# ECS task family name. Used below as the task definition's `family` and as the
# prefix of the data container's name ("<family>_data").
variable "deploy_task_family" {
  type = "string"
}
# Image for the non-essential "<family>_data" container whose filesystem the
# nginx and fpm containers mount via volumesFrom. Prefer passing a digest or an
# immutable tag so that re-registering the task definition is reproducible.
variable "deploy_task_image" {
  type = "string"
}
# Single ECR repository named "unbork".
# NOTE(review): the task definition appends "/nginx" and "/php-fpm:7" to
# repository_url, which addresses repositories named "unbork/nginx" and
# "unbork/php-fpm" — neither is declared in this file; confirm they exist
# elsewhere. Consider image_tag_mutability = "IMMUTABLE" and scan-on-push if the
# provider version in use supports those arguments.
resource "aws_ecr_repository" "unbork_main" {
  name = "unbork"
}
# ECS cluster (EC2 launch type). Its name is reused as the launch configuration
# name prefix and as the ClusterName dimension of the scaling alarms below.
resource "aws_ecs_cluster" "unbork" {
  name = "unbork"
}
//variable "task_role_arn" {
// type = "string"
//}
# Task definition for the unbork service: a non-essential data-only container
# plus nginx (the only container that maps a port, 80) and php-fpm, both
# mounting the data container's volumes. No network_mode is set, so the
# provider default applies and "links" is the legacy bridge-mode wiring
# between nginx and fpm.
#
# Review notes:
#   - task_role_arn is commented out, so application code in these containers
#     has no task-scoped credentials. On EC2 launch type it can presumably
#     obtain the instance profile's credentials through the instance metadata
#     endpoint (confirm), i.e. the broad default_ecs_role permissions declared
#     further down. Prefer a dedicated, minimal task role.
#   - NR_LICENSE is set inline. The value here looks like a placeholder, but a
#     real license key in container_definitions is readable by anyone with
#     ecs:DescribeTaskDefinition. Inject it from SSM/Secrets Manager if the
#     provider version in use supports the "secrets" container field.
#   - The nginx image carries no tag (resolves to :latest) and php-fpm uses
#     the mutable ":7" tag, so the deployed code can change silently between
#     task registrations. Pin digests or immutable tags.
#   - "${...repository_url}/nginx" resolves to a repository named
#     "unbork/nginx", not the "unbork" repository declared above — confirm.
#   - The data container reserves only 4 MiB; presumably it exists solely to
#     be referenced by volumesFrom — verify.
resource "aws_ecs_task_definition" "unbork-main" {
  family = "${var.deploy_task_family}"
  // task_role_arn = "${var.task_role_arn}"
  # The heredoc below is passed verbatim to ECS as JSON; it cannot carry comments.
  container_definitions = <<EOL
[
{
"name": "${var.deploy_task_family}_data",
"image": "${var.deploy_task_image}",
"essential": false,
"memoryReservation": 4
},
{
"name": "nginx",
"image": "${aws_ecr_repository.unbork_main.repository_url}/nginx",
"essential": true,
"memoryReservation": 256,
"memory": 512,
"volumesFrom": [
{
"sourceContainer": "${var.deploy_task_family}_data",
"readOnly": false
}
],
"links": [
"fpm"
],
"portMappings": [
{
"containerPort": 80
}
]
},
{
"name": "fpm",
"image": "${aws_ecr_repository.unbork_main.repository_url}/php-fpm:7",
"essential": true,
"memoryReservation": 256,
"memory": 512,
"environment": [
{
"name": "NR_LICENSE",
"value": "Decahedron Technologies Ltd."
},
{
"name": "NR_APPNAME",
"value": "Unbork API"
}
],
"volumesFrom": [
{
"sourceContainer": "${var.deploy_task_family}_data",
"readOnly": false
}
]
}
]
EOL
}
# Internet-facing application load balancer spanning both subnets.
# NOTE(review): an internet-facing ALB needs each of its subnets to route to an
# internet gateway; no route table or association is declared in this file, so
# that depends on configuration outside it. The subnet named "internal" is used
# here as a public-facing one — confirm that is intended. Access logs and
# deletion protection are not enabled here.
resource "aws_lb" "unbork" {
  name            = "unbork-lb"
  internal        = false
  security_groups = ["${aws_security_group.public_web.id}"]

  subnets = [
    "${aws_subnet.unbork_public.id}",
    "${aws_subnet.unbork_internal.id}"
  ]
}
# HTTP target group in the unbork VPC; ECS registers the service's container
# instances into it. No health_check block is given, so provider defaults
# apply — tune path/thresholds for the nginx container if needed.
resource "aws_lb_target_group" "unbork" {
  name     = "${aws_lb.unbork.name}-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = "${aws_vpc.unbork.id}"
}
# Plaintext HTTP listener on port 80 forwarding to the target group.
# NOTE(review): this is the only listener in the file. The load balancer's
# security group also admits 443, but nothing terminates TLS here, so client
# traffic to the API is unencrypted. Add an HTTPS listener with an ACM
# certificate and redirect 80 -> 443 if that is the intended exposure.
resource "aws_lb_listener" "unbork" {
  load_balancer_arn = "${aws_lb.unbork.arn}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    target_group_arn = "${aws_lb_target_group.unbork.arn}"
    type             = "forward"
  }
}
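# ECS service that keeps one copy of the task running on the EC2 cluster and
# registers it with the ALB target group.
#
# Fix: the load_balancer mapping must name a container that maps the given port
# in the task definition. Only the "nginx" container declares portMappings
# (containerPort 80); "fpm" exposes no port, so ECS rejects a mapping of
# fpm:80 and the service cannot be created. The mapping now targets nginx.
resource "aws_ecs_service" "unbork-main" {
  name            = "unbork-main"
  task_definition = "${aws_ecs_task_definition.unbork-main.arn}"
  cluster         = "${aws_ecs_cluster.unbork.id}"
  desired_count   = 1
  launch_type     = "EC2"

  # Service-linked role of one specific account, hard-coded by ARN. This pins
  # the configuration to that account; building the ARN from
  # data.aws_caller_identity (or omitting iam_role where the provider falls
  # back to an existing service-linked role) avoids that. The custom
  # default_ecs_role declared below also trusts ecs.amazonaws.com but is not
  # what this service uses.
  iam_role = "arn:aws:iam::124707869253:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"

  load_balancer {
    container_name   = "nginx"
    container_port   = 80
    target_group_arn = "${aws_lb_target_group.unbork.arn}"
  }
}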
# Latest Canonical Ubuntu 14.04 (trusty) HVM AMI.
# NOTE(review):
#   - most_recent with a wildcard name is unpinned: every plan after Canonical
#     publishes a new image will propose replacing the launch configuration.
#     Pin a specific image name/ID for reproducible, reviewable rollouts.
#   - 14.04 is an end-of-life release; move to a supported base.
#   - A stock Ubuntu AMI does not ship the ECS agent, and nothing in this file
#     installs it or sets ECS_CLUSTER, so instances will not join the cluster
#     unless that is done out of band (e.g. a baked image) — confirm.
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}
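# Launch configuration for the ECS container instances.
#
# Fix: a launch configuration still referenced by an autoscaling group cannot
# be deleted, so any change (for example a new AMI from the unpinned data
# source above) fails to apply with the default destroy-then-create order.
# create_before_destroy creates the replacement first and lets the ASG switch
# over; name_prefix already keeps the generated names unique.
#
# NOTE(review):
#   - No user_data registers the instance with the cluster (ECS_CLUSTER) and a
#     stock Ubuntu AMI has no ECS agent — see data.aws_ami.ubuntu.
#   - No security_groups are set, so the instances presumably get the VPC's
#     default security group (confirm); the only SG in this file is attached
#     to the load balancer.
#   - /dev/xvdcz is the conventional Docker storage device on ECS-optimized
#     images; on plain Ubuntu it is just an extra unformatted volume unless
#     something configures it. Neither volume is encrypted here; the
#     `encrypted` argument is available on block devices in newer provider
#     versions.
resource "aws_launch_configuration" "unbork" {
  name_prefix          = "${format("%s-", aws_ecs_cluster.unbork.name)}"
  image_id             = "${data.aws_ami.ubuntu.id}"
  instance_type        = "t2.small"
  iam_instance_profile = "${aws_iam_instance_profile.default_ecs.name}"

  root_block_device {
    volume_type = "gp2"
    volume_size = 25
  }

  ebs_block_device {
    device_name = "/dev/xvdcz"
    volume_type = "gp2"
    volume_size = 30
  }

  lifecycle {
    create_before_destroy = true
  }
}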
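# Autoscaling group of container instances (1..4), driven by the scale_up /
# scale_down policies below.
#
# Fix: with only availability_zones set, instances are launched into the
# account's default subnets (default VPC), whereas the ALB and target group
# live in aws_vpc.unbork; instance targets outside the target group's VPC
# cannot be registered, so the ECS service would never become healthy. The
# group now launches into the VPC's own subnets, which sit in eu-west-2a/2b —
# the zones previously listed.
#
# NOTE(review): the instances still need a route to the ECS/ECR endpoints
# (public IP + IGW route, or NAT); no route table or NAT is declared in this
# file, so that must exist elsewhere.
resource "aws_autoscaling_group" "unbork_scale" {
  launch_configuration = "${aws_launch_configuration.unbork.name}"
  max_size             = 4
  min_size             = 1
  desired_capacity     = 1
  termination_policies = ["OldestLaunchConfiguration", "Default"]

  vpc_zone_identifier = [
    "${aws_subnet.unbork_public.id}",
    "${aws_subnet.unbork_internal.id}"
  ]

  tag {
    key                 = "Name"
    value               = "Unbork ASG"
    propagate_at_launch = true
  }
}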
# Adds one instance per alarm trigger, with a 5-minute cooldown. Both the
# cpu_high and memory_high alarms invoke this policy.
resource "aws_autoscaling_policy" "scale_up" {
  adjustment_type        = "ChangeInCapacity"
  autoscaling_group_name = "${aws_autoscaling_group.unbork_scale.name}"
  name                   = "unbork-scaleup"
  scaling_adjustment     = 1
  cooldown               = 300
}
# Removes one instance per alarm trigger, with a 5-minute cooldown. Both the
# cpu_low and memory_low alarms invoke this policy; min_size on the group
# bounds how far it can shrink.
resource "aws_autoscaling_policy" "scale_down" {
  adjustment_type        = "ChangeInCapacity"
  autoscaling_group_name = "${aws_autoscaling_group.unbork_scale.name}"
  name                   = "unbork-scaledown"
  scaling_adjustment     = -1
  cooldown               = 300
}
# Scale up when the cluster's CPU reservation (Maximum over 5 min) is >= 90%
# for two consecutive periods, i.e. 10 minutes.
resource "aws_cloudwatch_metric_alarm" "cpu_high" {
  alarm_name          = "unbork-cpureservation-high"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 2
  metric_name         = "CPUReservation"
  namespace           = "AWS/ECS"
  period              = 300
  threshold           = 90
  statistic           = "Maximum"

  dimensions {
    ClusterName = "${aws_ecs_cluster.unbork.name}"
  }

  alarm_description = "Scale up if the CPU reservation is above 90% for more than 10 minutes"
  alarm_actions     = ["${aws_autoscaling_policy.scale_up.arn}"]
}
# Scale up when the cluster's memory reservation (Maximum over 5 min) is >= 90%
# for two consecutive periods (10 minutes). The explicit depends_on serialises
# creation after cpu_high; there is no data dependency between the two.
resource "aws_cloudwatch_metric_alarm" "memory_high" {
  alarm_name          = "unbork-memoryreservation-high"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 2
  metric_name         = "MemoryReservation"
  namespace           = "AWS/ECS"
  period              = 300
  threshold           = 90
  statistic           = "Maximum"

  dimensions {
    ClusterName = "${aws_ecs_cluster.unbork.name}"
  }

  alarm_description = "Scale up if the memory reservation is above 90% for more than 10 minutes"
  alarm_actions     = ["${aws_autoscaling_policy.scale_up.arn}"]
  depends_on        = ["aws_cloudwatch_metric_alarm.cpu_high"]
}
# Scale down when the cluster's CPU reservation (Maximum over 5 min) is <= 20%
# for two consecutive periods (10 minutes).
resource "aws_cloudwatch_metric_alarm" "cpu_low" {
  alarm_name          = "unbork-cpureservation-low"
  comparison_operator = "LessThanOrEqualToThreshold"
  evaluation_periods  = 2
  metric_name         = "CPUReservation"
  namespace           = "AWS/ECS"
  period              = 300
  threshold           = 20
  statistic           = "Maximum"

  dimensions {
    ClusterName = "${aws_ecs_cluster.unbork.name}"
  }

  alarm_description = "Scale down if the CPU reservation is below 20% for more than 10 minutes"
  alarm_actions     = ["${aws_autoscaling_policy.scale_down.arn}"]
}
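# Scale down when the cluster's memory reservation (Maximum over 5 min) is
# <= 20% for two consecutive periods (10 minutes).
#
# Fix: the alarm description said "Scale up" although the alarm invokes the
# scale_down policy; the operator-facing text now matches the action. The
# explicit depends_on serialises creation after cpu_low; there is no data
# dependency between the two.
resource "aws_cloudwatch_metric_alarm" "memory_low" {
  alarm_name          = "unbork-memoryreservation-low"
  comparison_operator = "LessThanOrEqualToThreshold"
  evaluation_periods  = 2
  metric_name         = "MemoryReservation"
  namespace           = "AWS/ECS"
  period              = 300
  threshold           = 20
  statistic           = "Maximum"

  dimensions {
    ClusterName = "${aws_ecs_cluster.unbork.name}"
  }

  alarm_description = "Scale down if the memory reservation is below 20% for more than 10 minutes"
  alarm_actions     = ["${aws_autoscaling_policy.scale_down.arn}"]
  depends_on        = ["aws_cloudwatch_metric_alarm.cpu_low"]
}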
# IAM role assumed by both the ECS control plane and the EC2 container
# instances.
# NOTE(review): one role serving both trust relationships means every container
# instance (and, without a task role, every container on it) inherits the
# ECS service-role permissions attached below (ELB registration,
# ec2:AuthorizeSecurityGroupIngress). Least privilege calls for two roles: an
# instance role trusted by ec2.amazonaws.com and a service role trusted by
# ecs.amazonaws.com — and the ECS service in this file uses the service-linked
# role anyway, so the ecs.amazonaws.com trust may be unnecessary. The policy
# document uses the older "2008-10-17" language version; "2012-10-17" is the
# current one.
resource "aws_iam_role" "default_ecs_role" {
  name = "ecs-role-unbork-prod"

  assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ecs.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Effect": "Allow"
}
]
}
EOF
}
# Permissions the ECS service scheduler needs to (de)register instances with
# a load balancer — inline on the shared role.
# NOTE(review): because the same role is the instance role, any process on a
# container instance can call ec2:AuthorizeSecurityGroupIngress on every
# security group in the account ("Resource": "*"), i.e. open inbound ports on
# arbitrary groups. Move this policy to a dedicated service role, or drop it if
# the service-linked role is used (as aws_ecs_service.unbork-main does).
resource "aws_iam_role_policy" "default_ecs_service_role_policy" {
  name = "ecs-service-role-policy-unbork-prod"
  role = "${aws_iam_role.default_ecs_role.id}"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
],
"Resource": "*"
}
]
}
EOF
}
# Permissions for the ECS agent on the container instances: cluster
# registration/polling, ECR image pulls and CloudWatch Logs writes.
# NOTE(review):
#   - "autoscaling:*" on "*" lets any instance (or container without a task
#     role) modify every autoscaling group in the account; nothing in this
#     file shows the instances needing it. Scope it to the actions actually
#     used and to aws_autoscaling_group.unbork_scale.
#   - "ecs:StartTask" on "*" lets an instance start arbitrary task definitions
#     on any cluster; the agent itself does not need it.
#   - The logs statement is account-wide; restricting it to the service's log
#     group ARN is the usual hardening.
resource "aws_iam_role_policy" "default_ecs_instance_role_policy" {
  name = "ecs-instance-role-policy-unbork-prod"
  role = "${aws_iam_role.default_ecs_role.id}"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCluster",
"ecs:DeregisterContainerInstance",
"ecs:DiscoverPollEndpoint",
"ecs:Poll",
"ecs:RegisterContainerInstance",
"ecs:StartTelemetrySession",
"ecs:Submit*",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecs:StartTask",
"autoscaling:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
EOF
}
# Instance profile wrapping default_ecs_role; referenced by the launch
# configuration, so every container instance runs with that role.
resource "aws_iam_instance_profile" "default_ecs" {
  name = "ecs-instance-profile-unbork-prod"
  path = "/"
  role = "${aws_iam_role.default_ecs_role.name}"
}
# Production VPC (10.0.0.0/16) holding the load balancer, target group and
# subnets below. No VPC flow logs are declared in this file.
resource "aws_vpc" "unbork" {
  cidr_block = "10.0.0.0/16"

  tags {
    Name = "Unbork Prod"
  }
}
# Internet gateway attached to the VPC.
# NOTE(review): nothing in this file creates a route table with a default route
# to this gateway or associates one with the subnets, so on its own it does
# not make any subnet public — confirm that routing exists elsewhere.
resource "aws_internet_gateway" "unbork_igw" {
  vpc_id = "${aws_vpc.unbork.id}"

  tags {
    Name = "Unbork Main IGW"
  }
}
# Subnet in eu-west-2a, used by the internet-facing ALB. Whether it is actually
# "public" depends on a route-table association not present in this file;
# map_public_ip_on_launch is not set, so instances here get no public IP by
# default.
resource "aws_subnet" "unbork_public" {
  cidr_block        = "10.0.1.0/24"
  vpc_id            = "${aws_vpc.unbork.id}"
  availability_zone = "eu-west-2a"
}
# Subnet in eu-west-2b. Despite the name it is listed as a subnet of the
# internet-facing ALB (aws_lb.unbork), which requires a route to the internet
# gateway — confirm that is intended, or give the ALB a second genuinely
# public subnet instead.
resource "aws_subnet" "unbork_internal" {
  cidr_block        = "10.0.2.0/24"
  vpc_id            = "${aws_vpc.unbork.id}"
  availability_zone = "eu-west-2b"
}
# Security group attached only to the load balancer (aws_lb.unbork).
# NOTE(review):
#   - 443 is open to the world but no HTTPS listener exists in this file, so
#     that rule is currently dead; add a TLS listener or remove the rule.
#   - 80 is the only live ingress and carries plaintext HTTP.
#   - Egress is unrestricted; an ALB only needs to reach its targets, so this
#     could be limited to the VPC CIDR / the instances' security group.
#   - The container instances get no security group from this file, so their
#     exposure (including whether the ALB can reach port 80 on them) is
#     decided by whatever default applies — verify.
resource "aws_security_group" "public_web" {
  name        = "public_web"
  description = "Allow HTTP traffic from everywhere"
  vpc_id      = "${aws_vpc.unbork.id}"

  ingress {
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    protocol    = "tcp"
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}