├── .editorconfig
├── .gitignore
├── Makefile
├── README.md
├── alb-acme.tf
├── alb.tf
├── alert-manager.tf
├── ami
    ├── main.tf
    ├── output.tf
    └── variables.tf
├── data
    └── iam
    │   ├── ecs-task-assumerole.json
    │   └── log-policy.json
├── debug.tf
├── dns.tf
├── docker
    ├── alertmanager
    │   ├── Dockerfile
    │   └── alertmanager.yml
    ├── nats-streaming
    │   └── Dockerfile
    └── prometheus
    │   ├── Dockerfile
    │   ├── alert.rules.yml
    │   └── prometheus.yml
├── docs
    ├── architecture.png
    └── architecture.xml
├── ecs.tf
├── gateway.tf
├── keys
    └── .gitignore
├── main.tf
├── nats.tf
├── network.tf
├── output.tf
├── prometheus.tf
├── security.tf
├── service-internal-no-task
    ├── main.tf
    ├── output.tf
    └── variables.tf
├── service-internal-with-lb
    ├── main.tf
    ├── output.tf
    └── variables.tf
├── service-internal
    ├── main.tf
    ├── output.tf
    └── variables.tf
├── terraform.tfstate.1541875947.backup
└── variables.tf


/.editorconfig:
--------------------------------------------------------------------------------
 1 | root = true
 2 | 
 3 | ; Unix-style newlines with a newline ending every file
 4 | [*]
 5 | end_of_line = lf
 6 | indent_size = 4
 7 | indent_style = space
 8 | insert_final_newline = true
 9 | trim_trailing_whitespace  = true
10 | insert_final_newline = true
11 | charset = utf-8
12 | 
13 | ; Golang
14 | [*.go]
15 | indent_style = tab
16 | indent_size = 4
17 | 
18 | ; YAML
19 | [*.{yaml,yml}]
20 | indent_style = space
21 | indent_size = 2
22 | 
23 | [{Makefile,GNUmakefile}]
24 | indent_style = tab
25 | indent_size = 4
26 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .idea
2 | state.tf
3 | .terraform
4 | *.tfstate
5 | *.tfvars
6 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | alertmanager_version := "v0.15.1"
 2 | prometheus_version := "v2.3.1"
 3 | nats_streaming_version := "0.11.2"
 4 | default: install
 5 | 
 6 | install: init apply
 7 | 
 8 | init:
 9 | 	@terraform init
10 | 
11 | apply:
12 | 	@terraform apply
13 | 
14 | destroy:
15 | 	@terraform destroy
16 | 
17 | keys:
18 | 	@ssh-keygen -t rsa -f ./keys/openfaas
19 | 	@chmod 400 ./keys/openfaas
20 | 	@chmod 400 ./keys/openfaas.pub
21 | 
22 | docker-publish: docker-build
23 | 	@docker push ewilde/alertmanager:${alertmanager_version}
24 | 	@docker push ewilde/prometheus:${prometheus_version}
25 | 	@docker push ewilde/nats-streaming:${nats_streaming_version}
26 | 
27 | docker-build:
28 | 	@docker build ./docker/alertmanager/ -t ewilde/alertmanager:${alertmanager_version}
29 | 	@docker build ./docker/prometheus/ -t ewilde/prometheus:${prometheus_version}
30 | 	@docker build --build-arg NATS_VERSION=${nats_streaming_version} ./docker/nats-streaming/ -t ewilde/nats-streaming:${nats_streaming_version}
31 | uninstall: destroy
32 | 
33 | .PHONY: install uninstall keys init apply destroy
34 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ## Overview
  2 | <img align="right" title="diagram of the openfaas on fargate architecture" width="400" src="docs/architecture.png" alt="Openfaas for fargate overview" />
  3 | 
  4 | * [Installing](#installing)
  5 | * [Uninstalling](#uninstalling)
  6 | 
  7 | ## <a name="installing"></a>Installing
  8 | 1. **Install terraform**
  9 | 
 10 | **_Mac_**: `brew install terraform`
 11 | 
 12 | **_Linux_**: 
 13 | ```
 14 | wget https://releases.hashicorp.com/terraform/0.11.7/terraform_0.11.7_linux_amd64.zip
 15 | unzip terraform_0.11.7_linux_amd64.zip
 16 | sudo mv terraform /usr/local/bin
 17 | terraform --version
 18 | ```
 19 | 
 20 | 2. **Create terraform.tfvars**
 21 | 
 22 | You will need to create a new file in the root of this repo called `terraform.tfvars`
 23 | which configures variables used to install `faas-ecs`  
 24 | 
 25 | | Name                | Description                                                                                                                      |
 26 | |---------------------|----------------------------------------------------------------------------------------------------------------------------------|
 27 | | acme_enabled        | (Recommend)`1` to use the official [acme]() terraform provider to create TLS certificates. Defaults to `0`                       |
 28 | | acme_email_address  | (Recommend) Email address used to register TLS account, used in conjunction with `acme_enabled`                                  |
 29 | | aws_region          | (Required) The aws region to create the openfaas ecs cluster in                                                                  |
 30 | | alb_logs_bucket     | (Required) S3 bucket to store alb logs                                                                                           |
 31 | | debug               | (Optional) `1` to create an ec2 bastion in the external subnet and a test instance in the internal subnet. Defaults to `0`       |
 32 | | developer_ip        | your ip address, used to whitelist incoming ssh to the bastion, debug is enabled                                                 |
 33 | | route53_zone_name   | (Recommended) a route 53 zone to create DNS records for the OpenFaaS gateway, i.e. openfaas.example.com, requires `acme_enabled` |
 34 | | self_signed_enabled | (Not recommended) Use a self-signed TLS certificate for the OpenFaaS gateway if not using `acme_enabled`. Defaults to `0`        |
 35 | 
 36 | 
 37 | 
 38 | **_Example file_**
 39 | ```
 40 | cat > ./terraform.tfvars <<EOF
 41 | acme_enabled           = "1"
 42 | acme_email_address     = "ewilde@gmail.com"
 43 | alb_logs_bucket        = "ewilde-logs"
 44 | aws_region             = "eu-west-1"
 45 | debug                  = "1"
 46 | developer_ip           = "31.53.195.58"
 47 | route53_zone_name      = "openfaas.edwardwilde.com"
 48 | self_signed_enabled    = "0"
 49 | EOF
 50 | ```
 51 | 3. **Create a public key for ssh**
 52 | 
 53 | > Ssh access is only required if `debug = "1"`, however the ssh key is still required for the 
 54 | install to work even if debug disabled. To create the key run:
 55 | 
 56 | `make keys`
 57 | 
 58 | 4. Create bucket for alb logs
 59 | If you don't already have a bucket, please create the bucket you listed in your `terraform.tfvars` in the variable
 60 | `alb_logs_bucket`
 61 | 
 62 | i.e. `aws s3api create-bucket --bucket ewilde-logs --region eu-west-1 --create-bucket-configuration LocationConstraint=eu-west-1`
 63 | 
 64 | 4. **Run terraform**
 65 | 
 66 | `make`
 67 | 
 68 | ### Known issue
 69 | If you get the following error:
 70 | ```
 71 | Error: Error applying plan:
 72 | 
 73 | 2 error(s) occurred:
 74 | 
 75 | * module.ecs_provider.aws_ecs_service.main: 1 error(s) occurred:
 76 | 
 77 | * aws_ecs_service.main: InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists.
 78 | 	status code: 400, request id: d967b493-82f9-11e8-9d63-f5180ba0fbef "ecs-provider"
 79 | * module.nats.aws_ecs_service.main: 1 error(s) occurred:
 80 | 
 81 | * aws_ecs_service.main: InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists.
 82 | 	status code: 400, request id: dab962b7-82f9-11e8-8cc5-29d47e720a04 "nats"
 83 | 
 84 | Terraform does not automatically rollback in the face of errors.
 85 | Instead, your Terraform state file has been partially updated with
 86 | any resources that successfully completed. Please address the error
 87 | above and apply again to incrementally change your infrastructure.
 88 | 
 89 | ```
 90 | 
 91 | Please just re-run `make`, this is an eventual consistency problem see #4
 92 | 
 93 | ## <a name="uninstalling"></a>Uninstalling
 94 | 
 95 | 1. Run `make uninstall`
 96 | 2. Patiently wait about `5-10 minutes`
 97 | 
 98 | ### Known issue
 99 | ```Error applying plan:
100 | 
101 | 1 error(s) occurred:
102 | 
103 | * aws_service_discovery_private_dns_namespace.openfaas (destroy): 1 error(s) occurred:
104 | ```
105 | 
106 | To resolve this problem manually delete all the service registrations
107 | 
108 | `aws servicediscovery list-services | jq '.Services[].Id' -r | xargs -L 1 aws servicediscovery delete-service --id`
109 | 
110 | 
111 | 


--------------------------------------------------------------------------------
/alb-acme.tf:
--------------------------------------------------------------------------------
 1 | resource "tls_private_key" "private_key" {
 2 |     algorithm = "RSA"
 3 |     count = "${var.acme_enabled}"
 4 | }
 5 | 
 6 | resource "acme_registration" "reg" {
 7 |     account_key_pem = "${tls_private_key.private_key.0.private_key_pem}"
 8 |     email_address   = "${var.acme_email_address}"
 9 |     count           = "${var.acme_enabled}"
10 | }
11 | 
12 | resource "acme_certificate" "acme" {
13 |     account_key_pem           = "${acme_registration.reg.0.account_key_pem}"
14 |     common_name               = "${aws_route53_record.main.fqdn}"
15 |     count                     = "${var.acme_enabled}"
16 | 
17 |     dns_challenge {
18 |         provider = "route53"
19 |     }
20 | }
21 | 
22 | resource "aws_iam_server_certificate" "acme" {
23 |     name              = "acme-certificate-${md5(acme_certificate.acme.0.certificate_pem)}"
24 |     certificate_body  = "${acme_certificate.acme.0.certificate_pem}"
25 |     private_key       = "${acme_certificate.acme.0.private_key_pem}"
26 |     certificate_chain = "${acme_certificate.acme.0.issuer_pem}"
27 |     count             = "${var.acme_enabled}"
28 | 
29 |     lifecycle {
30 |         create_before_destroy = true
31 |     }
32 | }
33 | 
34 | data "aws_route53_zone" "main" {
35 |     name  = "${var.route53_zone_name}"
36 |     count = "${var.acme_enabled}"
37 | }
38 | 
39 | resource "aws_route53_record" "main" {
40 |     name = "gateway"
41 |     zone_id = "${data.aws_route53_zone.main.id}"
42 |     type    = "A"
43 |     count   = "${var.acme_enabled}"
44 |     alias {
45 |         name                   = "${aws_lb.openfaas.dns_name}"
46 |         zone_id                = "${aws_lb.openfaas.zone_id}"
47 |         evaluate_target_health = false
48 |     }
49 | }
50 | 
51 | 


