Functional non parametrized ecs api template

1 year ago · 62c8acb0e8
17 changed files with 472 additions and 77 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 .terraform
 .terraform*
-*.tfstate*
+*.tfstate
--- a/README.md
+++ b/README.md
@ -4,5 +4,7 @@ Provisioning scripts for personal learning.
 References
 - [gruntwork](https://blog.gruntwork.io/an-introduction-to-terraform-f17df9c6d180)
- - https://section411.com/2019/07/hello-world/
+ - [section41 blog post](https://section411.com/2019/07/hello-world/) tutorial on aws fargate with terraform
- - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition
+-  aws ecs task definition [[terraform]] [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition)
 -  [dwmkerr](https://dwmkerr.com/dynamic-and-configurable-availability-zones-in-terraform/) blog tutorial on how to use terraform interpotaion to create dynamic resources given an array of parameters
 -  [Setup ECS Fargate and CloudFront with Terraform](https://awstip.com/ecs-fargate-with-terraform-9cd755d46039) tutorial that works but I can't figure how its connected to all subents
--- a/aws_fargate/alb.tf
+++ b/aws_fargate/alb.tf
@ -0,0 +1,40 @@
 resource "aws_lb_target_group" "api_lb_target" {
  name        = "my-api"
  port        = 3000
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = aws_vpc.app_vpc.id
  health_check {
    enabled = true
    path    = "/health"
  }
  depends_on = [aws_alb.api_lb]
 }
 resource "aws_alb" "api_lb" {
  name               = "${var.project}-api-lb"
  internal           = false
  load_balancer_type = "application"
  subnets            = [for s in aws_subnet.public_subnet : s.id]
  security_groups = [
    aws_security_group.http.id,
    aws_security_group.https.id,
    aws_security_group.egress_all.id,
    aws_security_group.ingress_api.id,
  ]
  depends_on = [aws_internet_gateway.igw]
 }
 resource "aws_alb_listener" "api_http_listener" {
  load_balancer_arn = aws_alb.api_lb.arn
  port              = "80"
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api_lb_target.arn
  }
 }
 output "alb_url" {
  value = "http://${aws_alb.api_lb.dns_name}"
 }
--- a/aws_fargate/ecs.tf
+++ b/aws_fargate/ecs.tf
@ -0,0 +1,61 @@
 locals {
  api_name = "${var.project}-api"
 }
 resource "aws_ecs_cluster" "my_cluster" {
  name = "my_cluster"
 }
 resource "aws_ecs_service" "api_ecs" {
  name            = local.api_name
  task_definition = aws_ecs_task_definition.api_task.arn
  cluster         = aws_ecs_cluster.my_cluster.id
  launch_type     = "FARGATE"
  load_balancer {
    target_group_arn = aws_lb_target_group.api_lb_target.arn
    container_name   = local.api_name
    container_port   = "3000"
  }
  desired_count = 1
  network_configuration {
    assign_public_ip = false
    security_groups = [
      aws_security_group.egress_all.id,
      aws_security_group.ingress_api.id,
    ]
    subnets = [for s in aws_subnet.private_subnet : s.id]
  }
 }
 resource "aws_ecs_task_definition" "api_task" {
  family                   = local.api_name
  execution_role_arn       = aws_iam_role.api_exec_role.arn
  cpu                      = 256
  memory                   = 512
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  container_definitions = jsonencode([
    {
      name  = local.api_name,
      image = var.container_image,
      portMappings = [
        {
          containerPort = 3000
        }
      ],
      logConfiguration = {
        logDriver = "awslogs",
        options = {
