Merge pull request #5 from optiop/feature/ecs-infra

Add infrastructure code for ECS.

Author: mehr74

ops/ecs/README.md

@@ -0,0 +1,26 @@
+# Elastic Container Service (ECS) Stack
+
+![Architecture](./docs/architecture.svg)
+
+## Usage
+
+1. Create a secret name `grafana-postgres-on-ecs` in AWS Secret Manager with the following secrets.
+
+| Key | Value |
+| --- | --- |
+| `DATABASE_USERNAME` | Username for database (e.g. postgres) |
+| `DATABASE_PASSWORD` | Password for database (e.g. passw0rd) |
+| `DATABASE_HOST` | `database.service.local` |
+| `DATABASE_NAME` | Name of the database (e.g. sylla) |
+
+2. We need to have two ECR repositories `grafana` and `postgres`. Set the variables 
+set the `repository_name` variable in `modules/grafana/variables.tf` and `modules/postgres/variables.tf` 
+respectively. The subdirectory `repo/ops/repository` contains the 
+terraform code to create the ECR repositories.
+
+
+3. Add your public key to `main.tf` to allow ssh access to the EC2 instances.
+
+
+## References 
+* [How to Deploy an AWS ECS Cluster with Terraform](https://spacelift.io/blog/terraform-ecs)]

ops/ecs/docs/architecture.svg

@@ -0,0 +1,39 @@
+module "vpc" {
+  source = "./modules/vpc"
+  name   = "ecs-vpc"
+}
+
+module "cluster" {
+  source                = "./modules/cluster"
+  name                  = "ecs-cluster"
+  vpc_security_group_id = module.vpc.security_group_id
+  vpc_public_subnets    = module.vpc.public_subnets
+
+  depends_on = [module.vpc]
+}
+
+module "grafana" {
+  source              = "./modules/grafana"
+  repository_name       = "postgres-grafana-on-ecs-grafana-repo"
+  cluster_id          = module.cluster.cluster_id
+  vpc_id              = module.vpc.vpc_id
+  vpc_public_subnets  = module.vpc.public_subnets
+  security_group_id   = module.vpc.security_group_id
+  namespace_id        = module.vpc.namespace_id
+  secret_manager_name = var.secret_manager_name
+
+  depends_on = [module.cluster]
+}
+
+module "postgres" {
+  source              = "./modules/postgres"
+  repository_name       = "postgres-grafana-on-ecs-postgres-repo"
+  cluster_id          = module.cluster.cluster_id
+  vpc_id              = module.vpc.vpc_id
+  vpc_public_subnets  = module.vpc.public_subnets
+  security_group_id   = module.vpc.security_group_id
+  namespace_id        = module.vpc.namespace_id
+  secret_manager_name = var.secret_manager_name
+
+  depends_on = [module.cluster]
+}

ops/ecs/main.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_role" "ecsInstanceRole" {
+  name = "ecsInstanceRole"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        },
+        Effect = "Allow",
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecsInstanceRole" {
+  role       = aws_iam_role.ecsInstanceRole.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+}
+
+resource "aws_iam_instance_profile" "ecsInstanceRole" {
+  name = "ecsInstanceRole"
+  role = aws_iam_role.ecsInstanceRole.name
+}

