tf apply working

infra/create-app/main.tf

@@ -87,3 +87,29 @@ module "cloudfront" {
     aws.us-east-1-provider = aws.us-east-1-provider
   }
 }
+
+module "ecs" {
+  source             = "../modules/ecs"
+  environment        = local.environment
+  private_subnet_ids = module.network.private_subnet_ids
+  project_name       = local.project_name
+  public_subnet_ids  = module.network.public_subnet_ids
+  vpc_id             = module.network.vpc_id
+}
+
+module "ecr" {
+  source                 = "../modules/ecr"
+  environment            = local.environment
+  private_route_table_id = module.network.private_route_table_id
+  private_subnet_ids     = module.network.private_subnet_ids
+  project_name           = local.project_name
+  task_security_group_id = module.ecs.task_security_group_id
+  vpc_id                 = module.network.vpc_id
+}
+
+module "codepipeline" {
+  count        = local.environment == "prod" ? 1 : 0
+  source       = "../modules/codepipeline"
+  environment  = local.environment
+  project_name = local.project_name
+}

infra/docker/poc/Dockerfile

@@ -0,0 +1,2 @@
+FROM public.ecr.aws/docker/library/node:18-alpine
+CMD ["echo", "Hello again, World!"]

infra/modules/codepipeline/buildspec/deploy-docker-image.yml

@@ -0,0 +1,18 @@
+version: 0.1
+
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to ECR...
+      - aws ecr get-login-password --region $DEFAULT_REGION | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$DEFAULT_REGION.amazonaws.com
+  build:
+    commands:
+      - echo Building docker image...
+      - docker build -t $IMAGE_NAME ./infra/docker/poc
+      - docker tag $IMAGE_NAME:latest $ACCOUNT_ID.dkr.ecr.$DEFAULT_REGION.amazonaws.com/$PROJECT_NAME-$ENVIRONMENT:$IMAGE_NAME
+      - docker tag $IMAGE_NAME:latest $ACCOUNT_ID.dkr.ecr.$DEFAULT_REGION.amazonaws.com/$PROJECT_NAME-$ENVIRONMENT:$COMMIT_ID
+  post_build:
+    commands:
+      - echo Pushing docker image...
+      - docker push $ACCOUNT_ID.dkr.ecr.$DEFAULT_REGION.amazonaws.com/$PROJECT_NAME-$ENVIRONMENT:$IMAGE_NAME
+      - docker push $ACCOUNT_ID.dkr.ecr.$DEFAULT_REGION.amazonaws.com/$PROJECT_NAME-$ENVIRONMENT:$COMMIT_ID

infra/modules/codepipeline/codebuild.tf

@@ -0,0 +1,63 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+locals {
+  account_id  = data.aws_caller_identity.current.account_id
+  region_name = data.aws_region.current.name
+}
+
+resource "aws_codebuild_project" "deploy-docker-image" {
+  name          = "${var.project_name}-codebuild-deploy-docker-image-${var.environment}"
+  description   = "Build docker image"
+  build_timeout = "300"
+  service_role  = aws_iam_role.codepipeline_role.arn
+
+  artifacts {
+    type = "CODEPIPELINE"
+  }
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = "aws/codebuild/standard:5.0"
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
+
+    environment_variable {
+      name  = "ACCOUNT_ID"
+      value = local.account_id
+    }
+
+    environment_variable {
+      name  = "DEFAULT_REGION"
+      value = local.region_name
+    }
+
+    environment_variable {
+      name  = "IMAGE_NAME"
+      value = "latest"
+    }
+
+    environment_variable {
+      name  = "COMMIT_ID"
+      value = "#{SourceVariables.CommitId}"
+    }
+
+    environment_variable {
+      name  = "PROJECT_NAME"
+      value = var.project_name
+    }
+
+    environment_variable {
+      name  = "ENVIRONMENT"
+      value = var.environment
+    }
+  }
+
+  source_version = "main"
+
+  source {
+    type      = "CODEPIPELINE"
+    buildspec = "infra/modules/codepipeline/buildspec/deploy-docker-image.yml"
+  }
+}

