need tests

Author: Lionel Martin

.gitignore

@@ -0,0 +1,2 @@
+.terraform.lock.hcl
+.terraform/

README.md

@@ -0,0 +1,157 @@
+# Deploy Laravel on AWS ECS Fargate
+
+## Key Resources & Features
+
+| Name | Description | Required | Status |
+|------|-------------|:--------:|------|
+| `aws_vpc` | We create a separate Virtual Private Cloud network for each new Laravel stack (e.g. production vs staging) | yes | DONE |
+| `aws_subnet` | We always setup our VPC both with private and public subnets. Private subnets can't be accessible from the internet, which is great for the database | yes | DONE |
+| Multi-AZ | By default, Fargate tasks are spread across Availability Zones. So we just need to bump the number of instances for our Fargate tasks | no | DONE |
+| `aws_route_table` | Required for traffic to flow in and out of our subnets | yes | DONE |
+| `aws_nat_gateway` | Required for instances in private subnets to egress to the internet | no | DONE |
+| `aws_ecs_cluster` |  We need one cluster for each of our Laravel web frontend, workers and crons | yes | DONE |
+| `aws_ecs_service` |  We need one service for each of our Laravel web frontend, workers and crons | yes | DONE |
+| `aws_ecs_task_definition` |  We need one task definition for each of our Laravel web frontend, workers and crons | yes | DONE |
+| `aws_ecr_repository` | We will build our Laravel project as a Docker image, which will be stored in a new Docker repository | yes | DONE |
+| `aws_iam_role` |  Roles needed for our compute instances to access various resources, such as S3 or ECR | yes | DONE |
+| `aws_rds_cluster` |  Our MySQL database | yes | DONE |
+| Auto-Scaling |  The ability for our clusters and services to automatically instantiate more Laravel frontend (or workers) based on CPU usage | no | DONE for frontend |
+| Laravel Workers & Cron |  Self explanatory | yes | DONE |
+| `Dockerfile` |  Our PHP FPM configuration | yes | DONE |
+| `Dockerfile-nginx` |  Our reverse proxy configuration | yes | DONE |
+| `aws_elasticache_cluster` | Our Redis cluster | no | DONE |
+| `aws_elasticsearch_domain` | Our managed ElasticSearch instance | no | DONE |
+| `aws_sqs_queue` | Our Laravel queue | no | DONE |
+| `aws_ssm_parameter` | Third party secrets in a managed vault | no | DONE |
+| `aws_cloudwatch_dashboard` | Cloudwatch dashboard | no | TODO |
+| `aws_s3_bucket` | Example S3 bucket for  | no | DONE |
+| `aws_cloudfront_distribution` | A CloudFront distribution | no | Coming soon... |
+
+## 1. Create an IAM User for Terraform in the AWS console
+...with Programmatic Access only and with the following permissions:
+
+- `arn:aws:iam::aws:policy/AmazonS3FullAccess`
+- `arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess`
+- `arn:aws:iam::aws:policy/IAMFullAccess`
+- `arn:aws:iam::aws:policy/AmazonRoute53FullAccess`
+- `arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess`
+- `arn:aws:iam::aws:policy/AmazonRDSFullAccess`
+- `arn:aws:iam::aws:policy/AmazonEC2FullAccess`
+- `arn:aws:iam::aws:policy/AmazonECS_FullAccess`
+- `arn:aws:iam::aws:policy/CloudWatchFullAccess`
+- `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess`
+
+## 2. Save new access keys as an AWS CLI profile
+```
+export PROJECT_NAME=your_project_name_here
+
+aws --profile $PROJECT_NAME configure
+```
+
+Save the below function into your terminal to easily load an AWS profile in a terminal instance (optional):
+```
+awsprofile() { export AWS_ACCESS_KEY_ID=$(aws --profile $1 configure get aws_access_key_id) && export AWS_SECRET_ACCESS_KEY=$(aws --profile $1 configure get aws_secret_access_key); }
+
+awsprofile $PROJECT_NAME
+```
+
+## 3. Create your infrastructure using Terraform
+
+### Create and configure an S3 bucket as Terraform backend
+You can use any naming norm for your S3 bucket, as long as you update the backend bucket name configuration in `providers.tf` accordingly.
+
+```
+export BUCKET_NAME=$PROJECT_NAME-$(date '+%Y%m%d%H%M%S')
