More

Author: marcoacierno

infrastructure/applications/applications.tf

@@ -12,17 +12,20 @@ locals {
 
 module "pretix" {
   source       = "./pretix"
-  count        = local.deploy_pretix ? 1 : 0
+  count        = 1
   ecs_arm_ami  = local.ecs_arm_ami
+  server_ip = module.cluster.server_ip
+  cluster_id = module.cluster.cluster_id
+  logs_group_name = module.cluster.logs_group_name
 }
 
 module "pycon_backend" {
   source       = "./pycon_backend"
   ecs_arm_ami  = local.ecs_arm_ami
   cluster_id = module.cluster.cluster_id
-  service_connect_namespace = module.cluster.service_connect_namespace
   security_group_id = module.cluster.security_group_id
   server_ip = module.cluster.server_ip
+  logs_group_name = module.cluster.logs_group_name
 
   providers = {
     aws    = aws
@@ -54,3 +57,7 @@ module "cluster" {
     aws.us = aws.us
   }
 }
+
+output "server_public_ip" {
+  value = module.cluster.server_public_ip
+}

…astructure/components/cloudfront/main.tf …cture/applications/cluster/cloudfront.tfinfrastructure/components/cloudfront/main.tf renamed to infrastructure/applications/cluster/cloudfront.tf infrastructure/components/cloudfront/main.tf renamed to infrastructure/applications/cluster/cloudfront.tf

@@ -1,24 +1,38 @@
+locals {
+  pycon_web_domain  = local.is_prod ? "admin.pycon.it" : "${terraform.workspace}-admin.pycon.it"
+  pretix_web_domain = local.is_prod ? "tickets.pycon.it" : "${terraform.workspace}-tickets.pycon.it"
+}
+
+data "aws_cloudfront_origin_request_policy" "all_viewer" {
+  name = "Managed-AllViewer"
+}
+
 data "aws_cloudfront_cache_policy" "caching_disabled" {
   name = "Managed-CachingDisabled"
 }
 
-data "aws_cloudfront_origin_request_policy" "all_viewer_except_host_header" {
-  name = "Managed-AllViewerExceptHostHeader"
+data "aws_acm_certificate" "cert" {
+  domain   = "*.pycon.it"
+  statuses = ["ISSUED"]
+  provider = aws.us
 }
 
 resource "aws_cloudfront_distribution" "application" {
   enabled             = true
   is_ipv6_enabled     = true
-  comment             = "${terraform.workspace}-${var.application}"
+  comment             = "${terraform.workspace} server"
   wait_for_deployment = false
-  aliases             = [var.domain]
+  aliases = [
+    local.pycon_web_domain,
+    local.pretix_web_domain
+  ]
 
   origin {
-    domain_name = var.origin_url
+    domain_name = aws_eip.server.public_dns
     origin_id   = "default"
 
     custom_origin_config {
-      origin_protocol_policy = "https-only"
+      origin_protocol_policy = "http-only"
       http_port              = "80"
       https_port             = "443"
       origin_ssl_protocols   = ["TLSv1"]
@@ -29,7 +43,7 @@ resource "aws_cloudfront_distribution" "application" {
     cloudfront_default_certificate = false
     minimum_protocol_version       = "TLSv1"
     ssl_support_method             = "sni-only"
-    acm_certificate_arn            = var.certificate_arn
+    acm_certificate_arn            = data.aws_acm_certificate.cert.arn
   }
 
   default_cache_behavior {
@@ -38,16 +52,10 @@ resource "aws_cloudfront_distribution" "application" {
     target_origin_id = "default"
 
     cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
-    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host_header.id
+    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
 
     viewer_protocol_policy = "redirect-to-https"
     compress               = true
-
-    lambda_function_association {
-      event_type   = "viewer-request"
-      lambda_arn   = var.forward_host_header_lambda_arn
-      include_body = false
-    }
   }
 
   restrictions {

infrastructure/applications/cluster/domains.tf

@@ -0,0 +1,27 @@
+data "aws_route53_zone" "zone" {
+  name = "pycon.it"
+}
+
+resource "aws_route53_record" "web_pycon" {
+  zone_id = data.aws_route53_zone.zone.zone_id
+  name    = local.pycon_web_domain
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.application.domain_name
+    zone_id                = aws_cloudfront_distribution.application.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+resource "aws_route53_record" "web_tickets" {
+  zone_id = data.aws_route53_zone.zone.zone_id
+  name    = local.pretix_web_domain
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.application.domain_name
+    zone_id                = aws_cloudfront_distribution.application.hosted_zone_id
+    evaluate_target_health = false
+  }
+}

infrastructure/applications/cluster/iam.tf

@@ -58,4 +58,24 @@ data "aws_iam_policy_document" "server_role_policy" {
       "arn:aws:s3:::${terraform.workspace}-pretix-media/*",
     ]
   }
+
+  statement {
+    actions = [
+      "sns:CreatePlatformEndpoint",
+      "sns:Publish"
+    ]
+    resources = ["*"]
+    effect    = "Allow"
+  }
+
+  statement {
+    actions = [
+      "sqs:SendMessage",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:ReceiveMessage",
+    ]
+    resources = ["*"]
+    effect    = "Allow"
+  }
 }

