├── env
    └── dev
    │   ├── logs-logzio.zip
    │   ├── autoscale-time.zip
    │   ├── no-alb.tf
    │   ├── discovery.tf
    │   ├── nsg.tf
    │   ├── fargate-create.yml
    │   ├── main.tf
    │   ├── variables.tf
    │   ├── role.tf
    │   ├── cicd.tf
    │   ├── logs-logzio.tf
    │   ├── ecs.tf
    │   ├── autoscale-time.tf
    │   ├── autoscale-perf.tf
    │   └── README.md
├── base
    ├── service_discovery_zone.tf
    ├── state.tf
    ├── main.tf
    ├── variables.tf
    ├── ecr.tf
    └── README.md
├── README.md
└── LICENSE


/env/dev/logs-logzio.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/turnerlabs/terraform-ecs-fargate-service-discovery/HEAD/env/dev/logs-logzio.zip


--------------------------------------------------------------------------------
/env/dev/autoscale-time.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/turnerlabs/terraform-ecs-fargate-service-discovery/HEAD/env/dev/autoscale-time.zip


--------------------------------------------------------------------------------
/base/service_discovery_zone.tf:
--------------------------------------------------------------------------------
1 | resource "aws_service_discovery_public_dns_namespace" "fargate" {
2 |   name = "${var.app}.turnerapps.com"
3 |   description = "Fargate discovery managed zone."
4 | }
5 | 
6 | output "namespace" {
7 |   value = "${aws_service_discovery_public_dns_namespace.fargate.id}"
8 | }
9 | 


--------------------------------------------------------------------------------
/env/dev/no-alb.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group_rule" "nsg_task_ingress_rule_noalb" {
 2 |   description              = "Allow connections to tasks on port ${var.container_port}"
 3 |   type                     = "ingress"
 4 |   from_port                = "${var.container_port}"
 5 |   to_port                  = "${var.container_port}"
 6 |   protocol                 = "TCP"
 7 |   cidr_blocks = ["0.0.0.0/0"]
 8 | 
 9 |   security_group_id = "${aws_security_group.nsg_task.id}"
10 | }
11 | 


--------------------------------------------------------------------------------
/env/dev/discovery.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_service_discovery_service" "fargate" {
 2 |   name = "${var.environment}"
 3 |   dns_config {
 4 |     namespace_id = "${var.service_discovery_namespace}"
 5 |     routing_policy = "MULTIVALUE"
 6 |     dns_records {
 7 |       ttl = 10
 8 |       type = "A"
 9 |     }
10 | 
11 |     dns_records {
12 |       ttl  = 10
13 |       type = "SRV"
14 |     }
15 |   }
16 |   health_check_custom_config {
17 |     failure_threshold = 5
18 |   }
19 | }
20 | 
21 | variable "service_discovery_namespace" {}
22 | 
23 | output "discovery_dns" {
24 |   value="${var.environment}.${var.app}.turnerapps.com"
25 | }
26 | 


--------------------------------------------------------------------------------
/base/state.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * state.tf
 3 |  * Generate a remote state bucket in S3 for use with later Terraform run
 4 |  * Uses a Turner created Terrafor module; more information at:
 5 |  * https://github.com/turnerlabs/terraform-remote-state/blob/master/readme.md
 6 |  *
 7 |  * To learn more about remote state:
 8 |  * https://www.terraform.io/docs/state/remote.html
 9 |  */
10 | 
11 | # s3 bucket for tf remote state
12 | module "tf_remote_state" {
13 |   source = "github.com/turnerlabs/terraform-remote-state?ref=v2.0.0"
14 | 
15 |   role        = "${var.saml_role}"
16 |   application = "${var.app}"
17 |   tags        = "${var.tags}"
18 | }
19 | 


--------------------------------------------------------------------------------
/env/dev/nsg.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "nsg_task" {
 2 |   name        = "${var.app}-${var.environment}-task"
 3 |   description = "Limit connections from internal resources while allowing ${var.app}-${var.environment}-task to connect to all external resources"
 4 |   vpc_id      = "${var.vpc}"
 5 | 
 6 |   tags = "${var.tags}"
 7 | }
 8 | 
 9 | resource "aws_security_group_rule" "nsg_task_egress_rule" {
10 |   description = "Allows task to establish connections to all resources"
11 |   type        = "egress"
12 |   from_port   = "0"
13 |   to_port     = "0"
14 |   protocol    = "-1"
15 |   cidr_blocks = ["0.0.0.0/0"]
16 | 
17 |   security_group_id = "${aws_security_group.nsg_task.id}"
18 | }
19 | 


