PLT-1445 Service module adoption for AB2D contracts, events and worker services

[jscott-nava]

🎫 Ticket

https://jira.cms.gov/browse/PLT-1445

🛠 Changes

This PR contains the changes required to migrate the AB2D contracts, events and worker services onto the CDAP service module.

The following two caveats should be noted:

• Due to the use of a shared platform module the tags for the services are updated from either contracts or events to microservices. If this is not desired then microservice-specific platform modules could be passed in instead.
• The events_service force_new_deployment flag is reverted from true to false which would indicate that during the previous tofu apply in the test environment this setting was overridden with an image tag which sets the flag to true.
• This PR depends on the CDAP service module updates pending review in PLT-1445 Service module updates for AB2D adoption cdap#360; prior to merging this PR, the CDAP PR must be merged and then the module references in this PR updated with the new commit hash.
• The unit-integration-test/sonarqube/test check on this PR failed (https://github.com/CMSgov/ab2d/actions/runs/20345958599/job/58458189335?pr=1663) with errors that appear to be unrelated to these changes. Please advise whether this test is flaky or whether it indicates an issue introduced by these changes.
• A health_check_grace_period_seconds variable was added to the service module to prevent errors from setting this value to 300 for the worker service given that it is not associated with a load balancer; see [Bug]: Breaking change: Health check grace period is only valid for services configured to use load balancers hashicorp/terraform-provider-aws#31104 for more details.

ℹ️ Context

With the AB2D api service having already been migrated to the CDAP service module, this PR addresses service module adoption for the remaining three AB2D services.

🧪 Validation

Tofu plan output for 20-microservices (AB2D-TEST)

OpenTofu will perform the following actions:

  # module.contracts_service.aws_ecs_service.this will be updated in-place
  # (moved from aws_ecs_service.contracts)
  ~ resource "aws_ecs_service" "this" {
        id                                 = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:service/ab2d-test-microservices/ab2d-test-contracts"
        name                               = "ab2d-test-contracts"
      ~ tags                               = {
          - "service" = "contracts" -> null
        }
      ~ tags_all                           = {
          ~ "service"        = "contracts" -> "microservices"
            # (6 unchanged elements hidden)
        }
      ~ task_definition                    = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:task-definition/ab2d-test-contracts:30" -> (known after apply)
        # (16 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.contracts_service.aws_ecs_task_definition.this must be replaced
  # (moved from aws_ecs_task_definition.contracts)
-/+ resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:task-definition/ab2d-test-contracts:30" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:task-definition/ab2d-test-contracts" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  - essential              = true
                  ~ logConfiguration       = {
                      ~ options   = {
                          ~ awslogs-group         = "/aws/ecs/fargate/ab2d-test/ab2d_contracts" -> "/aws/ecs/fargate/ab2d-test/contracts"
                            # (3 unchanged attributes hidden)
                        }
                        # (1 unchanged attribute hidden)
                    }
                  ~ name                   = "contracts-service-container" -> "contracts"
                  - systemControls         = []
                  - volumesFrom            = []
                    # (6 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "ab2d-test-contracts" -> (known after apply)
      ~ revision                 = 30 -> (known after apply)
      - tags                     = {} -> null
        # (10 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.events_service.aws_ecs_service.this will be updated in-place
  # (moved from aws_ecs_service.events)
  ~ resource "aws_ecs_service" "this" {
      ~ force_new_deployment               = true -> false
        id                                 = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:service/ab2d-test-microservices/ab2d-test-events"
        name                               = "ab2d-test-events"
      ~ tags                               = {
          - "service" = "events" -> null
        }
      ~ tags_all                           = {
          ~ "service"        = "events" -> "microservices"
            # (6 unchanged elements hidden)
        }
      ~ task_definition                    = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:task-definition/ab2d-test-events:18" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.events_service.aws_ecs_task_definition.this must be replaced
  # (moved from aws_ecs_task_definition.events)
-/+ resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:task-definition/ab2d-test-events:18" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:task-definition/ab2d-test-events" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  - essential              = true
                  ~ logConfiguration       = {
                      ~ options   = {
                          ~ awslogs-group         = "/aws/ecs/fargate/ab2d-test/ab2d_events" -> "/aws/ecs/fargate/ab2d-test/events"
                            # (3 unchanged attributes hidden)
                        }
                        # (1 unchanged attribute hidden)
                    }
                  ~ name                   = "events-service-container" -> "events"
                  - systemControls         = []
                  - volumesFrom            = []
                    # (6 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "ab2d-test-events" -> (known after apply)
      ~ revision                 = 18 -> (known after apply)
      - tags                     = {} -> null
        # (10 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 2 to add, 2 to change, 2 to destroy.

