founders_template 0.1.8 → 0.2.0

data/templates/terraform/modules/application/variables.tf

@@ -0,0 +1,109 @@
+variable "name" {
+  description = "The name to use for resources"
+  type        = string
+}
+
+variable "app_environment" {
+  description = "Environment variables to set on the application container"
+  default     = []
+
+  type = list(object({
+    name  = string,
+    value = string
+  }))
+}
+
+variable "worker_environment" {
+  description = "Environment variables to set on the worker container"
+  default     = []
+
+  type = list(object({
+    name  = string,
+    value = string
+  }))
+}
+
+variable "app_repository_url" {
+  description = "The URL to the image repository for the application container"
+  type        = string
+}
+
+variable "web_repository_url" {
+  description = "The URL to the image repository for the web container"
+  type        = string
+}
+
+variable "aws_region" {
+  description = "The AWS region to launch resources in"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "app_process_memory" {
+  description = "The amount of memory to allocate to the application process"
+  type        = number
+  default     = 768
+}
+
+variable "app_task_cpu" {
+  description = "The CPU units to allocate to the application task"
+  type        = number
+  default     = 256
+}
+
+variable "app_task_memory" {
+  description = "The memory to allocate to the application task"
+  type        = number
+  default     = 1024
+}
+
+variable "app_task_count" {
+  description = "The number of application tasks to run"
+  type        = number
+  default     = 1
+}
+
+variable "worker_task_cpu" {
+  description = "The CPU units to allocate to the worker task"
+  type        = number
+  default     = 256
+}
+
+variable "worker_task_memory" {
+  description = "The memory to allocate to the worker task"
+  type        = number
+  default     = 1024
+}
+
+variable "worker_task_count" {
+  description = "The number of worker tasks to run"
+  type        = number
+  default     = 1
+}
+
+variable "task_subnets" {
+  description = "The subnets to launch tasks in"
+  type        = list
+}
+
+variable "vpc_id" {
+  description = "The VPC ID to launch things in"
+  type        = string
+}
+
+variable "alb_listener" {
+  description = "The ALB Listener to use in the load balancer configuration"
+}
+
+variable "alb_target_group" {
+  description = "The ALB Target Group to use in the load balancer configuration"
+}
+
+variable "load_balance_security_group" {
+  description = "The Security group for the ALB"
+}
+
+variable "key_pair_public_key" {
+  description = "The public key for the EC2 Key Pair to use when running remote_console"
+  type        = string
+}

data/templates/terraform/modules/application/web_service.tf

@@ -0,0 +1,62 @@
+# WEB
+resource "aws_cloudwatch_log_group" "web" {
+  name              = "/ecs/service/${var.name}-web"
+  retention_in_days = "14"
+}
+
+resource "aws_cloudwatch_log_group" "app" {
+  name              = "/ecs/service/${var.name}-app"
+  retention_in_days = "14"
+}
+
+data "template_file" "web_task_definition" {
+  template = file("${path.module}/task_definitions/web.json")
+
+  vars = {
+    app_log_path = aws_cloudwatch_log_group.app.name
+    web_log_path = aws_cloudwatch_log_group.web.name
+    app_image    = "${var.app_repository_url}:latest"
+    web_image    = "${var.web_repository_url}:latest"
+    environment  = jsonencode(var.app_environment)
+    app_memory   = var.app_process_memory
+    region       = var.aws_region
+  }
+}
+
+resource "aws_ecs_task_definition" "web" {
+  family                   = "${var.name}-web"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.app_task_cpu
+  memory                   = var.app_task_memory
+  execution_role_arn       = aws_iam_role.ecs_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_execution_role.arn
+
+  container_definitions = data.template_file.web_task_definition.rendered
+}
+
+resource "aws_ecs_service" "web" {
+  name            = "${var.name}-web"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.web.arn
+  desired_count   = var.app_task_count
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups = [aws_security_group.ecs_tasks.id]
+    subnets         = var.task_subnets
+  }
+
+  load_balancer {
+    target_group_arn = var.alb_target_group.id
+    container_name   = "web"
+    container_port   = "80"
+  }
+
+  depends_on = [var.alb_listener]
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = [task_definition]
+  }
+}

