Merge pull request #22 from optiop/feature/private-subnet

mehr74 · web-flow · commit ae07d8c8d377 · 2024-03-17T10:31:50.000+01:00
Use private subnet for containers
diff --git a/ops/ecs/main.tf b/ops/ecs/main.tf
@@ -8,6 +8,7 @@ module "cluster" {
   name                  = "ecs-cluster"
   vpc_security_group_id = module.vpc.security_group_id
   vpc_public_subnets    = module.vpc.public_subnets
+  vpc_private_subnets   = module.vpc.private_subnets
 
   depends_on = [module.vpc]
 }
@@ -18,6 +19,7 @@ module "grafana" {
   cluster_id          = module.cluster.cluster_id
   vpc_id              = module.vpc.vpc_id
   vpc_public_subnets  = module.vpc.public_subnets
+  vpc_private_subnets = module.vpc.private_subnets
   security_group_id   = module.vpc.security_group_id
   namespace_id        = module.vpc.namespace_id
   secret_manager_name = var.secret_manager_name
@@ -30,7 +32,7 @@ module "postgres" {
   repository_name     = "postgres-grafana-on-ecs-postgres-repo"
   cluster_id          = module.cluster.cluster_id
   vpc_id              = module.vpc.vpc_id
-  vpc_public_subnets  = module.vpc.public_subnets
+  vpc_private_subnets = module.vpc.private_subnets
   security_group_id   = module.vpc.security_group_id
   namespace_id        = module.vpc.namespace_id
   secret_manager_name = var.secret_manager_name
diff --git a/ops/ecs/modules/cluster/main.tf b/ops/ecs/modules/cluster/main.tf
@@ -11,7 +11,7 @@ resource "aws_ecs_cluster" "cluster" {
 resource "aws_launch_configuration" "ecs_cfg" {
   name          = "ecs-instance"
   image_id      = "ami-06581a55723db5feb"
-  instance_type = "t2.small"
+  instance_type = var.instance_type
 
   iam_instance_profile = aws_iam_instance_profile.ecsInstanceRole.name
 
@@ -28,7 +28,7 @@ resource "aws_launch_configuration" "ecs_cfg" {
 resource "aws_autoscaling_group" "ecs_instance_asg" {
   launch_configuration = aws_launch_configuration.ecs_cfg.name
 
-  vpc_zone_identifier = var.vpc_public_subnets
+  vpc_zone_identifier = concat(var.vpc_public_subnets, var.vpc_private_subnets)
   min_size            = 2
   max_size            = 2
   desired_capacity    = 2
diff --git a/ops/ecs/modules/cluster/variables.tf b/ops/ecs/modules/cluster/variables.tf
@@ -3,6 +3,12 @@ variable "name" {
   description = "The name of the cluster"
 }
 
+variable "instance_type" {
+  type        = string
+  description = "The instance type for the ECS instances"
+  default     = "t2.small"
+}
+
 variable "vpc_security_group_id" {
   type        = string
   description = "The security group id for the ECS instances"
@@ -11,4 +17,9 @@ variable "vpc_security_group_id" {
 variable "vpc_public_subnets" {
   type        = list(string)
   description = "The public subnets for the ECS instances"
+}
+
+variable "vpc_private_subnets" {
+  type        = list(string)
+  description = "The private subnets for the ECS instances"
 }
diff --git a/ops/ecs/modules/grafana/main.tf b/ops/ecs/modules/grafana/main.tf
@@ -93,7 +93,7 @@ resource "aws_ecs_service" "service" {
 
   network_configuration {
     security_groups = [var.security_group_id]
-    subnets         = var.vpc_public_subnets
+    subnets         = var.vpc_private_subnets
   }
 
   load_balancer {
diff --git a/ops/ecs/modules/grafana/variables.tf b/ops/ecs/modules/grafana/variables.tf
@@ -19,9 +19,14 @@ variable "vpc_id" {
   description = "The ID of the VPC to which the container should be deployed."
 }
 
