update infra+ci configs

Author: j4p3

.github/workflows/ecr.yml .github/workflows/deploy.yml.github/workflows/ecr.yml renamed to .github/workflows/deploy.yml

@@ -33,6 +33,7 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/master'
 
     steps:
     - name: Checkout
@@ -41,9 +42,9 @@ jobs:
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
-        aws-access-key-id: ${{ secrets.dev.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.dev.AWS_SECRET_ACCESS_KEY }}
-        aws-region: ${{ secrets.dev.AWS_REGION }}
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ secrets.AWS_REGION }}
 
     - name: Login to Amazon ECR
       id: login-ecr
@@ -64,17 +65,17 @@ jobs:
         echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
     
     # - name: Fill in the new image ID in the Amazon ECS task definition
-    #   id: task-def
-    #   uses: aws-actions/amazon-ecs-render-task-definition@v1
-    #   with:
-    #     task-definition: task-definition.json
-    #     container-name: short_stuff
-    #     image: ${{ steps.build-image.outputs.image }}
+      id: task-def
+      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      with:
+        task-definition: task-definition.json
+        container-name: short_stuff
+        image: ${{ steps.build-image.outputs.image }}
 
-    # - name: Deploy Amazon ECS task definition
-    #   uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-    #   with:
-    #     task-definition: ${{ steps.task-def.outputs.task-definition }}
-    #     service: short_stuff-service
-    #     cluster: default
-    #     wait-for-service-stability: true
+    - name: Deploy Amazon ECS task definition
+      uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+      with:
+        task-definition: ${{ steps.task-def.outputs.task-definition }}
+        service: dev-shortstuff-service
+        cluster: default
+        wait-for-service-stability: true

terraform/deploy_user.tf

@@ -21,10 +21,35 @@ resource "aws_iam_user_policy" "ci_ecr_access" {
         "ecr:*"
       ],
       "Effect": "Allow",
-      "Resource": "${aws_ecr_repository.myapp_repo.arn}"
+      "Resource": "${aws_ecr_repository.short_stuff.arn}"
     }
   ]
 }
 EOF
+}
+
+resource "aws_iam_user_policy" "ecs-fargate-deploy" {
+  user = aws_iam_user.ci_user.name
 
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ecs:UpdateService",
+        "ecs:UpdateTaskDefinition",
+        "ecs:DescribeServices",
+        "ecs:DescribeTaskDefinition",
+        "ecs:DescribeTasks",
+        "ecs:RegisterTaskDefinition",
+        "ecs:ListTasks"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
 }
+

terraform/ecr.tf

@@ -1,3 +1,3 @@
-resource "aws_ecr_repository" "myapp_repo" {
+resource "aws_ecr_repository" "short_stuff" {
   name = "${var.environment_name}-${var.name}"
 }

terraform/ecs.tf

@@ -0,0 +1,103 @@
+# Role for ECS task
+# This is because our Fargate ECS must be able to pull images from ECS
+# and put logs from application container to log driver
+
+data "aws_iam_policy_document" "ecs_task_exec_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "ecsTaskExecutionRole" {
+  name               = "${var.environment_name}-${var.name}-taskrole-ecs"
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_exec_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_exec_role" {
+  role       = aws_iam_role.ecsTaskExecutionRole.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# Cloudwatch logs
+
+resource "aws_cloudwatch_log_group" "short_stuff" {
+  name = "/fargate/${var.environment_name}-${var.name}"
+}
+
+# Cluster
+
+resource "aws_ecs_cluster" "default" {
+  depends_on = [aws_cloudwatch_log_group.short_stuff]
+  name       = "${var.environment_name}-${var.name}"
+}
+
+# Task definition for the application
+
+resource "aws_ecs_task_definition" "short_stuff" {
+  family                   = "${var.environment_name}-${var.name}-td"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.ecs_fargate_application_cpu
+  memory                   = var.ecs_fargate_application_mem
+  network_mode             = "awsvpc"
+  execution_role_arn       = aws_iam_role.ecsTaskExecutionRole.arn
+  container_definitions    = <<DEFINITION
+[
+  {
+    "environment": [
+      {"name": "SECRET_KEY_BASE", "value": "generate one with mix phx.gen.secret"}
+    ],
+    "image": "${aws_ecr_repository.short_stuff.repository_url}:latest",
+    "name": "${var.environment_name}-${var.name}",
+    "portMappings": [
+        {
+            "containerPort": 4000
+        }
+      ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${aws_cloudwatch_log_group.short_stuff.name}",
+        "awslogs-region": "${var.aws_region}",
+        "awslogs-stream-prefix": "ecs-fargate"
+      }
+    }
+  }
+]
+DEFINITION
+}
+
+
+resource "aws_ecs_service" "short_stuff" {
+  name            = "${var.environment_name}-${var.name}-service"
+  cluster         = aws_ecs_cluster.default.id
+  launch_type     = "FARGATE"
+  task_definition = aws_ecs_task_definition.short_stuff.arn
+  desired_count   = var.ecs_application_count
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.short_stuff.arn
+    container_name   = "${var.environment_name}-${var.name}"
+    container_port   = 4000
+  }
+
+  network_configuration {
+    assign_public_ip = false
+
+    security_groups = [
+      aws_security_group.egress-all.id,
+      aws_security_group.short_stuff-service.id
+    ]
+    subnets = [aws_subnet.private.id]
+  }
+
+  depends_on = [
+    aws_lb_listener.short_stuff_http,
+    aws_lb_listener.short_stuff_https,
+    aws_ecs_task_definition.short_stuff
+  ]
+}

