├── README.md ├── envs └── prod │ ├── .terraform-version │ ├── db │ └── foobar │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── locals.tf │ │ ├── outputs.tf │ │ ├── backend.tf │ │ ├── db_option_group.tf │ │ ├── data.tf │ │ ├── iam.tf │ │ ├── .terraform.lock.hcl │ │ ├── db_parameter_group.tf │ │ └── db_instance.tf │ ├── log │ ├── alb │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── data.tf │ │ ├── outputs.tf │ │ ├── backend.tf │ │ ├── .terraform.lock.hcl │ │ └── s3.tf │ ├── app_foobar │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── locals.tf │ │ ├── backend.tf │ │ ├── cloudwatch_log.tf │ │ └── .terraform.lock.hcl │ └── db_foobar │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── locals.tf │ │ ├── backend.tf │ │ ├── cloudwatch_log.tf │ │ └── .terraform.lock.hcl │ ├── app │ └── foobar │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── locals.tf │ │ ├── variables.tf │ │ ├── backend.tf │ │ ├── ecr.tf │ │ ├── s3.tf │ │ ├── data.tf │ │ ├── .terraform.lock.hcl │ │ ├── iam.tf │ │ └── ecs.tf │ ├── cache │ └── foobar │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── locals.tf │ │ ├── outputs.tf │ │ ├── backend.tf │ │ ├── elasticache_parameter_group.tf │ │ ├── data.tf │ │ ├── .terraform.lock.hcl │ │ └── elasticache_replication_group.tf │ ├── network │ └── main │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── data.tf │ │ ├── locals.tf │ │ ├── internet_gateway.tf │ │ ├── backend.tf │ │ ├── elasticache_subnet_group.tf │ │ ├── vpc.tf │ │ ├── eip.tf │ │ ├── db_subnet_group.tf │ │ ├── nat_gateway.tf │ │ ├── variables.tf │ │ ├── subnet.tf │ │ ├── outputs.tf │ │ ├── .terraform.lock.hcl │ │ ├── route_table.tf │ │ └── security_group.tf │ ├── cicd │ └── app_foobar │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── locals.tf │ │ ├── backend.tf │ │ ├── data.tf │ │ ├── .terraform.lock.hcl │ │ ├── ecspresso.tf │ │ └── iam.tf │ ├── routing │ ├── appfoobar_link │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ ├── backend.tf │ │ 
├── acm.tf │ │ ├── data.tf │ │ ├── route53.tf │ │ ├── .terraform.lock.hcl │ │ └── alb.tf │ └── foobar_internal │ │ ├── provider.tf │ │ ├── shared_locals.tf │ │ ├── backend.tf │ │ ├── data.tf │ │ ├── route53.tf │ │ └── .terraform.lock.hcl │ ├── shared_locals.tf │ └── provider.tf ├── .gitignore └── modules └── ecr ├── outputs.tf ├── variables.tf └── main.tf /README.md: -------------------------------------------------------------------------------- 1 | # laravel-fargate-infra 2 | -------------------------------------------------------------------------------- /envs/prod/.terraform-version: -------------------------------------------------------------------------------- 1 | 1.0.0 2 | -------------------------------------------------------------------------------- /envs/prod/db/foobar/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/log/alb/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/app/foobar/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/cache/foobar/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/log/app_foobar/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/log/db_foobar/provider.tf: -------------------------------------------------------------------------------- 1 | 
../../provider.tf -------------------------------------------------------------------------------- /envs/prod/network/main/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/cicd/app_foobar/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/db/foobar/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/log/alb/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/app/foobar/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/cache/foobar/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/log/app_foobar/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/log/db_foobar/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/network/main/shared_locals.tf: 
-------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/routing/appfoobar_link/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/routing/foobar_internal/provider.tf: -------------------------------------------------------------------------------- 1 | ../../provider.tf -------------------------------------------------------------------------------- /envs/prod/cicd/app_foobar/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/network/main/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "current" {} 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/.terraform/* 2 | *.tfstate 3 | *.tfstate.* 4 | *.tfvars 5 | -------------------------------------------------------------------------------- /envs/prod/log/alb/data.tf: -------------------------------------------------------------------------------- 1 | data "aws_elb_service_account" "current" {} 2 | -------------------------------------------------------------------------------- /envs/prod/routing/appfoobar_link/shared_locals.tf: -------------------------------------------------------------------------------- 1 | ../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/routing/foobar_internal/shared_locals.tf: -------------------------------------------------------------------------------- 1 | 
../../shared_locals.tf -------------------------------------------------------------------------------- /envs/prod/db/foobar/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_name = "foobar" 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/app/foobar/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_name = "foobar" 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/cache/foobar/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_name = "foobar" 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/log/app_foobar/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_name = "foobar" 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/log/db_foobar/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_name = "foobar" 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/cicd/app_foobar/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | service_name = "foobar" 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/log/alb/outputs.tf: -------------------------------------------------------------------------------- 1 | output "s3_bucket_this_id" { 2 | value = aws_s3_bucket.this.id 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/app/foobar/variables.tf: -------------------------------------------------------------------------------- 1 | variable 
"desired_count" { 2 | type = number 3 | default = 1 4 | } 5 | -------------------------------------------------------------------------------- /envs/prod/db/foobar/outputs.tf: -------------------------------------------------------------------------------- 1 | output "db_instance_this_address" { 2 | value = aws_db_instance.this.address 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/routing/appfoobar_link/variables.tf: -------------------------------------------------------------------------------- 1 | variable "enable_alb" { 2 | type = bool 3 | default = true 4 | } 5 | -------------------------------------------------------------------------------- /modules/ecr/outputs.tf: -------------------------------------------------------------------------------- 1 | output "ecr_repository_this_repository_url" { 2 | value = aws_ecr_repository.this.repository_url 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/routing/appfoobar_link/outputs.tf: -------------------------------------------------------------------------------- 1 | output "lb_target_group_foobar_arn" { 2 | value = aws_lb_target_group.foobar.arn 3 | } 4 | -------------------------------------------------------------------------------- /envs/prod/network/main/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | nat_gateway_azs = var.single_nat_gateway ? 
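{ keys(var.azs)[0] = values(var.azs)[0] } : var.azs
  # With single_nat_gateway only the first AZ key (keys() returns them in
  # lexical order) gets an EIP + NAT gateway; otherwise every AZ in var.azs does.
}

# ---- /modules/ecr/variables.tf ----
# Repository name; also used as the Name tag in main.tf.
variable "name" {
  type = string
}

# How many images the lifecycle policy keeps before expiring the rest.
variable "holding_count" {
  type    = number
  default = 10
}

# ---- /envs/prod/shared_locals.tf ----
# Naming locals shared by every stack under envs/prod (each stack symlinks
# this file). Backend blocks cannot read locals, so the literal
# "example/prod/" prefix in every backend.tf must be kept in step with
# system_name and env_name here.
locals {
  name_prefix = "${local.system_name}-${local.env_name}"
  system_name = "example"
  env_name    = "prod"
}

# ---- /envs/prod/cache/foobar/outputs.tf ----
# Consumed via terraform_remote_state by routing/foobar_internal.
output "elasticache_replication_group_this_primary_endpoint_address" {
  value = aws_elasticache_replication_group.this.primary_endpoint_address
}

# ---- /envs/prod/network/main/internet_gateway.tf ----
resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id

  tags = {
    Name = aws_vpc.this.tags.Name
  }
}

# ---- /envs/prod/log/alb/backend.tf ----
# Remote state for this stack. State files carry every resource attribute
# (endpoints, ARNs, and for some resources secrets), so `encrypt = true`
# asks S3 to store the object server-side encrypted. No lock table is
# configured; before several operators or CI run applies against the same
# key, add `dynamodb_table = "<LOCK_TABLE_NAME>"` (table with a string
# LockID hash key) to every backend below.
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/log/alb_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/app/foobar/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/app/foobar_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/db/foobar/backend.tf ----
# This state holds the RDS instance (and its master credentials if set in
# db_instance.tf); encryption at rest and tight S3 read access matter most here.
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/db/foobar_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/cache/foobar/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/cache/foobar_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/cache/foobar/elasticache_parameter_group.tf ----
# Parameter group for the Redis 6.x replication group in this stack.
resource "aws_elasticache_parameter_group" "this" {
  name = "${local.system_name}-${local.env_name}-${local.service_name}"

  family = "redis6.x"
}

# ---- /envs/prod/log/db_foobar/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/log/db_foobar_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/network/main/backend.tf ----
# Read by most other stacks through terraform_remote_state.
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/network/main_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/network/main/elasticache_subnet_group.tf ----
# Cache nodes are placed only in the private subnets.
resource "aws_elasticache_subnet_group" "this" {
  name = aws_vpc.this.tags.Name

  subnet_ids = [
    for subnet in aws_subnet.private : subnet.id
  ]
}

# ---- /envs/prod/cicd/app_foobar/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/cicd/app_foobar_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/log/app_foobar/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/log/app_foobar_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/routing/appfoobar_link/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/routing/appfoobar_link_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}

# ---- /envs/prod/routing/foobar_internal/backend.tf ----
terraform {
  backend "s3" {
    bucket  = "shonansurvivors-tfstate"
    key     = "example/prod/routing/foobar_internal_v1.0.0.tfstate"
    region  = "ap-northeast-1"
    encrypt = true
  }
}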
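# ---- /envs/prod/network/main/vpc.tf ----
# The single VPC for this environment; its Name tag is reused as the base
# name for subnets, gateways and subnet groups.
resource "aws_vpc" "this" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "${local.name_prefix}-main"
  }
}

# ---- /envs/prod/network/main/eip.tf ----
# One EIP per NAT gateway; the key set is decided in locals.tf
# (single AZ or every AZ) and is empty when NAT is disabled.
resource "aws_eip" "nat_gateway" {
  for_each = var.enable_nat_gateway ? local.nat_gateway_azs : {}

  vpc = true

  tags = {
    Name = "${aws_vpc.this.tags.Name}-nat-gateway-${each.key}"
  }
}

# ---- /envs/prod/network/main/db_subnet_group.tf ----
# RDS instances are placed only in the private subnets.
resource "aws_db_subnet_group" "this" {
  name = aws_vpc.this.tags.Name

  subnet_ids = [
    for subnet in aws_subnet.private : subnet.id
  ]

  tags = {
    Name = aws_vpc.this.tags.Name
  }
}

# ---- /envs/prod/cache/foobar/data.tf ----
# Pulls outputs (subnet group, security groups) from the network stack.
# Note that the whole state object is fetched, not just its outputs, so the
# identity running this stack needs — and receives — read access to all of it.
data "terraform_remote_state" "network_main" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/network/main_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

# ---- /envs/prod/app/foobar/ecr.tf ----
# One ECR repository per container image of the service.
module "nginx" {
  source = "../../../../modules/ecr"

  name = "${local.name_prefix}-${local.service_name}-nginx"
}

module "php" {
  source = "../../../../modules/ecr"

  name = "${local.name_prefix}-${local.service_name}-php"
}

# ---- /envs/prod/db/foobar/db_option_group.tf ----
resource "aws_db_option_group" "this" {
  name = "${local.system_name}-${local.env_name}-${local.service_name}"

  engine_name          = "mysql"
  major_engine_version = "8.0"

  tags = {
    Name = "${local.system_name}-${local.env_name}-${local.service_name}"
  }
}

# ---- /envs/prod/network/main/nat_gateway.tf ----
# NAT gateways live in the public subnet of each selected AZ and reuse the
# EIP created under the same key.
resource "aws_nat_gateway" "this" {
  for_each = var.enable_nat_gateway ? local.nat_gateway_azs : {}

  allocation_id = aws_eip.nat_gateway[each.key].id
  subnet_id     = aws_subnet.public[each.key].id

  tags = {
    Name = "${aws_vpc.this.tags.Name}-${each.key}"
  }
}

# ---- /envs/prod/log/app_foobar/cloudwatch_log.tf ----
# ECS task log groups, 90-day retention. They use the CloudWatch default
# encryption; set kms_key_id if a customer-managed key is required.
resource "aws_cloudwatch_log_group" "nginx" {
  name = "/ecs/${local.name_prefix}-${local.service_name}/nginx"

  retention_in_days = 90
}

resource "aws_cloudwatch_log_group" "php" {
  name = "/ecs/${local.name_prefix}-${local.service_name}/php"

  retention_in_days = 90
}

# ---- /envs/prod/db/foobar/data.tf ----
# AWS-managed RDS key for storage encryption. If snapshots ever need to be
# shared across accounts, a customer-managed key is required instead.
data "aws_kms_alias" "rds" {
  name = "alias/aws/rds"
}

data "terraform_remote_state" "network_main" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/network/main_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

# ---- /envs/prod/provider.tf ----
# Shared provider/version pins, symlinked into every stack. default_tags
# stamps every taggable resource; provider and CLI versions are pinned
# exactly and match the committed .terraform.lock.hcl files.
provider "aws" {
  region = "ap-northeast-1"

  default_tags {
    tags = {
      Env    = "prod"
      System = "example"
    }
  }
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.42.0"
    }
  }

  required_version = "1.0.0"
}

# ---- /envs/prod/routing/appfoobar_link/acm.tf ----
# Public certificate for the hosted zone's apex, validated via DNS records
# created in route53.tf.
resource "aws_acm_certificate" "root" {
  domain_name = data.aws_route53_zone.this.name

  validation_method = "DNS"

  tags = {
    Name = "${local.name_prefix}-appfoobar-link"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate_validation" "root" {
  certificate_arn = aws_acm_certificate.root.arn

  # Tie completion to the DNS validation records so Terraform creates them
  # before waiting on issuance, instead of relying on apply ordering.
  validation_record_fqdns = [
    for record in aws_route53_record.certificate_validation : record.fqdn
  ]
}

# ---- /envs/prod/app/foobar/s3.tf ----
# Bucket holding the ECS task environment file; its contents are
# configuration and likely secrets, hence SSE plus the public access block.
# Versioning is not enabled — consider it for recovery of overwritten env files.
resource "aws_s3_bucket" "env_file" {
  bucket = "shonansurvivors-${local.name_prefix}-${local.service_name}-env-file"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  tags = {
    Name = "shonansurvivors-${local.name_prefix}-${local.service_name}-env-file"
  }
}

# Keeps the env-file bucket private regardless of later ACL or policy changes.
resource "aws_s3_bucket_public_access_block" "env_file" {
  bucket = aws_s3_bucket.env_file.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ---- /envs/prod/cicd/app_foobar/data.tf ----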
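# Lookups of the already-deployed app stack that the CI/CD deploy role acts on.
data "aws_caller_identity" "self" {}

data "aws_region" "current" {}

data "aws_ecs_cluster" "this" {
  cluster_name = "${local.name_prefix}-${local.service_name}"
}

data "aws_ecs_service" "this" {
  # The argument is an ARN; use the resolved cluster ARN rather than
  # re-building the cluster name string.
  cluster_arn  = data.aws_ecs_cluster.this.arn
  service_name = "${local.name_prefix}-${local.service_name}"
}

# Same bucket created in app/foobar/s3.tf; the deploy role needs read access to it.
data "aws_s3_bucket" "env_file" {
  bucket = "shonansurvivors-${local.name_prefix}-${local.service_name}-env-file"
}

# ---- /envs/prod/log/db_foobar/cloudwatch_log.tf ----
# Destination groups for the RDS log exports (error/general/slowquery),
# 90-day retention. General and slow-query logs can contain literal query
# text, so access to these groups should be as restricted as the database.
resource "aws_cloudwatch_log_group" "error" {
  name = "/aws/rds/instance/${local.name_prefix}-${local.service_name}/error"

  retention_in_days = 90
}

resource "aws_cloudwatch_log_group" "general" {
  name = "/aws/rds/instance/${local.name_prefix}-${local.service_name}/general"

  retention_in_days = 90
}

resource "aws_cloudwatch_log_group" "slowquery" {
  name = "/aws/rds/instance/${local.name_prefix}-${local.service_name}/slowquery"

  retention_in_days = 90
}

# ---- /envs/prod/routing/appfoobar_link/data.tf ----
# Network outputs (VPC, public subnets, web security group) and the ALB
# access-log bucket from log/alb.
data "terraform_remote_state" "network_main" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/network/main_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

data "terraform_remote_state" "log_alb" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/log/alb_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

# ---- /envs/prod/network/main/variables.tf ----
# NOTE(review): 171.32.0.0/16 is not RFC 1918 space (10/8, 172.16/12,
# 192.168/16); it is publicly routable address space owned by someone else,
# and instances in this VPC cannot reach the real hosts in that range.
# The default is left unchanged here because changing it recreates the VPC
# and every subnet — plan that migration deliberately.
variable "vpc_cidr" {
  type    = string
  default = "171.32.0.0/16"
}

# AZ suffix => public/private /20 pair; keys are appended to the region name
# in subnet.tf, so they must be valid AZ letters for ap-northeast-1.
variable "azs" {
  type = map(object({
    public_cidr  = string
    private_cidr = string
  }))
  default = {
    a = {
      public_cidr  = "171.32.0.0/20"
      private_cidr = "171.32.48.0/20"
    },
    c = {
      public_cidr  = "171.32.16.0/20"
      private_cidr = "171.32.64.0/20"
    }
  }
}

variable "enable_nat_gateway" {
  type    = bool
  default = true
}

# true = one NAT gateway in the first AZ only (cheaper, single point of
# failure for private-subnet egress); false = one per AZ.
variable "single_nat_gateway" {
  type    = bool
  default = true
}

# ---- /envs/prod/app/foobar/data.tf ----
data "aws_caller_identity" "self" {}

data "aws_region" "current" {}

data "terraform_remote_state" "network_main" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/network/main_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

data "terraform_remote_state" "routing_appfoobar_link" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/routing/appfoobar_link_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

# ---- /modules/ecr/main.tf ----
# ECR repository plus a count-based expiry policy.
resource "aws_ecr_repository" "this" {
  name = var.name

  # Basic vulnerability scan of every pushed image; findings surface in the
  # console/API and can be wired to EventBridge.
  image_scanning_configuration {
    scan_on_push = true
  }

  # Tags stay mutable (provider default) so a moving tag such as "latest"
  # can be re-pushed; set image_tag_mutability = "IMMUTABLE" to pin deploys
  # to a digest-stable tag if the CI flow allows it.

  tags = {
    Name = var.name
  }
}

resource "aws_ecr_lifecycle_policy" "this" {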
# (continues resource "aws_ecr_lifecycle_policy" "this" opened above)
  repository = aws_ecr_repository.this.name

  # Keep the newest var.holding_count images regardless of tag; expire the rest.
  policy = jsonencode(
    {
      "rules" : [
        {
          "rulePriority" : 1,
          "description" : "Hold only ${var.holding_count} images, expire all others",
          "selection" : {
            "tagStatus" : "any",
            "countType" : "imageCountMoreThan",
            "countNumber" : var.holding_count
          },
          "action" : {
            "type" : "expire"
          }
        }
      ]
    }
  )
}

# ---- /envs/prod/network/main/subnet.tf ----
# One public and one private subnet per entry in var.azs; the map key is the
# AZ letter appended to the current region name.
resource "aws_subnet" "public" {
  for_each = var.azs

  vpc_id                  = aws_vpc.this.id
  availability_zone       = "${data.aws_region.current.name}${each.key}"
  cidr_block              = each.value.public_cidr
  map_public_ip_on_launch = true

  tags = {
    Name = "${aws_vpc.this.tags.Name}-public-${each.key}"
  }
}

resource "aws_subnet" "private" {
  for_each = var.azs

  vpc_id                  = aws_vpc.this.id
  availability_zone       = "${data.aws_region.current.name}${each.key}"
  cidr_block              = each.value.private_cidr
  map_public_ip_on_launch = false

  tags = {
    Name = "${aws_vpc.this.tags.Name}-private-${each.key}"
  }
}

# ---- /envs/prod/network/main/outputs.tf ----
# Everything other stacks consume through terraform_remote_state.
output "vpc_this_id" {
  value = aws_vpc.this.id
}

# Full subnet objects (keyed by AZ letter), not just ids.
output "subnet_public" {
  value = aws_subnet.public
}

output "subnet_private" {
  value = aws_subnet.private
}

output "security_group_web_id" {
  value = aws_security_group.web.id
}

output "security_group_vpc_id" {
  value = aws_security_group.vpc.id
}

output "security_group_db_foobar_id" {
  value = aws_security_group.db_foobar.id
}

output "security_group_cache_foobar_id" {
  value = aws_security_group.cache_foobar.id
}

output "db_subnet_group_this_id" {
  value = aws_db_subnet_group.this.id
}

output "elasticache_subnet_group_this_name" {
  value = aws_elasticache_subnet_group.this.name
}

# ---- /envs/prod/routing/foobar_internal/data.tf ----
# VPC id for the private zone plus the DB and cache endpoints it aliases.
data "terraform_remote_state" "network_main" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/network/main_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

data "terraform_remote_state" "db_foobar" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/db/foobar_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

data "terraform_remote_state" "cache_foobar" {
  backend = "s3"

  config = {
    bucket = "shonansurvivors-tfstate"
    key    = "${local.system_name}/${local.env_name}/cache/foobar_v1.0.0.tfstate"
    region = "ap-northeast-1"
  }
}

# ---- /envs/prod/routing/foobar_internal/route53.tf ----
# Private hosted zone, resolvable only from the VPC, giving the app stable
# names (db./cache.) in front of the AWS-generated endpoints.
resource "aws_route53_zone" "this" {
  name = "foobar.internal"

  vpc {
    vpc_id = data.terraform_remote_state.network_main.outputs.vpc_this_id
  }
}

resource "aws_route53_record" "db_cname" {
  zone_id = aws_route53_zone.this.zone_id
  type    = "CNAME"
  name    = "db.${aws_route53_zone.this.name}"
  ttl     = 300

  records = [
    data.terraform_remote_state.db_foobar.outputs.db_instance_this_address
  ]
}

resource "aws_route53_record" "cache_cname" {
  zone_id = aws_route53_zone.this.zone_id
  type    = "CNAME"
  name    = "cache.${aws_route53_zone.this.name}"
  ttl     = 300

  records = [
    data.terraform_remote_state.cache_foobar.outputs.elasticache_replication_group_this_primary_endpoint_address
  ]
}

# ---- /envs/prod/db/foobar/iam.tf ----
# Role assumed by the RDS Enhanced Monitoring service to write OS metrics
# to CloudWatch Logs; attached to the instance via monitoring_role_arn.
# NOTE(review): the trust policy has no aws:SourceAccount / aws:SourceArn
# condition. AWS recommends adding one for service principals to prevent
# the confused-deputy case where another account's RDS resources assume
# this role; confirm against the current RDS documentation before adding.
resource "aws_iam_role" "rds_monitoring_role" {
  name = "${local.system_name}-${local.env_name}-${local.service_name}-rds-monitoring-role"

  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "monitoring.rds.amazonaws.com"
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    }
  )
}

# AWS-managed policy scoped to the RDSOSMetrics log group.
data "aws_iam_policy" "rds_enhanced_monitoring_role" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

resource "aws_iam_role_policy_attachment" "rds_monitoring_role" {
  policy_arn = data.aws_iam_policy.rds_enhanced_monitoring_role.arn
  role       = aws_iam_role.rds_monitoring_role.name
}

# ---- /envs/prod/routing/appfoobar_link/route53.tf ----
# Existing public zone; the ACM certificate in acm.tf is issued for its apex.
data "aws_route53_zone" "this" {
  name = "appfoobar.link"
}

# One DNS validation CNAME per domain on the certificate.
resource "aws_route53_record" "certificate_validation" {
  for_each = {
    for option in aws_acm_certificate.root.domain_validation_options : option.domain_name => {
      name   = option.resource_record_name
      type   = option.resource_record_type
      record = option.resource_record_value
    }
  }

  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60
  zone_id =
data.aws_route53_zone.this.id 19 | } 20 | 21 | resource "aws_route53_record" "root_a" { 22 | count = var.enable_alb ? 1 : 0 23 | 24 | name = data.aws_route53_zone.this.name 25 | type = "A" 26 | zone_id = data.aws_route53_zone.this.zone_id 27 | 28 | alias { 29 | evaluate_target_health = true 30 | name = aws_lb.this[0].dns_name 31 | zone_id = aws_lb.this[0].zone_id 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /envs/prod/app/foobar/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/db/foobar/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform 
init". 2 | # Manual edits may be lost in future updates. 3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/log/alb/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/cache/foobar/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/cicd/app_foobar/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/log/app_foobar/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/log/db_foobar/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/network/main/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/routing/appfoobar_link/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.42.0" 6 | constraints = "3.42.0" 7 | hashes = [ 8 | "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=", 9 | "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a", 10 | "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0", 11 | "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a", 12 | "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d", 13 | "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5", 14 | "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52", 15 | "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26", 16 | "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9", 17 | "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8", 18 | "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8", 19 | "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324", 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /envs/prod/routing/foobar_internal/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.42.0"
  constraints = "3.42.0"
  hashes = [
    "h1:C6/yDp6BhuDFx0qdkBuJj/OWUJpAoraHTJaU6ac38Rw=",
    "zh:126c856a6eedddd8571f161a826a407ba5655a37a6241393560a96b8c4beca1a",
    "zh:1a4868e6ac734b5fc2e79a4a889d176286b66664aad709435aa6acee5871d5b0",
    "zh:40fed7637ab8ddeb93bef06aded35d970f0628025b97459ae805463e8aa0a58a",
    "zh:68def3c0a5a1aac1db6372c51daef858b707f03052626d3427ac24cba6f2014d",
    "zh:6db7ec9c8d1803a0b6f40a664aa892e0f8894562de83061fa7ac1bc51ff5e7e5",
    "zh:7058abaad595930b3f97dc04e45c112b2dbf37d098372a849081f7081da2fb52",
    "zh:8c25adb15a19da301c478aa1f4a4d8647cabdf8e5dae8331d4490f80ea718c26",
    "zh:8e129b847401e39fcbc54817726dab877f36b7f00ff5ed76f7b43470abe99ff9",
    "zh:d268bb267a2d6b39df7ddee8efa7c1ef7a15cf335dfa5f2e64c9dae9b623a1b8",
    "zh:d6eeb3614a0ab50f8e9ab5666ae5754ea668ce327310e5b21b7f04a18d7611a8",
    "zh:f5d3c58055dff6e38562b75d3edc908cb2f1e45c6914f6b00f4773359ce49324",
  ]
}
-------------------------------------------------------------------------------- /envs/prod/db/foobar/db_parameter_group.tf: --------------------------------------------------------------------------------
# MySQL 8.0 parameter group for the foobar instance: utf8mb4 everywhere plus
# general/slow query logging to files (exported to CloudWatch Logs by
# db_instance.tf).
resource "aws_db_parameter_group" "this" {
  name = "${local.system_name}-${local.env_name}-${local.service_name}"

  family = "mysql8.0"

  parameter {
    name  = "character_set_client"
    value = "utf8mb4"
  }

  parameter {
    name  = "character_set_connection"
    value = "utf8mb4"
  }

  parameter {
    name  = "character_set_database"
    value = "utf8mb4"
  }

  parameter {
    name  = "character_set_filesystem"
    value = "utf8mb4"
  }

  parameter {
    name  = "character_set_results"
    value = "utf8mb4"
  }

  parameter {
    name  = "character_set_server"
    value = "utf8mb4"
  }

  parameter {
    name  = "collation_server"
    value = "utf8mb4_0900_ai_ci"
  }

  # NOTE(review): the general log records the text of every statement the
  # server receives, which may include data values from the application. With
  # "general" in enabled_cloudwatch_logs_exports (db_instance.tf) that text
  # leaves the database; for a prod instance confirm this is intended and that
  # access to the CloudWatch log group is restricted accordingly.
  parameter {
    name  = "general_log"
    value = "1"
  }

  parameter {
    name  = "slow_query_log"
    value = "1"
  }

  # Statements slower than one second are written to the slow query log.
  parameter {
    name  = "long_query_time"
    value = "1.0"
  }

  # Log to files (not tables) so RDS can export them to CloudWatch Logs.
  parameter {
    name  = "log_output"
    value = "FILE"
  }

  tags = {
    Name = "${local.system_name}-${local.env_name}-${local.service_name}"
  }
}
-------------------------------------------------------------------------------- /envs/prod/network/main/route_table.tf: --------------------------------------------------------------------------------
# One route table for all public subnets: default route to the internet gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.this.id

  tags = {
    Name = "${aws_vpc.this.tags.Name}-public"
  }
}

resource "aws_route" "internet_gateway_public" {
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.this.id
  route_table_id         = aws_route_table.public.id
}

resource "aws_route_table_association" "public" {
  for_each = var.azs

  route_table_id = aws_route_table.public.id
  subnet_id      = aws_subnet.public[each.key].id
}

# One route table per AZ for the private subnets, so each AZ can use its own
# NAT gateway.
resource "aws_route_table" "private" {
  for_each = var.azs

  vpc_id = aws_vpc.this.id

  tags = {
    Name = "${aws_vpc.this.tags.Name}-private-${each.key}"
  }
}

# Default route for private subnets through NAT, only when NAT is enabled.
# With single_nat_gateway every AZ routes through the first AZ's gateway
# (keys(var.azs)[0]); otherwise each AZ uses its own.
resource "aws_route" "nat_gateway_private" {
  for_each = var.enable_nat_gateway ? var.azs : {}

  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[var.single_nat_gateway ?
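keys(var.azs)[0] : each.key].id
  route_table_id = aws_route_table.private[each.key].id
}

# Attach each private subnet to its per-AZ route table.
resource "aws_route_table_association" "private" {
  for_each = var.azs

  route_table_id = aws_route_table.private[each.key].id
  subnet_id      = aws_subnet.private[each.key].id
}
-------------------------------------------------------------------------------- /envs/prod/cache/foobar/elasticache_replication_group.tf: --------------------------------------------------------------------------------
// Redis replication group used as the Laravel session store: two nodes across
// AZs with automatic failover, reachable only through the cache_foobar
// security group.
resource "aws_elasticache_replication_group" "this" {
  engine = "redis"

  // Redis settings
  replication_group_id          = "${local.system_name}-${local.env_name}-${local.service_name}"
  replication_group_description = "Session storage for Laravel"
  engine_version                = "6.x"
  port                          = 6379
  parameter_group_name          = aws_elasticache_parameter_group.this.name
  node_type                     = "cache.t3.micro"
  number_cache_clusters         = 2
  multi_az_enabled              = true

  // Advanced Redis settings
  subnet_group_name = data.terraform_remote_state.network_main.outputs.elasticache_subnet_group_this_name

  // Security
  // Network access is governed solely by the self-referencing cache_foobar
  // security group (network/main/security_group.tf).
  security_group_ids = [
    data.terraform_remote_state.network_main.outputs.security_group_cache_foobar_id
  ]
  at_rest_encryption_enabled = true
  // NOTE(review): in-transit encryption is disabled and no auth_token is set,
  // so session data crosses the VPC in clear text and any host admitted by the
  // security group can read or write it. Turning transit encryption on makes
  // the endpoint TLS-only, which needs a matching client-side change (Redis
  // connection scheme), so it is flagged here rather than switched unilaterally.
  transit_encryption_enabled = false

  // Backup
  snapshot_retention_limit = 1
  snapshot_window          = "17:00-18:00"

  // Maintenance
  maintenance_window     = "fri:18:00-fri:19:00"
  notification_topic_arn = ""

  // Others
  automatic_failover_enabled = true
  // Minor engine versions are not applied automatically; fixes shipped in
  // minor releases need a manual engine_version change.
  auto_minor_version_upgrade = false

  tags = {
    Name = "${local.system_name}-${local.env_name}-${local.service_name}"
  }
}
-------------------------------------------------------------------------------- /envs/prod/cicd/app_foobar/ecspresso.tf: --------------------------------------------------------------------------------
// referenced by ecspresso
//
// Read-only lookups of resources owned by the other stacks (log, app, network,
// routing), resolved by name or Name tag. A rename in the owning stack fails
// the deploy here instead of silently targeting something else.

data "aws_cloudwatch_log_group" "nginx" {
  name = "/ecs/${local.name_prefix}-${local.service_name}/nginx"
}

data "aws_cloudwatch_log_group" "php" {
  name = "/ecs/${local.name_prefix}-${local.service_name}/php"
}

data "aws_ecr_repository" "nginx" {
  name = "${local.name_prefix}-${local.service_name}-nginx"
}

data "aws_ecr_repository" "php" {
  name = "${local.name_prefix}-${local.service_name}-php"
}

data "aws_iam_role" "ecs_task_execution" {
  name = "${local.name_prefix}-${local.service_name}-ecs-task-execution"
}

data "aws_iam_role" "ecs_task" {
  name = "${local.name_prefix}-${local.service_name}-ecs-task"
}

data "aws_lb_target_group" "this" {
  name = "${local.name_prefix}-${local.service_name}"
}

// The task is placed in the cache/db security groups so it can reach Redis and
// RDS through their self-referencing ingress rules.
data "aws_security_group" "cache_foobar" {
  name = "${local.name_prefix}-main-cache-foobar"
}

data "aws_security_group" "db_foobar" {
  name = "${local.name_prefix}-main-db-foobar"
}

data "aws_security_group" "vpc" {
  name = "${local.name_prefix}-main-vpc"
}

// Private subnets, found by the Name tag the network stack applies.
data "aws_subnet" "private" {
  for_each = var.azs

  tags = {
    Name = "${local.name_prefix}-main-private-${each.key}"
  }
}

// Mirrors the AZ map of network/main. Only the keys ("a", "c") are used here,
// to locate the private subnets; the CIDR values are not referenced in this
// stack, so they can drift from the network stack without any error.
variable "azs" {
  type = map(object({
    public_cidr  = string
    private_cidr = string
  }))
  default = {
    a = {
      public_cidr  = "172.32.0.0/20"
      private_cidr = "172.32.48.0/20"
    },
    c = {
      public_cidr  = "172.32.16.0/20"
      private_cidr = "172.32.64.0/20"
    }
  }
}
-------------------------------------------------------------------------------- /envs/prod/log/alb/s3.tf: --------------------------------------------------------------------------------
# Bucket receiving ALB access logs (routing/appfoobar_link/alb.tf writes under
# the "appfoobar-link" prefix). Access logs carry client IPs and request paths;
# objects are SSE-S3 encrypted and expire after 90 days.
resource "aws_s3_bucket" "this" {
  bucket = "shonansurvivors-${local.name_prefix}-alb-log"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  tags = {
    Name = "shonansurvivors-${local.name_prefix}-alb-log"
  }

  lifecycle_rule {
    enabled = true

    expiration {
      days = "90"
    }
  }
}

# Block every form of public access at the bucket level. The log-delivery
# principals in the policy below are an AWS account and a service, not "*",
# so this does not interfere with delivery; it guards against a later public
# ACL or policy statement exposing the access logs.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket = aws_s3_bucket.this.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lets Elastic Load Balancing deliver access logs into the bucket:
#  - the regional ELB service account (data.aws_elb_service_account) may
#    PutObject anywhere in the bucket;
#  - delivery.logs.amazonaws.com may PutObject with bucket-owner-full-control
#    and read the bucket ACL.
# NOTE(review): the first statement could be narrowed to the
# "<prefix>/AWSLogs/<account-id>/*" path the ALB actually writes to.
resource "aws_s3_bucket_policy" "this" {
  bucket = aws_s3_bucket.this.id
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "arn:aws:iam::${data.aws_elb_service_account.current.id}:root"
          },
          "Action" : "s3:PutObject",
          "Resource" : "arn:aws:s3:::${aws_s3_bucket.this.id}/*"
        },
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "delivery.logs.amazonaws.com"
          },
          "Action" : "s3:PutObject",
          "Resource" : "arn:aws:s3:::${aws_s3_bucket.this.id}/*",
          "Condition" : {
            "StringEquals" : {
              "s3:x-amz-acl" : "bucket-owner-full-control"
            }
          }
        },
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "delivery.logs.amazonaws.com"
          },
          "Action" : "s3:GetBucketAcl",
          "Resource" : "arn:aws:s3:::${aws_s3_bucket.this.id}"
        }
      ]
    }
  )
}
-------------------------------------------------------------------------------- /envs/prod/network/main/security_group.tf: --------------------------------------------------------------------------------
# Internet-facing security group for the public ALB: HTTP and HTTPS from
# anywhere (the HTTP listener only redirects to HTTPS), unrestricted egress.
resource "aws_security_group" "web" {
  name   = "${aws_vpc.this.tags.Name}-web"
  vpc_id = aws_vpc.this.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${aws_vpc.this.tags.Name}-web"
  }
}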
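resource "aws_security_group" "vpc" {
  name   = "${aws_vpc.this.tags.Name}-vpc"
  vpc_id = aws_vpc.this.id

  # Members may reach each other on any port/protocol. Both the ALB
  # (routing/appfoobar_link/alb.tf) and the ECS tasks (cicd/.../ecspresso.tf)
  # are members, which is what lets the ALB reach the target group on port 80.
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${aws_vpc.this.tags.Name}-vpc"
  }
}

# Shared by the foobar RDS instance and its clients: only members can reach
# each other, on every port. NOTE(review): because the ECS task is also a
# member (ecspresso.tf), narrowing ingress to tcp/3306 would keep the DB
# reachable while dropping all-ports reachability between members — confirm no
# other member relies on it before tightening.
resource "aws_security_group" "db_foobar" {
  name   = "${aws_vpc.this.tags.Name}-db-foobar"
  vpc_id = aws_vpc.this.id

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${aws_vpc.this.tags.Name}-db-foobar"
  }
}

# Same pattern for the Redis replication group and its clients (tcp/6379 is
# the only port Redis is configured on; see cache/foobar).
resource "aws_security_group" "cache_foobar" {
  name   = "${aws_vpc.this.tags.Name}-cache-foobar"
  vpc_id = aws_vpc.this.id

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${aws_vpc.this.tags.Name}-cache-foobar"
  }
}
-------------------------------------------------------------------------------- /envs/prod/routing/appfoobar_link/alb.tf: --------------------------------------------------------------------------------
# Internet-facing ALB for appfoobar.link, created only when var.enable_alb is
# true. Access logs go to the log/alb bucket under the "appfoobar-link" prefix.
resource "aws_lb" "this" {
  count = var.enable_alb ? 1 : 0

  name = "${local.name_prefix}-appfoobar-link"

  internal           = false
  load_balancer_type = "application"

  # Drop requests whose header names are not valid HTTP tokens instead of
  # forwarding them to the targets (desync / request-smuggling hardening for a
  # listener that takes traffic from anywhere).
  drop_invalid_header_fields = true

  access_logs {
    bucket  = data.terraform_remote_state.log_alb.outputs.s3_bucket_this_id
    enabled = true
    prefix  = "appfoobar-link"
  }

  # "web" admits 80/443 from the internet; "vpc" lets the ALB reach the tasks.
  security_groups = [
    data.terraform_remote_state.network_main.outputs.security_group_web_id,
    data.terraform_remote_state.network_main.outputs.security_group_vpc_id
  ]

  subnets = [
    for s in data.terraform_remote_state.network_main.outputs.subnet_public : s.id
  ]

  tags = {
    Name = "${local.name_prefix}-appfoobar-link"
  }
}

# HTTPS listener terminating TLS with the ACM certificate for the zone and
# forwarding everything to the foobar target group.
resource "aws_lb_listener" "https" {
  count = var.enable_alb ? 1 : 0

  certificate_arn   = aws_acm_certificate.root.arn
  load_balancer_arn = aws_lb.this[0].arn
  port              = "443"
  protocol          = "HTTPS"
  # TLS 1.2 only. The previous "ELBSecurityPolicy-2016-08" also negotiated
  # TLS 1.0 and 1.1; clients limited to those versions are now refused.
  ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"

  default_action {
    type = "forward"

    target_group_arn = aws_lb_target_group.foobar.arn
  }
}

# Plain HTTP is never served: port 80 answers with a permanent redirect to the
# same request on HTTPS.
resource "aws_lb_listener" "redirect_http_to_https" {
  count = var.enable_alb ? 1 : 0

  load_balancer_arn = aws_lb.this[0].arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Targets are ECS task IPs on port 80 (registered by the deploy pipeline); the
# ALB health-checks "/" over HTTP and expects a 200.
resource "aws_lb_target_group" "foobar" {
  name = "${local.name_prefix}-foobar"

  deregistration_delay = 60
  port                 = 80
  protocol             = "HTTP"
  target_type          = "ip"
  vpc_id               = data.terraform_remote_state.network_main.outputs.vpc_this_id

  health_check {
    healthy_threshold   = 2
    interval            = 30
    matcher             = 200
    path                = "/"
    port                = "traffic-port"
    protocol            = "HTTP"
    timeout             = 5
    unhealthy_threshold = 2
  }

  tags = {
    Name = "${local.name_prefix}-foobar"
  }
}
-------------------------------------------------------------------------------- /envs/prod/db/foobar/db_instance.tf: --------------------------------------------------------------------------------
// Master password for the instance. Supplied at apply time (TF_VAR_db_master_password
// or a -var-file kept out of version control) instead of being committed to
// the repository as a literal. "sensitive" keeps it out of plan/apply output;
// it is still recorded in the state file, so access to the tfstate bucket
// must stay restricted. (Requires Terraform >= 0.14, which the presence of
// .terraform.lock.hcl implies.)
variable "db_master_password" {
  type        = string
  description = "Master user password for the foobar RDS instance."
  sensitive   = true
}

// Single-AZ MySQL 8.0 instance for the foobar service, reachable only from
// members of the db_foobar security group inside the VPC.
resource "aws_db_instance" "this" {
  // Engine options
  engine         = "mysql"
  engine_version = "8.0.25"

  // Settings
  identifier = "${local.system_name}-${local.env_name}-${local.service_name}"

  // Credentials Settings
  username = local.service_name
  password = var.db_master_password

  // DB instance class
  instance_class = "db.t3.micro"

  // Storage (max_allocated_storage = 0 disables storage autoscaling)
  storage_type          = "gp2"
  allocated_storage     = 20
  max_allocated_storage = 0

  // Availability & durability
  // NOTE(review): single-AZ in prod; an AZ failure or a maintenance reboot
  // takes the database down for its duration.
  multi_az = false

  // Connectivity
  // No public endpoint; traffic stays inside the VPC and is admitted only by
  // the self-referencing db_foobar security group.
  db_subnet_group_name = data.terraform_remote_state.network_main.outputs.db_subnet_group_this_id
  publicly_accessible  = false
  vpc_security_group_ids = [
    data.terraform_remote_state.network_main.outputs.security_group_db_foobar_id,
  ]
  availability_zone = "ap-northeast-1a"
  port              = 3306

  // Database authentication
  // Password authentication only. IAM authentication would let the task use
  // short-lived tokens instead of a shared long-lived password.
  iam_database_authentication_enabled = false

  // Database options
  name                 = local.service_name
  parameter_group_name = aws_db_parameter_group.this.name
  option_group_name    = aws_db_option_group.this.name

  // Backup
  // One day of automated backups and no final snapshot on destroy: destroying
  // the instance loses everything past the last daily backup.
  backup_retention_period  = 1
  backup_window            = "17:00-18:00"
  copy_tags_to_snapshot    = true
  delete_automated_backups = true
  skip_final_snapshot      = true

  // Encryption (customer key resolved from the alias in data.tf)
  storage_encrypted = true
  kms_key_id        = data.aws_kms_alias.rds.target_key_arn

  // Performance Insights (db.t3.micro, db.t3.small are not supported)
  performance_insights_enabled = false
  # performance_insights_kms_key_id = data.aws_kms_alias.rds.target_key_arn
  # performance_insights_retention_period = 7

  // Monitoring (Enhanced Monitoring every 60s via the role in iam.tf)
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring_role.arn

  // Log exports
  // "general" ships the text of every statement to CloudWatch Logs (enabled by
  // general_log in db_parameter_group.tf); see the note there.
  enabled_cloudwatch_logs_exports = [
    "error",
    "general",
    "slowquery"
  ]

  // Maintenance
  auto_minor_version_upgrade = false
  maintenance_window         = "fri:18:00-fri:19:00"

  // Deletion protection
  // NOTE(review): off in prod, so a terraform destroy or console delete goes
  // through without a second guard; together with skip_final_snapshot = true
  // that is unrecoverable. Consider enabling.
  deletion_protection = false

  tags = {
    Name = "${local.system_name}-${local.env_name}-${local.service_name}"
  }
}
--------------------------------------------------------------------------------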
/envs/prod/app/foobar/iam.tf: --------------------------------------------------------------------------------
# Task execution role: used by the ECS agent (not the application) to pull
# images, write logs, and fetch the SSM parameters / S3 env file that feed the
# task definition.
resource "aws_iam_role" "ecs_task_execution" {
  name = "${local.name_prefix}-${local.service_name}-ecs-task-execution"

  # Trust policy: assumable by the ECS tasks service only.
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "ecs-tasks.amazonaws.com"
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    }
  )

  tags = {
    Name = "${local.name_prefix}-${local.service_name}-ecs-task-execution"
  }
}

# AWS-managed policy: ECR pull + CloudWatch Logs write for the execution role.
data "aws_iam_policy" "ecs_task_execution" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
  role       = aws_iam_role.ecs_task_execution.name
  policy_arn = data.aws_iam_policy.ecs_task_execution.arn
}

# Read access to SSM parameters under /<system>/<env>/ in this account/region.
# NOTE(review): the path covers every service of the environment, not only
# this one; if parameters are laid out per service, narrowing the prefix to
# /<system>/<env>/<service>/ would limit what this task can read. SecureString
# values under a customer-managed KMS key would additionally need kms:Decrypt.
resource "aws_iam_policy" "ssm" {
  name = "${local.name_prefix}-${local.service_name}-ssm"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "ssm:GetParameters",
            "ssm:GetParameter"
          ],
          "Resource" : "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.self.account_id}:parameter/${local.system_name}/${local.env_name}/*"
        }
      ]
    }
  )

  tags = {
    Name = "${local.name_prefix}-${local.service_name}-ssm"
  }
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_ssm" {
  role       = aws_iam_role.ecs_task_execution.name
  policy_arn = aws_iam_policy.ssm.arn
}

# Read access to the env-file bucket (aws_s3_bucket.env_file, declared in
# s3.tf of this stack): GetObject on its objects plus GetBucketLocation, which
# ECS requires to fetch environment files.
resource "aws_iam_policy" "s3_env_file" {
  name = "${local.name_prefix}-${local.service_name}-s3-env-file"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : "s3:GetObject"
          "Resource" : "${aws_s3_bucket.env_file.arn}/*"
        },
        {
          "Effect" : "Allow",
          "Action" : "s3:GetBucketLocation"
          "Resource" : aws_s3_bucket.env_file.arn
        },
      ]
    }
  )

  tags = {
    Name = "${local.name_prefix}-${local.service_name}-s3-env-file"
  }
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_s3_env_file" {
  role       = aws_iam_role.ecs_task_execution.name
  policy_arn = aws_iam_policy.s3_env_file.arn
}

# Task role: the identity the application code itself runs with. Kept separate
# from the execution role so the app does not inherit image-pull/parameter
# permissions it does not need.
resource "aws_iam_role" "ecs_task" {
  name = "${local.name_prefix}-${local.service_name}-ecs-task"

  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "ecs-tasks.amazonaws.com"
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    }
  )

  tags = {
    Name = "${local.name_prefix}-${local.service_name}-ecs-task"
  }
}

# ssmmessages permissions for ECS Exec (interactive shells into the running
# prod containers). The API has no resource-level scoping, hence "*".
# NOTE(review): anyone allowed ecs:ExecuteCommand on the service gets a shell
# in prod; keep that permission narrow on the operator side.
resource "aws_iam_role_policy" "ecs_task_ssm" {
  name = "ssm"
  role = aws_iam_role.ecs_task.id

  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel"
          ],
          "Resource" : "*"
        }
      ]
    }
  )
}
-------------------------------------------------------------------------------- /envs/prod/cicd/app_foobar/iam.tf: --------------------------------------------------------------------------------
# IAM user whose access key is held by GitHub Actions. The user itself carries
# no policies; it only assumes the deployer role below.
# NOTE(review): this is a long-lived static credential stored outside AWS.
# An OIDC trust to GitHub (aws_iam_openid_connect_provider + a role trusting
# the repository's token) would remove the key entirely.
resource "aws_iam_user" "github" {
  name = "${local.name_prefix}-${local.service_name}-github"

  tags = {
    Name = "${local.name_prefix}-${local.service_name}-github"
  }
}

# Role the pipeline assumes to build/push images, upload the env file and
# deploy the ECS service.
resource "aws_iam_role" "deployer" {
  name = "${local.name_prefix}-${local.service_name}-deployer"

  # Trust policy: only the GitHub user may assume it; sts:TagSession lets the
  # caller attach session tags.
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Principal" : {
            "AWS" : aws_iam_user.github.arn
          }
        }
      ]
    }
  )

  tags = {
    Name = "${local.name_prefix}-${local.service_name}-deployer"
  }
}

# Push/pull on ECR. NOTE(review): the managed PowerUser policy covers every
# repository in the account; the pipeline only needs the nginx and php
# repositories looked up in ecspresso.tf.
data "aws_iam_policy" "ecr_power_user" {
  arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
}

resource "aws_iam_role_policy_attachment" "role_deployer_policy_ecr_power_user" {
  role       = aws_iam_role.deployer.name
  policy_arn = data.aws_iam_policy.ecr_power_user.arn
}

# - GetObject on this stack's own tfstate key only (ecspresso reads outputs
#   from it), not the whole state bucket.
# - PutObject into the env-file bucket: the pipeline can replace the file the
#   tasks load their environment from, so whoever holds this role controls
#   the application's runtime configuration.
resource "aws_iam_role_policy" "s3" {
  name = "s3"
  role = aws_iam_role.deployer.id

  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "s3:GetObject"
          ],
          "Resource" : "arn:aws:s3:::shonansurvivors-tfstate/${local.system_name}/${local.env_name}/cicd/app_${local.service_name}_*.tfstate"
        },
        {
          "Effect" : "Allow",
          "Action" : [
            "s3:PutObject"
          ],
          "Resource" : "${data.aws_s3_bucket.env_file.arn}/*"
        },
      ]
    }
  )
}

# ECS deploy permissions. Task-definition registration has no resource-level
# scoping; iam:PassRole is restricted to the two task roles so the pipeline
# cannot register a task definition running under any other role.
resource "aws_iam_role_policy" "ecs" {
  name = "ecs"
  role = aws_iam_role.deployer.id

  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "RegisterTaskDefinition",
          "Effect" : "Allow",
          "Action" : [
            "ecs:RegisterTaskDefinition",
            "ecs:ListTaskDefinitions",
            "ecs:DescribeTaskDefinition"
          ],
          "Resource" : "*"
        },
        {
          "Sid" : "PassRolesInTaskDefinition",
          "Effect" : "Allow",
          "Action" : [
            "iam:PassRole"
          ],
          "Resource" : [
            data.aws_iam_role.ecs_task.arn,
            data.aws_iam_role.ecs_task_execution.arn,
          ]
        },
        {
          "Sid" : "DeployService",
102 | "Effect" : "Allow", 103 | "Action" : [ 104 | "ecs:UpdateService", 105 | "ecs:DescribeServices" 106 | ], 107 | "Resource" : [ 108 | data.aws_ecs_service.this.arn 109 | ] 110 | }, 111 | { 112 | "Sid" : "RunAndWaitTask", 113 | "Effect" : "Allow", 114 | "Action" : [ 115 | "ecs:RunTask", 116 | "ecs:DescribeTasks" 117 | ], 118 | "Condition" : { 119 | "ArnEquals" : { 120 | "ecs:cluster" : data.aws_ecs_cluster.this.arn 121 | } 122 | }, 123 | "Resource" : [ 124 | "arn:aws:ecs:${data.aws_region.current.id}:${data.aws_caller_identity.self.id}:task-definition/${local.name_prefix}-${local.service_name}:*", 125 | "arn:aws:ecs:${data.aws_region.current.id}:${data.aws_caller_identity.self.id}:task/*" 126 | ] 127 | }, 128 | { 129 | "Sid" : "GetLogEvents", 130 | "Effect" : "Allow", 131 | "Action" : [ 132 | "logs:GetLogEvents" 133 | ], 134 | "Resource" : [ 135 | data.aws_cloudwatch_log_group.nginx.arn, 136 | data.aws_cloudwatch_log_group.php.arn 137 | ] 138 | } 139 | ] 140 | } 141 | ) 142 | } 143 | -------------------------------------------------------------------------------- /envs/prod/app/foobar/ecs.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecs_cluster" "this" { 2 | name = "${local.name_prefix}-${local.service_name}" 3 | 4 | capacity_providers = [ 5 | "FARGATE", 6 | "FARGATE_SPOT" 7 | ] 8 | 9 | tags = { 10 | Name = "${local.name_prefix}-${local.service_name}" 11 | } 12 | } 13 | /* managed by https://github.com/shonansurvivors/laravel-fargate-app/ecspresso 14 | resource "aws_ecs_task_definition" "this" { 15 | family = "${local.name_prefix}-${local.service_name}" 16 | 17 | task_role_arn = aws_iam_role.ecs_task.arn 18 | 19 | network_mode = "awsvpc" 20 | 21 | requires_compatibilities = [ 22 | "FARGATE", 23 | ] 24 | 25 | execution_role_arn = aws_iam_role.ecs_task_execution.arn 26 | 27 | memory = "512" 28 | cpu = "256" 29 | 30 | container_definitions = jsonencode( 31 | [ 32 | { 33 | name = "nginx" 34 | image = 
"${module.nginx.ecr_repository_this_repository_url}:latest" 35 | 36 | portMappings = [ 37 | { 38 | containerPort = 80 39 | protocol = "tcp" 40 | } 41 | ] 42 | 43 | environment = [] 44 | secrets = [] 45 | 46 | dependsOn = [ 47 | { 48 | containerName = "php" 49 | condition = "START" 50 | } 51 | ] 52 | 53 | mountPoints = [ 54 | { 55 | containerPath = "/var/run/php-fpm" 56 | sourceVolume = "php-fpm-socket" 57 | } 58 | ] 59 | 60 | logConfiguration = { 61 | logDriver = "awslogs" 62 | options = { 63 | awslogs-group = "/ecs/${local.name_prefix}-${(local.service_name)}/nginx" 64 | awslogs-region = data.aws_region.current.id 65 | awslogs-stream-prefix = "ecs" 66 | } 67 | } 68 | }, 69 | { 70 | name = "php" 71 | image = "${module.php.ecr_repository_this_repository_url}:latest" 72 | 73 | portMappings = [] 74 | 75 | environment = [] 76 | secrets = [ 77 | { 78 | name = "APP_KEY" 79 | valueFrom = "/${local.system_name}/${local.env_name}/${local.service_name}/APP_KEY" 80 | } 81 | ] 82 | 83 | mountPoints = [ 84 | { 85 | containerPath = "/var/run/php-fpm" 86 | sourceVolume = "php-fpm-socket" 87 | } 88 | ] 89 | 90 | logConfiguration = { 91 | logDriver = "awslogs" 92 | options = { 93 | awslogs-group = "/ecs/${local.name_prefix}-${(local.service_name)}/php" 94 | awslogs-region = data.aws_region.current.id 95 | awslogs-stream-prefix = "ecs" 96 | } 97 | } 98 | } 99 | ] 100 | ) 101 | 102 | volume { 103 | name = "php-fpm-socket" 104 | } 105 | 106 | tags = { 107 | Name = "${local.name_prefix}-${local.service_name}" 108 | } 109 | } 110 | 111 | resource "aws_ecs_service" "this" { 112 | name = "${local.name_prefix}-${local.service_name}" 113 | 114 | cluster = aws_ecs_cluster.this.arn 115 | 116 | capacity_provider_strategy { 117 | capacity_provider = "FARGATE_SPOT" 118 | base = 0 119 | weight = 1 120 | } 121 | 122 | platform_version = "1.4.0" 123 | 124 | task_definition = aws_ecs_task_definition.this.arn 125 | 126 | desired_count = var.desired_count 127 | deployment_minimum_healthy_percent = 100 
128 | deployment_maximum_percent = 200 129 | 130 | load_balancer { 131 | container_name = "nginx" 132 | container_port = 80 133 | target_group_arn = data.terraform_remote_state.routing_appfoobar_link.outputs.lb_target_group_foobar_arn 134 | } 135 | 136 | health_check_grace_period_seconds = 60 137 | 138 | network_configuration { 139 | assign_public_ip = false 140 | security_groups = [ 141 | data.terraform_remote_state.network_main.outputs.security_group_vpc_id 142 | ] 143 | subnets = [ 144 | for s in data.terraform_remote_state.network_main.outputs.subnet_private : s.id 145 | ] 146 | } 147 | 148 | enable_execute_command = true 149 | 150 | tags = { 151 | Name = "${local.name_prefix}-${local.service_name}" 152 | } 153 | } 154 | */ 155 | --------------------------------------------------------------------------------