Skip to content

Instantly share code, notes, and snippets.

@JGaudette

JGaudette/terraform_interview.tf

Last active July 22, 2022 16:23
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save JGaudette/ddcb568989e977263ee4d4317d8a8525 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save JGaudette/ddcb568989e977263ee4d4317d8a8525 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
terraform_interview.tf
resource "aws_ecs_cluster" "nonprod-web" {
name = "nonprod-cluster"
capacity_providers = ["FARGATE", "FARGATE_SPOT"]
}
resource "aws_cloudwatch_log_group" "web-api-dev" {
name = "/ecs/web-api-dev-task"
}
resource "aws_ecs_task_definition" "web-api-dev" {
family = "web-api-dev"
requires_compatibilities = ["FARGATE"]
cpu = 512 #256 #.25 vCPU
memory = 1024 #512
network_mode = "awsvpc"
execution_role_arn = "arn:aws:iam::xxx:role/ecsTaskExecutionRole"
task_role_arn = "arn:aws:iam::xxx:role/aws-ecs-api-role"
container_definitions = <<DEFINITION
[{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/web-api-dev-task",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [
{"name": "ASPNETCORE_ENVIRONMENT", "value": "Development"},
{"name": "VERSION_URL", "value": "/HealthCheck/Version"},
{"name": "DB_SECRET", "value": "dev/rds-api"},
{"name": "DB_HANGFIRE_SECRET", "value": "dev/rds-api"}
],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 512,
"volumesFrom": [],
"stopTimeout": null,
"image": "xxx.dkr.ecr.us-east-1.amazonaws.com/web-api:dev",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": {
"Command": ["CMD-SHELL", "curl -f http://localhost/HealthCheck || exit 1"],
"Interval": 30,
"Retries": 2,
"StartPeriod": 120,
"Timeout": 5
},
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "web-api-dev"
}]
DEFINITION
tags = {
"application-id" = "main-app",
"environment-id" = "non-prod",
"environment-specific-id" = "dev",
"api-name" = "api"
}
}
resource "aws_alb" "web-api-dev" {
name = "web-api-dev"
subnets = [aws_subnet.public-subnet-1a.id, aws_subnet.public-subnet-1b.id]
security_groups = [aws_security_group.allow_web_ssh.id]
tags = {
"application-id" = "main-app",
"environment-id" = "non-prod",
"environment-specific-id" = "dev",
"api-name" = "api"
}
}
resource "aws_alb_target_group" "app-dev" {
name = "api-target-group-dev"
port = 80
protocol = "HTTP"
vpc_id = aws_vpc.nonprod.id
target_type = "ip"
health_check {
healthy_threshold = "3"
interval = "60"
protocol = "HTTP"
matcher = "200"
timeout = "3"
path = "/HealthCheck"
unhealthy_threshold = "5"
}
tags = {
"application-id" = "main-app",
"environment-id" = "non-prod",
"environment-specific-id" = "dev",
"api-name" = "venture"
}
depends_on = [aws_alb.web-ventureapi-dev]
}
# Redirect all traffic from the ALB to the target group
resource "aws_alb_listener" "web-api-dev" {
load_balancer_arn = aws_alb.web-api-dev.id
port = 80
protocol = "HTTP"
default_action {
target_group_arn = aws_alb_target_group.app-dev.id
type = "forward"
}
}
resource "aws_acm_certificate" "cert-dev" {
domain_name = "api.dev.company.build"
validation_method = "DNS"
tags = {
Environment = "dev"
}
lifecycle {
create_before_destroy = true
}
}
resource "aws_alb_listener" "web-api-dev-https" {
load_balancer_arn = aws_alb.web-api-dev.id
port = 443
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016-08"
certificate_arn = "arn:aws:acm:us-east-1:xxx:certificate/xxx-3c2f-426d-a6c4-xxx"
default_action {
target_group_arn = aws_alb_target_group.app-dev.id
type = "forward"
}
depends_on = [aws_acm_certificate.cert-dev]
}
resource "aws_ecs_service" "web-api-dev" {
name = "web-api-dev"
cluster = aws_ecs_cluster.nonprod-web.id
task_definition = aws_ecs_task_definition.web-api-dev.arn
desired_count = 1
force_new_deployment = true
network_configuration {
assign_public_ip = false
security_groups = [
aws_security_group.allow_web_ssh.id
]
subnets = [
aws_subnet.private-subnet-1a.id
]
}
load_balancer {
target_group_arn = aws_alb_target_group.app-dev.id
container_name = "web-api-dev"
container_port = 80
}
deployment_circuit_breaker {
enable = true
rollback = true
}
capacity_provider_strategy {
capacity_provider = "FARGATE_SPOT"
weight = 1
}
}
#################################################################
## Cloudfront
#################################################################
resource "aws_cloudfront_distribution" "api-dev" {
origin {
domain_name = "api.alb.dev.build"
origin_id = "alb-api-origin"
origin_path = ""
custom_origin_config {
http_port = "80"
https_port = "443"
origin_protocol_policy = "https-only"
origin_ssl_protocols = ["TLSv1.2"]
}
}
enabled = true
aliases = ["api.dev.company.build"]
is_ipv6_enabled = true
restrictions {
geo_restriction {
restriction_type = "none"
}
}
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "DELETE", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "alb-api-origin"
compress = false
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 0
max_ttl = 0
forwarded_values {
query_string = true
cookies {
forward = "none"
}
headers = [
"Authorization",
"Origin",
"CloudFront-Viewer-Country-Region-Name",
"CloudFront-Viewer-Country",
"CloudFront-Viewer-City",
"Accept-Encoding",
"X-Forwarded-For",
"User-Agent"
]
}
}
viewer_certificate {
cloudfront_default_certificate = false
acm_certificate_arn = aws_acm_certificate.cert-dev.arn
minimum_protocol_version = "TLSv1.2_2019"
ssl_support_method = "sni-only"
}
ordered_cache_behavior {
allowed_methods = [
"GET",
"HEAD",
"DELETE",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
cached_methods = [
"GET",
"HEAD"
]
compress = true
default_ttl = 86400
max_ttl = 31536000
min_ttl = 0
path_pattern = "/logo/*"
smooth_streaming = false
target_origin_id = "alb-api-origin"
trusted_key_groups = []
trusted_signers = []
viewer_protocol_policy = "redirect-to-https"
response_headers_policy_id = aws_cloudfront_response_headers_policy.static-image-assets.id
forwarded_values {
headers = [
"Access-Control-Allow-Origin",
"Access-Control-Request-Headers",
"Access-Control-Request-Method",
"Authorization",
"Origin",
"Referer",
]
query_string = false
query_string_cache_keys = []
cookies {
forward = "none"
whitelisted_names = []
}
}
}
}
#################################################################
## Route53 DNS Entry
#################################################################
resource "aws_route53_record" "web-api-dev" {
zone_id = "xxx"
name = "api.dev.company.build"
type = "A"
#ttl = "300"
alias {
name = aws_cloudfront_distribution.api-dev.domain_name
zone_id = aws_cloudfront_distribution.api-dev.hosted_zone_id
evaluate_target_health = false
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment