From abcacd6f84f5ddf6d3e1cadf77aa21fe362f3549 Mon Sep 17 00:00:00 2001
From: Maxwell Plotkin <maxwell.a.plotkin@jpl.nasa.gov>
Date: Fri, 16 Aug 2024 14:54:40 -0700
Subject: [PATCH 1/2] Create MMGIS-IAC dir

---
 .gitignore                                    |   3 +
 .../terraform/modules/ec2-docker/add-mmgis.sh |  55 +++++
 MMGIS-IAC/terraform/modules/ec2-docker/bk.tf  |  44 ++++
 MMGIS-IAC/terraform/modules/ec2-docker/lb.tf  |  70 ++++++
 .../terraform/modules/ec2-docker/main.tf      |  18 ++
 .../terraform/modules/ec2-docker/output.tf    |  84 +++++++
 .../terraform/modules/ec2-docker/variables.tf | 108 +++++++++
 MMGIS-IAC/terraform/terraform.tf              | 128 +++++++++++
 MMGIS-IAC/terraform/terraform.tfvars          |   8 +
 MMGIS-IAC/terraform/variables.tf              | 211 ++++++++++++++++++
 10 files changed, 729 insertions(+)
 create mode 100644 MMGIS-IAC/terraform/modules/ec2-docker/add-mmgis.sh
 create mode 100644 MMGIS-IAC/terraform/modules/ec2-docker/bk.tf
 create mode 100644 MMGIS-IAC/terraform/modules/ec2-docker/lb.tf
 create mode 100644 MMGIS-IAC/terraform/modules/ec2-docker/main.tf
 create mode 100644 MMGIS-IAC/terraform/modules/ec2-docker/output.tf
 create mode 100644 MMGIS-IAC/terraform/modules/ec2-docker/variables.tf
 create mode 100644 MMGIS-IAC/terraform/terraform.tf
 create mode 100644 MMGIS-IAC/terraform/terraform.tfvars
 create mode 100644 MMGIS-IAC/terraform/variables.tf

