build(tf): add terraform ecs

Signed-off-by: Jayne Doe <[email protected]>

Author: J4Numbers

.github/workflows/aws.yml

@@ -4,6 +4,9 @@ on:
       env:
         required: true
         type: string
+      deploy_version:
+        required: true
+        type: string
     secrets:
       AWS_ACCESS_KEY_ID:
         required: true
@@ -29,37 +32,19 @@ jobs:
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: eu-west-2
 
-    - name: Login to Amazon ECR
-      id: login-ecr
-      uses: aws-actions/amazon-ecr-login@v1
-
-    - name: Build, tag, and push image to Amazon ECR
-      id: build-image
-      env:
-        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-        ECR_REPOSITORY: j4numbers/personal-website
-        IMAGE_TAG: ${{ github.sha }}
-      run: |
-        # Build a docker container and
-        # push it to ECR so that it can
-        # be deployed to ECS.
-        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
-        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
-        echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
-
     - name: HashiCorp - Setup Terraform
       uses: hashicorp/[email protected]
       with:
         # The version of Terraform CLI to install. Defaults to `latest`.
-        terraform_version: "> 0.15.5"
+        terraform_version: "> 1.1.0"
 
     - name: Validate and plan deployment Terraform
       id: terraform-plan-validate
       env:
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
-        TF_VAR_deploy_version: ${{ github.sha }}
+        TF_VAR_deploy_version: ${{ inputs.deploy_version }}
         TF_VAR_vpc_id: ${{ secrets.DEPLOY_VPC_ID }}
         TF_VAR_application_debug_mode: "false"
 

.github/workflows/npm-build-and-test.yml

@@ -115,7 +115,7 @@ jobs:
         npm run generate-certs
         npm run test:unit
 
-  deploy:
+  deploy-ecr:
     if: github.ref_name == 'main'
     needs:
     - test
@@ -126,3 +126,15 @@ jobs:
     secrets:
       AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
+
+  deploy-terraform:
+    if: github.ref_name == 'main'
+    needs:
+    - deploy-ecr
+    uses: ./.github/workflows/aws.yml
+    with:
+      env: production
+      deploy_version: ${{ github.sha }}
+    secrets:
+      AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}

tf/site/asg.tf

@@ -0,0 +1,22 @@
+resource "aws_launch_configuration" "website_asg_lc" {
+  name                 = "${var.application_name}-asg-lc"
+  image_id             = data.aws_ami.base_ami.id
+  iam_instance_profile = aws_iam_instance_profile.website_ecs_instance_profile.name
+  security_groups      = [aws_security_group.personal_website_sg.id]
+  user_data            = data.template_file.user_data.rendered
+  instance_type        = "t2.micro"
+  key_name             = "ssh-key-aws-override"
+}
+
+resource "aws_autoscaling_group" "website_asg" {
+  name                 = "${var.application_name}-asg"
+  vpc_zone_identifier  = data.aws_subnet_ids.root_vpc_subnets.ids
+  launch_configuration = aws_launch_configuration.website_asg_lc.name
+
+  desired_capacity = 1
+  max_size         = 1
+  min_size         = 1
+
+  health_check_grace_period = 300
+  health_check_type         = "EC2"
+}

tf/site/assets/ecs/personal-website.json

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "ECS_CLUSTER=${env}-${application_name}" >> /etc/ecs/ecs.config;
+echo "ECS_BACKEND_HOST=" >> /etc/ecs/ecs.config;

tf/site/assets/user_data.bash

@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "ecs_website_log_group" {
+  name              = "/ecs/${var.application_name}/logs"
+  retention_in_days = 5
+}

tf/site/cloudwatch.tf

@@ -1,3 +1,49 @@
+data "aws_iam_policy_document" "base_ec2_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ec2.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "base_ecs_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_ecr_repository" "website_registry" {
+  name = "j4numbers/personal-website"
+}
+
+data "aws_ami" "base_ami" {
+  owners = ["amazon"]
+
+  most_recent = true
+
+  filter {
+    name   = "AMI name"
+    values = ["amzn2-ami-ecs*"]
+  }
+}
+
+data "template_file" "user_data" {
+  template = file("${path.module}/assets/user_data.tmpl.bash")
+
+  vars = {
+    env              = local.dev-env
+    application_name = var.application_name
+  }
+}
+
 data "aws_vpc" "root_vpc" {
   count = 1
 
@@ -8,17 +54,17 @@ data "aws_vpc" "root_vpc" {
 }
 
 data "aws_subnet_ids" "root_vpc_subnets" {
-  vpc_id = "${data.aws_vpc.root_vpc.id}"
+  vpc_id = data.aws_vpc.root_vpc.id
 }
 
 data "aws_route53_zone" "hosted_zone" {
-  name         = "${var.dns_hosted_zones[local.dev-env]}"
+  name         = var.dns_hosted_zones[local.dev-env]
   private_zone = false
 }
 
 data "aws_subnet" "personal_website_subnet" {
   filter {
     name   = "tag:Name"
-    values = ["${var.subnet[local.dev-env]}"]
+    values = [var.subnet[local.dev-env]]
   }
 }

tf/site/data.tf

@@ -1,24 +1,52 @@
 resource "aws_ecs_cluster" "personal_website_cluster" {
-  name = "${local.dev-env}-personal-website"
+  name = "${local.dev-env}-${var.application_name}"
 }
 
 resource "aws_ecs_task_definition" "personal_website_task" {
-  container_definitions = "${file("./assets/ecs/personal-website.json")}"
+  family = "${var.application_name}-definition"
 