--------------------------------------------------------------------------------
/alb.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_lb" "openfaas" {
  2 |     name               = "${var.namespace}"
  3 |     internal           = false
  4 |     security_groups    = ["${aws_security_group.alb.id}"]
  5 |     subnets            = ["${aws_subnet.external.*.id}"]
  6 |     load_balancer_type = "application"
  7 |     access_logs {
  8 |         bucket = "${var.alb_logs_bucket}"
  9 |         enabled  = true
 10 |     }
 11 | }
 12 | 
 13 | resource "tls_private_key" "main" {
 14 |     algorithm   = "RSA"
 15 | }
 16 | 
 17 | resource "tls_self_signed_cert" "main" {
 18 |     key_algorithm   = "${tls_private_key.main.algorithm}"
 19 |     private_key_pem = "${tls_private_key.main.private_key_pem}"
 20 | 
 21 |     # Certificate expires after 12 hours.
 22 |     validity_period_hours = 12
 23 | 
 24 |     # Generate a new certificate if Terraform is run within three
 25 |     # hours of the certificate's expiration time.
 26 |     early_renewal_hours = 3
 27 | 
 28 |     # Reasonable set of uses for a server SSL certificate.
 29 |     allowed_uses = [
 30 |         "key_encipherment",
 31 |         "digital_signature",
 32 |         "server_auth",
 33 |     ]
 34 | 
 35 |     dns_names = ["${aws_lb.openfaas.dns_name}"]
 36 | 
 37 |     subject {
 38 |         common_name  = "${aws_lb.openfaas.dns_name}"
 39 |         organization = "ACME Examples, Inc"
 40 |     }
 41 | }
 42 | 
 43 | resource "aws_iam_server_certificate" "self_signed" {
 44 |     name             = "example_self_signed_cert_${random_string.name.result}"
 45 |     certificate_body = "${tls_self_signed_cert.main.cert_pem}"
 46 |     private_key      = "${tls_private_key.main.private_key_pem}"
 47 | 
 48 |     lifecycle {
 49 |         create_before_destroy = true
 50 |         ignore_changes = ["name"]
 51 |     }
 52 | }
 53 | 
 54 | resource "random_string" "name" {
 55 |     length = 6
 56 |     special = false
 57 | }
 58 | 
 59 | resource "aws_lb_target_group" "gateway" {
 60 |     name        = "${var.namespace}-gateway"
 61 |     port        = 8080
 62 |     protocol    = "HTTP"
 63 |     vpc_id      = "${aws_vpc.default.id}"
 64 | 
 65 |     target_type = "ip"
 66 |     health_check {
 67 |         path    = "/healthz"
 68 |         matcher = "200"
 69 |     }
 70 | }
 71 | 
 72 | resource "aws_lb_listener" "gateway_self_signed" {
 73 |     load_balancer_arn = "${aws_lb.openfaas.arn}"
 74 |     port              = 443
 75 |     protocol          = "HTTPS"
 76 |     certificate_arn   = "${aws_iam_server_certificate.self_signed.arn}"
 77 |     count             = "${var.self_signed_enabled}"
 78 | 
 79 |     default_action {
 80 |         target_group_arn = "${aws_lb_target_group.gateway.arn}"
 81 |         type             = "forward"
 82 |     }
 83 | }
 84 | 
 85 | resource "aws_lb_listener" "gateway_acme" {
 86 |     load_balancer_arn = "${aws_lb.openfaas.arn}"
 87 |     port              = 443
 88 |     protocol          = "HTTPS"
 89 |     certificate_arn   = "${aws_iam_server_certificate.acme.arn}"
 90 |     count             = "${var.acme_enabled}"
 91 |     default_action {
 92 |         target_group_arn = "${aws_lb_target_group.gateway.arn}"
 93 |         type             = "forward"
 94 |     }
 95 | }
 96 | 
 97 | resource "aws_lb_target_group" "prometheus" {
 98 |     name        = "${var.namespace}-prometheus"
 99 |     port        = 9090
100 |     protocol    = "HTTP"
101 |     vpc_id      = "${aws_vpc.default.id}"
102 | 
103 |     target_type = "ip"
104 |     health_check {
105 |         path    = "/graph"
106 |         matcher = "200"
107 |     }
108 | }
109 | 
110 | resource "aws_lb_listener" "prometheus" {
111 |     load_balancer_arn = "${aws_lb.openfaas.arn}"
112 |     port              = 9090
113 |     protocol          = "HTTP"
114 |     default_action {
115 |         target_group_arn = "${aws_lb_target_group.prometheus.arn}"
116 |         type             = "forward"
117 |     }
118 | }
119 | 
120 | resource "aws_security_group" "alb" {
121 |     name = "${var.namespace}.alb"
122 |     description = "Alb security group rules"
123 |     vpc_id = "${aws_vpc.default.id}"
124 | 
125 |     tags {
126 |         Name = "${format("%s-alb", var.namespace)}"
127 |     }
128 | }
129 | 
130 | resource "aws_security_group_rule" "alb_ingress_gateway" {
131 |     type                     = "ingress"
132 |     from_port                = 443
133 |     to_port                  = 443
134 |     protocol                 = "tcp"
135 |     cidr_blocks              = ["${var.developer_ip}/32"]
136 |     security_group_id        = "${aws_security_group.alb.id}"
137 | }
138 | 
139 | resource "aws_security_group_rule" "alb_ingress_prometheus" {
140 |     type                     = "ingress"
141 |     from_port                = 9090
142 |     to_port                  = 9090
143 |     protocol                 = "tcp"
144 |     cidr_blocks              = ["${var.developer_ip}/32"]
145 |     security_group_id        = "${aws_security_group.alb.id}"
146 | }
147 | 
148 | resource "aws_security_group_rule" "alb_egress_gateway" {
149 |     type                     = "egress"
150 |     from_port                = 8080
151 |     to_port                  = 8080
152 |     protocol                 = "tcp"
153 |     security_group_id        = "${aws_security_group.alb.id}"
154 |     source_security_group_id = "${aws_security_group.gateway.id}"
155 | }
156 | 
157 | resource "aws_security_group_rule" "alb_egress_prometheus" {
158 |     type                     = "egress"
159 |     from_port                = 9090
160 |     to_port                  = 9090
161 |     protocol                 = "tcp"
162 |     security_group_id        = "${aws_security_group.alb.id}"
163 |     source_security_group_id = "${aws_security_group.prometheus.id}"
164 | }
165 | 
166 | 


--------------------------------------------------------------------------------
/alert-manager.tf:
--------------------------------------------------------------------------------
 1 | module "alertmanager" {
 2 |     source                        = "./service-internal"
 3 |     name                          = "alertmanager"
 4 |     ecs_cluster_name              = "${var.ecs_cluster_name}"
 5 |     aws_region                    = "${var.aws_region}"
 6 |     desired_count                 = "1"
 7 |     security_groups               = ["${aws_security_group.service.id}", "${aws_security_group.alertmanager.id}"]
 8 |     allowed_subnets               = ["${aws_subnet.internal.*.id}"]
 9 |     namespace                     = "${var.namespace}"
10 |     namespace_id                  = "${aws_service_discovery_private_dns_namespace.openfaas.id}"
11 |     task_image                    = "ewilde/alertmanager"
12 |     task_image_version            = "v0.15.1"
13 |     task_role_arn                 = "${aws_iam_role.alertmanager_role.arn}"
14 |     task_ports                    = "[{\"containerPort\":9093,\"hostPort\":9093}]"
15 |     task_command                  = <<CMD
16 | [
17 |     "--config.file=/alertmanager.yml",
18 |     "--storage.path=/alertmanager'"
19 | ]
20 | CMD
21 | }
22 | 
23 | resource "aws_security_group" "alertmanager" {
24 |     name = "${var.namespace}.alertmanager"
25 |     description = "alertmanager security group."
26 |     vpc_id = "${aws_vpc.default.id}"
27 | 
28 |     tags {
29 |         Name = "${format("%s-alertmanager", var.namespace)}"
30 |     }
31 | }
32 | 
33 | resource "aws_security_group_rule" "alertmanager_ingress_alertmanager" {
34 |     type                     = "ingress"
35 |     security_group_id        = "${aws_security_group.alertmanager.id}"
36 |     source_security_group_id = "${aws_security_group.prometheus.id}"
37 |     from_port                = 9093
38 |     to_port                  = 9093
39 |     protocol                 = "tcp"
40 | }
41 | 
42 | resource "aws_security_group_rule" "alertmanager_egress_gateway" {
43 |     type                     = "egress"
44 |     security_group_id        = "${aws_security_group.alertmanager.id}"
45 |     source_security_group_id = "${aws_security_group.gateway.id}"
46 |     from_port                = 8080
47 |     to_port                  = 8080
48 |     protocol                 = "tcp"
49 | }
50 | 
51 | resource "aws_iam_role" "alertmanager_role" {
52 |     name = "${var.namespace}-alertmanager-provider-role"
53 |     assume_role_policy = "${file("${path.module}/data/iam/ecs-task-assumerole.json")}"
54 | }
55 | 
56 | resource "aws_iam_role_policy" "alertmanager_role_policy" {
57 |     name = "${var.namespace}-alertmanager-role-policy"
58 |     role = "${aws_iam_role.alertmanager_role.id}"
59 | 
60 |     policy = <<EOF
61 | {
62 |   "Version": "2012-10-17",
63 |   "Statement": [
64 |     ${file("${path.module}/data/iam/log-policy.json")}
65 |   ]
66 | }
67 | EOF
68 | }
69 | 


--------------------------------------------------------------------------------
/ami/main.tf:
--------------------------------------------------------------------------------
 1 | // dynamically search for amis
 2 | // equiv: aws ec2 describe-images --owners amazon --filters "Name=name,Values=amzn-ami-*.a-amazon-ecs-optimized" "Name=root-device-type,Values=ebs" --region us-east-1
 3 | data "aws_ami" "images" {
 4 |     most_recent = true
 5 |     filter {
 6 |         name = "name"
 7 |         values = ["${lookup(var.images, var.name)}"]
 8 |     }
 9 |     filter {
10 |         name = "root-device-type"
11 |         values = ["ebs"]
12 |     }
13 |     owners = ["amazon"] # Official
14 | }
15 | 


--------------------------------------------------------------------------------
/ami/output.tf:
--------------------------------------------------------------------------------
1 | output "ami_id" {
2 |     value = "${data.aws_ami.images.id}"
3 | }
4 | 


--------------------------------------------------------------------------------
/ami/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |     default = "amazon_linux"
 3 |     description = "Which version of linux to use: amazon_linux or amazon_ecs."
 4 | }
 5 | 
 6 | variable "images" {
 7 |     type = "map"
 8 | 
 9 |     default = {
10 |         amazon_linux = "amzn-ami-hvm-????.??.?.????????-x86_64-gp2"
11 |         amazon_ecs = "amzn-ami-*.e-amazon-ecs-optimized"
12 |         win_2012 = "Windows_Server-2012-R2_RTM-English-64Bit-Base-*"
13 |         win_2016 = "Windows_Server-2016-English-Full-Base-*"
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/data/iam/ecs-task-assumerole.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": "2008-10-17",
 3 |   "Statement": [
 4 |     {
 5 |       "Action": "sts:AssumeRole",
 6 |       "Principal": {
 7 |         "Service": [
 8 |           "ecs.amazonaws.com",
 9 |           "ecs-tasks.amazonaws.com"
10 |         ]
11 |       },
12 |       "Effect": "Allow"
13 |     }
14 |   ]
15 | }


