├── .gitignore
├── ecs
    ├── outputs.tf
    ├── policies
    │   ├── ecs-role.json
    │   ├── ecs-service-role-policy.json
    │   ├── ecs-instance-role-policy.json
    │   └── registry.json
    ├── bastion.tf
    ├── provider.tf
    ├── iam.tf
    ├── task-definitions
    │   ├── varnish.json
    │   ├── celery.json
    │   ├── celery-beat.json
    │   └── uwsgi.json
    ├── celery.tf
    ├── celery-beat.tf
    ├── ecs.tf
    ├── varnish.tf
    ├── uwsgi.tf
    └── variables.tf
├── destroy
├── Makefile
├── vpc
    ├── keypair.tf
    ├── outputs.tf
    ├── provider.tf
    ├── security-groups.tf
    ├── rds.tf
    ├── route53.tf
    ├── vpc.tf
    ├── elasticache.tf
    └── variables.tf
├── ecr
    ├── outputs.tf
    ├── provider.tf
    ├── variables.tf
    └── ecr.tf
├── upload-cert
├── apply
├── LICENSE
├── env
└── README.rst


/.gitignore:
--------------------------------------------------------------------------------
1 | terraform.tfstate*
2 | .env
3 | .terraform
4 | 


--------------------------------------------------------------------------------
/ecs/outputs.tf:
--------------------------------------------------------------------------------
1 | output "project.dns_name" {
2 |   value = "${aws_elb.varnish-elb.dns_name}"
3 | }
4 | 


--------------------------------------------------------------------------------
/destroy:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | . ./.env
 4 | 
 5 | MODULE=$1
 6 | 
 7 | cd ${MODULE}
 8 | 
 9 | terraform destroy 
10 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | ecs-list:
2 | 	aws ecr describe-repositories
3 | 
4 | ecr-images:
5 | 	aws ecr list-images --repository-name derrickpetzold
6 | 


--------------------------------------------------------------------------------
/vpc/keypair.tf:
--------------------------------------------------------------------------------
1 | resource "aws_key_pair" "keypair" {
2 |   key_name = "${var.key_name}"
3 |   public_key = "${var.public_key}"
4 | }
5 | 


--------------------------------------------------------------------------------
/ecr/outputs.tf:
--------------------------------------------------------------------------------
1 | output "repository.arn" {
2 |   value = "${aws_ecr_repository.repository.arn}"
3 | }
4 | 
5 | output "repository.name" {
6 |   value = "${aws_ecr_repository.repository.name}"
7 | }
8 | 


--------------------------------------------------------------------------------
/upload-cert:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | aws iam upload-server-certificate \
4 |   --server-certificate-name derrickpetzold-com  \
5 |   --certificate-body file://cert \
6 |   --private-key file://key \
7 |   --certificate-chain file://inter-cert
8 | 


--------------------------------------------------------------------------------
/vpc/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "vpc_id" {
 2 |     value = "${aws_vpc.main.id}"
 3 | }
 4 | 
 5 | output "public_subnet_id" {
 6 |     value = "${aws_subnet.main-public.id}"
 7 | }
 8 | 
 9 | output "private_subnet_id" {
10 |     value = "${aws_subnet.main-private.id}"
11 | }
12 | 


--------------------------------------------------------------------------------
/ecs/policies/ecs-role.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2008-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Action": "sts:AssumeRole",
 6 |       "Principal": {
 7 |         "Service": "ecs.amazonaws.com"
 8 |       },
 9 |       "Effect": "Allow"
10 |     }
11 |   ]
12 | }
13 | 


--------------------------------------------------------------------------------
/apply:
--------------------------------------------------------------------------------
 1 | #!/bin/zsh
 2 | 
 3 | . ./.env
 4 | 
 5 | MODULE=$1
 6 | REMOTE_STATE_KEY=`echo TF_VAR_${MODULE}_remote_state_key`
 7 | 
 8 | cd $MODULE
 9 | 
10 | terraform remote config \
11 |     -backend=s3 \
12 |     -backend-config="bucket=${TF_VAR_remote_state_bucket}" \
13 |     -backend-config="key=${(P)REMOTE_STATE_KEY}" \
14 |     -backend-config="region=${TF_VAR_aws_region}"
15 | 
16 | terraform apply
17 | 


--------------------------------------------------------------------------------
/ecs/bastion.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "bastion" {
 2 | 
 3 |   name = "bastion"
 4 |   description = "Bastion Allowed Ports"
 5 |   vpc_id = "${var.vpc_id}"
 6 | 
 7 |   ingress {
 8 |     from_port = 22
 9 |     to_port   = 22
10 |     protocol  = "tcp"
11 |     cidr_blocks = ["0.0.0.0/0"]
12 |     security_groups
13 |   }
14 | 
15 |   tags {
16 |     Name = "${var.project_name}-bastion"
17 |   }
18 | }
19 | 


--------------------------------------------------------------------------------
/ecr/provider.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   access_key = "${var.aws_access_key}"
 3 |   secret_key = "${var.aws_secret_key}"
 4 |   region     = "${var.aws_region}"
 5 | }
 6 | 
 7 | resource "terraform_remote_state" "remote_state" {
 8 |   backend = "s3"
 9 |   config {
10 |       bucket = "${var.remote_state_bucket}"
11 |       key    = "${var.ecr_remote_state_key}"
12 |       region = "${var.aws_region}"
13 |   }
14 | }
15 | 


--------------------------------------------------------------------------------
/ecs/provider.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   access_key = "${var.aws_access_key}"
 3 |   secret_key = "${var.aws_secret_key}"
 4 |   region     = "${var.aws_region}"
 5 | }
 6 | 
 7 | resource "terraform_remote_state" "remote_state" {
 8 |   backend = "s3"
 9 |   config {
10 |       bucket = "${var.remote_state_bucket}"
11 |       key    = "${var.ecs_remote_state_key}"
12 |       region = "${var.aws_region}"
13 |   }
14 | }
15 | 


--------------------------------------------------------------------------------
/vpc/provider.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   access_key = "${var.aws_access_key}"
 3 |   secret_key = "${var.aws_secret_key}"
 4 |   region     = "${var.aws_region}"
 5 | }
 6 | 
 7 | resource "terraform_remote_state" "remote_state" {
 8 |   backend = "s3"
 9 |   config {
10 |       bucket = "${var.remote_state_bucket}"
11 |       key    = "${var.vpc_remote_state_key}"
12 |       region = "${var.aws_region}"
13 |   }
14 | }
15 | 


--------------------------------------------------------------------------------
/ecs/policies/ecs-service-role-policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "elasticloadbalancing:Describe*",
 8 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 9 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
10 |         "ec2:Describe*",
11 |         "ec2:AuthorizeSecurityGroupIngress"
12 |       ],
13 |       "Resource": [
14 |         "*"
15 |       ]
16 |     }
17 |   ]
18 | }
19 | 


--------------------------------------------------------------------------------
/ecs/policies/ecs-instance-role-policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2012-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Effect": "Allow",
 6 |       "Action": [
 7 |         "ecs:CreateCluster",
 8 |         "ecs:DeregisterContainerInstance",
 9 |         "ecs:DiscoverPollEndpoint",
10 |         "ecs:Poll",
11 |         "ecs:RegisterContainerInstance",
12 |         "ecs:StartTelemetrySession",
13 |         "ecs:Submit*",
14 |         "ecr:GetAuthorizationToken",
15 |         "ecr:BatchCheckLayerAvailability",
16 |         "ecr:GetDownloadUrlForLayer",
17 |         "ecr:BatchGetImage"
18 |       ],
19 |       "Resource": "*"
20 |     }
21 |   ]
22 | }
23 | 


--------------------------------------------------------------------------------
/ecs/policies/registry.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Version": "2012-10-17",
 3 |     "Statement": [
 4 |         {
 5 |             "Effect": "Allow",
 6 |             "Action": [
 7 |                 "s3:ListBucket"
 8 |             ],
 9 |             "Resource": [
10 |                 "arn:aws:s3:::${s3_bucket_name}"
11 |             ]
12 |         },
13 |         {
14 |             "Effect": "Allow",
15 |             "Action": [
16 |                 "s3:PutObject",
17 |                 "s3:GetObject",
18 |                 "s3:DeleteObject"
19 |             ],
20 |             "Resource": [
21 |                 "arn:aws:s3:::${s3_bucket_name}/*"
22 |             ]
23 |         }
24 |     ]
25 | }
26 | 


