├── .gitignore
├── variables.tf
├── main.tf
├── output.tf
├── vpc.tf
├── container-definitions
    └── container-def.json
├── iam.tf
├── experimental
    └── ecr.tf
├── alb.tf
├── ecs.tf
├── asg.tf
├── .github
    └── workflows
    │   └── ci_terraform.yaml
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform/


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "key_name" {
2 |   type        = string
3 |   description = "The name for ssh key, used for aws_launch_configuration"
4 | }
5 | 
6 | variable "cluster_name" {
7 |   type        = string
8 |   description = "The name of AWS ECS cluster"
9 | }


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region  = "us-east-1"
 3 |   version = "~> 2.63"
 4 | }
 5 | 
 6 | 
 7 | terraform {
 8 |   backend "s3" {
 9 |     bucket = "ecsworkshopbucket"
10 |     key    = "state/terraform.tfstate"
11 |     region = "us-east-1"
12 |   }
13 | }


--------------------------------------------------------------------------------
/output.tf:
--------------------------------------------------------------------------------
 1 | output "alb_dns" {
 2 |   value = aws_lb.test-lb.dns_name
 3 | }
 4 | 
 5 | output "vpc_id" {
 6 |   value = module.vpc.vpc_id
 7 | }
 8 | 
 9 | output "public_subnets" {
10 |   value = module.vpc.public_subnets
11 | }
12 | 
13 | output "igw_id" {
14 |   value = module.vpc.igw_id
15 | }


--------------------------------------------------------------------------------
/vpc.tf:
--------------------------------------------------------------------------------
 1 | module "vpc" {
 2 |   source         = "terraform-aws-modules/vpc/aws"
 3 |   version        = "2.38.0"
 4 |   name           = "test_ecs_provisioning"
 5 |   cidr           = "10.0.0.0/16"
 6 |   azs            = ["us-east-1a", "us-east-1b", "us-east-1c"]
 7 |   public_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
 8 |   tags = {
 9 |     "env"       = "dev"
10 |     "createdBy" = "mkerimova"
11 |   }
12 | 
13 | }
14 | 
15 | data "aws_vpc" "main" {
16 |   id = module.vpc.vpc_id
17 | }


--------------------------------------------------------------------------------
/container-definitions/container-def.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |       "name": "pink-slon",
 4 |       "image": "334600146392.dkr.ecr.us-east-1.amazonaws.com/workshop:latest",
 5 |       "cpu": 10,
 6 |       "memory": 256,
 7 |       "essential": true,
 8 |       "portMappings": [
 9 |         {
10 |           "containerPort": 80
11 |         }
12 |       ],
13 |       "logConfiguration": {
14 |         "logDriver": "awslogs",
15 |         "options": { 
16 |           "awslogs-group" : "/ecs/frontend-container",
17 |           "awslogs-region": "us-east-1"
18 |         }
19 |       }
20 |     }
21 | ]


--------------------------------------------------------------------------------
/iam.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "ecs-instance-role" {
 2 |   name = "ecs-instance-role-test-web"
 3 |   path = "/"
 4 | 
 5 |   assume_role_policy = <<EOF
 6 | {
 7 |   "Version": "2008-10-17",
 8 |   "Statement": [
 9 |     {
10 |       "Action": "sts:AssumeRole",
11 |       "Principal": {
12 |         "Service": ["ec2.amazonaws.com"]
13 |       },
14 |       "Effect": "Allow"
15 |     }
16 |   ]
17 | }
18 | EOF
19 | }
20 | 
21 | resource "aws_iam_role_policy_attachment" "ecs-instance-role-attachment" {
22 |   role       = aws_iam_role.ecs-instance-role.name
23 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
24 | }
25 | 
26 | resource "aws_iam_instance_profile" "ecs_service_role" {
27 |   role = aws_iam_role.ecs-instance-role.name
28 | }
29 | 


