wip

marcoacierno · marcoacierno · commit 1ffc74a32a60 · 2024-11-15T17:42:53.000+01:00
diff --git a/infrastructure/applications/.tool-versions b/infrastructure/applications/.tool-versions
@@ -0,0 +1 @@
+terraform 1.9.8
diff --git a/infrastructure/applications/cluster/load_balancer.tf b/infrastructure/applications/cluster/load_balancer.tf
@@ -0,0 +1,35 @@
+locals {
+  load_balancer_user_data = templatefile("${path.module}/userdata.sh", {
+    ecs_cluster = aws_ecs_cluster.cluster.name
+    swap_size = "1G"
+    role = "load_balancer"
+  })
+}
+
+resource "aws_instance" "load_balancer" {
+  ami               = "ami-09c79d1104c5634b4" #todo
+  instance_type     = "t4g.nano"
+  subnet_id         = data.aws_subnet.public_1a.id
+  availability_zone = "eu-central-1a"
+  vpc_security_group_ids = [
+    aws_security_group.load_balancer.id,
+  ]
+  source_dest_check    = false
+  user_data            = local.load_balancer_user_data
+  iam_instance_profile = aws_iam_instance_profile.load_balancer.name
+  key_name             = "pretix"
+  user_data_replace_on_change = true
+
+  root_block_device {
+    volume_size = 30
+  }
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-load-balancer"
+    Role = "load_balancer"
+  }
+}
+
+output "load_balancer_public_ip" {
+  value = aws_instance.load_balancer.public_ip
+}
diff --git a/infrastructure/applications/cluster/load_balancer_iam.tf b/infrastructure/applications/cluster/load_balancer_iam.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_role" "load_balancer" {
+  name = "pythonit-${terraform.workspace}-load-balancer"
+  assume_role_policy = data.aws_iam_policy_document.lb_assume_role.json
+}
+
+resource "aws_iam_instance_profile" "load_balancer" {
+  name = "pythonit-${terraform.workspace}-load-balancer"
+  role = aws_iam_role.load_balancer.name
+}
+
+data "aws_iam_policy_document" "lb_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy" "lb" {
+  name   = "pythonit-${terraform.workspace}-load-balancer-policy"
+  role   = aws_iam_role.load_balancer.id
+  policy = data.aws_iam_policy_document.lb_role_policy.json
+}
+
+data "aws_iam_policy_document" "lb_role_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:PassRole",
+      "ecs:*",
+      "ecr:*",
+      "ec2:DescribeInstances",
+    ]
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["cloudwatch:PutMetricData", "logs:*"]
+    resources = ["*"]
+  }
+}
diff --git a/infrastructure/applications/cluster/load_balancer_security.tf b/infrastructure/applications/cluster/load_balancer_security.tf
@@ -0,0 +1,32 @@
+resource "aws_security_group" "load_balancer" {
+  name        = "pythonit-${terraform.workspace}-load-balancer"
+  description = "pythonit-${terraform.workspace} load balancer"
+  vpc_id      = data.aws_vpc.default.id
+}
+
+resource "aws_security_group_rule" "lb_web_http" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.load_balancer.id
+}
+
+resource "aws_security_group_rule" "lb_ssh" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.load_balancer.id
+}
+
+resource "aws_security_group_rule" "lb_out_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "all"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.load_balancer.id
+}
diff --git a/infrastructure/applications/cluster/logs.tf b/infrastructure/applications/cluster/logs.tf
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "cluster" {
+  name              = "/ecs/pythonit-${terraform.workspace}-cluster"
+  retention_in_days = 3
+}
diff --git a/infrastructure/applications/cluster/security.tf b/infrastructure/applications/cluster/security.tf
@@ -21,3 +21,12 @@ resource "aws_security_group_rule" "web_http" {
   cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = aws_security_group.server.id
 }
+
+resource "aws_security_group_rule" "server_ssh" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.server.id
+}
diff --git a/infrastructure/applications/cluster/task_traefik.tf b/infrastructure/applications/cluster/task_traefik.tf
@@ -0,0 +1,89 @@
+resource "aws_ecs_task_definition" "traefik" {
+  family = "pythonit-${terraform.workspace}-traefik"
+  container_definitions = jsonencode([
+    {
+      name              = "traefik"
+      image             = "traefik:v3.1.2"
+      memoryReservation = 200
+      essential         = true
+
+      environment = [
+        {
+          name  = "TRAEFIK_PROVIDERS_ECS_CLUSTERS"
+          value = aws_ecs_cluster.cluster.name
+        },
+        {
+          name  = "TRAEFIK_PROVIDERS_ECS_AUTODISCOVERCLUSTERS"
+          value = "false",
+        },
+        {
+          name  = "TRAEFIK_PROVIDERS_ECS_EXPOSEDBYDEFAULT",
+          value = "false",
+        },
+        {
+          name  = "TRAEFIK_ENTRYPOINTS_WEB_ADDRESS",
+          value = ":80"
+        },
+      ]
+
+      portMappings = [
+        {
+          containerPort = 80
+          hostPort      = 80
+        },
+      ]
+
+      mountPoints = []
+      systemControls = [
+        {
+          "namespace" : "net.core.somaxconn",
+          "value" : "4096"
+        }
+      ]
+
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.cluster.name
+          "awslogs-region"        = "eu-central-1"
+          "awslogs-stream-prefix" = "traefik"
+        }
+      }
+
+      healthCheck = {
+        retries = 3
+        command = [
+          "CMD-SHELL",
+          "echo 4"
+        ]
+        timeout  = 3
+        interval = 10
+      }
+
+      stopTimeout = 300
+    }
+  ])
+
+  requires_compatibilities = []
+  tags                     = {}
+}
+
+resource "aws_ecs_service" "traefik" {
+  name                               = "traefik"
+  cluster                            = aws_ecs_cluster.cluster.id
+  task_definition                    = aws_ecs_task_definition.traefik.arn
+  desired_count                      = 1
+  deployment_minimum_healthy_percent = 0
+  deployment_maximum_percent         = 100
+
+  lifecycle {
+    ignore_changes = [
+      capacity_provider_strategy
+    ]
+  }
+
+  # placement_constraints {
+  #   type       = "memberOf"
+  #   expression = "attribute:role == load_balancer"
+  # }
+}
diff --git a/infrastructure/applications/cluster/userdata.sh b/infrastructure/applications/cluster/userdata.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -x
+
+# change 2
+echo "ECS_CLUSTER=${ecs_cluster}" > /etc/ecs/ecs.config
+echo "ECS_INSTANCE_ATTRIBUTES={\"role\": \"${role}\"}" >> /etc/ecs/ecs.config
+
+sudo su
+sudo dd if=/dev/zero of=/swapfile bs=${swap_size} count=32
+sudo chmod 600 /swapfile
+sudo mkswap /swapfile
+sudo swapon /swapfile
+sudo echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