--------------------------------------------------------------------------------
/ecr/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "project_name" {
 2 |   description = "The name of the project."
 3 | }
 4 | 
 5 | variable "aws_access_key" {
 6 |   description = "The AWS access key."
 7 | }
 8 | 
 9 | variable "aws_secret_key" {
10 |   description = "The AWS secret key."
11 | }
12 | 
13 | variable "aws_region" {
14 |   description = "The AWS region to create resources in."
15 |   default = "us-west-2"
16 | }
17 | 
18 | variable "remote_state_bucket" {
19 |   description = "The name of the s3 bucket to store the remote state in."
20 |   default = "terraform-state.example.com"
21 | }
22 | 
23 | variable "ecr_remote_state_key" {
24 |   description = "The name of the key to store the remote state in."
25 |   default = "ecr-terraform.tfstate"
26 | }
27 | 


--------------------------------------------------------------------------------
/ecs/iam.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "ecs_role" {
 2 |   name               = "ecs_role"
 3 |   assume_role_policy = "${file("policies/ecs-role.json")}"
 4 | }
 5 | 
 6 | resource "aws_iam_role_policy" "ecs_service_role_policy" {
 7 |   name     = "ecs_service_role_policy"
 8 |   policy   = "${template_file.ecs_service_role_policy.rendered}"
 9 |   role     = "${aws_iam_role.ecs_role.id}"
10 | }
11 | 
12 | resource "aws_iam_role_policy" "ecs_instance_role_policy" {
13 |   name     = "ecs_instance_role_policy"
14 |   policy   = "${file("policies/ecs-instance-role-policy.json")}"
15 |   role     = "${aws_iam_role.ecs_role.id}"
16 | }
17 | 
18 | resource "aws_iam_instance_profile" "ecs" {
19 |   name = "ecs-instance-profile"
20 |   path = "/"
21 |   roles = ["${aws_iam_role.ecs_role.name}"]
22 | }
23 | 


--------------------------------------------------------------------------------
/vpc/security-groups.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "rds" {
 2 |   name        = "rds-sg"
 3 |   description = "RDS Allowed Ports"
 4 |   vpc_id = "${aws_vpc.main.id}"
 5 | 
 6 |   egress {
 7 |     from_port   = 0
 8 |     to_port     = 0
 9 |     protocol    = "-1"
10 |     cidr_blocks = [ "0.0.0.0/0" ]
11 |   }
12 |   ingress {
13 |       from_port = 5432
14 |       to_port = 5432
15 |       protocol = "tcp"
16 |       cidr_blocks = ["10.0.0.0/8"]
17 |   }
18 |   tags {
19 |     Name = "rds-sg"
20 |   }
21 | }
22 | 
23 | resource "aws_security_group" "elasticache" {
24 |   vpc_id = "${aws_vpc.main.id}"
25 | 
26 |   ingress {
27 |     from_port = 1
28 |     to_port   = 65535
29 |     protocol  = "tcp"
30 |     cidr_blocks = ["0.0.0.0/0"]
31 |   }
32 | 
33 |   egress {
34 |     from_port = 0
35 |     to_port = 0
36 |     protocol = "-1"
37 |     cidr_blocks = ["0.0.0.0/0"]
38 |   }
39 | 
40 |   tags {
41 |     Name = "elasticache-sg"
42 |   }
43 | }
44 | 


--------------------------------------------------------------------------------
/ecs/task-definitions/varnish.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |       "name": "varnish",
 4 |       "image": "dpetzold/docker-varnish-django:latest",
 5 |       "cpu": 100,
 6 |       "memory": 100,
 7 |       "portMappings": [
 8 |         {
 9 |           "hostPort": ${host_port},
10 |           "containerPort": ${container_port},
11 |           "protocol": "tcp"
12 |         }
13 |       ],
14 |       "environment": [
15 |         {
16 |           "name": "VARNISH_NAMED_BACKEND",
17 |           "value": "${backend_host}"
18 |         },
19 |         {
20 |           "name": "ALLOWED_HOSTS",
21 |           "value": "${allowed_hosts}"
22 |         },
23 |         {
24 |           "name": "HEALTH_CHECK_URL",
25 |           "value": "${health_check_url}"
26 |         },
27 |         {
28 |           "name": "ADMIN_URL",
29 |           "value": "${admin_url}"
30 |         }
31 |       ],
32 |       "volumesFrom": [],
33 |       "links": [],
34 |       "mountPoints": [],
35 |       "essential": true
36 |    }
37 | ]
38 | 


--------------------------------------------------------------------------------
/vpc/rds.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_db_subnet_group" "ecs_rds_subnet_group" {
 2 |     name = "${var.project_name}-rds-subnet-group"
 3 |     description = "RDS subnet group"
 4 |     subnet_ids  = [
 5 |         "${aws_subnet.main-public.id}",
 6 |         "${aws_subnet.main-private.id}",
 7 |     ]
 8 | }
 9 | 
10 | resource "aws_db_instance" "rds_instance" {
11 |     identifier = "${var.project_name}-rds"
12 |     allocated_storage = "${var.rds_allocated_storage}"
13 |     engine = "${var.rds_engine}"
14 |     engine_version = "${var.rds_engine_version}"
15 |     instance_class = "${var.rds_instance_class}"
16 |     name = "${var.database_name}"
17 |     username = "${var.database_user}"
18 |     password = "${var.database_password}"
19 |     vpc_security_group_ids = ["${aws_security_group.rds.id}"]
20 |     db_subnet_group_name = "${aws_db_subnet_group.ecs_rds_subnet_group.id}"
21 |     storage_type = "${var.rds_storage_type}"
22 |     tags {
23 |         Name = "${var.project_name}-rds"
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/vpc/route53.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_route53_zone" "internal" {
 2 |    name = "internal"
 3 |    vpc_id = "${aws_vpc.main.id}"
 4 | }
 5 | 
 6 | resource "aws_route53_record" "internal-ns" {
 7 |     zone_id = "${aws_route53_zone.internal.zone_id}"
 8 |     name = "internal"
 9 |     type = "NS"
10 |     ttl = "30"
11 |     records = [
12 |         "${aws_route53_zone.internal.name_servers.0}",
13 |         "${aws_route53_zone.internal.name_servers.1}",
14 |         "${aws_route53_zone.internal.name_servers.2}",
15 |         "${aws_route53_zone.internal.name_servers.3}"
16 |     ]
17 | }
18 | 
19 | resource "aws_route53_record" "rds" {
20 |     zone_id = "${aws_route53_zone.internal.zone_id}"
21 |     name = "rds.internal"
22 |     type = "CNAME"
23 |     records = ["${aws_db_instance.rds_instance.address}"]
24 |     ttl = "300"
25 | }
26 | 
27 | resource "aws_route53_record" "redis" {
28 |     zone_id = "${aws_route53_zone.internal.zone_id}"
29 |     name = "redis.internal"
30 |     type = "CNAME"
31 |     records = ["${aws_elasticache_cluster.redis.cache_nodes.0.address}"]
32 |     ttl = "300"
33 | }
34 | 


--------------------------------------------------------------------------------
/ecr/ecr.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecr_repository" "repository" {
 2 |   name = "${var.project_name}"
 3 | }
 4 | 
 5 | resource "aws_ecr_repository_policy" "repository-policy" {
 6 |   repository = "${aws_ecr_repository.repository.name}"
 7 |   policy = <<EOF
 8 | {
 9 |     "Version": "2008-10-17",
10 |     "Statement": [
11 |         {
12 |             "Sid": "new policy",
13 |             "Effect": "Allow",
14 |             "Principal": "*",
15 |             "Action": [
16 |                 "ecr:GetDownloadUrlForLayer",
17 |                 "ecr:BatchGetImage",
18 |                 "ecr:BatchCheckLayerAvailability",
19 |                 "ecr:PutImage",
20 |                 "ecr:InitiateLayerUpload",
21 |                 "ecr:UploadLayerPart",
22 |                 "ecr:CompleteLayerUpload",
23 |                 "ecr:DescribeRepositories",
24 |                 "ecr:GetRepositoryPolicy",
25 |                 "ecr:ListImages",
26 |                 "ecr:DeleteRepository",
27 |                 "ecr:BatchDeleteImage",
28 |                 "ecr:SetRepositoryPolicy",
29 |                 "ecr:DeleteRepositoryPolicy"
30 |             ]
31 |         }
32 |     ]
33 | }
34 | EOF
35 | }
36 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Capgemini
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/vpc/vpc.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_vpc" "main" {
 2 |   cidr_block = "10.0.0.0/16"
 3 |   enable_dns_hostnames = true
 4 |   tags {
 5 |     Name = "${var.project_name}-vpc"
 6 |   }
 7 | }
 8 | 
 9 | resource "aws_internet_gateway" "gateway" {
10 |     vpc_id = "${aws_vpc.main.id}"
11 |     tags {
12 |         Name = "${var.project_name}"
13 |     }
14 | }
15 | 
16 | resource "aws_subnet" "main-public" {
17 |   vpc_id = "${aws_vpc.main.id}"
18 |   availability_zone = "${var.aws_region}a"
19 |   cidr_block = "10.0.1.0/24"
20 |   map_public_ip_on_launch = true
21 |   tags {
22 |     Name = "${var.project_name}-public"
23 |   }
24 | }
25 | 
26 | resource "aws_subnet" "main-private" {
27 |   vpc_id = "${aws_vpc.main.id}"
28 |   availability_zone = "${var.aws_region}c"
29 |   cidr_block = "10.0.2.0/24"
30 |   tags {
31 |     Name = "${var.project_name}-private"
32 |   }
33 | }
34 | 
35 | resource "aws_route_table" "r-public" {
36 |   vpc_id = "${aws_vpc.main.id}"
37 |   route {
38 |     cidr_block = "0.0.0.0/0"
39 |     gateway_id = "${aws_internet_gateway.gateway.id}"
40 |   }
41 |   tags {
42 |     Name = "${var.project_name}-public-route"
43 |   }
44 | }
45 | 
46 | resource "aws_route_table_association" "a-public" {
47 |   subnet_id = "${element(aws_subnet.main-public.*.id, count.index)}"
48 |   route_table_id = "${aws_route_table.r-public.id}"
49 | }
50 | 