          awslogs-region        = var.region,
          awslogs-group         = "/ecs/${local.api_name}",
          awslogs-stream-prefix = "ecs"
        }
      }
    }
  ])
 }
 resource "aws_cloudwatch_log_group" "log_group" {
  name = "/ecs/${local.api_name}"
 }
--- a/aws_fargate/iam.tf
+++ b/aws_fargate/iam.tf
@ -1,24 +1,20 @@
 resource "aws_iam_role" "api_exec_role" {
  name               = "${var.project}-exec-role"
-  assume_role_policy = data.aws_iam_policy_document.api_exec_assume_role.json
+  assume_role_policy = data.aws_iam_policy_document.api_exec_assume_role_policy_statement.json
 }
-data "aws_iam_policy_document" "api_exec_assume_role" {
+data "aws_iam_policy_document" "api_exec_assume_role_policy_statement" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
-      identifiers = ["ecs-task.amazonaws.com"]
+      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
 }
 resource "aws_iam_role_policy_attachment" "ecs_exec_iam_attach_assume_role" {
  role       = aws_iam_role.api_exec_role.name
  policy_arn = data.aws_iam_policy_document.api_exec_assume_role
 }
-data "aws_iam_policy_document" "ecs_exec_role" {
+data "aws_iam_policy_document" "ecs_exec_policy_statement" {
  statement {
    effect = "Allow"
    actions = [
@ -29,11 +25,16 @@ data "aws_iam_policy_document" "ecs_exec_role" {
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
-    resources = ["*${var.project}*"]
+    resources = ["*"]
  }
 }
 resource "aws_iam_policy" "ecs_exec_policy" {
  name   = "${var.project}-ecs_exec_policy"
  policy = data.aws_iam_policy_document.ecs_exec_policy_statement.json
 }
 resource "aws_iam_role_policy_attachment" "ecs_exec_iam_attach_rules" {
  role       = aws_iam_role.api_exec_role.name
-  policy_arn = data.aws_iam_policy_document.ecs_exec_role.json
+  policy_arn = aws_iam_policy.ecs_exec_policy.arn
 }
--- a/aws_fargate/main.tf
+++ b/aws_fargate/main.tf
@ -1,39 +0,0 @@
 resource "aws_ecs_service" "api_ecs" {
  name            = "${var.project}-api"
  task_definition = aws_ecs_task_definition.api_task.arn
  launch_type     = "FARGATE"
 }
 resource "aws_ecs_task_definition" "api_task" {
  family                   = "${var.project}-api"
  cpu                      = 256
  memory                   = 512
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  execution_role_arn = aws_iam_role.api_exec_role.arn
  container_definitions = jsonencode([
    {
      name  = "${var.project}-api",
      image = var.container_image,
      portMappings = [
        {
          containerPort = 3000
        }
      ],
      logConfiguration = {
        logDriver = "awslogs",
        options = {
          awslogs-region        = var.region,
          awslogs-group         = "/ecs/${var.project}-api",
          awslogs-stream-prefix = "ecs"
        }
      }
    }
  ])
 }
 resource "aws_cloudwatch_log_group" "log_group" {
  name = "/ecs/${var.project}-api"
 }
--- a/aws_fargate/network.tf
+++ b/aws_fargate/network.tf
@ -3,24 +3,24 @@ resource "aws_vpc" "app_vpc" {
 }
 resource "aws_subnet" "public_subnet" {
-  count = length(var.subnets)
+  count = length(var.public_subnets)
  vpc_id            = aws_vpc.app_vpc.id
-  availability_zone = element(keys(var.subnets), count.index)
+  availability_zone = element(keys(var.public_subnets), count.index)
-  cidr_block        = "10.0.${count.index}.0/25"
+  cidr_block        = element(values(var.public_subnets), count.index)
  tags = {
-    "Name" = "public | ${element(keys(var.subnets), count.index)}"