diff --git a/.gitignore b/.gitignore
index 1758360..8e9281e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,6 @@ aws_role_create/identity.txt
 aws_role_create/output.txt
 aws_role_create/policies.list
 aws_role_create/role.txt
+
+MMGIS-IAC/terraform/.terraform
+MMGIS-IAC/terraform/.terraform*
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/add-mmgis.sh b/MMGIS-IAC/terraform/modules/ec2-docker/add-mmgis.sh
new file mode 100644
index 0000000..0c051a3
--- /dev/null
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/add-mmgis.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# From https://gist.github.com/jamesmishra/18ee5d7d053db9958d0e4ccbb37f8e1d
+set -Eeuxo pipefail
+# Filesystem code is adapted from:
+# https://github.com/GSA/devsecops-example/blob/03067f68ee2765f8477ae84235f7faa1d2f2cb70/terraform/files/attach-data-volume.sh
+DEVICE=${local.block_device_path}
+DEST=${var.persistent_volume_mount_path}
+devpath=$(readlink -f $DEVICE)
+
+if [[ $(file -s $devpath) != *ext4* && -b $devpath ]]; then
+    # Filesystem has not been created. Create it!
+    mkfs -t ext4 $devpath
+fi
+# add to fstab if not present
+if ! egrep "^$devpath" /etc/fstab; then
+  echo "$devpath $DEST ext4 defaults,nofail,noatime,nodiratime,barrier=0,data=writeback 0 2" | tee -a /etc/fstab > /dev/null
+fi
+mkdir -p $DEST
+mount $DEST
+chown ec2-user:ec2-user $DEST
+chmod 0755 $DEST
+
+# Filesystem code is over
+# Now we install docker and docker-compose.
+# Adapted from:
+# https://gist.github.com/npearce/6f3c7826c7499587f00957fee62f8ee9
+yum update -y
+amazon-linux-extras install docker
+systemctl start docker.service
+usermod -a -G docker ec2-user
+chkconfig docker on
+yum install -y python3-pip
+python3 -m pip install docker-compose
+
+# Put the docker-compose.yml file at the root of our persistent volume
+cat > $DEST/docker-compose.yml <<-TEMPLATE
+${var.docker_compose_str}
+TEMPLATE
+
+# Write the systemd service that manages us bringing up the service
+cat > /etc/systemd/system/mmgis.service <<-TEMPLATE
+[Unit]
+Description=${var.description}
+After=${var.systemd_after_stage}
+[Service]
+Type=simple
+User=${var.user}
+ExecStart=/usr/local/bin/docker-compose -f $DEST/docker-compose.yml up
+Restart=on-failure
+[Install]
+WantedBy=multi-user.target
+TEMPLATE
+
+# Start the service.
+systemctl start mmgis
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf b/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf
new file mode 100644
index 0000000..d464a42
--- /dev/null
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf
@@ -0,0 +1,44 @@
+locals {
+    block_device_path = "/dev/sdh"
+}
+
+resource "aws_iam_instance_profile" "unity_mmgis_instance_profile" {
+  name = "unity-mmgis-instance-profile-tf"
+
+  role = var.role
+
+  tags = {
+    Name = "unity_mmgis_instance_profile"
+  }
+}
+
+resource "aws_ebs_volume" "persistent" {
+    availability_zone = aws_instance.unity_mmgis_instance.availability_zone
+    size = var.persistent_volume_size_gb
+}
+
+resource "aws_volume_attachment" "persistent" {
+    device_name = local.block_device_path
+    volume_id = aws_ebs_volume.persistent.id
+    instance_id = aws_instance.unity_mmgis_instance.id
+}
+
+
+resource "aws_instance" "unity_mmgis_instance" {
+  ami           = var.ami
+  instance_type = var.instance_type
+
+  tags = {
+    Name = "unity-mmgis-instance-tf"
+  }
+
+  key_name = var.key_name
+
+  vpc_security_group_ids = [var.sg_id]
+
+  subnet_id = var.subnet_id
+
+  iam_instance_profile = aws_iam_instance_profile.unity_mmgis_instance_profile.name
+
+  user_data = file("./modules/ec2-docker/add-mmgis.sh")
+}
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf b/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf
new file mode 100644
index 0000000..0a5ea2b
--- /dev/null
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf
@@ -0,0 +1,70 @@
+# target group
+resource "aws_lb_target_group" "unity_mmgis_tg_tf" {
+  name        = "unity-mmgis-tg-tf"
+  port        = 8080
+  protocol    = "TCP"
+  target_type = "instance"
+  #vpc_id      = data.aws_vpc.default.id
+  vpc_id      = var.vpc_id
+
+  health_check {
+    enabled             = true
+    protocol            = "HTTP"
+    port                = 8080
+    path                = "/unity/v0/collections/MUR25-JPL-L4-GLOB-v4.2_analysed_sst/processes"
+    interval            = 30
+    timeout             = 10
+    matcher             = 200
+    healthy_threshold   = 5
+    unhealthy_threshold = 2
+  }
+
+  tags = {
+    Name = "unity_mmgis_tg_tf"
+  }
+}
+
+# attach instance
+resource "aws_lb_target_group_attachment" "unity_mmgis_tg_attachment_tf" {
+  target_group_arn = aws_lb_target_group.unity_mmgis_tg_tf.arn
+  target_id        = aws_instance.unity_mmgis_instance.id
+  port             = 8080
+}
+
+# create alb
+resource "aws_lb" "unity-mmgis-lb-tf" {
+  name               = "unity-mmgis-lb-tf"
+  load_balancer_type = "network"
+  internal           = true
