Move clamav on ECS (#4190)

pythonitalia · Nov 30, 2024 · 6d5c60e · 6d5c60e
1 parent 5277de4
commit 6d5c60e
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 18 deletions.
diff --git a/infrastructure/applications/.terraform.lock.hcl b/infrastructure/applications/.terraform.lock.hcl
diff --git a/infrastructure/applications/applications.tf b/infrastructure/applications/applications.tf
@@ -34,6 +34,17 @@ module "pycon_backend" {
   }
 }
 
+module "clamav" {
+  source       = "./clamav"
+  cluster_id = module.cluster.cluster_id
+  logs_group_name = module.cluster.logs_group_name
+
+  providers = {
+    aws    = aws
+    aws.us = aws.us
+  }
+}
+
 # Other resources
 
 module "database" {

diff --git a/infrastructure/applications/clamav/task.tf b/infrastructure/applications/clamav/task.tf
@@ -0,0 +1,54 @@
+resource "aws_ecs_task_definition" "clamav" {
+  family = "pythonit-${terraform.workspace}-clamav"
+
+  container_definitions = jsonencode([
+    {
+      name              = "clamav"
+      image             = "clamav/clamav-debian:1.4.1"
+      memoryReservation = 1000
+      essential         = true
+
+      portMappings = [
+        {
+          containerPort = 3310
+          hostPort      = 3310
+        },
+      ]
+
+      mountPoints = []
+
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = var.logs_group_name
+          "awslogs-region"        = "eu-central-1"
+          "awslogs-stream-prefix" = "clamav"
+        }
+      }
+
+      healthCheck = {
+        retries = 3
+        command = [
+          "CMD-SHELL",
+          "echo 1"
+        ]
+        timeout  = 3
+        interval = 10
+      }
+
+      stopTimeout = 300
+    }
+  ])
+
+  requires_compatibilities = []
+  tags                     = {}
+}
+
+resource "aws_ecs_service" "clamav" {
+  name                               = "clamav"
+  cluster                            = var.cluster_id
+  task_definition                    = aws_ecs_task_definition.clamav.arn
+  desired_count                      = 1
+  deployment_minimum_healthy_percent = 0
+  deployment_maximum_percent         = 100
+}
diff --git a/infrastructure/applications/clamav/variables.tf b/infrastructure/applications/clamav/variables.tf
@@ -0,0 +1,2 @@
+variable "cluster_id" {}
+variable "logs_group_name" {}
diff --git a/infrastructure/applications/cluster/security.tf b/infrastructure/applications/cluster/security.tf
@@ -41,6 +41,25 @@ resource "aws_security_group_rule" "out_redis" {
   security_group_id = aws_security_group.server.id
 }
 
+resource "aws_security_group_rule" "in_clamav" {
+  type              = "egress"
+  from_port         = 3310
+  to_port           = 3310
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.server.id
+  security_group_id = aws_security_group.server.id
+}
+
+resource "aws_security_group_rule" "out_clamav" {
+  # needed by fargate to connect to the server with clamav
+  type              = "ingress"
+  from_port         = 3310
+  to_port           = 3310
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.server.id
+  security_group_id = aws_security_group.server.id
+}
+
 resource "aws_security_group_rule" "web_http" {
   type              = "ingress"
   from_port         = 80

diff --git a/infrastructure/applications/pycon_backend/worker.tf b/infrastructure/applications/pycon_backend/worker.tf
@@ -162,7 +162,7 @@ locals {
     },
     {
       name = "CLAMAV_HOST",
-      value = module.secrets.value.clamav_host
+      value = var.server_ip
     },
     {
       name = "ECS_NETWORK_CONFIG",