--------------------------------------------------------------------------------
/experimental/ecr.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecr_repository" "app_repo" {
 2 |   name                 = "app_repo"
 3 |   image_tag_mutability = "MUTABLE"
 4 |   image_scanning_configuration {
 5 |     scan_on_push = true
 6 |   }
 7 |   tags = {
 8 |     "env"       = "dev"
 9 |     "createdBy" = "mkerimova"
10 |   }
11 | }
12 | 
13 | resource "aws_ecr_lifecycle_policy" "repo_policy" {
14 |   repository = aws_ecr_repository.app_repo.name
15 |   policy     = <<EOF
16 | {
17 |     "rules": [
18 |         {
19 |             "rulePriority": 1,
20 |             "description": "Expire images older than 14 days",
21 |             "selection": {
22 |                 "tagStatus": "any",
23 |                 "countType": "sinceImagePushed",
24 |                 "countUnit": "days",
25 |                 "countNumber": 14
26 |             },
27 |             "action": {
28 |                 "type": "expire"
29 |             }
30 |         }
31 |     ]
32 | }
33 | EOF
34 | }
35 | 


--------------------------------------------------------------------------------
/alb.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_lb" "test-lb" {
 2 |   name               = "test-ecs-lb"
 3 |   load_balancer_type = "application"
 4 |   internal           = false
 5 |   subnets            = module.vpc.public_subnets
 6 |   tags = {
 7 |     "env"       = "dev"
 8 |     "createdBy" = "mkerimova"
 9 |   }
10 |   security_groups = [aws_security_group.lb.id]
11 | }
12 | 
13 | resource "aws_security_group" "lb" {
14 |   name   = "allow-all-lb"
15 |   vpc_id = data.aws_vpc.main.id
16 |   ingress {
17 |     from_port   = 0
18 |     to_port     = 0
19 |     protocol    = "-1"
20 |     cidr_blocks = ["0.0.0.0/0"]
21 |   }
22 |   egress {
23 |     from_port   = 0
24 |     to_port     = 0
25 |     protocol    = "-1"
26 |     cidr_blocks = ["0.0.0.0/0"]
27 |   }
28 | 
29 |   tags = {
30 |     "env"       = "dev"
31 |     "createdBy" = "mkerimova"
32 |   }
33 | }
34 | 
35 | resource "aws_lb_target_group" "lb_target_group" {
36 |   name        = "masha-target-group"
37 |   port        = "80"
38 |   protocol    = "HTTP"
39 |   target_type = "instance"
40 |   vpc_id      = data.aws_vpc.main.id
41 |   health_check {
42 |     path                = "/"
43 |     healthy_threshold   = 2
44 |     unhealthy_threshold = 10
45 |     timeout             = 60
46 |     interval            = 300
47 |     matcher             = "200,301,302"
48 |   }
49 | }
50 | 
51 | resource "aws_lb_listener" "web-listener" {
52 |   load_balancer_arn = aws_lb.test-lb.arn
53 |   port              = "80"
54 |   protocol          = "HTTP"
55 |   default_action {
56 |     type             = "forward"
57 |     target_group_arn = aws_lb_target_group.lb_target_group.arn
58 |   }
59 | }


--------------------------------------------------------------------------------
/ecs.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_cluster" "web-cluster" {
 2 |   name               = var.cluster_name
 3 |   capacity_providers = [aws_ecs_capacity_provider.test.name]
 4 |   tags = {
 5 |     "env"       = "dev"
 6 |     "createdBy" = "mkerimova"
 7 |   }
 8 | }
 9 | 
10 | resource "aws_ecs_capacity_provider" "test" {
11 |   name = "capacity-provider-test"
12 |   auto_scaling_group_provider {
13 |     auto_scaling_group_arn         = aws_autoscaling_group.asg.arn
14 |     managed_termination_protection = "ENABLED"
15 | 
16 |     managed_scaling {
17 |       status          = "ENABLED"
18 |       target_capacity = 85
19 |     }
20 |   }
21 | }
22 | 
23 | # update file container-def, so it's pulling image from ecr
24 | resource "aws_ecs_task_definition" "task-definition-test" {
25 |   family                = "web-family"
26 |   container_definitions = file("container-definitions/container-def.json")
27 |   network_mode          = "bridge"
28 |   tags = {
29 |     "env"       = "dev"
30 |     "createdBy" = "mkerimova"
31 |   }
32 | }
33 | 
34 | resource "aws_ecs_service" "service" {
35 |   name            = "web-service"
36 |   cluster         = aws_ecs_cluster.web-cluster.id
37 |   task_definition = aws_ecs_task_definition.task-definition-test.arn
38 |   desired_count   = 10
39 |   ordered_placement_strategy {
40 |     type  = "binpack"
41 |     field = "cpu"
42 |   }
43 |   load_balancer {
44 |     target_group_arn = aws_lb_target_group.lb_target_group.arn
45 |     container_name   = "pink-slon"
46 |     container_port   = 80
47 |   }
48 |   # Optional: Allow external changes without Terraform plan difference(for example ASG)
49 |   lifecycle {
50 |     ignore_changes = [desired_count]
51 |   }
52 |   launch_type = "EC2"
53 |   depends_on  = [aws_lb_listener.web-listener]
54 | }
55 | 
56 | resource "aws_cloudwatch_log_group" "log_group" {
57 |   name = "/ecs/frontend-container"
58 |   tags = {
59 |     "env"       = "dev"
60 |     "createdBy" = "mkerimova"
61 |   }
62 | }


