initial

terraform-modules · Feb 23, 2022 · ca3fccc · ca3fccc
1 parent e4cdc7d
commit ca3fccc
Show file tree

Hide file tree

Showing 32 changed files with 1,095 additions and 0 deletions.
diff --git a/examples/dice-centurion/README.md b/examples/dice-centurion/README.md
@@ -0,0 +1,4 @@
+submit CSR to tco
+use email group: adep.mojo.development.list@census.gov
+
+
diff --git a/examples/dice-centurion/certs.tf b/examples/dice-centurion/certs.tf
@@ -0,0 +1,11 @@
+module "cert" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+
+  certificate_cn       = local.app_alb_dns_name
+  certificate_download = local.app_cert_download
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+  )
+}
diff --git a/examples/dice-centurion/dns.tf b/examples/dice-centurion/dns.tf
@@ -0,0 +1,48 @@
+resource "aws_route53_record" "app" {
+  zone_id = local.app_dns_zone_id
+
+  name    = local.app_alb_dns_name
+  type    = "CNAME"
+  ttl     = "900"
+  records = [aws_lb.app.dns_name]
+}
+
+# # add certificate creation with dns name
+# resource "aws_acm_certificate" "app" {
+#   domain_name    = local.app_alb_dns_name
+#   validation_method = "DNS"
+# 
+#   tags = merge(
+#     local.common_tags,
+#     var.application_tags,
+#     local.base_tags,
+#   )
+# 
+#   lifecycle {
+#     create_before_destroy = true
+#   }
+# }
+
+# # domain validation
+# resource "aws_route53_record" "app_validate" {
+#   for_each = {
+#     for dvo in aws_acm_certificate.app.domain_validation_options : dvo.domain_name => {
+#       name   = dvo.resource_record_name
+#       record = dvo.resource_record_value
+#       type   = dvo.resource_record_type
+#     }
+#   }
+# 
+#   allow_overwrite = true
+#   name            = each.value.name
+#   records         = [each.value.record]
+#   ttl             = 60
+#   type            = each.value.type
+#   zone_id         = local.app_dns_zone_id
+# }
+
+# resource "aws_acm_certificate_validation" "app" {
+#   certificate_arn         = aws_acm_certificate.app.arn
+#   validation_record_fqdns = [for record in aws_route53_record.app_validate: record.fqdn]
+# }
+
diff --git a/examples/dice-centurion/load-balancer.tf b/examples/dice-centurion/load-balancer.tf
@@ -0,0 +1,98 @@
+resource "aws_lb_target_group" "app" {
+  name        = local.app_albtg_name
+  port        = 8080
+  protocol    = "HTTP"
+  vpc_id      = local.vpc_id
+  target_type = "ip"
+
+  #  stickiness {
+  #    type = "lb_cookie"
+  #    cookie_duration = 3600
+  #    enabled = true
+  #  }
+
+  health_check {
+    enabled             = true
+    interval            = 180
+    port                = "8080"
+    timeout             = 120
+    protocol            = "HTTP"
+    path                = local.app_lb_health_monitor_path
+    healthy_threshold   = 3
+    unhealthy_threshold = 5
+    matcher             = "200"
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    map("Name", local.app_albtg_name),
+  )
+}
+
+resource "aws_lb" "app" {
+  name                       = local.app_alb_name
+  internal                   = true
+  load_balancer_type         = "application"
+  security_groups            = [local.sg_web_id]
+  subnets                    = local.lb_subnet_ids
+  enable_deletion_protection = true
+  idle_timeout               = 300
+
+  access_logs {
+    bucket  = data.terraform_remote_state.infrastructure_east.outputs.logs_id
+    prefix  = "alb-logs/${local.app_alb_dns_name}"
+    enabled = true
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    map("Name", local.app_alb_name),
+  )
+}
+
+resource "aws_lb_listener" "app_80" {
+  count             = module.cert.certificate_arn == null ? 1 : 0
+  load_balancer_arn = aws_lb.app.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}
+
+resource "aws_lb_listener" "app_80_redirect" {
+  count             = module.cert.certificate_arn != null ? 1 : 0
+  load_balancer_arn = aws_lb.app.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+resource "aws_lb_listener" "app_443" {
+  count             = module.cert.certificate_arn != null ? 1 : 0
+  load_balancer_arn = aws_lb.app.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = module.cert.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}
