From 6957c722afcc35b58e7934e225b3b51cba93ff0f Mon Sep 17 00:00:00 2001
From: Dan Gooding
Date: Wed, 30 Jul 2025 10:03:57 +0100
Subject: [PATCH] Move infra out to separate repo
---
 terraform/.gitignore | 3 -
 terraform/api_service.tf | 125 ------------------------------------
 terraform/cluster.tf | 14 ----
 terraform/github_actions.tf | 94 ---------------------------
 terraform/load_balancer.tf | 88 -------------------------
 terraform/main.tf | 3 -
 terraform/network.tf | 26 --------
 terraform/outputs.tf | 9 ---
 terraform/static_service.tf | 80 ----------------------
 terraform/terraform.tf | 10 ---
 terraform/variables.tf | 55 ----------------
 11 files changed, 507 deletions(-)
 delete mode 100644 terraform/.gitignore
 delete mode 100644 terraform/api_service.tf
 delete mode 100644 terraform/cluster.tf
 delete mode 100644 terraform/github_actions.tf
 delete mode 100644 terraform/load_balancer.tf
 delete mode 100644 terraform/main.tf
 delete mode 100644 terraform/network.tf
 delete mode 100644 terraform/outputs.tf
 delete mode 100644 terraform/static_service.tf
 delete mode 100644 terraform/terraform.tf
 delete mode 100644 terraform/variables.tf
diff --git a/terraform/.gitignore b/terraform/.gitignore
deleted file mode 100644
index 901c87a..0000000
--- a/terraform/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-.terraform/
-terraform.tfstate*
-.terraform*
diff --git a/terraform/api_service.tf b/terraform/api_service.tf
deleted file mode 100644
index 6b6ba91..0000000
--- a/terraform/api_service.tf
+++ /dev/null
@@ -1,125 +0,0 @@
-resource "aws_ecr_repository" "api_server_container_repo" {
- name = "connect-api-server"
- image_scanning_configuration {
- scan_on_push = true
- }
- tags = {
- project_name = var.project_name
- }
-}
-
-resource "aws_secretsmanager_secret" "db_password" {
- name = "connect-db-pass"
- tags = {
- project_name = var.project_name
- }
-}
-
-module "api_service" {
- source = "terraform-aws-modules/ecs/aws//modules/service"
-
- name = "api-service"
- cluster_arn = module.cluster.arn
-
- cpu = 256
- memory = 512
- desired_count = 1
- deployment_maximum_percent = 200
- enable_autoscaling = false
-
- assign_public_ip = true
-
- // ssh in for debugging
- enable_execute_command = true
-
- container_definitions = {
- api_service_container = {
- cpu = 256
- memory = 512
- essential = true
- image = "${aws_ecr_repository.api_server_container_repo.repository_url}:${var.api_service_container_image_tag}"
- portMappings = [{
- name = "api-service"
- containerPort = var.api_service_port
- protocol = "tcp"
- }]
- environment = [
- {
- name = "DB_NAME"
- value = var.db_credentials.name
- },
- {
- name = "DB_USER",
- value = var.db_credentials.user
- },
- {
- name = "DB_URL",
- value = var.db_credentials.url
- }
- ]
- secrets = [
- {
- name = "DB_PASS"
- valueFrom = aws_secretsmanager_secret.db_password.arn
- }
- ]
- }
- }
-
- load_balancer = {
- service = {
- target_group_arn = module.alb.target_groups["api"].arn
- container_name = "api_service_container"
- container_port = var.api_service_port
- }
- }
-
- subnet_ids = module.vpc.public_subnets
-
- security_group_ingress_rules = {
- from_alb = {
- ip_protocol = "tcp"
- from_port = var.api_service_port
- to_port = var.api_service_port
- referenced_security_group_id = module.alb.security_group_id
- }
- }
-
- security_group_egress_rules = {
- all = {
- ip_protocol = "-1"
- cidr_ipv4 = "0.0.0.0/0"
- }
- }
-
- task_tags = {
- image = var.api_service_container_image_tag