--------------------------------------------------------------------------------
/ecs/celery.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_service" "celery-service" {
 2 |   name = "celery"
 3 |   cluster = "${aws_ecs_cluster.default.id}"
 4 |   task_definition = "${aws_ecs_task_definition.celery-task.arn}"
 5 |   desired_count = 1
 6 | 
 7 |   deployment_maximum_percent = 100
 8 |   deployment_minimum_healthy_percent = 0
 9 | }
10 | 
11 | resource "aws_ecs_task_definition" "celery-task" {
12 |   family = "celery"
13 |   container_definitions = "${template_file.celery_task.rendered}"
14 | }
15 | 
16 | resource "template_file" "celery_task" {
17 |   template = "task-definitions/celery.json"
18 |   vars {
19 |     project_name = "${var.project_name}"
20 |     docker_image = "${var.docker_image}"
21 |     secure_ssl_redirect = "${var.secure_ssl_redirect}"
22 |     secret_key= "${var.secret_key}"
23 |     settings_module = "${var.settings_module}"
24 |     aws_access_key = "${var.aws_access_key}"
25 |     aws_secret_key = "${var.aws_secret_key}"
26 |     aws_region = "${var.aws_region}"
27 |     storage_bucket_name = "${var.storage_bucket_name}"
28 |     database_url = "${var.database_url}"
29 |     sentry_dsn = "${var.sentry_dsn}"
30 |     sendgrid_username = "${var.sendgrid_username}"
31 |     sendgrid_password = "${var.sendgrid_password}"
32 |     newrelic_config_file = "${var.newrelic_config_file}"
33 |     newrelic_license_key = "${var.newrelic_license_key}"
34 |     broker_url = "${var.broker_url}"
35 |     redis_host = "${var.redis_host}"
36 |   }
37 | }
38 | 


--------------------------------------------------------------------------------
/ecs/celery-beat.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_service" "celery-beat-service" {
 2 |   name = "celery-beat"
 3 |   cluster = "${aws_ecs_cluster.default.id}"
 4 |   task_definition = "${aws_ecs_task_definition.celery-beat-task.arn}"
 5 |   desired_count = 1
 6 | 
 7 |   deployment_maximum_percent = 100
 8 |   deployment_minimum_healthy_percent = 0
 9 | }
10 | 
11 | resource "aws_ecs_task_definition" "celery-beat-task" {
12 |   family = "celery-beat"
13 |   container_definitions = "${template_file.celery-beat-task.rendered}"
14 | }
15 | 
16 | resource "template_file" "celery-beat-task" {
17 |   template = "task-definitions/celery-beat.json"
18 |   vars {
19 |     project_name = "${var.project_name}"
20 |     docker_image = "${var.docker_image}"
21 |     secure_ssl_redirect = "${var.secure_ssl_redirect}"
22 |     secret_key= "${var.secret_key}"
23 |     settings_module = "${var.settings_module}"
24 |     aws_access_key = "${var.aws_access_key}"
25 |     aws_secret_key = "${var.aws_secret_key}"
26 |     aws_region = "${var.aws_region}"
27 |     storage_bucket_name = "${var.storage_bucket_name}"
28 |     database_url = "${var.database_url}"
29 |     sentry_dsn = "${var.sentry_dsn}"
30 |     sendgrid_username = "${var.sendgrid_username}"
31 |     sendgrid_password = "${var.sendgrid_password}"
32 |     newrelic_config_file = "${var.newrelic_config_file}"
33 |     newrelic_license_key = "${var.newrelic_license_key}"
34 |     broker_url = "${var.broker_url}"
35 |     redis_host = "${var.redis_host}"
36 |   }
37 | }
38 | 


--------------------------------------------------------------------------------
/env:
--------------------------------------------------------------------------------
 1 | export AWS_ACCESS_KEY_ID=""
 2 | export AWS_SECRET_ACCESS_KEY=""
 3 | 
 4 | export TF_VAR_project_name=""
 5 | export TF_VAR_remote_state_bucket=""
 6 | export TF_VAR_aws_region="us-west-2"
 7 | export TF_VAR_docker_image=""
 8 | export TF_VAR_public_key=""
 9 | 
10 | # VPC
11 | 
12 | export TF_VAR_vpc_id=""
13 | export TF_VAR_public_subnet_id=""
14 | export TF_VAR_private_subnet_id=""
15 | export TF_VAR_ssl_certificate_id=""
16 | 
17 | export TF_VAR_aws_access_key="${AWS_ACCESS_KEY_ID}"
18 | export TF_VAR_aws_secret_key="${AWS_SECRET_ACCESS_KEY}"
19 | 
20 | export TF_VAR_ecr_remote_state_key="ecr-terraform.tfstate"
21 | export TF_VAR_ecs_remote_state_key="ecs-terraform.tfstate"
22 | export TF_VAR_vpc_remote_state_key="vpc-terraform.tfstate"
23 | 
24 | export TF_VAR_key_name="${TF_VAR_project_name}-ecs"
25 | export TF_VAR_aws_access_key=${AWS_ACCESS_KEY_ID}
26 | export TF_VAR_aws_secret_key=${AWS_SECRET_ACCESS_KEY}
27 | export TF_VAR_host_port=80
28 | export TF_VAR_container_port=9000
29 | 
30 | # ECS
31 | 
32 | export TF_VAR_ecs_cluster_name="${TF_VAR_project_name}"
33 | 
34 | # ElastiCache
35 | 
36 | export TF_VAR_elasticache_cache_name="${TF_VAR_project_name}"
37 | 
38 | # RDS
39 | 
40 | export TF_VAR_rds_allocated_storage="5"
41 | export TF_VAR_rds_engine="postgres"
42 | export TF_VAR_rds_engine_version="9.4.5"
43 | export TF_VAR_rds_instance_class="db.t1.micro"
44 | 
45 | export TF_VAR_database_name="${TF_VAR_project_name}"
46 | export TF_VAR_database_user="${TF_VAR_project_name}"
47 | export TF_VAR_database_password=""
48 | 
49 | export TF_VAR_keypair_name=${TF_VAR_project_name}-ecs
50 | 
51 | # Django specific
52 | 
53 | export TF_VAR_secure_ssl_redirect=False
54 | export TF_VAR_secret_key=""
55 | export TF_VAR_settings_module=config.settings.production
56 | 
57 | export TF_VAR_static_url=/static/
58 | export TF_VAR_compress_enabled=True
59 | export TF_VAR_compress_offline=True
60 | export TF_VAR_compress_root=/app
61 | export TF_VAR_storage_bucket_name=""
62 | export TF_VAR_database_url="postgres://${TF_VAR_database_user}:${TF_VAR_database_password}@db.internal/${TF_VAR_database_name}"
63 | export TF_VAR_sentry_dsn=""
64 | export TF_VAR_sendgrid_username=""
65 | export TF_VAR_sendgrid_password=""
66 | 


