Setup VPC per env

marcoacierno · marcoacierno · commit ce26a4aedce8 · 2025-01-01T23:36:53.000+01:00
diff --git a/infrastructure/applications/applications.tf b/infrastructure/applications/applications.tf
@@ -1,32 +1,27 @@
 locals {
   is_prod       = terraform.workspace == "production"
-  deploy_pretix = local.is_prod
-
-  # AMI
-  # Built from https://github.com/aws/amazon-ecs-ami
-  # Using 8GB as storage.
-  ecs_arm_ami = "ami-0bd650c1ca04cc1a4" # make al2023arm
 }
 
 # Applications
 
 module "pretix" {
   source       = "./pretix"
   count        = 1
-  ecs_arm_ami  = local.ecs_arm_ami
   server_ip = module.cluster.server_ip
   cluster_id = module.cluster.cluster_id
   logs_group_name = module.cluster.logs_group_name
+  database_settings = module.database.database_settings
 }
 
 module "pycon_backend" {
   source       = "./pycon_backend"
-  ecs_arm_ami  = local.ecs_arm_ami
   cluster_id = module.cluster.cluster_id
   security_group_id = module.cluster.security_group_id
   server_ip = module.cluster.server_ip
   logs_group_name = module.cluster.logs_group_name
   iam_role_arn = module.cluster.iam_role_arn
+  database_settings = module.database.database_settings
+  vpc_id = module.vpc.vpc_id
 
   providers = {
     aws    = aws
@@ -63,6 +58,8 @@ module "clamav" {
 
 module "database" {
   source       = "./database"
+  private_subnets_ids = module.vpc.private_subnets_ids
+  vpc_id = module.vpc.vpc_id
 }
 
 module "emails" {
@@ -76,14 +73,19 @@ module "emails" {
 
 module "cluster" {
   source = "./cluster"
-  ecs_arm_ami  = local.ecs_arm_ami
+  vpc_id = module.vpc.vpc_id
+  public_1a_subnet_id = module.vpc.public_1a_subnet_id
 
   providers = {
     aws    = aws
     aws.us = aws.us
   }
 }
 
+module "vpc" {
+  source = "./vpc"
+}
+
 output "server_public_ip" {
   value = module.cluster.server_public_ip
 }
diff --git a/infrastructure/applications/cluster/cloudfront.tf b/infrastructure/applications/cluster/cloudfront.tf
@@ -73,9 +73,6 @@ resource "aws_cloudfront_distribution" "application" {
     cache_policy_id          = data.aws_cloudfront_cache_policy.origin_cache_control_headers.id
     origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
 
-    min_ttl                = 0
-    default_ttl            = 86400
-    max_ttl                = 31536000
     compress               = true
     viewer_protocol_policy = "redirect-to-https"
   }
diff --git a/infrastructure/applications/cluster/security.tf b/infrastructure/applications/cluster/security.tf
@@ -1,7 +1,11 @@
 resource "aws_security_group" "server" {
-  name        = "${terraform.workspace}-server"
-  description = "${terraform.workspace} server"
-  vpc_id      = data.aws_vpc.default.id
+  name        = "pythonit-${terraform.workspace}-server"
+  description = "pythonit-${terraform.workspace} server"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-server"
+  }
 }
 
 resource "aws_security_group_rule" "out_all" {
diff --git a/infrastructure/applications/cluster/server.tf b/infrastructure/applications/cluster/server.tf
@@ -13,7 +13,7 @@ resource "aws_eip" "server" {
 resource "aws_instance" "server" {
   ami               = "ami-0d683ccb0045afce1"
   instance_type     = local.is_prod ? "t4g.large" : "t4g.small"
-  subnet_id         = data.aws_subnet.public_1a.id
+  subnet_id         = var.public_1a_subnet_id
   availability_zone = "eu-central-1a"
   vpc_security_group_ids = [
     aws_security_group.server.id,
diff --git a/infrastructure/applications/cluster/variables.tf b/infrastructure/applications/cluster/variables.tf
@@ -1 +1,2 @@
-variable "ecs_arm_ami" {}
+variable "vpc_id" {}
+variable "public_1a_subnet_id" {}
diff --git a/infrastructure/applications/database/db.tf b/infrastructure/applications/database/db.tf
@@ -3,14 +3,6 @@ locals {
   is_prod              = terraform.workspace == "production"
 }
 
