@AlexMikhalev
Forked from GavinRay97/Pulumi.production.yaml
Created August 1, 2022 17:50
Deploy Hasura on Fargate, including creating a Route53 Domain w/ Cert Manager certificate, and Load Balancer configured for HTTPS on new domain

import * as pulumi from '@pulumi/pulumi'
import * as awsx from '@pulumi/awsx'
import * as aws from '@pulumi/aws'

// Import our Pulumi configuration.
const config = new pulumi.Config()
const HASURA_GRAPHQL_DATABASE_URL = config.requireSecret(
  'HASURA_GRAPHQL_DATABASE_URL'
)

/**
 * ========================
 * AWS Certificate Manager
 * Provision certs for Route53 Domain (used for HTTPS later)
 * ========================
 */
const certCertificate = new aws.acm.Certificate('cert', {
  domainName: 'mysite.com',
  validationMethod: 'DNS',
})

// Look up the existing public hosted zone for the domain.
const zone = pulumi.output(
  aws.route53.getZone(
    {
      name: 'mysite.com.',
      privateZone: false,
    },
    { async: true }
  )
)

// DNS record that proves control of the domain to ACM.
const certValidation = new aws.route53.Record('cert_validation', {
  name: certCertificate.domainValidationOptions[0].resourceRecordName,
  records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
  ttl: 60,
  type: certCertificate.domainValidationOptions[0].resourceRecordType,
  zoneId: zone.zoneId!,
})

// Completes only once ACM has seen the validation record and issued the certificate.
const certCertificateValidation = new aws.acm.CertificateValidation('cert', {
  certificateArn: certCertificate.arn,
  validationRecordFqdns: [certValidation.fqdn],
})

/**
 * ========================
 * Application Load Balancer
 * ========================
 */

/**
 * Run the service over HTTPS, terminating SSL at the load balancer and forwarding to port 8080 on the container.
 *
 * [NOTE]:
 * In order to run the service over HTTPS, you’ll need to have obtained an SSL certificate from AWS Certificate Manager that corresponds with the domain you plan to use for
 * the service.
 *
 * Provided you’ve obtained that certificate, it’s defined in the same AWS region as the one you’ve configured for your Pulumi stack, and you’re able to make changes to
 * the DNS records for the domain associated with the certificate, then updating the Pulumi program is easy — just change the listener declaration to use TLS and port 443, and add a
 * certificateArn property to apply the certificate.
 *
 * [Ref]: https://www.pulumi.com/blog/run-your-own-rss-server/
 */
const listener = new awsx.lb.NetworkLoadBalancer('lb')
  .createTargetGroup('group', { port: 8080, protocol: 'TCP' })
  .createListener('listener', {
    port: 443,
    protocol: 'TLS',
    // ARN of the AWS Certificate Manager certificate for mysite.com.
    // Taken from the CertificateValidation resource so the listener is only
    // created after DNS validation has completed and the certificate is issued.
    certificateArn: certCertificateValidation.certificateArn,
  })

/**
 * ========================
 * Fargate Service
 * ========================
 */

// Get the default VPC and ECS Cluster for your account.
const cluster = awsx.ecs.Cluster.getDefault()

// Create a Fargate service consisting of just one container instance
const service = new awsx.ecs.FargateService('service', {
  cluster,
  desiredCount: 1,
  taskDefinitionArgs: {
    containers: {
      service: {
        image: 'hasura/graphql-engine:v1.3.0-beta.2',
        portMappings: [listener],
        environment: [
          // NOTE: 'my_secret' is a placeholder. Load the real admin secret with
          // config.requireSecret(), as is done for HASURA_GRAPHQL_DATABASE_URL,
          // instead of hard-coding it in source.
          { name: 'HASURA_GRAPHQL_ADMIN_SECRET', value: 'my_secret' },
          { name: 'HASURA_GRAPHQL_ENABLE_ALLOWLIST', value: 'true' },
          // With the console enabled, the admin secret is what protects it.
          { name: 'HASURA_GRAPHQL_ENABLE_CONSOLE', value: 'true' },
          { name: 'HASURA_GRAPHQL_UNAUTHORIZED_ROLE', value: 'anonymous' },
          {
            name: 'HASURA_GRAPHQL_DATABASE_URL',
            value: HASURA_GRAPHQL_DATABASE_URL,
          },
        ],
      },
    },
  },
})

// Export the publicly accessible URL. The listener speaks TLS on port 443, so the scheme is https.
// The hostname here is the load balancer's own DNS name; the certificate is issued for mysite.com,
// so clients need a DNS record for mysite.com pointing at the load balancer for the name to match.
export const url = pulumi.interpolate`https://${listener.endpoint.hostname}:${listener.endpoint.port}`

config:
  aws:region: us-east-2
  my-project:HASURA_GRAPHQL_DATABASE_URL:
    secure: <snipped>