data/templates/terraform/modules/application/worker_service.tf

@@ -0,0 +1,48 @@
+# WORKER
+resource "aws_cloudwatch_log_group" "worker" {
+  name              = "/ecs/service/${var.name}-worker"
+  retention_in_days = "14"
+}
+
+data "template_file" "worker_task_definition" {
+  template = file("${path.module}/task_definitions/worker.json")
+
+  vars = {
+    app_log_path      = aws_cloudwatch_log_group.worker.name
+    app_image         = "${var.app_repository_url}:latest"
+    app_memory        = var.app_process_memory
+    region            = var.aws_region
+    worker_app_memory = var.worker_task_memory
+    environment       = jsonencode(var.worker_environment)
+  }
+}
+
+resource "aws_ecs_task_definition" "worker" {
+  family                   = "${var.name}-worker"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.worker_task_cpu
+  memory                   = var.worker_task_memory
+  execution_role_arn       = aws_iam_role.ecs_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_execution_role.arn
+
+  container_definitions = data.template_file.worker_task_definition.rendered
+}
+
+resource "aws_ecs_service" "worker" {
+  name            = "${var.name}-worker"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.worker.arn
+  desired_count   = var.worker_task_count
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups = [aws_security_group.ecs_tasks.id]
+    subnets         = var.task_subnets
+  }
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = [task_definition]
+  }
+}

data/templates/terraform/production/domains.tf

@@ -0,0 +1,19 @@
+resource "aws_route53_zone" "primary" {
+  count = var.domain_name == null ? 0 : 1
+
+  name = var.domain_name
+}
+
+resource "aws_route53_record" "root" {
+  count = var.domain_name == null ? 0 : 1
+
+  zone_id = aws_route53_zone.primary[0].id
+  name    = var.domain_name
+  type    = "A"
+
+  alias {
+    name                   = module.application.alb.dns_name
+    zone_id                = module.application.alb.zone_id
+    evaluate_target_health = true
+  }
+}

data/templates/terraform/production/main.tf

@@ -0,0 +1,167 @@
+provider "aws" {
+  version = "~> 2.8"
+}
+
+provider "template" {
+  version = "~> 2.0"
+}
+
+locals {
+  environment       = "production"
+  ecr_expire_policy = <<EOF
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Expire images older than 14 days",
+      "selection": {
+        "tagStatus": "untagged",
+        "countType": "imageCountMoreThan",
+        "countNumber": 14
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}
+EOF
+}
+
+# You MUST run the TF files in the "shared" environment before this will work
+terraform {
+  backend "s3" {
+    encrypt        = true
+    bucket         = "rails-app-terraform-production"
+    dynamodb_table = "rails-app-terraform-production"
+    region         = "us-east-1"
+    key            = "statefile"
+  }
+}
+
+module "vpc" {
+  source = "git://github.com/trobrock/terraform-vpc.git?ref=v1.0.0"
+
+  name = "${var.short_name}-${local.environment}"
+}
+
+resource "aws_ecr_repository" "app" {
+  name = "${var.short_name}-${local.environment}-app"
+}
+
+resource "aws_ecr_lifecycle_policy" "app" {
+  repository = aws_ecr_repository.app.name
+  policy     = local.ecr_expire_policy
+}
+
+resource "aws_ecr_repository" "web" {
+  name = "${var.short_name}-${local.environment}-web"
+}
+
+resource "aws_ecr_lifecycle_policy" "web" {
+  repository = aws_ecr_repository.web.name
+  policy     = local.ecr_expire_policy
+}
+
+module "code_pipeline" {
+  source = "git://github.com/trobrock/terraform-code-pipeline.git?ref=v2.0.0"
+
+  short_name  = var.short_name
+  environment = local.environment
+  repo_owner  = var.github_org
+  repo_name   = var.github_repo
+
+  build_environment = [
+    {
+      name  = "APP_REPOSITORY_URI"
+      value = aws_ecr_repository.app.repository_url
+    },
+    {
+      name  = "WEB_REPOSITORY_URI"
+      value = aws_ecr_repository.web.repository_url
+    },
+    {
+      name  = "DATABASE_URL"
+      value = module.database.url
+    },
+    {
+      name  = "RAILS_ENV"
+      value = local.environment
+    },
+    {
+      name  = "REDIS_URL"
+      value = module.redis.url
+    }
+  ]
+
+  lambda_subnet              = module.vpc.private_subnets[0]
+  ecs_cluster                = module.application.ecs_cluster
+  ecs_security_group_id      = module.application.application_security_group.id
+  ecs_task_definition_family = module.application.one_off_task_definition_name
+  ecs_task_definition_name   = "one_off"
+  deployments = [
+    {
+      name         = "deploy-web"
+      service_name = module.application.web_service_name
+      file_name    = "web_imagedefinitions.json"
+    },
+    {
+      name         = "deploy-worker"
+      service_name = module.application.worker_service_name
+      file_name    = "worker_imagedefinitions.json"
+    }
+  ]
+}
+
+module "database" {
+  source = "git://github.com/trobrock/terraform-database.git?ref=v1.0.1"
+
+  name            = "${var.short_name}${local.environment}"
+  instance_class  = "db.t2.small"
+  vpc_id          = module.vpc.vpc_id
+  subnets         = module.vpc.private_subnets
+  security_groups = [module.application.application_security_group.id]
+  username        = var.short_name
+  password        = "database20200207"
+}
+
+module "redis" {
+  source = "git://github.com/trobrock/terraform-redis.git?ref=v1.0.0"
+
+  name            = "${var.name}-${local.environment}"
+  vpc_id          = module.vpc.vpc_id
+  subnets         = module.vpc.private_subnets
+  security_groups = [module.application.application_security_group.id]
+}
+
+module "application" {
+  source = "git://github.com/trobrock/terraform-rails-application.git?ref=v0.0.2"
+
+  name                = "${var.short_name}-${local.environment}"
+  app_repository_url  = aws_ecr_repository.app.repository_url
+  web_repository_url  = aws_ecr_repository.web.repository_url
+  public_subnets      = module.vpc.public_subnets
+  task_subnets        = module.vpc.private_subnets
+  vpc_id              = module.vpc.vpc_id
+  enable_ssl          = var.enable_ssl
+  acm_certificate_arn = aws_acm_certificate.cert[0].arn
+  key_pair_public_key = var.ssh_public_key
+
+  app_environment = [
+    {
+      name  = "DATABASE_URL"
+      value = module.database.url
+    },
+    {
+      name  = "REDIS_URL"
+      value = module.redis.url
+    }
+  ]
+
+  worker_environment = [
+    {
+      name  = "QUEUE"
+      value = "*"
+    }
+  ]
+}

