ワンライナースクリプト
#######################################
# VPC
#######################################
# Single VPC that every subnet below is carved out of.
# The /16 leaves room well beyond the four /24 subnets defined in this file.
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "sample"
  }
}
# Subnets: one public and one private subnet per AZ (1a / 1c).
# "public" here only means the subnet is later associated with the IGW route
# table; map_public_ip_on_launch is left at its default (false), so nothing
# gets a public address unless a resource explicitly asks for one.
resource "aws_subnet" "public_0" {
  vpc_id            = aws_vpc.example.id
  availability_zone = "ap-northeast-1a"
  cidr_block        = "10.0.1.0/24"
}

resource "aws_subnet" "public_1" {
  vpc_id            = aws_vpc.example.id
  availability_zone = "ap-northeast-1c"
  cidr_block        = "10.0.2.0/24"
}

# Private subnets hold the ECS tasks; their only route out is the NAT gateway
# in the matching AZ (see the aws_route.private_* resources below).
resource "aws_subnet" "private_0" {
  vpc_id            = aws_vpc.example.id
  availability_zone = "ap-northeast-1a"
  cidr_block        = "10.0.101.0/24"
}

resource "aws_subnet" "private_1" {
  vpc_id            = aws_vpc.example.id
  availability_zone = "ap-northeast-1c"
  cidr_block        = "10.0.102.0/24"
}
# Internet gateway for the public subnets.
resource "aws_internet_gateway" "example" {
  vpc_id = aws_vpc.example.id
}

# One Elastic IP per NAT gateway. The explicit depends_on on the IGW follows
# the AWS/provider guidance that an EIP used by a NAT gateway should not be
# allocated before the VPC has an internet gateway attached.
resource "aws_eip" "nat_gateway_0" {
  vpc        = true
  depends_on = [aws_internet_gateway.example]
}

resource "aws_eip" "nat_gateway_1" {
  vpc        = true
  depends_on = [aws_internet_gateway.example]
}

# One NAT gateway per AZ, each placed in the public subnet of its own AZ so a
# single-AZ outage does not take away egress from the other private subnet.
resource "aws_nat_gateway" "nat_gateway_0" {
  subnet_id     = aws_subnet.public_0.id
  allocation_id = aws_eip.nat_gateway_0.id
  depends_on    = [aws_internet_gateway.example]
}

resource "aws_nat_gateway" "nat_gateway_1" {
  subnet_id     = aws_subnet.public_1.id
  allocation_id = aws_eip.nat_gateway_1.id
  depends_on    = [aws_internet_gateway.example]
}
# Route tables: a dedicated one per private subnet (each pointing at its own
# AZ's NAT gateway) and a single shared one for both public subnets.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.example.id
}

resource "aws_route_table" "private_0" {
  vpc_id = aws_vpc.example.id
}

resource "aws_route_table" "private_1" {
  vpc_id = aws_vpc.example.id
}

# Default route for the public subnets goes straight to the internet gateway.
resource "aws_route" "public" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.example.id
}

# Default routes for the private subnets go through the NAT gateway of the
# same AZ; these subnets never receive inbound connections from the internet.
resource "aws_route" "private_0" {
  route_table_id         = aws_route_table.private_0.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat_gateway_0.id
}

resource "aws_route" "private_1" {
  route_table_id         = aws_route_table.private_1.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat_gateway_1.id
}

# Associations: bind each subnet to the route table that matches its role.
resource "aws_route_table_association" "public_0" {
  subnet_id      = aws_subnet.public_0.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "public_1" {
  subnet_id      = aws_subnet.public_1.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private_0" {
  subnet_id      = aws_subnet.private_0.id
  route_table_id = aws_route_table.private_0.id
}

resource "aws_route_table_association" "private_1" {
  subnet_id      = aws_subnet.private_1.id
  route_table_id = aws_route_table.private_1.id
}
# Security group shared by the ALB (aws_alb.example) and the ECS tasks
# (aws_ecs_service.example network_configuration). Because both sides are
# members of the same group, every ingress rule attached to it applies to the
# tasks as well as to the load balancer; a separate task-only group that
# accepts traffic only from the ALB group would be the least-privilege shape.
# Rules live in the aws_security_group_rule resources below.
resource "aws_security_group" "example" {
  vpc_id = aws_vpc.example.id
  name   = "example"
}
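# Port 80 is not exposed by any ALB listener in this file (the only listener is
# HTTPS/443); the only legitimate port-80 traffic is the ALB forwarding to the
# ECS tasks (target group port 80) and their health checks. Both the ALB and
# the tasks are members of this same security group, so a self-referencing
# rule is sufficient and stops the tasks from being reachable on port 80 from
# arbitrary addresses via the previous 0.0.0.0/0 rule.
resource "aws_security_group_rule" "ingress_example_http" {
  type              = "ingress"
  security_group_id = aws_security_group.example.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  self              = true
}

# HTTPS from anywhere: this is the public entry point served by the ALB
# listener. The ECS tasks also carry this rule (shared group) but sit in
# private subnets without public IPs.
resource "aws_security_group_rule" "ingress_example_https" {
  type              = "ingress"
  security_group_id = aws_security_group.example.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# Unrestricted egress. Needed at minimum for the tasks to pull images and
# reach SSM/KMS through the NAT gateways; tighten if the workload's
# destinations are known.
resource "aws_security_group_rule" "egress_example" {
  type              = "egress"
  security_group_id = aws_security_group.example.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}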
#######################################
# Route53
#######################################
# Existing hosted zone; looked up rather than created here.
data "aws_route53_zone" "example" {
  name = "tutuz.org"
}

# Alias A record at the zone apex pointing at the ALB. evaluate_target_health
# lets Route53 consult the ALB's health when answering.
resource "aws_route53_record" "example" {
  zone_id = data.aws_route53_zone.example.id
  name    = data.aws_route53_zone.example.name
  type    = "A"

  alias {
    name                   = aws_alb.example.dns_name
    zone_id                = aws_alb.example.zone_id
    evaluate_target_health = true
  }
}
#######################################
# ACM (TLS certificate)
#######################################
# Certificate for the zone apex, validated via DNS. create_before_destroy is
# required so a replacement certificate exists before the listener's current
# one is removed.
resource "aws_acm_certificate" "example" {
  domain_name               = data.aws_route53_zone.example.name
  subject_alternative_names = []
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation record. Indexing domain_validation_options with [0] is only
# safe while subject_alternative_names stays empty (one domain -> one option).
resource "aws_route53_record" "example-test" {
  zone_id = data.aws_route53_zone.example.id
  ttl     = 60
  name    = aws_acm_certificate.example.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.example.domain_validation_options[0].resource_record_type
  records = [aws_acm_certificate.example.domain_validation_options[0].resource_record_value]
}

# Blocks until ACM has seen the validation record and issued the certificate.
resource "aws_acm_certificate_validation" "default" {
  certificate_arn         = aws_acm_certificate.example.arn
  validation_record_fqdns = [aws_route53_record.example-test.fqdn]
}
#########################################################################
# ALB
#########################################################################
# Internet-facing application load balancer spanning both public subnets.
# enable_deletion_protection is off, which suits a throwaway sample; turn it
# on for anything long-lived. No access_logs block is configured, so there is
# no request-level audit trail from the load balancer itself.
resource "aws_alb" "example" {
  name               = "web"
  load_balancer_type = "application"
  internal           = false

  subnets = [
    aws_subnet.public_0.id,
    aws_subnet.public_1.id,
  ]
  security_groups = [aws_security_group.example.id]

  idle_timeout               = 60
  enable_deletion_protection = false
}
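# HTTPS listener. ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1;
# ELBSecurityPolicy-TLS-1-2-2017-01 restricts the listener to TLS 1.2, which
# is the minimum current guidance and browsers in use at the time of this
# gist already support. The certificate comes from the ACM resource above.
resource "aws_alb_listener" "example" {
  load_balancer_arn = aws_alb.example.arn
  port              = "443"
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.example.arn
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"

  # Everything not matched by a listener rule goes to the single target group.
  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.example.arn
  }
}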
# Target group for the Fargate tasks. target_type "ip" is required for
# awsvpc networking; the ALB reaches each task's ENI on port 80 over plain
# HTTP inside the VPC.
resource "aws_alb_target_group" "example" {
  name        = "example-target"
  vpc_id      = aws_vpc.example.id
  target_type = "ip"
  protocol    = "HTTP"
  port        = 80

  # Seconds a draining target keeps receiving in-flight requests.
  deregistration_delay = 300

  health_check {
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = "/"
    matcher             = 200
    interval            = 30
    timeout             = 5
    healthy_threshold   = 5
    unhealthy_threshold = 2
  }

  depends_on = [aws_alb.example]
}
# Catch-all path rule. It forwards to the same target group as the listener's
# default action, so it does not change routing; it exists as the hook for
# adding path-specific rules later.
resource "aws_alb_listener_rule" "example" {
  listener_arn = aws_alb_listener.example.arn
  priority     = 100

  condition {
    field  = "path-pattern"
    values = ["/*"]
  }

  action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.example.arn
  }
}
#########################################################################
# ECS
#########################################################################
resource "aws_ecs_cluster" "example" {
  name = "nginx-cluster"
}

# Fargate task definition. The container definitions (image, ports, log
# driver, any secrets) live in ./example_task_definitions.json, which is not
# part of this file; only execution_role_arn is set, so the containers
# themselves run without a task role.
resource "aws_ecs_task_definition" "example" {
  family                   = "example"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.example.arn
  container_definitions    = file("./example_task_definitions.json")
}
# Fargate service running two tasks across the private subnets. Tasks get no
# public IP and reuse the ALB's security group, so whatever ingress that group
# allows applies to the task ENIs too (see aws_security_group.example).
resource "aws_ecs_service" "example" {
  name             = "example-nginx-service"
  cluster          = aws_ecs_cluster.example.arn
  task_definition  = aws_ecs_task_definition.example.arn
  launch_type      = "FARGATE"
  platform_version = "1.3.0"
  desired_count    = 2

  # Grace period before ALB health checks can mark a freshly started task unhealthy.
  health_check_grace_period_seconds = 60

  network_configuration {
    subnets = [
      aws_subnet.private_0.id,
      aws_subnet.private_1.id,
    ]
    security_groups  = [aws_security_group.example.id]
    assign_public_ip = false
  }

  load_balancer {
    container_name   = "example"
    container_port   = 80
    target_group_arn = aws_alb_target_group.example.arn
  }

  # Task definition revisions are expected to be rolled out by a deploy
  # pipeline, so Terraform ignores drift on that attribute.
  lifecycle {
    ignore_changes = [task_definition]
  }
}
#########################################################################
# CloudWatch Logs
#########################################################################
# Log group the task definition is expected to write to (the awslogs config
# is in the external JSON, not here). Seven days of retention; no customer
# managed KMS key is attached, so logs use the service default encryption.
resource "aws_cloudwatch_log_group" "for_ecs" {
  name              = "/ecs/example"
  retention_in_days = 7
}
#########################################################################
# IAM
#########################################################################
# AWS-managed baseline for the ECS task execution role (ECR pull, log writes).
data "aws_iam_policy" "ecs_task_execution_role_policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Execution policy = managed baseline + the permissions needed to resolve
# container secrets from SSM Parameter Store. resources = ["*"] grants
# ssm:GetParameters and kms:Decrypt on every parameter and key in the account;
# once the parameter path and KMS key used by the task definition are known,
# scope this statement to those ARNs.
data "aws_iam_policy_document" "ecs_task_execution" {
  source_json = data.aws_iam_policy.ecs_task_execution_role_policy.policy

  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ssm:GetParameters",
      "kms:Decrypt",
    ]
  }
}
# Trust policy: only the ECS tasks service principal may assume the role.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Task execution role and the customer-managed policy attached to it. This
# role is used by the ECS agent to start the task (pull image, fetch secrets,
# write logs); it is not the identity the application containers run as.
resource "aws_iam_role" "example" {
  name               = "example-role-ecs-task-execution"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_policy" "example" {
  name   = "example-policy-ecs-task-execution"
  policy = data.aws_iam_policy_document.ecs_task_execution.json
}

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.name
  policy_arn = aws_iam_policy.example.arn
}
# Every resource above is created in Tokyo; the subnets' availability zones
# (ap-northeast-1a / 1c) assume this region.
provider "aws" {
  region = "ap-northeast-1"
}