Terraform: ECS cluster.

The ECS cluster and ASG instances.

Terraform: ECS cluster.
e43fb7d4 · nimrod · 5e35d78f · e43fb7d4 · e43fb7d4 · e43fb7d4
Commit e43fb7d4 authored 2 years ago by nimrod
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -75,6 +75,8 @@ repos:
    rev: v6.0.2
    hooks:
      - id: ansible-lint
+        args:
+          - "--project-dir Ansible"

  - repo: https://github.com/AleksaC/hadolint-py.git
    rev: v2.8.0

--- a/Terraform/AWS/.terraform.lock.hcl
+++ b/Terraform/AWS/.terraform.lock.hcl
@@ -2,21 +2,24 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "4.9.0"
+  version     = "4.47.0"
  constraints = "~> 4.0"
  hashes = [
-    "h1:GtmIOZMkKmr9tMLWouHWiGXmKEL/diOTNar5XfOVLjs=",
-    "zh:084b83aef3335ad4f5e4b8323c6fe43c1ff55e17a7647c6a5cad6af519f72b42",
-    "zh:132e47ce69f14de4523b84b213cedf7173398acda14245b1ffe7747aac50f050",
-    "zh:2068baef7dfce3613f3b4f27314175e971f8db68d9cde9ec30b5659f80c68c6c",
-    "zh:63c6f489683d5f1ac55e82a0df387143ed22701d5f22c109a4d5c9924dd4e437",
-    "zh:8115fd21965954fa4568c09331e05bb29da967fab8d077419aed09954378e216",
-    "zh:8efdc95fde108f777ed9c79ae25dc17aea9771903250f5c5c8a4c726b90a345f",
+    "h1:J4PCUWoWaJbNP+GadGduWIeERw/AusE5enUJY8kKmNU=",
+    "zh:01afccb7e358ccff4ad800bcdea785198669f23070fba4561c65eb05f4364fc4",
+    "zh:0c45f46461d666c6e084ed742dbf01c9d9dc749e691771717c5ac1f82f4f6e74",
+    "zh:291ddb5a4c0da5fdd2f247ee37089a0f5e48e8446bdad2ed0f9b39cb71a11a9d",
+    "zh:338a888c04ff0da3642b64dbc29f45e5d734dd88d7c4c101c2d9a0bde726d40b",
+    "zh:35cd3c76f485f4486f187032807ef4aad99fac51e32b0ac341ab4e6fe30f2bf1",
+    "zh:39296c9baf7863fdd64194d932ec81886a4d207c05d34474be43abfeeb0f13e2",
+    "zh:6dc77793b52f127f2f48a5353865d8879eab44e5db4b837625eaa35fc842114c",
+    "zh:8bb8c7488e69a65f08bfadbf0b0801bafa28bde9ae908d12dc7490a81b88d368",
+    "zh:8fcfb26008559f514f80a8ab6d380211dfaaa902cb9e9ff2af3203bbe4c9f506",
+    "zh:95a69ccc0fdd5756d3c7311788908ab5fd1392e271b8478f3ee11238c3cbcc57",
    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:9d42a7bc34d84b70c1d1bcc215cabd63abbcbd0352b70bd84da6c3916634932f",
-    "zh:aacbcceb241aa475888c0869e87593182edeced3170c76a0c960dd9c905df449",
-    "zh:c7fe7904511052e4102870256819a1917177572cf684f0611ebf767f9c1fbaa8",
-    "zh:c8e07c3424663d1d0e7e32f4ade8099c19f6326d37c6da98104d90c986ff66fc",
-    "zh:e47cafbd38b56ef14fd8d727b4ffea847c166b1c684f585ee5fb78983b537248",
+    "zh:a93a1320344d9e8f10a8e6b81b9fabfa36fb824a9b7bcb252fa060523dd0da62",
+    "zh:c4902c4aebb4174442fef42ea4a093c5881973a27a5d2c171d7d18a6e092f756",
+    "zh:c70a757e63ffc62d74003ab7719443012c57a2bbb0ae275c5c25a30aaa21dbf2",
+    "zh:de0ef6684a81f74766629bfdc3206cde58a2e1619c9d1b65d199148da3b2f50e",
  ]
 }
--- a/Terraform/AWS/ecs.tf
+++ b/Terraform/AWS/ecs.tf
+# vim: ft=tf
+
+locals {
+  ecs_instance_count = 2
+  ecs_instance_type  = "t3.xlarge"
+  ecs_key_name       = "Nimrod"
+}
+
+data "aws_ec2_instance_type" "ecs" {
+  instance_type = local.ecs_instance_type
+}
+
+data "aws_ami" "ecs" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "owner-alias"
+    values = ["amazon"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-ecs-hvm-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = data.aws_ec2_instance_type.ecs.supported_architectures
+  }
+}
+
+resource "aws_ecs_cluster" "this" {
+  name = local.name
+}
+
+locals {
+  long_arn_settings = [
+    "serviceLongArnFormat",
+    "taskLongArnFormat",
+    "containerInstanceLongArnFormat",
+  ]
+}
+
+resource "aws_ecs_account_setting_default" "this" {
+  count = length(local.long_arn_settings)
+  name  = element(local.long_arn_settings, count.index)
+  value = "enabled"
+}
+
+resource "aws_security_group" "ecs" {