infrastructure/applications/cluster/load_balancer_task.tf

@@ -25,6 +25,10 @@ resource "aws_ecs_task_definition" "traefik" {
           name  = "TRAEFIK_ENTRYPOINTS_WEB_ADDRESS",
           value = ":80"
         },
+        {
+          name = "TRAEFIK_LOG_LEVEL",
+          value = "DEBUG"
+        }
       ]
 
       portMappings = [
@@ -76,10 +80,4 @@ resource "aws_ecs_service" "traefik" {
   desired_count                      = 1
   deployment_minimum_healthy_percent = 0
   deployment_maximum_percent         = 100
-
-  lifecycle {
-    ignore_changes = [
-      capacity_provider_strategy
-    ]
-  }
 }

infrastructure/applications/cluster/logs.tf

@@ -2,3 +2,8 @@ resource "aws_cloudwatch_log_group" "cluster" {
   name              = "/ecs/pythonit-${terraform.workspace}-cluster"
   retention_in_days = 3
 }
+
+
+output "logs_group_name" {
+  value = aws_cloudwatch_log_group.cluster.name
+}

infrastructure/applications/cluster/main.tf

@@ -1,3 +1,7 @@
+locals {
+  is_prod = terraform.workspace == "production"
+}
+
 resource "aws_ecs_cluster" "cluster" {
   name = "pythonit-${terraform.workspace}"
 }
@@ -6,15 +10,6 @@ output "cluster_id" {
   value = aws_ecs_cluster.cluster.id
 }
 
-resource "aws_service_discovery_http_namespace" "cluster" {
-  name        = "pythonit-${terraform.workspace}"
-  description = "pythonit-${terraform.workspace} service discovery namespace"
-}
-
-output "service_connect_namespace" {
-  value = aws_service_discovery_http_namespace.cluster.arn
-}
-
 resource "aws_ecs_account_setting_default" "trunking" {
   name  = "awsvpcTrunking"
   value = "enabled"

infrastructure/applications/cluster/server.tf

@@ -1,7 +1,7 @@
 locals {
   server_user_data = templatefile("${path.module}/userdata.sh", {
     ecs_cluster = aws_ecs_cluster.cluster.name
-    swap_size = "1G"
+    swap_size = "4G"
   })
 }
 
@@ -11,8 +11,8 @@ resource "aws_eip" "server" {
 }
 
 resource "aws_instance" "server" {
-  ami               = "ami-01c0b647efcf28a90"
-  instance_type     = "t4g.small"
+  ami               = "ami-0d683ccb0045afce1"
+  instance_type     = "t4g.large"
   subnet_id         = data.aws_subnet.public_1a.id
   availability_zone = "eu-central-1a"
   vpc_security_group_ids = [
@@ -53,3 +53,7 @@ resource "aws_volume_attachment" "redis_data_attachment" {
 output "server_ip" {
   value = aws_instance.server.private_ip
 }
+
+output "server_public_ip" {
+  value = aws_eip.server.public_ip
+}

infrastructure/applications/cluster/userdata.sh

@@ -10,5 +10,76 @@ swapon /swapfile
 echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
 
 mkdir /redis-data -p
-echo '/dev/nvme1n1 /redis-data xfs defaults 0 0' >> /etc/fstab
+echo '/dev/nvme1n1 /redis-data xfs defaults,nofail 0 2' >> /etc/fstab
 mount -a
+
+# Reclaim unused Docker disk space
+cat << "EOF" > /usr/local/bin/claimspace.sh
+#!/bin/bash
+# Run fstrim on the host OS periodically to reclaim the unused container data blocks
+docker ps -q | xargs docker inspect --format='{{ .State.Pid }}' | xargs -IZ sudo fstrim /proc/Z/root/
+exit $?
+EOF
+
+# Run pretix cron
+cat << "EOF" > /usr/local/bin/pretixcron.sh
+#!/bin/bash
+docker exec `docker ps --no-trunc -q --filter="name=.*pretix.*" | head -n 1` pretix cron
+exit 0
+EOF
+
+chmod +x /usr/local/bin/claimspace.sh
+chmod +x /usr/local/bin/pretixcron.sh
+
+cat << "EOF" > /etc/systemd/system/claimspace.service
+[Unit]
+Description=Run fstrim on Docker containers
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/claimspace.sh
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << "EOF" > /etc/systemd/system/pretixcron.service
+[Unit]
+Description=Run Pretix cron job
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/pretixcron.sh
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << "EOF" > /etc/systemd/system/claimspace.timer
+[Unit]
+Description=Run fstrim on Docker containers daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+
+cat << "EOF" > /etc/systemd/system/pretixcron.timer
+[Unit]
+Description=Run Pretix cron job
+
+[Timer]
+OnCalendar=*:15,45
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+
+systemctl daemon-reload
+
+systemctl enable --now claimspace.timer
+systemctl enable --now pretixcron.timer

infrastructure/applications/database/db.tf

@@ -19,7 +19,7 @@ resource "aws_db_instance" "database" {
   allow_major_version_upgrade = true
   engine_version              = "14.12"
   instance_class              = "db.t4g.micro"
-  db_name                     = "${local.normalized_workspace}backend"
+  db_name                     = local.is_prod ? "${local.normalized_workspace}backend" : "pycon"
   username                    = "root"
   password                    = module.common_secrets.value.database_password
   multi_az                    = "false"