-data "aws_db_subnet_group" "rds" {
-  name = "pythonit-rds-subnet"
-}
-
-data "aws_security_group" "rds" {
-  name = "pythonit-rds-security-group"
-}
-
 resource "aws_db_instance" "database" {
   allocated_storage           = 20
   storage_type                = "gp3"
@@ -31,9 +23,19 @@ resource "aws_db_instance" "database" {
   deletion_protection         = local.is_prod
   storage_encrypted           = true
 
-  db_subnet_group_name   = data.aws_db_subnet_group.rds.name
-  vpc_security_group_ids = [data.aws_security_group.rds.id]
+  db_subnet_group_name   = aws_db_subnet_group.rds.name
+  vpc_security_group_ids = [aws_security_group.rds.id]
 
   performance_insights_enabled = true
   performance_insights_retention_period = 7
 }
+
+output "database_settings" {
+  value = {
+    address     = aws_db_instance.database.address
+    port        = aws_db_instance.database.port
+    username    = aws_db_instance.database.username
+    password    = module.common_secrets.value.database_password
+    db_name     = aws_db_instance.database.db_name
+  }
+}
diff --git a/infrastructure/applications/database/security_group.tf b/infrastructure/applications/database/security_group.tf
@@ -0,0 +1,23 @@
+resource "aws_security_group" "rds" {
+  vpc_id      = var.vpc_id
+  name        = "pythonit-${terraform.workspace}-rds-security-group"
+  description = "Allow inbound postgres traffic"
+}
+
+resource "aws_security_group_rule" "allow_postgres" {
+  type              = "ingress"
+  from_port         = 5432
+  to_port           = 5432
+  protocol          = "tcp"
+  security_group_id = aws_security_group.rds.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "allow_outbound_postgres" {
+  type                     = "egress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.rds.id
+  source_security_group_id = aws_security_group.rds.id
+}
diff --git a/infrastructure/applications/database/subnet.tf b/infrastructure/applications/database/subnet.tf
@@ -0,0 +1,9 @@
+resource "aws_db_subnet_group" "rds" {
+  name = "pythonit-${terraform.workspace}-rds-subnet"
+  description = "Pythonit rds subnet"
+  subnet_ids = var.private_subnets_ids
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-rds-subnet"
+  }
+}
diff --git a/infrastructure/applications/database/variables.tf b/infrastructure/applications/database/variables.tf
@@ -0,0 +1,2 @@
+variable "private_subnets_ids" {}
+variable "vpc_id" {}
diff --git a/infrastructure/applications/pretix/main.tf b/infrastructure/applications/pretix/main.tf
@@ -3,10 +3,6 @@ locals {
   alias   = local.is_prod ? "tickets.pycon.it" : "${terraform.workspace}-tickets.pycon.it"
 }
 
