ECS Attempt 3

Author: marcoacierno

infrastructure/applications/applications.tf

@@ -40,3 +40,12 @@ module "emails" {
     aws.us = aws.us
   }
 }
+
+module "cluster" {
+  source = "./cluster"
+
+  providers = {
+    aws    = aws
+    aws.us = aws.us
+  }
+}

infrastructure/applications/cluster/auto_scaling.tf

@@ -0,0 +1,36 @@
+resource "aws_autoscaling_group" "server" {
+  name                  = "pythonit-${terraform.workspace}-server"
+  vpc_zone_identifier   = [data.aws_subnet.public_1a.id]
+  desired_capacity      = 1
+  max_size              = 1
+  min_size              = 1
+  termination_policies  = ["OldestInstance"]
+  protect_from_scale_in = true
+
+  instance_refresh {
+    strategy = "Rolling"
+    preferences {
+      min_healthy_percentage       = 100
+      max_healthy_percentage       = 110
+      scale_in_protected_instances = "Refresh"
+      instance_warmup              = 30
+    }
+  }
+
+  launch_template {
+    id      = aws_launch_template.pythonit.id
+    version = aws_launch_template.pythonit.latest_version
+  }
+
+  tag {
+    key                 = "Name"
+    value               = "pythonit-${terraform.workspace}-server"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "AmazonECSManaged"
+    value               = true
+    propagate_at_launch = true
+  }
+}

infrastructure/applications/cluster/iam.tf

@@ -0,0 +1,61 @@
+resource "aws_iam_instance_profile" "server" {
+  name = "pythonit-${terraform.workspace}-server"
+  role = aws_iam_role.server.name
+}
+
+resource "aws_iam_role" "server" {
+  name = "pythonit-${terraform.workspace}-server-role"
+  assume_role_policy = data.aws_iam_policy_document.server_assume_role.json
+}
+
+resource "aws_iam_role_policy" "server" {
+  name   = "pythonit-${terraform.workspace}-server-policy"
+  role   = aws_iam_role.server.id
+  policy = data.aws_iam_policy_document.server_role_policy.json
+}
+
+data "aws_iam_policy_document" "server_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+data "aws_iam_policy_document" "server_role_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:PassRole",
+      "ses:*",
+      "ecs:*",
+      "ecr:*",
+      "ec2:DescribeInstances",
+    ]
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["cloudwatch:PutMetricData", "logs:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["s3:*"]
+    resources = [
+      "arn:aws:s3:::${terraform.workspace}-pycon-backend-media",
+      "arn:aws:s3:::${terraform.workspace}-pycon-backend-media/*",
+      "arn:aws:s3:::${terraform.workspace}-pretix-media",
+      "arn:aws:s3:::${terraform.workspace}-pretix-media/*",
+    ]
+  }
+}

infrastructure/applications/cluster/launch_template.tf

@@ -0,0 +1,30 @@
+resource "aws_launch_template" "pythonit" {
+  name          = "pythonit-${terraform.workspace}-server"
+  image_id      = "ami-0bd650c1ca04cc1a4" #todo
+  instance_type = "t4g.small"
+  # user_data     = base64encode(data.template_file.server_user_data.rendered)
+  key_name      = "pretix"
+
+  iam_instance_profile {
+    name = aws_iam_instance_profile.server.name
+  }
+
+  # block_device_mappings {
+  #   device_name = data.aws_ami.ecs.root_device_name
+
+  #   ebs {
+  #     volume_size = 20
+  #   }
+  # }
+
+  network_interfaces {
+    associate_public_ip_address = true
+    security_groups = [
+      # data.aws_security_group.rds.id,
+      # data.aws_security_group.lambda.id,
+      # data.aws_security_group.tempone.id,
+      aws_security_group.server.id,
+    ]
+    subnet_id = data.aws_subnet.public_1a.id
+  }
+}

infrastructure/applications/cluster/load_balancer.tf

@@ -0,0 +1,33 @@
+resource "aws_ecs_cluster" "cluster" {
+  name = "pythonit-${terraform.workspace}"
+}
+
+resource "aws_ecs_capacity_provider" "ec2" {
+  name = "pythonit-${terraform.workspace}-ec2"
+
+  auto_scaling_group_provider {
+    auto_scaling_group_arn         = aws_autoscaling_group.server.arn
+    managed_termination_protection = "ENABLED"
+
+    managed_scaling {
+      maximum_scaling_step_size = 2
+      minimum_scaling_step_size = 1
+      status                    = "ENABLED"
+      target_capacity           = 1
+      instance_warmup_period    = 60
+    }
+  }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "server" {
+  cluster_name = aws_ecs_cluster.cluster.name
+  capacity_providers = [
+    aws_ecs_capacity_provider.ec2.name,
+  ]
+
+  default_capacity_provider_strategy {
+    base              = 1
+    weight            = 100
+    capacity_provider = aws_ecs_capacity_provider.ec2.name
+  }
+}

infrastructure/applications/cluster/main.tf

@@ -0,0 +1,23 @@
+resource "aws_security_group" "server" {
+  name        = "${terraform.workspace}-server"
+  description = "${terraform.workspace} server"
+  vpc_id      = data.aws_vpc.default.id
+}
+
+resource "aws_security_group_rule" "out_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "all"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.server.id
+}
+
+resource "aws_security_group_rule" "web_http" {
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.server.id
+}

infrastructure/applications/cluster/security.tf

@@ -0,0 +1,20 @@
+data "aws_vpc" "default" {
+  filter {
+    name   = "tag:Name"
+    values = ["pythonit-vpc"]
+  }
+}
+
+data "aws_subnet" "public_1a" {
+  vpc_id = data.aws_vpc.default.id
+
+  filter {
+    name   = "tag:Type"
+    values = ["public"]
+  }
+
+  filter {
+    name   = "tag:AZ"
+    values = ["eu-central-1a"]
+  }
+}