Provision Blockchain Resources Using AWS CDK instead of terraform

[amarouane-ABDELHAK]

The goal of this task is to refactor and enhance the existing infrastructure provisioning for blockchain resources by migrating from Terraform to AWS CDK. This shift will help us standardize the IaC process by adopting AWS CDK across all projects.

[rajeshpandey2053]

• Used already created VPC(devbc-BC-VPC)
• Created a IAM stack with permissions allowing ecr, ecs
• Created an ECS Stack with image downloading directly from ecr
• Created ALB for ecs

Todo:

• [x] Create and Attach security groups where necessary
• [x] - Create an EFS Volume for storing credentials and mount it to the container
• [x] - Create a aws_route53_record for ALB
• [x] - Add target group, rules and listeners to ALB
• [x] Add https routing to the ALB
• [x] Create a log configuration for the container

[rajeshpandey2053]

Completed:

• Created a security group for ecs_task

Issues `CDK deployment getting stuck while ecs_stack_service is in_progress state for a long period of time Fixed

• Environment variables like --secret-id was not configured for containers in the ecs task

[rajeshpandey2053]

2024-01-22T00:21:31.528Z - [31merror[39m: [FabricCAClientService.js]: Failed to enroll hecuser, error:%o message=Calling enrollment endpoint failed with error [Error: getaddrinfo ENOTFOUND [ca.m-cgpza7kwybbojhfduornap4psq.n-qeeynndp4fhnfpbt2hqh4n7ba4.managedblockchain.us-east-1.amazonaws.com](http://ca.m-cgpza7kwybbojhfduornap4psq.n-qeeynndp4fhnfpbt2hqh4n7ba4.managedblockchain.us-east-1.amazonaws.com/) Tried Approach:

• Found this issue while trying to deploy ECS resources in HEC. The root of this cause is that the blockchain network was created in default VPC, and we tried to launch ECS resources in dev VPC.
• Another problem we found out was, there is a vpc endpoint that allow ecs resources to connect to blockchain network. In that vpc endpoint we need add security of ecs service to make sure ecs resources can connect easily to the blockchain network
• Check security groups of ECS to make sure you have defined proper inbound and outbound rules
• Check credentials of blockchain if it is correct

[rajeshpandey2053]

There were some issues with the security groups. The inbound rules for connecting to the blockchain network should be 30000 - 34000 as defined in this documentation. This should be defined for the instance that interacts with the blockchain network. https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/managed-blockchain-security-sgs.html

After creating a security group for ECS tasks, attach the task security to the VPC endpoints

[rajeshpandey2053]

Completed and Pushed to this branch. I do not have access to create a PR :(

[xhagrg]

you should have access. share screen shot of what issue you are facing.

[rajeshpandey2053]

@xhagrg , The ticket has been created in this repo. But the code has been pushed in cdk-blockchain-openscience repo. I was talking about not having permissions to create a PR in the cdk-blockchain-openscience repo

Solved: Seems like there was only 1 development branch in that repo which was default one. Hence, no any option for PR was shown because there was only 1 branch. I assumed I did not have permissions to do it.