--------------------------------------------------------------------------------
/data/iam/log-policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Effect": "Allow",
 3 |     "Action": [
 4 |         "logs:CreateLogGroup",
 5 |         "logs:CreateLogStream",
 6 |         "logs:PutLogEvents",
 7 |         "logs:DescribeLogStreams"
 8 |     ],
 9 |     "Resource": "arn:aws:logs:*:*:*"
10 | }
11 | 


--------------------------------------------------------------------------------
/debug.tf:
--------------------------------------------------------------------------------
  1 | module "bastion_ami" {
  2 |     source = "./ami"
  3 |     name   = "amazon_ecs"
  4 | }
  5 | 
  6 | resource "aws_instance" "bastion" {
  7 |     count                       = "${var.debug}"
  8 |     ami                         = "${module.bastion_ami.ami_id}"
  9 |     source_dest_check           = false
 10 |     instance_type               = "t2.micro"
 11 |     subnet_id                   = "${element("${aws_subnet.external.*.id}", 0)}"
 12 |     key_name                    = "${var.bastion_keypair_name}"
 13 |     vpc_security_group_ids      = ["${aws_security_group.bastion.id}"]
 14 |     monitoring                  = true
 15 |     associate_public_ip_address = true
 16 |     tags {
 17 |         Name        = "${var.namespace}-bastion"
 18 |     }
 19 | 
 20 |     depends_on = ["aws_key_pair.bastion_ssh", "aws_internet_gateway.default"]
 21 | }
 22 | 
 23 | resource "aws_instance" "service" {
 24 |     count                       = "${var.debug}"
 25 |     ami                         = "${module.bastion_ami.ami_id}"
 26 |     source_dest_check           = false
 27 |     instance_type               = "t2.micro"
 28 |     subnet_id                   = "${element("${aws_subnet.internal.*.id}", 0)}"
 29 |     key_name                    = "${var.bastion_keypair_name}"
 30 |     vpc_security_group_ids      = ["${aws_security_group.service.id}"]
 31 |     monitoring                  = true
 32 |     associate_public_ip_address = false
 33 |     tags {
 34 |         Name        = "${var.namespace}-service"
 35 |     }
 36 | 
 37 |     depends_on = ["aws_key_pair.bastion_ssh", "aws_nat_gateway.default"]
 38 | }
 39 | 
 40 | resource "aws_security_group" "bastion" {
 41 |     count       = "${var.debug}"
 42 |     name        = "${var.namespace}.bastion"
 43 |     description = "Allow inbound ssh traffic"
 44 |     vpc_id      = "${aws_vpc.default.id}"
 45 | 
 46 |     tags {
 47 |         Name = "${format("%s-bastion", var.namespace)}"
 48 |     }
 49 | }
 50 | 
 51 | resource "aws_security_group_rule" "bastion_ingress_ssh" {
 52 |     count                    = "${var.debug}"
 53 |     type                     = "ingress"
 54 |     security_group_id        = "${aws_security_group.bastion.id}"
 55 |     from_port                = 22
 56 |     to_port                  = 22
 57 |     protocol                 = "tcp"
 58 |     cidr_blocks              = ["${var.developer_ip}/32"]
 59 | }
 60 | 
 61 | resource "aws_security_group_rule" "bastion_egress_ssh" {
 62 |     count                    = "${var.debug}"
 63 |     type                     = "egress"
 64 |     security_group_id        = "${aws_security_group.bastion.id}"
 65 |     source_security_group_id = "${aws_security_group.service.id}"
 66 |     from_port                = 22
 67 |     to_port                  = 22
 68 |     protocol                 = "tcp"
 69 | }
 70 | 
 71 | resource "aws_security_group_rule" "bastion_egress_http" {
 72 |     count                    = "${var.debug}"
 73 |     type                     = "egress"
 74 |     security_group_id        = "${aws_security_group.bastion.id}"
 75 |     cidr_blocks              = ["0.0.0.0/0"]
 76 |     from_port                = 80
 77 |     to_port                  = 80
 78 |     protocol                 = "tcp"
 79 | }
 80 | 
 81 | resource "aws_security_group_rule" "bastion_egress_https" {
 82 |     count                    = "${var.debug}"
 83 |     type                     = "egress"
 84 |     security_group_id        = "${aws_security_group.bastion.id}"
 85 |     cidr_blocks              = ["0.0.0.0/0"]
 86 |     from_port                = 443
 87 |     to_port                  = 443
 88 |     protocol                 = "tcp"
 89 | }
 90 | 
 91 | resource "aws_security_group_rule" "bastion_egress_nats" {
 92 |     count                    = "${var.debug}"
 93 |     type                     = "egress"
 94 |     security_group_id        = "${aws_security_group.bastion.id}"
 95 |     source_security_group_id = "${aws_security_group.nats.id}"
 96 |     from_port                = 4222
 97 |     to_port                  = 4222
 98 |     protocol                 = "tcp"
 99 | }
100 | 
101 | resource "aws_security_group_rule" "bastion_egress_gateway" {
102 |     count                    = "${var.debug}"
103 |     type                     = "egress"
104 |     security_group_id        = "${aws_security_group.bastion.id}"
105 |     source_security_group_id = "${aws_security_group.gateway.id}"
106 |     from_port                = 8080
107 |     to_port                  = 8080
108 |     protocol                 = "tcp"
109 | }
110 | 
111 | resource "aws_security_group_rule" "bastion_egress_services" {
112 |     count                    = "${var.debug}"
113 |     type                     = "egress"
114 |     security_group_id        = "${aws_security_group.bastion.id}"
115 |     source_security_group_id = "${aws_security_group.service.id}"
116 |     from_port                = 8080
117 |     to_port                  = 8080
118 |     protocol                 = "tcp"
119 | }
120 | 
121 | resource "aws_key_pair" "bastion_ssh" {
122 |     key_name = "${var.bastion_keypair_name}"
123 |     public_key = "${file("${path.module}/keys/${var.bastion_keypair_name}.pub")}"
124 | }
125 | 


--------------------------------------------------------------------------------
/dns.tf:
--------------------------------------------------------------------------------
1 | resource "aws_service_discovery_private_dns_namespace" "openfaas" {
2 |     name = "openfaas.local"
3 |     description = "example"
4 |     vpc = "${aws_vpc.default.id}"
5 | }
6 | 


--------------------------------------------------------------------------------
/docker/alertmanager/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM prom/alertmanager:v0.15.1
2 | COPY alertmanager.yml /alertmanager.yml
3 | 


--------------------------------------------------------------------------------
/docker/alertmanager/alertmanager.yml:
--------------------------------------------------------------------------------
 1 | route:
 2 |   group_by: ['alertname', 'cluster', 'service']
 3 |   group_wait: 5s
 4 |   group_interval: 10s
 5 |   repeat_interval: 30s
 6 |   receiver: scale-up
 7 |   routes:
 8 |   - match:
 9 |       service: gateway
10 |       receiver: scale-up
11 |       severity: major
12 | inhibit_rules:
13 | - source_match:
14 |     severity: 'critical'
15 |   target_match:
16 |     severity: 'warning'
17 |   equal: ['alertname', 'cluster', 'service']
18 | receivers:
19 | - name: 'scale-up'
20 |   webhook_configs:
21 |     - url: http://gateway.openfaas.local:8080/system/alert
22 |       send_resolved: true
23 | 


--------------------------------------------------------------------------------
/docker/nats-streaming/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.7 AS build-env
 2 | ARG NATS_VERSION=0
 3 | RUN apk update && apk add curl wget unzip
 4 | RUN wget -O nat.zip https://github.com/nats-io/nats-streaming-server/releases/download/v${NATS_VERSION}/nats-streaming-server-v${NATS_VERSION}-linux-amd64.zip
 5 | RUN unzip -p nat.zip nats-streaming-server-v${NATS_VERSION}-linux-amd64/nats-streaming-server > nats-streaming-server
 6 | RUN chmod +x nats-streaming-server
 7 | 
 8 | 
 9 | FROM alpine:3.7
10 | COPY --from=build-env /nats-streaming-server /
11 | 
12 | # Expose client and management ports
13 | EXPOSE 4222 8222
14 | 
15 | # Run with default memory based store
16 | ENTRYPOINT ["/nats-streaming-server"]
17 | CMD ["-m", "8222"]
18 | 


--------------------------------------------------------------------------------
/docker/prometheus/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM prom/prometheus:v2.3.1
2 | COPY alert.rules.yml /etc/prometheus/alert.rules.yml
3 | COPY prometheus.yml /etc/prometheus/prometheus.yml
4 | 


--------------------------------------------------------------------------------
/docker/prometheus/alert.rules.yml:
--------------------------------------------------------------------------------
 1 | groups:
 2 | - name: prometheus/alert.rules
 3 |   rules:
 4 |   - alert: service_down
 5 |     expr: up == 0
 6 |   - alert: APIHighInvocationRate
 7 |     expr: sum(rate(gateway_function_invocation_total{code="200"}[10s])) BY (function_name) > 5
 8 |     for: 5s
 9 |     labels:
10 |       service: gateway
11 |       severity: major
12 |       value: '{{$value}}'
13 |     annotations:
14 |       description: High invocation total on {{ $labels.instance }}
15 |       summary: High invocation total on {{ $labels.instance }}
16 | 


--------------------------------------------------------------------------------
/docker/prometheus/prometheus.yml:
--------------------------------------------------------------------------------
 1 | # my global config
 2 | global:
 3 |   scrape_interval:     15s # By default, scrape targets every 15 seconds.
 4 |   evaluation_interval: 15s # By default, scrape targets every 15 seconds.
 5 |   # scrape_timeout is set to the global default (10s).
 6 | 
 7 |   # Attach these labels to any time series or alerts when communicating with
 8 |   # external systems (federation, remote storage, Alertmanager).
 9 |   external_labels:
10 |       monitor: 'faas-monitor'
11 | 
12 | # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
13 | rule_files:
14 |     - 'alert.rules.yml'
15 | 
16 | 
17 | # A scrape configuration containing exactly one endpoint to scrape:
18 | # Here it's Prometheus itself.
19 | scrape_configs:
20 |   # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
21 |   - job_name: 'prometheus'
22 | 
23 |     # Override the global default and scrape targets from this job every 5 seconds.
24 |     scrape_interval: 5s
25 | 
26 |     # metrics_path defaults to '/metrics'
27 |     # scheme defaults to 'http'.
28 |     static_configs:
29 |       - targets: ['localhost:9090']
30 | 
31 |   - job_name: "gateway"
32 |     scrape_interval: 5s
33 |     dns_sd_configs:
34 |       - names: ['gateway.openfaas.local']
35 |         port: 8080
36 |         type: A
37 |         refresh_interval: 5s
38 | 
39 | alerting:
40 |   alertmanagers:
41 |   - static_configs:
42 |     - targets:
43 |       - alertmanager.openfaas.local:9093
44 | 


--------------------------------------------------------------------------------
/docs/architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ewilde/terraform-aws-openfaas-fargate/6268d896f3cdb20ef07015812814b2f3e023a38b/docs/architecture.png