+    "Name" = "public | ${element(keys(var.public_subnets), count.index)}"
  }
 }
 resource "aws_subnet" "private_subnet" {
-  count = length(var.subnets)
+  count = length(var.private_subnets)
  vpc_id            = aws_vpc.app_vpc.id
-  availability_zone = element(keys(var.subnets), count.index)
+  availability_zone = element(keys(var.private_subnets), count.index)
-  cidr_block        = "10.0.${count.index}.128/25"
+  cidr_block        = element(values(var.private_subnets), count.index)
  tags = {
-    "Name" = "private | ${element(keys(var.subnets), count.index)}"
+    "Name" = "private | ${element(keys(var.private_subnets), count.index)}"
  }
 }
@ -39,16 +39,12 @@ resource "aws_route_table" "private" {
 }
 resource "aws_route_table_association" "public_subnet" {
-  count          = length(var.subnets)
+  subnet_id      = aws_subnet.public_subnet[0].id
  subnet_id      = element(aws_subnet.public_subnet.*.id, count.index)
  route_table_id = aws_route_table.public.id
 }
 resource "aws_route_table_association" "private_subnet" {
-  count          = length(var.subnets)
+  subnet_id      = aws_subnet.private_subnet[0].id
  subnet_id      = element(aws_subnet.private_subnet.*.id, count.index)
  route_table_id = aws_route_table.private.id
 }
@ -61,20 +57,18 @@ resource "aws_internet_gateway" "igw" {
 }
 resource "aws_nat_gateway" "ngw" {
-  count          = length(var.subnets)
+  subnet_id     = aws_subnet.private_subnet[0].id
  subnet_id      = element(aws_subnet.private_subnet.*.id, count.index)
  allocation_id = aws_eip.nat.id
  depends_on    = [aws_internet_gateway.igw]
 }
-resource "aws_route" "public_igw" {
+resource "aws_route" "igw" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
 }
-resource "aws_route" "private_ngw" {
+resource "aws_route" "ngw" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.ngw.id
--- a/aws_fargate/outputs.tf
+++ b/aws_fargate/outputs.tf
@ -0,0 +1,4 @@
 # output "ecs-ip" {
 #   description = "ecs-ip"
 #   value = [for s in aws_eip.nat.map : s.public_ip]
 # }
--- a/aws_fargate/variables.tf
+++ b/aws_fargate/variables.tf
@ -1,9 +1,9 @@
 variable "region" {
-  default = "us-east-1"
+  default = "ap-southeast-2"
 }
 variable "profile" {
-  default = "default"
+  default = "superuser"
 }
 variable "project" {
@ -14,12 +14,31 @@ variable "container_image" {
  default = "ghcr.io/jimmysawczuk/sun-api:latest"
 }
-variable "subnets" {
+variable "zones" {
  type = set(string)
  default =  [
    "ap-southeast-2a",
    "ap-southeast-2b",
    "ap-southeast-2c",
  ]
 }
 variable "public_subnets" {
  description = "Availability zone for instance associated with ip ranges"
  type        = map(any)
  default = {
    "ap-southeast-2a" = "10.0.1.0/25"
    "ap-southeast-2b" = "10.0.2.0/25"
-    "ap-southeast-2c" = "10.0.1.128/25"
+    "ap-southeast-2c" = "10.0.3.0/25"
  }
 }
 variable "private_subnets" {
  description = "Availability zone for instance associated with ip ranges"
  type        = map(any)
  default = {
    "ap-southeast-2a" = "10.0.1.128/25"
    "ap-southeast-2b" = "10.0.2.128/25"
    "ap-southeast-2c" = "10.0.3.128/25"
  }
 }
--- a/aws_fargate_2/alb.tf
+++ b/aws_fargate_2/alb.tf
@ -0,0 +1,38 @@
 resource "aws_lb_target_group" "my_api" {
  name        = "my-api"
  port        = 3000
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = aws_vpc.prod_vpc.id
  health_check {
    enabled = true
    path    = "/health"
  }
  depends_on = [aws_alb.my_api]
 }
 resource "aws_alb" "my_api" {
  name               = "my-api-lb"
