[terraform] Consolidate tagging and set up streaming replication

terraform/aiff_lambda.tf

@@ -23,14 +23,12 @@ data "archive_file" "aiff_lambda" {
 resource "aws_iam_policy" "aiff_lambda_policy" {
   name    = "stack-avr-aiff-to-wav"
   policy  = data.aws_iam_policy_document.this_bucket_access.json
-  tags    = local.tags
-}
+  }
 
 resource "aws_iam_role" "aiff_lambda_role" {
   name                  = "stack-avr-aiff-to-wav"
   assume_role_policy    = data.aws_iam_policy_document.lambda_assume_role.json
-  tags                  = local.tags
-}
+  }
 
 resource "aws_iam_role_policy_attachment" "aiff_lambda_role_policy" {
   role          = aws_iam_role.aiff_lambda_role.name
@@ -56,5 +54,4 @@ resource "aws_lambda_function" "aiff_lambda" {
   timeout       = 300
   layers        = [data.aws_lambda_layer_version.ffmpeg.arn]
   publish       = true
-  tags          = local.tags
-}
+  }

terraform/batch_lambda.tf

@@ -31,14 +31,12 @@ data "aws_iam_policy_document" "batch_lambda_policy" {
 resource "aws_iam_policy" "batch_lambda_policy" {
   name    = "stack-avr-batch-ingest"
   policy  = data.aws_iam_policy_document.batch_lambda_policy.json
-  tags    = local.tags
-}
+  }
 
 resource "aws_iam_role" "batch_lambda_role" {
   name                  = "stack-avr-batch-ingest"
   assume_role_policy    = data.aws_iam_policy_document.lambda_assume_role.json
-  tags                  = local.tags
-}
+  }
 
 resource "aws_iam_role_policy_attachment" "batch_lambda_role_policy" {
   role          = aws_iam_role.batch_lambda_role.name
@@ -59,8 +57,7 @@ resource "aws_lambda_function" "batch_lambda" {
   memory_size   = 128
   timeout       = 5
   publish       = true
-  tags          = local.tags
-
+
   environment {
     variables = {
       JobClassName    = "BatchIngestJob"

terraform/ecs.tf

@@ -1,7 +1,6 @@
 resource "aws_ecs_cluster" "avr" {
   name = var.app_name
-  tags = local.tags
-}
+  }
 
 data "aws_acm_certificate" "avr_cert" {
   domain = local.avr_certificate_domain
@@ -106,8 +105,7 @@ resource "aws_security_group" "avr_load_balancer" {
   name          = "${var.app_name}-lb"
   description   = "avr Load Balancer Security Group"
   vpc_id        = module.core.outputs.vpc.id
-  tags          = local.tags
-
+
   egress {
     from_port   = 0
     to_port     = 0
@@ -139,14 +137,12 @@ data "aws_iam_policy" "ecs_exec_command" {
 resource "aws_iam_role" "avr_role" {
   name               = "${var.app_name}-task-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json
-  tags               = local.tags
-}
+  }
 
 resource "aws_iam_policy" "avr_role_policy" {
   name   = "${var.app_name}-policy"
   policy = data.aws_iam_policy_document.avr_role_permissions.json
-  tags   = local.tags
-}
+  }
 
 resource "aws_iam_role_policy_attachment" "avr_role_policy" {
   role       = aws_iam_role.avr_role.id
@@ -156,8 +152,7 @@ resource "aws_iam_role_policy_attachment" "avr_role_policy" {
 resource "aws_iam_policy" "this_bucket_policy" {
   name   = "avr-bucket-access"
   policy = data.aws_iam_policy_document.this_bucket_access.json
-  tags   = local.tags
-}
+  }
 
 resource "aws_iam_role_policy_attachment" "bucket_role_access" {
   role       = aws_iam_role.avr_role.name
@@ -176,16 +171,14 @@ resource "aws_iam_role_policy_attachment" "avr_transcode_passrole" {
 
