Moving fargate things to their own folder

2023-10-04 01:15:32 -07:00
parent caf09a63cb
commit 3029fbb3f6
10 changed files with 127 additions and 4 deletions
--- a/infra/fargate/Makefile
+++ b/infra/fargate/Makefile
@@ -0,0 +1,24 @@
+plan=out.plan
+
+SHELL := /bin/bash
+
+$(plan): *.tf
+	source ../secrets/set-env.sh && terraform plan -input=false -out $(plan)
+
+push: build
+	source ../secrets/set-env.sh && terraform apply $(plan)
+
+refresh:
+	source ../secrets/set-env.sh && terraform apply -refresh-only
+
+test:
+	terraform validate
+
+
+rip:
+	source ../secrets/set-env.sh && terraform destroy
+
+clean:
+	rm -f $(plan)
+
+.PHONY: test build clean push rip
--- a/infra/fargate/alpha.tf
+++ b/infra/fargate/alpha.tf
@@ -0,0 +1,18 @@
+# Alpha houses all of our containerized applications
+# Essentially it is a cluster with services that we
+# choose to expose to the internet in one form or another
+
+# Alpha cluster definition 
+###########################
+resource "aws_ecs_cluster" "alpha" {
+  name = "${var.athens_prefix}-alpha-cluster"
+  configuration {
+    execute_command_configuration {
+      logging = "OVERRIDE"
+      log_configuration {
+        cloud_watch_log_group_name = aws_cloudwatch_log_group.alpha.name
+      }
+    }
+  }
+}
+
--- a/infra/fargate/backend.tf
+++ b/infra/fargate/backend.tf
@@ -0,0 +1,24 @@
+terraform {
+  required_version = ">= 0.13"
+  backend "s3" {
+      bucket  = "project-athens"
+      key     = "infra/fargate/state/build.tfstate"
+      region  = "us-west-1"
+      encrypt = true
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "4.13.0"
+    }
+  }
+}
+
+# Base config for using AWS features w/ Terraform
+provider "aws" {
+  access_key = var.aws_key
+  secret_key = var.aws_secret
+  region = var.aws_region
+  max_retries = 1
+}
+
--- a/infra/fargate/cluster-logging.tf
+++ b/infra/fargate/cluster-logging.tf
@@ -0,0 +1,10 @@
+# Logging Configuration for services inside the cluster
+#######################################################
+
+# Alpha Cloudwatch logging configuration
+########################################
+resource "aws_cloudwatch_log_group" "alpha" {
+  name = "${var.athens_prefix}-alpha-log"
+  retention_in_days = 7
+}
+
--- a/infra/fargate/data.tf
+++ b/infra/fargate/data.tf
@@ -0,0 +1,12 @@
+data "aws_vpc" "athens" {
+  id = var.vpc_id
+}
+
+data "aws_subnet" "delphi" {
+  id = "subnet-0a1943f26e4338cf6"
+}
+
+data "aws_subnet" "crete" {
+  id = "subnet-09302319a6678643f"
+}
+
--- a/infra/fargate/ecr.tf
+++ b/infra/fargate/ecr.tf
@@ -0,0 +1,7 @@
+resource "aws_ecr_repository" "this" {
+  for_each = {
+    for index, repo in local.repos:
+      index => repo
+  }
+  name = each.value
+}
--- a/infra/fargate/local.tf
+++ b/infra/fargate/local.tf
@@ -0,0 +1,13 @@
+locals {
+  # ECR 
+  repos = [
+    "reverse-proxy",
+  ]
+  buckets = [
+    "shockrah.xyz",
+    "resume.shockrah.xyz"
+  ]
+  nginx_name = "${var.athens_prefix}-nginx-static-content"
+  nginx_hp_check_interval = 300
+}
+
--- a/infra/fargate/nginx.tf
+++ b/infra/fargate/nginx.tf
@@ -0,0 +1,63 @@
+resource "aws_ecs_task_definition" "beta" {
+  family = "${var.athens_prefix}-beta"
+
+  network_mode = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  execution_role_arn = aws_iam_role.alpha_iam_role.arn
+
+  cpu = 256
+  memory = 512
+
+  container_definitions = jsonencode([
+    {
+      name = local.nginx_name
+      image = "805875567437.dkr.ecr.us-west-1.amazonaws.com/reverse-proxy:latest"
+      cpu = 256
+      memory = 512