infra/modules/codepipeline/codepipeline.tf

@@ -0,0 +1,190 @@
+data "aws_ssm_parameter" "github_codestar_connection_arn" {
+  name = "${var.project_name}_github_codestar_connection_arn"
+}
+
+resource "aws_codepipeline" "docker-image-codepipeline" {
+  name          = "${var.project_name}-docker-image-pipeline-${var.environment}"
+  role_arn      = aws_iam_role.codepipeline_role.arn
+  pipeline_type = "V2"
+
+  artifact_store {
+    type     = "S3"
+    location = aws_s3_bucket.codepipeline_bucket.bucket
+  }
+
+  stage {
+    name = "Source"
+
+    action {
+      name             = "Source"
+      category         = "Source"
+      owner            = "AWS"
+      provider         = "CodeStarSourceConnection"
+      version          = "1"
+      output_artifacts = ["source_output"]
+      namespace        = "SourceVariables"
+
+      // options given here: https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html#action-reference-CodestarConnectionSource-config
+      configuration = {
+        ConnectionArn        = data.aws_ssm_parameter.github_codestar_connection_arn.value
+        FullRepositoryId     = "JiscSD/octopus"
+        BranchName           = "main"
+        OutputArtifactFormat = "CODE_ZIP"
+      }
+    }
+  }
+
+  stage {
+    name = "Deploy-Image"
+
+    action {
+      name            = "Deploy-Image"
+      category        = "Build"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      input_artifacts = ["source_output"]
+      version         = "1"
+
+      configuration = {
+        ProjectName = aws_codebuild_project.deploy-docker-image.name
+        EnvironmentVariables = jsonencode([
+          {
+            name  = "COMMIT_ID",
+            type  = "PLAINTEXT"
+            value = "#{SourceVariables.CommitId}"
+          }
+        ])
+      }
+    }
+  }
+}
+
+resource "aws_iam_role" "codepipeline_role" {
+  name = "${var.project_name}-codepipeline-role-${var.environment}"
+  tags = {
+    Name = "${var.project_name}-codepipeline-role-${var.environment}"
+  }
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": [
+                        "codepipeline.amazonaws.com",
+                        "codebuild.amazonaws.com"
+                ]
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+}
+
+// IAM codepipeline policy
+resource "aws_iam_role_policy" "codepipeline_policy" {
+  name = "${var.project_name}-codepipeline_policy-${var.environment}"
+  role = aws_iam_role.codepipeline_role.id
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:GetBucketVersioning",
+                "s3:PutObject",
+                "s3:PutObjectAcl",
+                "s3:GetBucketLocation",
+                "s3:DeleteObjectVersion",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "${aws_s3_bucket.codepipeline_bucket.arn}",
+                "${aws_s3_bucket.codepipeline_bucket.arn}/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "codestar-connections:UseConnection"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "codecommit:GitPull"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "codebuild:BatchGetBuilds",
+                "codebuild:StartBuild"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:CreateRepository",
+                "ecr:BatchCheckLayerAvailability",
+                "ecr:CompleteLayerUpload",
+                "ecr:GetAuthorizationToken",
+                "ecr:InitiateLayerUpload",
+                "ecr:PutImage",
+                "ecr:UploadLayerPart",
+                "ecs:UpdateService",
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:PutSecretValue"
+            ],                
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "rds:DescribeDBSnapshots",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "rds:CreateDBSnapshot",
+            "Resource": [
+                "*"
+            ]
+        },              
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:Describe*",
+                "ec2:DeleteNetworkInterface",
+                "ec2:CreateNetworkInterface",
+                "ec2:CreateNetworkInterfacePermission",
+                "iam:PassRole"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}

infra/modules/codepipeline/s3.tf

@@ -0,0 +1,28 @@
+resource "aws_s3_bucket" "codepipeline_bucket" {
+  bucket = "${var.project_name}-codepipeline-bucket-${var.environment}"
+  tags = {
+    Name = "${var.project_name}-codepipeline-bucket-${var.environment}"
+  }
+}
+
+resource "aws_s3_bucket_ownership_controls" "codepipeline_bucket_ownership_controls" {
+  bucket = aws_s3_bucket.codepipeline_bucket.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "codepipeline_bucket_acl" {
+  depends_on = [aws_s3_bucket_ownership_controls.codepipeline_bucket_ownership_controls]
+
+  bucket = aws_s3_bucket.codepipeline_bucket.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "codepipeline_bucket_access" {
+  bucket                  = aws_s3_bucket.codepipeline_bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
+}

infra/modules/codepipeline/vars.tf

@@ -0,0 +1,7 @@
+variable "project_name" {
+  type = string
+}
+
+variable "environment" {
+  type = string
+}