  internal           = false
  load_balancer_type = "application"
  subnets = [
    aws_subnet.public_a.id,
    aws_subnet.public_b.id
  ]
  security_groups = [
    aws_security_group.http.id,
    aws_security_group.egress_all.id,
  ]
  depends_on = [aws_internet_gateway.igw]
 }
 resource "aws_alb_listener" "my_api_http" {
  load_balancer_arn = aws_alb.my_api.arn
  port              = "80"
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.my_api.arn
  }
 }
 output "alb_url" {
  value = "http://${aws_alb.my_api.dns_name}"
 }
--- a/aws_fargate_2/config.tf
+++ b/aws_fargate_2/config.tf
@ -0,0 +1,13 @@
 terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>4.0"
    }
  }
 }
 provider "aws" {
  region = var.region
  profile = var.profile
 }
--- a/aws_fargate_2/ecs.tf
+++ b/aws_fargate_2/ecs.tf
@ -0,0 +1,39 @@
 resource "aws_ecs_cluster" "my_cluster" {
  name = "my_cluster"
 }
 resource "aws_ecs_task_definition" "my_api" {
  family                = "my-api"
  execution_role_arn    = aws_iam_role.my_api_task_execution_role.arn
  container_definitions = <<EOF
  [
    {
      "name": "my-api",
      "image": "mohitmutha/simplefastifyservice:1.0",
      "portMappings": [
        {
          "containerPort": 3000
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-region": "ap-southeast-2",
          "awslogs-group": "/ecs/my-api",
          "awslogs-stream-prefix": "ecs"
        }
      }
    }
  ]
  EOF
  # These are the minimum values for Fargate containers.
  cpu                      = 256
  memory                   = 512
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
 }
 resource "aws_cloudwatch_log_group" "my_api" {
  name = "/ecs/my-api"
 }
--- a/aws_fargate_2/iam.tf
+++ b/aws_fargate_2/iam.tf
@ -0,0 +1,24 @@
 resource "aws_iam_role" "my_api_task_execution_role" {
  name               = "my-api-task-execution-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_task_assume_role.json
 }
 data "aws_iam_policy_document" "ecs_task_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
 }
 # Normally we'd prefer not to hardcode an ARN in our Terraform, but since this is
 # an AWS-managed policy, it's okay.
 data "aws_iam_policy" "ecs_task_execution_role" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 # Attach the above policy to the execution role.
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
  role       = aws_iam_role.my_api_task_execution_role.name
  policy_arn = data.aws_iam_policy.ecs_task_execution_role.arn
 }
--- a/aws_fargate_2/network.tf
+++ b/aws_fargate_2/network.tf
@ -0,0 +1,132 @@
 resource "aws_vpc" "prod_vpc" {
  cidr_block = "10.0.0.0/16"
 }
 resource "aws_subnet" "public_a" {
  vpc_id            = aws_vpc.prod_vpc.id
  cidr_block        = "10.0.1.0/25"
  availability_zone = "ap-southeast-2a"
 tags = {
    "Name" = "public | ap-southeast-2a"
  }
 }
 resource "aws_subnet" "public_b" {
  vpc_id            = aws_vpc.prod_vpc.id
  cidr_block        = "10.0.1.128/25"
  availability_zone = "ap-southeast-2b"
 tags = {
    "Name" = "public | ap-southeast-2b"
  }
 }
 resource "aws_subnet" "private_a" {
  vpc_id            = aws_vpc.prod_vpc.id
  cidr_block        = "10.0.2.0/25"
  availability_zone = "ap-southeast-2a"
 tags = {
    "Name" = "private | ap-southeast-2a"
  }
 }
 resource "aws_subnet" "private_b" {
  vpc_id            = aws_vpc.prod_vpc.id
  cidr_block        = "10.0.2.128/25"
  availability_zone = "ap-southeast-2b"
 tags = {
    "Name" = "private | ap-southeast-2b"
  }
 }
