diff --git a/sds/unity/terraform/terraform.tf b/sds/unity/terraform/terraform.tf index aed00701..c757fda4 100644 --- a/sds/unity/terraform/terraform.tf +++ b/sds/unity/terraform/terraform.tf @@ -10,15 +10,8 @@ data "aws_ssm_parameter" "subnet_list" { # name = "/unity/account/ecs/execution_role_arn" #} -locals { - subnet_map = jsondecode(data.aws_ssm_parameter.subnet_list.value) - subnet_ids = nonsensitive(local.subnet_map["private"]) - public_subnet_ids = nonsensitive(local.subnet_map["public"]) -} - - module "base" { - source = "git::ssh://git@github.jpl.nasa.gov/terraform/base?ref=6.0.0" + source = "" project = var.project venue = var.venue subsystem = var.subsystem @@ -40,12 +33,10 @@ module "base" { ebs_block_device_size = var.ebs_block_device_size root_block_device_size = var.root_block_device_size ebs_mount_directory = var.ebs_mount_directory - csso_proxy_only = var.csso_proxy_only application_endpoint_url = var.application_endpoint_url terraform_app_commit = var.terraform_app_commit deployment_method = var.deployment_method secrets = local.secrets - stickiness_enabled = var.stickiness_enabled docker_volume_path = var.docker_volume_path efs_config = { efs_id = var.efs_id 
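Review bot: In the first terraform.tf hunk the `base` module's `source` is now an empty string, which Terraform does not accept as a module address, so `terraform init` cannot succeed until someone fills it in by hand. Whoever restores it should keep the address pinned to an immutable ref, as the removed line did with `?ref=6.0.0`, because `module.base` outputs feed the rest of this file. If the value was blanked to keep an internal hostname out of the repository, a comment such as `# set to the base module address, pinned with ?ref=<tag-or-commit>` would make that explicit. The module block continues past this hunk.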
@@ -53,42 +44,56 @@ module "base" { } } +locals { + subnet_map = jsondecode(data.aws_ssm_parameter.subnet_list.value) + subnet_ids = nonsensitive(local.subnet_map["private"]) + public_subnet_ids = nonsensitive(local.subnet_map["public"]) +} + + # Application environment variables locals { environment_vars = { AWS_DEFAULT_REGION = module.base.aws_region - CS3_GET_PARAMETERS = module.base.ps_path DOMAIN = module.base.cname SERVER = var.server AUTH = var.auth NODE_ENV = var.node_env - CSSO_LEAD_GROUP = var.csso_lead_group - SESSION_USER = var.session_user - INGEST_RATE = var.ingest_rate - SECRET = module.base.auto_generated_password DB_HOST = var.db_host DB_PORT = var.db_port DB_NAME = var.db_name DB_USER = var.db_user - CSSO_GROUPS = "[${join(", ", formatlist("\"%s\"", var.groups))}]" - SESSION_HOST = module.base.csso_login_url - TACTICAL_HOST = var.tactical_host - PLACES_HOST = var.places_host - SCIENCE_INTENT_HOST = var.science_intent_host - MTTTT_HOST = var.mtttt_host - ENABLE_MMGIS_WEBSOCKETS = var.enable_mmgis_websockets PORT = var.app_listening_port + DB_POOL_MAX = var.db_pool_max + DB_POOL_TIMEOUT = var.db_pool_timeout + DB_POOL_IDLE = var.db_pool_idle + CSSO_GROUPS = var.csso_groups VERBOSE_LOGGING = var.verbose_logging + FRAME_ANCESTORS = var.frame_ancestors + FRAME_SRC = var.frame_src + THIRD_PARTY_COOKIES = var.third_party_cookies + ROOT_PATH = var.root_path + WEBSOCKET_ROOT_PATH = var.websocket_root_path + CLEARANCE_NUMBER = var.clearance_number + DISABLE_LINK_SHORTENER = var.disable_link_shortener HIDE_CONFIG = var.hide_config - CONFIGCONFIG_PATH = var.configconfig_path FORCE_CONFIG_PATH = var.force_config_path LEADS = "[${join(", ", formatlist("\"%s\"", var.leads))}]" + ENABLE_MMGIS_WEBSOCKETS = var.enable_mmgis_websockets + ENABLE_CONFIG_WEBSOCKETS = var.enable_config_websockets + ENABLE_CONFIG_OVERRIDE = var.enable_config_override + MAIN_MISSION = var.main_mission + SKIP_CLIENT_INITIAL_LOGIN = var.skip_client_initial_login + GENERATE_SOURCEMAP = 
var.generate_sourcemap + SPICE_SCHEDULED_KERNEL_DOWNLOAD = var.spice_scheduled_kernel_download + SPICE_SCHEDULED_KERNEL_DOWNLOAD_ON_START = var.spice_scheduled_kernel_download_on_start + SPICE_SCHEDULED_KERNEL_cron_expr = var.spice_scheduled_kernel_cron_expr } } locals { secrets = { - DB_PASS = var.db_password - SESSION_PASS = var.session_pass + SECRET = var.secret + DB_PASS = var.db_pass } } \ No newline at end of file diff --git a/sds/unity/terraform/variables.tf b/sds/unity/terraform/variables.tf index 3fa11d99..bd8d2c66 100644 --- a/sds/unity/terraform/variables.tf +++ b/sds/unity/terraform/variables.tf @@ -31,25 +31,18 @@ variable "installprefix" { default = "UnknownPrefix" } + variable "server" { default = "node" } variable "auth" { - default = "csso" + default = "none" } variable "node_env" { default = "production" } -variable "csso_lead_group" { -} -variable "session_user" { - description = "application account for authorization to other services" -} -variable "session_pass" { - description = "application account for authorization to other services" -} -variable "ingest_rate" { - default = "0 7 * * *" +variable "secret" { + description = "Some random string" } variable "db_host" { description = "postgres db endpoint" 
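Review bot: `CSSO_GROUPS = var.csso_groups` in the `environment_vars` hunk of terraform.tf passes a `list(string)` straight into the map, while the removed line and the surviving `LEADS` entry both render the list as a JSON-array string. If the module or the application expects a string here, the access-group list will either fail type conversion or arrive in a form the application does not parse. `CSSO_GROUPS = jsonencode(var.csso_groups)` keeps it a string and escapes the group names properly. The key `SPICE_SCHEDULED_KERNEL_cron_expr` is also the only one not fully upper-case, and environment variable names are case-sensitive on Linux, so it probably needs to be `SPICE_SCHEDULED_KERNEL_CRON_EXPR`.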
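Review bot: The `auth` default changes from `"csso"` to `"none"` in the first variables.tf hunk, so a deployment that does not set the variable presumably comes up without authentication. Dropping the default, or adding a `validation` block that lists the accepted modes, would force each venue to choose explicitly. The new `secret` variable, and `db_pass` in the next hunk, hold credentials but are not marked `sensitive = true`, so their values can appear in plan output. The description `"Some random string"` should also say what the value protects and how long it needs to be.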
@@ -64,37 +57,64 @@ variable "db_name" { variable "db_user" { description = "postgres db user" } -variable "db_password" { +variable "db_pass" { description = "postgres db password" } -variable "tactical_host" { - description = "url to tactical target db" +variable "port" { + description = "Port to run on" + default = 3000 } -variable "places_host" { - description = "url to PLACES" +variable "db_pool_max" { + description = "Max number connections in the database’s pool. CPUs * 4 is a good number" + default = 10 } -variable "science_intent_host" { - description = "url to science intent api" +variable "db_pool_timeout" { + description = "How many milliseconds until a DB connection times out" + default = 30000 } -variable "mtttt_host" { - description = "url to mtttt api" +variable "db_pool_idle" { + description = "How many milliseconds for an incoming connection to wait for a DB connection before getting kicked away" + default = 10000 } -variable "enable_mmgis_websockets" { - description = "enables websockets so that clients can immediately respond to backend configuration changes" - default = false +variable "csso_groups" { + description = "A list of CSSO LDAP groups that have access" + type = list(string) + default = [] } variable "verbose_logging" { description = "logs a bunch of extra stuff for development purposes" default = false } -variable "hide_config" { - description = "make the configure page inaccessible to everyone" +variable "frame_ancestors" { + description = "Sets the Content-Security-Policy: frame-ancestors header to allow the embedding of MMGIS in the specified external sites" +} +variable "frame_src" { + description = "Sets the Content-Security-Policy: frame-src header to allow the embedding iframes from external origins into MMGIS" +} +variable "third_party_cookies" { + description = "Sets 'SameSite=None; Secure' on the login cookie. Useful when using AUTH=local as an iframe within a cross-origin page." 
default = false } -variable "configconfig_path" { - description = "the path to a json file that sets up the configure page that overrides the database's recor" +variable "root_path" { + description = "Set MMGIS to be deployed under a subpath. For example if serving at the subpath ‘https://{domain}/path/where/I/serve/mmgis’ is desired, set ROOT_PATH=/path/where/I/serve/mmgis. If no subpath, leave blank." default = "" } +variable "websocket_root_path" { + description = "Overrides ROOT_PATH's use when the client connects via websocket. Websocket url: ${ws_protocol}://${window.location.host}${WEBSOCKET_ROOT_PATH || ROOT_PATH || ''}/" + default = "" +} +variable "clearance_number" { + description = "Sets a clearance number for the website" + default = "CL##-####" +} +variable "disable_link_shortener" { + description = "If true, users that use the 'Copy Link' feature will receive a full-length deep link. Writing new short links will be disabled but expanding existing ones will still work." + default = false +} +variable "hide_config" { + description = "make the configure page inaccessible to everyone" + default = false +} variable "force_config_path" { description = "the path to a json config file that acts as the only configured mission for the instance" default = "" 
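Review bot: `frame_ancestors` and `frame_src` in this hunk are declared with neither `type` nor `default`, which makes both Content-Security-Policy inputs mandatory while leaving their expected format undocumented. Since a too-broad value weakens framing protection, I would add `type = string`, a restrictive default, and an example of the accepted syntax in the description; confirm against the application which empty value means "no external origins". The new `port` variable (default 3000) looks unused, because `PORT` in terraform.tf is still set from `var.app_listening_port`. The description of `third_party_cookies` could also note that `SameSite=None` lets the login cookie travel on cross-site requests, so it should stay `false` unless embedding is required.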
@@ -103,4 +123,40 @@ variable "leads" { description = "array of strings - default [] - when not using AUTH=csso, this is a list of usernames to be treated as leads (users with elevated permissions)" type = list(string) default = [] +} +variable "enable_mmgis_websockets" { + description = "enables websockets so that clients can immediately respond to backend configuration changes" + default = false +} +variable "enable_config_websockets" { + description = "If true, notifications are sent to /configure users whenever the current mission's configuration object changes out from under them and then puts (overridable) limits on saving" + default = false +} +variable "enable_config_override" { + description = "For use when ENABLE_CONFIG_WEBSOCKETS=true (if ENABLE_CONFIG_WEBSOCKETS=false, all saves will freely overwrite already). If true, gives /configure users the ability to override changes made to the configuration while they were working on it with their own." + default = false +} +variable "main_mission" { + description = "If the new MAIN_MISSION ENV is set to a valid mission, skip the landing page and go straight to that mission. Other missions will still be accessible by either forcing the landing page (clicking the top-left M logo) or by going to a link directly." + default = "" +} +variable "skip_client_initial_login" { + description = "If true, MMGIS will not auto-login returning users. This can be useful when login is managed someplace else. The initial login process can be manually triggered with mmgisAPI.initialLogin()" + default = false +} +variable "generate_sourcemap" { + description = "If true at build-time, JavaScript source maps will also be built" + default = false +} +variable "spice_scheduled_kernel_download" { + description = "If true, then at every other midnight, MMGIS will read /Missions/spice-kernels-conf.json and re/download all the specified kernels. 
See /Missions/spice-kernels-conf.example.json" + default = false +} +variable "spice_scheduled_kernel_download_on_start" { + description = "If true, then also triggers the kernel download when MMGIS starts" + default = false +} +variable "spice_scheduled_kernel_cron_expr" { + description = "A cron schedule expression for use in the node-schedule npm library" + default = "0 0 */2 * *" } \ No newline at end of file
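Review bot: The on/off variables added in this hunk (`enable_config_override`, `skip_client_initial_login`, `generate_sourcemap` and the rest) have a boolean default but no `type = bool`, so any string is accepted and placed in `environment_vars`; adding `type = bool` to each rejects typos at plan time. The same applies to `third_party_cookies` and `disable_link_shortener` in the previous hunk. `generate_sourcemap` is described as a build-time flag yet is exported as a runtime environment variable in terraform.tf, so its description should say whether setting it here has any effect.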