+
+aws s3 mb s3://$BUCKET_NAME
+
+aws s3api put-bucket-encryption --bucket $BUCKET_NAME --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'
+
+aws s3api put-public-access-block --bucket $BUCKET_NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
+
+aws s3api put-bucket-versioning --bucket $BUCKET_NAME --versioning-configuration MFADelete=Disabled,Status=Enabled
+```
+
+### Create a DynamoDB database for Terraform state locking
+```
+aws dynamodb create-table --region us-east-1 --table-name terraform_locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1
+```
+
+### Terraform apply
+Copy the terraform folder at the root of your Laravel project.
+
+```
+cd terraform
+
+export TF_VAR_project_name=$PROJECT_NAME
+
+terraform init -backend-config="bucket=$BUCKET_NAME"
+
+terraform apply
+```
+
+### Build and deploy your Docker images manually (optional - only if you don't use a CD pipeline)
+
+```
+aws ecr get-login-password --region $(terraform output region | tr -d '"') | docker login --username AWS --password-stdin $(terraform output account_id | tr -d '"').dkr.ecr.$(terraform output region | tr -d '"').amazonaws.com
+
+docker pull li0nel/laravel-test && docker tag li0nel/laravel-test $(terraform output -json | jq '.ecr.value.laravel_repository_uri' | tr -d '"') && docker push $(terraform output -json | jq '.ecr.value.laravel_repository_uri' | tr -d '"')
+
+docker pull li0nel/nginx && docker tag li0nel/nginx $(terraform output -json | jq '.ecr.value.nginx_repository_uri' | tr -d '"') && docker push $(terraform output -json | jq '.ecr.value.nginx_repository_uri' | tr -d '"')
+```
+
+### SSH tunnelling into the database through the EC2 bastion (optional - only to access the database manually)
+
+Coming soon: replace with [VPN setup](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-client-vpn-to-securely-access-aws-and-on-premises-resources/) + [AWS System Manager Session Manager](https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/)
+
+```
+aws ec2 run-instances --image-id $(terraform output ec2_ami_id) --count 1 --instance-type t2.micro --key-name $(terraform output ec2_key_name) --security-group-ids $(terraform output ec2_security_group_id) --subnet-id $(terraform output ec2_public_subnet_id) --associate-public-ip-address | grep InstanceId
+
+aws ec2 describe-instances --instance-ids xxxx | grep PublicIpAddress
+```
+
+```
+ssh ubuntu@xxxxx -i $(terraform output ec2_ssh_key_path) -L 3306:$(terraform output aurora_endpoint):3306
+```
+  
+Then connect using your favourite MySQL client
+```
+mysql -u$(terraform output aurora_db_username) -p$(terraform output aurora_master_password) -h 127.0.0.1 -D $(terraform output aurora_db_name)
+```
+
+```
+aws ec2 terminate-instances --instance-ids xxxx
+```
+
+## Set up your Continuous Integration/Deployment pipeline
+
+You will need the below environment variables in your CI/CD project to redeploy your ECS service.
+
+- `AWS_ACCOUNT_ID`
+- `ECR_LARAVEL_URI_*`
+- `ECR_NGINX_URI_*`
+- `AWS_ACCESS_KEY_ID_*`
+- `AWS_SECRET_ACCESS_KEY_*`
+- `AWS_REGION`
+- `ECS_TASK_DEFINITION`
+- `ECS_CLUSTER_NAME_*`
+- `ECS_SERVICE_NAME_*`
+
+... where * is each of `PRODUCTION` and `STAGING`
+
+## 4. Test your infrastructure code
+
+// Test Laravel is up
+// Test Laravel workers are running -> workers are writing in the database
+// Test Laravel scheduler is running -> scheduler is creating recurrent jobs picked up by workers
+// Test Laravel can reach S3 -> URL that post/read file
+// Test Laravel can reach MySQL -> select 1
+// Test Laravel can reach Redis -> used as cache driver
+// Test Laravel can reach ElasticSearch
+// Test Laravel can reach SQS -> used as queue driver
+// Test Laravel can be passed SSM secrets -> echo all env vars
+
+// queue driver, db driver, cache driver, file driver
+// store jobs in db?
+// page that dumps env or phpinfo
+// page that posts a random file to S3