-data "aws_db_instance" "database" {
-  db_instance_identifier = "pythonit-${terraform.workspace}"
-}
-
 resource "aws_ecs_task_definition" "pretix" {
   family = "${terraform.workspace}-pretix"
   container_definitions = jsonencode([
@@ -87,19 +83,19 @@ resource "aws_ecs_task_definition" "pretix" {
         },
         {
           name  = "PRETIX_DATABASE_USER"
-          value = data.aws_db_instance.database.master_username
+          value = var.database_settings.username
         },
         {
           name  = "PRETIX_DATABASE_PASSWORD"
-          value = module.common_secrets.value.database_password
+          value = var.database_settings.password
         },
         {
           name  = "PRETIX_DATABASE_HOST"
-          value = data.aws_db_instance.database.address
+          value = var.database_settings.address
         },
         {
           name  = "PRETIX_DATABASE_PORT"
-          value = "5432"
+          value = tostring(var.database_settings.port)
         },
         {
           name  = "PRETIX_MAIL_USER"
diff --git a/infrastructure/applications/pretix/variables.tf b/infrastructure/applications/pretix/variables.tf
@@ -1,4 +1,4 @@
-variable "ecs_arm_ami" {}
 variable "server_ip" {}
 variable "cluster_id" {}
 variable "logs_group_name" {}
+variable "database_settings" {}
diff --git a/infrastructure/applications/pycon_backend/main.tf b/infrastructure/applications/pycon_backend/main.tf
@@ -2,7 +2,7 @@ locals {
   is_prod           = terraform.workspace == "production"
   admin_domain      = "admin"
   full_admin_domain = local.is_prod ? "${local.admin_domain}.pycon.it" : "${terraform.workspace}-${local.admin_domain}.pycon.it"
-  db_connection     = "postgres://${data.aws_db_instance.database.master_username}:${module.common_secrets.value.database_password}@${data.aws_db_instance.database.address}:${data.aws_db_instance.database.port}/pycon"
+  db_connection     = "postgres://${var.database_settings.username}:${var.database_settings.password}@${var.database_settings.address}:${var.database_settings.port}/pycon"
   cdn_url           = local.is_prod ? "cdn.pycon.it" : "${terraform.workspace}-cdn.pycon.it"
 }
 
@@ -32,10 +32,6 @@ data "aws_security_group" "lambda" {
   name = "pythonit-lambda-security-group"
 }
 
-data "aws_db_instance" "database" {
-  db_instance_identifier = "pythonit-${terraform.workspace}"
-}
-
 data "aws_acm_certificate" "cert" {
   domain   = "pycon.it"
   statuses = ["ISSUED"]
diff --git a/infrastructure/applications/pycon_backend/variables.tf b/infrastructure/applications/pycon_backend/variables.tf
@@ -4,9 +4,10 @@ locals {
   local_path  = "backend"
 }
 
-variable "ecs_arm_ami" {}
 variable "cluster_id" {}
 variable "security_group_id" {}
 variable "server_ip" {}
 variable "logs_group_name" {}
 variable "iam_role_arn" {}
+variable "database_settings" {}
+variable "vpc_id" {}
diff --git a/infrastructure/applications/vpc/endpoints.tf b/infrastructure/applications/vpc/endpoints.tf
@@ -0,0 +1,8 @@
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id            = aws_vpc.default.id
+  service_name      = "com.amazonaws.eu-central-1.s3"
+  vpc_endpoint_type = "Gateway"
+  route_table_ids = concat(
+    [for route in aws_route_table.public : route.id]
+  )
+}
diff --git a/infrastructure/applications/vpc/main.tf b/infrastructure/applications/vpc/main.tf
@@ -0,0 +1,21 @@
+locals {
+  public_azs_cidr = {
+    "eu-central-1a" : "10.0.1.0/24",
+    "eu-central-1b" : "10.0.2.0/24",
+    "eu-central-1c" : "10.0.3.0/24",
+  }
+  private_azs_cidr = {
+    "eu-central-1a" : "10.0.4.0/24",
+    "eu-central-1b" : "10.0.5.0/24",
+    "eu-central-1c" : "10.0.6.0/24",
+  }
+}
+
+resource "aws_vpc" "default" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-vpc"
+  }
+}
diff --git a/infrastructure/applications/vpc/outputs.tf b/infrastructure/applications/vpc/outputs.tf
@@ -0,0 +1,11 @@
+output "private_subnets_ids" {
+  value = [for subnet in aws_subnet.private : subnet.id]
+}
+
+output "vpc_id" {
+  value = aws_vpc.default.id
+}
+
+output "public_1a_subnet_id" {
+  value = aws_subnet.public["eu-central-1a"].id
+}
diff --git a/infrastructure/applications/vpc/private_subnet.tf b/infrastructure/applications/vpc/private_subnet.tf
@@ -0,0 +1,12 @@
+resource "aws_subnet" "private" {
+  for_each          = local.private_azs_cidr
+  vpc_id            = aws_vpc.default.id
+  availability_zone = each.key
+  cidr_block        = each.value
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-private-subnet-${each.key}"
+    Type = "private"
+    AZ   = each.key
+  }
+}
diff --git a/infrastructure/applications/vpc/public_subnet.tf b/infrastructure/applications/vpc/public_subnet.tf
@@ -0,0 +1,41 @@
+resource "aws_subnet" "public" {
+  for_each                = local.public_azs_cidr
+  vpc_id                  = aws_vpc.default.id
+  availability_zone       = each.key
+  cidr_block              = each.value
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-public-subnet-${each.key}"
+    Type = "public"
+    AZ   = each.key
+  }
+}
+
+resource "aws_route_table" "public" {
+  for_each = toset(keys(local.public_azs_cidr))
+  vpc_id   = aws_vpc.default.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.default.id
+  }
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-public-route-${each.value}"
+  }
+
+  depends_on = [
+    aws_internet_gateway.default
+  ]
+}
+
+resource "aws_route_table_association" "public_subnet_to_public_route" {
+  for_each       = toset(keys(local.public_azs_cidr))
+  route_table_id = aws_route_table.public[each.value].id
+  subnet_id      = aws_subnet.public[each.value].id
+}
+
+resource "aws_internet_gateway" "default" {
+  vpc_id = aws_vpc.default.id
+}