--------------------------------------------------------------------------------
/docs/architecture.xml:
--------------------------------------------------------------------------------
1 | <mxfile userAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" version="8.8.1" editor="www.draw.io" type="device"><diagram id="276d3537-4b5f-a6b6-7909-cdfd8e9387d3" name="Page-1">7VzLkps4FP0aL9sF4uml7Y4ni2Sqq7LIzGxcMsi2JjKisPzK148E4inodgKGTobuqm64vKR7jq6ujgQTY3m4/hHBcP+Z+ohMgOZfJ8bzBACgA5v/E5ZbYtEdZ5ZYdhH2E5uWG77g70iemFpP2EdHaUtMjFLCcFg2ejQIkMdKNhhF9FI+bUuJXzKEcIcUwxcPEtX6FftsL626PcsPfER4t5ePdoGTHNhA79suoqdAPm8CjG38kxw+wPResqLHPfTppWAyPkyMZUQpS7YO1yUiwrllt60ajmbljlDA7rnASC44Q3KSVachCrYQHmO3ReIvjHaQIVledkt9dNljhr6E0BP7F06EibHYswPhezrfJHCDyCJzx5ISfjfjOaABP3+xpQGTsOuO3F/BAyaCMR8ROSOGPcgPnFEktsic4F3AjzEqnhPfEvnyUbIO/Ex0bfSDnnmX0xbRA2LRjZ+SXqCB5BLJ2Cd7ZiaGS47/zJIn7QvQ244leSc5t8tunvudb0jX18NgKjDM/zEUj3OyhGITXfmzFz49beIjwgVvgFF0ty33U0Q4RbX4h9uh9LLH3YaiFMUXesQM09KBFJdPlRMSfKqobShj9HAXK2pYALQ/kfDLwofHfYa62HmBjBcniC1A64gLjmlWuKDpCheAq6lcMGdOey5YNVwAIxeG4YJpKFwA93LBbc8Fu4YL+siFYbigg0G54ChcCDnQ2BNcOG0CxBRe5L2k9jYV7vDhkUX0Gyrww7MBdGIeYUIqmDVC3QUSlltGwnLU3to1a5DQba09Eq6CBBbsDyAZsQBPhnknFlkS3AYLQw2HyOe5vNylEdvTHeXQfMitizIYBcfzOke3v4R9aqW7f8vT/kWM3WSwhCdGuSm/+ycq4lsWU2tT2UKwdV+JtXcHM1HP10HjbqGnyKsMrhhP6FF6WgO4ESKQ4XP5/q1wUlOYH8FJr+B0xSyBybHk7t9VCPUSgDGevyeEoCcIzXZNrQnCAn6FVlfTCO+MjF2CzH2roDzTxW9cMH8utIY8znLLCgv/xbVSQvRCE7+dgm9qPYGfPrzQ6QlV4AJvCikelXMWOzZ+og+Ru/Xq/Gx7LtpsW2eVHXSOsnEWEpU0eSjKCobaN1pddI1mp11jFnJBMeRq5QYLlBb768fcVIAsxty+mp35mG6z65j7Vii8lwTNIbN1tO4O/N5irqFKgB2Ar5fAd8ro/445E1AhTHTvPtpvuxhchXBspXdD3FsrNZ3HjGwaBzY1Y9N45wVFmJde5ErPd7ao/xcj7L5yZaDkysg7PoURPWOfwzMmzPcnzNncWA8Js67OhipY0RMjOODOSyeeSy1N7DQp4JnoVj+lqaBXYEAq8B+uOzHhPoWXozE944idIFmHET7zkdjaI/Tkq6ivLNfiIwFjwS/1McqpI0H9UXkRHsOk4lt8FXXuBHXNKqPuaDMFddOc6o4KvNEF8Or8awAZNzQNcd8RC0Jvzcu6Tktaj7/djH+5J/phsfnVqN1OWHYqocC0wNRSaGHUKMudcEKdhx05MTQnzHT6ZiBOqPOxIyeG5oQzcJxomg1EvwYx0sK+wYxXMohOmVHRyNsxQ69O2LtqMvkoXhh9DQv5dnXk19c0Zt3ALRuOTH5u4CYTv0HU1vThhbYMyeYdN14YhoTfRtx9TSj01xtIYODVjf56bcVdxndQXY5n9diK0+KOjHhHjLCs2YCMUMWdkRFDM8K1B2SEaXXa048af21ikL6qMIjGX/OexPYUeKJNPUEF/Z703OVytZrN6rBywcawxa0H13NNpzJgN3RV2XuUnlvzWoWZxe8CXixZOF0MpCWPpu5SF1YqEFVj9gH7ftze6zhRXmtxR+NuO8faRTamO9OKWAvcGrG2br1nF5CqqpyrubzINhEQbiK+tWNZVUeQuwJZr3kf6mEgqzIbB1kbIe1yYi17J6EPQNV3F0Y428FpV+C0+gzCquQ5wtluROs4A8Kpql4jnO2Go64xHJzpkHbsPbsDVBnG9JnzGraCXQt9oTf9/2ELOg2ZmpamCGb1+N2tBMSXzqNIzNVlJ4QUB+xYuPOLMBTCtl1p57bUqlcNFxjpa1A/fYElla6cO0mhcyZltb+PXOqAil+CgzOPBArtUn3xdCBzj9Fi029UMRskiPzDGE1CZ4GztWJqmeGKBpLxsKKaZE/taIKrXb9vVl6e5JFaiSt1umUXr7GaakcRryG7QObtuZ3Q3bGRAvgQf0KliFI9jF0QJH7YPF14Fmtj1VVosjzPe8bEN2Lmwgtg5fkBmGKPBlvMuRJNPf5EsPIhg4Lk3M4ryDkAvwsd73J8OjIUeJgIq84xBqtnFBJ6O3A41+vPMODPiLc9Gt7WS+Gsr8JZTzpwp2Gwe5uVtW/pFrW8jtTVbl/ptdM418d6CnXGLYBMJeK4aLZ5bN+nyGqqYg13A0OWIfBC0RlzhIDm46NHeS3f81KYuNxrXvCWi6NenwJr1bofsvo2hTDrhFT2AHOafmKh8+kzVU0YVfrOl9E/brzCd/PvlSUZaP5VOOPDfw==</diagram></mxfile>


--------------------------------------------------------------------------------
/ecs.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_cluster" "openfaas" {
 2 |     name = "${var.ecs_cluster_name}"
 3 | }
 4 | 
 5 | resource "aws_iam_role" "ecs_role" {
 6 |     assume_role_policy = "${file("${path.module}/data/iam/ecs-task-assumerole.json")}"
 7 | }
 8 | 
 9 | resource "aws_iam_role_policy" "ecs_role_policy" {
10 |     name   = "openfaas-task-role"
11 |     role = "${aws_iam_role.ecs_role.id}"
12 |     policy = <<EOF
13 | {
14 |   "Version": "2012-10-17",
15 |   "Statement": [
16 |     ${file("${path.module}/data/iam/log-policy.json")}
17 |   ]
18 | }
19 | EOF
20 | }
21 | 
22 | 