data.tf

@@ -0,0 +1,3 @@
+data "aws_availability_zones" "available" {}
+
+data "aws_caller_identity" "current" {}

locals.tf

@@ -0,0 +1,4 @@
+locals {
+  stack_name = terraform.workspace == "default" ? var.project_name : join("-", [var.project_name, replace(terraform.workspace, "/[^[:alnum:]]/", "")])
+  # hostname   = var.subdomain == "" ? var.domain : join(".", [var.subdomain, var.domain])
+}

main.tf

@@ -0,0 +1,106 @@
+// TODO any other subdomain should redirect to APEX
+# module "route53" {
+#   source       = "./modules/route53"
+#   domain       = var.domain
+#   hostname     = local.hostname
+#   alb_hostname = module.ecs.ecs_alb_hostname
+#   alb_zone_id  = module.ecs.ecs_alb_zone_id
+
+#   providers = {
+#     aws = "aws.us-east-1"
+#   }
+# }
+
+# module "acm" {
+#   source         = "./modules/acm"
+#   hostname       = local.hostname
+#   hosted_zone_id = module.route53.hosted_zone_id
+# }
+
+# module "cloudfront" {
+#   source         = "./modules/cloudfront"
+#   hostname       = local.hostname
+# }
+
+module "vpc" {
+  source        = "./modules/vpc"
+  stack_name    = local.stack_name
+  b_nat_gateway = false
+}
+
+module "iam" {
+  source = "./modules/iam"
+  stack_name    = local.stack_name
+}
+
+module "aurora" {
+  source     = "./modules/aurora"
+  stack_name = local.stack_name
+  subnet_ids = module.vpc.private_subnets.*.id
+  vpc_id     = module.vpc.vpc.id
+}
+
+module "ecr" {
+  source               = "./modules/ecr"
+  stack_name           = replace(local.stack_name, "/[^a-zA-Z0-9]+/", "")
+  ci_pipeline_user_arn = module.iam.ci_pipeline_arn
+  ecs_role             = module.iam.ecs_role
+}
+
+module "s3" {
+  source     = "./modules/s3"
+  stack_name = local.stack_name
+}
+
+module "elasticache" {
+  source     = "./modules/elasticache"
+  stack_name = local.stack_name
+}
+
+module "elasticsearch" {
+  source     = "./modules/elasticsearch"
+  stack_name = local.stack_name
+  vpc_id     = module.vpc.vpc.id
+  private_subnet_ids = module.vpc.private_subnets.*.id
+}
+
+module "sqs" {
+  source     = "./modules/sqs"
+  stack_name = local.stack_name
+  vpc_id     = module.vpc.vpc.id
+  private_subnet_ids = module.vpc.private_subnets.*.id
+  security_group_ids = [module.ecs.aws_security_group.id]
+}
+
+module "ssm" {
+  source     = "./modules/ssm"
+  stack_name = local.stack_name
+}
+
+module "cloudwatch" {
+  source     = "./modules/cloudwatch"
+  stack_name = local.stack_name
+}
+
+module "ecs" {
+  source             = "./modules/ecs"
+  stack_name         = local.stack_name
+  vpc_id             = module.vpc.vpc.id
+  public_subnet_ids  = module.vpc.public_subnets.*.id
+  private_subnet_ids = module.vpc.private_subnets.*.id
+  role               = module.iam.ecs_role
+  # certificate_arn            = module.acm.certificate_arn
+  # hostname                   = local.hostname
+
+  aurora_endpoint            = module.aurora.aurora_cluster.endpoint
+  aurora_port                = module.aurora.aurora_cluster.port
+  aurora_db_name             = module.aurora.aurora_cluster.database_name
+  aurora_db_username         = module.aurora.aurora_cluster.master_username
+  aurora_master_password     = module.aurora.rds_master_password.result
+  ecr_laravel_repository_uri = module.ecr.laravel_repository_uri
+  ecr_nginx_repository_uri   = module.ecr.nginx_repository_uri
+  s3_bucket_name             = module.s3.bucket.id
+  s3_bucket_arn              = module.s3.bucket.arn
+
+  // TODO Redis params
+}