 resource "aws_route_table" "public" {
  vpc_id = aws_vpc.prod_vpc.id
  tags = {
    "Name" = "public"
  }
 }
 resource "aws_route_table" "private" {
  vpc_id = aws_vpc.prod_vpc.id
  tags = {
    "Name" = "private"
  }
 }
 resource "aws_route_table_association" "public_a_subnet" {
  subnet_id      = aws_subnet.public_a.id
  route_table_id = aws_route_table.public.id
 }
 resource "aws_route_table_association" "private_a_subnet" {
  subnet_id      = aws_subnet.private_b.id
  route_table_id = aws_route_table.private.id
 }
 resource "aws_eip" "nat" {
 }
 resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.prod_vpc.id
 }
 resource "aws_nat_gateway" "ngw" {
  subnet_id     = aws_subnet.public_a.id
  allocation_id = aws_eip.nat.id
  depends_on = [aws_internet_gateway.igw]
 }
 resource "aws_route" "public_igw" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
 }
 resource "aws_route" "private_ngw" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.ngw.id
 }
 resource "aws_security_group" "http" {
  name        = "http"
  description = "HTTP traffic"
  vpc_id      = aws_vpc.prod_vpc.id
 ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }
 }
 resource "aws_security_group" "https" {
  name        = "https"
  description = "HTTPS traffic"
  vpc_id      = aws_vpc.prod_vpc.id
 ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }
 }
 resource "aws_security_group" "egress_all" {
  name        = "egress-all"
  description = "Allow all outbound traffic"
  vpc_id      = aws_vpc.prod_vpc.id
 egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
 }
 resource "aws_security_group" "ingress_api" {
  name        = "ingress-api"
  description = "Allow ingress to API"
  vpc_id      = aws_vpc.prod_vpc.id
 ingress {
    from_port   = 3000
    to_port     = 3000
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }
 }
--- a/aws_fargate_2/service.tf
+++ b/aws_fargate_2/service.tf
@ -0,0 +1,23 @@
 resource "aws_ecs_service" "my_api" {
  name            = "my-api"
  task_definition = aws_ecs_task_definition.my_api.arn
  cluster         = aws_ecs_cluster.my_cluster.id
  launch_type     = "FARGATE"
  load_balancer {
    target_group_arn = aws_lb_target_group.my_api.arn
    container_name   = "my-api"
    container_port   = "3000"
  }
  desired_count = 1
  network_configuration {
    assign_public_ip = false
    security_groups = [
      aws_security_group.egress_all.id,
      aws_security_group.ingress_api.id,
    ]
    subnets = [
      aws_subnet.private_a.id,
      aws_subnet.private_b.id
    ]
  }
 }
--- a/aws_fargate_2/variables.tf
+++ b/aws_fargate_2/variables.tf
@ -0,0 +1,44 @@
 variable "region" {
  default = "ap-southeast-2"
 }
 variable "profile" {
  default = "superuser"
 }
 variable "project" {
  default = "template"
 }
 variable "container_image" {
  default = "ghcr.io/jimmysawczuk/sun-api:latest"
 }
 variable "zones" {
  type = set(string)
  default = [
    "ap-southeast-2a",
    "ap-southeast-2b",
    "ap-southeast-2c",
  ]
 }
 variable "public_subnets" {
  description = "Availability zone for instance associated with ip ranges"
  type        = map(any)
  default = {
    "ap-southeast-2a" = "10.0.1.0/25"
    "ap-southeast-2b" = "10.0.2.0/25"
    "ap-southeast-2c" = "10.0.3.0/25"
  }
 }
 variable "private_subnets" {
  description = "Availability zone for instance associated with ip ranges"
  type        = map(any)
  default = {
    "ap-southeast-2a" = "10.0.1.128/25"
    "ap-southeast-2b" = "10.0.2.128/25"
    "ap-southeast-2c" = "10.0.3.128/25"
  }
 }