STR-415(sandbox core API)

infra/dev/backend.tf

@@ -12,7 +12,7 @@ terraform {
     required_providers {
     aws = { 
       source  = "hashicorp/aws"
-      version = "4.14.0"
+      version = "4.37.0"
     }
   }
 

infra/sandbox/Makefile

@@ -0,0 +1,12 @@
+export
+AWS_PROFILE=dev-string
+
+init:
+	terraform init
+plan:
+	terraform plan
+apply:
+	terraform apply
+
+destroy:
+	terraform destroy

infra/sandbox/alb.tf

@@ -0,0 +1,102 @@
+module "alb_acm" {
+  source            = "../acm"
+  domain_name       = "api.${local.root_domain}"
+  aws_region        = "us-west-2"
+  zone_id           = data.aws_route53_zone.root.zone_id
+  tags = {
+    Name = "api-${local.root_domain}-alb"
+  }
+}
+
+resource "aws_alb" "alb" {
+  name                       = "${local.env}-${local.service_name}-alb"
+  drop_invalid_header_fields = true
+  security_groups            = [aws_security_group.ecs_alb_https_sg.id]
+  subnets                    = data.terraform_remote_state.vpc.outputs.public_subnets
+
+  tags = {
+    Name = "${local.env}-${local.service_name}-alb"
+    Environment = local.env
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+ resource "aws_ssm_parameter" "alb" {
+    name = "${local.service_name}-alb-arn"
+    value = aws_alb.alb.arn
+    type = "String"
+ }
+
+  resource "aws_ssm_parameter" "alb_dns" {
+    name = "${local.service_name}-alb-dns"
+    value = aws_alb.alb.dns_name
+    type = "String"
+ }
+
+resource "aws_alb_target_group" "ecs_task_target_group" {
+  name        = "${local.env}-${local.service_name}-tg"
+  port        = local.container_port
+  vpc_id      = data.terraform_remote_state.vpc.outputs.id
+  target_type = "ip"
+  protocol    = "HTTP"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  health_check {
+    path                = "/heartbeat"
+    protocol            = "HTTP"
+    matcher             = "200"
+    interval            = 60
+    timeout             = 30
+    unhealthy_threshold = "3"
+    healthy_threshold   = "3"
+  }
+
+  tags = {
+    Name = "${local.env}-${local.service_name}-tg"
+  }
+}
+
+resource "aws_alb_listener" "alb_https_listener" {
+  load_balancer_arn = aws_alb.alb.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = module.alb_acm.arn
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.ecs_task_target_group.arn
+  }
+}
+
+ resource "aws_ssm_parameter" "alb_listerner" {
+    name = "${local.service_name}-alb-listener-arn"
+    value = aws_alb_listener.alb_https_listener.arn
+    type = "String"
+ }
+
+resource "aws_alb_listener_rule" "ecs_alb_listener_rule" {
+  listener_arn = aws_alb_listener.alb_https_listener.arn
+  priority     = 100
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.ecs_task_target_group.arn
+  }
+
+  condition {
+    host_header {
+      values = ["api.${local.root_domain}"]
+    }
+  }
+}
+

infra/sandbox/backend.tf

@@ -0,0 +1,35 @@
+locals {
+  remote_state_bucket  = "dev-string-terraform-state"
+  backend_region       = "us-west-2"
+  vpc_remote_state_key = "vpc.tfstate"
+}
+
+provider "aws" {
+  region  = "us-west-2"
+}
+
+terraform {
+    required_providers {
+    aws = { 
+      source  = "hashicorp/aws"
+      version = "4.37.0"
+    }
+  }
+
+  backend "s3" {
+    encrypt        = true
+    key            = "sandbox-api.tfstate"
+    bucket         = "dev-string-terraform-state"
+    dynamodb_table = "dev-string-terraform-state-lock"
+    region         = "us-west-2"
+  }
+}
+
+data "terraform_remote_state" "vpc" {
+  backend = "s3"
+  config = {
+    region = local.backend_region
+    bucket = local.remote_state_bucket
+    key    = local.vpc_remote_state_key
+  }
+}

infra/sandbox/cloudfront.tf

@@ -0,0 +1,51 @@
+resource "aws_cloudfront_distribution" "this" {
+  enabled         = true
+  is_ipv6_enabled = true
+  aliases         = ["api.${local.root_domain}"]
+
+  origin {
+    domain_name = aws_alb.alb.dns_name
+    origin_id   = local.origin_id
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "https-only"
+      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+      locations        = []
+    }
+  }
+
+
+  default_cache_behavior {
+    target_origin_id = local.origin_id
+    compress         = true
+    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods   = ["GET", "HEAD", "OPTIONS"]
+
+    forwarded_values {
+      query_string = true
+      headers      = ["X-Forwarded-For", "Host", "X-Api-Key"]
+      cookies {
+        forward = "all"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 60
+    max_ttl                = 120
+  }
+
+  viewer_certificate {
+    ssl_support_method             = "sni-only"
+    acm_certificate_arn            = module.acm.arn
+    minimum_protocol_version       = "TLSv1.1_2016"
+    cloudfront_default_certificate = false
+  }
+}

infra/sandbox/domain.tf

@@ -0,0 +1,25 @@
+data "aws_route53_zone" "root" {
+  name = local.root_domain
+}
+
+resource "aws_route53_record" "domain" {
+  name = "api"
+  type    = "A"
+  zone_id = data.aws_route53_zone.root.zone_id
+  alias {
+    evaluate_target_health = false
+    name                   = aws_cloudfront_distribution.this.domain_name
+    zone_id                = aws_cloudfront_distribution.this.hosted_zone_id
+  }
+}
+
+module "acm" {
+  source      = "../acm"
+  domain_name = "api.${local.root_domain}"
+  aws_region  = "us-east-1"
+  zone_id     = data.aws_route53_zone.root.zone_id
+  tags = {
+    Environment = local.env
+    Name = "api.${local.root_domain}"
+  }
+}

infra/sandbox/ecs.tf

@@ -0,0 +1,59 @@
+resource "aws_ecs_cluster" "cluster" {
+  name = local.cluster_name
+}
+
+resource "aws_ecs_task_definition" "task_definition" {
+  container_definitions    = local.task_definition
+  family                   = local.service_name
+  cpu                      = local.cpu
+  memory                   = local.memory
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  execution_role_arn       = aws_iam_role.task_ecs_role.arn
+  task_role_arn            = aws_iam_role.task_ecs_role.arn
+}
+
+resource "aws_ecr_repository" "repo" {
+  name                 = local.service_name
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    Environment = local.env
+    Name        = local.service_name
+  }
+}
+
+resource "aws_ecs_service" "ecs_service" {
+  name            = local.service_name
+  task_definition = local.service_name
+  desired_count   = local.desired_task_count
+  cluster         = aws_ecs_cluster.cluster.name
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    subnets          = data.terraform_remote_state.vpc.outputs.public_subnets
+    security_groups  = [aws_security_group.ecs_task_sg.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    container_name   = local.service_name
+    container_port   = local.container_port
+    target_group_arn = aws_alb_target_group.ecs_task_target_group.arn
+  }
+
+  depends_on = [
+    aws_alb_listener_rule.ecs_alb_listener_rule,
+    aws_iam_role_policy.task_ecs_policy,
+    aws_ecs_task_definition.task_definition
+  ]
+
+  tags = {
+    Environment = local.env
+    Name        = local.service_name
+  }
+}