+  #security_groups    = [var.sg_id]
+  #security_groups    = []
+  #subnets            = [for subnet in aws_subnet.public : subnet.id]
+  subnets            = var.subnet_ids
+
+  enable_deletion_protection = false
+
+  #access_logs {
+  #  bucket  = "tbd"
+  #  prefix  = "mmgis/tbd/unity-mmgis-lb"
+  #  enabled = true
+  #}
+
+  tags = {
+    Name = "unity-mmgis-lb-tf"
+  }
+}
+
+resource "aws_lb_listener" "unity_mmgis_lb_listener" {
+  load_balancer_arn = aws_lb.unity-mmgis-lb-tf.arn
+  port              = 80
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.unity_mmgis_tg_tf.arn
+  }
+
+  tags = {
+    Name = "unity_mmgis_lb_listener"
+  }
+}
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/main.tf b/MMGIS-IAC/terraform/modules/ec2-docker/main.tf
new file mode 100644
index 0000000..d727f24
--- /dev/null
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/main.tf
@@ -0,0 +1,18 @@
+data "aws_ssm_parameter" "vpc_id" {
+  name = "/unity/account/network/vpc_id"
+}
+
+data "aws_ssm_parameter" "subnet_list" {
+  name = "/unity/account/network/subnet_list"
+}
+
+#data "aws_ssm_parameter" "u-cs-ecs" {
+#  name = "/unity/account/ecs/execution_role_arn"
+#}
+
+
+locals {
+  subnet_map = jsondecode(data.aws_ssm_parameter.subnet_list.value)
+  subnet_ids = nonsensitive(local.subnet_map["private"])
+  public_subnet_ids = nonsensitive(local.subnet_map["public"])
+}
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/output.tf b/MMGIS-IAC/terraform/modules/ec2-docker/output.tf
new file mode 100644
index 0000000..7136f94
--- /dev/null
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/output.tf
@@ -0,0 +1,84 @@
+# We try to match the API contract that `aws_instance` has.
+# Descriptions for these outputs are copied from:
+# https://www.terraform.io/docs/providers/aws/r/instance.html
+output "id" {
+    description = "The instance ID"
+    value = aws_instance.unity_mmgis_instance.id
+}
+
+output "arn" {
+    description = "The ARN of the instance"
+    value = aws_instance.unity_mmgis_instance.arn
+}
+
+output "availability_zone" {
+    description = "The availability zone of the instance"
+    value = aws_instance.unity_mmgis_instance.availability_zone
+}
+
+output "placement_group" {
+    description = "The placement group of the instance"
+    value = aws_instance.unity_mmgis_instance.placement_group
+}
+
+output "public_dns" {
+    description = "The public DNS name assigned to the instance. For EC2-VPC, this is only available if you've enabled DNS hostnames for your VPC"
+    value = aws_instance.unity_mmgis_instance.public_dns
+}
+
+output "public_ip" {
+    description  = "The public IP address assigned to the instance, if applicable. NOTE: If you are using an aws_eip with your instance, you should refer to the EIP's address directly and not use public_ip, as this field will change after the EIP is attached."
+    value = aws_instance.unity_mmgis_instance.public_ip
+}
+
+output "ipv6_addresses" {
+    description = "A list of assigned IPv6 addresses, if any"
+    value = aws_instance.unity_mmgis_instance.ipv6_addresses
+}
+
+output "primary_network_interface_id" {
+    description = "The ID of the instance's primary network interface"
+    value = aws_instance.unity_mmgis_instance.primary_network_interface_id
+}
+
+output "private_dns" {
+    description = " The private DNS name assigned to the instance. Can only be used inside the Amazon EC2, and only available if you've enabled DNS hostnames for your VPC"
+    value = aws_instance.unity_mmgis_instance.private_dns
+}
+
+output "private_ip" {
+    description = "The private IP address assigned to the instance"
+    value = aws_instance.unity_mmgis_instance.private_ip
+}
+
+output "security_groups" {
+    description = " The associated security groups."
+    value = aws_instance.unity_mmgis_instance.security_groups
+}
+
+output "vpc_security_group_ids" {
+    description = "The associated security groups in non-default VPC."
+    value = aws_instance.unity_mmgis_instance.vpc_security_group_ids
+}
+
+output "subnet_id" {
+    description = "The VPC subnet ID."
+    value = aws_instance.unity_mmgis_instance.subnet_id
+}
+
+output "credit_specification" {
+    description = " Credit specification of instance."
+    value = aws_instance.unity_mmgis_instance.credit_specification
+}
+
+output "instance_state" {
+    description = "The state of the instance. One of: pending, running, shutting-down, terminated, stopping, stopped. See Instance Lifecycle for more information."
+    value = aws_instance.unity_mmgis_instance.instance_state
+}
+
+# TODO: This is a list with the `aws_instance` resource and we are just
+# returning a string. I know there is an obvious solution for this...
+output "ebs_block_device_id" {
+    description = "The persistent block device that we are storing information on."
+    value = aws_ebs_volume.persistent.id
+}
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/variables.tf b/MMGIS-IAC/terraform/modules/ec2-docker/variables.tf