terraform/lb.tf

@@ -0,0 +1,89 @@
+resource "aws_lb" "short_stuff" {
+  name = "${var.environment_name}-${var.name}"
+
+  subnets = [
+    aws_subnet.public.id,
+    aws_subnet.private.id
+  ]
+
+  security_groups = [
+    aws_security_group.http.id,
+    aws_security_group.https.id,
+    aws_security_group.egress-all.id
+  ]
+
+  tags = {
+    Environment = var.environment_name
+  }
+}
+
+resource "aws_acm_certificate" "short_stuff" {
+  domain_name       = "isthesqueezesquoze.com"
+  validation_method = "DNS"
+
+  tags = {
+    Environment = var.environment_name
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb_target_group" "short_stuff" {
+  port        = "4000"
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.default.id
+  target_type = "ip"
+
+  health_check {
+    enabled = true
+    path = "/health"
+    matcher = "200"
+    interval = 30
+    unhealthy_threshold = 10
+    timeout = 25
+  }
+
+  tags = {
+    Environment = var.environment_name
+  }
+
+  depends_on = [aws_lb.short_stuff]
+}
+
+resource "aws_lb_listener" "short_stuff_http" {
+  load_balancer_arn = aws_lb.short_stuff.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.short_stuff.arn
+    type             = "forward"
+  }
+
+  # default_action {
+  #   type = "redirect"
+
+  #   redirect {
+  #     port        = "443"
+  #     protocol    = "HTTPS"
+  #     status_code = "HTTP_301"
+  #   }
+  # }
+}
+
+resource "aws_lb_listener" "short_stuff_https" {
+  load_balancer_arn = aws_lb.short_stuff.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_acm_certificate.short_stuff.arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.short_stuff.arn
+  }
+}
+
+

terraform/main.tf

@@ -1,3 +1,54 @@
 provider "aws" {
   region = "us-west-1"
 }
+
+resource "aws_vpc" "default" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Environment = var.environment_name
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.default.id
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.default.id
+}
+
+resource "aws_route_table_association" "public_subnet" {
+  subnet_id      = aws_subnet.public.id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table_association" "private_subnet" {
+  subnet_id      = aws_subnet.private.id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_eip" "nat_ip" {
+  vpc = true
+}
+
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.default.id
+}
+
+resource "aws_nat_gateway" "ngw" {
+  subnet_id     = aws_subnet.public.id
+  allocation_id = aws_eip.nat_ip.id
+}
+
+resource "aws_route" "public_igw" {
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.igw.id
+}
+
+resource "aws_route" "private_ngw" {
+  route_table_id         = aws_route_table.private.id
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.ngw.id
+}

terraform/outputs.tf

@@ -0,0 +1,3 @@
+output "load_balancer_dns" {
+  value = aws_lb.short_stuff.dns_name
+}

terraform/rds.tf

@@ -0,0 +1,20 @@
+resource "aws_db_instance" "default" {
+  allocated_storage = var.db_storage
+  engine            = var.db_engine
+  engine_version    = var.db_engine_version
+  instance_class    = var.db_instance_type
+  name              = var.db_name
+  username          = var.db_username
+  password          = var.db_password
+
+  availability_zone = var.aws_default_zone
+
+  publicly_accessible    = false
+  vpc_security_group_ids = [aws_security_group.db.id]
+  db_subnet_group_name   = aws_db_subnet_group.default.name
+
+  tags = {
+    App         = var.name
+    Environment = var.environment_name
+  }
+}