Setup separate VPCs per each env

infrastructure/applications/applications.tf

@@ -1,35 +1,31 @@
 locals {
   is_prod       = terraform.workspace == "production"
-  deploy_pretix = local.is_prod
-
-  # AMI
-  # Built from https://github.com/aws/amazon-ecs-ami
-  # Using 8GB as storage.
-  ecs_arm_ami = "ami-0bd650c1ca04cc1a4" # make al2023arm
 }
 
 # Applications
 
 module "pretix" {
   source       = "./pretix"
   count        = 1
-  ecs_arm_ami  = local.ecs_arm_ami
   server_ip = module.cluster.server_ip
   cluster_id = module.cluster.cluster_id
   logs_group_name = module.cluster.logs_group_name
+  database_settings = module.database.database_settings
 }
 
 module "pycon_backend" {
   source       = "./pycon_backend"
-  ecs_arm_ami  = local.ecs_arm_ami
   cluster_id = module.cluster.cluster_id
   security_group_id = module.cluster.security_group_id
   server_ip = module.cluster.server_ip
   logs_group_name = module.cluster.logs_group_name
   iam_role_arn = module.cluster.iam_role_arn
+  database_settings = module.database.database_settings
+  vpc_id = module.vpc.vpc_id
+  public_1a_subnet_id = module.vpc.public_1a_subnet_id
+  configuration_set_name = module.emails.configuration_set_name
 
   providers = {
-    aws    = aws
     aws.us = aws.us
   }
 }
@@ -41,49 +37,44 @@ module "pycon_frontend" {
   server_ip = module.cluster.server_ip
   cf_domain_name = module.cluster.cf_domain_name
   cf_hosted_zone_id = module.cluster.cf_hosted_zone_id
-
-  providers = {
-    aws    = aws
-    aws.us = aws.us
-  }
 }
 
 module "clamav" {
   source       = "./clamav"
   cluster_id = module.cluster.cluster_id
   logs_group_name = module.cluster.logs_group_name
-
-  providers = {
-    aws    = aws
-    aws.us = aws.us
-  }
 }
 
 # Other resources
 
 module "database" {
   source       = "./database"
+  private_subnets_ids = module.vpc.private_subnets_ids
+  vpc_id = module.vpc.vpc_id
 }
 
 module "emails" {
   source = "./emails"
 
   providers = {
-    aws    = aws
     aws.us = aws.us
   }
 }
 
 module "cluster" {
   source = "./cluster"
-  ecs_arm_ami  = local.ecs_arm_ami
+  vpc_id = module.vpc.vpc_id
+  public_1a_subnet_id = module.vpc.public_1a_subnet_id
 
   providers = {
-    aws    = aws
     aws.us = aws.us
   }
 }
 
+module "vpc" {
+  source = "./vpc"
+}
+
 output "server_public_ip" {
   value = module.cluster.server_public_ip
 }

infrastructure/applications/cluster/cloudfront.tf

@@ -73,9 +73,6 @@ resource "aws_cloudfront_distribution" "application" {
     cache_policy_id          = data.aws_cloudfront_cache_policy.origin_cache_control_headers.id
     origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
 
-    min_ttl                = 0
-    default_ttl            = 86400
-    max_ttl                = 31536000
     compress               = true
     viewer_protocol_policy = "redirect-to-https"
   }

infrastructure/applications/cluster/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      configuration_aliases = [aws.us]
+    }
+  }
+}

infrastructure/applications/cluster/security.tf

@@ -1,7 +1,11 @@
 resource "aws_security_group" "server" {
-  name        = "${terraform.workspace}-server"
-  description = "${terraform.workspace} server"
-  vpc_id      = data.aws_vpc.default.id
+  name        = "pythonit-${terraform.workspace}-server"
+  description = "pythonit-${terraform.workspace} server"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-server"
+  }
 }
 
 resource "aws_security_group_rule" "out_all" {

infrastructure/applications/cluster/server.tf

@@ -11,9 +11,9 @@ resource "aws_eip" "server" {
 }
 
 resource "aws_instance" "server" {
-  ami               = "ami-0d683ccb0045afce1"
+  ami               = "ami-0ce51086755ce7709"
   instance_type     = local.is_prod ? "t4g.large" : "t4g.small"
-  subnet_id         = data.aws_subnet.public_1a.id
+  subnet_id         = var.public_1a_subnet_id
   availability_zone = "eu-central-1a"
   vpc_security_group_ids = [
     aws_security_group.server.id,

infrastructure/applications/cluster/variables.tf

@@ -1 +1,2 @@
-variable "ecs_arm_ami" {}
+variable "vpc_id" {}
+variable "public_1a_subnet_id" {}

infrastructure/applications/config.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = "5.70.0"
+      version               = "5.82.2"
       configuration_aliases = [aws.us]
     }
   }

infrastructure/applications/database/db.tf

@@ -3,14 +3,6 @@ locals {
   is_prod              = terraform.workspace == "production"
 }
 