-  family       = "service"
-  network_mode = "host"
+  container_definitions = jsonencode([
+    {
+      name: "${var.application_name}-service",
+      image: "${data.aws_ecr_repository.website_registry.repository_url}:${var.deploy_version}",
+      environment: [],
+      secrets: [],
+      logConfiguration: {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "/ecs/${var.application_name}/logs",
+          "awslogs-region": "eu-west-2",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      cpu : 10,
+      memory : 512,
+      essential : true,
+      portMappings : [
+        {
+          "containerPort": 8080,
+          "hostPort": 8080
+        }
+      ]
+    }
+  ])
+
+  network_mode             = "host"
+  requires_compatibilities = ["EC2"]
+  execution_role_arn       = aws_iam_role.website_ecs_task_executor.arn
 }
 
 resource "aws_ecs_service" "personal_website_image" {
-  name            = "personal-website"
-  cluster         = "${aws_ecs_cluster.personal_website_cluster.id}"
-  task_definition = "${aws_ecs_task_definition.personal_website_task.arn}"
+  name                 = "${var.application_name}-service"
+  cluster              = aws_ecs_cluster.personal_website_cluster.arn
+  task_definition      = aws_ecs_task_definition.personal_website_task.family
+  force_new_deployment = true
 
   desired_count = 1
 
   load_balancer {
-    target_group_arn = "${aws_lb_target_group.central_lb_targets.arn}"
-    container_name   = "personal-website"
-    container_port   = "${var.application_port}"
+    target_group_arn = aws_lb_target_group.central_lb_targets.arn
+    container_name   = var.application_name
+    container_port   = var.application_port
   }
 }

tf/site/ecs.tf

@@ -1,5 +1,5 @@
 resource "aws_acm_certificate" "central_lb_cert" {
-  domain_name       = "j4numbers.co.uk"
+  domain_name       = var.dns_hosted_zones[local.dev-env]
   validation_method = "DNS"
 
   lifecycle {
@@ -8,45 +8,41 @@ resource "aws_acm_certificate" "central_lb_cert" {
 }
 
 resource "aws_lb" "central_load_balancer" {
-  name               = "${local.dev-env}-central-alb"
+  name               = "${local.dev-env}-${var.application_name}-central-alb"
   internal           = false
   load_balancer_type = "application"
-  security_groups    = ["${aws_security_group.personal_website.id}"]
-  subnets            = ["${data.aws_subnet_ids.root_vpc_subnets.ids}"]
+  security_groups    = [aws_security_group.personal_website_sg.id]
+  subnets            = [data.aws_subnet_ids.root_vpc_subnets.ids]
 
   enable_deletion_protection = false
   enable_http2               = true
-
-  tags {
-    Environment = "${local.dev-env}"
-  }
 }
 
 resource "aws_lb_target_group" "central_lb_targets" {
-  name                 = "${local.dev-env}-personal-website"
-  port                 = "${var.application_port}"
+  name                 = "${local.dev-env}-${var.application_name}"
+  port                 = var.application_port
   protocol             = "TCP"
-  vpc_id               = "${data.aws_subnet.personal_website_subnet.0.vpc_id}"
+  vpc_id               = data.aws_subnet.personal_website_subnet[0].vpc_id
   deregistration_delay = 60
 
   health_check {
     healthy_threshold   = 2
     unhealthy_threshold = 2
     interval            = 10
-    port                = "${var.application_port}"
+    port                = var.application_port
     protocol            = "TCP"
   }
 }
 
 resource "aws_lb_listener" "https_listener" {
-  load_balancer_arn = "${aws_lb.central_load_balancer.arn}"
+  load_balancer_arn = aws_lb.central_load_balancer.arn
   port              = 8080
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-2016-08"
-  certificate_arn   = "${aws_acm_certificate.central_lb_cert.arn}"
+  certificate_arn   = aws_acm_certificate.central_lb_cert.arn
 
   default_action {
     type             = "forward"
-    target_group_arn = "${aws_lb_target_group.central_lb_targets.arn}"
+    target_group_arn = aws_lb_target_group.central_lb_targets.arn
   }
 }

tf/site/elb.tf

@@ -0,0 +1,33 @@
+resource "aws_iam_role" "website_ecs_task_executor" {
+  name        = "${var.application_name}-ecs-executor"
+  description = "A startup executor for ECS containers"
+
+  assume_role_policy = data.aws_iam_policy_document.base_ecs_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_executor_default" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  role       = aws_iam_role.website_ecs_task_executor.name
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_read_only_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
+  role       = aws_iam_role.website_ecs_task_executor.name
+}
+
+resource "aws_iam_role" "website_base_ec2_asg" {
+  name        = "${var.application_name}-base-ecs-agent"
+  description = "IAM role for ECS ASG"
+
+  assume_role_policy = data.aws_iam_policy_document.base_ec2_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_agent" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+  role       = aws_iam_role.website_base_ec2_asg.name
+}
+
+resource "aws_iam_instance_profile" "website_ecs_instance_profile" {
+  name = "${var.application_name}-ecs-instance-profile"
+  role = aws_iam_role.website_base_ec2_asg.name
+}