Deploy Hasura on Fargate, including creating a Route53 Domain w/ Cert Manager certificate, and Load Balancer configured for HTTPS on new domain

hasura-fargate-https-alb-route53-cert-pulumi.ts

import * as pulumi from '@pulumi/pulumi'
import * as awsx from '@pulumi/awsx'
import * as aws from '@pulumi/aws'

// Import our Pulumi configuration.
const config = new pulumi.Config()
const HASURA_GRAPHQL_DATABASE_URL = config.requireSecret(
  'HASURA_GRAPHQL_DATABASE_URL'
)

/**
 * ========================
 * AWS Certificate Manager
 * Provision certs for Route53 Domain (used for HTTPS later)
 * ========================
 */

 const certCertificate = new aws.acm.Certificate('cert', {
   domainName: 'mysite.com',
   validationMethod: 'DNS',
 })

 const zone = pulumi.output(
   aws.route53.getZone(
     {
       name: 'mysite.com.',
       privateZone: false,
     },
     { async: true }
   )
 )

 const certValidation = new aws.route53.Record('cert_validation', {
   name: certCertificate.domainValidationOptions[0].resourceRecordName,
   records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
   ttl: 60,
   type: certCertificate.domainValidationOptions[0].resourceRecordType,
   zoneId: zone.zoneId!,
 })

 const certCertificateValidation = new aws.acm.CertificateValidation('cert', {
   certificateArn: certCertificate.arn,
   validationRecordFqdns: [certValidation.fqdn],
 })

/**
 * ========================
 * Application Load Balancer
 * ========================
 */

/**
 * Run the service over HTTPS, terminating SSL at the load balancer and forwarding to port 8080 on the container.
 *
 * [NOTE]:
 * In order to run the service over HTTPS, you’ll need to have obtained an SSL certificate from AWS Certificate Manager that corresponds with the domain you plan to use for
 * the service.
 *
 * Provided you’ve obtained that certificate, it’s defined in the same AWS region as the one you’ve configured for your Pulumi stack, and you’re able to make changes to
 * the DNS records for the domain associated with the certificate, then updating the Pulumi program is easy — just change the listener declaration to use TLS and port 443, and add a
 * certificateArn property to apply the certificate
 *
 * [Ref]: https://www.pulumi.com/blog/run-your-own-rss-server/
 */
const listener = new awsx.lb.NetworkLoadBalancer('lb')
  .createTargetGroup('group', { port: 8080, protocol: 'TCP' })
  .createListener('listener', {
    port: 443,
    protocol: 'TLS',
    // ARN of the Amazon Cert Manager certificate for *.mysite.com
    certificateArn: certCertificate.arn,
  })

/**
 * ========================
 * Fargate Service
 * ========================
 */

// Get the default VPC and ECS Cluster for your account.
const cluster = awsx.ecs.Cluster.getDefault()

// Create a Fargate service consisting of just one container instance
const service = new awsx.ecs.FargateService('service', {
  cluster,
  desiredCount: 1,
  taskDefinitionArgs: {
    containers: {
      service: {
        image: 'hasura/graphql-engine:v1.3.0-beta.2',
        portMappings: [listener],
        environment: [
          { name: 'HASURA_GRAPHQL_ADMIN_SECRET', value: 'my_secret' },
          { name: 'HASURA_GRAPHQL_ENABLE_ALLOWLIST', value: 'true' },
          { name: 'HASURA_GRAPHQL_ENABLE_CONSOLE', value: 'true' },
          { name: 'HASURA_GRAPHQL_UNAUTHORIZED_ROLE', value: 'anonymous' },
          {
            name: 'HASURA_GRAPHQL_DATABASE_URL',
            value: HASURA_GRAPHQL_DATABASE_URL,
          },
        ],
      },
    },
  },
})

// Export the publicly accessible URL.
export const url = pulumi.interpolate`http://${listener.endpoint.hostname}:${listener.endpoint.port}`

Pulumi.production.yaml

config:
  aws:region: us-east-2
  my-project:HASURA_GRAPHQL_DATABASE_URL:
    secure: <snipped>

Pulumi.staging.yaml

config:
  aws:region: us-east-2
  my-project:HASURA_GRAPHQL_DATABASE_URL:
    secure: <snipped>