+      essential = true
+      portMappings = [
+        { 
+          containerPort = var.nginx_port, 
+          hostPort = var.nginx_port
+        }
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group  = aws_cloudwatch_log_group.alpha.name
+          awslogs-region = "us-west-1"
+          awslogs-stream-prefix  = "beta-container"
+        }
+      }
+    }
+  ])
+  tags = {
+    Name        = "${var.athens_prefix}-beta-task-def-container"
+    Description = "Reverse proxy for all static content"
+  }
+}
+
+resource "aws_ecs_service" "beta_reverse_proxy" {
+  name              = local.nginx_name
+  cluster           = aws_ecs_cluster.alpha.id
+  task_definition   = aws_ecs_task_definition.beta.arn
+  desired_count     = 1
+  launch_type       = "FARGATE"
+  load_balancer {
+    target_group_arn  = var.lb_target_group
+    container_name    = local.nginx_name
+    container_port    = var.nginx_port
+  }
+
+  network_configuration {
+    assign_public_ip  = true
+    subnets = [
+      data.aws_subnet.delphi.id,
+      data.aws_subnet.crete.id,
+    ]
+    security_groups = [
+      var.sg.ecs_web_ingress,
+      var.sg.base_ecs,
+    ]
+  }
+}
--- a/infra/fargate/roles.tf
+++ b/infra/fargate/roles.tf
@@ -0,0 +1,65 @@
+# Alpha container role 
+######################
+resource "aws_iam_role" "alpha_iam_role" {
+  name = "${var.athens_prefix}-alpha-iam-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = [ "ecs-tasks.amazonaws.com" ]
+        }
+        Effect = "Allow"
+      }
+    ]
+  })
+}
+
+
+resource "aws_iam_policy" "alpha_iam_policy" {
+  name = "${var.athens_prefix}-alpha-iam-policy"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:DescribeLogStreams",
+          "logs:PutLogEvents",
+        ]
+        "Resource" = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "ecs_ecr_pull" {
+  name = "${var.athens_prefix}-allow-ecs-pull-ecr"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr:GetAuthorizationToken",
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer"
+        ]
+        "Resource" = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "alpha_logs" {
+  role        = aws_iam_role.alpha_iam_role.name
+  policy_arn  = aws_iam_policy.alpha_iam_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_ecr_pull" {
+  role        = aws_iam_role.alpha_iam_role.name
+  policy_arn  = aws_iam_policy.ecs_ecr_pull.arn
+}
--- a/infra/fargate/variables.tf
+++ b/infra/fargate/variables.tf
@@ -0,0 +1,53 @@
+# All variables that are used in various places go here
+
+######################### General provider specific values
+
+variable "aws_key" {
+	description = "Access Key for AWS operations"
+	type = string
+	sensitive = true
+}
+
+variable "aws_secret" {
+	description = "Secret Key for AWS operations"
+	type = string
+	sensitive = true
+}
+
+variable "aws_region" {
+	description = "Region where the VPC is located"
+	type = string
+	sensitive = true
+}
+
+variable "vpc_id" {
+  description = "Project Athens VPC ID"
+  type = string
+}
+
+variable "athens_prefix" {
+	description = "Prefix for all things in alpha cluster"
+	type = string
+}
+
+######################### Nginx reverse proxy vars
+
+variable "nginx_port" {
+  description = "Port for shockrah.xyz"
+  type        = number
+}
+
+######################### Nginx reverse proxy vars
+
+variable "sg" {
+  type = object({
+    base_ecs        = string
+    ecs_web_ingress = string
+    lb_health_check = string
+  })
+}
+
+variable "lb_target_group" {
+  type = string
+}
+