ops/ecs/modules/cluster/iam.tf

@@ -0,0 +1,63 @@
+# Creating an ECS cluster
+resource "aws_ecs_cluster" "cluster" {
+  name = var.name
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+resource "aws_launch_configuration" "ecs_cfg" {
+  name          = "ecs-instance"
+  image_id      = "ami-06581a55723db5feb"
+  instance_type = "t2.small"
+
+  iam_instance_profile = aws_iam_instance_profile.ecsInstanceRole.name
+
+  associate_public_ip_address = true
+  security_groups             = [var.vpc_security_group_id]
+
+  user_data = <<EOF
+  #!/bin/bash
+  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCt/+JcQz8a8UwAYaWUqGIHMWtHOkLKuzbCIy3aQwDMwxRMpEfUXThoiqOnszx8ntWEVEYpgQXJzoi2ltkL5odO1nzWxxLGUeTb3dNa8eaABvhKrrXvB7yZ/W9K2ZQ/tS5JA62zxQg+a1aFw5eT8GtiRm3Fjivo5K5PKOHQsYyYQwsu0E17K/u000+Gef9l1ZKaf/LWujISx8mpXEABFKr1IJRxTI0PeQidLHJSwoiKZ81tCfcRBi1yEJWssfgmdeZZlZvqeKKtd1Z4CXV8ez7BYFCsD3qzutUHUi2cQPTTQPJ084DN/6yPhIOuBevfXHbWxVexb6AorY/0ndPvomVIz9Oc/1B1UY1VvrtQdHwldQ3Wj4BfeHudrrsYdvDa6IgEgVYZM0ciZOGakk2/MXWUpysNtDy89TlNuIEPuZGblJ/LLIxRlF+v89is3/F16btQMz1FYwQePvpEJiMY68ZCqRf8o93D38iP0zRU8OEbfvR3fAAe3UdDXULjyFWOKMEX/yVlKwaXf+XJ6c+z/UKu8+4NtZJdU4nMmqLNc+YFsykNaPU9Grl/1lAIgP6mWZuZxqve0Ht+CqOtxnka8uwmK0DPxBJX9V+Mtj7ATgJtXnopPKvFa6ldpWmbOVU/KjiCQgNyJ6V7Z2kcQtyIBIbChU3ktts0gyquEZlFu1iJqQ== mehrshadlotfi@Mehrshads-MBP.fritz.box' >> /home/ec2-user/.ssh/authorized_keys
+  echo ECS_CLUSTER=${var.name} >> /etc/ecs/ecs.config
+  EOF
+}
+
+resource "aws_autoscaling_group" "ecs_instance_asg" {
+  launch_configuration = aws_launch_configuration.ecs_cfg.name
+
+  vpc_zone_identifier = var.vpc_public_subnets
+  min_size            = 1
+  max_size            = 1
+  desired_capacity    = 1
+
+  tag {
+    key                 = "AmazonECSManaged"
+    value               = "ecs-instance"
+    propagate_at_launch = true
+  }
+}
+
+resource "aws_ecs_capacity_provider" "ecs_capacity_provider" {
+  name = "default"
+  auto_scaling_group_provider {
+    auto_scaling_group_arn = aws_autoscaling_group.ecs_instance_asg.arn
+    managed_scaling {
+      status          = "ENABLED"
+      target_capacity = 1
+    }
+  }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "cluster_capacity_providers" {
+  cluster_name       = aws_ecs_cluster.cluster.name
+  capacity_providers = [aws_ecs_capacity_provider.ecs_capacity_provider.name]
+
+  default_capacity_provider_strategy {
+    base              = 1
+    weight            = 100
+    capacity_provider = aws_ecs_capacity_provider.ecs_capacity_provider.name
+  }
+}

ops/ecs/modules/cluster/main.tf

@@ -0,0 +1,3 @@
+output "cluster_id" {
+  value = aws_ecs_cluster.cluster.id
+}

ops/ecs/modules/cluster/output.tf

@@ -0,0 +1,14 @@
+variable "name" {
+  type        = string
+  description = "The name of the cluster"
+}
+
+variable "vpc_security_group_id" {
+  type        = string
+  description = "The security group id for the ECS instances"
+}
+
+variable "vpc_public_subnets" {
+  type        = list(string)
+  description = "The public subnets for the ECS instances"
+}

ops/ecs/modules/cluster/variables.tf

@@ -0,0 +1,62 @@
+resource "aws_iam_role" "execution_role" {
+  name = "ecsBackendTaskExecutionRole"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_policy" "bucket_policy" {
+  name        = "ecr-policy"
+  description = "Policy to allow ECS to pull images from ECR"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ecr:*"
+        ],
+        Resource = [
+          data.aws_ecr_repository.repository.arn
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "ecr:GetAuthorizationToken"
+        ],
+        Resource = [
+          "*"
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogStream",
+          "logs:CreateLogGroup",
+          "logs:PutLogEvents"
+        ],
+        Resource = [
+          "*"
+        ]
+      }
+    ]
+  })
+}
+
+
+resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
+  role       = aws_iam_role.execution_role.name
+  policy_arn = aws_iam_policy.bucket_policy.arn
+}