# ECS cluster hosting the non-production web services.
# Both Fargate capacity providers are attached so that services in this
# cluster can choose between on-demand (FARGATE) and spot (FARGATE_SPOT)
# capacity in their own capacity_provider_strategy.
# NOTE(review): newer AWS provider releases deprecate this attribute in favour
# of a separate aws_ecs_cluster_capacity_providers resource — confirm the
# provider version pinned for this stack.
resource "aws_ecs_cluster" "nonprod-web" {
  capacity_providers = ["FARGATE", "FARGATE_SPOT"]
  name               = "nonprod-cluster"
}
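# CloudWatch log group that the task's awslogs driver writes to.
resource "aws_cloudwatch_log_group" "web-api-dev" {
  name = "/ecs/web-api-dev-task"

  # Without a retention period CloudWatch keeps these dev logs indefinitely,
  # which is both a cost and a data-retention concern.  30 days is a
  # reasonable starting point for a non-prod environment — adjust to policy.
  retention_in_days = 30

  # Same tag set as the other resources in this stack.
  tags = {
    "application-id"          = "main-app"
    "environment-id"          = "non-prod"
    "environment-specific-id" = "dev"
    "api-name"                = "api"
  }
}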
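# Fargate task definition for the dev web API container.
#
# The container definition is built with jsonencode() rather than a raw
# heredoc so Terraform validates the structure at plan time.  The many
# explicit `null` fields from the console export have been dropped — an
# omitted field and a null field mean the same thing to ECS.
resource "aws_ecs_task_definition" "web-api-dev" {
  family                   = "web-api-dev"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"

  # Task-level sizing; Fargate only accepts supported cpu/memory pairs.
  # Previous values were 256 (.25 vCPU) / 512 MiB.
  cpu    = 512
  memory = 1024

  # Execution role: used by the ECS agent to pull the image and ship logs.
  # Task role: the permissions the application code itself runs with.
  # "xxx" is the redacted account id carried over from the original snippet.
  execution_role_arn = "arn:aws:iam::xxx:role/ecsTaskExecutionRole"
  task_role_arn      = "arn:aws:iam::xxx:role/aws-ecs-api-role"

  container_definitions = jsonencode([
    {
      name = "web-api-dev"
      # NOTE(review): ":dev" is a mutable tag, so a redeploy may pick up a
      # different image than the one last tested; pinning a digest makes
      # deployments reproducible.
      image     = "xxx.dkr.ecr.us-east-1.amazonaws.com/web-api:dev"
      essential = true
      cpu       = 0
      # Soft memory limit; the hard limit is the task-level memory above.
      memoryReservation = 512

      # awsvpc network mode: hostPort must equal containerPort.
      portMappings = [
        {
          containerPort = 80
          hostPort      = 80
          protocol      = "tcp"
        }
      ]

      # These values are the *names* of secrets the application looks up at
      # runtime, not secret material, so they are safe as plain environment.
      environment = [
        { name = "ASPNETCORE_ENVIRONMENT", value = "Development" },
        { name = "VERSION_URL", value = "/HealthCheck/Version" },
        { name = "DB_SECRET", value = "dev/rds-api" },
        { name = "DB_HANGFIRE_SECRET", value = "dev/rds-api" },
      ]

      mountPoints = []
      volumesFrom = []

      # Reference the log group resource instead of repeating its name so the
      # two definitions cannot drift apart.
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          "awslogs-group"         = aws_cloudwatch_log_group.web-api-dev.name
          "awslogs-region"        = "us-east-1"
          "awslogs-stream-prefix" = "ecs"
        }
      }

      # Container-level health check (ECS documents these field names in
      # lowerCamelCase).  Requires curl inside the image.
      healthCheck = {
        command     = ["CMD-SHELL", "curl -f http://localhost/HealthCheck || exit 1"]
        interval    = 30
        timeout     = 5
        retries     = 2
        startPeriod = 120
      }
    }
  ])

  tags = {
    "application-id"          = "main-app"
    "environment-id"          = "non-prod"
    "environment-specific-id" = "dev"
    "api-name"                = "api"
  }
}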
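# Internet-facing application load balancer in front of the dev web API task.
# (aws_alb is the provider's alias for aws_lb; kept so existing state
# addresses and references elsewhere in this file stay valid.)
resource "aws_alb" "web-api-dev" {
  name    = "web-api-dev"
  subnets = [aws_subnet.public-subnet-1a.id, aws_subnet.public-subnet-1b.id]

  # NOTE(review): the security group's name suggests it also permits SSH,
  # which a load balancer never needs.  It is defined outside this file —
  # confirm its ingress rules are limited to 80/443.
  security_groups = [aws_security_group.allow_web_ssh.id]

  # Drop requests whose header names are not valid per the HTTP spec instead
  # of forwarding them to the targets (recommended ALB hardening).
  drop_invalid_header_fields = true

  tags = {
    "application-id"          = "main-app"
    "environment-id"          = "non-prod"
    "environment-specific-id" = "dev"
    "api-name"                = "api"
  }
}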
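# IP-mode target group for the Fargate tasks (awsvpc tasks register by IP).
resource "aws_alb_target_group" "app-dev" {
  name        = "api-target-group-dev"
  port        = 80
  protocol    = "HTTP"
  vpc_id      = aws_vpc.nonprod.id
  target_type = "ip"

  # Five failed probes one minute apart (300 s) before a task is marked
  # unhealthy, which also covers the container's 120 s startPeriod.
  # Numeric attributes are written as numbers, not quoted strings.
  health_check {
    protocol            = "HTTP"
    path                = "/HealthCheck"
    matcher             = "200"
    interval            = 60
    timeout             = 3
    healthy_threshold   = 3
    unhealthy_threshold = 5
  }

  tags = {
    "application-id"          = "main-app"
    "environment-id"          = "non-prod"
    "environment-specific-id" = "dev"
    # Was "venture"; every other resource in this stack tags the API as "api".
    "api-name" = "api"
  }

  # Explicit dependency on the ALB whose listeners attach this group.  The
  # original referenced aws_alb.web-ventureapi-dev, which is not the ALB
  # defined alongside this group and looks like a copy-paste leftover.
  depends_on = [aws_alb.web-api-dev]
}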
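# Port 80 listener.  The API is served only over HTTPS (listener
# "web-api-dev-https" below, and the CloudFront origin is https-only), so
# plaintext requests are redirected rather than forwarded to the target
# group.  Forwarding HTTP here would let any client that reaches the ALB
# directly send the API traffic — including the Authorization header — in
# the clear.
resource "aws_alb_listener" "web-api-dev" {
  load_balancer_arn = aws_alb.web-api-dev.id
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}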
# Public certificate for the API hostname, validated through DNS.
# NOTE(review): no aws_acm_certificate_validation resource or validation
# CNAME records are visible in this file, so validation presumably happens
# out of band; the HTTPS listener and the CloudFront distribution both need
# the certificate issued before they can be created.
resource "aws_acm_certificate" "cert-dev" {
  domain_name       = "api.dev.company.build"
  validation_method = "DNS"

  # Issue the replacement before destroying the current certificate so the
  # listener that uses it never points at a deleted cert.
  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Environment = "dev"
  }
}
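# Port 443 listener: terminates TLS for the API with the dev ACM certificate.
resource "aws_alb_listener" "web-api-dev-https" {
  load_balancer_arn = aws_alb.web-api-dev.id
  port              = 443
  protocol          = "HTTPS"

  # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1.  This policy
  # accepts TLS 1.2 and 1.3 only, which matches the CloudFront origin setting
  # (origin_ssl_protocols = ["TLSv1.2"]) and the viewer minimum (TLSv1.2_2019).
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # Reference the managed certificate resource (as the CloudFront distribution
  # already does) instead of a copied ARN, which silently goes stale when the
  # certificate is re-issued.  The reference also gives Terraform the ordering
  # that the previous depends_on provided.
  certificate_arn = aws_acm_certificate.cert-dev.arn

  default_action {
    target_group_arn = aws_alb_target_group.app-dev.id
    type             = "forward"
  }
}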
# ECS service that runs one copy of the dev web API task on Fargate Spot and
# registers it with the dev ALB target group.
resource "aws_ecs_service" "web-api-dev" {
  name            = "web-api-dev"
  cluster         = aws_ecs_cluster.nonprod-web.id
  task_definition = aws_ecs_task_definition.web-api-dev.arn
  desired_count   = 1

  # Replace the running tasks on every apply, not only when the task
  # definition changes.
  force_new_deployment = true

  # Spot only: tasks can be reclaimed by AWS.  Together with desired_count = 1
  # and a single subnet this is a dev-grade availability posture.
  capacity_provider_strategy {
    capacity_provider = "FARGATE_SPOT"
    weight            = 1
  }

  # Tasks run in the private subnet without public IPs, so the ALB is the
  # only ingress path.  Image pulls and log delivery presumably rely on a NAT
  # gateway or VPC endpoints defined outside this file.
  # NOTE(review): the same "allow_web_ssh" security group is reused here;
  # confirm the task SG only admits traffic from the ALB.
  network_configuration {
    assign_public_ip = false
    subnets          = [aws_subnet.private-subnet-1a.id]
    security_groups  = [aws_security_group.allow_web_ssh.id]
  }

  load_balancer {
    target_group_arn = aws_alb_target_group.app-dev.id
    container_name   = "web-api-dev"
    container_port   = 80
  }

  # Halt a failing deployment and roll back to the last stable task set.
  deployment_circuit_breaker {
    enable   = true
    rollback = true
  }
}
#################################################################
## CloudFront
#################################################################
# CloudFront distribution fronting the dev API ALB.
#
# Viewers connect to api.dev.company.build over TLS 1.2+ (plaintext is
# redirected), CloudFront connects to the ALB over HTTPS only.  API responses
# are not cached (all TTLs 0); only /logo/* assets are cached and compressed.
resource "aws_cloudfront_distribution" "api-dev" {
  enabled         = true
  is_ipv6_enabled = true
  aliases         = ["api.dev.company.build"]

  # NOTE(review): the origin hostname is a literal rather than
  # aws_alb.web-api-dev.dns_name.  CloudFront validates the origin's
  # certificate against this name, so a DNS record and matching cert for
  # api.alb.dev.build must exist outside this file — confirm.
  origin {
    domain_name = "api.alb.dev.build"
    origin_id   = "alb-api-origin"
    origin_path = ""

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Dev certificate from ACM (must be in us-east-1 for CloudFront), SNI only,
  # TLS 1.2 (2019 policy) as the minimum viewer protocol.
  viewer_certificate {
    acm_certificate_arn            = aws_acm_certificate.cert-dev.arn
    cloudfront_default_certificate = false
    minimum_protocol_version       = "TLSv1.2_2019"
    ssl_support_method             = "sni-only"
  }

  # Catch-all behaviour for the API itself: pass-through, no caching.
  # The listed headers (incl. Authorization) are forwarded to the origin and
  # become part of the cache key; cookies are not forwarded.
  default_cache_behavior {
    target_origin_id       = "alb-api-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "DELETE", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = false

    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0

    forwarded_values {
      query_string = true

      headers = [
        "Authorization",
        "Origin",
        "CloudFront-Viewer-Country-Region-Name",
        "CloudFront-Viewer-Country",
        "CloudFront-Viewer-City",
        "Accept-Encoding",
        "X-Forwarded-For",
        "User-Agent"
      ]

      cookies {
        forward = "none"
      }
    }
  }

  # Static image assets: cached for a day by default (up to a year), served
  # compressed, with the response headers policy for image assets applied.
  ordered_cache_behavior {
    path_pattern           = "/logo/*"
    target_origin_id       = "alb-api-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "DELETE", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    smooth_streaming       = false

    min_ttl     = 0
    default_ttl = 86400
    max_ttl     = 31536000

    trusted_key_groups = []
    trusted_signers    = []

    response_headers_policy_id = aws_cloudfront_response_headers_policy.static-image-assets.id

    forwarded_values {
      query_string           = false
      query_string_cache_keys = []

      headers = [
        "Access-Control-Allow-Origin",
        "Access-Control-Request-Headers",
        "Access-Control-Request-Method",
        "Authorization",
        "Origin",
        "Referer"
      ]

      cookies {
        forward           = "none"
        whitelisted_names = []
      }
    }
  }
}
#################################################################
## Route53 DNS Entry
#################################################################
# DNS alias pointing the public API hostname at the CloudFront distribution.
# Alias records carry no TTL of their own (they inherit the target's), which
# is why none is set here.
# NOTE(review): the distribution has is_ipv6_enabled = true but only an A
# record is declared; IPv6 clients need a matching AAAA alias — confirm
# whether one exists elsewhere.
resource "aws_route53_record" "web-api-dev" {
  # "xxx" is the redacted hosted zone id from the original snippet.
  zone_id = "xxx"
  name    = "api.dev.company.build"
  type    = "A"

  alias {
    evaluate_target_health = false
    name                   = aws_cloudfront_distribution.api-dev.domain_name
    zone_id                = aws_cloudfront_distribution.api-dev.hosted_zone_id
  }
}