new file mode 100644
index 0000000..84cbbcc
--- /dev/null
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/variables.tf
@@ -0,0 +1,108 @@
+variable role {
+    type = string
+    default = "unset"
+}
+
+variable vpc_id {
+    type = string
+    default = "unset"
+}
+
+variable subnet_ids {
+    type = list
+    default = ["unset"]
+}
+
+variable ami {
+    type = string
+    default = "unset"
+}
+
+variable sg_id {
+    type = string
+    default = "unset"
+}
+
+### 
+
+variable "name" {
+    description = "Name to be used on all resources"
+    type = string
+    default = "mmgis"
+}
+
+variable "description" {
+    description = "Description of the service for systemd"
+    type = string
+    default = ""
+}
+
+variable "availability_zone" {
+    description = "The availability zone for both the AWS instance and the EBS volume."
+    type = string
+    default = "us-gov-west-1"
+}
+
+variable "systemd_after_stage" {
+    description = "When to run our container. This usually does not need to change."
+    type = string
+    default = "network.target"
+}
+
+variable "user" {
+    description = "What user to run as. You will need to run as root to use one of the lower ports."
+    type = string
+    default = "root"
+}
+
+variable "key_name" {
+    description = "Name of the SSH key to log in with"
+    type = string
+    default = "mmgis-sds.ssh"
+}
+
+variable "instance_type" {
+    description = "The default AWS instance size to run these containers on"
+    type = string
+    default = "t3.medium"
+}
+
+variable "docker_compose_str" {
+    description = "The entire docker compose file to write."
+    type = string
+}
+
+variable "subnet_id" {
+    description = "The VPC subnet to launch the instance in"
+    type = string
+}
+
+variable "vpc_security_group_ids" {
+    description = "The security groups that the instance should have"
+    type = list(string)
+    default = []
+}
+
+variable "iam_instance_profile" {
+    description = "The name of the IAM instance profile to give to the EC2 instance"
+    type = string
+    default = ""
+}
+
+variable "associate_public_ip_address" {
+    description = "Whether to associate a public IP address in the VPC"
+    type = bool
+    default = false
+}
+
+variable "persistent_volume_size_gb" {
+    description = "The size of the volume mounted"
+    type = number
+    default = 20
+}
+
+variable "persistent_volume_mount_path" {
+    description = "Where on the filesystem to mount our persistent volume"
+    type = string
+    default = "/persistent"
+}
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/terraform.tf b/MMGIS-IAC/terraform/terraform.tf
new file mode 100644
index 0000000..282a574
--- /dev/null
+++ b/MMGIS-IAC/terraform/terraform.tf
@@ -0,0 +1,128 @@
+provider "aws" {
+  region = var.region
+  profile = var.profile
+
+  default_tags {
+    tags = var.common_tags
+  }
+}
+
+# ===== OUR MAGIC DOCKER-COMPOSE.YML FILE HERE =====
+# It is also possible to get Terraform to read an external `docker-compose.yml`
+# file and load it into this variable.
+# We'll be showing off a demo nginx page.
+variable "docker-compose" {
+    type = string
+    default =  <<EOF
+version: "3"
+services:
+  mmgis:
+    image: ghcr.io/nasa-ammos/mmgis:development
+    depends_on:
+      - mmgis.db
+    environment:
+    volumes:
+      - /var/www/html/Missions/:/usr/src/app/Missions
+  mmgis.db:
+    image: postgis/postgis:10-2.5-alpine
+    environment:
+      - POSTGRES_PASSWORD         = var.db_pass
+      - SERVER                    = var.server
+      - AUTH                      = var.auth
+      - NODE_ENV                  = var.node_env
+      - DB_HOST                   = var.db_host
+      - DB_PORT                   = var.db_port
+      - DB_NAME                   = var.db_name
+      - DB_USER                   = var.db_user
+      - PORT                      = var.app_listening_port
+      - DB_POOL_MAX               = var.db_pool_max
+      - DB_POOL_TIMEOUT           = var.db_pool_timeout
+      - DB_POOL_IDLE              = var.db_pool_idle
+      - CSSO_GROUPS               = var.csso_groups
+      - VERBOSE_LOGGING           = var.verbose_logging
+      - FRAME_ANCESTORS           = var.frame_ancestors
+      - FRAME_SRC                 = var.frame_src
+      - THIRD_PARTY_COOKIES       = var.third_party_cookies
+      - ROOT_PATH                 = var.root_path
+      - WEBSOCKET_ROOT_PATH       = var.websocket_root_path
+      - CLEARANCE_NUMBER          = var.clearance_number
+      - DISABLE_LINK_SHORTENER    = var.disable_link_shortener
+      - HIDE_CONFIG               = var.hide_config
+      - FORCE_CONFIG_PATH         = var.force_config_path
+      - LEADS                     = var.leads
+      - ENABLE_MMGIS_WEBSOCKETS   = var.enable_mmgis_websockets
+      - ENABLE_CONFIG_WEBSOCKETS  = var.enable_config_websockets
+      - ENABLE_CONFIG_OVERRIDE    = var.enable_config_override
