From 9d426917f74786a9b4c897afee3e53998aabcb2f Mon Sep 17 00:00:00 2001 From: shockrah Date: Fri, 9 Dec 2022 20:55:30 -0800 Subject: [PATCH 01/22] Working sample service with ECS for now this is just a hello world service with a public IP --- infra/eip.tf | 4 ++-- infra/security-groups.tf | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/infra/eip.tf b/infra/eip.tf index c91a760..a68e414 100644 --- a/infra/eip.tf +++ b/infra/eip.tf @@ -1,8 +1,8 @@ resource "aws_eip" "alpha_eip" { - instance = aws_instance.alpha.id + instance = aws_instance.atlas.id vpc = true tags = { - Name = "Alpha EIP" + Name = "Atlas EIP" } } diff --git a/infra/security-groups.tf b/infra/security-groups.tf index e8ab64e..bb53df1 100644 --- a/infra/security-groups.tf +++ b/infra/security-groups.tf @@ -1,5 +1,39 @@ # Here are general definitions for security rulesets +resource "aws_security_group" "ecs_web_ingress" { + name = "Alpha-Web-Ingress" + description = "Allow web traffic into the host" + vpc_id = aws_vpc.athens_vpc.id + ingress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + to_port = 443 + protocol = "tcp" + } + ingress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 80 + to_port = 80 + protocol = "tcp" + } +} + +resource "aws_security_group" "base_ecs" { + vpc_id = aws_vpc.athens_vpc.id + egress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + to_port = 443 + protocol = "tcp" + } + egress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 2049 + to_port = 2049 + protocol = "tcp" + } +} + resource "aws_security_group" "general_web_req" { name = "Athens General web server ruleset" description = "Allowing strictly web traffic" From 6212a7d8cc96b64084a47068ad87a0fd29581575 Mon Sep 17 00:00:00 2001 
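Review bot: The port-2049 egress rule in `base_ecs` allows NFS to `0.0.0.0/0`, yet EFS mount targets are only reachable inside the VPC, so the rule should read `cidr_blocks = [aws_vpc.athens_vpc.cidr_block]` to match where the filesystem can actually live. `base_ecs` also has no `name` or `description`, unlike the other groups in this file, which leaves a generated name in the console that is hard to audit; something like `description = "Baseline egress for ECS tasks"` keeps the file consistent. The `0.0.0.0/0` ingress on 80/443 in `ecs_web_ingress` is expected for a public entry point, but whatever it is attached to becomes directly reachable from the internet, so it should only be attached to the component meant to be that entry point.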
From: shockrah Date: Fri, 9 Dec 2022 21:49:17 -0800 Subject: [PATCH 02/22] Removing atlas host --- infra/alpha.tf | 124 ++++++++++++++++++++++++++++++++++++++----------- infra/atlas.tf | 38 ++------------- infra/eip.tf | 9 ---- 3 files changed, 101 insertions(+), 70 deletions(-) diff --git a/infra/alpha.tf b/infra/alpha.tf index 01f233d..2745f4c 100644 --- a/infra/alpha.tf +++ b/infra/alpha.tf 
@@ -5,16 +5,66 @@ # Logging Configuration for services inside the cluster ####################################################### -resource "aws_cloudwatch_log_group" "alpha" { - name = "alpha-log" +locals { + subnet = "subnet-09302319a6678643f" } +# Alpha Cloudwatch logging configuration +######################################## +resource "aws_cloudwatch_log_group" "alpha" { + name = "${var.athens_prefix}-alpha-log" + retention_in_days = 7 +} + +# Alpha logging role +##################### +resource "aws_iam_role" "alpha_iam_role" { + name = "${var.athens_prefix}-alpha-iam-role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Principal = { + Service = [ "ecs-tasks.amazonaws.com" ] + } + Effect = "Allow" + } + ] + }) +} + +resource "aws_iam_policy" "alpha_iam_policy" { + name = "${var.athens_prefix}-alpha-iam-policy" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + ] + "Resource" = "*" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "alpha_logs" { + role = aws_iam_role.alpha_iam_role.name + policy_arn = aws_iam_policy.alpha_iam_policy.arn +} + # Alpha cluster definition ########################### resource "aws_ecs_cluster" "alpha" { - name = "alpha" + name = "${var.athens_prefix}-athens-alpha" configuration { execute_command_configuration { + logging = "OVERRIDE" log_configuration { cloud_watch_log_group_name = aws_cloudwatch_log_group.alpha.name } 
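Review bot: `alpha_iam_policy` grants the four `logs:*` actions on `"Resource" = "*"`, so the ECS execution role can write to, and create, any log group in the account; since the group is managed right above, scope it to `"Resource" = "${aws_cloudwatch_log_group.alpha.arn}:*"` (check whether your provider version already appends the `:*`) and drop `logs:CreateLogGroup`, which Terraform makes redundant. The identical wildcard policy is re-added in `infra/roles.tf` by patch 06. `locals.subnet` hard-codes a live subnet ID instead of referencing `aws_subnet.crete_subnet.id`, which ties the config to one account and breaks silently if the subnet is recreated; patch 10 removes it. The trust policy has no `Condition` on `aws:SourceAccount`, which the ecs-tasks principal supports as a confused-deputy guard; optional for a single-account setup, but cheap to add.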
@@ -25,36 +75,58 @@ resource "aws_ecs_cluster" "alpha" { # Lewdlad Service Definition ############################ -resource "aws_ecs_task_definition" "lewdlad" { - family = "lewdlad-task-definition" +resource "aws_ecs_task_definition" "sample" { + family = "${var.athens_prefix}-sample" + + network_mode = "awsvpc" + requires_compatibilities = ["FARGATE"] + execution_role_arn = aws_iam_role.alpha_iam_role.arn + + cpu = 256 + memory = 512 + container_definitions = jsonencode([ { - name = "lewdlad-container" - image = "registry.gitlab.com/shockrah/left-coast-server-bot:latest" - # Literally the smallest amount that fargate will allow - cpu = 256 - memory = 512 + name = "${var.athens_prefix}-sample-container" + image = "nginxdemos/nginx-hello:latest" + cpu = 128 + memory = 256 essential = true - environment = [ - { name: DISCORD_ID, value: var.DISCORD_ID }, - { name: DISCORD_TOKEN, value: var.DISCORD_TOKEN }, - { name: AWS_API_ID, value: var.AWS_API_ID }, - { name: AWS_API_STAGE, value: var.AWS_API_STAGE }, - { name: AWS_API_REGION, value: var.AWS_API_REGION }, - { name: AWS_API_KEY, value: var.AWS_API_KEY }, - { name: DEV_GUILD_ID, value: var.DEV_GUILD_ID }, - { name: BEEHIVE_ID, value: var.BEEHIVE_ID }, + portMappings = [ + { + containerPort = 8080 + hostPort = 8080 + } ] + logConfiguration = { + logDriver = "awslogs" + options = { + awslogs-group = aws_cloudwatch_log_group.alpha.name + awslogs-region = "us-west-1" + awslogs-stream-prefix = "sample-container" + } + } } ]) + tags = { + Name = "${var.athens_prefix}-sample-task-def-container" + } } -resource "aws_ecs_service" "lewdlad" { - name = "lewdlad" - cluster = aws_ecs_cluster.alpha.arn - task_definition = aws_ecs_task_definition.lewdlad.arn +# Service level definition +########################## +resource "aws_ecs_service" "sample" { + name = "${var.athens_prefix}-sample-service" + cluster = aws_ecs_cluster.alpha.id + task_definition = aws_ecs_task_definition.sample.arn desired_count = 1 + launch_type = 
"FARGATE" + network_configuration { + assign_public_ip = true + subnets = [ local.subnet ] + security_groups = [ + aws_security_group.ecs_web_ingress.id, + aws_security_group.base_ecs.id + ] + } } - - - diff --git a/infra/atlas.tf b/infra/atlas.tf index 3798b69..c0216fb 100644 --- a/infra/atlas.tf +++ b/infra/atlas.tf @@ -1,3 +1,6 @@ +# NOTE: this will no longer be used and is getting removed once we seutp the +# new alpha cluster correctly + # This is the continuation of the old alpha host but with much cleaner code # and less manual infra setup involved. Key differences are that block storage # is now completely kept in this module instead of yolo'd out like before. @@ -29,38 +32,3 @@ resource "aws_ebs_volume" "clips-shockrah-xyz" { Description = "Used for the clippable instance" } } - -######################### ATTACHMENT FOR files.leftcoast.space ################# -resource "aws_volume_attachment" "files-leftcoast-space" { - device_name = "/dev/sdf" - volume_id = aws_ebs_volume.files-leftcoast-space.id - instance_id = aws_instance.atlas.id -} - - -######################### ATTACHMENT FOR clips.shockrah.xyz #################### -resource "aws_volume_attachment" "clips-shockrah-xyz" { - device_name = "/dev/sdg" - volume_id = aws_ebs_volume.clips-shockrah-xyz.id - instance_id = aws_instance.atlas.id -} - -######################### INSTANCE CONFIGURATION ############################### -resource "aws_instance" "atlas" { - ami = var.atlas_ami_id - instance_type = var.atlas_instance_type - - key_name = var.atlas_ssh_key_name - - private_ip = "10.0.1.20" - vpc_security_group_ids = [ - aws_security_group.general_web_req.id, - aws_security_group.remote_ssh_rec.id - ] - subnet_id = aws_subnet.crete_subnet.id - tags = { - Name = "Atlas Host" - Description = "Simple Docker host for some personal stuff" - } - -} diff --git a/infra/eip.tf b/infra/eip.tf index a68e414..3a65d6b 100644 --- a/infra/eip.tf +++ b/infra/eip.tf 
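Review bot: `image = "nginxdemos/nginx-hello:latest"` is a mutable tag, so each task launch may pull different bytes with nothing recorded in state; pin a digest (`image = "nginxdemos/nginx-hello@sha256:<digest>"`, placeholder) or at least a version tag, and the same applies when patch 10 changes this to the untagged `nginx`. `assign_public_ip = true` gives every task its own internet-facing address while attached to `ecs_web_ingress` (80/443 from `0.0.0.0/0`), which is what this commit intends but stays true after the load balancer is introduced in patch 03. `awslogs-region = "us-west-1"` is hard-coded while the rest of this file is driven by variables; a `data "aws_region"` lookup or a region variable would keep it consistent. Dropping the Discord and AWS credential environment entries from the old definition is the right call.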
@@ -1,12 +1,3 @@ -resource "aws_eip" "alpha_eip" { - instance = aws_instance.atlas.id - vpc = true - tags = { - Name = "Atlas EIP" - } -} - - resource "aws_eip" "beta_eip" { vpc = true instance = aws_instance.beta.id From d4dae7618b8a8c4ff313402db9824763ac2f62b2 Mon Sep 17 00:00:00 2001 From: shockrah Date: Fri, 9 Dec 2022 22:22:47 -0800 Subject: [PATCH 03/22] Hooking service to a load balancer --- infra/alpha.tf | 6 ++++++ infra/load-balancer.tf | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 infra/load-balancer.tf diff --git a/infra/alpha.tf b/infra/alpha.tf index 2745f4c..ff7cfa7 100644 --- a/infra/alpha.tf +++ b/infra/alpha.tf @@ -121,6 +121,12 @@ resource "aws_ecs_service" "sample" { task_definition = aws_ecs_task_definition.sample.arn desired_count = 1 launch_type = "FARGATE" + load_balancer { + target_group_arn = aws_lb_target_group.alpha_cluster.arn + container_name = "${var.athens_prefix}-sample-container" + container_port = 8080 + } + network_configuration { assign_public_ip = true subnets = [ local.subnet ] diff --git a/infra/load-balancer.tf b/infra/load-balancer.tf new file mode 100644 index 0000000..b5ea059 --- /dev/null +++ b/infra/load-balancer.tf 
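Review bot: With the `load_balancer` block in place, the `network_configuration` just below still sets `assign_public_ip = true`, so each task keeps an address on which `ecs_web_ingress` accepts 80/443 from anywhere, and the ALB can be bypassed. If the public IP is only there so Fargate can pull images from a subnet with no NAT gateway, say so (`# public IP needed for image pulls: no NAT gateway in this VPC`) and point the task security group at the ALB's group instead; otherwise set it to `false`. `container_port = 8080` here must track the `portMappings` in the task definition, which patch 10 has to change in both places. `aws_ecs_service.sample` begins before this hunk.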
@@ -0,0 +1,36 @@
+# Here is the application load balancer that we use for services hosted on ECS
+##############################################################################
+
+
+# The LB that we'll use to move traffic into our services
+#########################################################
+resource "aws_lb" "alpha" {
+ name = "alpha-lb"
+ internal = false
+ load_balancer_type = "application"
+ subnets = [ aws_subnet.delphi.id, aws_subnet.crete_subnet.id ]
+ security_groups = [ aws_security_group.ecs_web_ingress.id ]
+ # TODO: change this to true later
+ enable_deletion_protection = false
+}
+
+# ECS services manage themselves when it comes to registering to the
+# target group so we only need to provide the pool
+####################################################################
+resource "aws_lb_target_group" "alpha_cluster" {
+ name = "${var.athens_prefix}-alpha-cluster"
+ port = 80
+ protocol = "HTTP"
+ target_type = "ip"
+ vpc_id = aws_vpc.athens_vpc.id
+}
+
+resource "aws_lb_listener" "http" {
+ load_balancer_arn = aws_lb.alpha.arn
+ port = 80
+ protocol = "HTTP"
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.alpha_cluster.arn
+ }
+}
From 4d15923af94330aa8a6b36343d66cce0e6690d5c Mon Sep 17 00:00:00 2001
From: shockrah
Date: Fri, 9 Dec 2022 22:23:04 -0800
Subject: [PATCH 04/22] ALB requires two subnets to sit across
---
 infra/subnet.tf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/infra/subnet.tf b/infra/subnet.tf
index 682a0d7..f3c1fb5 100644
--- a/infra/subnet.tf
+++ b/infra/subnet.tf
@@ -11,3 +11,9 @@ resource "aws_subnet" "crete_subnet" { Name = "Crete Subnet - Internal" } }
+
+resource "aws_subnet" "delphi" {
+ vpc_id = aws_vpc.athens_vpc.id
+ cidr_block = "10.0.2.0/24"
+ availability_zone = "us-west-1c"
+}
From 791d95082129509ceda524c7ecfb2d08969c9d7e Mon Sep 17 00:00:00 2001
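Review bot: `aws_lb.alpha` reuses `aws_security_group.ecs_web_ingress`, the group that is also attached to the Fargate tasks in `alpha.tf`, so nothing at the network layer separates the load balancer from the service behind it; give the tasks their own group whose only ingress block has `security_groups = [aws_security_group.ecs_web_ingress.id]` on the container port, and the ALB becomes the only way in. The same shared group is still in place when patch 20 adds `load_balancer_health_check` and moves Delphi onto the IGW route table. `aws_lb_listener.http` terminates plain HTTP on 80 with no redirect, which is fine for a hello-world but means 443 is open in the group with nothing listening. `drop_invalid_header_fields = true` on `aws_lb.alpha` is a cheap hardening, and the `# TODO: change this to true later` on `enable_deletion_protection` would be more useful tied to a condition, e.g. `# TODO: enable once DNS points here`.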
From: shockrah Date: Fri, 9 Dec 2022 22:23:13 -0800 Subject: [PATCH 05/22] Moving prefix to vars file --- infra/input-vars.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/infra/input-vars.tf b/infra/input-vars.tf index afb9896..9e233ef 100644 --- a/infra/input-vars.tf +++ b/infra/input-vars.tf @@ -103,3 +103,11 @@ variable "athens_cidr" { description = "VPC Subnet CIDR block" type = string } + +######################### Alpha Cluster variables + +variable "athens_prefix" { + description = "Prefix for all things in alpha cluster" + type = string + default = "athens" +} From fafaae4ba77448f1897cf7eb88d7ae736f8260f2 Mon Sep 17 00:00:00 2001 From: shockrah Date: Fri, 16 Dec 2022 22:05:21 -0800 Subject: [PATCH 06/22] Logging and role configuration speerated --- infra/cluster-logging.tf | 28 ++++++++++++++++++++++++++++ infra/roles.tf | 24 ++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 infra/cluster-logging.tf create mode 100644 infra/roles.tf diff --git a/infra/cluster-logging.tf b/infra/cluster-logging.tf new file mode 100644 index 0000000..f06ed82 --- /dev/null +++ b/infra/cluster-logging.tf @@ -0,0 +1,28 @@ +# Logging Configuration for services inside the cluster +####################################################### + +# Alpha Cloudwatch logging configuration +######################################## +resource "aws_cloudwatch_log_group" "alpha" { + name = "${var.athens_prefix}-alpha-log" + retention_in_days = 7 +} + +# Alpha logging role +##################### +resource "aws_iam_role" "alpha_iam_role" { + name = "${var.athens_prefix}-alpha-iam-role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Principal = { + Service = [ "ecs-tasks.amazonaws.com" ] + } + Effect = "Allow" + } + ] + }) +} + diff --git a/infra/roles.tf b/infra/roles.tf new file mode 100644 index 0000000..a21bd56 --- /dev/null +++ b/infra/roles.tf 
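Review bot: This file declares `aws_cloudwatch_log_group.alpha` and `aws_iam_role.alpha_iam_role` while `infra/alpha.tf` still holds the same resource addresses (they are only removed there in patch 10), so at this commit `terraform validate` fails with a duplicate-resource error; the removal from alpha.tf belongs in this commit. The same applies to `aws_iam_policy.alpha_iam_policy` and `aws_iam_role_policy_attachment.alpha_logs` in the new `infra/roles.tf` hunk that follows. The `# Alpha logging role` header could also say which role this is, since it is passed as the task `execution_role_arn`: `# Execution role assumed by ECS (ecs-tasks.amazonaws.com) so the agent can push container logs`.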
@@ -0,0 +1,24 @@ +resource "aws_iam_policy" "alpha_iam_policy" { + name = "${var.athens_prefix}-alpha-iam-policy" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + ] + "Resource" = "*" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "alpha_logs" { + role = aws_iam_role.alpha_iam_role.name + policy_arn = aws_iam_policy.alpha_iam_policy.arn +} + From 6b0f985cd95f10242ecc11b7c083e075d1141519 Mon Sep 17 00:00:00 2001 From: shockrah Date: Fri, 16 Dec 2022 22:49:55 -0800 Subject: [PATCH 07/22] Adding generic health check for sample service --- infra/load-balancer.tf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/infra/load-balancer.tf b/infra/load-balancer.tf index b5ea059..4a65d7e 100644 --- a/infra/load-balancer.tf +++ b/infra/load-balancer.tf @@ -14,15 +14,21 @@ resource "aws_lb" "alpha" { enable_deletion_protection = false } -# ECS services manage themselves when it comes to registering to the -# target group so we only need to provide the pool -#################################################################### +## ECS services manage themselves when it comes to registering to the +## target group so we only need to provide the pool +##################################################################### resource "aws_lb_target_group" "alpha_cluster" { name = "${var.athens_prefix}-alpha-cluster" port = 80 protocol = "HTTP" target_type = "ip" vpc_id = aws_vpc.athens_vpc.id + health_check { + path = "/" + matcher = "200-299" + port = 80 + interval = 60 + } } resource "aws_lb_listener" "http" { @@ -34,3 +40,4 @@ resource "aws_lb_listener" "http" { target_group_arn = aws_lb_target_group.alpha_cluster.arn } } + From f47ce5e4ff5ac89d9fcf02f597199b859657fca9 Mon Sep 17 00:00:00 2001 
From: shockrah Date: Fri, 16 Dec 2022 22:50:15 -0800 Subject: [PATCH 08/22] Adding fallback for port 80 on base ecs --- infra/security-groups.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/infra/security-groups.tf b/infra/security-groups.tf index bb53df1..8738a7a 100644 --- a/infra/security-groups.tf +++ b/infra/security-groups.tf @@ -20,6 +20,12 @@ resource "aws_security_group" "ecs_web_ingress" { resource "aws_security_group" "base_ecs" { vpc_id = aws_vpc.athens_vpc.id + egress { + cidr_blocks = ["0.0.0.0/0"] + from_port = 80 + to_port = 80 + protocol = "tcp" + } egress { cidr_blocks = ["0.0.0.0/0"] from_port = 443 From c4e169efee97469400720336495194c5a2823991 Mon Sep 17 00:00:00 2001 From: shockrah Date: Fri, 16 Dec 2022 22:50:45 -0800 Subject: [PATCH 09/22] Tagging subnets --- infra/subnet.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra/subnet.tf b/infra/subnet.tf index f3c1fb5..328562f 100644 --- a/infra/subnet.tf +++ b/infra/subnet.tf @@ -9,6 +9,7 @@ resource "aws_subnet" "crete_subnet" { tags = { Name = "Crete Subnet - Internal" + Description = "Main subnet for EC2 and Alpha-LB" } } @@ -16,4 +17,8 @@ resource "aws_subnet" "delphi" { vpc_id = aws_vpc.athens_vpc.id cidr_block = "10.0.2.0/24" availability_zone = "us-west-1c" + tags = { + Name = "Delphi Subnet - Internal" + Description = "Secondary subnet for the Alpha-LB mostly" + } } From ae61177661a89e3a8128b82f19be56ad6a1779e4 Mon Sep 17 00:00:00 2001 From: shockrah Date: Fri, 16 Dec 2022 22:51:05 -0800 Subject: [PATCH 10/22] Alpha configuration which still wont register --- infra/alpha.tf | 77 +++++++++----------------------------------------- 1 file changed, 14 insertions(+), 63 deletions(-) diff --git a/infra/alpha.tf b/infra/alpha.tf index ff7cfa7..255d740 100644 --- a/infra/alpha.tf +++ b/infra/alpha.tf 
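Review bot: The new egress rule on `base_ecs` opens outbound port 80 to `0.0.0.0/0`; the commit title calls it a fallback, but the rule itself does not say for what, so a comment naming the consumer (`# plain-HTTP egress needed by: <client or registry — placeholder>`) would let it be removed once that need is gone. Outbound 443 from the same group already covers registry and AWS API traffic, so if nothing concrete needs 80, leaving it closed is the simpler option.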
@@ -2,60 +2,7 @@ # Essentially it is a cluster with services that we # choose to expose to the internet in one form or another -# Logging Configuration for services inside the cluster -####################################################### -locals { - subnet = "subnet-09302319a6678643f" -} -# Alpha Cloudwatch logging configuration -######################################## -resource "aws_cloudwatch_log_group" "alpha" { - name = "${var.athens_prefix}-alpha-log" - retention_in_days = 7 -} - -# Alpha logging role -##################### -resource "aws_iam_role" "alpha_iam_role" { - name = "${var.athens_prefix}-alpha-iam-role" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Principal = { - Service = [ "ecs-tasks.amazonaws.com" ] - } - Effect = "Allow" - } - ] - }) -} - -resource "aws_iam_policy" "alpha_iam_policy" { - name = "${var.athens_prefix}-alpha-iam-policy" - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:DescribeLogStreams", - "logs:PutLogEvents", - ] - "Resource" = "*" - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" "alpha_logs" { - role = aws_iam_role.alpha_iam_role.name - policy_arn = aws_iam_policy.alpha_iam_policy.arn -} # Alpha cluster definition @@ -73,8 +20,9 @@ resource "aws_ecs_cluster" "alpha" { } -# Lewdlad Service Definition -############################ +# Lewdlad Task Definition +# This is what the service will launch to actually provide the lewdlad service +############################################################################## resource "aws_ecs_task_definition" "sample" { family = "${var.athens_prefix}-sample" 
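Review bot: The rewritten header still reads `# Lewdlad Task Definition` / `# This is what the service will launch to actually provide the lewdlad service`, but the resource under it is `aws_ecs_task_definition.sample` running plain nginx, so the comment describes a service that does not exist in this file. If the nginx task is a stand-in until lewdlad is ported, say that: `# Sample task definition: plain nginx placeholder until the lewdlad service is ported to Fargate`. `aws_ecs_task_definition.sample` continues past the end of this hunk.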
@@ -88,14 +36,14 @@ resource "aws_ecs_task_definition" "sample" { container_definitions = jsonencode([ { name = "${var.athens_prefix}-sample-container" - image = "nginxdemos/nginx-hello:latest" - cpu = 128 - memory = 256 + image = "nginx" + cpu = 256 + memory = 512 essential = true portMappings = [ { - containerPort = 8080 - hostPort = 8080 + containerPort = 80 + hostPort = 80 } ] logConfiguration = { @@ -124,15 +72,18 @@ resource "aws_ecs_service" "sample" { load_balancer { target_group_arn = aws_lb_target_group.alpha_cluster.arn container_name = "${var.athens_prefix}-sample-container" - container_port = 8080 + container_port = 80 } network_configuration { assign_public_ip = true - subnets = [ local.subnet ] + subnets = [ + aws_subnet.delphi.id, + aws_subnet.crete_subnet.id + ] security_groups = [ aws_security_group.ecs_web_ingress.id, aws_security_group.base_ecs.id - ] + ] } } From 4e46f344408e15130b03413c3cca874451f910e0 Mon Sep 17 00:00:00 2001 From: shockrah Date: Tue, 27 Dec 2022 17:33:23 -0800 Subject: [PATCH 11/22] Imported route53 zone + records --- infra/route53.tf | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 infra/route53.tf diff --git a/infra/route53.tf b/infra/route53.tf new file mode 100644 index 0000000..5572649 --- /dev/null +++ b/infra/route53.tf 
@@ -0,0 +1,33 @@
+
+# This entry is just for the sample service that is just plain nginx
+# No TLS will be placed on this just yet as we need to make sure this
+# and the load balancer are setup to receive things properly
+resource "aws_route53_zone" "project-athens" {
+ name = "project-athens.xyz"
+ comment = "Project Athens domain zone"
+}
+
+
+resource "aws_route53_record" "main_ns" {
+ zone_id = aws_route53_zone.project-athens.id
+ name = "project-athens.xyz"
+ type = "NS"
+ ttl = 172800
+ records = [
+ "ns-806.awsdns-36.net.",
+ "ns-1881.awsdns-43.co.uk.",
+ "ns-1109.awsdns-10.org.",
+ "ns-11.awsdns-01.com.",
+ ]
+}
+
+resource "aws_route53_record" "main_soa" {
+ zone_id = aws_route53_zone.project-athens.id
+ name = "project-athens.xyz"
+ type = "SOA"
+ ttl = 900
+ records = [
+ "ns-806.awsdns-36.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
+ ]
+}
+
From f58fa4ae697b64a0fbc5ed9c7950b72ab9e3944e Mon Sep 17 00:00:00 2001
From: shockrah
Date: Tue, 27 Dec 2022 20:45:32 -0800
Subject: [PATCH 12/22] Adding shockrah.xyz public dns records
---
 infra/route53-shockrah-xyz.tf | 52 +++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 infra/route53-shockrah-xyz.tf
diff --git a/infra/route53-shockrah-xyz.tf b/infra/route53-shockrah-xyz.tf
new file mode 100644
index 0000000..d407d21
--- /dev/null
+++ b/infra/route53-shockrah-xyz.tf
@@ -0,0 +1,52 @@
+#############################
+# shockrah.xyz DNS ZONE
+#############################
+
+resource "aws_route53_zone" "shockrah-xyz" {
+ name = "shockrah.xyz"
+ comment = "Main shockrah.xyz zone - for personal stuff"
+}
+
+locals {
+ records = [
+ {
+ name = "shockrah.xyz"
+ type = "NS"
+ ttl = 172800
+ records = [
+ "ns-612.awsdns-12.net.",
+ "ns-285.awsdns-35.com.",
+ "ns-1702.awsdns-20.co.uk.",
+ "ns-1360.awsdns-42.org.",
+ ]
+ },
+ {
+ name = "shockrah.xyz"
+ type = "SOA"
+ records = [
+ "ns-612.awsdns-12.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
+ ]
+ },
+ {
+ name = "shockrah.xyz"
+ type = "TXT"
+ ttl = 300
+ records = [ "v=spf1 include:_mailcust.gandi.net ?all" ]
+ }
+ ]
+}
+
+resource "aws_route53_record" "shockrah-xyz-record" {
+ for_each = {
+ for index, record in local.records:
+ index => record
+ }
+ #for_each = toset(local.records)
+
+ zone_id = aws_route53_zone.shockrah-xyz.id
+ name = each.value.name
+ type = lookup(each.value, "type", "A")
+ ttl = lookup(each.value, "ttl", 900)
+ records = each.value.records
+}
+
From 52a9a94b32d9f07d48d27fe70e8271bd0e932cd2 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Tue, 27 Dec 2022 21:01:46 -0800
Subject: [PATCH 13/22] Importing shockrah.xyz A records into terraform
---
 infra/route53-shockrah-xyz.tf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/infra/route53-shockrah-xyz.tf b/infra/route53-shockrah-xyz.tf
index d407d21..a4db2a1 100644
--- a/infra/route53-shockrah-xyz.tf
+++ b/infra/route53-shockrah-xyz.tf
@@ -23,6 +23,7 @@ locals { { name = "shockrah.xyz" type = "SOA"
+ ttl = 900
 records = [ "ns-612.awsdns-12.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400" ]
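Review bot: `aws_route53_record.shockrah-xyz-record` keys its `for_each` by list position, so inserting or reordering an entry in `local.records` re-keys every later record and the next apply replaces live DNS entries (NS and SOA included) for no real change; key by something stable instead, e.g. `"${record.name}/${lookup(record, "type", "A")}" => record`. The same position-keyed pattern is introduced for `project-athens-record` in patch 17 and then hard-referenced as `project-athens-record["2"]` in patch 18. The SOA entry has no `ttl` here, so it silently takes the `lookup` default of 900; patch 13 makes it explicit, which is the safer form. The commented-out `#for_each = toset(local.records)` is dead text and should not ship; patch 13 removes it.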
@@ -32,7 +33,11 @@ locals { type = "TXT" ttl = 300 records = [ "v=spf1 include:_mailcust.gandi.net ?all" ] - } + }, + { name = "shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "freechat.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "resume.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "www.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, ] } @@ -41,12 +46,11 @@ resource "aws_route53_record" "shockrah-xyz-record" { for index, record in local.records: index => record } - #for_each = toset(local.records) zone_id = aws_route53_zone.shockrah-xyz.id name = each.value.name type = lookup(each.value, "type", "A") - ttl = lookup(each.value, "ttl", 900) + ttl = lookup(each.value, "ttl", 300) records = each.value.records } From 00edcc64af17d86933716d021d1f6f451579948f Mon Sep 17 00:00:00 2001 From: shockrah Date: Tue, 27 Dec 2022 21:02:56 -0800 Subject: [PATCH 14/22] Formatting and comments --- infra/route53.tf | 3 +++ infra/security-groups.tf | 20 ++++++++++---------- infra/subnet.tf | 5 ++--- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/infra/route53.tf b/infra/route53.tf index 5572649..e602387 100644 --- a/infra/route53.tf +++ b/infra/route53.tf @@ -1,3 +1,6 @@ +############################# +# project-athens.xyz DNS ZONE +############################# # This entry is just for the sample service that is just plain nginx # No TLS will be placed on this just yet as we need to make sure this diff --git a/infra/security-groups.tf b/infra/security-groups.tf index 8738a7a..6f88905 100644 --- a/infra/security-groups.tf +++ b/infra/security-groups.tf @@ -7,14 +7,14 @@ resource "aws_security_group" "ecs_web_ingress" { ingress { cidr_blocks = ["0.0.0.0/0"] from_port = 443 - to_port = 443 - protocol = "tcp" + to_port = 443 + protocol = "tcp" } ingress { cidr_blocks = ["0.0.0.0/0"] from_port = 80 - to_port = 80 - protocol = "tcp" + to_port = 80 + protocol = "tcp" } } 
@@ -23,20 +23,20 @@ resource "aws_security_group" "base_ecs" { egress { cidr_blocks = ["0.0.0.0/0"] from_port = 80 - to_port = 80 - protocol = "tcp" + to_port = 80 + protocol = "tcp" } egress { cidr_blocks = ["0.0.0.0/0"] from_port = 443 - to_port = 443 - protocol = "tcp" + to_port = 443 + protocol = "tcp" } egress { cidr_blocks = ["0.0.0.0/0"] from_port = 2049 - to_port = 2049 - protocol = "tcp" + to_port = 2049 + protocol = "tcp" } } diff --git a/infra/subnet.tf b/infra/subnet.tf index 328562f..7576df2 100644 --- a/infra/subnet.tf +++ b/infra/subnet.tf @@ -1,6 +1,5 @@ # This script represents the subnet structure for Crete(primary subnet) -# Crete will serve as the private subnet with internal services resource "aws_subnet" "crete_subnet" { vpc_id = aws_vpc.athens_vpc.id # 10.0.1.0/24 @@ -8,7 +7,7 @@ resource "aws_subnet" "crete_subnet" { availability_zone = var.athens_availability_zone tags = { - Name = "Crete Subnet - Internal" + Name = "Crete Subnet" Description = "Main subnet for EC2 and Alpha-LB" } } @@ -18,7 +17,7 @@ resource "aws_subnet" "delphi" { cidr_block = "10.0.2.0/24" availability_zone = "us-west-1c" tags = { - Name = "Delphi Subnet - Internal" + Name = "Delphi Subnet" Description = "Secondary subnet for the Alpha-LB mostly" } } From dcd3da5e470250f7a71d35627d1e892821eba206 Mon Sep 17 00:00:00 2001 From: shockrah Date: Tue, 27 Dec 2022 21:06:20 -0800 Subject: [PATCH 15/22] Removing custom health check for now --- infra/load-balancer.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/infra/load-balancer.tf b/infra/load-balancer.tf index 4a65d7e..3d382d2 100644 --- a/infra/load-balancer.tf +++ b/infra/load-balancer.tf @@ -23,12 +23,6 @@ resource "aws_lb_target_group" "alpha_cluster" { protocol = "HTTP" target_type = "ip" vpc_id = aws_vpc.athens_vpc.id - health_check { - path = "/" - matcher = "200-299" - port = 80 - interval = 60 - } } resource "aws_lb_listener" "http" { From e2c4db294ad618f8d9cce7538a6c0728361183ba Mon Sep 17 00:00:00 2001 
From: shockrah Date: Tue, 27 Dec 2022 21:08:19 -0800 Subject: [PATCH 16/22] Renaming project-athens.xyz route53 config --- infra/{route53.tf => route53-project-athens-xyz.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename infra/{route53.tf => route53-project-athens-xyz.tf} (100%) diff --git a/infra/route53.tf b/infra/route53-project-athens-xyz.tf similarity index 100% rename from infra/route53.tf rename to infra/route53-project-athens-xyz.tf From 97205a216c8b67bc2ec0348b05facaaab2ce2caa Mon Sep 17 00:00:00 2001 From: shockrah Date: Tue, 27 Dec 2022 22:03:46 -0800 Subject: [PATCH 17/22] Cleaning up route53 entries --- infra/route53-project-athens-xyz.tf | 49 ++++++++++++++++++----------- infra/route53-shockrah-xyz.tf | 8 ++--- 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/infra/route53-project-athens-xyz.tf b/infra/route53-project-athens-xyz.tf index e602387..f831f9d 100644 --- a/infra/route53-project-athens-xyz.tf +++ b/infra/route53-project-athens-xyz.tf 
@@ -11,26 +11,39 @@ resource "aws_route53_zone" "project-athens" { } -resource "aws_route53_record" "main_ns" { - zone_id = aws_route53_zone.project-athens.id - name = "project-athens.xyz" - type = "NS" - ttl = 172800 - records = [ - "ns-806.awsdns-36.net.", - "ns-1881.awsdns-43.co.uk.", - "ns-1109.awsdns-10.org.", - "ns-11.awsdns-01.com.", +locals { + project-athens-records = [ + { + name = "project-athens.xyz" + type = "NS" + ttl = 172800 + records = [ + "ns-806.awsdns-36.net.", + "ns-1881.awsdns-43.co.uk.", + "ns-1109.awsdns-10.org.", + "ns-11.awsdns-01.com.", + ] + }, + { + name = "project-athens.xyz" + type = "SOA" + ttl = 900 + records = [ + "ns-806.awsdns-36.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400" + ] + } ] } -resource "aws_route53_record" "main_soa" { - zone_id = aws_route53_zone.project-athens.id - name = "project-athens.xyz" - type = "SOA" - ttl = 900 - records = [ - "ns-806.awsdns-36.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400" - ] +resource "aws_route53_record" "project-athens-record" { + for_each = { + for index, record in local.project-athens-records: + index => record + } + zone_id = aws_route53_zone.project-athens.id + name = each.value.name + type = lookup(each.value, "type", "A") + ttl = lookup(each.value, "ttl", 300) + records = each.value.records } diff --git a/infra/route53-shockrah-xyz.tf b/infra/route53-shockrah-xyz.tf index a4db2a1..f78e653 100644 --- a/infra/route53-shockrah-xyz.tf +++ b/infra/route53-shockrah-xyz.tf 
@@ -34,10 +34,10 @@ locals { ttl = 300 records = [ "v=spf1 include:_mailcust.gandi.net ?all" ] }, - { name = "shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, - { name = "freechat.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, - { name = "resume.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, - { name = "www.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "freechat.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "resume.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, + { name = "www.shockrah.xyz", records = [ aws_eip.beta_eip.public_ip ] }, ] } From f96f6569cfdaefe2b0c1eaad12bbb01a73cb27be Mon Sep 17 00:00:00 2001 From: shockrah Date: Mon, 2 Jan 2023 18:36:48 -0800 Subject: [PATCH 18/22] Cert with load balancer listener --- infra/cert.tf | 11 +++++++++++ infra/load-balancer.tf | 9 ++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 infra/cert.tf diff --git a/infra/cert.tf b/infra/cert.tf new file mode 100644 index 0000000..9dc1afb --- /dev/null +++ b/infra/cert.tf @@ -0,0 +1,11 @@ +# Here is the TLS cert that we create for the alpha cluster + +resource "aws_acm_certificate" "sample" { + domain_name = "sample.project-athens.xyz" + validation_method = "DNS" +} + +resource "aws_acm_certificate_validation" "sample" { + certificate_arn = aws_acm_certificate.sample.arn + validation_record_fqdns = [ aws_route53_record.project-athens-record["2"].fqdn ] +} diff --git a/infra/load-balancer.tf b/infra/load-balancer.tf index 3d382d2..f0b92b0 100644 --- a/infra/load-balancer.tf +++ b/infra/load-balancer.tf 
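Review bot: `aws_acm_certificate_validation.sample` reads `aws_route53_record.project-athens-record["2"].fqdn`, but at this commit `local.project-athens-records` has only the NS (key `"0"`) and SOA (key `"1"`) entries — the validation record is appended in patch 19 — so this plan fails on a missing key; the two commits should be squashed. Even once it exists, `"2"` is a positional coupling that breaks the moment the list is edited; a name-keyed `for_each` would let this read something like `project-athens-record["acm-validation"].fqdn`. `aws_acm_certificate.sample` has no `lifecycle { create_before_destroy = true }`, which matters because a changed `domain_name` replaces the cert while the listener still references the old ARN; patch 22 adds it.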
@@ -25,10 +25,13 @@ resource "aws_lb_target_group" "alpha_cluster" { vpc_id = aws_vpc.athens_vpc.id } -resource "aws_lb_listener" "http" { +resource "aws_lb_listener" "https" { load_balancer_arn = aws_lb.alpha.arn - port = 80 - protocol = "HTTP" + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-2016-08" + + certificate_arn = aws_acm_certificate_validation.sample.certificate_arn default_action { type = "forward" target_group_arn = aws_lb_target_group.alpha_cluster.arn From edbb647c18c3527915518e82e3961cad9d9a48e1 Mon Sep 17 00:00:00 2001 From: shockrah Date: Mon, 2 Jan 2023 18:37:16 -0800 Subject: [PATCH 19/22] Adding DNS entry for alpha load balancer cert --- infra/route53-project-athens-xyz.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra/route53-project-athens-xyz.tf b/infra/route53-project-athens-xyz.tf index f831f9d..a472037 100644 --- a/infra/route53-project-athens-xyz.tf +++ b/infra/route53-project-athens-xyz.tf @@ -31,6 +31,11 @@ locals { records = [ "ns-806.awsdns-36.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400" ] + }, + { + name = tolist(aws_acm_certificate.sample.domain_validation_options)[0].resource_record_name + type = tolist(aws_acm_certificate.sample.domain_validation_options)[0].resource_record_type + records = [ tolist(aws_acm_certificate.sample.domain_validation_options)[0].resource_record_value ] } ] } From bdeb59e46d9f34d8b8cb513ca66a322b3800b834 Mon Sep 17 00:00:00 2001 From: shockrah Date: Mon, 2 Jan 2023 19:08:25 -0800 Subject: [PATCH 20/22] Health problems finally solved with LB and fargate --- infra/load-balancer.tf | 5 ++++- infra/route-table.tf | 7 +++++++ infra/security-groups.tf | 11 +++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/infra/load-balancer.tf b/infra/load-balancer.tf index f0b92b0..b8acc59 100644 --- a/infra/load-balancer.tf +++ b/infra/load-balancer.tf 
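Review bot: `ssl_policy = "ELBSecurityPolicy-2016-08"` still negotiates TLS 1.0 and 1.1; unless a known legacy client needs them, prefer a TLS 1.2+ policy such as `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`. Renaming the listener to `https` and moving it to 443 removes the only port-80 listener, so plain-HTTP requests are no longer answered by an ALB whose group still opens 80; either close 80 in `ecs_web_ingress` or keep an HTTP listener whose `default_action` is a `redirect` to 443. `aws_lb_listener.https` ends after this hunk.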
@@ -9,7 +9,10 @@ resource "aws_lb" "alpha" { internal = false load_balancer_type = "application" subnets = [ aws_subnet.delphi.id, aws_subnet.crete_subnet.id ] - security_groups = [ aws_security_group.ecs_web_ingress.id ] + security_groups = [ + aws_security_group.ecs_web_ingress.id, + aws_security_group.load_balancer_health_check.id + ] # TODO: change this to true later enable_deletion_protection = false } diff --git a/infra/route-table.tf b/infra/route-table.tf index 36f65ad..8901a67 100644 --- a/infra/route-table.tf +++ b/infra/route-table.tf @@ -10,7 +10,14 @@ resource "aws_route_table" "crete_route_table" { Name = "Crete IGW Route Table" } } + + resource "aws_route_table_association" "crete_gateway_association" { subnet_id = aws_subnet.crete_subnet.id route_table_id = aws_route_table.crete_route_table.id } + +resource "aws_route_table_association" "delphi_gateway_association" { + subnet_id = aws_subnet.delphi.id + route_table_id = aws_route_table.crete_route_table.id +} diff --git a/infra/security-groups.tf b/infra/security-groups.tf index 6f88905..41dd63c 100644 --- a/infra/security-groups.tf +++ b/infra/security-groups.tf @@ -40,6 +40,17 @@ resource "aws_security_group" "base_ecs" { } } +resource "aws_security_group" "load_balancer_health_check" { + name = "Load Balancer Health check" + vpc_id = aws_vpc.athens_vpc.id + egress { + cidr_blocks = ["10.0.0.0/8"] + from_port = 80 + to_port = 80 + protocol = "tcp" + } +} + resource "aws_security_group" "general_web_req" { name = "Athens General web server ruleset" description = "Allowing strictly web traffic" From bc096af870622a275ab5e283b08a4fb581158a29 Mon Sep 17 00:00:00 2001 From: shockrah Date: Mon, 2 Jan 2023 19:10:08 -0800 Subject: [PATCH 21/22] Routing & TLS issues fixed with ACM --- infra/route53-project-athens-xyz.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra/route53-project-athens-xyz.tf b/infra/route53-project-athens-xyz.tf index a472037..31cf342 100644 
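Review bot: The new `load_balancer_health_check` group's egress targets `10.0.0.0/8`, which is wider than the VPC; `cidr_blocks = [aws_vpc.athens_vpc.cidr_block]` covers exactly the targets the ALB needs to reach. The underlying reason the health checks failed is most likely that `ecs_web_ingress` declares inline `ingress` blocks and no `egress`, and the AWS provider then strips the default allow-all egress, so a comment on that group (`# NOTE: inline rules replace the default egress; the ALB gets its egress from load_balancer_health_check`) would save the next person the same debugging. Putting Delphi on `crete_route_table` makes it IGW-routed like Crete, so the Fargate tasks in both subnets keep public addresses that still accept 80/443 directly through the shared `ecs_web_ingress` group; a task-only group allowing ingress just from the ALB's group is the missing piece.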
--- a/infra/route53-project-athens-xyz.tf +++ b/infra/route53-project-athens-xyz.tf @@ -36,6 +36,11 @@ locals { name = tolist(aws_acm_certificate.sample.domain_validation_options)[0].resource_record_name type = tolist(aws_acm_certificate.sample.domain_validation_options)[0].resource_record_type records = [ tolist(aws_acm_certificate.sample.domain_validation_options)[0].resource_record_value ] + }, + { + name = "sample.project-athens.xyz" + type = "CNAME" + records = [ aws_lb.alpha.dns_name ] } ] } From f48eb9610bf4386d2f0148273ec4b14f57a57bee Mon Sep 17 00:00:00 2001 From: shockrah Date: Mon, 9 Jan 2023 17:03:40 -0800 Subject: [PATCH 22/22] Wildcard for sample project --- infra/cert.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/infra/cert.tf b/infra/cert.tf index 9dc1afb..b18761f 100644 --- a/infra/cert.tf +++ b/infra/cert.tf @@ -1,8 +1,12 @@ # Here is the TLS cert that we create for the alpha cluster resource "aws_acm_certificate" "sample" { - domain_name = "sample.project-athens.xyz" + domain_name = "*.project-athens.xyz" validation_method = "DNS" + + lifecycle { + create_before_destroy = true + } } resource "aws_acm_certificate_validation" "sample" {
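Review bot: `domain_name = "*.project-athens.xyz"` does not cover the zone apex, so `https://project-athens.xyz` would present a name mismatch; add `subject_alternative_names = ["project-athens.xyz"]` if the apex is ever served, and note that a wildcard means any host under the zone can now be pointed at this ALB and terminate with a valid cert, a wider scope than the single `sample` name it replaces. `aws_acm_certificate_validation.sample` below still selects the validation record by the positional key `"2"`, which this change leaves as the fragile part. The header `# Here is the TLS cert that we create for the alpha cluster` could record the decision: `# Wildcard so new services under project-athens.xyz can share the ALB listener without issuing a new cert`.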