Terraform example improvements

[ag-adampike]

This issue is to track a few fairly minor issues with our AWS Terraform deployment example:

• [x] Public subnets are not consistently tagged in such a way that the script automatically selects them (in https://github.com/1Password/scim-examples/blob/master/aws-ecsfargate-terraform/main.tf#L34).
• [x] To meet AWS requirements for creating a load balancer, the deployment requires at least two public and private subnets, each across at least two availability zones
• [x] Default tags can be added more DRY-ly in the provider block (see https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider) rather than sprinkled throughout.
• [ ] The set of default tags should be expanded for best practices with AWS (see, for example, https://engineering.deptagency.com/best-practices-for-terraform-aws-tags).
• [ ] Some of the resource blocks have been renamed and should be updated (e.g. aws_alb is known as aws_lb: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb)
• [ ] Clean up the README for readability, length, and clarity (e.g. perhaps the optional headings could be under a collapsible section).

Some nice-to-haves, possibly for future work:

• [ ] Modularize the deployment to enable different sets of AWS credentials for certain resources (for example, if a separate account is required to manage Route53).
• [x] Gracefully handle TLS cert management for customers using something other than Route53. Currently the plan fails to apply until ACM validates the external domain.
• [x] We may be able to optionally create the necessary VPCs and subnets instead of choosing between using the default VPC or specifying an existing VPC. In my experience working directly with customers, subnets are often created specifically for the SCIM bridge anyway. If the script can automate that work as well, all the better.

[pingping95]

I agree with him. AWS Terraform Example is so poor and need to upgrade.

[mikedowler]

We seem to be hitting the first issue listed here - we get the following error:

creating ELBv2 application Load Balancer (xxx-alb): ValidationError: At least two subnets in two different Availability Zones must be specified

How do we go about specifying subnets - there doesn't seem to be anywhere to provide this information? Also, some guidance on creating a dedicated VPC and subnets would be great.

The example seems to assume a lot of knowledge of AWS and Terraform, which is not necessarily the case for a 1Password/IAM admin.

[ag-adampike]

Hey @mikedowler. I'm sorry I missed your comment here.

For using an existing, non-default VPC, you can specify the subnets to use by tagging them with a key of SubnetTier and a value of public. This line in the Terraform script selects the subnets with this tag:

https://github.com/1Password/scim-examples/blob/0b2e2b864e023dd233c3a43f008767ee74ebd36f/aws-ecsfargate-terraform/main.tf#L74-L75

You might also consider using our CloudFormation template which requires no interaction with Terraform, can be deployed using the console, and creates a dedicated VPC and subnets for you: https://github.com/1Password/scim-examples/tree/main/beta/aws-ecsfargate-cfn

[PeterBocan]

Hey!

I think the steps outlined here are missing some crucial step(s), namely, is this an official module to install?

https://github.com/1Password/scim-examples/blob/main/aws-ecsfargate-terraform/README.md

[scottisloud]

Hi Peter, the only dependencies here are Terraform/Terraform CLI, and the official AWS Terraform provider.

But let me know if I'm not interpreting your question correctly!

[PeterBocan]

Hey Scott, thanks for the reply.

I think this deserves a terraform module in the terraform registry. Makes things easier for me and (admittedly) I am not a big fan of copying terraform files from repos 😅 which may change.

It's very much done with some tweaks and separating the whole Google Workspace stuff out.