Merge pull request #35 from sanG-github/release/0.3.0

Release - 0.3.0

Author: sanG-github

core/assets/ecs_configs/production.json

@@ -0,0 +1,9 @@
+{
+  "task_desired_count": 3,
+  "web_container_cpu": 256,
+  "web_container_memory": 512,
+  "deployment_maximum_percent": 200,
+  "deployment_minimum_healthy_percent": 50,
+  "max_capacity": 10,
+  "max_cpu_threshold": 80
+}

core/assets/ecs_configs/staging.json

@@ -0,0 +1,9 @@
+{
+  "task_desired_count": 3,
+  "web_container_cpu": 256,
+  "web_container_memory": 512,
+  "deployment_maximum_percent": 200,
+  "deployment_minimum_healthy_percent": 50,
+  "max_capacity": 10,
+  "max_cpu_threshold": 80
+}

core/assets/environment_variables/production.json

@@ -0,0 +1,4 @@
+{
+  "AVAILABLE_LOCALES": "en",
+  "DEFAULT_LOCALE": "en"
+}

core/assets/environment_variables/staging.json

@@ -0,0 +1,4 @@
+{
+  "AVAILABLE_LOCALES": "en",
+  "DEFAULT_LOCALE": "en"
+}

core/locals.tf

@@ -5,6 +5,65 @@ locals {
   # The owner of the infrastructure, used to tag the resources, e.g. `acme-web`
   owner = "sanghuynh20000"
 
+  # The repository name of the ECR to retrieve the image from
+  ecr_repo_name = "devops-ic-ecr"
+
   # AWS region
   region = "ap-southeast-1"
+
+  # The application exposed port
+  app_port = 3000
+
+  # The health check path of the Application
+  health_check_path = "/health"
+
+  # The ECS configuration for the current environment
+  current_ecs_config = local.ecs_config[var.environment]
+
+  # ECS configurations for each environment
+  ecs_config = {
+    staging    = jsondecode(file("assets/ecs_configs/staging.json"))
+    production = jsondecode(file("assets/ecs_configs/production.json"))
+  }
+
+  # ENV variables for the current environment
+  current_environment_variables = local.environment_variables[var.environment]
+
+  # ENV variables for each environment
+  environment_variables = {
+    staging    = [for k, v in jsondecode(file("assets/environment_variables/staging.json")) : { name = k, value = v }]
+    production = [for k, v in jsondecode(file("assets/environment_variables/production.json")) : { name = k, value = v }]
+  }
+
+  current_rds_config = local.rds_config[var.environment]
+
+  rds_config = {
+    staging = {
+      instance_type            = "db.t3.micro"
+      port                     = 5432
+      autoscaling_min_capacity = 0
+      autoscaling_max_capacity = 3
+    }
+
+    production = {
+      instance_type            = "db.t3.micro"
+      port                     = 5432
+      autoscaling_min_capacity = 1
+      autoscaling_max_capacity = 3
+    }
+  }
+
+  current_elasticache_config = local.elasticache_config[var.environment]
+
+  elasticache_config = {
+    staging = {
+      node_type = "cache.t2.micro"
+      port      = 6379
+    }
+
+    production = {
+      node_type = "cache.t2.micro"
+      port      = 6379
+    }
+  }
 }

core/main.tf

@@ -8,24 +8,98 @@ terraform {
   }
 }
 
+module "vpc" {
+  source = "../modules/vpc"
+}
+
+module "s3" {
+  source = "../modules/s3"
+}
+
+module "security_group" {
+  source = "../modules/security_group"
+
+  vpc_id                      = module.vpc.vpc_id
+  app_port                    = local.app_port
+  rds_port                    = local.current_rds_config.port
+  elasticache_port            = local.current_elasticache_config.port
+  private_subnets_cidr_blocks = module.vpc.private_subnets_cidr_blocks
+}
+
+module "alb" {
+  source = "../modules/alb"
+
+  vpc_id             = module.vpc.vpc_id
+  app_port           = local.app_port
+  subnet_ids         = module.vpc.public_subnet_ids
+  security_group_ids = module.security_group.alb_security_group_ids
+  health_check_path  = local.health_check_path
+}
+
 module "cloudwatch" {
   source = "../modules/cloudwatch"
 
-  kms_key_id = module.secrets_manager.secret_cloudwatch_log_key_arn
+  kms_key_id = module.secrets_manager.secret_key_arn
 }
 
 module "secrets_manager" {
   source = "../modules/secrets_manager"
 
   secrets = {
+    database_url    = module.rds.db_url
+    redis_url       = module.elasticache.redis_primary_endpoint
     secret_key_base = var.secret_key_base
   }
 }
 
-module "vpc" {
-  source = "../modules/vpc"
+module "ecs" {
+  source = "../modules/ecs"
+
+  region                             = local.region
+  app_port                           = local.app_port
+  ecr_repo_name                      = local.ecr_repo_name
+  health_check_path                  = local.health_check_path
+  subnets                            = module.vpc.private_subnet_ids
+  security_groups                    = module.security_group.ecs_security_group_ids
+  alb_target_group_arn               = module.alb.alb_target_group_arn
+  aws_cloudwatch_log_group_name      = module.cloudwatch.aws_cloudwatch_log_group_name
+  deployment_maximum_percent         = local.current_ecs_config.deployment_maximum_percent
+  deployment_minimum_healthy_percent = local.current_ecs_config.deployment_minimum_healthy_percent
+  web_container_cpu                  = local.current_ecs_config.web_container_cpu
+  web_container_memory               = local.current_ecs_config.web_container_memory
+  task_desired_count                 = local.current_ecs_config.task_desired_count
+  max_capacity                       = local.current_ecs_config.max_capacity
+  max_cpu_threshold                  = local.current_ecs_config.max_cpu_threshold
+
+  environment_variables = local.current_environment_variables
+  secrets_variables     = module.secrets_manager.secrets_variables
+  secret_arns           = module.secrets_manager.secret_arns
 }
 