+      - MAIN_MISSION              = var.main_mission
+      - SKIP_CLIENT_INITIAL_LOGIN = var.skip_client_initial_login
+      - GENERATE_SOURCEMAP        = var.generate_sourcemap
+      - SPICE_SCHEDULED_KERNEL_DOWNLOAD = var.spice_scheduled_kernel_download
+      - SPICE_SCHEDULED_KERNEL_DOWNLOAD_ON_START = var.spice_scheduled_kernel_download_on_start
+      - SPICE_SCHEDULED_KERNEL_cron_expr = var.spice_scheduled_kernel_cron_expr
+      - SECRET                    = var.secret
+      - DB_PASS                   = var.db_pass
+    ports:
+      - 5432:5432
+    restart: on-failure
+    volumes:
+      - mmgis-db:/var/lib/postgresql/data
+EOF
+}
+
+# Configure the VPC that we will use.
+# resource "aws_vpc" "prod" {
+  # cidr_block = "10.0.0.0/16"
+  # enable_dns_hostnames = true
+# }
+
+# resource "aws_internet_gateway" "prod" {
+  # vpc_id = aws_vpc.prod.id
+# }
+
+# resource "aws_route" "prod__to_internet" {
+  # route_table_id = aws_vpc.prod.main_route_table_id
+  # destination_cidr_block = "0.0.0.0/0"
+  # gateway_id = aws_internet_gateway.prod.id
+# }
+
+# resource "aws_subnet" "prod" {
+  # vpc_id = aws_vpc.prod.id
+  # availability_zone = var.region
+  # cidr_block = "10.0.0.0/18"
+  # map_public_ip_on_launch = true
+  # depends_on = [aws_internet_gateway.prod]
+# }
+
+# Allow port 80 so we can connect to the container.
+resource "aws_security_group" "allow_http" {
+    name = "allow_http"
+    description = "Show off how we run a docker-compose file."
+
+    ingress {
+        from_port = 80
+        to_port = 80
+        protocol = "tcp"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
+    egress {
+        from_port = 0
+        to_port = 0
+        protocol = "-1"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
+}
+
+# Make sure to download the other files into the `modules/ec2-docker`
+# directory
+module "run-mmgis-ec2-docker" {
+    source =  "./modules/ec2-docker"
+    name = "mmgis-ec2-docker"
+    key_name = var.key_name
+    instance_type = "t3.medium"
+    docker_compose_str = var.docker-compose
+    subnet_id = var.subnet_id
+    availability_zone = var.availability_zone
+    vpc_security_group_ids = [aws_security_group.allow_http.id]
+    associate_public_ip_address = true
+    persistent_volume_size_gb = 20 
+}
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/terraform.tfvars b/MMGIS-IAC/terraform/terraform.tfvars
new file mode 100644
index 0000000..35d7d28
--- /dev/null
+++ b/MMGIS-IAC/terraform/terraform.tfvars
@@ -0,0 +1,8 @@
+deployment_name = "mmgis"
+mgmt_dns = ""
+tags = { name = "mmgis" }
+secret = "secret"
+db_user = "postgres"
+db_pass = "postgres"
+region = "us-west-2"
+profile = "429178552491_mcp-tenantDeveloper"
\ No newline at end of file
diff --git a/MMGIS-IAC/terraform/variables.tf b/MMGIS-IAC/terraform/variables.tf
new file mode 100644
index 0000000..e72b005
--- /dev/null
+++ b/MMGIS-IAC/terraform/variables.tf
@@ -0,0 +1,211 @@
+# UNITY
+variable "region" {
+  description = "AWS region"
+  type = string
+  default = "us-gov-west-1"
+}
+
+variable "profile" {
+  description = "AWS profile"
+  type = string
+  default = "unset"
+}
+
+variable "common_tags" {
+  description = "Common AWS Tags"
+  type = map(string)
+  default = {}
+}
+
+variable "tags" {
+  description = "AWS Tags"
+  type = map(string)
+  default = {}
+}
+
+variable "deployment_name" {
+  description = "The deployment name"
+  type        = string
+  default = "mmgis"
+}
+
+variable "mgmt_dns" {
+  description = "The DNS or IP of the ALB or EC2 instance"
+  type = string
+}
+
+variable "project"{
+  description = "The unity project its installed into"
+  type = string
+  default = "UnknownProject"
+}
+
+variable "venue" {
+  description = "The unity venue its installed into"
+  type = string
+  default = "UnknownVenue"
+}
+
+variable "installprefix" {
+  description = "The management console install prefix"
+  type = string
+  default = "UnknownPrefix"
+}
+
+# INFRASTRUCTURE
+//TODO derive from SSM parameters
+variable "subnet_id" {
+  description = "Subnet ID"
+  type = string
+  default = "subnet-0cde2f69ef0ce1a7d"
+}
+
+//TODO derive from SSM parameters
+variable "availability_zone" {
+  description = "Subnet availability zone"
+  type = string
+  default = "usw2-az2"
+}
+
+variable "key_name" {
+    description = "Name of the SSH key to log in with"
+    type = string
+    default = "mmgis-sds.ssh"
+}
+
+# MMGIS
+
+variable "server" {
+  default = "node"
+}
+variable "auth" {
+  default = "none"
+}
+variable "node_env" {
+  default = "production"
+}
+variable "secret" {
+  description = "Some random string"
+  sensitive = true
+}
+variable "db_host" {
+  description = "postgres db endpoint"
+  default = "db"
+}
+variable "db_port" {
+  description = "postgres db port"
+  default     = 5432
+}
+variable "db_name" {
+  description = "postgres db name"
+  default = "db"
+}
+variable "db_user" {
+  description = "postgres db user"
+}
+variable "db_pass" {