Original file line number	Diff line number	Diff line change
`@@ -73,9 +73,6 @@ resource "aws_cloudfront_distribution" "application" {`
`73`	`73`	`cache_policy_id = data.aws_cloudfront_cache_policy.origin_cache_control_headers.id`
`74`	`74`	`origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id`
`75`	`75`
`76`		`- min_ttl = 0`
`77`		`- default_ttl = 86400`
`78`		`- max_ttl = 31536000`
`79`	`76`	`compress = true`
`80`	`77`	`viewer_protocol_policy = "redirect-to-https"`
`81`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-variable "ecs_arm_ami" {}`
	`1`	`+variable "vpc_id" {}`
	`2`	`+variable "public_1a_subnet_id" {}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+variable "private_subnets_ids" {}`
	`2`	`+variable "vpc_id" {}`
Original file line number	Diff line number	Diff line change
`@@ -3,10 +3,6 @@ locals {`
`3`	`3`	`alias = local.is_prod ? "tickets.pycon.it" : "${terraform.workspace}-tickets.pycon.it"`
`4`	`4`	`}`
`5`	`5`
`6`		`-data "aws_db_instance" "database" {`
`7`		`- db_instance_identifier = "pythonit-${terraform.workspace}"`
`8`		`-}`
`9`		`-`
`10`	`6`	`resource "aws_ecs_task_definition" "pretix" {`
`11`	`7`	`family = "${terraform.workspace}-pretix"`
`12`	`8`	`container_definitions = jsonencode([`
`@@ -87,19 +83,19 @@ resource "aws_ecs_task_definition" "pretix" {`
`87`	`83`	`},`
`88`	`84`	`{`
`89`	`85`	`name = "PRETIX_DATABASE_USER"`
`90`		`- value = data.aws_db_instance.database.master_username`
	`86`	`+ value = var.database_settings.username`
`91`	`87`	`},`
`92`	`88`	`{`
`93`	`89`	`name = "PRETIX_DATABASE_PASSWORD"`
`94`		`- value = module.common_secrets.value.database_password`
	`90`	`+ value = var.database_settings.password`
`95`	`91`	`},`
`96`	`92`	`{`
`97`	`93`	`name = "PRETIX_DATABASE_HOST"`
`98`		`- value = data.aws_db_instance.database.address`
	`94`	`+ value = var.database_settings.address`
`99`	`95`	`},`
`100`	`96`	`{`
`101`	`97`	`name = "PRETIX_DATABASE_PORT"`
`102`		`- value = "5432"`
	`98`	`+ value = tostring(var.database_settings.port)`
`103`	`99`	`},`
`104`	`100`	`{`
`105`	`101`	`name = "PRETIX_MAIL_USER"`