--------------------------------------------------------------------------------
/ecs/task-definitions/celery.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |       "name": "celery",
 4 |       "image": "${docker_image}",
 5 |       "cpu": 256,
 6 |       "memory": 200,
 7 |       "volumesFrom": [],
 8 |       "links": [],
 9 |       "mountPoints": [],
10 |       "essential": true,
11 |       "command": ["newrelic-admin", "run-program", "celery", "worker", "--app", "derrickpetzold.celery", "--loglevel=INFO"],
12 |       "environment": [
13 |         {
14 |           "name": "BROKER_URL",
15 |           "value": "${broker_url}"
16 |         },
17 |         {
18 |           "name": "DJANGO_SECURE_SSL_REDIRECT",
19 |           "value": "${secure_ssl_redirect}"
20 |         },
21 |         {
22 |           "name": "DJANGO_SECRET_KEY",
23 |           "value": "${secret_key}"
24 |         },
25 |         {
26 |           "name": "DJANGO_SETTINGS_MODULE",
27 |           "value": "${settings_module}"
28 |         },
29 |         {
30 |           "name": "DJANGO_AWS_ACCESS_KEY_ID",
31 |           "value": "${aws_access_key}"
32 |         },
33 |         {
34 |           "name": "DJANGO_AWS_SECRET_ACCESS_KEY",
35 |           "value": "${aws_secret_key}"
36 |         },
37 |         {
38 |           "name": "DJANGO_AWS_REGION",
39 |           "value": "${aws_region}"
40 |         },
41 |         {
42 |           "name": "DJANGO_AWS_STORAGE_BUCKET_NAME",
43 |           "value": "${storage_bucket_name}"
44 |         },
45 |         {
46 |           "name": "DATABASE_URL",
47 |           "value": "${database_url}"
48 |         },
49 |         {
50 |           "name": "SENTRY_DSN",
51 |           "value": "${sentry_dsn}"
52 |         },
53 |         {
54 |           "name": "SENDGRID_USERNAME",
55 |           "value": "${sendgrid_username}"
56 |         },
57 |         {
58 |           "name": "SENDGRID_PASSWORD",
59 |           "value": "${sendgrid_password}"
60 |         },
61 |         {
62 |           "name": "NEW_RELIC_LICENSE_KEY",
63 |           "value": "${newrelic_license_key}"
64 |         },
65 |         {
66 |           "name": "NEW_RELIC_CONFIG_FILE",
67 |           "value": "${newrelic_config_file}"
68 |         },
69 |         {
70 |           "name": "REDIS_HOST",
71 |           "value": "${redis_host}"
72 |         }
73 |      ]
74 |   }
75 | ]
76 | 


--------------------------------------------------------------------------------
/ecs/task-definitions/celery-beat.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |       "name": "celery-beat",
 4 |       "image": "${docker_image}",
 5 |       "cpu": 100,
 6 |       "memory": 100,
 7 |       "volumesFrom": [],
 8 |       "links": [],
 9 |       "mountPoints": [],
10 |       "essential": true,
11 |       "command": ["newrelic-admin", "run-program", "celery", "-A", "derrickpetzold.celery", "beat", "--loglevel=INFO"],
12 |       "environment": [
13 |         {
14 |           "name": "BROKER_URL",
15 |           "value": "${broker_url}"
16 |         },
17 |         {
18 |           "name": "DJANGO_SECURE_SSL_REDIRECT",
19 |           "value": "${secure_ssl_redirect}"
20 |         },
21 |         {
22 |           "name": "DJANGO_SECRET_KEY",
23 |           "value": "${secret_key}"
24 |         },
25 |         {
26 |           "name": "DJANGO_SETTINGS_MODULE",
27 |           "value": "${settings_module}"
28 |         },
29 |         {
30 |           "name": "DJANGO_AWS_ACCESS_KEY_ID",
31 |           "value": "${aws_access_key}"
32 |         },
33 |         {
34 |           "name": "DJANGO_AWS_SECRET_ACCESS_KEY",
35 |           "value": "${aws_secret_key}"
36 |         },
37 |         {
38 |           "name": "DJANGO_AWS_REGION",
39 |           "value": "${aws_region}"
40 |         },
41 |         {
42 |           "name": "DJANGO_AWS_STORAGE_BUCKET_NAME",
43 |           "value": "${storage_bucket_name}"
44 |         },
45 |         {
46 |           "name": "DATABASE_URL",
47 |           "value": "${database_url}"
48 |         },
49 |         {
50 |           "name": "SENTRY_DSN",
51 |           "value": "${sentry_dsn}"
52 |         },
53 |         {
54 |           "name": "SENDGRID_USERNAME",
55 |           "value": "${sendgrid_username}"
56 |         },
57 |         {
58 |           "name": "SENDGRID_PASSWORD",
59 |           "value": "${sendgrid_password}"
60 |         },
61 |         {
62 |           "name": "NEW_RELIC_LICENSE_KEY",
63 |           "value": "${newrelic_license_key}"
64 |         },
65 |         {
66 |           "name": "NEW_RELIC_CONFIG_FILE",
67 |           "value": "${newrelic_config_file}"
68 |         },
69 |         {
70 |           "name": "REDIS_HOST",
71 |           "value": "${redis_host}"
72 |         }
73 |      ]
74 |   }
75 | ]
76 | 


--------------------------------------------------------------------------------
/vpc/elasticache.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_elasticache_cluster" "redis" {
 2 |   cluster_id = "${var.elasticache_cache_name}"
 3 |   engine = "redis"
 4 |   engine_version = "${var.elasticache_engine_version}"
 5 |   maintenance_window = "${var.elasticache_maintenance_window}"
 6 |   node_type = "${var.elasticache_instance_type}"
 7 |   num_cache_nodes = "1"
 8 |   parameter_group_name = "default.redis2.8"
 9 |   port = "6379"
10 |   subnet_group_name = "${aws_elasticache_subnet_group.default.name}"
11 |   security_group_ids = ["${aws_security_group.elasticache.id}"]
12 | 
13 |   tags {
14 |     Name = "${var.project_name}-redis"
15 |   }
16 | }
17 | 
18 | resource "aws_elasticache_subnet_group" "default" {
19 |   name = "${var.elasticache_cache_name}-elasticache-subnet-group"
20 |   description = "Private subnets for the ElastiCache instances"
21 |   subnet_ids = [
22 |     "${aws_subnet.main-public.id}"
23 |   ]
24 | }
25 | 
26 | #
27 | # CloudWatch resources
28 | #
29 | 
30 | /*
31 | resource "aws_cloudwatch_metric_alarm" "cpu" {
32 |   alarm_name          = "alarmCacheClusterCPUUtilization-${var.elasticache_cache_name}"
33 |   alarm_description   = "Cache cluster CPU utilization"
34 |   comparison_operator = "GreaterThanThreshold"
35 |   evaluation_periods  = "1"
36 |   metric_name         = "CPUUtilization"
37 |   namespace           = "AWS/ElastiCache"
38 |   period              = "300"
39 |   statistic           = "Average"
40 |   threshold           = "75"
41 | 
42 |   dimensions {
43 |     CacheClusterId = "${aws_elasticache_cluster.redis.id}"
44 |   }
45 | 
46 |   alarm_actions = ["${split(",", var.alarm_actions)}"]
47 | }
48 | 
49 | resource "aws_cloudwatch_metric_alarm" "memory_free" {
50 |   alarm_name          = "alarmCacheClusterFreeableMemory-${var.elasticache_cache_name}"
51 |   alarm_description   = "Cache cluster freeable memory"
52 |   comparison_operator = "LessThanThreshold"
53 |   evaluation_periods  = "1"
54 |   metric_name         = "FreeableMemory"
55 |   namespace           = "AWS/ElastiCache"
56 |   period              = "60"
57 |   statistic           = "Average"
58 | 
59 |   # 10MB in bytes
60 |   threshold = "10000000"
61 | 
62 |   dimensions {
63 |     CacheClusterId = "${aws_elasticache_cluster.redis.id}"
64 |   }
65 | 
66 |   alarm_actions = ["${split(",", var.alarm_actions)}"]
67 | }
68 | */
69 | 