-module "s3" {
-  source = "../modules/s3"
+module "rds" {
+  source = "../modules/rds"
+
+  vpc_security_group_ids = module.security_group.rds_security_group_ids
+  vpc_id                 = module.vpc.vpc_id
+  subnet_ids             = module.vpc.private_subnet_ids
+
+  database_name = var.environment
+  username      = var.rds_username
+  password      = var.rds_password
+
+  instance_type            = local.current_rds_config.instance_type
+  port                     = local.current_rds_config.port
+  autoscaling_min_capacity = local.current_rds_config.autoscaling_min_capacity
+  autoscaling_max_capacity = local.current_rds_config.autoscaling_max_capacity
+}
+
+module "elasticache" {
+  source = "../modules/elasticache"
+
+  node_type          = local.current_elasticache_config.node_type
+  port               = local.current_elasticache_config.port
+  subnet_ids         = module.vpc.private_subnet_ids
+  security_group_ids = module.security_group.elasticache_security_group_ids
+  auth_token         = var.redis_auth_token
+  kms_key_id         = module.secrets_manager.secret_key_arn
 }

core/variables.tf

@@ -7,4 +7,22 @@ variable "environment" {
 variable "secret_key_base" {
   description = "The secret key base for the application"
   type        = string
+  sensitive   = true
+}
+
+variable "rds_username" {
+  description = "RDS username"
+  type        = string
+  sensitive   = true
+}
+
+variable "rds_password" {
+  description = "RDS password"
+  type        = string
+  sensitive   = true
+}
+
+variable "redis_auth_token" {
+  description = "The auth token for the Redis cluster"
+  type        = string
 }

modules/alb/locals.tf

@@ -0,0 +1,28 @@
+locals {
+  # aws_lb
+  namespace                     = "devops-ic-alb"
+  access_logs_bucket            = "${local.namespace}-log-bucket"
+  application_target_group_name = "${local.namespace}-application-tg"
+  load_balancer_type            = "application"
+
+  # aws_lb_target_group
+  application_target_group_protocol       = "HTTP"
+  application_target_type                 = "ip"
+  application_target_deregistration_delay = 100
+
+  # Health check timeout must be smaller than the interval
+  health_check_timeout             = 20
+  health_check_interval            = 30
+  health_check_healthy_threshold   = 3
+  health_check_unhealthy_threshold = 3
+  health_check_protocol            = "HTTP"
+  health_check_matcher             = "200-299"
+
+  # stickiness
+  enable_stickiness = false
+  stickiness_type   = "lb_cookie"
+
+  # aws_lb_listener
+  aws_lb_listener_port     = 80
+  aws_lb_listener_protocol = "HTTP"
+}

modules/alb/main.tf

@@ -0,0 +1,63 @@
+resource "aws_lb" "this" {
+  #checkov:skip=CKV2_AWS_20: HTTP protocol is used for redirecting to HTTPS
+  #checkov:skip=CKV2_AWS_28: There is no need to protect public ALB by WAF
+  name               = local.namespace
+  load_balancer_type = local.load_balancer_type
+  subnets            = var.subnet_ids
+  security_groups    = var.security_group_ids
+
+  enable_deletion_protection = true
+  drop_invalid_header_fields = true
+
+  # tfsec:ignore:aws-elb-alb-not-public
+  internal = false
+
+  access_logs {
+    bucket  = local.access_logs_bucket
+    enabled = true
+  }
+}
+
+resource "aws_lb_target_group" "application_target_group" {
+  port                 = var.app_port
+  vpc_id               = var.vpc_id
+  name                 = local.application_target_group_name
+  target_type          = local.application_target_type
+  deregistration_delay = local.application_target_deregistration_delay
+  protocol             = local.application_target_group_protocol
+
+  health_check {
+    path                = var.health_check_path
+    port                = var.app_port
+    timeout             = local.health_check_timeout
+    interval            = local.health_check_interval
+    healthy_threshold   = local.health_check_healthy_threshold
+    unhealthy_threshold = local.health_check_unhealthy_threshold
+    protocol            = local.health_check_protocol
+    matcher             = local.health_check_matcher
+  }
+
+  dynamic "stickiness" {
+    for_each = local.enable_stickiness ? [1] : []
+
+    content {
+      enabled = local.enable_stickiness
+      type    = local.stickiness_type
+    }
+  }
+}
+
+# tfsec:ignore:aws-elb-http-not-used
+resource "aws_lb_listener" "app_http" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = local.aws_lb_listener_port
+
+  #checkov:skip=CKV_AWS_2: HTTP protocol is used for redirecting to HTTPS
+  #checkov:skip=CKV_AWS_103: HTTP protocol is used for redirecting to HTTPS, so there is no TLS certificate
+  protocol = local.aws_lb_listener_protocol
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.application_target_group.arn
+  }
+}

modules/alb/outputs.tf

@@ -0,0 +1,19 @@
+output "alb_name" {
+  description = "Application LB name"
+  value       = aws_lb.this.name
+}
+
+output "alb_dns_name" {
+  description = "Application LB DNS name"
+  value       = aws_lb.this.dns_name
+}
+
+output "alb_zone_id" {
+  description = "Application LB Zone ID"
+  value       = aws_lb.this.zone_id
+}
+
+output "alb_target_group_arn" {
+  description = "ALB target group ARN"
+  value       = aws_lb_target_group.application_target_group.arn
+}