--------------------------------------------------------------------------------
/env/dev/fargate-create.yml:
--------------------------------------------------------------------------------
 1 | 
 2 | # this file is used by fargate-create (https://github.com/turnerlabs/fargate-create)
 3 | # if not using fargate-create, this file can be ignored/deleted
 4 | 
 5 | prompts:
 6 | 
 7 |   - question: "Would you like performance-based auto-scaling?"
 8 |     default: "yes"
 9 |     filesToDeleteIfNo:
10 |       - "autoscale-perf.tf"
11 | 
12 |   - question: "Would you like time-based auto-scaling?"
13 |     default: "yes"
14 |     filesToDeleteIfNo:
15 |       - "autoscale-time.tf"
16 | 
17 |   - question: "Would you like an IAM user that can be used for CI/CD pipelines?"
18 |     default: "no"
19 |     filesToDeleteIfNo:
20 |       - "cicd.tf"
21 | 
22 |   - question: "Would you like to ship your container logs to logz.io (requires a key)?"
23 |     default: "no"
24 |     filesToDeleteIfNo:
25 |       - "logs-logzio.tf"
26 |       - "logs-logzio.zip"
27 | 


--------------------------------------------------------------------------------
/base/main.tf:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * main.tf
 3 |  * The main entry point for Terraform run
 4 |  * See variables.tf for common variables
 5 |  * See ecr.tf for creation of Elastic Container Registry for all environments
 6 |  * See state.tf for creation of S3 bucket for remote state
 7 |  */
 8 | 
 9 | # Using the AWS Provider
10 | # https://www.terraform.io/docs/providers/
11 | provider "aws" {
12 |   region  = "${var.region}"
13 |   profile = "${var.aws_profile}"
14 | }
15 | 
16 | /*
17 |  * Outputs
18 |  * Results from a successful Terraform run (terraform apply)
19 |  * To see results after a successful run, use `terraform output [name]`
20 |  */
21 | 
22 | # Returns the name of the ECR registry, this will be used later in various scripts
23 | output "docker_registry" {
24 |   value = "${aws_ecr_repository.app.repository_url}"
25 | }
26 | 
27 | # Returns the name of the S3 bucket that will be used in later Terraform files
28 | output "bucket" {
29 |   value = "${module.tf_remote_state.bucket}"
30 | }
31 | 


--------------------------------------------------------------------------------
/env/dev/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     region  = "us-east-1"
 4 |     profile = ""
 5 |     bucket  = ""
 6 |     key     = "dev.terraform.tfstate"
 7 |   }
 8 | }
 9 | 
10 | # The AWS Profile to use
11 | variable "aws_profile" {}
12 | 
13 | provider "aws" {
14 |   region  = "${var.region}"
15 |   profile = "${var.aws_profile}"
16 | }
17 | 
18 | # output
19 | 
20 | # Command to view the status of the Fargate service
21 | output "status" {
22 |   value = "fargate service info"
23 | }
24 | 
25 | # Command to deploy a new task definition to the service using Docker Compose
26 | output "deploy" {
27 |   value = "fargate service deploy -f docker-compose.yml"
28 | }
29 | 
30 | # Command to scale up cpu and memory
31 | output "scale_up" {
32 |   value = "fargate service update -h"
33 | }
34 | 
35 | # Command to scale out the number of tasks (container replicas)
36 | output "scale_out" {
37 |   value = "fargate service scale -h"
38 | }
39 | 
40 | # Command to set the AWS_PROFILE
41 | output "aws_profile" {
42 |   value = "${var.aws_profile}"
43 | }
44 | 


--------------------------------------------------------------------------------
/base/variables.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * variables.tf
 3 |  * Common variables to use in various Terraform files (*.tf)
 4 |  */
 5 | 
 6 | # The AWS region to use for the bucket and registry; typically `us-east-1`.
 7 | # Other possible values: `us-east-2`, `us-west-1`, or `us-west-2`.
 8 | # Currently, Fargate is only available in `us-east-1`.
 9 | variable "region" {
10 |   default = "us-east-1"
11 | }
12 | 
13 | # The AWS profile to use, this would be the same value used in AWS_PROFILE.
14 | variable "aws_profile" {}
15 | 
16 | # The role that will have access to the S3 bucket, this should be a role that all
17 | # members of the team have access to.
18 | variable "saml_role" {}
19 | 
20 | # Name of the application. This value should usually match the application tag below.
21 | variable "app" {}
22 | 
23 | # A map of the tags to apply to various resources. The required tags are:
24 | # `application`, name of the app;
25 | # `environment`, the environment being created;
26 | # `team`, team responsible for the application;
27 | # `contact-email`, contact email for the _team_;
28 | # and `customer`, who the application was create for.
29 | variable "tags" {
30 |   type = "map"
31 | }
32 | 