--------------------------------------------------------------------------------
/ecs/ecs.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "ecs" {
 2 |   name = "${var.project_name}-container"
 3 |   description = "Container Instance Allowed Ports"
 4 |   vpc_id = "${var.vpc_id}"
 5 | 
 6 |   ingress {
 7 |     from_port = 22
 8 |     to_port   = 22
 9 |     protocol  = "tcp"
10 |     security_groups = [
11 |       "${aws_security_group.bastion.id}",
12 |     ]
13 |   }
14 | 
15 |   ingress {
16 |     from_port = 80
17 |     to_port   = 80
18 |     protocol  = "tcp"
19 |     security_groups = [
20 |       "${aws_security_group.bastion.id}",
21 |       "${aws_security_group.uwsgi-elb.id}",
22 |     ]
23 |   }
24 | 
25 |   ingress {
26 |     from_port = 8888
27 |     to_port   = 8888
28 |     protocol  = "tcp"
29 |     security_groups = [
30 |       "${aws_security_group.bastion.id}",
31 |       "${aws_security_group.varnish-elb.id}",
32 |     ]
33 |   }
34 |  
35 |   egress {
36 |     from_port = 0
37 |     to_port = 0
38 |     protocol = "-1"
39 |     cidr_blocks = ["0.0.0.0/0"]
40 |   }
41 | 
42 |   tags {
43 |     Name = "${var.project_name}-container-sg"
44 |   }
45 | }
46 | 
47 | resource "aws_ecs_cluster" "default" {
48 |   name = "${var.project_name}"
49 | }
50 | 
51 | resource "aws_launch_configuration" "ecs" {
52 |   name = "${var.project_name}"
53 |   image_id = "${lookup(var.amis, var.aws_region)}"
54 |   instance_type = "${var.instance_type}"
55 |   key_name = "${var.keypair_name}"
56 |   iam_instance_profile = "${aws_iam_instance_profile.ecs.id}"
57 |   security_groups = ["${aws_security_group.ecs.id}"]
58 | 
59 |   // XXX: These creds shouldn't be required with the role
60 |   user_data = "#!/bin/bash\necho 'ECS_CLUSTER=${aws_ecs_cluster.default.name}\nAWS_ACCESS_KEY_ID=${var.aws_access_key}\nAWS_SECRET_ACCESS_KEY=${var.aws_secret_key}\nAWS_DEFAULT_REGION=${var.aws_region}' > /etc/ecs/ecs.config"
61 |   associate_public_ip_address = false
62 | }
63 | 
64 | resource "aws_autoscaling_group" "ecs" {
65 |   name = "${var.project_name}"
66 |   launch_configuration = "${aws_launch_configuration.ecs.name}"
67 |   vpc_zone_identifier = ["${var.public_subnet_id}"]
68 |   min_size = "${var.aws_autoscaling_group_min_size}"
69 |   max_size = "${var.aws_autoscaling_group_max_size}"
70 |   desired_capacity = "${var.aws_autoscaling_group_desired_capacity}"
71 | }
72 | 
73 | resource "template_file" "project_policy" {
74 |   template = "policies/project.json"
75 |   vars {
76 |   }
77 | }
78 | 
79 | resource "template_file" "ecs_service_role_policy" {
80 |   template = "policies/ecs-service-role-policy.json"
81 |   vars {
82 |   }
83 | }
84 | 


--------------------------------------------------------------------------------
/ecs/varnish.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_security_group" "varnish-elb" {
  2 | 
  3 |   name = "varnish-elb"
  4 |   description = "Varnish Allowed Ports"
  5 |   vpc_id = "${var.vpc_id}"
  6 | 
  7 |   tags {
  8 |     Name = "varnish-elb"
  9 |   }
 10 | }
 11 | 
 12 | resource "aws_security_group_rule" "varnish_allow_http" {
 13 |     type = "ingress"
 14 |     from_port = 80
 15 |     to_port = 80
 16 |     protocol = "tcp"
 17 |     cidr_blocks = ["0.0.0.0/0"]
 18 |     security_group_id = "${aws_security_group.varnish-elb.id}"
 19 | }
 20 | 
 21 | resource "aws_security_group_rule" "varnish_allow_https" {
 22 |     type = "ingress"
 23 |     from_port = 443
 24 |     to_port = 443
 25 |     protocol = "tcp"
 26 |     cidr_blocks = ["0.0.0.0/0"]
 27 |     security_group_id = "${aws_security_group.varnish-elb.id}"
 28 | }
 29 | 
 30 | resource "aws_security_group_rule" "varnish_allow_all" {
 31 |     type = "egress"
 32 |     from_port = 0
 33 |     to_port = 0
 34 |     protocol = "-1"
 35 |     cidr_blocks = ["0.0.0.0/0"]
 36 |     security_group_id = "${aws_security_group.varnish-elb.id}"
 37 | }
 38 | 
 39 | resource "aws_elb" "varnish-elb" {
 40 |   name = "varnish"
 41 |   subnets = ["${var.public_subnet_id}"]
 42 |   security_groups = ["${aws_security_group.varnish-elb.id}"]
 43 | 
 44 |   listener {
 45 |     instance_port = "${var.varnish_host_port}"
 46 |     instance_protocol = "http"
 47 |     lb_port = 80
 48 |     lb_protocol = "http"
 49 |   }
 50 | 
 51 |   listener {
 52 |     instance_port = "${var.varnish_host_port}"
 53 |     instance_protocol = "http"
 54 |     lb_port = 443
 55 |     lb_protocol = "https"
 56 |     ssl_certificate_id = "${var.ssl_certificate_id}"
 57 |   }
 58 | 
 59 |   health_check {
 60 |     healthy_threshold = 2
 61 |     unhealthy_threshold = 2
 62 |     timeout = 3
 63 |     target = "HTTP:${var.varnish_host_port}/varnish-health/"
 64 |     interval = 30
 65 |   }
 66 | 
 67 |   connection_draining = false
 68 | 
 69 |   tags {
 70 |     Name = "varnish-elb"
 71 |   }
 72 | }
 73 | 
 74 | resource "aws_ecs_service" "varnish-service" {
 75 |   name = "varnish"
 76 |   cluster = "${aws_ecs_cluster.default.id}"
 77 |   task_definition = "${aws_ecs_task_definition.varnish-task.arn}"
 78 |   desired_count = 1
 79 |   iam_role = "${aws_iam_role.ecs_role.arn}"
 80 |   depends_on = ["aws_iam_role_policy.ecs_service_role_policy"]
 81 |   deployment_maximum_percent = 200
 82 |   deployment_minimum_healthy_percent = 50
 83 | 
 84 |   load_balancer {
 85 |     elb_name = "${aws_elb.varnish-elb.id}"
 86 |     container_name = "varnish"
 87 |     container_port = "${var.varnish_container_port}"
 88 |   }
 89 | }
 90 | 
 91 | resource "aws_ecs_task_definition" "varnish-task" {
 92 |   family = "varnish"
 93 |   container_definitions = "${template_file.varnish_task.rendered}"
 94 | }
 95 | 
 96 | resource "template_file" "varnish_task" {
 97 |   template = "task-definitions/varnish.json"
 98 |   vars {
 99 |     backend_host = "uwsgi.internal"
100 |     allowed_hosts = "${var.allowed_hosts}"
101 |     host_port = "${var.varnish_host_port}"
102 |     container_port = "${var.varnish_container_port}"
103 |     health_check_url = "${var.varnish_health_check_url}"
104 |     admin_url = "${var.admin_url}"
105 |   }
106 | }
107 | 