data/templates/terraform/production/ssl.tf

@@ -0,0 +1,28 @@
+resource "aws_acm_certificate" "cert" {
+  count = var.enable_ssl ? 1 : 0
+
+  domain_name               = var.domain_name
+  subject_alternative_names = ["*.${var.domain_name}"]
+  validation_method         = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "cert_validation" {
+  count = var.enable_ssl ? 1 : 0
+
+  name    = aws_acm_certificate.cert[0].domain_validation_options[0].resource_record_name
+  type    = aws_acm_certificate.cert[0].domain_validation_options[0].resource_record_type
+  zone_id = aws_route53_zone.primary[0].id
+  records = [aws_acm_certificate.cert[0].domain_validation_options[0].resource_record_value]
+  ttl     = 60
+}
+
+resource "aws_acm_certificate_validation" "cert" {
+  count = var.enable_ssl ? 1 : 0
+
+  certificate_arn         = aws_acm_certificate.cert[0].arn
+  validation_record_fqdns = [aws_route53_record.cert_validation[0].fqdn]
+}

data/templates/terraform/production/variables.tf

@@ -0,0 +1,36 @@
+variable "name" {
+  description = "The long name to use on resources"
+  type        = string
+}
+
+variable "short_name" {
+  description = "The short name to use on resources"
+  type        = string
+}
+
+variable "github_org" {
+  description = "The name of the organization in GitHub"
+  type        = string
+}
+
+variable "github_repo" {
+  description = "The name of the repository in GitHub"
+  type        = string
+}
+
+variable "domain_name" {
+  description = "The primary domain name to launch the app on"
+  type        = string
+  default     = null
+}
+
+variable "enable_ssl" {
+  description = "Whether the app should be served over SSL"
+  type        = bool
+  default     = false
+}
+
+variable "ssh_public_key" {
+  description = "The public key for the SSH key to use in the SSHable group to access servers"
+  type        = string
+}