- }
-
- tags = {
- Name = "api-ecs-service"
- project_name = var.project_name
- }
-}
-
-data "aws_iam_policy_document" "access_secrets_for_api_service" {
- statement {
- effect = "Allow"
- actions = ["secretsmanager:GetSecretValue"]
- resources = [aws_secretsmanager_secret.db_password.arn]
- }
-}
-
-resource "aws_iam_policy" "access_secrets_for_api_service" {
- name = "connect-access-runtime-secrets"
- policy = data.aws_iam_policy_document.access_secrets_for_api_service.json
- tags = {
- project_name = var.project_name
- }
-}
-
-resource "aws_iam_role_policy_attachment" "api_sevice_can_access_secrets" {
- role = module.api_service.task_exec_iam_role_name
- policy_arn = aws_iam_policy.access_secrets_for_api_service.arn
-}
-
diff --git a/terraform/cluster.tf b/terraform/cluster.tf
deleted file mode 100644
index c593efb..0000000
--- a/terraform/cluster.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-module "cluster" {
- source = "terraform-aws-modules/ecs/aws//modules/cluster"
-
- name = "connect-ecs-cluster"
- default_capacity_provider_strategy = {
- FARGATE = {
- weight = 100
- }
- }
-
- tags = {
- project_name = var.project_name
- }
-}
diff --git a/terraform/github_actions.tf b/terraform/github_actions.tf
deleted file mode 100644
index ef7bc1d..0000000
--- a/terraform/github_actions.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-resource "aws_iam_openid_connect_provider" "github" {
- url = "https://token.actions.githubusercontent.com"
- client_id_list = ["sts.amazonaws.com"]
-
- tags = {
- project_name = var.project_name
- }
-}
-
-data "aws_iam_policy_document" "assume_github_actions_role" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRoleWithWebIdentity"]
- principals {
- type = "Federated"
- identifiers = [
- aws_iam_openid_connect_provider.github.arn
- ]
- }
- condition {
- test = "StringLike"
- variable = "token.actions.githubusercontent.com:sub"
- values = ["repo:${var.github_repo}:*"]
- }
- condition {
- test = "StringEquals"
- variable = "token.actions.githubusercontent.com:aud"
- values = ["sts.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "github_actions" {
- name = "connect-github-actions"
-
- assume_role_policy = data.aws_iam_policy_document.assume_github_actions_role.json
-
- tags = {
- project_name = var.project_name
- }
-}
-
-resource "aws_iam_role_policy_attachment" "github_actions_can_push_to_ecr_repos" {
- role = aws_iam_role.github_actions.name
- policy_arn = aws_iam_policy.push_to_ecr_repos.arn
-}
-
-data "aws_iam_policy_document" "push_to_ecr_repos" {
- statement {
- effect = "Allow"
- actions = [
- "ecr:GetAuthorizationToken",
- ]
- resources = ["*"]
- }
-
- statement {
- effect = "Allow"
- actions = [
- "ecr:UploadLayerPart",
- "ecr:PutImage",
- "ecr:InitiateLayerUpload",
- "ecr:GetDownloadUrlForLayer",
- "ecr:CompleteLayerUpload",
- "ecr:BatchGetImage",
- "ecr:BatchCheckLayerAvailability",
- "ecr:DescribeImages",
- "ecr:DescribePullThroughCacheRules",
- "ecr:ListImages",
- "ecr:BatchGetRepositoryScanningConfiguration",
- "ecr:DescribeRegistry",
- "ecr:GetImageCopyStatus",
- "ecr:GetLifecyclePolicy",
- "ecr:GetLifecyclePolicyPreview",
- "ecr:GetRegistryPolicy",
- "ecr:ListTagsForResource",
- "ecr:BatchDeleteImage",
- "ecr:BatchImportUpstreamImage",
- "ecr:PutImageTagMutability",
- "ecr:ReplicateImage",
- "ecr:TagResource",
- "ecr:UntagResource"
- ]
- resources = [aws_ecr_repository.api_server_container_repo.arn, aws_ecr_repository.static_container_repo.arn]