--------------------------------------------------------------------------------
/asg.tf:
--------------------------------------------------------------------------------
 1 | data "aws_ami" "amazon_linux" {
 2 |   most_recent = true
 3 | 
 4 |   filter {
 5 |     name   = "name"
 6 |     values = ["amzn-ami*amazon-ecs-optimized"]
 7 |   }
 8 | 
 9 |   filter {
10 |     name   = "architecture"
11 |     values = ["x86_64"]
12 |   }
13 | 
14 |   filter {
15 |     name   = "virtualization-type"
16 |     values = ["hvm"]
17 |   }
18 |   owners = ["amazon", "self"]
19 | }
20 | 
21 | resource "aws_security_group" "ec2-sg" {
22 |   name        = "allow-all-ec2"
23 |   description = "allow all"
24 |   vpc_id      = data.aws_vpc.main.id
25 |   ingress {
26 |     from_port   = 0
27 |     to_port     = 0
28 |     protocol    = "-1"
29 |     cidr_blocks = ["0.0.0.0/0"]
30 |   }
31 |   egress {
32 |     from_port   = 0
33 |     to_port     = 0
34 |     protocol    = "-1"
35 |     cidr_blocks = ["0.0.0.0/0"]
36 |   }
37 | 
38 |   tags = {
39 |     Name = "mkerimova"
40 |   }
41 | }
42 | 
43 | resource "aws_launch_configuration" "lc" {
44 |   name          = "test_ecs"
45 |   image_id      = data.aws_ami.amazon_linux.id
46 |   instance_type = "t2.micro"
47 |   lifecycle {
48 |     create_before_destroy = true
49 |   }
50 |   iam_instance_profile        = aws_iam_instance_profile.ecs_service_role.name
51 |   key_name                    = var.key_name
52 |   security_groups             = [aws_security_group.ec2-sg.id]
53 |   associate_public_ip_address = true
54 |   user_data                   = <<EOF
55 | #! /bin/bash
56 | sudo apt-get update
57 | sudo echo "ECS_CLUSTER=${var.cluster_name}" >> /etc/ecs/ecs.config
58 | EOF
59 | }
60 | 
61 | resource "aws_autoscaling_group" "asg" {
62 |   name                      = "test-asg"
63 |   launch_configuration      = aws_launch_configuration.lc.name
64 |   min_size                  = 3
65 |   max_size                  = 4
66 |   desired_capacity          = 3
67 |   health_check_type         = "ELB"
68 |   health_check_grace_period = 300
69 |   vpc_zone_identifier       = module.vpc.public_subnets
70 | 
71 |   target_group_arns     = [aws_lb_target_group.lb_target_group.arn]
72 |   protect_from_scale_in = true
73 |   lifecycle {
74 |     create_before_destroy = true
75 |   }
76 | }