diff --git a/examples/dice-centurion/locals.tf b/examples/dice-centurion/locals.tf
@@ -0,0 +1,19 @@
+locals {
+  app_program     = "dice"
+  app_project     = "centurion"
+  app_environment = "dev"
+
+  vpc_details     = data.terraform_remote_state.vpc_east_vpc2.outputs
+  vpc_info        = local.vpc_details.vpc_info
+  vpc_id          = local.vpc_info["vpc_id"]
+  vpc_short_name  = local.vpc_info["vpc_short_name"]
+  sg_web_id       = local.vpc_details.sg_web_id
+  apps_subnet_ids = [for s in local.vpc_details.private_subnets_ids : s.id if length(regexall("^apps-", s.label)) > 0]
+  lb_subnet_ids   = [for s in local.vpc_defailts.private_subnets_ids : s.id if length(regexall("^private-lb-", s.label)) > 0]
+  ecs_cluster_id  = data.terraform_remote_state.vpc_east_vpc2_apps_dice-ecs-fargate.outputs.ecs_cluster_id
+
+  base_tags = {
+    "boc:created_by" = "terraform"
+    "CostAllocation" = format("%v:%v:%v", local.app_program, local.app_environment, local.app_project)
+  }
+}
diff --git a/examples/dice-centurion/outputs.tf b/examples/dice-centurion/outputs.tf
@@ -0,0 +1,20 @@
+output "app_info" {
+  description = "Application Info"
+  value = {
+    name                   = local.app_name
+    fullname               = local.app_fullname
+    version                = local.app_version
+    repo                   = local.app_repo
+    image                  = local.app_image
+    secret_name            = local.app_secret_name
+    log_group              = local.app_log_group
+    alb_name               = local.app_alb_name
+    albtg_name             = local.app_albtg_name
+    alb_dns_zone           = local.app_alb_dns_zone
+    alb_dns_name           = local.app_alb_dns_name
+    dns_zone_id            = local.app_dns_zone_id
+    execution_role_arn     = local.app_execution_role_arn
+    task_role_arn          = local.app_task_role_arn
+    lb_health_monitor_path = local.app_lb_health_monitor_path
+  }
+}
diff --git a/examples/dice-centurion/region.tf b/examples/dice-centurion/region.tf
@@ -0,0 +1,3 @@
+locals {
+  region          = var.region
+}
diff --git a/examples/dice-centurion/role.tf b/examples/dice-centurion/role.tf
@@ -0,0 +1,48 @@
+#---
+# task role for api
+#   roles will be vpc and region specific
+#---
+locals {
+  app_instance_base_format = "instance-%v-%v-%v-%v-%v-%v"
+  app_instance_base_name = format(local.app_instance_base_format, local.vpc_short_name, local.region,
+  local.app_program, local.app_project, local.app_environment, local.app_name)
+  app_attached_policies = [
+    format("arn:%v:iam::aws:policy/%v", data.aws_arn.current.partition, "service-role/AmazonEC2ContainerServiceforEC2Role"),
+    data.terraform_remote_state.common_apps_dice-mojo.outputs.app_policy_arn,
+  ]
+}
+
+module "app_ecs_task_role" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_name         = local.app_instance_base_name
+  role_description  = format("Role for %v-%v-%v %v ECS instance", local.app_program, local.app_project, local.app_environment, local.app_name)
+  attached_policies = local.app_attached_policies
+  #  assume_policy_document     = data.terraform_remote_state.common.outputs.custom_policy_documents["ec2_assume"].policy
+  assume_policy_document  = data.aws_iam_policy_document.app_ecs_task_assume.json
+  enable_instance_profile = true
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    tomap({ "Name" = local.app_instance_base_name }),
+  )
+}
+
+
+data "aws_iam_policy_document" "app_ecs_task_assume" {
+  statement {
+    sid     = "AWSECSTaskAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "ec2.amazonaws.com",
+        "ecs-tasks.amazonaws.com",
+      ]
+    }
+  }
+}
diff --git a/examples/dice-centurion/settings.tf b/examples/dice-centurion/settings.tf
@@ -0,0 +1,27 @@
+locals {
+  app_name     = "tecmo"
+  app_fullname = format("%v-%v-%v", local.app_program, local.app_project, local.app_name)
+  #  app_version  = "1.0.0"
+  app_version      = "latest"
+  app_repo         = format("%v-%v/%v", local.app_program, local.app_project, local.app_name)
+  app_image        = format("%v.dkr.ecr.%v.amazonaws.com/%v:%v", var.account_id, var.region, local.app_repo, local.app_version)
