Added staging terraform

Author: mpon

terraform/stg/access_logs_bucket.tf

@@ -0,0 +1,27 @@
+resource "random_pet" "access_logs" {
+  length = 3
+}
+
+resource "aws_s3_bucket" "access_logs" {
+  bucket        = "${local.env}-access-logs-${random_pet.access_logs.id}"
+  acl           = "private"
+  force_destroy = true # to make it easier to destroy at this repository example
+}
+
+resource "aws_s3_bucket_policy" "access_logs" {
+  bucket = aws_s3_bucket.access_logs.id
+  policy = data.aws_iam_policy_document.access_logs.json
+}
+
+data "aws_iam_policy_document" "access_logs" {
+  # Allow from Elastic Load Balancing account in ap-northeast-1
+  statement {
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.access_logs.arn}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::582318560864:root"]
+    }
+  }
+}

terraform/stg/alb.tf

@@ -0,0 +1,124 @@
+resource "aws_lb" "public" {
+  name                       = "${local.env}-public"
+  security_groups            = [aws_security_group.public.id, aws_security_group.private.id]
+  subnets                    = module.vpc.public_subnets
+  enable_deletion_protection = false # to make it easier to destroy at this repository example
+
+  tags = {
+    Name        = "${local.env}-public"
+    Environment = local.env
+  }
+
+  access_logs {
+    bucket  = aws_s3_bucket.access_logs.bucket
+    prefix  = "ALB/${local.env}-public"
+    enabled = true
+  }
+}
+
+resource "aws_lb_listener" "public_http" {
+  load_balancer_arn = aws_lb.public.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "404 Not Found"
+      status_code  = "404"
+    }
+  }
+}
+
+resource "aws_lb_target_group" "api_blue" {
+  name        = "${local.env}-api-blue"
+  port        = 3000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = module.vpc.vpc_id
+
+  health_check {
+    path = "/okcomputer/all"
+  }
+}
+
+resource "aws_lb_target_group" "api_green" {
+  name        = "${local.env}-api-green"
+  port        = 3000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = module.vpc.vpc_id
+
+  health_check {
+    path = "/okcomputer/all"
+  }
+}
+
+resource "aws_lb_target_group" "web_blue" {
+  name        = "${local.env}-web-blue"
+  port        = 3000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = module.vpc.vpc_id
+
+  health_check {
+    path = "/okcomputer/all"
+  }
+}
+
+resource "aws_lb_target_group" "web_green" {
+  name        = "${local.env}-web-green"
+  port        = 3000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = module.vpc.vpc_id
+
+  health_check {
+    path = "/" # TODO: change healthcheck path
+  }
+}
+
+
+resource "aws_lb_listener_rule" "api" {
+  listener_arn = aws_lb_listener.public_http.arn
+  priority     = 100
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.api_blue.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/api/*"]
+    }
+  }
+
+  lifecycle {
+    # Target group will be updated by CodeDeploy
+    ignore_changes = [action]
+  }
+}
+
+resource "aws_lb_listener_rule" "web" {
+  listener_arn = aws_lb_listener.public_http.arn
+  priority     = 200
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web_blue.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/*"]
+    }
+  }
+
+  lifecycle {
+    # Target group will be updated by CodeDeploy
+    ignore_changes = [action]
+  }
+}

