-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
446 lines (386 loc) · 12.8 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.16"
}
}
required_version = ">= 1.2.0"
}
provider "aws" {
region = var.aws_region
profile = var.aws_profile
}
variable "project_name" {
description = "The name of the project"
type = string
default = "rails-tf-example"
}
variable "env" {
description = "The environment of the project"
type = string
default = "prod"
}
variable "aws_region" {
description = "The AWS region"
type = string
default = "us-east-2"
}
variable "aws_profile" {
description = "The AWS profile to use"
type = string
default = "default"
}
variable "rails_cpu_arch" {
description = "The CPU architecture of the Rails container"
type = string
default = "arm64"
}
resource "aws_vpc" "vpc" {
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
assign_generated_ipv6_cidr_block = true
}
resource "aws_subnet" "public_subnet" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.0.0/20"
ipv6_cidr_block = aws_vpc.vpc.ipv6_cidr_block
map_public_ip_on_launch = true
assign_ipv6_address_on_creation = true
availability_zone = "${var.aws_region}a"
}
resource "aws_subnet" "private_egress_subnet" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.80.0/20"
map_public_ip_on_launch = false
availability_zone = "${var.aws_region}a"
}
resource "aws_subnet" "private_isolated_subnet" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.129.0/24"
map_public_ip_on_launch = false
availability_zone = "${var.aws_region}a"
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc.id
}
resource "aws_egress_only_internet_gateway" "eigw" {
vpc_id = aws_vpc.vpc.id
}
resource "aws_route" "route_eigw" {
route_table_id = aws_vpc.vpc.main_route_table_id
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
}
resource "aws_route" "route_igw" {
route_table_id = aws_vpc.vpc.main_route_table_id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
resource "aws_ecr_repository" "ecr_repo" {
name = "${var.project_name}-ecr-repo-${var.env}"
image_tag_mutability = "MUTABLE"
force_delete = true
image_scanning_configuration {
scan_on_push = true
}
}
locals {
rails_image_hash = md5(join(
"",
[
join("", [for x in fileset("${path.module}", "../{app,config,db,lib,public,vendor}/**") : filemd5(x)]),
join("", [for x in fileset("${path.module}", "../{config.ru,Dockerfile,Gemfile.lock,Rakefile}") : filemd5(x)])
]
))
}
resource "null_resource" "image" {
triggers = {
hash = "${local.rails_image_hash}"
}
provisioner "local-exec" {
command = <<EOF
aws ecr get-login-password --profile ${var.aws_profile} --region ${var.aws_region} | docker login --username AWS --password-stdin ${aws_ecr_repository.ecr_repo.repository_url}
docker build --platform=linux/${var.rails_cpu_arch} -t ${aws_ecr_repository.ecr_repo.repository_url}:${local.rails_image_hash} ../
docker push ${aws_ecr_repository.ecr_repo.repository_url}:${local.rails_image_hash}
EOF
}
}
data "aws_ecr_image" "latest" {
repository_name = aws_ecr_repository.ecr_repo.name
image_tag = local.rails_image_hash
depends_on = [null_resource.image]
}
resource "aws_service_discovery_private_dns_namespace" "discovery_namespace" {
vpc = aws_vpc.vpc.id
name = "${var.project_name}-${var.env}.internal"
}
resource "aws_ecs_cluster" "ecs_cluster" {
name = "${var.project_name}-cluster-${var.env}"
service_connect_defaults {
namespace = aws_service_discovery_private_dns_namespace.discovery_namespace.arn
}
}
resource "aws_ecs_cluster_capacity_providers" "ecs_cluster_capacity_providers" {
cluster_name = aws_ecs_cluster.ecs_cluster.name
capacity_providers = ["FARGATE", "FARGATE_SPOT"]
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "ssm_policy_document" {
statement {
effect = "Allow"
actions = [
"ssm:GetParameter*"
]
resources = ["arn:aws:ssm:*:*:parameter/${var.project_name}/${var.env}/*"]
}
statement {
effect = "Allow"
actions = [
"kms:Decrypt"
]
resources = ["*"]
}
}
resource "aws_security_group" "internal_service_sg" {
vpc_id = aws_vpc.vpc.id
description = "Security group that may be used for allowing traffic between services in the environment."
