Terraform for running the Restate runtime (v0.5.0) on ECS Fargate with EFS-backed persistent storage
# Restate runtime
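# CloudWatch log group that receives the container's stdout/stderr through the
# awslogs driver configured in the task definition.
resource "aws_cloudwatch_log_group" "restate_runtime" {
  name = "/ecs/restate-runtime-task"

  # Bound retention. The original omitted this attribute, so log events were
  # kept forever; a bounded value also limits how long anything accidentally
  # logged (request payloads, identifiers) stays exposed. Tune to your policy.
  retention_in_days = 30

  tags = {
    Name = "restate-runtime-task"
  }
}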
# ECS cluster that hosts the single restate-runtime Fargate service.
resource "aws_ecs_cluster" "restate_runtime" {
  name = "restate-runtime"
}
# Region of the configured provider; only used to point the awslogs driver at
# the log group's region.
data "aws_region" "current" {
}
# Execution role: assumed by the ECS agent (not by the container) to pull the
# image and deliver logs. Its permissions come from the managed policy attached
# in aws_iam_role_policy_attachment.restate_runtime_task_execution_role.
resource "aws_iam_role" "restate_runtime_task_execution_role" {
  name = "restate-runtime-task-execution-role"

  # Trust policy: only the ECS tasks service principal may assume this role.
  # Same document as before, expressed with jsonencode instead of a heredoc.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
      },
    ]
  })
}
# Attach the AWS-managed baseline for task execution (image pull and log
# delivery) to the execution role.
resource "aws_iam_role_policy_attachment" "restate_runtime_task_execution_role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  role       = aws_iam_role.restate_runtime_task_execution_role.name
}
# Task role: the identity the Restate container itself runs with, i.e. what the
# runtime is allowed to call out to. Distinct from the execution role above.
resource "aws_iam_role" "restate_runtime_task_role" {
name = "restate-runtime-task-role"
# Presumably lets the runtime invoke Lambda functions that serve Restate
# deployments (inferred from the policy name and action; confirm against the
# deployments you register).
inline_policy {
name = "lambda"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["lambda:InvokeFunction"]
Effect = "Allow"
# NOTE(review): "*" permits invoking every Lambda function this role can reach,
# including ones unrelated to Restate. Once the deployment functions are known,
# scope this to their ARNs or a name prefix, e.g.
# arn:aws:lambda:<region>:<account>:function:<prefix>-* (placeholders).
Resource = "*"
},
]
})
}
# Permissions for ECS Exec (the service sets enable_execute_command = true): the
# SSM agent inside the task opens control/data channels to Systems Manager.
# These ssmmessages actions do not support resource-level scoping in AWS's
# documented ECS Exec policy, so "*" is expected here.
inline_policy {
name = "exec"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
]
Effect = "Allow"
Resource = "*"
},
]
})
}
# Trust policy: only the ECS tasks service principal may assume this role.
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
# Enumerate the usable AZs in the region. Only the first entry is consumed: by
# the EFS file system (names[0]) and by the subnet lookup (zone_ids[0]).
data "aws_availability_zones" "available" {
  state = "available"
}
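# EFS file system that backs the runtime's persistent state (mounted at /target
# in the task definition).
resource "aws_efs_file_system" "restate_runtime" {
  # Pinning availability_zone_name creates a One Zone file system: cheaper, but
  # the data lives in a single AZ, so losing that AZ loses the state. Acceptable
  # for a dev/test deployment; use a regional file system for anything durable.
  availability_zone_name = data.aws_availability_zones.available.names[0]
  throughput_mode        = "elastic"

  # Encrypt at rest with the AWS-managed EFS key. The original left this unset,
  # i.e. unencrypted. NOTE: encryption cannot be toggled on an existing file
  # system, so applying this to an already-deployed stack replaces it — migrate
  # the data first.
  encrypted = true
}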
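# Security group on the EFS mount target: NFS (2049) only, and only from ENIs
# that carry the Restate task's security group.
resource "aws_security_group" "restate_runtime_efs" {
  name        = "restate-runtime-efs"
  description = "Allow inbound traffic to EFS mount target"
  vpc_id      = data.aws_vpc.default_vpc.id

  ingress {
    description = "EFS mount target"
    from_port   = 2049
    to_port     = 2049
    protocol    = "tcp"
    # Source is the task's security group rather than the subnet CIDR the
    # original used. In the default VPC that CIDR admits every other workload in
    # the subnet, which could then mount the file system and read/alter state.
    security_groups = [aws_security_group.restate_runtime.id]
  }

  # No egress block on purpose: the AWS provider then removes the default
  # allow-all egress rule, which is fine for a mount target (NFS replies use
  # the established connection).
}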
# Mount target for the file system in the chosen subnet, guarded by the EFS
# security group defined above.
resource "aws_efs_mount_target" "restate_runtime" {
  subnet_id       = data.aws_subnet.az1.id
  file_system_id  = aws_efs_file_system.restate_runtime.id
  security_groups = [aws_security_group.restate_runtime_efs.id]
}
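# Fargate task definition for the Restate runtime: one ARM64 container with an
# EFS volume for state and awslogs for output.
resource "aws_ecs_task_definition" "restate_runtime" {
  family                   = "restate-runtime"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = 512
  memory                   = 3072
  execution_role_arn       = aws_iam_role.restate_runtime_task_execution_role.arn
  task_role_arn            = aws_iam_role.restate_runtime_task_role.arn

  runtime_platform {
    cpu_architecture        = "ARM64"
    operating_system_family = "LINUX"
  }

  container_definitions = jsonencode([
    {
      name = "restate-runtime-container"
      # Pinned to a release tag. Registry tags are mutable; pin to the image
      # digest (image@sha256:...) if you need a reproducible, tamper-evident
      # deployment.
      image     = "ghcr.io/restatedev/restate:0.5.0"
      essential = true

      environment = [
        { name = "RUST_LOG", value = "info" },
        { name = "RESTATE_OBSERVABILITY__LOG__FORMAT", value = "Json" },
      ]

      # awsvpc mode: hostPort must equal containerPort. Mapping a port here does
      # not expose it; reachability is decided by the task's security group.
      portMappings = [
        for port in [8080, 9070, 9071, 9072] : {
          protocol      = "tcp"
          containerPort = port
          hostPort      = port
        }
      ]

      mountPoints = [
        {
          sourceVolume  = "restate-runtime-storage"
          containerPath = "/target"
          readOnly      = false
        }
      ]

      logConfiguration = {
        logDriver = "awslogs"
        options = {
          awslogs-group         = aws_cloudwatch_log_group.restate_runtime.name
          awslogs-stream-prefix = "ecs"
          awslogs-region        = data.aws_region.current.name
        }
      }
    }
  ])

  volume {
    name = "restate-runtime-storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.restate_runtime.id
      # Encrypt NFS traffic between the task and the mount target (TLS via the
      # EFS mount helper). The original left this disabled, so runtime state
      # crossed the subnet in clear text. Needs Fargate platform 1.4.0 or later,
      # which the service's default platform version (LATEST) provides.
      transit_encryption = "ENABLED"
    }
  }
}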
# Everything is placed in the account's default VPC. NOTE(review): default-VPC
# subnets are public (route to an internet gateway), which is presumably why the
# service assigns a public IP; a dedicated VPC with private subnets and a NAT
# gateway would be the hardened layout.
data "aws_vpc" "default_vpc" {
  default = true
}
# The default-VPC subnet in the first available AZ. This is assumed to be the
# same zone as availability_zones.names[0] (the data source returns names and
# zone_ids in matching order), which the EFS file system is pinned to.
data "aws_subnet" "az1" {
  availability_zone_id = data.aws_availability_zones.available.zone_ids[0]
  vpc_id               = data.aws_vpc.default_vpc.id
}
# Runs exactly one Restate task. min-healthy 0 / max 100 makes a deployment stop
# the old task before starting the new one — presumably so two tasks never
# mount the same EFS state volume at once.
resource "aws_ecs_service" "restate-runtime" {
  name            = "restate-runtime"
  cluster         = aws_ecs_cluster.restate_runtime.name
  task_definition = aws_ecs_task_definition.restate_runtime.arn
  launch_type     = "FARGATE"

  desired_count                      = 1
  scheduling_strategy                = "REPLICA"
  deployment_minimum_healthy_percent = 0
  deployment_maximum_percent         = 100

  # ECS Exec (shell into the container through SSM). The task role's "exec"
  # inline policy grants the ssmmessages calls this needs.
  enable_execute_command = true

  network_configuration {
    subnets         = [data.aws_subnet.az1.id]
    security_groups = [aws_security_group.restate_runtime.id]
    # A public IP lets the task pull from ghcr.io from a default-VPC subnet that
    # has no NAT, but it also makes every port the security group opens
    # reachable from the internet.
    assign_public_ip = true
  }
}
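# Security group on the task's ENI. The HTTP ingress port (8080) stays public;
# the admin/internal ports (9070-9072) are reachable only from inside the VPC.
resource "aws_security_group" "restate_runtime" {
  name        = "restate-runtime"
  description = "Allow inbound traffic to restate ports"
  vpc_id      = data.aws_vpc.default_vpc.id

  ingress {
    description = "ingress"
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    # Public service-invocation endpoint. Nothing in this stack authenticates
    # callers, so front it with an ALB/API Gateway or narrow this CIDR if the
    # services it exposes are not meant to be world-callable.
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "admin (VPC only)"
    from_port   = 9070
    to_port     = 9072
    protocol    = "tcp"
    # 9070 is Restate's admin API (deployment registration and management
    # operations) and 9071-9072 are the other ports the task maps. The original
    # opened all three to 0.0.0.0/0 with no authentication in front of them,
    # which let anyone on the internet register a deployment. Limit to the VPC
    # CIDR; reach the admin API from inside the VPC or through an ECS Exec
    # shell on the task instead.
    cidr_blocks = [data.aws_vpc.default_vpc.cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}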