tobbie
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/destroy.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/destroy.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/test-and-lint.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/test-and-lint.yml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 2 additions & 1 deletion b/‎docker-compose.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ecs-with-fargate/.terraform.lock.hcl‎
Lines changed: 25 additions & 0 deletions b/‎ecs-with-fargate/.terraform.lock.hcl‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎ecs-with-fargate/README.md‎ b/‎ecs-with-fargate/README.md‎
diff --git a/‎ecs-with-fargate/acm.tf‎
Lines changed: 19 additions & 0 deletions b/‎ecs-with-fargate/acm.tf‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎ecs-with-fargate/alb.tf‎
Lines changed: 104 additions & 0 deletions b/‎ecs-with-fargate/alb.tf‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎ecs-with-fargate/data-sources.tf‎
Lines changed: 20 additions & 0 deletions b/‎ecs-with-fargate/data-sources.tf‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎ecs-with-fargate/ecs.tf‎
Lines changed: 129 additions & 0 deletions b/‎ecs-with-fargate/ecs.tf‎
Lines changed: 129 additions & 0 deletions
@@ -36,6 +36,11 @@ jobs:
           docker compose run --rm terraform -chdir=network/ init
           docker compose run --rm terraform -chdir=network/ workspace select -or-create $workspace    
           docker compose run --rm terraform -chdir=network/ apply --auto-approve
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ init
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ workspace select -or-create $workspace 
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ plan   
+        # docker compose run --rm terraform -chdir=ecs-with-fargate/ apply --auto-approve
+          
 
 
 
 
@@ -25,6 +25,8 @@ jobs:
           export TF_WORKSPACE=${{  github.event.inputs.environment }}
           docker compose run --rm terraform -chdir=network/ init
           docker compose run --rm terraform -chdir=network/ destroy --auto-approve
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ init
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ destroy --auto-approve
           
 
 
 
@@ -24,10 +24,14 @@ jobs:
       - name: Run terraform checks
         run: |
           docker compose run --rm terraform -chdir=setup/ init -backend=false
-          docker compose run --rm terraform -chdir=setup/ validate
           docker compose run --rm terraform -chdir=setup/ fmt -check
+          docker compose run --rm terraform -chdir=setup/ validate
           docker compose run --rm terraform -chdir=network/ init -backend=false
-          docker compose run --rm terraform -chdir=network/ validate
           docker compose run --rm terraform -chdir=network/ fmt -check
+          docker compose run --rm terraform -chdir=network/ validate   
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ init -backend=false
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ fmt -check
+          docker compose run --rm terraform -chdir=ecs-with-fargate/ validate
+         
 
 
@@ -4,12 +4,13 @@ services:
     volumes:
       - ./setup:/tf/setup
       - ./network:/tf/network
+      - ./ecs-with-fargate:/tf/ecs-with-fargate
 
     working_dir: /tf   # all commands will run from /tf in the container
     environment:
       - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
       - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
       - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
-      - AWS_DEFAULT_REGION=us-east-1
+      - AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
       - TF_WORKSPACE=${TF_WORKSPACE}
 