}
resource "aws_security_group_rule" "internal_service_sg_egress" {
security_group_id = aws_security_group.internal_service_sg.id
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
// Allow all IPv6 and IPv4 traffic
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
resource "aws_apigatewayv2_api" "rails_api" {
name = "rails-api-${var.project_name}-${var.env}"
protocol_type = "HTTP"
# When using a custom domain name, you must set this to true
# disable_execute_api_endpoint = true
}
resource "aws_apigatewayv2_stage" "rails_api_stage" {
api_id = aws_apigatewayv2_api.rails_api.id
name = "$default"
auto_deploy = true
}
resource "aws_apigatewayv2_integration" "rails_integration" {
api_id = aws_apigatewayv2_api.rails_api.id
connection_id = aws_apigatewayv2_vpc_link.apigw_vpc_link.id
connection_type = "VPC_LINK"
integration_type = "HTTP_PROXY"
integration_method = "ANY"
integration_uri = aws_service_discovery_service.rails_service_discovery.arn
payload_format_version = "1.0"
}
resource "aws_apigatewayv2_route" "rails_route" {
api_id = aws_apigatewayv2_api.rails_api.id
route_key = "ANY /{proxy+}"
target = "integrations/${aws_apigatewayv2_integration.rails_integration.id}"
}
resource "aws_apigatewayv2_vpc_link" "apigw_vpc_link" {
name = "${var.project_name}-rails-link-${var.env}"
security_group_ids = [aws_security_group.internal_service_sg.id]
subnet_ids = [aws_subnet.public_subnet.id]
}
resource "aws_iam_role" "ecs_task_role" {
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}
resource "aws_iam_policy" "ssm_policy" {
name = "ssm-policy"
description = "Allow ECS tasks to access SSM parameters"
policy = data.aws_iam_policy_document.ssm_policy_document.json
}
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
role = aws_iam_role.ecs_task_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
resource "aws_iam_role_policy_attachment" "ecs_task_role_policy" {
role = aws_iam_role.ecs_task_role.name
policy_arn = aws_iam_policy.ssm_policy.arn
}
resource "aws_ecs_task_definition" "rails_task" {
family = "${var.project_name}-rails-${var.env}"
container_definitions = <<DEFINITION
[
{
"name": "rails-container",
"image": "${aws_ecr_repository.ecr_repo.repository_url}:${data.aws_ecr_image.latest.image_tag}",
"essential": true,
"portMappings": [
{
"containerPort": 3000,
"hostPort": 3000
}
],
"linuxParameters": {
"initProcessEnabled": true
},
"memory": 512,
"cpu": 256,
"secrets": [
{
"name": "RAILS_MASTER_KEY",
"valueFrom": "${data.aws_ssm_parameter.rails_master_key.arn}"
}
]
}
]
DEFINITION
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
memory = 512
cpu = 256
runtime_platform {
cpu_architecture = upper(var.rails_cpu_arch)
operating_system_family = "LINUX"
}
execution_role_arn = aws_iam_role.ecs_task_role.arn
depends_on = [ data.aws_ecr_image.latest ]
}
data "aws_ssm_parameter" "rails_master_key" {
name = "/${var.project_name}/${var.env}/RAILS_MASTER_KEY"
}
resource "aws_ecs_service" "rails_service" {
name = "${var.project_name}-rails"
cluster = aws_ecs_cluster.ecs_cluster.id
task_definition = aws_ecs_task_definition.rails_task.arn
desired_count = 1
capacity_provider_strategy {
capacity_provider = "FARGATE"
weight = 1
}
deployment_maximum_percent = 200
deployment_minimum_healthy_percent = 50 # Using 50% ensures the service is available but makes rolling updates much faster
# Cause the deployment to fail and rollback if the service is unable to stabilize
deployment_circuit_breaker {
enable = true
rollback = true
}
network_configuration {
subnets = [aws_subnet.public_subnet.id] # Deploy the public subnet, bypassing the need for a NAT gateway
assign_public_ip = true # Assign a public IP to the container for internet access
security_groups = [aws_security_group.rails_service_sg.id]
}
# Register the service with the service discovery namespace
service_registries {
registry_arn = aws_service_discovery_service.rails_service_discovery.arn
container_name = "rails-container"
container_port = 3000
}
lifecycle {
ignore_changes = [desired_count]
}
}
resource "aws_service_discovery_service" "rails_service_discovery" {
name = "dns.rails" # dns.rails.${var.project_name}-${var.env}.internal
dns_config {
namespace_id = aws_service_discovery_private_dns_namespace.discovery_namespace.id
dns_records {
ttl = 60
type = "A"
}
dns_records {
ttl = 60
type = "AAAA"
}
dns_records {
ttl = 60
type = "SRV"
}
routing_policy = "MULTIVALUE"
}
health_check_custom_config {
failure_threshold = 1
}
}
resource "aws_security_group" "rails_service_sg" {
vpc_id = aws_vpc.vpc.id
ingress {
from_port = 0
to_port = 0
protocol = "-1"
# Only allowing traffic in from the vpc link security group
security_groups = [aws_security_group.internal_service_sg.id]
}
egress {
from_port = 0 # Allow any incoming port
to_port = 0 # Allow any outgoing port
protocol = "-1" # Allow any outgoing protocol
# Allow all IPv6 and IPv4 traffic
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
resource "aws_cloudfront_distribution" "rails_cdn" {
enabled = true
is_ipv6_enabled = true
origin {
origin_id = "default"
# Use the API gateway as the origin
domain_name = "${aws_apigatewayv2_api.rails_api.id}.execute-api.${var.aws_region}.amazonaws.com"
custom_origin_config {
origin_keepalive_timeout = 60
origin_read_timeout = 60
origin_protocol_policy = "https-only"
http_port = 80
https_port = 443
origin_ssl_protocols = ["TLSv1.2"]
}
}
# This is the cheapest price class, targets the US, Canada, and Europe
price_class = "PriceClass_100"
default_cache_behavior {
allowed_methods =["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "default"
viewer_protocol_policy = "redirect-to-https"
cache_policy_id = aws_cloudfront_cache_policy.rails_cdn_cache_policy.id
origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host_header.id
compress = true # Compress response objects automatically
}
viewer_certificate {
cloudfront_default_certificate = true
}
restrictions {
geo_restriction {
restriction_type = "none"
}
}
}
resource "aws_cloudfront_cache_policy" "rails_cdn_cache_policy" {
name = "rails-cdn-cache-policy"
parameters_in_cache_key_and_forwarded_to_origin {
cookies_config {
cookie_behavior = "none"
}
headers_config {
header_behavior = "none"
}
query_strings_config {
query_string_behavior = "all"
}
enable_accept_encoding_gzip = true
enable_accept_encoding_brotli = true
}
min_ttl = 0
default_ttl = 0 # Force the CDN to always check the origin for the latest content unless a cache-control header is set
}
# When not using a custom domain name, ignore the host header. Otherwise you'd use
# the "AllViewerAndCloudFrontHeaders-2022-06" policy with ID "33f36d7e-f396-46d9-90e0-52428a34d9dc"
data "aws_cloudfront_origin_request_policy" "all_viewer_except_host_header" {
# See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-all-viewer-except-host-header
id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
}