update docs

oavdeev · oavdeev · commit caa34cc681ea · 2021-12-02T11:56:15.000-08:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -22,3 +22,6 @@ repos:
       - id: terraform-docs-go
         name: "Step Functions terraform module docs"
         args: ["-c", "modules/.terraform-docs.yml", "markdown", "modules/step-functions"]
+      - id: terraform-docs-go
+        name: "UI terraform module docs"
+        args: ["-c", "modules/.terraform-docs.yml", "markdown", "modules/ui"]
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ This module consists of submodules that can be used separately as well:
 - resources to deploy Metaflow flows on Step Functions processing ([`metaflow-step-functions`](./modules/step-functions))
 - Metaflow UI([`metaflow-ui`](./modules/ui))
 
+![modules diagram](./docs/terraform_modules.png)
+
 You can either use this high-level module, or submodules individually. See each module's corresponding `README.md` for more details.
 
 This module requires an Amazon VPC to be set up by the module user beforehand. The output of the project `infra` is an example configuration of an Amazon VPC that can be passed to this module.
diff --git a/docs/terraform_modules.png b/docs/terraform_modules.png
diff --git a/modules/ui/README.md b/modules/ui/README.md
@@ -1,6 +1,8 @@
 # UI
 
-Metaflow operational UI
+Metaflow operational UI. This module deploys the UI as a set of Fargate tasks. It connects to an existing RDS instance, that can be created by Metaflow [`datastore`](../datastore) module.
+
+The services are deployed behind an AWS ALB, and the module will output the ALB DNS name. Note that the UI is deployed with no auth by default, you can limit the users by IP by using `ui_cidr_allow_list` parameter.
 
 <!-- BEGIN_TF_DOCS -->
 ## Inputs
@@ -26,9 +28,9 @@ Metaflow operational UI
 | <a name="input_standard_tags"></a> [standard\_tags](#input\_standard\_tags) | The standard tags to apply to every AWS resource. | `map(string)` | n/a | yes |
 | <a name="input_subnet1_id"></a> [subnet1\_id](#input\_subnet1\_id) | First private subnet used for availability zone redundancy | `string` | n/a | yes |
 | <a name="input_subnet2_id"></a> [subnet2\_id](#input\_subnet2\_id) | Second private subnet used for availability zone redundancy | `string` | n/a | yes |
+| <a name="input_ui_allow_list"></a> [ui\_allow\_list](#input\_ui\_allow\_list) | A list of CIDRs the UI will be available to | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_ui_backend_container_image"></a> [ui\_backend\_container\_image](#input\_ui\_backend\_container\_image) | Container image for UI backend | `string` | `"netflixoss/metaflow_metadata_service:2.1.0"` | no |
-| <a name="input_ui_static_container_image"></a> [ui\_static\_container\_image](#input\_ui\_static\_container\_image) | Container image for UI static app | `string` | `"public.ecr.aws/outerbounds/metaflow_ui:v1.0.1"` | no |
-| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The VPC CIDR block that we'll access list on our Metadata Service API to allow all internal communications | `string` | n/a | yes |
+| <a name="input_ui_static_container_image"></a> [ui\_static\_container\_image](#input\_ui\_static\_container\_image) | Container image for the UI frontend app | `string` | `"public.ecr.aws/outerbounds/metaflow_ui:v1.0.1"` | no |
 
 ## Outputs
 
diff --git a/modules/ui/ec2.tf b/modules/ui/ec2.tf
@@ -44,7 +44,7 @@ resource "aws_security_group" "ui_lb_security_group" {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = var.cidr_allow_list
     description = "Allow public HTTPS"
   }
 
diff --git a/modules/ui/variables.tf b/modules/ui/variables.tf
@@ -76,11 +76,6 @@ variable "subnet2_id" {
   description = "Second private subnet used for availability zone redundancy"
 }
 
-variable "vpc_cidr_block" {
-  type        = string
-  description = "The VPC CIDR block that we'll access list on our Metadata Service API to allow all internal communications"
-}
-
 variable "certificate_arn" {
   type        = string
   description = "SSL certificate ARN"
@@ -112,5 +107,11 @@ variable "ui_backend_container_image" {
 variable "ui_static_container_image" {
   type = string
   default = "public.ecr.aws/outerbounds/metaflow_ui:v1.0.1"
-  description = "Container image for UI static app"
+  description = "Container image for the UI frontend app"
+}
+
+variable "ui_allow_list" {
+  type        = list(string)
+  description = "A list of CIDRs the UI will be available to"
+  default     = ["0.0.0.0/0"]
 }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ resource "aws_security_group" "ui_lb_security_group" {`
`44`	`44`	`from_port = 443`
`45`	`45`	`to_port = 443`
`46`	`46`	`protocol = "tcp"`
`47`		`- cidr_blocks = ["0.0.0.0/0"]`
	`47`	`+ cidr_blocks = var.cidr_allow_list`
`48`	`48`	`description = "Allow public HTTPS"`
`49`	`49`	`}`
`50`	`50`