add terraform configuration

Author: briancaffey

Makefile

@@ -1,3 +1,5 @@
+# for local development
+
 dcud:
 docker compose -f docker-compose.dev.yml up
 
@@ -8,4 +10,21 @@ dcug:
 docker compose -f docker-compose.gunicorn.yml up
 
 dcdg:
-docker compose -f docker-compose.gunicorn.yml down
+docker compose -f docker-compose.gunicorn.yml down
+
+# for terraform
+
+tf-init:
+terraform -chdir=terraform init
+
+tf-plan:
+terraform -chdir=terraform plan
+
+tf-apply:
+terraform -chdir=terraform apply
+
+tf-fmt:
+terraform fmt -recursive
+
+tf-destroy:
+terraform -chdir=terraform destroy

README.md

@@ -17,5 +17,18 @@ This repo is for testing ECS networking configurations using:
 - [x] add a simple docker-compose file with flask app and redis (prod mode with gunicorn)
 - [x] add a redis connection to flask app
 - [x] add basic view to test redis connection
-- [ ] add a terraform config that can be used locally
+- [x] add a terraform config that can be used locally
 
+## AWS Setup
+
+- [x] Setup ECR repository for flask backend
+- [x] Build and push flask backend to ECR
+- [x] ACM certificate ARN stored in terraform.tfvars file locally
+- [x] Hosted Zone and Domain name purchased through AWS Route 53
+
+## Terraform Configuration Details
+
+- [x] VPC with only public subnets and no NAT gateway
+- [x] Launch Configuration with 1 EC2 instance
+- [x] ASG for ECS
+- [ ] Service Discovery Resources

app/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-slim-buster
+FROM --platform=linux/amd64 python:3.9-slim-buster
 
 ENV PYTHONUNBUFFERED 1
 ENV PYTHONDONTWRITEBYTECODE 1

app/app.py

@@ -28,3 +28,7 @@ def set_foo(path):
 def unset_foo():
  r.delete('foo')
  return "<b>foo</b> has been deleted"
+
+@app.route("/api/status/")
+def status():
+ return "OK"

scripts/build_and_push_to_ecr.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+IMAGE_TAG=${IMAGE_TAG:-latest}
+echo "IMAGE_TAG is ${IMAGE_TAG}"
+
+aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com
+
+docker build -t flask:$IMAGE_TAG ./app
+
+docker tag flask:$IMAGE_TAG $ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/flask:$IMAGE_TAG
+
+docker push $ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/flask:$IMAGE_TAG
+

terraform/.gitignore

@@ -0,0 +1,5 @@
+.terraform
+.terraform.lock.hcl
+terraform.tfvars
+terraform.tfstate.backup
+terraform.tfstate

terraform/main.tf

@@ -0,0 +1,81 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+
+ name = "${terraform.workspace}-vpc"
+ cidr = var.cidr
+
+ azs = var.azs
+ public_subnets = var.public_subnets
+
+ enable_nat_gateway = false
+}
+
+module "lb" {
+ source = "./modules/lb"
+ vpc_id = module.vpc.vpc_id
+ acm_certificate_arn = var.acm_certificate_arn
+ health_check_path = "/"
+ public_subnets = module.vpc.public_subnets
+}
+
+module "ecs" {
+ source = "./modules/ecs"
+ vpc_id = module.vpc.vpc_id
+ public_subnets = module.vpc.public_subnets
+ instance_type = var.instance_type
+ alb_sg_id = module.lb.alb_sg_id
+ region = var.region
+}
+
+module "route53" {
+ source = "./modules/route53"
+ zone_name = var.zone_name
+ record_name = var.record_name
+ alb_dns_name = module.lb.dns_name
+}
+
+module "redis" {
+ source = "./modules/redis"
+ name = "redis"
+ vpc_id = module.vpc.vpc_id
+ ecs_cluster_id = module.ecs.cluster_id
+ public_subnets = module.vpc.public_subnets
+ ecs_sg_id = module.ecs.ecs_sg_id
+ image = "redis:latest"
+ region = var.region
+ service_discovery_arn = module.ecs.registry_arn
+ ecs_service_iam_role_arn = module.ecs.service_iam_role_arn
+}
+
+# locals {
+# be_image = "${var.ecr_app_repo}:${var.app_image_tag}"
+# env_vars = [
+# {
+# name = "REDIS_HOST"
+# value = "redis"
+# }
+# ]
+# }
+
+# module "app" {
+# source = "./modules/app"
+# name = "gunicorn"
+# ecs_cluster_id = module.ecs.cluster_id
+# task_role_arn = module.ecs.task_role_arn
+# ecs_service_iam_role_arn = module.ecs.service_iam_role_arn
+# command = ["gunicorn", "--bind", "0.0.0.0:5000", "wsgi:app"]
+# env_vars = local.env_vars
+# image = local.be_image
+# alb_default_tg_arn = module.lb.alb_default_tg_arn
+# log_group_name = "/ecs/${terraform.workspace}/app"
+# log_stream_prefix = "app"
+# region = var.region
+# cpu = var.app_cpu
+# memory = var.app_memory
+# port = 8000
+# path_patterns = ["/*"]
+# health_check_path = "/api/status/"
+# listener_arn = module.lb.listener_arn
+# vpc_id = module.vpc.vpc_id
+# priority = 1
+# }

