# AWS provider. Every resource in this file is created in ap-southeast-2 (Sydney).
provider "aws" {
  region = "ap-southeast-2"
}
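# Docker Hub username for the image pull; stored in Secrets Manager below.
# No default on purpose: supply it at plan/apply time (TF_VAR_username or an
# uncommitted tfvars file).
variable "username" {
  description = "Docker Hub username used for the private-registry pull credentials"
  type        = string
}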
variable "password" {}
# The account's default VPC; all networking below hangs off it.
data "aws_vpc" "default" {
  default = true
}
# Public subnets of the default VPC, selected by Name tag prefix "public-*".
# These host the internet-facing load balancer.
data "aws_subnets" "public" {
  filter {
    name   = "tag:Name"
    values = ["public-*"]
  }

  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}
# Private subnets of the default VPC, selected by Name tag prefix "RDS-Pvt-subnet-*".
# The Fargate tasks are placed here. NOTE(review): assumes these subnets have an
# outbound route (NAT or VPC endpoints) for the Docker Hub pull — confirm.
data "aws_subnets" "rds_private" {
  filter {
    name   = "tag:Name"
    values = ["RDS-Pvt-subnet-*"]
  }

  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}
# Security group attached to the Gitea Fargate tasks.
resource "aws_security_group" "ecs_service" {
  name        = "ecs-service-sg"
  description = "Security group for the ECS service"
  vpc_id      = data.aws_vpc.default.id

  # Only the load balancer may reach the Gitea HTTP port; the rule is scoped to
  # the ALB's security group rather than a CIDR. SSH (22) is deliberately not
  # opened on this group.
  ingress {
    description     = "Gitea access"
    from_port       = 3000
    to_port         = 3000
    protocol        = "tcp"
    security_groups = [aws_security_group.gitea_lb_sg.id]
  }

  # Unrestricted outbound, needed at least for the image pull and the
  # Secrets Manager call. NOTE(review): could be narrowed once the task's real
  # outbound dependencies are known.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "ecs-service-sg"
  }
}
# ECS cluster for Gitea, with Container Insights metrics turned on.
resource "aws_ecs_cluster" "gitea_cluster" {
  name = "gitea-cluster"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}
# Fargate is the only capacity provider for the cluster and the default strategy.
resource "aws_ecs_cluster_capacity_providers" "gitea_capacity_provider" {
  cluster_name       = aws_ecs_cluster.gitea_cluster.id
  capacity_providers = ["FARGATE"]

  default_capacity_provider_strategy {
    capacity_provider = "FARGATE"
    base              = 1
    weight            = 100
  }
}
# Target group the ALB forwards to; targets are task IPs (awsvpc networking)
# on Gitea's HTTP port. No health_check block is set, so the provider/AWS
# defaults apply (HTTP GET on "/"). NOTE(review): confirm Gitea answers that
# path with a success code for an anonymous request.
resource "aws_lb_target_group" "gitea_tg" {
  name        = "gitea-tg"
  vpc_id      = data.aws_vpc.default.id
  target_type = "ip"
  protocol    = "HTTP"
  port        = 3000
}
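# ECS task definition for Gitea (Fargate, awsvpc networking).
resource "aws_ecs_task_definition" "gitea_task" {
  family                   = "gitea-task"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 1024
  memory                   = 2048

  # Role the ECS agent uses to pull the image; it reads the Docker Hub secret.
  execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
  # NOTE(review): the task role (credentials exposed to the Gitea process) is the
  # same role as the execution role, so the container inherits its Secrets Manager
  # and KMS grants and can read the Docker Hub credentials. Nothing in this file
  # shows Gitea needing AWS API access; a separate task role with an empty policy,
  # or omitting task_role_arn, would be least privilege.
  task_role_arn = aws_iam_role.ecs_task_execution_role.arn

  # The former executionRoleArn key inside the container definition was dropped:
  # it is a task-level field (execution_role_arn above), not a containerDefinitions
  # member, and at best is ignored by ECS.
  container_definitions = jsonencode([{
    name      = "gitea"
    # NOTE(review): mutable tag; pin to a version or digest so a deploy is
    # reproducible and a registry-side change cannot alter what runs.
    image     = "gitea/gitea:latest"
    essential = true
    cpu       = 1024
    memory    = 2048

    # Docker Hub credentials for the pull, read via the execution role.
    repositoryCredentials = {
      credentialsParameter = aws_secretsmanager_secret.docker_hub_secret.arn
    }

    # On Fargate hostPort must equal containerPort. Port 22 (Gitea SSH) is mapped
    # but no security-group rule or listener in this file admits it, so it is not
    # reachable from outside the task.
    portMappings = [
      { containerPort = 22, hostPort = 22, protocol = "tcp" },
      { containerPort = 3000, hostPort = 3000, protocol = "tcp" },
    ]

    # No logConfiguration is set, so container stdout/stderr is not captured;
    # an awslogs driver (plus a log group and logs:* grants on the execution
    # role) is needed for troubleshooting and incident response.
  }])
}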
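# ECS service running one Gitea task on Fargate behind the ALB.
resource "aws_ecs_service" "gitea_service" {
  name            = "gitea-service"
  cluster         = aws_ecs_cluster.gitea_cluster.id
  task_definition = aws_ecs_task_definition.gitea_task.arn
  desired_count   = 1
  launch_type     = "FARGATE"

  # ECS rejects a service whose target group is not yet attached to a load
  # balancer listener, and Terraform cannot infer that ordering from the
  # target_group_arn reference alone.
  depends_on = [aws_lb_listener.gitea_lb_listener]

  load_balancer {
    target_group_arn = aws_lb_target_group.gitea_tg.arn
    container_name   = "gitea"
    container_port   = 3000
  }

  # Tasks run in the private subnets with no public IP (assign_public_ip is left
  # at its default of false). NOTE(review): the Docker Hub pull and the Secrets
  # Manager call therefore need a NAT gateway or VPC endpoints in those
  # subnets — confirm.
  network_configuration {
    security_groups = [aws_security_group.ecs_service.id]
    subnets         = data.aws_subnets.rds_private.ids
  }
}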
# Internet-facing application load balancer in the public subnets.
# NOTE(review): no access_logs block is configured, so request logs are not
# retained; drop_invalid_header_fields = true is also worth considering.
resource "aws_lb" "gitea_lb" {
  name               = "gitea-lb"
  load_balancer_type = "application"
  internal           = false

  subnets         = toset(data.aws_subnets.public.ids)
  security_groups = [aws_security_group.gitea_lb_sg.id]

  # Deliberately off here; enable for a non-disposable deployment.
  enable_deletion_protection = false
}
# Existing hosted zone that the Gitea hostname and certificate validation records live in.
data "aws_route53_zone" "eqbal" {
  name = "test.eqbalmurad.com"
}
# gitea.<zone> as an alias A record pointing at the load balancer.
resource "aws_route53_record" "gitea_lb" {
  zone_id = data.aws_route53_zone.eqbal.zone_id
  type    = "A"
  name    = "gitea"

  alias {
    zone_id                = aws_lb.gitea_lb.zone_id
    name                   = aws_lb.gitea_lb.dns_name
    evaluate_target_health = true
  }
}
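# Public certificate for the Gitea hostname, validated over DNS.
resource "aws_acm_certificate" "gitea_lb_cert" {
  domain_name       = "gitea.test.eqbalmurad.com"
  validation_method = "DNS"

  tags = {
    Name = "gitea-lb-cert"
  }

  # Issue a replacement before destroying the old certificate so a listener
  # referencing it is never left without one.
  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation records. Without them the certificate stays in
# PENDING_VALIDATION and an HTTPS listener referencing it cannot be created.
resource "aws_route53_record" "gitea_lb_cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.gitea_lb_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.eqbal.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# Waits until ACM has observed the validation records. Consumers that must not
# be created before issuance can reference this resource's certificate_arn.
resource "aws_acm_certificate_validation" "gitea_lb_cert" {
  certificate_arn         = aws_acm_certificate.gitea_lb_cert.arn
  validation_record_fqdns = [for r in aws_route53_record.gitea_lb_cert_validation : r.fqdn]
}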
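# OIDC client secret for the ALB's authenticate-oidc action. Kept out of the
# configuration: a literal here lands in version control, plan output and state.
# Supply via TF_VAR_oidc_client_secret or an uncommitted tfvars file. The value
# that was previously committed in this file should be treated as exposed and
# rotated in the app registration.
variable "oidc_client_secret" {
  description = "Client secret of the Microsoft Entra ID app registration used by the ALB OIDC action"
  type        = string
  sensitive   = true
}

# HTTPS listener: every request is first authenticated against Microsoft Entra
# ID (authenticate-oidc) and only then forwarded to the Gitea target group.
resource "aws_lb_listener" "gitea_lb_listener" {
  load_balancer_arn = aws_lb.gitea_lb.arn
  port              = 443
  protocol          = "HTTPS"
  # NOTE(review): this policy still permits TLS 1.0/1.1; a TLS 1.2+ policy is
  # preferable unless legacy clients are required.
  ssl_policy = "ELBSecurityPolicy-2016-08"
  # The certificate must be issued (DNS validation complete) before this
  # listener can be created.
  certificate_arn = aws_acm_certificate.gitea_lb_cert.arn

  default_action {
    type = "authenticate-oidc"

    authenticate_oidc {
      # All endpoints are the Microsoft identity platform v2.0 endpoints for this
      # tenant. The token endpoint previously pointed at the v1 path
      # (/oauth2/token), which does not pair with the v2.0 authorize endpoint and
      # the v2.0 issuer declared here.
      authorization_endpoint = "https://login.microsoftonline.com/37ec3ca5-0cb7-4985-bc0a-d0ed507b6843/oauth2/v2.0/authorize"
      token_endpoint         = "https://login.microsoftonline.com/37ec3ca5-0cb7-4985-bc0a-d0ed507b6843/oauth2/v2.0/token"
      # NOTE(review): the ALB compares this value with the ID token's iss claim;
      # confirm the exact form (including the trailing slash) against a token
      # issued by this tenant.
      issuer             = "https://login.microsoftonline.com/37ec3ca5-0cb7-4985-bc0a-d0ed507b6843/v2.0/"
      user_info_endpoint = "https://graph.microsoft.com/oidc/userinfo"
      client_id          = "6f834627-de25-4f4a-ab92-efd57d10d864"
      client_secret      = var.oidc_client_secret
    }
  }

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.gitea_tg.arn
  }
}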
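# Security group for the internet-facing Gitea load balancer.
resource "aws_security_group" "gitea_lb_sg" {
  name        = "gitea-lb-sg"
  description = "Security group for gitea load balancer"
  vpc_id      = data.aws_vpc.default.id

  # Inbound HTTPS only, from a single allow-listed address.
  ingress {
    description = "Gitea access"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["203.214.57.29/32"]
  }

  # Terraform strips AWS's implicit allow-all egress from a managed
  # aws_security_group, so without explicit egress rules the ALB could reach
  # neither the Gitea targets nor the OIDC identity provider.
  #
  # Forwarding to the Gitea port. The destination is the VPC CIDR rather than
  # the task security group: referencing aws_security_group.ecs_service here
  # would create a dependency cycle, since that group already references this one.
  egress {
    description = "Gitea targets"
    from_port   = 3000
    to_port     = 3000
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.default.cidr_block]
  }

  # authenticate-oidc: the ALB itself calls the token and userinfo endpoints
  # (login.microsoftonline.com, graph.microsoft.com) over HTTPS.
  egress {
    description = "OIDC identity provider"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}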
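# Customer-managed key that encrypts the Docker Hub credential secret.
# No key policy is set, so the AWS default policy applies (account root has
# full access and IAM policies in the account can grant use of the key).
resource "aws_kms_key" "docker_hub_key" {
  description             = "KMS key for docker hub"
  deletion_window_in_days = 7
  # Annual automatic rotation of the key material; old material is retained so
  # existing ciphertext stays decryptable.
  enable_key_rotation = true

  tags = {
    Name = "docker-hub-key"
  }
}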
# Human-readable alias for the Docker Hub key.
resource "aws_kms_alias" "docker_hub_key_alias" {
  target_key_id = aws_kms_key.docker_hub_key.key_id
  name          = "alias/docker-hub-key"
}
# Secrets Manager entry holding the Docker Hub pull credentials, encrypted with
# the customer-managed key (resolved through its alias).
resource "aws_secretsmanager_secret" "docker_hub_secret" {
  kms_key_id = aws_kms_alias.docker_hub_key_alias.target_key_id
  name       = "docker-hub-secret"
}
# Secret payload in the {"username": ..., "password": ...} shape that ECS
# repositoryCredentials expects. The values come from input variables, so the
# credentials themselves never appear in this file.
resource "aws_secretsmanager_secret_version" "docker_hub" {
  secret_id = aws_secretsmanager_secret.docker_hub_secret.id

  secret_string = jsonencode({
    password = var.password
    username = var.username
  })
}
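# Role assumed by the ECS agent (ecs-tasks.amazonaws.com) when it starts the
# Gitea task. For this deployment it only needs to read the Docker Hub
# credential secret; nothing else in this file requires further permissions.
resource "aws_iam_role" "ecs_task_execution_role" {
  name = "ecsTaskExecutionRoleGitea"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ecs-tasks.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
      # NOTE(review): an account-specific admin role is also trusted to assume
      # this execution role. ECS does not need it; keep it only if a human
      # operator genuinely has to act as the task execution role.
      {
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::300428143068:role/aws-innovationlabs-australia1-admin" }
        Action    = "sts:AssumeRole"
      },
    ]
  })

  # Least privilege for a private-registry pull via repositoryCredentials: read
  # the secret and decrypt it with its customer-managed key. The previous kms:*
  # and secretsmanager:* wildcards also allowed rewriting or deleting the secret
  # and key (and were inherited by the Gitea container, which uses this role as
  # its task role).
  inline_policy {
    name = "ecs_task_execution_role_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = ["kms:Decrypt"]
          Resource = [aws_kms_key.docker_hub_key.arn]
        },
        {
          Effect   = "Allow"
          Action   = ["secretsmanager:GetSecretValue"]
          Resource = [aws_secretsmanager_secret.docker_hub_secret.arn]
        },
      ]
    })
  }
}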