Tofu plan output for 30-worker (AB2D-TEST)

OpenTofu will perform the following actions:

  # module.service.aws_ecs_service.this will be updated in-place
  # (moved from aws_ecs_service.worker)
  ~ resource "aws_ecs_service" "this" {
        id                                 = "arn:aws:ecs:us-east-1:xxxxxxxxxxxx:service/ab2d-test-worker/ab2d-test-worker"
        name                               = "ab2d-test-worker"
      ~ platform_version                   = "LATEST" -> "1.4.0"
        tags                               = {}
        # (17 unchanged attributes hidden)

      ~ network_configuration {
          ~ subnets          = (sensitive value)
            # (2 unchanged attributes hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.worker has moved to module.service.aws_ecs_task_definition.this
    resource "aws_ecs_task_definition" "this" {
        id                       = "ab2d-test-worker"
        tags                     = {}
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

[bennavapbc]

Will likely want to merge #1666 first? cc @juliareynolds-nava

[jscott-nava]

Changes have been made both to this PR and the related CDAP service module PR - see the updated Tofu plans in the description.

[gsf]

Due to the use of a shared platform module the tags for the services are updated from either contracts or events to microservices. If this is not desired then microservice-specific platform modules could be passed in instead.

Apologies for not catching this earlier, but I'm fairly certain that the ab2d team will want contracts and events to have tags specific to each service. Please do create separate platform instances for each.

[bennavapbc]

I'm fairly certain that the ab2d team will want contracts and events to have tags specific to each service.

Correct.

[mjburling]

Apologies for not catching this earlier, but I'm fairly certain that the ab2d team will want contracts and events to have tags specific to each service.

This probably ought to split 20-microservices into 20-events and 20-contracts. This is a holdover from the legacy microservices module from archived ab2d-ops repository. There's no reason for them to continue to be bundled together.

Please do create separate platform instances for each.

Re-declaring the platform module here won't help matters without modifying CDAP's service module to allow for tag overrides–tagging is controlled by the provider definitions in ../root.tofu.tf included in this root module.

[juliareynolds-nava]

AB2D is going to need this TRUSTSTORE cert value for the mtls V3 update.

[mianava]

Can this be refined: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html

[gfreeman-navapbc]

Probably, it was just copied over from the /20-microservices/ directory since I wasn't quite sure which service depended on it

[mianava]

is this the same for every environment?

[gfreeman-navapbc]

It's taken from the old microservices directory that included both of these. So I would assume so.

[mianava]

I recommend sorting these so settings like cpu, image, memory, healtcheck grace period, are together, IAM roles are together or with other relevant settings, and then very common objects like platform are at the bottom

[gfreeman-navapbc]

Sure, I'll capture any of this cleanup work in a separate ticket.

[mianava]

Still relevant?

[gfreeman-navapbc]

I'm going to group these "relevancy" comments together, but this is a month old PR that has surely seen things come and go as it has been open. If this is no longer relevant I would suggest we take it out in a different ticket and get this work over the line.

[mianava]

Noting this is a lift and set of existing resources and there might be future work around terraform style.