logs" {
}
}
resource "aws_s3_bucket_public_access_block" "logs" {
bucket = aws_s3_bucket.logs.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
bucket = aws_s3_bucket.logs.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
resource "aws_s3_bucket_lifecycle_configuration" "logs" {
bucket = aws_s3_bucket.logs.id

16
infra/modules/secrets/main.tf
View File

@@ -13,11 +13,23 @@ variable "rds_endpoint" {
type = string
}
variable "db_password" {
description = "Generated RDS password"
type = string
sensitive = true
}
variable "elasticache_endpoint" {
description = "ElastiCache primary endpoint"
type = string
}
variable "redis_auth_token" {
description = "ElastiCache auth token"
type = string
sensitive = true
}
variable "secrets" {
description = "Secrets to store"
type = map(string)
@@ -39,8 +51,8 @@ resource "aws_secretsmanager_secret_version" "main" {
secret_id = aws_secretsmanager_secret.main.id
secret_string = jsonencode(merge({
DATABASE_URL = "postgresql://shieldai:${var.project_name}@${var.rds_endpoint}:5432/shieldai"
REDIS_URL = "redis://${var.elasticache_endpoint}:6379"
DATABASE_URL = "postgresql://shieldai:${var.db_password}@${var.rds_endpoint}:5432/shieldai"
REDIS_URL = "redis://:${var.redis_auth_token}@${var.elasticache_endpoint}:6379"
NODE_ENV = var.environment
LOG_LEVEL = var.environment == "production" ? "info" : "debug"
}, var.secrets))

115
infra/modules/vpc/main.tf
View File

@@ -18,6 +18,12 @@ variable "project_name" {
type = string
}
variable "kms_key_arn" {
description = "KMS key ARN for log encryption"
type = string
default = ""
}
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_support = true
@@ -38,7 +44,7 @@ resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index)
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
map_public_ip_on_launch = false
tags = {
Name = "${var.project_name}-${var.environment}-public-${data.aws_availability_zones.available.names[count.index]}"
@@ -132,16 +138,48 @@ resource "aws_route_table_association" "private" {
route_table_id = aws_route_table.private[count.index].id
}
resource "aws_security_group" "alb" {
name_prefix = "${var.project_name}-${var.environment}-alb"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "HTTPS from internet"
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "HTTP from internet (redirect)"
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.project_name}-${var.environment}-alb-sg"
}
}
resource "aws_security_group" "ecs" {
name_prefix = "${var.project_name}-${var.environment}-ecs"
vpc_id = aws_vpc.main.id
ingress {
from_port = 3000
to_port = 3003
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "Service ports"
from_port = 3000
to_port = 3003
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
description = "Service ports from ALB only"
}
egress {
@@ -204,6 +242,66 @@ resource "aws_security_group" "elasticache" {
}
}
resource "aws_flow_log" "main" {
iam_role_arn = aws_iam_role.flow_log.arn
log_destination = aws_cloudwatch_log_group.flow_log.arn
vpc_id = aws_vpc.main.id
traffic_type = "ALL"
tags = {
Name = "${var.project_name}-${var.environment}-flow-log"
}
}
resource "aws_iam_role" "flow_log" {
name = "${var.project_name}-${var.environment}-flow-log-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "vpc-flow-logs.amazonaws.com"
}
}
]
})
}
resource "aws_iam_role_policy" "flow_log" {
name = "${var.project_name}-${var.environment}-flow-log-policy"
role = aws_iam_role.flow_log.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
]
Effect = "Allow"
Resource = [aws_cloudwatch_log_group.flow_log.arn]
}
]
})
}
resource "aws_cloudwatch_log_group" "flow_log" {
name = "/${var.project_name}/${var.environment}/vpc-flow-log"
retention_in_days = var.environment == "production" ? 30 : 7
kms_key_id = var.kms_key_arn != "" ? var.kms_key_arn : null
tags = {
Name = "${var.project_name}-${var.environment}-flow-log"
}
}
output "vpc_id" {
description = "VPC ID"
value = aws_vpc.main.id
@@ -219,6 +317,11 @@ output "public_subnet_ids" {
value = aws_subnet.public[*].id
}
output "alb_security_group_id" {
description = "ALB security group ID"
value = aws_security_group.alb.id
}
output "ecs_security_group_id" {
description = "ECS security group ID"
value = aws_security_group.ecs.id

6
infra/variables.tf
View File

@@ -114,3 +114,9 @@ variable "secrets" {
type = map(string)
default = {}
}
variable "domain_name" {
description = "Route53 hosted zone domain for ACM cert validation"
type = string
default = "shieldai.app"
}