--------------------------------------------------------------------------------
/gateway.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | resource "aws_ecs_service" "gateway" {
  3 |     name             = "gateway"
  4 |     cluster          = "${aws_ecs_cluster.openfaas.name}"
  5 |     task_definition  = "${aws_ecs_task_definition.gateway.arn}"
  6 |     launch_type      = "FARGATE"
  7 |     desired_count    = 1
  8 | 
  9 |     network_configuration {
 10 |         subnets          = ["${aws_subnet.external.*.id}"]
 11 |         security_groups  = ["${aws_security_group.gateway.id}"]
 12 |         assign_public_ip = true
 13 |     }
 14 | 
 15 |     load_balancer {
 16 |         target_group_arn = "${aws_lb_target_group.gateway.arn}"
 17 |         container_name = "gateway"
 18 |         container_port = 8080
 19 |     }
 20 | 
 21 |     service_registries {
 22 |         registry_arn = "${aws_service_discovery_service.gateway.arn}"
 23 |     }
 24 | 
 25 |     lifecycle {
 26 |         ignore_changes = ["desired_count"]
 27 |     }
 28 | 
 29 |     depends_on = [
 30 |         "aws_lb_listener.gateway_self_signed",
 31 |         "aws_lb_listener.gateway_acme"
 32 |     ]
 33 | }
 34 | 
 35 | resource "aws_ecs_task_definition" "gateway" {
 36 |     family                   = "gateway"
 37 |     requires_compatibilities = ["FARGATE"]
 38 |     network_mode             = "awsvpc"
 39 |     task_role_arn            = "${aws_iam_role.gateway_role.arn}"
 40 |     execution_role_arn       = "${aws_iam_role.gateway_role.arn}"
 41 |     cpu                      = "256"
 42 |     memory                   = "512"
 43 |     container_definitions    = <<DEFINITION
 44 | [
 45 |   {
 46 |       "name": "gateway",
 47 |       "cpu": 128,
 48 |       "environment": [
 49 |         {
 50 |           "name": "functions_provider_url",
 51 |           "value": "http://localhost:8081/"
 52 |         },
 53 |         {
 54 |           "name": "faas_nats_address",
 55 |           "value": "${module.nats.service_discovery_name}.${aws_service_discovery_private_dns_namespace.openfaas.name}"
 56 |         },
 57 |         {
 58 |           "name": "faas_prometheus_host",
 59 |           "value": "${module.prometheus.service_discovery_name}.${aws_service_discovery_private_dns_namespace.openfaas.name}"
 60 |         },
 61 |         {
 62 |           "name": "faas_nats_port",
 63 |           "value": "4222"
 64 |         },
 65 |         {
 66 |           "name": "read_timeout",
 67 |           "value": "45s"
 68 |         },
 69 |         {
 70 |           "name": "write_timeout",
 71 |           "value": "45s"
 72 |         },
 73 |         {
 74 |           "name": "upstream_timeout",
 75 |           "value": "60s"
 76 |         },
 77 |         {
 78 |           "name": "basic_auth",
 79 |           "value": "true"
 80 |         }
 81 |       ],
 82 |       "volumesFrom": [
 83 |         {
 84 |           "sourceContainer": "gateway-kms"
 85 |         }
 86 |       ],
 87 |       "essential": true,
 88 |       "image": "openfaas/gateway:0.9.6",
 89 |       "memory": 64,
 90 |       "portMappings": [
 91 |         {
 92 |           "containerPort": 8080,
 93 |           "hostPort": 8080
 94 |         }
 95 |       ],
 96 |       "logConfiguration": {
 97 |         "logDriver": "awslogs",
 98 |         "options": {
 99 |           "awslogs-group": "${aws_cloudwatch_log_group.gateway_log.name}",
100 |           "awslogs-region": "${var.aws_region}",
101 |           "awslogs-stream-prefix": "gateway-"
102 |         }
103 |       },
104 |       "healthCheck": {
105 |         "retries": 1,
106 |         "command": ["CMD-SHELL", "cat /run/secrets/basic-auth-password || exit 1" ],
107 |         "timeout": 3,
108 |         "interval": 5,
109 |         "startPeriod": 5
110 |       }
111 |   },
112 |    {
113 |       "name": "fargate-provider",
114 |       "cpu": 64,
115 |       "memory": 64,
116 |       "image": "ewilde/faas-fargate:v0.1.0",
117 |       "environment": [
118 |           {
119 |              "name"  : "port",
120 |              "value" : "8081"
121 |           },
122 |           {
123 |              "name"  : "subnet_ids",
124 |              "value" : "${join(",", aws_subnet.internal.*.id)}"
125 |           },
126 |           {
127 |              "name"  : "security_group_id",
128 |              "value" : "${aws_security_group.service.id}"
129 |           },
130 |           {
131 |              "name"  : "AWS_DEFAULT_REGION",
132 |              "value" : "${var.aws_region}"
133 |           }
134 | 
135 |         ],
136 |       "essential": true,
137 |       "logConfiguration": {
138 |         "logDriver": "awslogs",
139 |         "options": {
140 |           "awslogs-group": "${aws_cloudwatch_log_group.gateway_log_fargate_provider.name}",
141 |           "awslogs-region": "${var.aws_region}",
142 |           "awslogs-stream-prefix": "provider-"
143 |         }
144 |       },
145 |       "healthCheck": {
146 |         "retries": 1,
147 |         "command": ["CMD-SHELL","ls"],
148 |         "timeout": 3,
149 |         "interval": 5,
150 |         "startPeriod": 5
151 |       }
152 |   },
153 |   {
154 |       "name": "gateway-kms",
155 |       "cpu": 64,
156 |       "memory": 32,
157 |       "environment": [
158 |         {
159 |           "name": "SECRETS",
160 |           "value": "basic-auth-user,basic-auth-password"
161 |         }
162 |       ],
163 |       "essential": true,
164 |       "image": "ewilde/kms-template:latest",
165 |       "logConfiguration": {
166 |         "logDriver": "awslogs",
167 |         "options": {
168 |           "awslogs-group": "${aws_cloudwatch_log_group.gateway_log_kms.name}",
169 |           "awslogs-region": "${var.aws_region}",
170 |           "awslogs-stream-prefix": "kms-template-"
171 |         }
172 |       },
173 |       "healthCheck": {
174 |         "retries": 1,
175 |         "command": ["CMD-SHELL", "cat /run/secrets/basic-auth-password || exit 1" ],
176 |         "timeout": 3,
177 |         "interval": 5,
178 |         "startPeriod": 5
179 |       }
180 |   }
181 | ]
182 | DEFINITION
183 |     depends_on = [
184 |         "aws_secretsmanager_secret_version.basic_auth_password",
185 |         "aws_secretsmanager_secret_version.basic_auth_user"
186 |     ]
187 | }
188 | 
189 | resource "aws_cloudwatch_log_group" "gateway_log" {
190 |     name = "${var.namespace}-gateway"
191 | }
192 | 
193 | resource "aws_cloudwatch_log_group" "gateway_log_fargate_provider" {
194 |     name = "${var.namespace}-gateway-fargate-provider"
195 | }
196 | 
197 | resource "aws_cloudwatch_log_group" "gateway_log_kms" {
198 |     name = "${var.namespace}-gateway-kms"
199 | }
200 | 
201 | resource "aws_security_group" "gateway" {
202 |     name = "${var.namespace}.gateway"
203 |     description = "gateway security group. allows traffic from alb and to internal subnet"
204 |     vpc_id = "${aws_vpc.default.id}"
205 | 
206 |     tags {
207 |         Name = "${format("%s-gateway", var.namespace)}"
208 |     }
209 | }
210 | 
211 | resource "aws_service_discovery_service" "gateway" {
212 |     name = "gateway"
213 |     dns_config {
214 |         namespace_id = "${aws_service_discovery_private_dns_namespace.openfaas.id}"
215 |         dns_records {
216 |             ttl = 10
217 |             type = "A"
218 |         }
219 |         routing_policy = "MULTIVALUE"
220 |     }
221 | 
222 |     health_check_custom_config {
223 |         failure_threshold = 1
224 |     }
225 | }
226 | 
227 | resource "aws_security_group_rule" "gateway_ingress_alb" {
228 |     type                     = "ingress"
229 |     security_group_id        = "${aws_security_group.gateway.id}"
230 |     source_security_group_id = "${aws_security_group.alb.id}"
231 |     from_port                = 8080
232 |     to_port                  = 8080
233 |     protocol                 = "tcp"
234 | }
235 | 
236 | resource "aws_security_group_rule" "gateway_ingress_prometheus" {
237 |     type                     = "ingress"
238 |     security_group_id        = "${aws_security_group.gateway.id}"
239 |     source_security_group_id = "${aws_security_group.prometheus.id}"
240 |     from_port                = 8080
241 |     to_port                  = 8080
242 |     protocol                 = "tcp"
243 | }
244 | 
245 | resource "aws_security_group_rule" "gateway_ingress_nats_queue_worker" {
246 |     type                     = "ingress"
247 |     security_group_id        = "${aws_security_group.gateway.id}"
248 |     source_security_group_id = "${aws_security_group.nats_queue_worker.id}"
249 |     from_port                = 8080
250 |     to_port                  = 8080
251 |     protocol                 = "tcp"
252 | }
253 | 
254 | resource "aws_security_group_rule" "gateway_ingress_alertmanager" {
255 |     type                     = "ingress"
256 |     security_group_id        = "${aws_security_group.gateway.id}"
257 |     source_security_group_id = "${aws_security_group.alertmanager.id}"
258 |     from_port                = 8080
259 |     to_port                  = 8080
260 |     protocol                 = "tcp"
261 | }
262 | 
263 | resource "aws_security_group_rule" "gateway_ingress_bastion" {
264 |     type                     = "ingress"
265 |     security_group_id        = "${aws_security_group.gateway.id}"
266 |     source_security_group_id = "${aws_security_group.bastion.id}"
267 |     from_port                = 8080
268 |     to_port                  = 8080
269 |     protocol                 = "tcp"
270 |     count                    = "${var.debug}"
271 | }
272 | 
273 | resource "aws_security_group_rule" "gateway_egress_nats" {
274 |     type                     = "egress"
275 |     security_group_id        = "${aws_security_group.gateway.id}"
276 |     source_security_group_id = "${aws_security_group.nats.id}"
277 |     from_port                = 4222
278 |     to_port                  = 4222
279 |     protocol                 = "all"
280 | }
281 | 
282 | resource "aws_security_group_rule" "gateway_egress_nats_management" {
283 |     type                     = "egress"
284 |     security_group_id        = "${aws_security_group.gateway.id}"
285 |     source_security_group_id = "${aws_security_group.nats.id}"
286 |     from_port                = 8222
287 |     to_port                  = 8222
288 |     protocol                 = "tcp"
289 | }
290 | 
291 | resource "aws_security_group_rule" "gateway_egress_functions" {
292 |     type                     = "egress"
293 |     security_group_id        = "${aws_security_group.gateway.id}"
294 |     source_security_group_id = "${aws_security_group.service.id}"
295 |     from_port                = 8080
296 |     to_port                  = 8080
297 |     protocol                 = "tcp"
298 | }
299 | 
300 | resource "aws_security_group_rule" "gateway_egress_prometheus" {
301 |     type                     = "egress"
302 |     security_group_id        = "${aws_security_group.gateway.id}"
303 |     source_security_group_id = "${aws_security_group.prometheus.id}"
304 |     from_port                = 9090
305 |     to_port                  = 9090
306 |     protocol                 = "tcp"
307 | }
308 | 
309 | resource "aws_security_group_rule" "gateway_egress_http" {
310 |     type               = "egress"
311 |     security_group_id  = "${aws_security_group.gateway.id}"
312 |     from_port          = 80
313 |     to_port            = 80
314 |     protocol           = "tcp"
315 |     cidr_blocks        = ["0.0.0.0/0"]
316 | }
317 | 
318 | resource "aws_security_group_rule" "gateway_egress_https" {
319 |     type               = "egress"
320 |     security_group_id  = "${aws_security_group.gateway.id}"
321 |     from_port          = 443
322 |     to_port            = 443
323 |     protocol           = "tcp"
324 |     cidr_blocks        = ["0.0.0.0/0"]
325 | }
326 | 
327 | resource "random_string" "basic_auth_password" {
328 |     length  = 32
329 |     special = false
330 | }
331 | 
332 | resource "aws_secretsmanager_secret" "basic_auth_password" {
333 |     name                    = "basic-auth-password"
334 |     recovery_window_in_days = 0
335 | }
336 | 
337 | resource "aws_secretsmanager_secret_version" "basic_auth_password" {
338 |     secret_id     = "${aws_secretsmanager_secret.basic_auth_password.id}"
339 |     secret_string = "${random_string.basic_auth_password.result}"
340 | }
341 | 
342 | resource "aws_secretsmanager_secret" "basic_auth_user" {
343 |     name                    = "basic-auth-user"
344 |     recovery_window_in_days = 0
345 | }
346 | 
347 | resource "aws_secretsmanager_secret_version" "basic_auth_user" {
348 |     secret_id     = "${aws_secretsmanager_secret.basic_auth_user.id}"
349 |     secret_string = "admin"
350 | }
351 | 
352 | resource "aws_iam_role" "gateway_role" {
353 |     name = "${var.namespace}-gateway-role"
354 |     assume_role_policy = "${file("${path.module}/data/iam/ecs-task-assumerole.json")}"
355 | }
356 | 
357 | resource "aws_iam_role_policy" "gateway_role_policy" {
358 |     name = "${var.namespace}-gateway-role-policy"
359 |     role = "${aws_iam_role.gateway_role.id}"
360 | 
361 |     policy = <<EOF
362 | {
363 |   "Version": "2012-10-17",
364 |   "Statement": [
365 |     ${file("${path.module}/data/iam/log-policy.json")},
366 |     {
367 |         "Effect": "Allow",
368 |         "Action": [
369 |             "secretsmanager:GetSecretValue",
370 |             "secretsmanager:DescribeSecret"
371 |         ],
372 |         "Resource": [
373 |             "${aws_secretsmanager_secret.basic_auth_user.id}",
374 |             "${aws_secretsmanager_secret.basic_auth_password.id}",
375 |             "arn:aws:secretsmanager:*:*:secret:openfaas-*"
376 |         ]
377 |     },
378 |     {
379 |         "Effect": "Allow",
380 |         "Action": [
381 |             "iam:CreateRole",
382 |             "iam:GetRole",
383 |             "iam:DeleteRole",
384 |             "iam:PutRolePolicy",
385 |             "iam:DeleteRolePolicy"
386 |         ],
387 |         "Resource": [
388 |             "arn:aws:iam::*:role/openfaas-*"
389 |         ]
390 |     },
391 |     {
392 |         "Effect": "Allow",
393 |         "Action": [
394 |             "iam:PassRole"
395 |         ],
396 |         "Resource": [
397 |             "*"
398 |         ]
399 |     },
400 |     {
401 |       "Effect": "Allow",
402 |       "Action": [
403 |         "ecs:*"
404 |       ],
405 |       "Resource": [
406 |         "*"
407 |       ]
408 |     },
409 |     {
410 |       "Effect": "Allow",
411 |       "Action": [
412 |         "ec2:DescribeVpcs",
413 |         "ec2:DescribeSubnets"
414 |       ],
415 |       "Resource": [
416 |         "*"
417 |       ]
418 |     },
419 |     {
420 |       "Effect": "Allow",
421 |       "Action": [
422 |         "servicediscovery:*"
423 |       ],
424 |       "Resource": [
425 |         "*"
426 |       ]
427 |     }
428 |   ]
429 | }
430 | EOF
431 | }
432 | 