+  description = "The ${local.name} ECS instances."
+  name        = "${local.name}-ecs"
+  tags        = { "Name" = "${local.name}-ecs" }
+  vpc_id      = aws_vpc.vpc.id
+
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 0
+    protocol    = -1
+    to_port     = 0
+  }
+
+  ingress {
+    cidr_blocks = [var.cidr_block]
+    from_port   = 0
+    protocol    = -1
+    to_port     = 0
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+locals {
+  ecs_instance_policies = [
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
+  ]
+}
+
+data "aws_iam_policy_document" "ecs_assume_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "ecs" {
+  assume_role_policy = data.aws_iam_policy_document.ecs_assume_policy.json
+  description        = "EC2 instances in the ECS cluster in ${local.env}."
+  name               = local.name
+}
+
+resource "aws_iam_role_policy_attachment" "ecs" {
+  for_each   = toset(local.ecs_instance_policies)
+  policy_arn = each.key
+  role       = aws_iam_role.ecs.name
+}
+
+resource "aws_iam_instance_profile" "ecs" {
+  name = local.name
+  role = aws_iam_role.ecs.name
+}
+
+locals {
+  user_data_vars = {
+    cluster_name = aws_ecs_cluster.this.name
+    region       = var.region
+  }
+  user_data = trimspace(templatefile("${path.module}/user-data.yaml", local.user_data_vars))
+}
+
+resource "aws_launch_template" "ecs" {
+  image_id                             = data.aws_ami.ecs.image_id
+  instance_initiated_shutdown_behavior = "terminate"
+  instance_type                        = local.ecs_instance_type
+  key_name                             = local.ecs_key_name
+  name                                 = local.name
+  user_data                            = base64encode(local.user_data)
+  vpc_security_group_ids               = [aws_security_group.ecs.id]
+
+  block_device_mappings {
+    device_name = "/dev/sda1"
+
+    ebs {
+      delete_on_termination = true
+      volume_size           = "128"
+      volume_type           = "gp3"
+    }
+  }
+
+  iam_instance_profile {
+    arn = aws_iam_instance_profile.ecs.arn
+  }
+}
+
+resource "aws_autoscaling_group" "ecs" {
+  desired_capacity          = local.ecs_instance_count
+  force_delete              = true
+  health_check_type         = "EC2"
+  max_size                  = local.ecs_instance_count
+  min_size                  = local.ecs_instance_count
+  name                      = local.name
+  vpc_zone_identifier       = local.private_subnet_ids
+  wait_for_capacity_timeout = "10m"
+
+  instance_refresh {
+    strategy = "Rolling"
+  }
+
+  launch_template {
+    id      = aws_launch_template.ecs.id
+    version = aws_launch_template.ecs.latest_version
+  }
+
+  dynamic "tag" {
+    for_each = local.common_tags
+
+    content {
+      key                 = tag.key
+      propagate_at_launch = true
+      value               = tag.value
+    }
+  }
+}
--- a/Terraform/AWS/main.tf
+++ b/Terraform/AWS/main.tf
+# vim: ft=tf
+
 terraform {
  backend "http" {}
  required_providers {

--- a/Terraform/AWS/route53.tf
+++ b/Terraform/AWS/route53.tf
+# vim: ft=tf
+
 resource "aws_route53_zone" "zone" {
  name = "aws.shore.co.il"
 }

--- a/Terraform/AWS/user-data.yaml
+++ b/Terraform/AWS/user-data.yaml
+#cloud-config
+---
+runcmd:
+  # yamllint disable-line rule:line-length
+  - [yum, install, "-y", "https://amazon-ssm-${region}.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm"]
+write_files:
+  - path: /etc/ecs/ecs.config
+    append: true
+    content: |
+      ECS_CLUSTER=${cluster_name}
--- a/Terraform/AWS/vpc.tf
+++ b/Terraform/AWS/vpc.tf
+# vim: ft=tf
+
 variable "cidr_block" {
  default     = "172.31.0.0/16"
  description = "CIDR block for the VPC."