terraform/stg/codebuild.tf

@@ -0,0 +1,66 @@
+module "codebuild_iam" {
+  source                            = "../modules/codebuild_iam"
+  name                              = "${local.env}-codebuild-service-role"
+  subnet_arns                       = module.vpc.private_subnet_arns
+  assets_bucket_arn                 = data.terraform_remote_state.common.outputs.assets_bucket.arn
+  codepipeline_artifacts_bucket_arn = aws_s3_bucket.codepipeline.arn
+  codebuild_bucket_arn              = aws_s3_bucket.codebuild.arn
+}
+
+resource "random_pet" "codebuild" {
+  length = 3
+}
+
+resource "aws_s3_bucket" "codebuild" {
+  bucket = "${local.env}-codebuild-${random_pet.codebuild.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "buildspec" {
+  bucket = aws_s3_bucket.codebuild.id
+  key    = "${local.env}/buildspec.yaml"
+  content = templatefile("${path.module}/templates/buildspec.yaml", {
+    repository_domain = dirname(data.terraform_remote_state.common.outputs.ecr_rails_blog_example_repository_url)
+    repository_url    = data.terraform_remote_state.common.outputs.ecr_rails_blog_example_repository_url
+    bucket            = aws_s3_bucket.codebuild.id
+    env               = local.env
+    database_url      = aws_ssm_parameter.database_url.name
+    secret_key_base   = aws_ssm_parameter.secret_key_base.name
+    asset_bucket      = aws_ssm_parameter.asset_bucket.name
+  })
+}
+
+resource "aws_codebuild_project" "build" {
+  name         = "${local.env}-build"
+  service_role = module.codebuild_iam.service_role_arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:2.0"
+    type                        = "LINUX_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+    privileged_mode             = true
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = data.github_repository.repo.http_clone_url
+    git_clone_depth = 1
+    buildspec       = "${aws_s3_bucket.codebuild.arn}/${aws_s3_bucket_object.buildspec.key}"
+  }
+
+  cache {
+    type  = "LOCAL"
+    modes = ["LOCAL_DOCKER_LAYER_CACHE", "LOCAL_SOURCE_CACHE"]
+  }
+
+  vpc_config {
+    vpc_id             = module.vpc.vpc_id
+    subnets            = module.vpc.private_subnets
+    security_group_ids = [aws_security_group.private.id, aws_security_group.db.id]
+  }
+}

terraform/stg/codedeploy.tf

@@ -0,0 +1,101 @@
+module "codedeploy_iam" {
+  source = "../modules/codedeploy_iam"
+  name   = "${local.env}-codedeploy-service-role"
+}
+
+resource "aws_codedeploy_app" "app" {
+  name             = "${local.env}-app"
+  compute_platform = "ECS"
+}
+
+# Deployment for API service
+
+resource "aws_codedeploy_deployment_group" "api" {
+  app_name               = aws_codedeploy_app.app.name
+  deployment_group_name  = "${local.env}-api"
+  deployment_config_name = "CodeDeployDefault.ECSAllAtOnce"
+  service_role_arn       = module.codedeploy_iam.service_role_arn
+
+  blue_green_deployment_config {
+    deployment_ready_option {
+      action_on_timeout = "CONTINUE_DEPLOYMENT"
+    }
+
+    terminate_blue_instances_on_deployment_success {
+      action                           = "TERMINATE"
+      termination_wait_time_in_minutes = 0
+    }
+  }
+
+  deployment_style {
+    deployment_option = "WITH_TRAFFIC_CONTROL"
+    deployment_type   = "BLUE_GREEN"
+  }
+
+  ecs_service {
+    cluster_name = aws_ecs_cluster.cluster.name
+    service_name = aws_ecs_service.api.name
+  }
+
+  load_balancer_info {
+    target_group_pair_info {
+      prod_traffic_route {
+        listener_arns = [aws_lb_listener.public_http.arn]
+      }
+
+      target_group {
+        name = aws_lb_target_group.api_blue.name
+      }
+
+      target_group {
+        name = aws_lb_target_group.api_green.name
+      }
+    }
+  }
+}
+
+# Deployment for Web service
+
+resource "aws_codedeploy_deployment_group" "web" {
+  app_name               = aws_codedeploy_app.app.name
+  deployment_group_name  = "${local.env}-web"
+  deployment_config_name = "CodeDeployDefault.ECSAllAtOnce"
+  service_role_arn       = module.codedeploy_iam.service_role_arn
+
+  blue_green_deployment_config {
+    deployment_ready_option {
+      action_on_timeout = "CONTINUE_DEPLOYMENT"
+    }
+
+    terminate_blue_instances_on_deployment_success {
+      action                           = "TERMINATE"
+      termination_wait_time_in_minutes = 0
+    }
+  }
+
+  deployment_style {
+    deployment_option = "WITH_TRAFFIC_CONTROL"
+    deployment_type   = "BLUE_GREEN"
+  }
+
+  ecs_service {
+    cluster_name = aws_ecs_cluster.cluster.name
+    service_name = aws_ecs_service.web.name
+  }
+
+  load_balancer_info {
+    target_group_pair_info {
+      prod_traffic_route {
+        listener_arns = [aws_lb_listener.public_http.arn]
+      }
+
+      target_group {
+        name = aws_lb_target_group.web_blue.name
+      }
+
+      target_group {
+        name = aws_lb_target_group.web_green.name
+      }
+    }
+  }
+}