--------------------------------------------------------------------------------
/keys/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |     region = "${var.aws_region}"
 3 |     version = "~> 1.41.0"
 4 | }
 5 | 
 6 | provider "acme" {
 7 |     version = "~> 1.0"
 8 |     server_url = "https://acme-v02.api.letsencrypt.org/directory"
 9 | }
10 | 


--------------------------------------------------------------------------------
/nats.tf:
--------------------------------------------------------------------------------
  1 | module "nats" {
  2 |     source                        = "./service-internal-no-task"
  3 |     name                          = "nats"
  4 |     ecs_cluster_name              = "${aws_ecs_cluster.openfaas.name}"
  5 |     aws_region                    = "${var.aws_region}"
  6 |     desired_count                 = "1"
  7 |     security_groups               = ["${aws_security_group.nats.id}", "${aws_security_group.nats_queue_worker.id}", "${aws_security_group.service.id}"]
  8 |     allowed_subnets               = ["${aws_subnet.internal.*.id}"]
  9 |     namespace                     = "${var.namespace}"
 10 |     namespace_id                  = "${aws_service_discovery_private_dns_namespace.openfaas.id}"
 11 |     task_arn                      = "${aws_ecs_task_definition.nats.arn}"
 12 | }
 13 | 
 14 | resource "aws_ecs_task_definition" "nats" {
 15 |     family                   = "nats"
 16 |     requires_compatibilities = ["FARGATE"]
 17 |     network_mode             = "awsvpc"
 18 |     task_role_arn            = "${aws_iam_role.ecs_role.arn}"
 19 |     execution_role_arn       = "${aws_iam_role.ecs_role.arn}"
 20 |     cpu                      = "256"
 21 |     memory                   = "512"
 22 |     container_definitions    = <<DEFINITION
 23 | [
 24 |   {
 25 |     "name": "nats",
 26 |     "memory": 64,
 27 |     "cpu": 128,
 28 |     "image": "ewilde/nats-streaming:0.11.2",
 29 |     "environment": [],
 30 |     "command": [
 31 |         "--store",
 32 |         "memory",
 33 |         "--cluster_id",
 34 |         "faas-cluster"
 35 |     ],
 36 |     "essential": true,
 37 |     "portMappings": [
 38 |         {"containerPort":4222,"hostPort":4222},
 39 |         {"containerPort":8222,"hostPort":8222}
 40 |     ],
 41 |     "logConfiguration": {
 42 |         "logDriver": "awslogs",
 43 |         "options": {
 44 |           "awslogs-group": "${aws_cloudwatch_log_group.nats.name}",
 45 |           "awslogs-region": "${var.aws_region}",
 46 |           "awslogs-stream-prefix": "nats-"
 47 |         }
 48 |     },
 49 |     "healthCheck": {
 50 |         "retries": 1,
 51 |         "command": ["CMD-SHELL","ls"],
 52 |         "timeout": 3,
 53 |         "interval": 5,
 54 |         "startPeriod": 5
 55 |     }
 56 |   },
 57 |   {
 58 |     "name": "nats-queue-worker",
 59 |     "memory": 64,
 60 |     "cpu": 128,
 61 |     "image": "ewilde/queue-worker:latest",
 62 |     "environment": [
 63 |       {
 64 |         "name": "faas_nats_address",
 65 |         "value": "localhost"
 66 |       },
 67 |       {
 68 |         "name": "faas_gateway_address",
 69 |         "value": "${aws_service_discovery_service.gateway.name}.${aws_service_discovery_private_dns_namespace.openfaas.name}"
 70 |       },
 71 |       {
 72 |         "name": "faas_function_suffix",
 73 |         "value": ".${aws_service_discovery_private_dns_namespace.openfaas.name}"
 74 |       },
 75 |       {
 76 |         "name": "max_inflight",
 77 |         "value": "1"
 78 |       },
 79 |       {
 80 |         "name": "ack_wait",
 81 |         "value": "300s"
 82 |       },
 83 |       {
 84 |         "name": "basic_auth",
 85 |         "value": "false"
 86 |       }
 87 |     ],
 88 |     "essential": true,
 89 |     "logConfiguration": {
 90 |         "logDriver": "awslogs",
 91 |         "options": {
 92 |           "awslogs-group": "${aws_cloudwatch_log_group.nats_queue_worker.name}",
 93 |           "awslogs-region": "${var.aws_region}",
 94 |           "awslogs-stream-prefix": "queue-worker-"
 95 |         }
 96 |     },
 97 |     "healthCheck": {
 98 |         "retries": 1,
 99 |         "command": ["CMD-SHELL","ls"],
100 |         "timeout": 3,
101 |         "interval": 5,
102 |         "startPeriod": 5
103 |     }
104 |   }
105 | ]
106 | DEFINITION
107 | }
108 | 
109 | resource "aws_cloudwatch_log_group" "nats" {
110 |     name = "${var.namespace}-nats"
111 | }
112 | 
113 | resource "aws_cloudwatch_log_group" "nats_queue_worker" {
114 |     name = "${var.namespace}-nats-queue-worker"
115 | }
116 | 
117 | resource "aws_security_group" "nats" {
118 |     name = "${var.namespace}.nats"
119 |     description = "nats security group"
120 |     vpc_id = "${aws_vpc.default.id}"
121 | 
122 |     tags {
123 |         Name = "${format("%s-nats", var.namespace)}"
124 |     }
125 | }
126 | 
127 | resource "aws_security_group_rule" "nats_ingress_gateway" {
128 |     type                     = "ingress"
129 |     security_group_id        = "${aws_security_group.nats.id}"
130 |     source_security_group_id = "${aws_security_group.gateway.id}"
131 |     from_port                = 4222
132 |     to_port                  = 4222
133 |     protocol                 = "all"
134 | }
135 | 
136 | resource "aws_security_group_rule" "nats_management_ingress_gateway" {
137 |     type                     = "ingress"
138 |     security_group_id        = "${aws_security_group.nats.id}"
139 |     source_security_group_id = "${aws_security_group.gateway.id}"
140 |     from_port                = 8222
141 |     to_port                  = 8222
142 |     protocol                 = "tcp"
143 | }
144 | 
145 | resource "aws_security_group_rule" "nats_ingress_service" {
146 |     type                     = "ingress"
147 |     security_group_id        = "${aws_security_group.nats.id}"
148 |     source_security_group_id = "${aws_security_group.service.id}"
149 |     from_port                = 4222
150 |     to_port                  = 4222
151 |     protocol                 = "tcp"
152 | }
153 | 
154 | resource "aws_security_group_rule" "nats_ingress_bastion" {
155 |     type                     = "ingress"
156 |     security_group_id        = "${aws_security_group.nats.id}"
157 |     source_security_group_id = "${aws_security_group.bastion.id}"
158 |     from_port                = 4222
159 |     to_port                  = 4222
160 |     protocol                 = "tcp"
161 |     count                    = "${var.debug}"
162 | }
163 | 
164 | 
165 | 
166 | resource "aws_security_group" "nats_queue_worker" {
167 |     name = "${var.namespace}.nats-queue-worker"
168 |     description = "Security rules for the nats queue worker"
169 |     vpc_id = "${aws_vpc.default.id}"
170 | 
171 |     tags {
172 |         Name = "${format("%s-nats-queue-worker", var.namespace)}"
173 |     }
174 | }
175 | 
176 | resource "aws_security_group_rule" "nats_queue_worker_egress_gateway" {
177 |     type                     = "egress"
178 |     security_group_id        = "${aws_security_group.nats_queue_worker.id}"
179 |     source_security_group_id = "${aws_security_group.gateway.id}"
180 |     from_port                = 8080
181 |     to_port                  = 8080
182 |     protocol                 = "tcp"
183 | }
184 | 


--------------------------------------------------------------------------------
/network.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | resource "aws_vpc" "default" {
  3 |     cidr_block           = "${var.vpc_cidr_block}"
  4 |     enable_dns_hostnames = true
  5 | 
  6 |     tags {
  7 |         "Name" = "${var.namespace}"
  8 |     }
  9 | }
 10 | 
 11 | # Create an internet gateway to give our subnet access to the outside world
 12 | resource "aws_internet_gateway" "default" {
 13 |     vpc_id = "${aws_vpc.default.id}"
 14 | 
 15 |     tags {
 16 |         "Name" = "${var.namespace}"
 17 |     }
 18 | }
 19 | 
 20 | resource "aws_nat_gateway" "default" {
 21 |     count         = "${length(var.external_subnets)}"
 22 |     allocation_id = "${element(aws_eip.nat.*.id, count.index)}"
 23 |     subnet_id     = "${element(aws_subnet.external.*.id, count.index)}"
 24 | 
 25 |     tags {
 26 |         Name = "${var.namespace}"
 27 |     }
 28 | }
 29 | 
 30 | resource "aws_eip" "nat" {
 31 |     count         = "${length(var.external_subnets)}"
 32 |     vpc           = true
 33 | 
 34 |     tags {
 35 |         Name = "${var.namespace}"
 36 |     }
 37 | }
 38 | 
 39 | resource "aws_route_table" "internal" {
 40 |     count  = "${length(var.internal_subnets)}"
 41 |     vpc_id = "${aws_vpc.default.id}"
 42 | 
 43 |     tags {
 44 |         Name = "${var.namespace}-${format("internal-%03d", count.index+1)}"
 45 |     }
 46 | }
 47 | 
 48 | resource "aws_route_table_association" "internal" {
 49 |     count          = "${length(var.internal_subnets)}"
 50 |     subnet_id      = "${element(aws_subnet.internal.*.id, count.index)}"
 51 |     route_table_id = "${element(aws_route_table.internal.*.id, count.index)}"
 52 | }
 53 | 
 54 | resource "aws_route" "internal" {
 55 |     count                  = "${length(compact(var.internal_subnets))}"
 56 |     route_table_id         = "${element(aws_route_table.internal.*.id, count.index)}"
 57 |     destination_cidr_block = "0.0.0.0/0"
 58 |     nat_gateway_id         = "${element(aws_nat_gateway.default.*.id, count.index)}"
 59 | }
 60 | 
 61 | resource "aws_route_table" "external" {
 62 |     vpc_id = "${aws_vpc.default.id}"
 63 |     count  = "${length(var.internal_subnets)}"
 64 | 
 65 |     tags {
 66 |         Name = "${var.namespace}-${format("external-%03d", count.index+1)}"
 67 |     }
 68 | }
 69 | 
 70 | resource "aws_route" "external" {
 71 |     count                  = "${length(compact(var.external_subnets))}"
 72 |     route_table_id         = "${element(aws_route_table.external.*.id, count.index)}"
 73 |     destination_cidr_block = "0.0.0.0/0"
 74 |     gateway_id             = "${aws_internet_gateway.default.id}"
 75 | }
 76 | 
 77 | resource "aws_route_table_association" "external" {
 78 |     count          = "${length(var.external_subnets)}"
 79 |     subnet_id      = "${element(aws_subnet.external.*.id, count.index)}"
 80 |     route_table_id = "${element(aws_route_table.external.*.id, count.index)}"
 81 | }
 82 | 
 83 | # Create a subnet to launch our instances into
 84 | resource "aws_subnet" "external" {
 85 |     count                   = "${length(var.external_subnets)}"
 86 |     vpc_id                  = "${aws_vpc.default.id}"
 87 |     availability_zone       = "${var.azs[count.index]}"
 88 |     cidr_block              = "${var.external_subnets[count.index]}"
 89 |     map_public_ip_on_launch = true
 90 | 
 91 |     tags {
 92 |         "Name" = "${var.namespace}-external"
 93 |     }
 94 | }
 95 | 
 96 | resource "aws_subnet" "internal" {
 97 |     count                   = "${length(var.internal_subnets)}"
 98 |     vpc_id                  = "${aws_vpc.default.id}"
 99 |     availability_zone       = "${var.azs[count.index]}"
100 |     cidr_block              = "${var.internal_subnets[count.index]}"
101 |     map_public_ip_on_launch = false
102 | 
103 |     tags {
104 |         "Name" = "${var.namespace}-internal"
105 |     }
106 | }
107 | 