+  description = "postgres db password"
+  sensitive = true
+}
+variable "port" {
+  description = "Port to run on"
+  default = 3000
+}
+variable "db_pool_max" {
+  description = "Max number connections in the database's pool. CPUs * 4 is a good number"
+  default = 10
+}
+variable "db_pool_timeout" {
+  description = "How many milliseconds until a DB connection times out"
+  default = 30000
+}
+variable "db_pool_idle" {
+  description = "How many milliseconds for an incoming connection to wait for a DB connection before getting kicked away"
+  default = 10000
+}
+variable "csso_groups" {
+  description = "A list of CSSO LDAP groups that have access"
+  type        = list(string)
+  default = []
+}
+variable "verbose_logging" {
+  description = "logs a bunch of extra stuff for development purposes"
+  default     = false
+}
+variable "frame_ancestors" {
+  description = "Sets the Content-Security-Policy: frame-ancestors header to allow the embedding of MMGIS in the specified external sites"
+  default = false
+}
+variable "frame_src" {
+  description = "Sets the Content-Security-Policy: frame-src header to allow the embedding iframes from external origins into MMGIS"
+  default = false
+}
+variable "third_party_cookies" {
+  description = "Sets 'SameSite=None; Secure' on the login cookie. Useful when using AUTH=local as an iframe within a cross-origin page."
+  default     = false
+}
+variable "root_path" {
+  description = "Set MMGIS to be deployed under a subpath. For example if serving at the subpath 'https://{domain}/path/where/I/serve/mmgis' is desired, set ROOT_PATH=/path/where/I/serve/mmgis. If no subpath, leave blank."
+  default     = ""
+}
+variable "websocket_root_path" {
+  description = "Overrides ROOT_PATH's use when the client connects via websocket. Websocket url: {ws_protocol}://{window.location.host}{WEBSOCKET_ROOT_PATH || ROOT_PATH || ''}/"
+  default     = ""
+}
+variable "clearance_number" {
+  description = "Sets a clearance number for the website"
+  default     = "CL##-####"
+}
+variable "disable_link_shortener" {
+  description = "If true, users that use the 'Copy Link' feature will receive a full-length deep link. Writing new short links will be disabled but expanding existing ones will still work."
+  default     = false
+}
+variable "hide_config" {
+  description = "make the configure page inaccessible to everyone"
+  default     = false
+}
+variable "force_config_path" {
+  description = "the path to a json config file that acts as the only configured mission for the instance"
+  default     = ""
+}
+variable "leads" {
+  description = "array of strings - default [] - when not using AUTH=csso, this is a list of usernames to be treated as leads (users with elevated permissions)"
+  type        = list(string)
+  default     = []
+}
+variable "enable_mmgis_websockets" {
+  description = "enables websockets so that clients can immediately respond to backend configuration changes"
+  default     = false
+}
+variable "enable_config_websockets" {
+  description = "If true, notifications are sent to /configure users whenever the current mission's configuration object changes out from under them and then puts (overridable) limits on saving"
+  default     = false
+}
+variable "enable_config_override" {
+  description = "For use when ENABLE_CONFIG_WEBSOCKETS=true (if ENABLE_CONFIG_WEBSOCKETS=false, all saves will freely overwrite already). If true, gives /configure users the ability to override changes made to the configuration while they were working on it with their own."
+  default     = false
+}
+variable "main_mission" {
+  description = "If the new MAIN_MISSION ENV is set to a valid mission, skip the landing page and go straight to that mission. Other missions will still be accessible by either forcing the landing page (clicking the top-left M logo) or by going to a link directly."
+  default     = ""
+}
+variable "skip_client_initial_login" {
+  description = "If true, MMGIS will not auto-login returning users. This can be useful when login is managed someplace else. The initial login process can be manually triggered with mmgisAPI.initialLogin()"
+  default     = false
+}
+variable "generate_sourcemap" {
+  description = "If true at build-time, JavaScript source maps will also be built"
+  default     = false
+}
+variable "spice_scheduled_kernel_download" {
+  description = "If true, then at every other midnight, MMGIS will read /Missions/spice-kernels-conf.json and re/download all the specified kernels. See /Missions/spice-kernels-conf.example.json"
+  default     = false
+}
+variable "spice_scheduled_kernel_download_on_start" {
+  description = "If true, then also triggers the kernel download when MMGIS starts"
+  default     = false
+}
+variable "spice_scheduled_kernel_cron_expr" {
+  description = "A cron schedule expression for use in the node-schedule npm library"
+  default     = "0 0 */2 * *"
+}
\ No newline at end of file