+variable "vpc_private_subnets" {
+  type        = list(string)
+  description = "The private subnets to which the container should be deployed."
+}
+
 variable "vpc_public_subnets" {
   type        = list(string)
-  description = "The subnets to which the container should be deployed."
+  description = "The public subnets to which the container should be deployed."
 }
 
 variable "security_group_id" {
diff --git a/ops/ecs/modules/postgres/main.tf b/ops/ecs/modules/postgres/main.tf
@@ -87,7 +87,7 @@ resource "aws_ecs_service" "service" {
 
   network_configuration {
     security_groups = [var.security_group_id]
-    subnets         = var.vpc_public_subnets
+    subnets         = var.vpc_private_subnets
   }
 
   service_registries {
diff --git a/ops/ecs/modules/postgres/variables.tf b/ops/ecs/modules/postgres/variables.tf
@@ -13,7 +13,7 @@ variable "vpc_id" {
   description = "The ID of the VPC to which the container should be deployed."
 }
 
-variable "vpc_public_subnets" {
+variable "vpc_private_subnets" {
   type        = list(string)
   description = "The public subnets to which the container should be deployed."
 }
diff --git a/ops/ecs/modules/vpc/output.tf b/ops/ecs/modules/vpc/output.tf
@@ -6,6 +6,10 @@ output "public_subnets" {
   value = module.vpc.public_subnets
 }
 
+output "private_subnets" {
+  value = module.vpc.private_subnets
+}
+
 output "security_group_id" {
   value = aws_security_group.sg.id
 }
diff --git a/ops/ecs/modules/vpc/vpc.tf b/ops/ecs/modules/vpc/vpc.tf
@@ -14,8 +14,11 @@ module "vpc" {
   cidr = "10.0.0.0/16"
   azs  = slice(data.aws_availability_zones.available.names, 0, 2)
 
-  public_subnets = ["10.0.4.0/24", "10.0.5.0/24"]
+  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
 
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
   enable_dns_hostnames = true
 }
 

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ resource "aws_ecs_service" "service" {`
`93`	`93`
`94`	`94`	`network_configuration {`
`95`	`95`	`security_groups = [var.security_group_id]`
`96`		`- subnets = var.vpc_public_subnets`
	`96`	`+ subnets = var.vpc_private_subnets`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`load_balancer {`
Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,14 @@ variable "vpc_id" {`
`19`	`19`	`description = "The ID of the VPC to which the container should be deployed."`
`20`	`20`	`}`
`21`	`21`
	`22`	`+variable "vpc_private_subnets" {`
	`23`	`+ type = list(string)`
	`24`	`+ description = "The private subnets to which the container should be deployed."`
	`25`	`+}`
	`26`	`+`
`22`	`27`	`variable "vpc_public_subnets" {`
`23`	`28`	`type = list(string)`
`24`		`- description = "The subnets to which the container should be deployed."`
	`29`	`+ description = "The public subnets to which the container should be deployed."`
`25`	`30`	`}`
`26`	`31`
`27`	`32`	`variable "security_group_id" {`
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ resource "aws_ecs_service" "service" {`
`87`	`87`
`88`	`88`	`network_configuration {`
`89`	`89`	`security_groups = [var.security_group_id]`
`90`		`- subnets = var.vpc_public_subnets`
	`90`	`+ subnets = var.vpc_private_subnets`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`service_registries {`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ variable "vpc_id" {`
`13`	`13`	`description = "The ID of the VPC to which the container should be deployed."`
`14`	`14`	`}`
`15`	`15`
`16`		`-variable "vpc_public_subnets" {`
	`16`	`+variable "vpc_private_subnets" {`
`17`	`17`	`type = list(string)`
`18`	`18`	`description = "The public subnets to which the container should be deployed."`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,10 @@ output "public_subnets" {`
`6`	`6`	`value = module.vpc.public_subnets`
`7`	`7`	`}`
`8`	`8`
	`9`	`+output "private_subnets" {`
	`10`	`+ value = module.vpc.private_subnets`
	`11`	`+}`
	`12`	`+`
`9`	`13`	`output "security_group_id" {`
`10`	`14`	`value = aws_security_group.sg.id`
`11`	`15`	`}`