--------------------------------------------------------------------------------
/output.tf:
--------------------------------------------------------------------------------
 1 | output "bastion_ip" {
 2 |     value = "${aws_instance.bastion.*.public_ip}"
 3 | }
 4 | 
 5 | output "servicebox_ip" {
 6 |     value = "${aws_instance.service.*.private_ip}"
 7 | }
 8 | 
 9 | output "service_security_group" {
10 |     value = "${aws_security_group.service.id}"
11 | }
12 | 
13 | output "alb_uri" {
14 |     value = "${aws_lb.openfaas.dns_name}"
15 | }
16 | 
17 | output "openfass_uri" {
18 |     value = "https://gateway.${var.route53_zone_name}/ui/"
19 | }
20 | 
21 | output "login" {
22 |     value = "echo -n \"${random_string.basic_auth_password.result}\" | faas-cli login --gateway https://${aws_lb.openfaas.dns_name} --username=admin --password-stdin --tls-no-verify"
23 | }
24 | 
25 | output "login_secure" {
26 |     value = "echo -n \"${random_string.basic_auth_password.result}\" | faas-cli login --gateway https://gateway.${var.route53_zone_name} --username=admin --password-stdin"
27 | }
28 | 


--------------------------------------------------------------------------------
/prometheus.tf:
--------------------------------------------------------------------------------
 1 | module "prometheus" {
 2 |     source                        = "./service-internal-with-lb"
 3 |     name                          = "prometheus"
 4 |     ecs_cluster_name              = "${aws_ecs_cluster.openfaas.name}"
 5 |     aws_region                    = "${var.aws_region}"
 6 |     desired_count                 = "1"
 7 |     security_groups               = ["${aws_security_group.service.id}", "${aws_security_group.prometheus.id}"]
 8 |     allowed_subnets               = ["${aws_subnet.internal.*.id}"]
 9 |     namespace                     = "${var.namespace}"
10 |     namespace_id                  = "${aws_service_discovery_private_dns_namespace.openfaas.id}"
11 |     task_image                    = "ewilde/prometheus"
12 |     task_image_version            = "v2.3.1"
13 |     task_role_arn                 = "${aws_iam_role.prometheus_role.arn}"
14 |     task_ports                    = "[{\"containerPort\":9090,\"hostPort\":9090}]"
15 |     task_env_vars                 = <<EOF
16 | [
17 | ]
18 | EOF
19 |     vpc_id = "${aws_vpc.default.id}"
20 |     lb_arn = "${aws_lb.openfaas.arn}"
21 |     lb_port = "9090"
22 |     health_check_path = "/graph"
23 | }
24 | 
25 | resource "aws_security_group" "prometheus" {
26 |     name = "${var.namespace}.prometheus"
27 |     description = "prometheus security group."
28 |     vpc_id = "${aws_vpc.default.id}"
29 | 
30 |     tags {
31 |         Name = "${format("%s-prometheus", var.namespace)}"
32 |     }
33 | }
34 | 
35 | resource "aws_security_group_rule" "prometheus_ingress_alb" {
36 |     type                     = "ingress"
37 |     security_group_id        = "${aws_security_group.prometheus.id}"
38 |     source_security_group_id = "${aws_security_group.alb.id}"
39 |     from_port                = 9090
40 |     to_port                  = 9090
41 |     protocol                 = "tcp"
42 | }
43 | 
44 | resource "aws_security_group_rule" "prometheus_ingress_gateway" {
45 |     type                     = "ingress"
46 |     security_group_id        = "${aws_security_group.prometheus.id}"
47 |     source_security_group_id = "${aws_security_group.gateway.id}"
48 |     from_port                = 9090
49 |     to_port                  = 9090
50 |     protocol                 = "tcp"
51 | }
52 | 
53 | resource "aws_security_group_rule" "prometheus_egress_gateway" {
54 |     type                     = "egress"
55 |     security_group_id        = "${aws_security_group.prometheus.id}"
56 |     source_security_group_id = "${aws_security_group.gateway.id}"
57 |     from_port                = 8080
58 |     to_port                  = 8080
59 |     protocol                 = "tcp"
60 | }
61 | 
62 | resource "aws_security_group_rule" "prometheus_egress_alertmanager" {
63 |     type                     = "egress"
64 |     security_group_id        = "${aws_security_group.prometheus.id}"
65 |     source_security_group_id = "${aws_security_group.alertmanager.id}"
66 |     from_port                = 9093
67 |     to_port                  = 9093
68 |     protocol                 = "tcp"
69 | }
70 | 
71 | resource "aws_iam_role" "prometheus_role" {
72 |     name = "${var.namespace}-prometheus-provider-role"
73 |     assume_role_policy = "${file("${path.module}/data/iam/ecs-task-assumerole.json")}"
74 | }
75 | 
76 | resource "aws_iam_role_policy" "prometheus_role_policy" {
77 |     name = "${var.namespace}-prometheus-role-policy"
78 |     role = "${aws_iam_role.prometheus_role.id}"
79 | 
80 |     policy = <<EOF
81 | {
82 |   "Version": "2012-10-17",
83 |   "Statement": [
84 |     ${file("${path.module}/data/iam/log-policy.json")}
85 |   ]
86 | }
87 | EOF
88 | }
89 | 


--------------------------------------------------------------------------------
/security.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "service" {
 2 |     name = "${var.namespace}.service"
 3 |     description = "common security group for all services in the internal subnet"
 4 |     vpc_id = "${aws_vpc.default.id}"
 5 | 
 6 |     tags {
 7 |         Name = "${format("%s-service", var.namespace)}"
 8 |     }
 9 | }
10 | 
11 | resource "aws_security_group_rule" "service_ingress_bastion" {
12 |     type                     = "ingress"
13 |     security_group_id        = "${aws_security_group.service.id}"
14 |     source_security_group_id = "${aws_security_group.bastion.id}"
15 |     from_port                = 22
16 |     to_port                  = 22
17 |     protocol                 = "tcp"
18 |     count                    = "${var.debug}"
19 | }
20 | 
21 | resource "aws_security_group_rule" "service_ingress_functions_from_bastion" {
22 |     type                     = "ingress"
23 |     security_group_id        = "${aws_security_group.service.id}"
24 |     source_security_group_id = "${aws_security_group.bastion.id}"
25 |     from_port                = 8080
26 |     to_port                  = 8080
27 |     protocol                 = "tcp"
28 |     count                    = "${var.debug}"
29 | }
30 | 
31 | 
32 | resource "aws_security_group_rule" "service_ingress_functions_from_provider" {
33 |     type                     = "ingress"
34 |     security_group_id        = "${aws_security_group.service.id}"
35 |     source_security_group_id = "${aws_security_group.gateway.id}"
36 |     from_port                = 8080
37 |     to_port                  = 8080
38 |     protocol                 = "tcp"
39 | }
40 | 
41 | resource "aws_security_group_rule" "service_ingress_functions_service" {
42 |     type                     = "ingress"
43 |     security_group_id        = "${aws_security_group.service.id}"
44 |     self                     = true
45 |     from_port                = 8080
46 |     to_port                  = 8080
47 |     protocol                 = "tcp"
48 | }
49 | 
50 | resource "aws_security_group_rule" "service_egress_functions_service" {
51 |     type                     = "egress"
52 |     security_group_id        = "${aws_security_group.service.id}"
53 |     self                     = true
54 |     from_port                = 8080
55 |     to_port                  = 8080
56 |     protocol                 = "tcp"
57 | }
58 | 
59 | resource "aws_security_group_rule" "service_egress_http" {
60 |     type               = "egress"
61 |     security_group_id  = "${aws_security_group.service.id}"
62 |     from_port          = 80
63 |     to_port            = 80
64 |     protocol           = "tcp"
65 |     cidr_blocks        = ["0.0.0.0/0"]
66 | }
67 | 
68 | resource "aws_security_group_rule" "service_egress_https" {
69 |     type               = "egress"
70 |     security_group_id  = "${aws_security_group.service.id}"
71 |     from_port          = 443
72 |     to_port            = 443
73 |     protocol           = "tcp"
74 |     cidr_blocks        = ["0.0.0.0/0"]
75 | }
76 | 


--------------------------------------------------------------------------------
/service-internal-no-task/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_service" "main" {
 2 |     name             = "${var.name}"
 3 |     cluster          = "${var.ecs_cluster_name}"
 4 |     task_definition  = "${var.task_arn}"
 5 |     launch_type      = "FARGATE"
 6 |     desired_count    = "${var.desired_count}"
 7 | 
 8 |     network_configuration {
 9 |         subnets          = ["${var.allowed_subnets}"]
10 |         security_groups  = ["${var.security_groups}"]
11 |         assign_public_ip = false
12 |     }
13 | 
14 |     service_registries {
15 |         registry_arn = "${aws_service_discovery_service.main.arn}"
16 |     }
17 | 
18 |     lifecycle {
19 |         ignore_changes = ["desired_count"]
20 |     }
21 | }
22 | 
23 | resource "aws_service_discovery_service" "main" {
24 |     name = "${var.name}"
25 |     dns_config {
26 |         namespace_id = "${var.namespace_id}"
27 |         dns_records {
28 |             ttl = 10
29 |             type = "A"
30 |         }
31 |         routing_policy = "MULTIVALUE"
32 |     }
33 | 
34 |     health_check_custom_config {
35 |         failure_threshold = 1
36 |     }
37 | }
38 | 


--------------------------------------------------------------------------------
/service-internal-no-task/output.tf:
--------------------------------------------------------------------------------
1 | output "service_discovery_name" {
2 |     value = "${aws_service_discovery_service.main.name}"
3 | }
4 | 


--------------------------------------------------------------------------------
/service-internal-no-task/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" { description = "name of the service and task" }
 2 | variable "ecs_cluster_name" { description = "name of the ecs cluster"}
 3 | variable "allowed_subnets" { description = "list of subnets to attach service to" type = "list"}
 4 | variable "security_groups" { description = "list of security groups to assign to the new service" type = "list"}
 5 | variable "desired_count" { description = "service desired count"}
 6 | variable "task_arn" { }
 7 | variable "namespace" {}
 8 | variable "namespace_id" {}
 9 | variable "aws_region" {}
10 | 