terraform/modules/app/main.tf

@@ -0,0 +1,96 @@
+resource "aws_cloudwatch_log_group" "this" {
+ name = var.log_group_name
+ retention_in_days = 1
+}
+
+resource "aws_cloudwatch_log_stream" "this" {
+ name = var.log_stream_prefix
+ log_group_name = aws_cloudwatch_log_group.this.name
+}
+
+resource "aws_ecs_task_definition" "this" {
+ family = "${terraform.workspace}-${var.name}"
+ container_definitions = jsonencode([
+ {
+ name = var.name
+ image = var.image
+ cpu = var.cpu
+ memory = var.memory
+ essential = true
+ links = []
+ environment = var.env_vars
+ command = var.command
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ "awslogs-group" = var.log_group_name
+ "awslogs-region" = var.region
+ "awslogs-stream-prefix" = var.log_stream_prefix
+ }
+ }
+ portMappings = [
+ {
+ containerPort = var.port
+ hostPort = 0
+ protocol = "tcp"
+ }
+ ]
+ }
+ ])
+ task_role_arn = var.task_role_arn
+}
+
+resource "aws_ecs_service" "this" {
+ name = "${terraform.workspace}-${var.name}"
+ cluster = var.ecs_cluster_id
+ task_definition = aws_ecs_task_definition.this.arn
+ iam_role = var.ecs_service_iam_role_arn
+ desired_count = var.app_count
+
+ load_balancer {
+ target_group_arn = aws_lb_target_group.this.arn
+ container_name = var.name
+ container_port = var.port
+ }
+}
+
+resource "aws_lb_target_group" "this" {
+ port = var.port
+ protocol = "HTTP"
+ vpc_id = var.vpc_id
+ deregistration_delay = 5
+
+ health_check {
+ healthy_threshold = var.health_check_healthy_threshold
+ unhealthy_threshold = 3
+ interval = var.health_check_interval
+ matcher = "200-399"
+ path = var.health_check_path
+ port = "traffic-port"
+ protocol = "HTTP"
+ timeout = "5"
+ }
+ tags = {
+ Name = "${terraform.workspace}-${var.name}-tg" #* https://github.com/hashicorp/terraform-provider-aws/issues/636#issuecomment-397459646
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+}
+
+resource "aws_lb_listener_rule" "this" {
+ listener_arn = var.listener_arn
+ priority = var.priority
+
+ condition {
+ path_pattern {
+ values = var.path_patterns
+ }
+ }
+ action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.this.arn
+ }
+}

terraform/modules/app/variables.tf

@@ -0,0 +1,124 @@
+variable "alb_default_tg_arn" {
+ description = "The ARN of the default target group"
+ type = string
+}
+
+variable "app_count" {
+ description = "Number of Docker containers to run"
+ default = 1
+}
+
+variable "ecs_cluster_id" {
+ description = "ECS Cluster ID"
+ type = string
+}
+
+variable "ecs_service_iam_role_arn" {
+ description = "ECS Service IAM Role ARN"
+ type = string
+}
+
+variable "task_role_arn" {
+ description = "Task Role ARN"
+ type = string
+}
+
+variable "command" {
+ default = null
+ type = list(string)
+ description = "Command to run in Docker container"
+}
+
+variable "env_vars" {
+ type = list(object({ name = string, value = string }))
+ description = "Environment variables to set in Docker container"
+}
+
+variable "image" {
+ type = string
+ description = "Container image from ECS to run"
+}
+
+variable "log_group_name" {
+ type = string
+ description = "Name of the CloudWatch Logs group"
+}
+
+variable "log_stream_prefix" {
+ type = string
+ description = "Name of the CloudWatch Logs stream"
+}
+
+variable "log_retention_in_days" {
+ default = 1
+ type = number
+}
+
+variable "region" {
+ default = "us-east-1"
+ description = "AWS region"
+ type = string
+}
+
+variable "cpu" {
+ default = null
+ description = "CPU to allocate to container"
+ type = number
+}
+
+variable "memory" {
+ default = null
+ description = "Amount (in MiB) of memory used by the task"
+ type = number
+}
+
+variable "name" {
+ description = "Name to use for the service and task"
+ type = string
+}
+
+variable "port" {
+ default = 80
+ description = "Port to expose on the container"
+ type = number
+}
+
+variable "priority" {
+ description = "Priority for the listener rule"
+ type = number
+}
+
+
+variable "path_patterns" {
+ description = "Path patterns to match"
+ type = list(string)
+}
+
+variable "listener_arn" {
+ description = "Listener ARN"
+ type = string
+}
+
+variable "vpc_id" {
+ description = "VPC ID"
+ type = string
+}
+
+variable "health_check_path" {
+ description = "Path to check for health"
+ default = "/"
+ type = string
+}
+
+variable "health_check_healthy_threshold" {
+ description = "Number of consecutive health checks successes required"
+ default = 2
+ type = number
+}
+
+
+variable "health_check_interval" {
+ description = "Time between health checks"
+ default = 7
+ type = number
+}