modules/acm/main.tf

@@ -0,0 +1,17 @@
+resource "aws_acm_certificate" "certificate" {
+  domain_name       = var.hostname
+  validation_method = "DNS"
+}
+
+resource "aws_route53_record" "certificate_validation" {
+  name    = aws_acm_certificate.certificate.domain_validation_options[0].resource_record_name
+  type    = aws_acm_certificate.certificate.domain_validation_options[0].resource_record_type
+  zone_id = var.hosted_zone_id
+  records = [aws_acm_certificate.certificate.domain_validation_options[0].resource_record_value]
+  ttl     = 5
+}
+
+resource "aws_acm_certificate_validation" "certificate_validation" {
+  certificate_arn         = aws_acm_certificate.certificate.arn
+  validation_record_fqdns = [aws_route53_record.certificate_validation.fqdn]
+}

modules/acm/outputs.tf

@@ -0,0 +1,4 @@
+output "certificate_arn" {
+  depends_on = [aws_acm_certificate_validation.certificate_validation]
+  value      = aws_acm_certificate.certificate.arn
+}

modules/acm/variables.tf

@@ -0,0 +1,7 @@
+variable "hostname" {
+  type = string
+}
+
+variable "hosted_zone_id" {
+  type = string
+}

modules/aurora/data.tf

@@ -0,0 +1,7 @@
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_vpc" "vpc" {
+  id = var.vpc_id
+}

modules/aurora/main.tf

@@ -0,0 +1,55 @@
+resource "random_password" "rds_master_password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "random_string" "final_snapshot_id" {
+  length  = 12
+  special = false
+}
+
+resource "aws_db_subnet_group" "aurora_subnet_group" {
+  name       = "aurora_db_subnet_group_${var.stack_name}"
+  subnet_ids = var.subnet_ids
+}
+
+resource "aws_security_group" "db_security_group" {
+  vpc_id = data.aws_vpc.vpc.id
+
+  ingress {
+    from_port   = var.port
+    to_port     = var.port
+    protocol    = "TCP"
+    cidr_blocks = [data.aws_vpc.vpc.cidr_block]
+  }
+}
+
+resource "aws_rds_cluster" "aurora_cluster" {
+  engine                       = "aurora-mysql"
+  engine_version               = "5.7.mysql_aurora.2.07.2"
+  database_name                = replace(var.stack_name, "/[^a-zA-Z0-9]+/", "")
+  master_username              = "aurora"
+  master_password              = random_password.rds_master_password.result
+  backup_retention_period      = 35
+  preferred_backup_window      = "02:00-03:00"
+  preferred_maintenance_window = "wed:03:00-wed:04:00"
+  db_subnet_group_name         = aws_db_subnet_group.aurora_subnet_group.name
+  final_snapshot_identifier    = join("-", [var.stack_name, random_string.final_snapshot_id.result, "0"])
+  port                         = var.port
+
+  vpc_security_group_ids = [
+    aws_security_group.db_security_group.id,
+  ]
+}
+
+resource "aws_rds_cluster_instance" "aurora_cluster_instance" {
+  count                = 1
+  cluster_identifier   = aws_rds_cluster.aurora_cluster.id
+  instance_class       = "db.t2.small"
+  db_subnet_group_name = aws_db_subnet_group.aurora_subnet_group.name
+  publicly_accessible  = false
+  engine               = "aurora-mysql"
+  engine_version       = "5.7.mysql_aurora.2.07.2"
+}
+