--------------------------------------------------------------------------------
/service-internal-with-lb/main.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_ecs_service" "main" {
  2 |     name             = "${var.name}"
  3 |     cluster          = "${var.ecs_cluster_name}"
  4 |     task_definition  = "${aws_ecs_task_definition.main.arn}"
  5 |     launch_type      = "FARGATE"
  6 |     desired_count    = "${var.desired_count}"
  7 | 
  8 |     network_configuration {
  9 |         subnets          = ["${var.allowed_subnets}"]
 10 |         security_groups  = ["${var.security_groups}"]
 11 |         assign_public_ip = false
 12 |     }
 13 | 
 14 |     service_registries {
 15 |         registry_arn = "${aws_service_discovery_service.main.arn}"
 16 |     }
 17 | 
 18 |     load_balancer {
 19 |         target_group_arn = "${aws_lb_target_group.main.arn}"
 20 |         container_name = "${var.name}"
 21 |         container_port = "${var.lb_port}"
 22 |     }
 23 | 
 24 |     lifecycle {
 25 |         ignore_changes = ["desired_count"]
 26 |     }
 27 | 
 28 |     depends_on = ["aws_lb_listener.main"]
 29 | }
 30 | 
 31 | resource "aws_service_discovery_service" "main" {
 32 |     name = "${var.name}"
 33 |     dns_config {
 34 |         namespace_id = "${var.namespace_id}"
 35 |         dns_records {
 36 |             ttl = 10
 37 |             type = "A"
 38 |         }
 39 |         routing_policy = "MULTIVALUE"
 40 |     }
 41 | 
 42 |     health_check_custom_config {
 43 |         failure_threshold = 1
 44 |     }
 45 | }
 46 | 
 47 | resource "aws_lb_target_group" "main" {
 48 |     name        = "${var.namespace}-${var.name}"
 49 |     port        = "${var.lb_port}"
 50 |     protocol    = "HTTP"
 51 |     vpc_id      = "${var.vpc_id}"
 52 | 
 53 |     target_type = "ip"
 54 |     health_check {
 55 |         path    = "${var.health_check_path}"
 56 |         matcher = "200"
 57 |     }
 58 | }
 59 | 
 60 | resource "aws_lb_listener" "main" {
 61 |     load_balancer_arn = "${var.lb_arn}"
 62 |     port              = "${var.lb_port}"
 63 |     protocol          = "HTTP"
 64 |     default_action {
 65 |         target_group_arn = "${aws_lb_target_group.main.arn}"
 66 |         type             = "forward"
 67 |     }
 68 | }
 69 | 
 70 | resource "aws_ecs_task_definition" "main" {
 71 |     family                   = "${var.name}"
 72 |     requires_compatibilities = ["FARGATE"]
 73 |     network_mode             = "awsvpc"
 74 |     task_role_arn            = "${var.task_role_arn}"
 75 |     execution_role_arn       = "${var.task_role_arn}"
 76 |     cpu                      = "256"
 77 |     memory                   = "512"
 78 |     container_definitions    = <<DEFINITION
 79 | [
 80 |   {
 81 |     "cpu": ${var.task_cpu},
 82 |     "environment": ${var.task_env_vars},
 83 |     "command": ${var.task_command},
 84 |     "essential": true,
 85 |     "image": "${var.task_image}:${var.task_image_version}",
 86 |     "memory": ${var.task_memory},
 87 |     "name": "${var.name}",
 88 |     "portMappings": ${var.task_ports},
 89 |     "logConfiguration": {
 90 |         "logDriver": "awslogs",
 91 |         "options": {
 92 |           "awslogs-group": "${aws_cloudwatch_log_group.main.name}",
 93 |           "awslogs-region": "${var.aws_region}",
 94 |           "awslogs-stream-prefix": "${var.name}-"
 95 |         }
 96 |     },
 97 |     "healthCheck": {
 98 |         "retries": 1,
 99 |         "command": ${var.task_health_check_command},
100 |         "timeout": 3,
101 |         "interval": 5,
102 |         "startPeriod": 5
103 |     }
104 | }
105 | ]
106 | DEFINITION
107 | }
108 | 
109 | resource "aws_cloudwatch_log_group" "main" {
110 |     name = "${var.namespace}-${var.name}"
111 | }
112 | 


--------------------------------------------------------------------------------
/service-internal-with-lb/output.tf:
--------------------------------------------------------------------------------
1 | output "service_discovery_name" {
2 |     value = "${aws_service_discovery_service.main.name}"
3 | }
4 | 


--------------------------------------------------------------------------------
/service-internal-with-lb/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" { description = "name of the service and task" }
 2 | variable "ecs_cluster_name" { description = "name of the ecs cluster"}
 3 | variable "allowed_subnets" { description = "list of subnets to attach service to" type = "list"}
 4 | variable "security_groups" { description = "list of security groups to assign to the new service" type = "list"}
 5 | variable "desired_count" { description = "service desired count"}
 6 | variable "task_role_arn" {}
 7 | variable "task_cpu" { default = "256" }
 8 | variable "task_env_vars" {description = "The raw json of the task env vars" default = "[]"}
 9 | variable "task_image" {}
10 | variable "task_image_version" {}
11 | variable "task_memory" { default = "64" }
12 | variable "task_ports" { default = "[]" }
13 | variable "lb_port" {}
14 | variable "lb_arn" {}
15 | variable "health_check_path" {}
16 | variable "vpc_id" {}
17 | variable "task_health_check_command" { default = "[\"CMD-SHELL\",\"ls\"]" }
18 | variable "task_command" { default = "[]" }
19 | variable "namespace" {}
20 | variable "namespace_id" {}
21 | variable "aws_region" {}
22 | 


--------------------------------------------------------------------------------
/service-internal/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_service" "main" {
 2 |     name             = "${var.name}"
 3 |     cluster          = "${var.ecs_cluster_name}"
 4 |     task_definition  = "${aws_ecs_task_definition.main.arn}"
 5 |     launch_type      = "FARGATE"
 6 |     desired_count    = "${var.desired_count}"
 7 | 
 8 |     network_configuration {
 9 |         subnets          = ["${var.allowed_subnets}"]
10 |         security_groups  = ["${var.security_groups}"]
11 |         assign_public_ip = false
12 |     }
13 | 
14 |     service_registries {
15 |         registry_arn = "${aws_service_discovery_service.main.arn}"
16 |     }
17 | 
18 |     lifecycle {
19 |         ignore_changes = ["desired_count"]
20 |     }
21 | }
22 | 
23 | resource "aws_service_discovery_service" "main" {
24 |     name = "${var.name}"
25 |     dns_config {
26 |         namespace_id = "${var.namespace_id}"
27 |         dns_records {
28 |             ttl = 10
29 |             type = "A"
30 |         }
31 |         routing_policy = "MULTIVALUE"
32 |     }
33 | 
34 |     health_check_custom_config {
35 |         failure_threshold = 1
36 |     }
37 | }
38 | 
39 | resource "aws_ecs_task_definition" "main" {
40 |     family                   = "${var.name}"
41 |     requires_compatibilities = ["FARGATE"]
42 |     network_mode             = "awsvpc"
43 |     task_role_arn            = "${var.task_role_arn}"
44 |     execution_role_arn       = "${var.task_role_arn}"
45 |     cpu                      = "256"
46 |     memory                   = "512"
47 |     container_definitions    = <<DEFINITION
48 | [
49 |   {
50 |     "cpu": ${var.task_cpu},
51 |     "environment": ${var.task_env_vars},
52 |     "command": ${var.task_command},
53 |     "essential": true,
54 |     "image": "${var.task_image}:${var.task_image_version}",
55 |     "memory": ${var.task_memory},
56 |     "name": "${var.name}",
57 |     "portMappings": ${var.task_ports},
58 |     "logConfiguration": {
59 |         "logDriver": "awslogs",
60 |         "options": {
61 |           "awslogs-group": "${aws_cloudwatch_log_group.main.name}",
62 |           "awslogs-region": "${var.aws_region}",
63 |           "awslogs-stream-prefix": "${var.name}-"
64 |         }
65 |     },
66 |     "healthCheck": {
67 |         "retries": 1,
68 |         "command": ${var.task_health_check_command},
69 |         "timeout": 3,
70 |         "interval": 5,
71 |         "startPeriod": 5
72 |     }
73 | }
74 | ]
75 | DEFINITION
76 | }
77 | 
78 | resource "aws_cloudwatch_log_group" "main" {
79 |     name = "${var.namespace}-${var.name}"
80 | }
81 | 


--------------------------------------------------------------------------------
/service-internal/output.tf:
--------------------------------------------------------------------------------
1 | output "service_discovery_name" {
2 |     value = "${aws_service_discovery_service.main.name}"
3 | }
4 | 


--------------------------------------------------------------------------------
/service-internal/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" { description = "name of the service and task" }
 2 | variable "ecs_cluster_name" { description = "name of the ecs cluster"}
 3 | variable "allowed_subnets" { description = "list of subnets to attach service to" type = "list"}
 4 | variable "security_groups" { description = "list of security groups to assign to the new service" type = "list"}
 5 | variable "desired_count" { description = "service desired count"}
 6 | variable "task_role_arn" {}
 7 | variable "task_cpu" { default = "256" }
 8 | variable "task_env_vars" {description = "The raw json of the task env vars" default = "[]"}
 9 | variable "task_image" {}
10 | variable "task_image_version" {}
11 | variable "task_memory" { default = "64" }
12 | variable "task_ports" { default = "[]" }
13 | variable "task_health_check_command" { default = "[\"CMD-SHELL\",\"ls\"]" }
14 | variable "task_command" { default = "[]" }
15 | variable "namespace" {}
16 | variable "namespace_id" {}
17 | variable "aws_region" {}
18 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "aws_region"   {}
 2 | variable "developer_ip" { default = "" description = "Required if using debugging" }
 3 | variable "debug" { default = "0" description = "Set to 1 to create debugging bastion on external subnet and instance on internal subnet" }
 4 | variable "vpc_cidr_block" {
 5 |     default = "10.0.0.0/16"
 6 | }
 7 | 
 8 | variable "azs" {
 9 |     type    = "list"
10 |     default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
11 | }
12 | 
13 | variable "external_subnets" {
14 |     type    = "list"
15 |     default = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
16 | }
17 | 
18 | variable "internal_subnets" {
19 |     type    = "list"
20 |     default = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
21 | }
22 | 
23 | variable "namespace" {
24 |     default     = "openfaas"
25 |     description = "namespace is used to distinguish different instances of installing this module."
26 | }
27 | 
28 | variable "ecs_cluster_name" {
29 |     default = "openfaas"
30 | }
31 | 
32 | variable "bastion_keypair_name" {
33 |     default = "openfaas"
34 | }
35 | 
36 | variable "self_signed_enabled" {
37 |     default = 1
38 | }
39 | 
40 | variable "acme_enabled" {
41 |     default = 0
42 | }
43 | 
44 | variable "acme_email_address" {
45 |     default = "nobody@example.com"
46 | }
47 | 
48 | variable "route53_zone_name" {
49 |     default = "foo"
50 | }
51 | 
52 | variable "alb_logs_bucket" {}
53 | 


--------------------------------------------------------------------------------