 resource "aws_cloudwatch_log_group" "avr_logs" {
   name = "/ecs/${var.app_name}"
-  tags = local.tags
-}
+  }
 resource "aws_lb_target_group" "avr_target" {
   port                    = 3000
   deregistration_delay    = 30
   target_type             = "ip"
   protocol                = "HTTP"
   vpc_id                  = module.core.outputs.vpc.id
-  tags                    = local.tags
-
+
   stickiness {
     enabled = false
     type    = "lb_cookie"
@@ -199,8 +192,7 @@ resource "aws_lb" "avr_load_balancer" {
 
   subnets         = module.core.outputs.vpc.public_subnets.ids
   security_groups = [aws_security_group.avr_load_balancer.id]
-  tags    = local.tags
-}
+  }
 
 resource "aws_lb_listener" "avr_lb_listener_http" {
   load_balancer_arn = aws_lb.avr_load_balancer.arn
@@ -216,8 +208,6 @@ resource "aws_lb_listener" "avr_lb_listener_http" {
       status_code = "HTTP_301"
     }
   }
-
-  tags = local.tags
 }
 
 resource "aws_lb_listener" "avr_lb_listener_https" {
@@ -231,8 +221,6 @@ resource "aws_lb_listener" "avr_lb_listener_https" {
     type             = "forward"
     target_group_arn = aws_lb_target_group.avr_target.arn
   }
-
-  tags = local.tags
 }
 
 resource "random_id" "secret_key_base" {

terraform/ecs_services.tf

@@ -42,7 +42,6 @@ module "avr_task_webapp" {
   container_role   = "webapp"
   role_arn         = aws_iam_role.avr_role.arn
   app_name         = var.app_name
-  tags             = local.tags
 }
 
 resource "aws_ecs_service" "avr_webapp" {
@@ -77,8 +76,6 @@ resource "aws_ecs_service" "avr_webapp" {
     ]
     assign_public_ip = false
   }
-
-  tags = local.tags
 }
 
 module "avr_task_worker" {
@@ -89,7 +86,6 @@ module "avr_task_worker" {
   container_role   = "worker"
   role_arn         = aws_iam_role.avr_role.arn
   app_name         = var.app_name
-  tags             = local.tags
 }
 
 resource "aws_ecs_service" "avr_worker" {
@@ -116,6 +112,4 @@ resource "aws_ecs_service" "avr_worker" {
     ]
     assign_public_ip = false
   }
-
-  tags = local.tags
 }

terraform/main.tf

@@ -25,7 +25,20 @@ terraform {
   }
 }
 
-provider "aws" {}
+provider "aws" {
+  default_tags {
+    tags = local.tags
+  }
+}
+
+provider "aws" {
+  alias  = "west"
+  region = "us-west-2"
+
+  default_tags {
+    tags = local.tags
+  }
+}
 
 data "aws_region" "current" {}
 
@@ -62,8 +75,7 @@ data "aws_acm_certificate" "streaming_cert" {
 
 resource "aws_s3_bucket" "avr_masterfiles" {
   bucket = "${local.namespace}-avr-masterfiles"
-  tags   = local.tags
-
+
 
   lifecycle {
     ignore_changes = [bucket]
@@ -96,8 +108,7 @@ resource "aws_s3_bucket_cors_configuration" "avr_masterfiles" {
 
 resource "aws_s3_bucket" "avr_streaming" {
   bucket = "${local.namespace}-avr-derivatives"
-  tags   = local.tags
-
+
   lifecycle {
     ignore_changes = [bucket]
   }
@@ -128,10 +139,19 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "avr_streaming" {
   }
 }
 
+module "avr_streaming_replication" {
+  source              = "git::https://github.com/nulib/infrastructure.git//modules/replication?ref=main"
+  count               = module.core.outputs.stack.environment == "p" ? 1 : 0
+  source_bucket_arn   = aws_s3_bucket.avr_streaming.arn
+  providers = {
+    aws.source = aws
+    aws.target = aws.west
+  }
+}
+
 resource "aws_s3_bucket" "avr_preservation" {
   bucket = "${local.namespace}-avr-preservation"
-  tags   = local.tags
-
+
   lifecycle {
     ignore_changes = [bucket]
   }
@@ -203,8 +223,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "avr_preservation_production" {
 