--------------------------------------------------------------------------------
/ecs/task-definitions/uwsgi.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |       "name": "uwsgi",
  4 |       "image": "${docker_image}",
  5 |       "cpu": 512,
  6 |       "memory": 400,
  7 |       "command": ["newrelic-admin", "run-program", "uwsgi", "config/uwsgi.ini"],
  8 |       "portMappings": [
  9 |         {
 10 |           "hostPort": ${host_port},
 11 |           "containerPort": ${container_port},
 12 |           "protocol": "tcp"
 13 |         }
 14 |       ],
 15 |       "environment": [
 16 |         {
 17 |           "name": "BROKER_URL",
 18 |           "value": "${broker_url}"
 19 |         },
 20 |         {
 21 |           "name": "COMPRESS_ENABLED",
 22 |           "value": "${compress_enabled}"
 23 |         },
 24 |         {
 25 |           "name": "COMPRESS_OFFLINE",
 26 |           "value": "${compress_offline}"
 27 |         },
 28 |         {
 29 |           "name": "COMPRESS_ROOT",
 30 |           "value": "${compress_root}"
 31 |         },
 32 |         {
 33 |           "name": "AWS_CLOUDFRONT_DISTRIBUTION",
 34 |           "value": "${aws_cloudfront_distribution}"
 35 |         },
 36 |         {
 37 |           "name": "STATIC_URL",
 38 |           "value": "${static_url}"
 39 |         },
 40 |         {
 41 |           "name": "STATIC_HOST",
 42 |           "value": "${static_host}"
 43 |         },
 44 |         {
 45 |           "name": "STATICFILES_STORAGE",
 46 |           "value": "${staticfiles_storage}"
 47 |         },
 48 |         {
 49 |           "name": "DJANGO_SECURE_SSL_REDIRECT",
 50 |           "value": "${secure_ssl_redirect}"
 51 |         },
 52 |         {
 53 |           "name": "DJANGO_SECRET_KEY",
 54 |           "value": "${secret_key}"
 55 |         },
 56 |         {
 57 |           "name": "DJANGO_SETTINGS_MODULE",
 58 |           "value": "${settings_module}"
 59 |         },
 60 |         {
 61 |           "name": "DJANGO_AWS_ACCESS_KEY_ID",
 62 |           "value": "${aws_access_key}"
 63 |         },
 64 |         {
 65 |           "name": "DJANGO_AWS_SECRET_ACCESS_KEY",
 66 |           "value": "${aws_secret_key}"
 67 |         },
 68 |         {
 69 |           "name": "DJANGO_AWS_REGION",
 70 |           "value": "${aws_region}"
 71 |         },
 72 |         {
 73 |           "name": "DJANGO_AWS_STORAGE_BUCKET_NAME",
 74 |           "value": "${storage_bucket_name}"
 75 |         },
 76 |         {
 77 |           "name": "DATABASE_URL",
 78 |           "value": "${database_url}"
 79 |         },
 80 |         {
 81 |           "name": "SENTRY_DSN",
 82 |           "value": "${sentry_dsn}"
 83 |         },
 84 |         {
 85 |           "name": "SENDGRID_USERNAME",
 86 |           "value": "${sendgrid_username}"
 87 |         },
 88 |         {
 89 |           "name": "SENDGRID_PASSWORD",
 90 |           "value": "${sendgrid_password}"
 91 |         },
 92 |         {
 93 |           "name": "NEW_RELIC_LICENSE_KEY",
 94 |           "value": "${newrelic_license_key}"
 95 |         },
 96 |         {
 97 |           "name": "NEW_RELIC_CONFIG_FILE",
 98 |           "value": "${newrelic_config_file}"
 99 |         },
100 |         {
101 |           "name": "UWSGI_PROCESSES",
102 |           "value": "${uwsgi_processes}"
103 |         },
104 |         {
105 |           "name": "UWSGI_HARAKIKI",
106 |           "value": "${uwsgi_harakiki}"
107 |         },
108 |         {
109 |           "name": "REDIS_HOST",
110 |           "value": "${redis_host}"
111 |         },
112 |         {
113 |           "name": "ADMIN_URL",
114 |           "value": "${admin_url}"
115 |         },
116 |         {
117 |           "name": "VARNISH_HOST_PORT",
118 |           "value": "${varnish_host_port}"
119 |         }
120 |       ],
121 |       "volumesFrom": [],
122 |       "links": [],
123 |       "mountPoints": [],
124 |       "essential": true
125 |    }
126 | ]
127 | 


--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
  1 | ====================
  2 | terraform-django-ecs
  3 | ====================
  4 | 
  5 | Deploy a dockerized Django Application to AWS in a VPC using Terraform, EC2 Container
  6 | Registry and EC2 Container Service.
  7 | 
  8 | Includes:
  9 | 
 10 | * Virtual Private Cloud
 11 | * Internal DNS
 12 | * Private S3 bucket for container registry data
 13 | * Private ECR Docker repository
 14 | * ECS cluster, launch configuration and autoscaling group
 15 | * RDS cluster
 16 | * ElastiCache cluster
 17 | * EC2 instances to run ECS agent on
 18 | * ELB to distribute requests across the EC2 instances
 19 | * uWSGI task definition
 20 | * Celery task definition
 21 | * Celery beat task definition
 22 | 
 23 | This project is split into three separate Terraform projects. So they can be
 24 | built and destroyed independent of each other.
 25 | 
 26 | ECR
 27 |   Builds the private ECR Docker repository. Outputs the registry endpoint.
 28 | 
 29 | VPC
 30 |   Builds the VPC, the RDS cluster, ElastiCache cluster and their security
 31 |   groups. The DNS names for the clusters are:
 32 | 
 33 |   * rds.internal
 34 |   * redis.interal
 35 | 
 36 |   Outputs the VPC id and the public and private subnets ids.
 37 | 
 38 | ECS
 39 |   Builds the ECS cluster with 2 micro instances and uWSGI and Celery task definitions
 40 |   and the necessary security groups and IAM roles. Outputs the ELB endpoint.
 41 | 
 42 | Prerequisites
 43 | -------------
 44 | 
 45 | * Terraform installed. Get it from
 46 |   `https://www.terraform.io/downloads.html <https://www.terraform.io/downloads.html>`_ to grab the latest version.
 47 | * An AWS account `http://aws.amazon.com/ <http://aws.amazon.com/>`_
 48 | 
 49 | Usage
 50 | -----
 51 | 
 52 | Building the cluster is broken up into three operations:
 53 | 
 54 | 1) Provision the ECR regristry and upload the application docker image to it.
 55 | 2) Provision the VPC with RDS and ElastiCache.
 56 | 3) Provision the ECS cluster with the sevice and task definitions.
 57 | 
 58 | 
 59 | The following steps will walk you through the process:
 60 | 
 61 | 1. Clone the repo::
 62 | 
 63 |     git clone https://github.com/dpetzold/terraform-django-ecs.git
 64 | 
 65 | 2. Copy the sample env to .env and edit it with your information::
 66 | 
 67 |     TF_VAR_key_name=name of ssh key
 68 |     TF_VAR_aws_access_key=The AWS access key ID
 69 |     TF_VAR_aws_secret_key=The AWS secret key
 70 |     TF_VAR_project_name=The name of your project
 71 | 
 72 | 3. Build the ECR registry::
 73 | 
 74 |     ./apply ecr
 75 | 
 76 |     It will output the docker repository url used below.
 77 | 
 78 | 4. Upload your docker image to it::
 79 | 
 80 |     cd project
 81 |     `aws ecr get-login --region us-east-1`
 82 |     docker build -t repo/project:version .
 83 |     docker push repo/project:version
 84 | 
 85 | 5. Update the env file with the ARN to the docker image::
 86 | 
 87 |     TF_VAR_docker_image="repo/project:version"
 88 | 
 89 | 6. Build the VPC::
 90 | 
 91 |    ./apply vpc
 92 | 
 93 | 7. Update the env file with the output::
 94 | 
 95 |     TF_VAR_vpc_id="vpc-????????"
 96 |     TF_VAR_public_subnet_id="subnet-????????"
 97 |     TF_VAR_private_subnet_id="subnet-????????"
 98 | 
 99 | 8. Build the ECS cluster::
100 | 
101 |    ./apply ecs
102 | 
103 | 9. Initialize your database. Get the hostname of one of the running EC2
104 |    instances and make sure ssh from your host is allowed in the security
105 |    group. Then scp your database dump and load it::
106 | 
107 |     scp -i <your keypair> database.dump ec2-user@<hostname>
108 |     ssh -i <your keypair> ec2-user@<hostname>
109 |     sudo -s
110 |     yum install -y postgresql94
111 |     pg_restore -U <database user> -h rds.internal -d postgres -C database.dump
112 | 
113 | 9. Check the status of the cluster from the AWS console. Once the status of the
114 |    task definition changes from PENDING to ACTIVE the instances will be added
115 |    to the ELB and your site should accessible from the ELB endpoint returned
116 |    from the build ecs command.
117 | 
118 | 
119 | Deploy
120 | ------
121 | 
122 | To deploy new code perform the following steps::
123 | 
124 |     `aws ecr get-login --region us-east-1`
125 |     docker build -t $TF_VAR_project_name .
126 |     docker push $TF_VAR_docker_image
127 | 
128 | * Create a new task revision.
129 | 
130 | * Update the service.
131 | 