--------------------------------------------------------------------------------
/.github/workflows/ci_terraform.yaml:
--------------------------------------------------------------------------------
 1 | name: 'Terraform'
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |     - master
 7 |   pull_request:
 8 | 
 9 | jobs:
10 |   terraform:
11 |     name: 'Terraform'
12 |     runs-on: ubuntu-latest
13 |     steps:
14 |     - name: Checkout
15 |       uses: actions/checkout@v2
16 | 
17 |     - name: Setup Terraform
18 |       uses: hashicorp/setup-terraform@v1
19 |       
20 |     - name: Terraform Init
21 |       id: init
22 |       env:
23 |         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
24 |         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
25 |       run: terraform init -input=false
26 |     
27 |     - name: Terraform fmt
28 |       id: fmt
29 |       run: terraform fmt -check
30 |       continue-on-error: true
31 | 
32 |     - name: Terraform Validate
33 |       id: validate
34 |       run: terraform validate -no-color
35 | 
36 |     - name: Terraform Plan
37 |       id: plan
38 |       env:
39 |         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
40 |         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
41 |       run: terraform plan -no-color -var="key_name=ecs_workshop" -var="cluster_name=ecs_workshop_cluster"
42 |       continue-on-error: true
43 |     
44 |     - uses: actions/github-script@v2
45 |       name: Runs only on pull request
46 |       if: github.event_name == 'pull_request'
47 |       env:
48 |         PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
49 |       with:
50 |         github-token: ${{ secrets.MY_GITHUB_TOKEN }}
51 |         script: |
52 |           const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
53 |           #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
54 |           #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
55 |           #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
56 |           
57 |           <details><summary>Show Plan</summary>
58 |           
59 |           \`\`\`${process.env.PLAN}\`\`\`
60 |           
61 |           </details>
62 |           
63 |           *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`,  Workflow: \`${{ github.workflow }}\`*`;
64 |             
65 |           github.issues.createComment({
66 |             issue_number: context.issue.number,
67 |             owner: context.repo.owner,
68 |             repo: context.repo.repo,
69 |             body: output
70 |           })
71 | 
72 |     # - name: Terraform Apply
73 |     #   if: github.ref == 'refs/heads/master' && github.event_name == 'push'
74 |     #   run: terraform apply -auto-approve


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Provisioning VPC, ECS and ALB using Terraform
 2 | 
 3 | ![](https://github.com/mashun4ek/ecs_terraform_workshop/workflows/Terraform/badge.svg)
 4 | 
 5 | This is the example of creating a simple infrastructure using Terraform and AWS cloud provider. It consists of:
 6 | - Virtual Private Cloud (VPC) with 3 public subnets in 3 availability zones
 7 | - Elastic Container Service (ECS)
 8 | - Application Load Balancer (ALB)
 9 | 
10 | ## How to create the infrastructure?
11 | This example implies that you have already AWS account and Terraform CLI installed.
12 | 1. `git clone https://github.com/mashun4ek/ecs_terraform_workshop.git`
13 | 2. cd ecs_terraform_workshop
14 | 3. terraform init
15 | 4. terraform plan
16 | 5. terraform apply
17 | 
18 | Note: it can take about 5 minutes to provision all resources.
19 | ## How to delete the infrastructure?
20 | 1. Terminate instances
21 | 2. Run `terraform destroy`
22 | 
23 | ## Brief Description
24 | 
25 | Cluster is created using container instances (EC2 launch type, not Fargate!). 
26 | 
27 | In this example, verified module `vpc` is imported from Terraform Registry, other resources are created in relevant files.
28 | 
29 | In file `ecs.tf` we create:
30 |   - cluster of container instances _web-cluster_
31 |   - capacity provider, which is basically AWS Autoscaling group for EC2 instances. In this example managed scaling is enabled, Amazon ECS manages the scale-in and scale-out actions of the Auto Scaling group used when creating the capacity provider. I set target capacity to 85%, which will result in the Amazon EC2 instances in your Auto Scaling group being utilized for 85% and any instances not running any tasks will be scaled in.
32 |   - task definition with family _web-family_, volume and container definition is defined in the file container-def.json
33 |   - service _web-service_, desired count is set to 10, which means there are 10 tasks will be running simultaneously on your cluster. There are two service scheduler strategies available: REPLICA and DAEMON, in this example REPLICA is used. Application load balancer is attached to this service, so the traffic can be distributed between those tasks.
34 |   Note: The _binpack_ task placement strategy is used, which places tasks on available instances that have the least available amount of the cpu (specified with the field parameter). 
35 | 
36 | In file `asg.tf` we create:
37 |   - launch configuration
38 |   - key pair
39 |   - security groups for EC2 instances
40 |   - auto-scaling group. 
41 | 
42 | Note: in order to enable ECS managed scaling you need to enable `protect from scale in` from auto-scaling group.
43 | 
44 | In file `iam.tf` we create roles, which will help us to associate EC2 instances to clusters, and other tasks.
45 | 
46 | In file `alb.tf` we create Application Load Balancer with target groups, security group and listener. 
47 | 
48 | 


--------------------------------------------------------------------------------