- }
-}
-
-resource "aws_iam_policy" "push_to_ecr_repos" {
- name = "connect-push-to-ecr-repos"
- policy = data.aws_iam_policy_document.push_to_ecr_repos.json
- tags = {
- project_name = var.project_name
- }
-}
diff --git a/terraform/load_balancer.tf b/terraform/load_balancer.tf
deleted file mode 100644
index 6f52e2b..0000000
--- a/terraform/load_balancer.tf
+++ /dev/null
@@ -1,88 +0,0 @@
-
-module "alb" {
- source = "terraform-aws-modules/alb/aws"
-
- name = "connect-alb"
- load_balancer_type = "application"
-
- vpc_id = module.vpc.vpc_id
- subnets = module.vpc.public_subnets
-
- security_group_ingress_rules = {
- all_http = {
- from_port = 80
- to_port = 80
- ip_protocol = "tcp"
- cidr_ipv4 = "0.0.0.0/0"
- }
- all_https = {
- from_port = 443
- to_port = 443
- ip_protocol = "tcp"
- cidr_ipv4 = "0.0.0.0/0"
- }
- }
- security_group_egress_rules = {
- all = {
- ip_protocol = "-1"
- cidr_ipv4 = module.vpc.vpc_cidr_block
- }
- }
-
- listeners = {
- listener = {
- protocol = "HTTPS"
- port = 443
-
- certificate_arn = var.domain_certificate_arn
-
- rules = {
- api = {
- conditions = [
- {
- path_pattern = {
- values = ["/api/*"]
- }
- }
- ]
- actions = [
- {
- type = "forward"
- target_group_key = "api"
- }
- ]
- }
- }
-
- // default rule
- forward = {
- target_group_key = "static"
- }
- }
- }
-
- target_groups = {
- static = {
- target_type = "ip"
-
- // ECS will attach services to the group dynamically
- create_attachment = false
- }
-
- api = {
- target_type = "ip"
-
- create_attachment = false
-
- health_check = {
- matcher = 200
- path = "/api/walls/random"
- port = "traffic-port"
- protocol = "HTTP"
- }
- }
- }
- tags = {
- project_name = var.project_name
- }
-}
diff --git a/terraform/main.tf b/terraform/main.tf
deleted file mode 100644
index b64be2a..0000000
--- a/terraform/main.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "aws" {
- region = "eu-west-2"
-}
diff --git a/terraform/network.tf b/terraform/network.tf
deleted file mode 100644
index 90e5f0b..0000000
--- a/terraform/network.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "5.19.0"
-
- name = "connect-vpc"
- cidr = "10.0.0.0/16"
-
- azs = ["eu-west-2a", "eu-west-2b", "eu-west-2c"]
- private_subnets = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
- public_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
- private_subnet_names = ["connect-priv-a", "connect-priv-b", "connect-priv-c"]
- public_subnet_names = ["connect-pub-a", "connect-pub-b", "connect-pub-c"]
-
- create_igw = true
- enable_dns_hostnames = true
-
- vpc_tags = {
- Name = "connect-vpc"
- }
- igw_tags = {
- Name = "connect-igw"
- }
- tags = {
- project_name = var.project_name
- }
-}
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
deleted file mode 100644
index 92c8fcd..0000000
--- a/terraform/outputs.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-output "alb_hostname" {
- description = "hostname of entry point load balancer"
- value = module.alb.dns_name
-}
-
-output "github_actions_role" {
- description = "role to run github actions as"
- value = aws_iam_role.github_actions.arn
-}
diff --git a/terraform/static_service.tf b/terraform/static_service.tf
deleted file mode 100644
index 1ef0617..0000000
--- a/terraform/static_service.tf
+++ /dev/null
@@ -1,80 +0,0 @@
-
-resource "aws_ecr_repository" "static_container_repo" {
- name = "connect-static-server"
- image_scanning_configuration {
- scan_on_push = true
- }
- tags = {
- project_name = var.project_name
