From bd8c4271af9beacd0cbca7b7870352aba821d965 Mon Sep 17 00:00:00 2001 
From: sijandh35 Date: Wed, 5 Jun 2024 17:20:46 +0545 Subject: [PATCH] feat: terraform script added for Infrastructure(IAC) --- .gitignore | 54 ++++++++ .pre-commit-config.yaml | 16 --- terraform/main.tf | 76 +++++++++++ terraform/outputs.tf | 12 ++ terraform/providers.tf | 28 ++++ terraform/step1/VPC.tf | 136 ++++++++++++++++++++ terraform/step1/output.tf | 19 +++ terraform/step1/variables.tf | 29 +++++ terraform/step2/IAM_ec2_policy.tf | 98 ++++++++++++++ terraform/step2/IAM_ecs_policy.tf | 128 +++++++++++++++++++ terraform/step2/KMS.tf | 16 +++ terraform/step2/S3.tf | 54 ++++++++ terraform/step2/SecurityGroups.tf | 170 +++++++++++++++++++++++++ terraform/step2/output.tf | 39 ++++++ terraform/step2/variables.tf | 29 +++++ terraform/step3/ECR.tf | 55 ++++++++ terraform/step3/variables.tf | 9 ++ terraform/step4/EC2.tf | 72 +++++++++++ terraform/step4/RDS_Databases.tf | 73 +++++++++++ terraform/step4/REDIS.tf | 28 ++++ terraform/step4/Userdata/ec2-base.sh | 16 +++ terraform/step4/output.tf | 11 ++ terraform/step4/variables.tf | 60 +++++++++ terraform/step6/ECS_AutoScaling.tf | 56 ++++++++ terraform/step6/ECS_Cluster.tf | 15 +++ terraform/step6/ECS_Service.tf | 56 ++++++++ terraform/step6/ECS_TaskDefinitions.tf | 97 ++++++++++++++ terraform/step6/LB_Loadbalancer.tf | 52 ++++++++ terraform/step6/LB_RoutingRules.tf | 37 ++++++ terraform/step6/LB_TargetGroups.tf | 42 ++++++ terraform/step6/ROUTE53.tf | 31 +++++ terraform/step6/variables.tf | 88 +++++++++++++ terraform/variables.tf | 118 +++++++++++++++++ 33 files changed, 1804 insertions(+), 16 deletions(-) create mode 100644 terraform/main.tf create mode 100644 terraform/outputs.tf create mode 100644 terraform/providers.tf create mode 100644 terraform/step1/VPC.tf create mode 100644 terraform/step1/output.tf create mode 100644 terraform/step1/variables.tf create mode 100644 terraform/step2/IAM_ec2_policy.tf create mode 100644 terraform/step2/IAM_ecs_policy.tf create mode 100644 terraform/step2/KMS.tf create mode 100644 
terraform/step2/S3.tf create mode 100644 terraform/step2/SecurityGroups.tf create mode 100644 terraform/step2/output.tf create mode 100644 terraform/step2/variables.tf create mode 100644 terraform/step3/ECR.tf create mode 100644 terraform/step3/variables.tf create mode 100644 terraform/step4/EC2.tf create mode 100644 terraform/step4/RDS_Databases.tf create mode 100644 terraform/step4/REDIS.tf create mode 100644 terraform/step4/Userdata/ec2-base.sh create mode 100644 terraform/step4/output.tf create mode 100644 terraform/step4/variables.tf create mode 100644 terraform/step6/ECS_AutoScaling.tf create mode 100644 terraform/step6/ECS_Cluster.tf create mode 100644 terraform/step6/ECS_Service.tf create mode 100644 terraform/step6/ECS_TaskDefinitions.tf create mode 100644 terraform/step6/LB_Loadbalancer.tf create mode 100644 terraform/step6/LB_RoutingRules.tf create mode 100644 terraform/step6/LB_TargetGroups.tf create mode 100644 terraform/step6/ROUTE53.tf create mode 100644 terraform/step6/variables.tf create mode 100644 terraform/variables.tf
diff --git a/.gitignore b/.gitignore
index 0fb2e48e..d46b0048 100644
--- a/.gitignore
+++ b/.gitignore
@@ -78,3 +78,57 @@ chart/charts #Docker DockerData/ + + + +########################################## Terraform ########################################## +# Terraform State files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore override files as they are usually used to override resources locally +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Ignore CLI configuration files +.terraformrc +terraform.rc + +# .terraform directory is used by Terraform to store module and provider caches +.terraform/ + +# Ignore any plan files +*.tfplan + +# Ignore variables files that may contain sensitive information +*.tfvars +*.tfvars.json + +# Ignore local environment files +.terraform.lock.hcl + +# Ignore backup files +*.backup + +# Ignore editor specific files +# Examples for Visual Studio Code, IntelliJ IDEA, etc. +.vscode/ +.idea/ + +# Ignore Mac OS specific files +.DS_Store + +# Ignore Linux and Unix specific files +*.swp +*.swo + +#Ignore Pem File +*.pem + +#Ignore Aws Cred +*/.aws/credentials diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 80d6f5a9..8eb5f1b3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -34,22 +34,6 @@ repos: language: python types: [text] - - id: check-executables-have-shebangs - name: check that executables have shebangs - description: ensures that (non-binary) executables have a shebang. - entry: check-executables-have-shebangs - language: python - types: [text, executable] - stages: [commit, push, manual] - - - id: check-shebang-scripts-are-executable - name: check that scripts with shebangs are executable - description: ensures that (non-binary) files with a shebang are executable. - entry: check-shebang-scripts-are-executable - language: python - types: [text] - stages: [commit, push, manual] - - id: check-json name: check json description: checks json files for parseable syntax. 
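Review bot: `.terraform.lock.hcl` is added to the ignore list under "# Ignore local environment files", but the dependency lock file is what records the provider version and checksums that `terraform init` verifies, so ignoring it lets every checkout resolve `~> 4.67.0` to a different provider build with no hash check; drop that entry and commit the lock file instead. The `*/.aws/credentials` pattern matches only one directory level below the repo root, which covers the `terraform/.aws/credentials` path that providers.tf reads but nothing deeper; `**/.aws/credentials` is the safer spelling. Ignoring `*.tfstate` keeps local state out of git, but it does not protect the plaintext values the state holds on disk, such as the database password that main.tf passes into module "step4".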
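Review bot: The `check-executables-have-shebangs` and `check-shebang-scripts-are-executable` hooks are removed without the commit message saying why; the same commit adds `terraform/step4/Userdata/ec2-base.sh` with mode 100644, which looks like the file those hooks would have flagged (inferred from the diffstat, the script itself is not in this chunk). Fixing that file's mode or shebang, or narrowing the hooks with `exclude: ^terraform/step4/Userdata/`, keeps the checks in force for the rest of the repository rather than dropping them globally.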
diff --git a/terraform/main.tf b/terraform/main.tf new file mode 100644
index 00000000..ae0c0ddb
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,76 @@ +# Modules + +# VPC +module "step1" { + source = "./step1/" + aws_region = var.aws_region + vpc_name = var.vpc_name + vpc_cidr_block = var.vpc_cidr_block + vpc_private_subnets = var.vpc_private_subnets + vpc_public_subnets = var.vpc_public_subnets + availability_zones = var.availability_zones + project_name = var.project_name +} + +# ECR - KMS - IAM Roles/Policies - S3 - SECURITY GROUPS +module "step2" { + source = "./step2/" + project_name = var.project_name + aws_account = var.aws_account + aws_region = var.aws_region + vpc_name = var.vpc_name + vpc_id = module.step1.vpc_id + s3_bucket_name = var.s3_bucket_name + ecs_task_role_name = var.ecs_task_role_name + depends_on = [module.step1] +} + +# ECR +module "step3" { + source = "./step3/" + ecr_names = var.ecr_names + kms_key = module.step2.kms_key.arn + depends_on = [module.step2] +} + +# EC2 - REDIS - POSTGRESQL +module "step4" { + source = "./step4/" + public_ec2_instance_ami = var.public_ec2_instance_ami + private_ec2_instance_ami = var.private_ec2_instance_ami + project_name = var.project_name + vpc_name = var.vpc_name + vpc_private_subnets = module.step1.private_subnets_id + vpc_public_subnets = module.step1.public_subnets_id + ec2_sec_grp = module.step2.ec2_sec_grp.id + psql_sec_grp = module.step2.psql_sec_grp.id + docdb_sec_grp = module.step2.docdb_sec_grp.id + redis_sec_grp = module.step2.redis_sec_grp.id + # document_db_root_username = var.document_db_root_username + # document_db_root_password = var.document_db_root_password + postgresql_root_username = var.postgresql_root_username + postgresql_root_password = var.postgresql_root_password +} + +# ECS - EFS - ALB +module "step6" { + source = "./step6/" + project_name = var.project_name + aws_account = var.aws_account + aws_region = var.aws_region + vpc_name = var.vpc_name + vpc_id = module.step1.vpc_id + vpc_private_subnets = module.step1.private_subnets_id + vpc_public_subnets = module.step1.public_subnets_id + vpc_private_subnets_count 
= var.vpc_private_subnets + ecs_cluster_name = var.ecs_cluster_name + ecs_loadbalancer_name = var.ecs_loadbalancer_name + ecs_task_role_name = module.step2.ecs_final_role_name + ecs_sec_grp = module.step2.ecs_sec_grp.id + alb_logs_s3_bucket = module.step2.alb_logs_s3_bucket.id + kms_key = module.step2.kms_key.arn + load_balancer_sec_grp = module.step2.load_balancer_sec_grp.id + SSL_certificate_arn = var.SSL_certificate_arn + s3_bucket_name = var.s3_bucket_name + depends_on = [module.step4] +} diff --git a/terraform/outputs.tf b/terraform/outputs.tf new file mode 100644 index 00000000..80956c24 --- /dev/null +++ b/terraform/outputs.tf @@ -0,0 +1,12 @@ +output "postgres_endpoint" { + value = module.step4.postgres_endpoint.address +} + + +#output "private_subnets" { +# value = module.step1.private_subnets_id +#} + +#output "kms_key_arn" { +# value = module.step2.kms_key.arn +#} diff --git a/terraform/providers.tf b/terraform/providers.tf new file mode 100644 index 00000000..e67bcf86 --- /dev/null +++ b/terraform/providers.tf @@ -0,0 +1,28 @@ +# Terraform provider + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.67.0" + } + } +} + +provider "aws" { + # region and profile is for the architecture + region = "ap-south-1" + shared_credentials_files = ["${path.module}/.aws/credentials"] + profile = "default" + + + default_tags { + tags = { + Environment = "NAXA-DTM" + Application = "DTM" + Team = "NAXA-Developers" + Creator = "NAXA" + Owner = "NAXA" + } + } +} diff --git a/terraform/step1/VPC.tf b/terraform/step1/VPC.tf new file mode 100644 index 00000000..cc298884 --- /dev/null +++ b/terraform/step1/VPC.tf 
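Review bot: `postgresql_root_password = var.postgresql_root_password` in module "step4" hands the database root credential through an ordinary input variable; unless the root declaration in terraform/variables.tf (not in this chunk) sets `sensitive = true`, the value is echoed in plan output and CI logs, and in any case it is stored in plaintext in the state file. Marking the variable `sensitive = true` is the minimum; a better shape is to let step4 generate the password with `random_password` and place it in Secrets Manager, which the ECS policy in step2 already grants `secretsmanager:GetSecretValue` for (this adds the hashicorp/random provider to providers.tf). Separately, `vpc_private_subnets_count = var.vpc_private_subnets` passes a list to a variable whose name suggests a number; the step6 declaration is outside this chunk, so this may be intended, but the name should match what is passed.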
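Review bot: `shared_credentials_files = ["${path.module}/.aws/credentials"]` makes the provider read a long-lived credential file that lives inside the module directory, and the only thing keeping that file out of the repository is the `.gitignore` entry added in this commit. Dropping the attribute and letting the provider use its default credential chain (environment variables, `~/.aws`, or an assumed role in CI) removes the need to copy secrets into the source tree at all. There is also no `backend` block in this `terraform {}` stanza, so state - including the RDS password wired through main.tf - is written unencrypted to the working directory; a remote backend with encryption and access control is the usual fix, and the `# region and profile is for the architecture` comment should then say where state lives.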
@@ -0,0 +1,136 @@ +# CREATE VPC +resource "aws_vpc" "project_vpc" { + cidr_block = var.vpc_cidr_block + enable_dns_hostnames = true + enable_network_address_usage_metrics = true + enable_dns_support = true + tags = { + Name = "${var.project_name}-${var.vpc_name}" + } +} + +# CREATE INTERNET GATEWAY for the public subnets +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.project_vpc.id + tags = { + Name = "${var.project_name}-${var.vpc_name}-igw" + } +} + +# CREATE ELASTIC IP for nat +resource "aws_eip" "nat_eip" { + vpc = true + tags = { + Name = "${var.project_name}-${var.vpc_name}-eip" + } + depends_on = [aws_internet_gateway.igw] +} + +# CREATE NAT GATEWAY +resource "aws_nat_gateway" "nat_gateway" { + allocation_id = aws_eip.nat_eip.id + subnet_id = aws_subnet.public_subnet[0].id + tags = { + Name = "${var.project_name}-${var.vpc_name}-nat" + } + depends_on = [aws_internet_gateway.igw] +} + + + +# ========================== PRIVATE SUBNETS ======================= # + +# Create Private Subnets +resource "aws_subnet" "private_subnet" { + count = length(var.vpc_private_subnets) + vpc_id = aws_vpc.project_vpc.id + cidr_block = var.vpc_private_subnets[count.index] + availability_zone = var.availability_zones[count.index % length(var.availability_zones)] + map_public_ip_on_launch = false + tags = { + Name = "${var.project_name}-${var.vpc_name}-private-subnet-${count.index}" + } +} + +# ROUTE TABLES for private Subnets +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.project_vpc.id + tags = { + Name = "${var.vpc_name}-private-route-table" + } +} + +resource "aws_route" "private_nat_gateway" { + route_table_id = aws_route_table.private_route_table.id + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat_gateway.id +} + +resource "aws_route_table_association" "private_subnet_association" { + count = length(aws_subnet.private_subnet) + route_table_id = aws_route_table.private_route_table.id + subnet_id = 
aws_subnet.private_subnet[count.index].id +} + + + +# ========================== PUBLIC SUBNETS ======================= # + +#Create Public Subnets +resource "aws_subnet" "public_subnet" { + count = length(var.vpc_public_subnets) + cidr_block = var.vpc_public_subnets[count.index] + vpc_id = aws_vpc.project_vpc.id + availability_zone = var.availability_zones[count.index % length(var.availability_zones)] + map_public_ip_on_launch = false + tags = { + Name = "${var.project_name}-${var.vpc_name}-public-subnet-${count.index}" + } +} + +# ROUTE TABLES for public Subnets +resource "aws_route_table" "public_route_table" { + vpc_id = aws_vpc.project_vpc.id + tags = { + Name = "${var.vpc_name}-public-route-table" + } +} + +resource "aws_route" "public_internet_gateway" { + route_table_id = aws_route_table.public_route_table.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} + +resource "aws_route_table_association" "public_subnet_association" { + count = length(aws_subnet.public_subnet) + subnet_id = aws_subnet.public_subnet[count.index].id + route_table_id = aws_route_table.public_route_table.id +} + + + +# ========================== DEFAULT SG ======================= # + +# VPC's Default Security Group +resource "aws_security_group" "default" { + name = "${var.vpc_name}-default-sg" + description = "Default security group to allow inbound/outbound from the VPC" + vpc_id = aws_vpc.project_vpc.id + ingress { + from_port = "0" + to_port = "0" + protocol = "-1" + self = true + } + egress { + from_port = "0" + to_port = "0" + protocol = "-1" + self = "true" + } + tags = { + Name = "${var.vpc_name}-default-sg" + } + depends_on = [aws_vpc.project_vpc] +} diff --git a/terraform/step1/output.tf b/terraform/step1/output.tf new file mode 100644 index 00000000..02b64e45 --- /dev/null +++ b/terraform/step1/output.tf 
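Review bot: `aws_security_group.default` creates a new group named `${var.vpc_name}-default-sg`; it does not touch the VPC's real default security group, which AWS creates alongside `aws_vpc.project_vpc` with allow-all-from-self rules and which any instance or ENI launched without an explicit group silently receives. To manage that group, use `resource "aws_default_security_group" "default" { vpc_id = aws_vpc.project_vpc.id }` with no ingress or egress blocks, which strips its rules. The VPC also has no `aws_flow_log` resource, so there is no record of accepted or rejected traffic to consult during an investigation; flow logs to CloudWatch Logs or S3 are a cheap detection baseline to add here. Minor: `self = "true"` in the egress block is a string where the ingress block uses the boolean `self = true`.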
@@ -0,0 +1,19 @@
+output "vpc_id" {
+ value = aws_vpc.project_vpc.id
+}
+
+output "private_subnets_id" {
+ value = aws_subnet.private_subnet.*.id
+}
+
+output "public_subnets_id" {
+ value = aws_subnet.public_subnet.*.id
+}
+
+output "private_route_table_id" {
+ value = aws_route_table.private_route_table.id
+}
+
+output "public_route_table_id" {
+ value = aws_route_table.public_route_table.id
+}
diff --git a/terraform/step1/variables.tf b/terraform/step1/variables.tf new file mode 100644
index 00000000..3b381473
--- /dev/null
+++ b/terraform/step1/variables.tf
@@ -0,0 +1,29 @@
+#VARIABLES
+
+variable "aws_region" {
+ type = string
+}
+
+variable "project_name" {
+ type = string
+}
+
+variable "vpc_name" {
+ type = string
+}
+
+variable "vpc_cidr_block" {
+ type = string
+}
+
+variable "vpc_private_subnets" {
+ type = list(string)
+}
+
+variable "vpc_public_subnets" {
+ type = list(string)
+}
+
+variable "availability_zones" {
+ type = list(string)
+}
diff --git a/terraform/step2/IAM_ec2_policy.tf b/terraform/step2/IAM_ec2_policy.tf new file mode 100644
index 00000000..49153cd6
--- /dev/null
+++ b/terraform/step2/IAM_ec2_policy.tf
@@ -0,0 +1,98 @@ +################################# +# EC2 Instance Profile and Policy + +resource "aws_iam_role" "ec2_role" { + name = "${var.project_name}-ec2-role" + assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json + tags = { + Name = "${var.project_name}-ec2-role" + } +} + +resource "aws_iam_policy" "ec2_policy" { + name = "${var.project_name}-ec2-policy" + description = "Instance profile policy for EC2" + policy = data.aws_iam_policy_document.ec2_instance_profile.json + tags = { + Name = "${var.project_name}-ec2-policy" + } +} + +resource "aws_iam_role_policy_attachment" "ec2_attachment" { + role = aws_iam_role.ec2_role.name + policy_arn = aws_iam_policy.ec2_policy.arn +} + +resource "aws_iam_instance_profile" "ec2_instance_profile" { + name = "${var.project_name}-ec2-profile" + role = "${var.project_name}-ec2-role" +} + +# ===================== DATA POLICY ============================ + +data "aws_iam_policy_document" "ec2_assume_role" { + statement { + sid = "GenericAssumeRoleEC2" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +data "aws_iam_policy_document" "ec2_instance_profile" { + statement { + sid = "EC2InstanceProfilePolicy" + effect = "Allow" + resources = ["*"] + + actions = [ + "kms:Decrypt", + "kms:GenerateDataKey", + "s3:GetEncryptionConfiguration", + "ssm:DescribeParameters", + "ssm:GetParameters", + "ssm:UpdateInstanceInformation", + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel", + ] + } + + statement { + sid = "" + effect = "Allow" + resources = ["*"] + + actions = [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + ] + } + + statement { + sid = "" + effect = "Allow" + + resources = [ + "arn:aws:s3:::${var.s3_bucket_name}/*", + "arn:aws:s3:::${var.s3_bucket_name}", + ] + + actions = [ + 
"s3:ListBucket", + "s3:PutObject", + "s3:GetEncryptionConfiguration", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:DeleteObject", + "s3:DeleteObjectVersion", + ] + } +} diff --git a/terraform/step2/IAM_ecs_policy.tf b/terraform/step2/IAM_ecs_policy.tf new file mode 100644 index 00000000..b656a705 --- /dev/null +++ b/terraform/step2/IAM_ecs_policy.tf 
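Review bot: `aws_iam_instance_profile.ec2_instance_profile` sets `role = "${var.project_name}-ec2-role"` as a literal string instead of `role = aws_iam_role.ec2_role.name`, so Terraform records no dependency between the two and can try to create the profile before the role exists on a fresh apply. The `EC2InstanceProfilePolicy` statement grants `kms:Decrypt`, `kms:GenerateDataKey` and `ssm:GetParameters` on `resources = ["*"]`; this module already owns `aws_kms_key.encryption_key_ecr`, so the KMS actions can be scoped to its ARN, and the SSM actions to a parameter prefix such as `arn:aws:ssm:${var.aws_region}:${var.aws_account}:parameter/${var.project_name}/*` (both variables are declared in step2/variables.tf). The final S3 statement gives the instance profile the same `s3:DeleteObject` / `s3:DeleteObjectVersion` rights as the ECS task policy; if the EC2 host only reads and writes objects, the delete actions should go.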
@@ -0,0 +1,128 @@ +########################### +# ECS Role and Policy + +resource "aws_iam_role" "ecs_role" { + name = var.ecs_task_role_name + assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json + tags = { + Name = "${var.ecs_task_role_name}" + } +} + +resource "aws_iam_policy" "ecs_policy" { + name = "${var.project_name}-ecs-policy" + description = "ECS policy for ${var.ecs_task_role_name}" + policy = data.aws_iam_policy_document.ecs_policy.json + tags = { + Name = "${var.project_name}-ecs-policy" + } +} + +resource "aws_iam_role_policy_attachment" "ecs_attachment_1" { + role = aws_iam_role.ecs_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" +} + +resource "aws_iam_role_policy_attachment" "ecs_attachment_2" { + role = aws_iam_role.ecs_role.name + policy_arn = aws_iam_policy.ecs_policy.arn +} + +# ===================== DATA POLICY ============================ + +data "aws_iam_policy_document" "ecs_assume_role" { + statement { + sid = "GenericAssumeRoleEC2" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ecs-tasks.amazonaws.com"] + } + } +} + +data "aws_iam_policy_document" "ecs_policy" { + statement { + sid = "ECSs3Bucket" + effect = "Allow" + + resources = [ + "arn:aws:s3:::${var.s3_bucket_name}/*", + "arn:aws:s3:::${var.s3_bucket_name}", + ] + + actions = [ + "s3:ListBucket", + "s3:PutObject", + "s3:GetEncryptionConfiguration", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:DeleteObject", + "s3:DeleteObjectVersion", + ] + } + + statement { + sid = "ECSssmMessages" + effect = "Allow" + resources = ["*"] + + actions = [ + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel", + ] + } + + statement { + sid = "ECSssm" + effect = "Allow" + resources = ["*"] + + actions = [ + "ssm:UpdateInstanceInformation", + "ssm:DescribeParameters", + "ssm:GetParameters", + 
] + } + + statement { + sid = "ECSlogs" + effect = "Allow" + resources = ["arn:aws:logs:*:*:*"] + + actions = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams", + ] + } + + statement { + sid = "ECScloudwatch" + effect = "Allow" + resources = ["*"] + + actions = [ + "cloudwatch:PutMetricData", + "cloudwatch:GetMetricData", + "cloudwatch:ListMetrics", + ] + } + + statement { + sid = "ECSotherPermissions" + effect = "Allow" + resources = ["*"] + + actions = [ + "elasticfilesystem:*", + "secretsmanager:GetSecretValue", + "kms:Decrypt", + ] + } +} diff --git a/terraform/step2/KMS.tf b/terraform/step2/KMS.tf new file mode 100644 index 00000000..c7cedf3a --- /dev/null +++ b/terraform/step2/KMS.tf @@ -0,0 +1,16 @@ +# KMS key for ECR encryption +resource "aws_kms_key" "encryption_key_ecr" { + description = "KMS ECR key 1" + key_usage = "ENCRYPT_DECRYPT" + deletion_window_in_days = 7 + is_enabled = true + enable_key_rotation = true + tags = { + "Name" = "${var.project_name}-ecr-key" + } +} + +resource "aws_kms_alias" "kms_alias_ecr" { + name = "alias/${var.project_name}-ecr-key" + target_key_id = aws_kms_key.encryption_key_ecr.key_id +} diff --git a/terraform/step2/S3.tf b/terraform/step2/S3.tf new file mode 100644 index 00000000..3f7b88e7 --- /dev/null +++ b/terraform/step2/S3.tf 
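Review bot: The `ECSotherPermissions` statement grants `secretsmanager:GetSecretValue`, `kms:Decrypt` and `elasticfilesystem:*` on `resources = ["*"]`, so any task running under this role can read every secret in the account and administer every file system in it; scope the secret and file-system ARNs, and replace `elasticfilesystem:*` with the mount-time actions a task needs (`elasticfilesystem:ClientMount`, `elasticfilesystem:ClientWrite`). The same role also has `AmazonECSTaskExecutionRolePolicy` attached via `ecs_attachment_1`, which merges the execution role (used by the ECS agent to pull images and write logs) with the task role (assumed by the application code), so the application inherits ECR pull and log-group rights it never needs; keeping them as two roles is the standard split. The `sid = "GenericAssumeRoleEC2"` in `ecs_assume_role` is copied from the EC2 document and should read `GenericAssumeRoleECSTasks` so CloudTrail entries are not misleading.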
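Review bot: `deletion_window_in_days = 7` on `aws_kms_key.encryption_key_ecr` is the minimum AWS allows, and every ECR repository in step3 is encrypted with this key (`kms_key = var.kms_key`, fed from `module.step2.kms_key.arn` in main.tf), so a `terraform destroy` or an accidental replacement leaves seven days to cancel deletion before all stored images become unreadable. Use the default of 30 days and add `lifecycle { prevent_destroy = true }` to the key. The resource sets no `policy`, which means the AWS default key policy (account root has full access) applies; that is acceptable here but worth stating in the `# KMS key for ECR encryption` comment so nobody assumes the key is locked down.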
@@ -0,0 +1,54 @@
+# CREATE S3 Bucket
+resource "aws_s3_bucket" "s3_bucket" {
+ bucket = var.s3_bucket_name
+ tags = {
+ Name = "${var.s3_bucket_name}"
+ }
+}
+
+
+resource "aws_s3_bucket" "alb_logs_s3_bucket" {
+ bucket = "${var.s3_bucket_name}-alb-logs"
+ tags = {
+ Name = "${var.s3_bucket_name}-alb-logs"
+ }
+}
+
+resource "aws_s3_bucket_policy" "allow_loadbalancer_to_logs_bucket" {
+ bucket = aws_s3_bucket.alb_logs_s3_bucket.id
+ policy = data.aws_iam_policy_document.allow_loadbalancer_to_logs_bucket.json
+}
+
+data "aws_iam_policy_document" "allow_loadbalancer_to_logs_bucket" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::718504428378:root"]
+ # Here Change identifier "718504428378" on basis of loadbalancer region
+ # We're using 718504428378 as our loadbalancer is on region ap-south-1
+ }
+
+ actions = [
+ "s3:PutObject",
+ ]
+
+ resources = [
+ "${aws_s3_bucket.alb_logs_s3_bucket.arn}/*",
+ ]
+ }
+ statement {
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = [
+ "s3:GetBucketAcl",
+ ]
+
+ resources = [
+ "${aws_s3_bucket.alb_logs_s3_bucket.arn}"
+ ]
+ }
+
+}
diff --git a/terraform/step2/SecurityGroups.tf b/terraform/step2/SecurityGroups.tf new file mode 100644
index 00000000..3998a8dc
--- /dev/null
+++ b/terraform/step2/SecurityGroups.tf
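Review bot: Neither `aws_s3_bucket.s3_bucket` nor `aws_s3_bucket.alb_logs_s3_bucket` gets an `aws_s3_bucket_public_access_block`, versioning or server-side-encryption configuration; with provider 4.x these are separate resources, so as written both buckets rely entirely on account-level defaults, while the application bucket is granted `s3:PutObject` and `s3:DeleteObject*` from both the EC2 and ECS roles in this module. Add a public access block with all four flags set for both buckets, versioning plus `aws_s3_bucket_server_side_encryption_configuration` for the application bucket, and keep the logs bucket on SSE-S3, since ALB log delivery does not write to a bucket that requires a customer KMS key. The hard-coded `arn:aws:iam::718504428378:root` principal, which the comment asks future maintainers to edit by hand, can be derived from the provider region with `data "aws_elb_service_account" "this" {}` and `identifiers = [data.aws_elb_service_account.this.arn]`.
```hcl
# Region-specific ELB log-delivery account, replaces the hard-coded principal.
data "aws_elb_service_account" "this" {}

resource "aws_s3_bucket_public_access_block" "s3_bucket" {
  bucket                  = aws_s3_bucket.s3_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_public_access_block" "alb_logs_s3_bucket" {
  bucket                  = aws_s3_bucket.alb_logs_s3_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# … unchanged: aws_s3_bucket resources, bucket policy …
#   inside data "aws_iam_policy_document" "allow_loadbalancer_to_logs_bucket":
#     identifiers = [data.aws_elb_service_account.this.arn]
```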
@@ -0,0 +1,170 @@ +# EC2 security group +resource "aws_security_group" "ec2_sec_grp" { + name_prefix = "${var.project_name}-ec2_sec_grp" + description = "Allow ssh for EC2" + vpc_id = var.vpc_id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-ec2_sec_grp" + } +} + +# RDS security group +resource "aws_security_group" "psql_sec_grp" { + name_prefix = "${var.project_name}-psql_sec_grp" + description = "Allow PostgreSQL access" + vpc_id = var.vpc_id + + ingress { + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-psql_sec_grp" + } +} + +# Document DB Security group +resource "aws_security_group" "doc_db_sec_grp" { + name_prefix = "${var.project_name}-doc_db_sec_grp" + description = "Allow Document DB access" + vpc_id = var.vpc_id + + ingress { + from_port = 27017 + to_port = 27017 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-doc_db_sec_grp" + } +} + +# ElastiCache Redis DB Security group +resource "aws_security_group" "redis_sec_grp" { + name_prefix = "${var.project_name}-redis_sec_grp" + description = "Allow Elasticache" + vpc_id = var.vpc_id + + ingress { + from_port = 6379 + to_port = 6380 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-redis_sec_grp" + } +} + +# ECS security group +resource "aws_security_group" "ecs_sec_grp" { + name_prefix = "${var.project_name}-ecs_sec_grp" + description = "Allow ECS traffic" + vpc_id = 
var.vpc_id + + ingress { + from_port = 9000 + to_port = 9000 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 8000 + to_port = 8000 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 8005 + to_port = 8005 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-ecs_sec_grp" + } +} + +# Load Balancer Security Group +resource "aws_security_group" "load_balancer_sec_grp" { + name_prefix = "${var.project_name}-load_balancer_sec_grp" + description = "Allow ALB HTTP and HTTPS" + vpc_id = var.vpc_id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-load_balancer_sec_grp" + } +} diff --git a/terraform/step2/output.tf b/terraform/step2/output.tf new file mode 100644 index 00000000..6a055650 --- /dev/null +++ b/terraform/step2/output.tf @@ -0,0 +1,39 @@ +output "ec2_sec_grp" { + value = aws_security_group.ec2_sec_grp +} + +output "psql_sec_grp" { + value = aws_security_group.psql_sec_grp +} + +output "docdb_sec_grp" { + value = aws_security_group.doc_db_sec_grp +} + +output "redis_sec_grp" { + value = aws_security_group.redis_sec_grp +} + +output "ecs_sec_grp" { + value = aws_security_group.ecs_sec_grp +} + +output "ecs_final_role_name" { + value = aws_iam_role.ecs_role.name +} + +output "load_balancer_sec_grp" { + value = aws_security_group.load_balancer_sec_grp +} + +output "kms_key" { + value = aws_kms_key.encryption_key_ecr +} + +output "kms_key_name" { + value = aws_kms_alias.kms_alias_ecr +} + +output "alb_logs_s3_bucket" { + value = aws_s3_bucket.alb_logs_s3_bucket +} 
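Review bot: Every ingress rule in this file uses `cidr_blocks = ["0.0.0.0/0"]`, including PostgreSQL 5432 in `psql_sec_grp`, DocumentDB 27017 in `doc_db_sec_grp`, Redis 6379-6380 in `redis_sec_grp`, SSH 22 in `ec2_sec_grp` and the application ports 9000/8000/8005 in `ecs_sec_grp`; whether the data stores end up reachable from the internet also depends on the step4 resources (not in this chunk), but these groups provide no barrier of their own. Only `load_balancer_sec_grp` should accept from the world; the data-store groups should reference the calling groups via `security_groups = [...]` or at least the VPC CIDR, the ECS ports should accept only from the load balancer group (assuming the ALB is the only caller, which LB_TargetGroups.tf outside this chunk would confirm), and the SSH rule can be dropped in favour of SSM Session Manager, for which the EC2 policy already carries the `ssmmessages:*` actions. The rewrite below shows the pattern for the PostgreSQL and ECS groups; the DocumentDB and Redis rules take the same shape.
```hcl
# RDS security group
resource "aws_security_group" "psql_sec_grp" {
  # … unchanged: name_prefix, description, vpc_id …

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.ecs_sec_grp.id, aws_security_group.ec2_sec_grp.id]
  }

  # … unchanged: egress, tags …
}

# ECS security group
resource "aws_security_group" "ecs_sec_grp" {
  # … unchanged: name_prefix, description, vpc_id …

  ingress {
    from_port       = 9000
    to_port         = 9000
    protocol        = "tcp"
    security_groups = [aws_security_group.load_balancer_sec_grp.id]
  }
  # … same source group for the 8000 and 8005 ingress blocks …

  # … unchanged: egress, tags …
}
```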
diff --git a/terraform/step2/variables.tf b/terraform/step2/variables.tf new file mode 100644
index 00000000..c34d3fdf
--- /dev/null
+++ b/terraform/step2/variables.tf
@@ -0,0 +1,29 @@
+#VARIABLES
+
+variable "project_name" {
+ type = string
+}
+
+variable "vpc_name" {
+ type = string
+}
+
+variable "vpc_id" {
+ type = string
+}
+
+variable "aws_account" {
+ type = string
+}
+
+variable "aws_region" {
+ type = string
+}
+
+variable "s3_bucket_name" {
+ type = string
+}
+
+variable "ecs_task_role_name" {
+ type = string
+}
diff --git a/terraform/step3/ECR.tf b/terraform/step3/ECR.tf new file mode 100644
index 00000000..4f36d449
--- /dev/null
+++ b/terraform/step3/ECR.tf
@@ -0,0 +1,55 @@
+# CREATE AWS PRIVATE REPO
+resource "aws_ecr_repository" "private_repo" {
+ count = length(var.ecr_names)
+ name = var.ecr_names[count.index]
+ #image_tag_mutability = "IMMUTABLE"
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+ encryption_configuration {
+ encryption_type = "KMS"
+ kms_key = var.kms_key
+ }
+ tags = {
+ Name = "Private ECR Repository for ${var.ecr_names[count.index]}"
+ }
+}
+
+
+resource "aws_ecr_lifecycle_policy" "only_3_image" {
+ count = length(aws_ecr_repository.private_repo)
+ repository = aws_ecr_repository.private_repo.* [count.index].name
+ depends_on = [aws_ecr_repository.private_repo]
+ policy = <