From 11e965eea6038ef52d7cdc7f5e4b21ad5344e9e8 Mon Sep 17 00:00:00 2001
From: Maxwell Plotkin <maxwell.a.plotkin@jpl.nasa.gov>
Date: Fri, 13 Sep 2024 12:15:42 -0700
Subject: [PATCH 2/2] MMGIS terraform deploys without error

---
 MMGIS-IAC/terraform/modules/ec2-docker/bk.tf | 34 ++++++++++++++++----
 MMGIS-IAC/terraform/modules/ec2-docker/lb.tf |  4 +--
 MMGIS-IAC/terraform/terraform.tf             | 10 ++++++
 MMGIS-IAC/terraform/terraform.tfvars         |  2 +-
 4 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf b/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf
index d464a42..67c4fde 100644
--- a/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/bk.tf
@@ -2,16 +2,38 @@ locals {
     block_device_path = "/dev/sdh"
 }
 
+data "aws_iam_role" "existing_role" {
+  name = "Unity-CS_Service_Role"
+}
+
+data "aws_ssm_parameter" "mmgis_ami_id" {
+  name = "/mcp/amis/ubuntu2004-cset"
+}
+
+data "aws_ssm_parameter" "subnet_id" {
+  name = "/unity/account/network/publicsubnet1"
+}
+
+resource "aws_security_group" "allow_tls" {
+  name        = "allow_tls"
+  description = "Allow TLS inbound traffic and all outbound traffic"
+  vpc_id      = data.aws_ssm_parameter.vpc_id.value
+
+  tags = {
+    Name = "allow_tls"
+  }
+}
+
 resource "aws_iam_instance_profile" "unity_mmgis_instance_profile" {
   name = "unity-mmgis-instance-profile-tf"
 
-  role = var.role
+  role = data.aws_iam_role.existing_role.name
 
   tags = {
     Name = "unity_mmgis_instance_profile"
   }
 }
-
+ 
 resource "aws_ebs_volume" "persistent" {
     availability_zone = aws_instance.unity_mmgis_instance.availability_zone
     size = var.persistent_volume_size_gb
@@ -25,18 +47,16 @@ resource "aws_volume_attachment" "persistent" {
 
 
 resource "aws_instance" "unity_mmgis_instance" {
-  ami           = var.ami
+  ami           = data.aws_ssm_parameter.mmgis_ami_id.value
   instance_type = var.instance_type
 
   tags = {
     Name = "unity-mmgis-instance-tf"
   }
 
-  key_name = var.key_name
-
-  vpc_security_group_ids = [var.sg_id]
+  vpc_security_group_ids = [ aws_security_group.allow_tls.id ]
 
-  subnet_id = var.subnet_id
+  subnet_id = data.aws_ssm_parameter.subnet_id.value
 
   iam_instance_profile = aws_iam_instance_profile.unity_mmgis_instance_profile.name
 
diff --git a/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf b/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf
index 0a5ea2b..658ad8f 100644
--- a/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf
+++ b/MMGIS-IAC/terraform/modules/ec2-docker/lb.tf
@@ -5,7 +5,7 @@ resource "aws_lb_target_group" "unity_mmgis_tg_tf" {
   protocol    = "TCP"
   target_type = "instance"
   #vpc_id      = data.aws_vpc.default.id
-  vpc_id      = var.vpc_id
+  vpc_id      = data.aws_ssm_parameter.vpc_id.value
 
   health_check {
     enabled             = true
@@ -39,7 +39,7 @@ resource "aws_lb" "unity-mmgis-lb-tf" {
   #security_groups    = [var.sg_id]
   #security_groups    = []
   #subnets            = [for subnet in aws_subnet.public : subnet.id]
-  subnets            = var.subnet_ids
+  subnets            = jsondecode(data.aws_ssm_parameter.subnet_list.value).public
 
   enable_deletion_protection = false
 
diff --git a/MMGIS-IAC/terraform/terraform.tf b/MMGIS-IAC/terraform/terraform.tf
index 282a574..3a11844 100644
--- a/MMGIS-IAC/terraform/terraform.tf
+++ b/MMGIS-IAC/terraform/terraform.tf
@@ -7,6 +7,14 @@ provider "aws" {
   }
 }
 
+data "aws_ssm_parameter" "vpc_id" {
+  name = "/unity/account/network/vpc_id"
+}
+ 
+data "aws_ssm_parameter" "subnet_list" {
+  name = "/unity/account/network/subnet_list"
+}
+
 # ===== OUR MAGIC DOCKER-COMPOSE.YML FILE HERE =====
 # It is also possible to get Terraform to read an external `docker-compose.yml`
 # file and load it into this variable.
@@ -97,6 +105,8 @@ EOF
 resource "aws_security_group" "allow_http" {
     name = "allow_http"
     description = "Show off how we run a docker-compose file."
+    vpc_id = data.aws_ssm_parameter.vpc_id.value
+
 
     ingress {
         from_port = 80
diff --git a/MMGIS-IAC/terraform/terraform.tfvars b/MMGIS-IAC/terraform/terraform.tfvars
index 35d7d28..b140baa 100644
--- a/MMGIS-IAC/terraform/terraform.tfvars
+++ b/MMGIS-IAC/terraform/terraform.tfvars
@@ -5,4 +5,4 @@ secret = "secret"
 db_user = "postgres"
 db_pass = "postgres"
 region = "us-west-2"
-profile = "429178552491_mcp-tenantDeveloper"
\ No newline at end of file
+profile = "429178552491_mcp-tenantOperator"
\ No newline at end of file