--------------------------------------------------------------------------------
/ecs/uwsgi.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_security_group" "uwsgi-elb" {
  2 | 
  3 |   name = "uwsgi-elb"
  4 |   description = "uWSGI Allowed Ports"
  5 |   vpc_id = "${var.vpc_id}"
  6 | 
  7 |   tags {
  8 |     Name = "uwsgi-elb"
  9 |   }
 10 | }
 11 | 
 12 | resource "aws_security_group_rule" "uwsgi_allow_http" {
 13 |     type = "ingress"
 14 |     from_port = 80
 15 |     to_port = 80
 16 |     protocol = "tcp"
 17 |     source_security_group_id= "${aws_security_group.ecs.id}"
 18 |     security_group_id = "${aws_security_group.uwsgi-elb.id}"
 19 | }
 20 | 
 21 | resource "aws_security_group_rule" "uwsgi_allow_http_10" {
 22 |     type = "ingress"
 23 |     from_port = 80
 24 |     to_port = 80
 25 |     protocol = "tcp"
 26 |     cidr_blocks = ["10.0.0.0/8"]
 27 |     security_group_id = "${aws_security_group.uwsgi-elb.id}"
 28 | }
 29 | 
 30 | resource "aws_security_group_rule" "uwsgi_allow_all" {
 31 |     type = "egress"
 32 |     from_port = 0
 33 |     to_port = 0
 34 |     protocol = "-1"
 35 |     cidr_blocks = ["0.0.0.0/0"]
 36 |     security_group_id = "${aws_security_group.uwsgi-elb.id}"
 37 | }
 38 | 
 39 | resource "aws_route53_record" "uwsgi-internal" {
 40 |     zone_id = "${var.internal_zone_id}"
 41 |     name = "uwsgi.internal"
 42 |     type = "A"
 43 | 
 44 |     alias {
 45 |         name = "${aws_elb.uwsgi-elb.dns_name}"
 46 |         zone_id = "${aws_elb.uwsgi-elb.zone_id}"
 47 |         evaluate_target_health = true
 48 |     }
 49 | }
 50 | 
 51 | resource "aws_elb" "uwsgi-elb" {
 52 |   name = "uwsgi"
 53 |   subnets = ["${var.public_subnet_id}"]
 54 |   security_groups = ["${aws_security_group.uwsgi-elb.id}"]
 55 |   connection_draining = false
 56 |   internal = true
 57 | 
 58 |   listener {
 59 |     instance_port = "${var.host_port}"
 60 |     instance_protocol = "http"
 61 |     lb_port = 80
 62 |     lb_protocol = "http"
 63 |   }
 64 | 
 65 |   health_check {
 66 |     healthy_threshold = 2
 67 |     unhealthy_threshold = 2
 68 |     timeout = 3
 69 |     target = "HTTP:${var.host_port}/200/"
 70 |     interval = 30
 71 |   }
 72 | 
 73 |   tags {
 74 |     Name = "${var.project_name}-elb"
 75 |   }
 76 | }
 77 | 
 78 | resource "aws_ecs_service" "uwsgi-service" {
 79 |   name = "uwsgi"
 80 |   cluster = "${aws_ecs_cluster.default.id}"
 81 |   task_definition = "${aws_ecs_task_definition.uwsgi-task.arn}"
 82 |   desired_count = 2
 83 |   iam_role = "${aws_iam_role.ecs_role.arn}"
 84 |   depends_on = ["aws_iam_role_policy.ecs_service_role_policy"]
 85 |   deployment_maximum_percent = 100
 86 |   deployment_minimum_healthy_percent = 0
 87 | 
 88 |   load_balancer {
 89 |     elb_name = "${aws_elb.uwsgi-elb.id}"
 90 |     container_name = "uwsgi"
 91 |     container_port = "${var.container_port}"
 92 |   }
 93 | }
 94 | 
 95 | resource "aws_ecs_task_definition" "uwsgi-task" {
 96 |   family = "uwsgi"
 97 |   container_definitions = "${template_file.uwsgi_task.rendered}"
 98 | }
 99 | 
100 | resource "template_file" "uwsgi_task" {
101 |   template = "task-definitions/uwsgi.json"
102 |   vars {
103 |     project_name = "${var.project_name}"
104 |     docker_image = "${var.docker_image}"
105 |     host_port = "${var.host_port}"
106 |     container_port = "${var.container_port}"
107 |     secure_ssl_redirect = "${var.secure_ssl_redirect}"
108 |     compress_enabled = "${var.compress_enabled}"
109 |     compress_offline = "${var.compress_offline}"
110 |     compress_root = "${var.compress_root}"
111 |     compress_url = "${var.compress_url}"
112 |     broker_url = "${var.broker_url}"
113 |     static_url = "${var.static_url}"
114 |     secret_key= "${var.secret_key}"
115 |     settings_module = "${var.settings_module}"
116 |     aws_access_key = "${var.aws_access_key}"
117 |     aws_secret_key = "${var.aws_secret_key}"
118 |     aws_region = "${var.aws_region}"
119 |     storage_bucket_name = "${var.storage_bucket_name}"
120 |     database_url = "${var.database_url}"
121 |     sentry_dsn = "${var.sentry_dsn}"
122 |     sendgrid_username = "${var.sendgrid_username}"
123 |     sendgrid_password = "${var.sendgrid_password}"
124 |     newrelic_config_file = "${var.newrelic_config_file}"
125 |     newrelic_license_key = "${var.newrelic_license_key}"
126 |     aws_cloudfront_distribution = "${var.aws_cloudfront_distribution}"
127 |     static_host = "${var.static_host}"
128 |     staticfiles_storage = "${var.staticfiles_storage}"
129 |     uwsgi_processes = "${var.uwsgi_processes}"
130 |     uwsgi_harakiki = "${var.uwsgi_harakiki}"
131 |     admin_url = "${var.admin_url}"
132 |     varnish_host_port = "${var.varnish_host_port}"
133 |     redis_host = "${var.redis_host}"
134 |   }
135 | }
136 | 


--------------------------------------------------------------------------------
/vpc/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "project_name" {
  2 |   description = "The name of the project."
  3 | }
  4 | 
  5 | variable "aws_access_key" {
  6 |   description = "The AWS access key."
  7 | }
  8 | 
  9 | variable "aws_secret_key" {
 10 |   description = "The AWS secret key."
 11 | }
 12 | 
 13 | variable "public_key" {
 14 |   description = "The public key."
 15 | }
 16 | 
 17 | variable "aws_region" {
 18 |   description = "The AWS region to create resources in."
 19 |   default = "us-west-2"
 20 | }
 21 | 
 22 | variable "remote_state_bucket" {
 23 |   description = "The name of the s3 bucket to store the remote state in."
 24 |   default = "terraform-state.example.com"
 25 | }
 26 | 
 27 | variable "vpc_remote_state_key" {
 28 |   description = "The name of the key to store the remote state in."
 29 |   default = "vpc-terraform.tfstate"
 30 | }
 31 | 
 32 | variable "ecs_cluster_name" {
 33 |   description = "The name of the Amazon ECS cluster."
 34 |   default = "default"
 35 | }
 36 | 
 37 | /* ECS optimized AMIs per region */
 38 | variable "amis" {
 39 |   default = {
 40 |     ap-northeast-1 = "ami-b3afa2dd"
 41 |     ap-southeast-1 = "ami-0cb0786f"
 42 |     ap-southeast-2 = "ami-cf6342ac"
 43 |     eu-west-1      = "ami-77ab1504"
 44 |     us-east-1      = "ami-33b48a59"
 45 |     us-west-1      = "ami-26f78746"
 46 |     us-west-2      = "ami-65866a05"
 47 |   }
 48 | }
 49 | 
 50 | variable "availability_zones" {
 51 |   default = "us-west-2a,us-west-2b,us-west-2c"
 52 |   description = "The availability zones in this environment (must be a comma-deliminated list of availability zones with no spaces)"
 53 | }
 54 | 
 55 | variable "instance_type" {
 56 |   default = "t2.micro"
 57 | }
 58 | 
 59 | variable "key_name" {
 60 |   description = "The aws ssh key name."
 61 |   default = ""
 62 | }
 63 | 
 64 | variable "host_port" {
 65 |   description = "The instance port"
 66 |   default = "5000"
 67 | }
 68 | 
 69 | variable "container_port" {
 70 |   description = "The container port"
 71 |   default = "5000"
 72 | }
 73 | 
 74 | variable "bastion_aws_region" {
 75 |   description = "The bastion region"
 76 |   default = "us-west-2"
 77 | }
 78 | 
 79 | variable "vpc_availability_zone" {
 80 |   description = "The vpc availability zone"
 81 |   default = "us-west-2a,"
 82 | }
 83 | 
 84 | # Ubuntu 14.04
 85 | variable "bastion_aws_amis" {
 86 |   description = "The bastion amis"
 87 |   default = {
 88 |     us-west-2 = "ami-5189a661"
 89 |   }
 90 | }
 91 | 
 92 | variable "aws_autoscaling_group_min_size" {
 93 |   description = "The autoscaling group minimum size"
 94 |   default = 1
 95 | }
 96 | 
 97 | variable "aws_autoscaling_group_max_size" {
 98 |   description = "The autoscaling group maximum size"
 99 |   default = 10
100 | }
101 | 
102 | variable "aws_autoscaling_group_desired_capacity" {
103 |   description = "The autoscaling group desired capacity"
104 |   default = 1
105 | }
106 | 
107 | variable "docker_image" {
108 |   description = "The Docker image to use."
109 | }
110 | 
111 | // RDS
112 | // https://docs.aws.amazon.com/AmazonRDS/latest/CommandLineReference/CLIReference-cmd-CreateDBInstance.html
113 | 
114 | variable rds_allocated_storage {
115 |   description = "Amount of storage to be initially allocated for the DB instance, in gigabytes."
116 |   default = 5
117 | }
118 | 
119 | variable rds_engine {
120 |   description = "Name of the database engine to be used for this instance."
121 |   default = "postgres"
122 | }
123 | 
124 | variable rds_engine_version {
125 |   description = "Version number of the database engine to use."
126 |   default = "9.4.5"
127 | }
128 | 
129 | variable rds_instance_class {
130 |   description = "The compute and memory capacity of the instance"
131 |   default = "db.t1.micro"
132 | }
133 | 
134 | variable database_name {
135 |   description = "The name of the database."
136 | }
137 | 
138 | variable database_user {
139 |   description = "The name of the master database user."
140 | }
141 | 
142 | variable database_password {
143 |   description = "Password for the master DB instance user"
144 | }
145 | 
146 | variable rds_storage_type {
147 |   description = "Specifies the storage type for the DB instance."
148 |   default = "standard"
149 | }
150 | 
151 | // ElastiCache
152 | // http://docs.aws.amazon.com/cli/latest/reference/elasticache/create-cache-cluster.html
153 | 
154 | variable elasticache_cache_name {
155 |   description = "Specifies the name of the cache instance."
156 | }
157 | 
158 | variable elasticache_engine_version {
159 |   description = "Specifies the engine version for the cache instance."
160 |   default = "2.8.24"
161 | }
162 | 
163 | variable elasticache_maintenance_window {
164 |   description = "Specifies the maintenence window for the cache instance."
165 |   default = "sun:05:00-sun:09:00"
166 | }
167 | 
168 | variable elasticache_instance_type {
169 |   description = "Specifies the instance type for the cache instance."
170 |   default = "cache.t2.micro"
171 | }
172 | 


