Terraform reference implementation example to create and run Snyk Broker as an AWS Elastic Container Service (ECS) Fargate Service.
❗ Note: requires a public hosted domain name managed by an AWS Route53 Domain Name System (DNS) zone.
- Create an S3 bucket to store the deployment Terraform state
- Create a GitHub repository dev environment
- Modify `env/dev/config.s3.backend`
- Modify `env/dev/terraform.tfvars`
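The following is an added example of the S3 backend configuration file referenced in the steps above; it is not a file from this repository. It uses the standard Terraform S3 backend settings, and the bucket, key, region and lock-table names are placeholders to replace with your own:

```hcl
# env/dev/config.s3.tfbackend (added example; the file is passed to
# `terraform init -backend-config=...` in the deploy step)
# All names below are constructed placeholders.

bucket         = "my-org-terraform-state"            # S3 bucket created in the prerequisites
key            = "snykbroker/dev/terraform.tfstate"  # state object key for the dev environment
region         = "us-east-1"                         # region of the state bucket

# Terraform state holds resource attributes, which for this module include the
# broker tokens written to SSM/Secrets Manager, so keep the object encrypted and
# restrict bucket access to the deployment role.
encrypt        = true
dynamodb_table = "my-org-terraform-locks"            # optional table for state locking
```

Because `terraform init` reads this file, the credentials Terraform assumes need `s3:GetObject`/`s3:PutObject` on the state key and, if locking is enabled, access to the DynamoDB table.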
This GitHub CI workflow (ci.yml) accepts the following inputs for running Snyk Broker and deploys the necessary AWS resources running SnykBroker as a Fargate Service.

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `DOCKERHUB_ACCESS_TOKEN`
- `DOCKERHUB_USERNAME`
- `SNYK_TOKEN`
- `AWS_REGION`
- `BROKER_ENV_VARS`: this environment variable value is specified as a map(string). Example:

```json
{"BROKER_TOKEN":"xxx","GITHUB_TOKEN":"yyy"}
```

Mode | Description | Variable Settings |
---|---|---|
HTTP | No SSL certificate | broker_protocol="http", private_ssl_cert=false |
HTTPS/HTTP | Public SSL certificate, internal HTTP | broker_protocol="https", private_ssl_cert=false |
HTTPS | Public SSL certificate, internal private SSL cert | broker_protocol="https", private_ssl_cert=true |
The public SSL certificate for `<broker_hostname>.<public_domain_name>` is created and managed by AWS Certificate Manager (ACM), which handles its renewal automatically.
- Upload the private SSL certificate (`.pem`) and its private key (`.key`) to an S3 bucket
- Verify that the S3 bucket and these objects are accessible to the credentials Terraform assumes
- Set variable `config_bucket_name="<S3_bucket_name>"`
- Set variable `broker_private_key_object="<S3_folder>/<key_name.key>"`
- Set variable `broker_ssl_cert_object="<S3_folder>/<cert_name.pem>"`

Private SSL certificate validity and renewal are handled independently by the customer.
- Upload the custom integration type `accept.json` to an S3 bucket
- Verify that the S3 bucket and `accept.json` are accessible to the credentials Terraform assumes
- Set variable `config_bucket_name="<S3_bucket_name>"`
- Set variable `custom_listing_filter="<S3_folder>/accept.json"`
- Configure the S3 backend for Terraform state
- Set up the Terraform input tfvars
- Invoke the commands below to create the Fargate Service that launches the corresponding SnykBroker container.

```shell
$ terraform init -backend-config="env/dev/config.s3.tfbackend"
$ terraform plan -input=false -var-file="env/dev/terraform.tfvars" -out=tfplan
$ terraform apply "tfplan"
```

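As an added example of the tfvars file these commands consume (written for this README, not taken from the repository), the following `env/dev/terraform.tfvars` selects the HTTPS mode with a customer-managed private certificate from the mode table above and sets only variables that appear in the Inputs table. The domain, bucket, object keys and token values are placeholders; in the CI path the token map comes from the `BROKER_ENV_VARS` secret rather than from a committed file:

```hcl
# env/dev/terraform.tfvars (added example; all values are constructed placeholders)

# Public DNS: the broker FQDN becomes snykbroker.example.com in the existing Route53 zone
public_domain_name        = "example.com"
use_existing_route53_zone = true
broker_hostname           = "snykbroker"

# Which Snyk integration this broker serves (artifactory, azurerepos, bitbucket, gh, ghe, gitlab, jira or nexus)
integration_type = "ghe"

# PORT and BROKER_CLIENT_URL are derived by the module; pass the remaining broker variables here.
# Do not commit real tokens: supply them through the CI BROKER_ENV_VARS secret instead.
broker_env_vars = {
  BROKER_TOKEN = "REPLACE_WITH_BROKER_TOKEN"
  GITHUB_TOKEN = "REPLACE_WITH_SCM_TOKEN"
}

# Mode "HTTPS": public ACM certificate on the load balancer and a private certificate at the broker client
broker_protocol  = "https"
private_ssl_cert = true

# Private certificate and key staged in the config bucket (see the private SSL certificate steps)
config_bucket_name        = "my-snykbroker-config"
broker_ssl_cert_object    = "certs/snykbroker.pem"
broker_private_key_object = "certs/snykbroker.key"

# Container runs as non-root, so keep the broker port above 1023
broker_port = 7341

# Task sizing within the documented Fargate bounds
cpu    = 256
memory = 512

# One replica across two AZs; only one capacity provider may have base > 0
service_desired_count        = 1
service_azs                  = 2
fargate_capacity_base        = 1
fargate_capacity_weight      = 100
fargate_spot_capacity_base   = 0
fargate_spot_capacity_weight = 0
vpc_cidr                     = "192.168.0.0/20"

# Webhook request and container logging
cloudwatch_log_group_name     = "/aws/ecs/snykbroker"
cloudwatch_log_retention_days = 7
log_bucket_name               = "my-snykbroker-access-logs"

tags = {
  Environment = "dev"
  Owner       = "security-engineering"
}
```

Switching to the "HTTPS/HTTP" mode from the table means setting `private_ssl_cert = false` and dropping the three certificate object variables; the ACM certificate for the public hostname is still provisioned by the module.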
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.9 |

Name | Version |
---|---|
aws | 4.25.0 |
null | 3.1.1 |

Name | Source | Version |
---|---|---|
public_route53_zone | terraform-aws-modules/route53/aws//modules/zones | 2.9.0 |
snykbroker_acm | terraform-aws-modules/acm/aws | 4.0.1 |
snykbroker_cert_handler_lambda | terraform-aws-modules/lambda/aws | 4.0.1 |
snykbroker_ecs_cluster | terraform-aws-modules/ecs/aws | 4.1.1 |
snykbroker_ecs_task_definition | umotif-public/ecs-fargate-task-definition/aws | 2.1.2 |
snykbroker_efs | terraform-iaac/efs/aws | 2.0.4 |
snykbroker_kms | terraform-aws-modules/kms/aws | 1.1.0 |
snykbroker_kms_iam_policy | terraform-aws-modules/iam/aws//modules/iam-policy | 3.5.0 |
snykbroker_lambda_security_group | terraform-aws-modules/security-group/aws | 4.13.0 |
snykbroker_lb | terraform-aws-modules/alb/aws | 7.0.0 |
snykbroker_lb_route53_record | terraform-aws-modules/route53/aws//modules/records | 2.9.0 |
snykbroker_lb_security_group | terraform-aws-modules/security-group/aws | 4.13.0 |
snykbroker_log_group | terraform-aws-modules/cloudwatch/aws//modules/log-group | 3.3.0 |
snykbroker_secrets | lgallard/secrets-manager/aws | 0.6.0 |
snykbroker_security_group | terraform-aws-modules/security-group/aws | 4.13.0 |
snykbroker_vpc | terraform-aws-modules/vpc/aws | 3.14.3 |

Name | Type |
---|---|
aws_ecs_service.snykbroker_service | resource |
aws_efs_access_point.snykbroker_cert_access_point | resource |
aws_iam_role_policy_attachment.snykbroker_fargate_exe_efs | resource |
aws_iam_role_policy_attachment.snykbroker_fargate_exe_kms | resource |
aws_iam_role_policy_attachment.snykbroker_fargate_task_efs | resource |
aws_lambda_invocation.snykbroker_lambda_invocation | resource |
aws_ssm_parameter.tokens | resource |
null_resource.wait_lambda_efs | resource |
aws_availability_zones.available | data source |
aws_caller_identity.current | data source |
aws_iam_policy_document.snykbroker_logs_policy_doc | data source |
aws_iam_policy_document.snykbroker_secrets_policy_doc | data source |
aws_partition.current | data source |
aws_region.current | data source |
aws_route53_zone.public_zone | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_env_vars | Additional environment variables | map(string) | {} | no |
broker_accept_json_object | S3 object of the SnykBroker listing filter accept.json. Example `<S3_folder>/accept.json` | string | null | no |
broker_env_vars | SnykBroker environment variable key-value pairs. PORT and BROKER_CLIENT_URL are not required | map(string) | {} | yes |
broker_hostname | SnykBroker hostname. `<broker_hostname>.<public_domain_name>` forms its FQDN for SCM webhook calls | string | "snykbroker" | no |
broker_port | Default SnykBroker client port. Set a non-system port (>= 1024) because the container runs as a non-root user | number | 7341 | no |
broker_private_key_object | S3 object of the SnykBroker certificate private key. Example `<S3_folder>/<key_name.key>` | string | null | no |
broker_protocol | Protocol for running connections to SnykBroker. Either http or https | string | "https" | no |
broker_ssl_cert_object | S3 object of the SnykBroker certificate. Example `<S3_folder>/<cert_name.pem>` | string | null | no |
cloudwatch_log_group_name | SnykBroker CloudWatch log group name | string | "/aws/ecs/snykbroker" | no |
cloudwatch_log_retention_days | SnykBroker CloudWatch log retention in days | number | 7 | no |
config_bucket_name | Configuration S3 bucket name storing the SnykBroker private key, SSL certificate, accept.json filter, etc. | string | null | no |
container_name | Snyk broker container name behind the Service | string | "snykbroker" | no |
cpu | Broker service task CPU. Min 256 (0.25 vCPU), max 4096 (4 vCPU) | number | 256 | no |
custom_listing_filter | Use a custom approved listing filter, i.e. a revised accept.json | bool | false | no |
default_tags | Default tags at aws provider scope | map(string) | { | no |
dockerhub_access_token | DockerHub personal access token | string | null | no |
dockerhub_username | DockerHub username | string | null | no |
fargate_capacity_base | Fargate capacity provider base as the minimum number of Tasks. Only this or fargate_spot_capacity_base can be > 0 | number | 0 | no |
fargate_capacity_weight | Fargate capacity provider weight as a relative percentage of total service_desired_count Tasks | number | 50 | no |
fargate_spot_capacity_base | Fargate Spot capacity provider base as the minimum number of Tasks. Only this or fargate_capacity_base can be > 0 | number | 0 | no |
fargate_spot_capacity_weight | Fargate Spot capacity provider weight as a relative percentage of total service_desired_count Tasks | number | 50 | no |
image | Broker image to pull from DockerHub. May be a custom derived broker image | string | null | no |
integration_type | Snyk integration type. One of artifactory, azurerepos, bitbucket, gh, ghe, gitlab, jira or nexus | string | "" | yes |
lambda_runtime | Lambda function runtime. Must be one of the AWS supported versions | string | "python3.9" | no |
launch_type | SnykBroker service launch type | string | "FARGATE" | no |
log_bucket_name | SnykBroker access log bucket name for logging webhook requests | string | null | no |
memory | Broker service memory in MiB. Min 512, max 30720 | number | 512 | no |
private_ssl_cert | Use a private SSL certificate at the SnykBroker client | bool | false | no |
public_domain_name | Customer public domain, e.g. example.com | string | null | yes |
scheduling_strategy | Snyk broker scheduling strategy | string | "REPLICA" | no |
service_azs | Count of service availability zones to use | number | 2 | no |
service_desired_count | Snyk broker service instance count | number | 1 | no |
service_name | Snyk broker service name | string | "snykbroker" | no |
snyk_integration_env_vars | Map of Snyk integration type to environment values at the broker container | map(list(string)) | { | no |
snyk_integration_images | Map of Snyk integration type to default official Snyk Docker image tag | map(string) | { | no |
snykbroker_repo | DockerHub snyk broker repo | string | "snyk/broker" | no |
tags | Tags | map(string) | {} | no |
use_existing_route53_zone | Use the existing public hosted zone of `<public_domain_name>` or create a new zone | bool | true | no |
vpc_cidr | SnykBroker VPC CIDR. Linked to service_azs to be created | string | "192.168.0.0/20" | no |

Name | Description |
---|---|
snykbroker_aws_dns_name | SnykBroker Client AWS DNS name |
snykbroker_client_healthcheck_url | SnykBroker Client healthcheck URL |
snykbroker_client_systemcheck_url | SnykBroker Client systemcheck URL |
snykbroker_lb_dns_name | SnykBroker Client hosted domain DNS name |