- }
-}
-
-module "static_service" {
- source = "terraform-aws-modules/ecs/aws//modules/service"
-
- name = "static-service"
- cluster_arn = module.cluster.arn
-
- cpu = 256 // 0.25 vCPU
- memory = 512 // MB
- desired_count = 1
- deployment_maximum_percent = 200
- enable_autoscaling = false
-
- assign_public_ip = true
-
- // ssh in for debugging
- enable_execute_command = true
-
- container_definitions = {
- static_server_container = {
- cpu = 256
- memory = 512
- essential = true
- image = "${aws_ecr_repository.static_container_repo.repository_url}:${var.static_service_container_image_tag}"
- portMappings = [{
- containerPort = var.static_service_port
- protocol = "tcp"
- name = "static-service"
- }]
-
- // nginx writes to /etc and /var
- readonlyRootFilesystem = false
- }
- }
-
- load_balancer = {
- service = {
- target_group_arn = module.alb.target_groups["static"].arn
- container_name = "static_server_container"
- container_port = var.static_service_port
- }
- }
-
- subnet_ids = module.vpc.public_subnets
-
- security_group_ingress_rules = {
- from_alb = {
- ip_protocol = "tcp"
- // note 'from_port/to_port' in this context define a range of allowed _destination_ ports (in this case a one-element range)
- from_port = var.static_service_port
- to_port = var.static_service_port
- referenced_security_group_id = module.alb.security_group_id
- }
- }
- security_group_egress_rules = {
- all = {
- ip_protocol = "-1"
- cidr_ipv4 = "0.0.0.0/0"
- }
- }
-
- task_tags = {
- image = var.static_service_container_image_tag
- }
-
- tags = {
- Name = "static-ecs-service"
- project_name = var.project_name
- }
-}
diff --git a/terraform/terraform.tf b/terraform/terraform.tf
deleted file mode 100644
index d973e09..0000000
--- a/terraform/terraform.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 6.0"
- }
- }
-
- required_version = ">= 1.2"
-}
diff --git a/terraform/variables.tf b/terraform/variables.tf
deleted file mode 100644
index 3caddc3..0000000
--- a/terraform/variables.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-variable "project_name" {
- description = "tag applied to all resources"
- type = string
- default = "connect"
-}
-
-variable "domain_certificate_arn" {
- description = "certificate of public domain for the site"
- type = string
- default = "arn:aws:acm:eu-west-2:196481062593:certificate/4ece37fb-0fe4-49d9-8929-65354870ca46"
-}
-
-variable "static_service_port" {
- description = "port exposed by static webserver container"
- type = number
- default = 80
-}
-
-variable "api_service_port" {
- description = "port exposed by api server container"
- type = number
- default = 3000
-}
-
-variable "db_credentials" {
- description = "configures connectivity to db - the cluster, database, and username"
- type = object({
- name = string
- user = string
- url = string
- })
- default = {
- name = "connect"
- user = "api2"
- url = "mongodb+srv://cluster0.649fjz8.mongodb.net/?retryWrites=true&w=majority&appName=Cluster0"
- }
-}
-
-variable "api_service_container_image_tag" {
- description = "container image to run for API service"
- type = string
- default = "6d877e3688db18505ba766310425e49095da550a"
-}
-
-variable "static_service_container_image_tag" {
- description = "container image to run for static webserver"
- type = string
- default = "6d877e3688db18505ba766310425e49095da550a"
-}
-
-variable "github_repo" {
- description = "github repository that actions run in"
- type = string
- default = "DanGooding/connect"
-}