--------------------------------------------------------------------------------
/ecs/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "project_name" {
  2 |   description = "The name of the project."
  3 | }
  4 | 
  5 | variable "aws_access_key" {
  6 |   description = "The AWS access key."
  7 | }
  8 | 
  9 | variable "aws_secret_key" {
 10 |   description = "The AWS secret key."
 11 | }
 12 | 
 13 | variable "aws_cloudfront_distribution" {
 14 |   description = "The AWS secret key."
 15 | }
 16 | 
 17 | variable "public_key" {
 18 |   description = "The public key."
 19 | }
 20 | 
 21 | variable "aws_region" {
 22 |   description = "The AWS region to create resources in."
 23 |   default = "us-west-2"
 24 | }
 25 | 
 26 | variable "remote_state_bucket" {
 27 |   description = "The name of the s3 bucket to store the remote state in."
 28 |   default = "terraform-state.example.com"
 29 | }
 30 | 
 31 | variable "vpc_id" {
 32 |   description = "The id of the vpc to launch in."
 33 | }
 34 | 
 35 | variable "public_subnet_id" {
 36 |   description = "The id of the private subnet to launch in."
 37 | }
 38 | 
 39 | variable "private_subnet_id" {
 40 |   description = "The id of the private subnet to launch in."
 41 | }
 42 | 
 43 | variable "ecs_remote_state_key" {
 44 |   description = "The name of the key to store the remote state in."
 45 |   default = "vpc-terraform.tfstate"
 46 | }
 47 | 
 48 | variable "ecs_cluster_name" {
 49 |   description = "The name of the Amazon ECS cluster."
 50 |   default = "default"
 51 | }
 52 | 
 53 | /* ECS optimized AMIs per region */
 54 | variable "amis" {
 55 |   default = {
 56 |     ap-northeast-1 = "ami-b3afa2dd"
 57 |     ap-southeast-1 = "ami-0cb0786f"
 58 |     ap-southeast-2 = "ami-cf6342ac"
 59 |     eu-west-1      = "ami-77ab1504"
 60 |     us-east-1      = "ami-33b48a59"
 61 |     us-west-1      = "ami-26f78746"
 62 |     us-west-2      = "ami-65866a05"
 63 |   }
 64 | }
 65 | 
 66 | variable "availability_zones" {
 67 |   default = "us-east-2a,us-east-2c,us-east-2d"
 68 |   description = "The availability zones in this environment (must be a comma-deliminated list of availability zones with no spaces)"
 69 | }
 70 | 
 71 | variable "instance_type" {
 72 |   default = "t2.micro"
 73 | }
 74 | 
 75 | variable "key_name" {
 76 |   description = "The aws ssh key name."
 77 |   default = ""
 78 | }
 79 | 
 80 | variable "host_port" {
 81 |   description = "The instance port"
 82 |   default = "5000"
 83 | }
 84 | 
 85 | variable "container_port" {
 86 |   description = "The container port"
 87 |   default = "5000"
 88 | }
 89 | 
 90 | variable "bastion_aws_region" {
 91 |   description = "The bastion region"
 92 |   default = "us-west-2"
 93 | }
 94 | 
 95 | variable "vpc_availability_zone" {
 96 |   description = "The vpc availability zone"
 97 |   default = "us-west-2a,"
 98 | }
 99 | 
100 | # Ubuntu 14.04
101 | variable "bastion_aws_amis" {
102 |   description = "The bastion amis"
103 |   default = {
104 |     us-west-2 = "ami-5189a661"
105 |   }
106 | }
107 | 
108 | variable "aws_autoscaling_group_min_size" {
109 |   description = "The autoscaling group minimum size"
110 |   default = 2
111 | }
112 | 
113 | variable "aws_autoscaling_group_max_size" {
114 |   description = "The autoscaling group maximum size"
115 |   default = 10
116 | }
117 | 
118 | variable "aws_autoscaling_group_desired_capacity" {
119 |   description = "The autoscaling group desired capacity"
120 |   default = 2
121 | }
122 | 
123 | variable "docker_image" {
124 |   description = "The Docker image to use."
125 | }
126 | 
127 | # Django
128 | variable "secure_ssl_redirect" {
129 |   description = ""
130 | }
131 | 
132 | variable "secret_key" {
133 |   description = ""
134 | }
135 | 
136 | variable "settings_module" {
137 |   description = ""
138 | }
139 | 
140 | variable "storage_bucket_name" {
141 |   description = ""
142 | }
143 | 
144 | variable "database_url" {
145 |   description = ""
146 | }
147 | 
148 | variable "sentry_dsn" {
149 |   description = ""
150 | }
151 | 
152 | variable "sendgrid_username" {
153 |   description = ""
154 | }
155 | 
156 | variable "sendgrid_password" {
157 |   description = ""
158 | }
159 | 
160 | variable "compress_enabled" {
161 |   description = ""
162 | }
163 | 
164 | variable "compress_offline" {
165 |   description = ""
166 | }
167 | 
168 | variable "compress_root" {
169 |   description = ""
170 | }
171 | 
172 | variable "compress_url" {
173 |   description = ""
174 | }
175 | 
176 | variable "static_url" {
177 |   description = ""
178 | }
179 | 
180 | variable "static_host" {
181 |   description = ""
182 | }
183 | 
184 | variable "staticfiles_storage" {
185 |   description = ""
186 | }
187 | 
188 | variable "ssl_certificate_id" {
189 |   description = ""
190 | }
191 | 
192 | variable "keypair_name" {
193 |   description = ""
194 | }
195 | 
196 | variable "newrelic_license_key" {
197 |   description = ""
198 | }
199 | 
200 | variable "newrelic_config_file" {
201 |   description = ""
202 | }
203 | 
204 | variable "uwsgi_processes" {
205 |   description = ""
206 | }
207 | 
208 | variable "uwsgi_harakiki" {
209 |   description = ""
210 | }
211 | 
212 | variable "broker_url" {
213 |   description = ""
214 | }
215 | 
216 | variable "internal_zone_id" {
217 |   description = ""
218 | }
219 | 
220 | variable "admin_url" {
221 |   description = "admin"
222 | }
223 | 
224 | variable "allowed_hosts" {
225 |   description = ""
226 | }
227 | 
228 | variable "varnish_host_port" {
229 |   description = ""
230 |   default = "8888"
231 | }
232 | 
233 | variable "varnish_container_port" {
234 |   description = ""
235 |   default = "80"
236 | }
237 | 
238 | variable "varnish_health_check_url" {
239 |   description = ""
240 |   default = "/200/"
241 | }
242 | 
243 | variable "redis_host" {
244 |   description = ""
245 |   default = "uwsgi.internal"
246 | }
247 | 


--------------------------------------------------------------------------------