@@ -0,0 +1,19 @@
+module "acm" {
+  source  = "terraform-aws-modules/acm/aws"
+  version = "5.1.0"
+
+  domain_name = trimsuffix(data.aws_route53_zone.mydomain.name, ".") # trimsiffix added to handle cases here the domain name is a private one.
+  zone_id     = data.aws_route53_zone.mydomain.zone_id
+
+
+  subject_alternative_names = [
+    "*.${terraform.workspace}.${var.domain}"
+  ]
+
+  validation_method   = "DNS"
+  wait_for_validation = true
+
+  tags = {
+    Name = "${terraform.workspace}.${var.domain}"
+  }
+}
@@ -0,0 +1,104 @@
+##########################################
+# Application Load Balancer #
+##########################################
+
+module "alb" {
+  source  = "terraform-aws-modules/alb/aws"
+  version = "~> 9.0"
+
+  name                       = "my-alb"
+  vpc_id                     = data.terraform_remote_state.vpc.outputs.vpc_id
+  subnets                    = data.terraform_remote_state.vpc.outputs.public_subnets
+  enable_deletion_protection = false
+
+  # Security Groups
+  security_group_ingress_rules = {
+    all_http = {
+      from_port   = 80
+      to_port     = 80
+      ip_protocol = "tcp"
+      description = "HTTP web traffic"
+      cidr_ipv4   = "0.0.0.0/0"
+    }
+    all_https = {
+      from_port   = 443
+      to_port     = 443
+      ip_protocol = "tcp"
+      description = "HTTPS web traffic"
+      cidr_ipv4   = "0.0.0.0/0"
+    }
+  }
+
+  security_group_egress_rules = {
+    all = {
+      ip_protocol = "-1"
+      cidr_ipv4   = data.terraform_remote_state.vpc.outputs.vpc_cidr_block //only allow outbound traffic to vpc_cidr block only
+    }
+  }
+
+
+
+  listeners = {
+    #HTTP Listener no longer needed. Uncomment for testing purpose
+    #  http = {
+    #    port     = 80
+    #   protocol = "HTTP"
+
+    #   forward = {
+    #     target_group_key = "ror-frontend-service"
+    #   }
+    #  }
+
+    #HTTPS Redirect Listener
+    http-https-redirect = {
+      port     = 80
+      protocol = "HTTP"
+      redirect = {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+
+    #HTTPS Listener
+    https = {
+      port            = 443
+      protocol        = "HTTPS"
+      certificate_arn = module.acm.acm_certificate_arn
+
+      forward = {
+        target_group_key = "ror-frontend-service"
+      }
+    }
+  }
+
+  target_groups = {
+    ror-frontend-service = {
+      name_prefix                       = "tg1"
+      backend_protocol                  = "HTTP"
+      backend_port                      = local.container_port
+      target_type                       = "ip"
+      deregistration_delay              = 5
+      load_balancing_cross_zone_enabled = true
+
+      health_check = {
+        enabled             = true
+        interval            = 30
+        path                = "/"
+        port                = "traffic-port"
+        healthy_threshold   = 3
+        unhealthy_threshold = 3
+        timeout             = 6
+        protocol            = "HTTP"
+        matcher             = "200-399"
+      }
+
+      # There's nothing to attach here in this definition. Instead,
+      # ECS will attach the IPs of the tasks to this target group
+      create_attachment = false
+
+    }
+  }
+
+
+}
@@ -0,0 +1,20 @@
+# Terraform newtwork remote state data source 
+data "terraform_remote_state" "vpc" {
+  backend = "s3"
+  config = {
+    bucket         = "aws-infra-repo-tfstate-25"
+    key            = "env:/${local.workspace}/tf-state-network"
+    region         = "us-east-1"
+    dynamodb_table = "aws-infra-repo-tf-lock"
+  }
+}
+
+# Provides the current AWS region
+data "aws_region" "current" {}
+
+# Get DNS information from AWS Route53
+data "aws_route53_zone" "mydomain" {
+  name         = var.domain
+  private_zone = false
+}
+
@@ -0,0 +1,129 @@
+module "ecs" {
+  source = "terraform-aws-modules/ecs/aws"
+
+  cluster_name = "rite-blend"
+
+  cluster_configuration = {
+    execute_command_configuration = {
+      logging = "OVERRIDE"
+      log_configuration = {
+        cloud_watch_log_group_name = "/aws/ecs/ecs-exec-group" # aws_cloudwatch_log_group.ecs_execute_command.name
+      }
+    }
+  }
+
+  #Specify how fargate provisions serverless resources for your containers 
+  fargate_capacity_providers = {
+    FARGATE = {
+      default_capacity_provider_strategy = {
+        base   = 1
+        weight = 60
+      }
+    }
+    FARGATE_SPOT = {
+      default_capacity_provider_strategy = {
+        base   = 0
+        weight = 40
+      }
+    }
+  }
+
+
+  # Task execution IAM role policy
+  # Automatically creates a task execution role that has default permission for ECS to access ECR, SSM
+  create_task_exec_policy = true
+
+
+  # Service Configuration
+  services = {
+    (local.service_name) = {
+      cpu    = 1024
+      memory = 4096
+
+      assign_public_ip       = true
+      enable_execute_command = true
+
+
+      # Container definition(s)
+      container_definitions = {
+        (local.container_name) = {
+          cpu       = 512
+          memory    = 2048
+          essential = true
+          image     = "public.ecr.aws/aws-containers/ecsdemo-frontend:latest"
+
+
+          port_mappings = [
+            {
+              name          = local.container_name
+              containerPort = local.container_port
+              hostPort      = local.container_port
+              protocol      = "tcp"
+            }
+          ]
+
+          # Example image used requires access to write to root filesystem
+          readonly_root_filesystem = false
+
+          #Allows terraform to manage the cloudwatch log group
+          create_cloudwatch_log_group    = true
+          cloud_watch_log_group_name     = "/aws/ecs/${local.service_name}/${local.container_name}"
+          cloudwatch_log_group_retention = 7
+
+
+          log_configuration = {
+            logDriver = "awslogs"
+            options = {
+              awslogs-region        = var.aws_region
+              awslogs-group         = "/aws/ecs/${local.service_name}/${local.container_name}"
+              awslogs-stream-prefix = "ecs"
+
+            }
+          }
+          memory_reservation = 100
+
+        }
+      }
+
+      # Connect ECS Service to Load Balancer
+      load_balancer = {
+        service = {
+          target_group_arn = module.alb.target_groups["ror-frontend-service"].arn
+          container_name   = local.container_name
+          container_port   = local.container_port
+        }
+      }
+
+
+      #Specify subnets to host ECS service and tasks
+      subnet_ids = data.terraform_remote_state.vpc.outputs.public_subnets
+
+      #Specify ECS service security groups
+      security_group_rules = {
+        public_ingress_80 = {
+          type                     = "ingress"
+          from_port                = local.container_port
+          to_port                  = local.container_port
+          protocol                 = "tcp"
+          source_security_group_id = module.alb.security_group_id
+          description              = "Allow traffic from ALB SG only"
+        }
+        egress_all = {
+          type        = "egress"
+          from_port   = 0
+          to_port     = 0
+          protocol    = "-1"
+          cidr_blocks = ["0.0.0.0/0"]
+        }
+      }
+    }
+  }
+
+
+  # TODO 
+  # - Create Task Execution Role -- to allow ECS access other AWS services it requires to create the task.
+  #   E.g accessing SSM parameter store for secrets to be injected when creating tasks for containers
+  # - Create Task Role -- to allow running containers access other aws services- e.g container needs access to S3.
+}
+
+