 resource "aws_s3_bucket" "avr_active_storage" {
   bucket = "${local.namespace}-avr-active-storage"
-  tags   = local.tags
-
+
   lifecycle {
     ignore_changes = [bucket]
   }
@@ -282,8 +301,6 @@ resource "aws_security_group" "avr" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
-  tags = local.tags
 }
 
 resource "aws_security_group_rule" "allow_alb_access" {
@@ -309,8 +326,7 @@ resource "aws_route53_record" "app_hostname" {
 
 resource "aws_iam_role" "transcode_role" {
   name = "${var.app_name}-transcode-role"
-  tags = local.tags
-
+
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -379,26 +395,22 @@ data "aws_iam_policy_document" "pass_transcode_role" {
 resource "aws_iam_policy" "allow_transcode" {
   name   = "${var.app_name}-mediaconvert-access"
   policy = data.aws_iam_policy_document.pass_transcode_role.json
-  tags   = local.tags
-}
+  }
 
 resource "aws_media_convert_queue" "transcode_queue" {
   name   = var.app_name
   status = "ACTIVE"
-  tags   = local.tags
-}
+  }
 
 resource "aws_cloudwatch_log_group" "mediaconvert_state_change_log" {
   name              = "/aws/events/active-encode/mediaconvert/${aws_media_convert_queue.transcode_queue.name}"
   retention_in_days = 7
-  tags              = local.tags
-}
+  }
 
 resource "aws_cloudwatch_event_rule" "mediaconvert_state_change" {
   name        = "${var.app_name}-mediaconvert-state-change"
   description = "Send MediaConvert state changes to Meadow"
-  tags        = local.tags
-
+
   event_pattern = jsonencode({
     source        = ["aws.mediaconvert"]
     "detail-type" = ["MediaConvert Job State Change"]
@@ -470,8 +482,7 @@ resource "aws_cloudfront_distribution" "avr_streaming" {
   retain_on_delete = true
   aliases          = compact(concat([var.streaming_hostname], ["httpstream.${module.core.outputs.vpc.public_dns_zone.name}"]))
   price_class      = "PriceClass_100"
-  tags             = local.tags
-
+
   origin {
     domain_name = aws_s3_bucket.avr_streaming.bucket_domain_name
     origin_id   = "${local.namespace}-${var.app_name}-origin-hls"

terraform/maintenance.tf

@@ -2,8 +2,7 @@ resource "aws_cloudwatch_event_rule" "database_maintenance" {
   name                  = "${var.app_name}-db-maintenance"
   description           = "Clean and vacuum AVR searches and sessions tables"
   schedule_expression   = "cron(0 8 ? * * *)"
-  tags                  = local.tags
-}
+  }
 
 resource "aws_cloudwatch_event_target" "database_maintenance" {
   target_id = "${var.app_name}-db-maintenance-lambda"
@@ -55,8 +54,6 @@ resource "aws_iam_role" "restart_webapp" {
     name    = "${var.app_name}-restart-container"
     policy  = data.aws_iam_policy_document.restart_container.json
   }
-
-  tags = local.tags
 }
 
 resource "aws_scheduler_schedule" "restart_webapp" {

terraform/modules/avr_task/main.tf

@@ -102,5 +102,4 @@ resource "aws_ecs_task_definition" "this_task_definition" {
   requires_compatibilities = ["FARGATE"]
   cpu                      = var.cpu
   memory                   = var.memory
-  tags                     = var.tags
 }

terraform/modules/avr_task/variables.tf

@@ -21,8 +21,3 @@ variable "role_arn" {
 variable "app_name" {
   type    = string
 }
-
-variable "tags" {
-  type    = map(string)
-}
-

terraform/queues.tf

@@ -24,14 +24,12 @@ locals {
 
 resource "aws_sqs_queue" "avr_dead_letter_queue" {
   name     = "${var.app_name}-dead_letter_queue"
-  tags     = local.tags
-}
+  }
 resource "aws_sqs_queue" "active_job_queue" {
   for_each                      = local.queues
   name                          = "${var.app_name}-${each.key}"
   visibility_timeout_seconds    = each.value
-  tags                          = local.tags
-
+
   redrive_policy = jsonencode({
     deadLetterTargetArn = aws_sqs_queue.avr_dead_letter_queue.arn
     maxReceiveCount     = 5