data/templates/terraform/shared/main.tf

@@ -0,0 +1,41 @@
+variable "name" {
+  type        = string
+  description = "the name of the application"
+}
+
+provider "aws" {
+  version = "~> 2.31"
+}
+
+# PRODUCTION
+resource "aws_s3_bucket" "production" {
+  bucket = "${var.name}-terraform-production"
+
+  versioning {
+    enabled = true
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  tags = {
+    Name = "S3 Remote Terraform State Store for production"
+  }
+}
+
+resource "aws_dynamodb_table" "production" {
+  name           = "${var.name}-terraform-production"
+  hash_key       = "LockID"
+  read_capacity  = 20
+  write_capacity = 20
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+
+  tags = {
+    Name = "DynamoDB Terraform State Lock Table for production"
+  }
+}

data/templates/terraform/shared/terraform.tfstate.backup

@@ -0,0 +1,129 @@
+{
+  "version": 4,
+  "terraform_version": "0.12.20",
+  "serial": 4,
+  "lineage": "96f07a4f-a32d-dbcd-f6e5-95a51e93647c",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_dynamodb_table",
+      "name": "production",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 1,
+          "attributes": {
+            "arn": "arn:aws:dynamodb:us-east-1:947651631655:table/net-worth-monitor-terraform-production",
+            "attribute": [
+              {
+                "name": "LockID",
+                "type": "S"
+              }
+            ],
+            "billing_mode": "PROVISIONED",
+            "global_secondary_index": [],
+            "hash_key": "LockID",
+            "id": "net-worth-monitor-terraform-production",
+            "local_secondary_index": [],
+            "name": "net-worth-monitor-terraform-production",
+            "point_in_time_recovery": [
+              {
+                "enabled": false
+              }
+            ],
+            "range_key": null,
+            "read_capacity": 20,
+            "server_side_encryption": [],
+            "stream_arn": "",
+            "stream_enabled": false,
+            "stream_label": "",
+            "stream_view_type": "",
+            "tags": {
+              "Name": "DynamoDB Terraform State Lock Table for production"
+            },
+            "timeouts": null,
+            "ttl": [
+              {
+                "attribute_name": "",
+                "enabled": false
+              }
+            ],
+            "write_capacity": 20
+          },
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjM2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_kms_key",
+      "name": "parameter_store",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:kms:us-east-1:947651631655:key/d9e991ab-6627-4b87-8377-88d9b44eda0a",
+            "customer_master_key_spec": "SYMMETRIC_DEFAULT",
+            "deletion_window_in_days": 10,
+            "description": "Parameter store kms master key (Chamber CLI)",
+            "enable_key_rotation": true,
+            "id": "d9e991ab-6627-4b87-8377-88d9b44eda0a",
+            "is_enabled": true,
+            "key_id": "d9e991ab-6627-4b87-8377-88d9b44eda0a",
+            "key_usage": "ENCRYPT_DECRYPT",
+            "policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::947651631655:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
+            "tags": null
+          },
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_s3_bucket",
+      "name": "production",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "acceleration_status": "",
+            "acl": "private",
+            "arn": "arn:aws:s3:::net-worth-monitor-terraform-production",
+            "bucket": "net-worth-monitor-terraform-production",
+            "bucket_domain_name": "net-worth-monitor-terraform-production.s3.amazonaws.com",
+            "bucket_prefix": null,
+            "bucket_regional_domain_name": "net-worth-monitor-terraform-production.s3.amazonaws.com",
+            "cors_rule": [],
+            "force_destroy": false,
+            "hosted_zone_id": "Z3AQBSTGFYJSTF",
+            "id": "net-worth-monitor-terraform-production",
+            "lifecycle_rule": [],
+            "logging": [],
+            "object_lock_configuration": [],
+            "policy": null,
+            "region": "us-east-1",
+            "replication_configuration": [],
+            "request_payer": "BucketOwner",
+            "server_side_encryption_configuration": [],
+            "tags": {
+              "Name": "S3 Remote Terraform State Store for production"
+            },
+            "versioning": [
+              {
+                "enabled": true,
+                "mfa_delete": false
+              }
+            ],
+            "website": [],
+            "website_domain": null,
+            "website_endpoint": null
+          },
+          "private": "bnVsbA=="
+        }
+      ]
+    }
+  ]
+}

data/templates/terraform-production.tfvars.erb

@@ -0,0 +1,4 @@
+name        = "<%= app_config.slugified_name %>"
+short_name  = "<%= app_config.short_name %>"
+github_org  = "<%= app_config.github_org %>"
+github_repo = "<%= app_config.github_repo %>"

data/templates/terraform-shared.tfvars.erb

@@ -0,0 +1 @@
+name = "<%= app_config.slugified_name %>"