-data "aws_db_subnet_group" "rds" {
-  name = "pythonit-rds-subnet"
-}
-
-data "aws_security_group" "rds" {
-  name = "pythonit-rds-security-group"
-}
-
 resource "aws_db_instance" "database" {
   allocated_storage           = 20
   storage_type                = "gp3"
@@ -31,9 +23,19 @@ resource "aws_db_instance" "database" {
   deletion_protection         = local.is_prod
   storage_encrypted           = true
 
-  db_subnet_group_name   = data.aws_db_subnet_group.rds.name
-  vpc_security_group_ids = [data.aws_security_group.rds.id]
+  db_subnet_group_name   = aws_db_subnet_group.rds.name
+  vpc_security_group_ids = [aws_security_group.rds.id]
 
   performance_insights_enabled = true
   performance_insights_retention_period = 7
 }
+
+output "database_settings" {
+  value = {
+    address     = aws_db_instance.database.address
+    port        = aws_db_instance.database.port
+    username    = aws_db_instance.database.username
+    password    = module.common_secrets.value.database_password
+    db_name     = aws_db_instance.database.db_name
+  }
+}

infrastructure/applications/database/security_group.tf

@@ -0,0 +1,23 @@
+resource "aws_security_group" "rds" {
+  vpc_id      = var.vpc_id
+  name        = "pythonit-${terraform.workspace}-rds-security-group"
+  description = "Allow inbound postgres traffic"
+}
+
+resource "aws_security_group_rule" "allow_postgres" {
+  type              = "ingress"
+  from_port         = 5432
+  to_port           = 5432
+  protocol          = "tcp"
+  security_group_id = aws_security_group.rds.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "allow_outbound_postgres" {
+  type                     = "egress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.rds.id
+  source_security_group_id = aws_security_group.rds.id
+}

infrastructure/applications/database/subnet.tf

@@ -0,0 +1,9 @@
+resource "aws_db_subnet_group" "rds" {
+  name = "pythonit-${terraform.workspace}-rds-subnet"
+  description = "pythonit ${terraform.workspace} rds subnet"
+  subnet_ids = var.private_subnets_ids
+
+  tags = {
+    Name = "pythonit-${terraform.workspace}-rds-subnet"
+  }
+}

infrastructure/applications/database/variables.tf

@@ -0,0 +1,2 @@
+variable "private_subnets_ids" {}
+variable "vpc_id" {}

infrastructure/applications/emails/main.tf

@@ -7,6 +7,7 @@ resource "aws_sesv2_configuration_set" "main" {
 
   tracking_options {
     custom_redirect_domain = local.email_tracking_domain
+    https_policy          = "OPTIONAL"
   }
 }
 
@@ -33,3 +34,7 @@ resource "aws_sesv2_configuration_set_event_destination" "backend" {
     ]
   }
 }
+
+output "configuration_set_name" {
+  value = aws_sesv2_configuration_set.main.configuration_set_name
+}

infrastructure/applications/pretix/main.tf

@@ -3,10 +3,6 @@ locals {
   alias   = local.is_prod ? "tickets.pycon.it" : "${terraform.workspace}-tickets.pycon.it"
 }
 
-data "aws_db_instance" "database" {
-  db_instance_identifier = "pythonit-${terraform.workspace}"
-}
-
 resource "aws_ecs_task_definition" "pretix" {
   family = "${terraform.workspace}-pretix"
   container_definitions = jsonencode([
@@ -87,19 +83,19 @@ resource "aws_ecs_task_definition" "pretix" {
         },
         {
           name  = "PRETIX_DATABASE_USER"
-          value = data.aws_db_instance.database.master_username
+          value = var.database_settings.username
         },
         {
           name  = "PRETIX_DATABASE_PASSWORD"
-          value = module.common_secrets.value.database_password
+          value = var.database_settings.password
         },
         {
           name  = "PRETIX_DATABASE_HOST"
-          value = data.aws_db_instance.database.address
+          value = var.database_settings.address
         },
         {
           name  = "PRETIX_DATABASE_PORT"
-          value = "5432"
+          value = tostring(var.database_settings.port)
         },
         {
           name  = "PRETIX_MAIL_USER"

infrastructure/applications/pretix/variables.tf

@@ -1,4 +1,4 @@
-variable "ecs_arm_ami" {}
 variable "server_ip" {}
 variable "cluster_id" {}
 variable "logs_group_name" {}
+variable "database_settings" {}