Dell Boomi Atom on AWS ECS Fargate Deployment

This repository contains the Infrastructure as Code (IaC) configurations required to set up a highly available Dell Boomi Atom running on AWS ECS Fargate using Terraform. Additionally, it features a Python-based AWS Lambda function responsible for AWS Secrets Manager rotation.

This repo is configured for use by Coforma. If you intend to use it, fork it and make your own customizations.

Overview

  • Fargate Task: Runs a single task that is allocated 1 vCPU and 2GB of memory. The task is responsible for running the Dell Boomi Atom.

  • Lambda Function for Secrets Rotation: Rotates the secrets every 12 hours using the environment variables boomi_account_id, boomi_username, and boomi_auth_token, so that the task can always pull a fresh version if an issue arises.

  • VPC Configuration: The Boomi Atom operates inside a private VPC but can connect to the internet using dedicated egress rules routed through a NAT Gateway and an Internet Gateway (IGW) pair.

  • Deploy Jar GHA Workflow: Run this workflow whenever a new deployment goes out or after a failover event. It can be made more automated in the future.

Requirements

| Name | Version |
|------|---------|
| terraform | < 1.6 |
| aws | ~> 5.30.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.19.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| ecs | terraform-aws-modules/ecs/aws | ~> 5.7.0 |
| lambda | terraform-aws-modules/lambda/aws | ~> 6.5.0 |
| secrets_manager | terraform-aws-modules/secrets-manager/aws | ~> 1.1.1 |
| vpc | terraform-aws-modules/vpc/aws | ~> 5.4.0 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.logs | resource |
| aws_ecs_service.service | resource |
| aws_ecs_task_definition.task_definition | resource |
| aws_iam_policy.ssm_policy | resource |
| aws_iam_policy.task_permissions | resource |
| aws_iam_role.ecs_task_execution_role | resource |
| aws_iam_role_policy_attachment.ecs_task_execution_log_role_policy | resource |
| aws_iam_role_policy_attachment.ecs_task_execution_ssm_role_policy | resource |
| aws_security_group.task_security_group | resource |
| aws_ssm_parameter.boomi_account_id | resource |
| aws_ssm_parameter.boomi_auth_token | resource |
| aws_ssm_parameter.boomi_username | resource |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_policy | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.ssm_policy | data source |
| aws_iam_policy_document.task_permissions | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| boomi_account_id | The account ID for the Boomi platform | `string` | n/a | yes |
| boomi_auth_token | The auth token for the Boomi platform | `string` | n/a | yes |
| boomi_username | The username for the Boomi platform | `string` | n/a | yes |
| application | The name of the application | `string` | `"co-boomi-atom"` | no |
| atom_name | The name of the atom | `string` | `"coforma-atom-1"` | no |
| atom_security_group_egress | Atom security group egress rules | `list(object({ from_port = number, to_port = number, description = string, protocol = string, cidr_blocks = list(string) }))` | `[{ "cidr_blocks": ["0.0.0.0/0"], "description": "Unanet traffic", "from_port": 31001, "protocol": "tcp", "to_port": 31001 }]` | no |
| atom_version | The version of the atom | `string` | `"4.3.5"` | no |
| aws_region | The AWS region to deploy to | `string` | `"us-east-1"` | no |
| boomi_environment_id | The ID of the environment the atom is to be attached to | `string` | `""` | no |
| container_port | The port of the container | `number` | `9090` | no |
| environment | The environment to deploy to | `string` | `"prod"` | no |
| owner | The owner of the application | `string` | `"devsecops"` | no |
| private_subnet_cidrs | The CIDR blocks for the private subnets | `list(string)` | `["10.1.0.0/27", "10.1.0.32/27"]` | no |
| public_subnet_cidrs | The CIDR blocks for the public subnets | `list(string)` | `["10.1.0.64/27", "10.1.0.96/27"]` | no |
| retention_in_days | The number of days to retain logs | `number` | `7` | no |
| vpc_cidr | The CIDR block for the VPC | `string` | `"10.1.0.0/24"` | no |

Outputs

No outputs.

Prerequisites

  1. Terraform/OpenTofu: Ensure that Terraform is installed and appropriately configured with your AWS credentials.

  2. AWS Account: Necessary permissions to create and manage the mentioned AWS resources.

  3. Python: Required for the AWS Lambda function. Ensure you have the AWS SDK for Python (Boto3) and requests installed.

  4. terraform-docs: Tool used to generate terraform docs.

Deployment Steps

  1. Clone the Repository:

    git clone <repository-url>
    cd <repository-name>
  2. Install the Python requirements next to the Lambda function:

    pip3 install --target ./lambda/package boto3 requests
  3. Initialize Terraform:

    terraform init
  4. Apply Terraform Configurations: Before applying, always make sure to review the changes Terraform will perform.

    terraform plan
    terraform apply
  5. Lambda Function Configuration: Ensure that the Lambda function has the three environment variables set:

    • boomi_account_id
    • boomi_username
    • boomi_auth_token
  6. Monitoring: Monitor the task and lambda logs via AWS CloudWatch for any potential issues.

Security Considerations

  • Ensure that your AWS credentials are stored securely and are not exposed in any Terraform configurations.
  • Make sure the Boomi credentials used in the Lambda environment variables are securely stored in AWS Secrets Manager or another secrets management tool.
  • Ensure that the VPC egress and ingress rules are set appropriately to minimize any potential security risks.
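A pre-apply guardrail for the egress rule variable, added here as an example and not code from this repository: it audits `atom_security_group_egress` objects in the shape given in the Inputs table, and treats an unset variable as the module default, which is open to any address on TCP 31001. The `203.0.113.0/24` block in the hardened rule is a placeholder, not a real Unanet address.

```python
import json
from typing import Dict, List

# Module default copied from the README's Inputs table: any address on TCP 31001.
DEFAULT_EGRESS: List[Dict] = [{"cidr_blocks": ["0.0.0.0/0"], "description": "Unanet traffic",
                               "from_port": 31001, "protocol": "tcp", "to_port": 31001}]

# Hardened form: same port, limited to a placeholder address block (203.0.113.0/24 is
# documentation space; substitute the real Unanet endpoint's CIDR).
HARDENED_EGRESS: List[Dict] = [{"cidr_blocks": ["203.0.113.0/24"], "description": "Unanet traffic",
                                "from_port": 31001, "protocol": "tcp", "to_port": 31001}]


def audit_egress(rules: List[Dict]) -> List[str]:
    """Return one finding per risky property; an empty list means the rules pass."""
    findings = []
    for i, r in enumerate(rules):
        where = f"rule {i} ({r.get('description') or 'no description'!r})"
        if not r.get("description"):
            findings.append(f"{where}: missing description")
        if str(r.get("protocol")) in ("-1", "all"):
            findings.append(f"{where}: allows all protocols")
        if r.get("from_port") != r.get("to_port"):
            findings.append(f"{where}: port range {r.get('from_port')}-{r.get('to_port')} "
                            "instead of a single port")
        for cidr in r.get("cidr_blocks", []):
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{where}: open to any address ({cidr}) on port {r.get('from_port')}")
    return findings


def audit_tfvars_json(text: str) -> List[str]:
    """Audit a *.tfvars.json document. If atom_security_group_egress is not set,
    the module default applies, so the default is what gets audited."""
    rules = json.loads(text).get("atom_security_group_egress", DEFAULT_EGRESS)
    return audit_egress(rules)


if __name__ == "__main__":
    # Constructed tfvars: one that leaves the variable unset, one that narrows it.
    for label, doc in (("unset", "{}"),
                       ("hardened", json.dumps({"atom_security_group_egress": HARDENED_EGRESS}))):
        print(label, audit_tfvars_json(doc) or "ok")
```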

Contributing

If you'd like to contribute, please fork the repository and make changes as you'd like. Pull requests are warmly welcomed.

Before submitting a PR please make sure to run the following:

    terraform fmt
    terraform-docs markdown table --output-file README.md --output-mode inject --sort-by required .

License

This project is licensed under the MIT License. See the LICENSE file for details.