+  app_secret_name  = format("/%v/%v/%v/%v/configs", local.app_program, local.app_project, local.app_environment, local.app_name)
+  app_log_group    = format("/ecs/%v/%v/%v/%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+  app_alb_name     = format("alb-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+  app_albtg_name   = format("albtg-%v-%v-%v-%v", local.app_program, local.app_project, local.app_environment, local.app_name)
+  app_alb_dns_zone = format("%v.%v.census.gov", local.app_environment, local.app_program)
+  app_alb_dns_name = format("%v.%v.%v", local.app_project, local.app_name, local.app_alb_dns_zone)
+  app_dns_zone_id  = data.terraform_remote_state.vpc_east_vpc2_apps_dns.outputs.domain_zone_id
+  # customize these two per app as needed
+  app_execution_role_arn = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1"
+  #  app_task_role_arn      = "arn:aws-us-gov:iam::252960665057:role/r-dice-ecs-task-execution-vpc2-us-gov-east-1"
+  app_task_role_arn          = module.app_ecs_task_role.role_arn
+  app_lb_health_monitor_path = "/api/actuator/health"
+  app_desired_count          = 4
+  app_health_check_grace     = 30
+  app_task_cpu               = "512"
+  app_task_memory            = "1024"
+  app_cert_download          = true
+  app_cert_san               = [local.app_alb_dns_name]
+  app_cert_exists            = fileexists(format("${path.root}/certs/%v.crt", local.app_alb_dns_name))
+}
diff --git a/examples/dice-centurion/task.tf b/examples/dice-centurion/task.tf
@@ -0,0 +1,88 @@
+#data "aws_ecr_image" "app_1" {
+#  repository_name = local.app_repo
+#  image_tag = local.app_version
+#}
+
+resource "aws_ecs_task_definition" "app_1" {
+  container_definitions = jsonencode(
+    [{
+      cpu         = 0
+      environment = []
+      essential   = true
+      image       = local.app_image
+      environment = [
+        { name = "AWS_SECRET_NAME", value = local.app_secret_name }
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = local.app_log_group
+          awslogs-region        = var.region
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+      mountPoints = []
+      name        = local.app_fullname
+      portMappings = [
+        {
+          containerPort = 8080
+          hostPort      = 8080
+          protocol      = "tcp"
+        }
+      ]
+      volumesFrom = []
+    }]
+  )
+  cpu                      = local.app_task_cpu
+  execution_role_arn       = local.app_execution_role_arn
+  family                   = local.app_fullname
+  memory                   = local.app_task_memory
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE", ]
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+    local.base_tags,
+  )
+  task_role_arn = local.app_task_role_arn
+}
+
+resource "aws_cloudwatch_log_group" "app" {
+  name              = local.app_log_group
+  retention_in_days = 14
+}
+
+resource "aws_ecs_service" "app" {
+  name            = local.app_fullname
+  cluster         = local.ecs_cluster_id
+  task_definition = aws_ecs_task_definition.app_1.arn
+  desired_count   = local.app_desired_count
+  health_check_grace_period_seconds  = local.app_health_check_grace
+  #  iam_role        = aws_iam_role.foo.arn
+  #  depends_on      = [aws_iam_role_policy.foo]
+  launch_type = "FARGATE"
+  network_configuration {
+    subnets          = local.apps_subnet_ids
+    security_groups  = [local.sg_web_id]
+    assign_public_ip = false
+  }
+
+  propagate_tags = "TASK_DEFINITION"
+
+  #  ordered_placement_strategy {
+  #    type  = "binpack"
+  #    field = "cpu"
+  #  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.app.arn
+    container_name   = local.app_fullname
+    container_port   = 8080
+  }
+
+  #  placement_constraints {
+  #    type       = "memberOf"
+  #    expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
+  #  }
+}
+
diff --git a/examples/dice-centurion/tf-run.data b/examples/dice-centurion/tf-run.data
@@ -0,0 +1,7 @@
+VERSION 1.0.0
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/dice-mojo-new/README.md b/examples/dice-mojo-new/README.md
@@ -0,0 +1,4 @@
+submit CSR to tco
+use email group: adep.mojo.development.list@census.gov
+
+