--------------------------------------------------------------------------------
/env/dev/variables.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * variables.tf
 3 |  * Common variables to use in various Terraform files (*.tf)
 4 |  */
 5 | 
 6 |  # The AWS region to use for the dev environment's infrastructure
 7 |  # Currently, Fargate is only available in `us-east-1`.
 8 | variable "region" {
 9 |   default = "us-east-1"
10 | }
11 | 
12 | # Tags for the infrastructure
13 | variable "tags" {
14 |   type = "map"
15 | }
16 | 
17 | # The application's name
18 | variable "app" {}
19 | 
20 | # The environment that is being built
21 | variable "environment" {}
22 | 
23 | # The port the container will listen on, used for load balancer health check
24 | # Best practice is that this value is higher than 1024 so the container processes
25 | # isn't running at root.
26 | variable "container_port" {}
27 | 
28 | # The port the load balancer will listen on
29 | variable "lb_port" {
30 |   default = "80"
31 | }
32 | 
33 | # The load balancer protocol
34 | variable "lb_protocol" {
35 |   default = "HTTP"
36 | }
37 | 
38 | # Network configuration
39 | 
40 | # The VPC to use for the Fargate cluster
41 | variable "vpc" {}
42 | 
43 | # The private subnets, minimum of 2, that are a part of the VPC(s)
44 | variable "private_subnets" {}
45 | 
46 | # The public subnets, minimum of 2, that are a part of the VPC(s)
47 | variable "public_subnets" {}
48 | 


--------------------------------------------------------------------------------
/env/dev/role.tf:
--------------------------------------------------------------------------------
 1 | # The SAML role to use for adding users to the ECR policy
 2 | variable "saml_role" {}
 3 | 
 4 | # creates an application role that the container/task runs as
 5 | resource "aws_iam_role" "app_role" {
 6 |   name               = "${var.app}-${var.environment}"
 7 |   assume_role_policy = "${data.aws_iam_policy_document.app_role_assume_role_policy.json}"
 8 | }
 9 | 
10 | # assigns the app policy
11 | resource "aws_iam_role_policy" "app_policy" {
12 |   name   = "${var.app}-${var.environment}"
13 |   role   = "${aws_iam_role.app_role.id}"
14 |   policy = "${data.aws_iam_policy_document.app_policy.json}"
15 | }
16 | 
17 | # TODO: fill out custom policy
18 | data "aws_iam_policy_document" "app_policy" {
19 |   statement {
20 |     actions = [
21 |       "ecs:DescribeClusters",
22 |     ]
23 | 
24 |     resources = [
25 |       "${aws_ecs_cluster.app.arn}",
26 |     ]
27 |   }
28 | }
29 | 
30 | data "aws_caller_identity" "current" {}
31 | 
32 | # allow role to be assumed by ecs and local saml users (for development)
33 | data "aws_iam_policy_document" "app_role_assume_role_policy" {
34 |   statement {
35 |     actions = ["sts:AssumeRole"]
36 | 
37 |     principals {
38 |       type        = "Service"
39 |       identifiers = ["ecs-tasks.amazonaws.com"]
40 |     }
41 | 
42 |     principals {
43 |       type = "AWS"
44 | 
45 |       identifiers = [
46 |         "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${var.saml_role}/me@example.com",
47 |       ]
48 |     }
49 |   }
50 | }
51 | 


--------------------------------------------------------------------------------
/base/ecr.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * ecr.tf
 3 |  * Creates a Amazon Elastic Container Registry (ECR) for the application
 4 |  * https://aws.amazon.com/ecr/
 5 |  */
 6 | 
 7 | # create an ECR repo at the app/image level
 8 | resource "aws_ecr_repository" "app" {
 9 |   name = "${var.app}"
10 | }
11 | 
12 | data "aws_caller_identity" "current" {}
13 | 
14 | # grant access to saml users
15 | resource "aws_ecr_repository_policy" "app" {
16 |   repository = "${aws_ecr_repository.app.name}"
17 |   policy     = "${data.aws_iam_policy_document.ecr.json}"
18 | }
19 | 
20 | data "aws_iam_policy_document" "ecr" {
21 |   statement {
22 |     actions = [
23 |       "ecr:GetDownloadUrlForLayer",
24 |       "ecr:BatchGetImage",
25 |       "ecr:BatchCheckLayerAvailability",
26 |       "ecr:PutImage",
27 |       "ecr:InitiateLayerUpload",
28 |       "ecr:UploadLayerPart",
29 |       "ecr:CompleteLayerUpload",
30 |       "ecr:DescribeRepositories",
31 |       "ecr:GetRepositoryPolicy",
32 |       "ecr:ListImages",
33 |       "ecr:DescribeImages",
34 |       "ecr:DeleteRepository",
35 |       "ecr:BatchDeleteImage",
36 |       "ecr:SetRepositoryPolicy",
37 |       "ecr:DeleteRepositoryPolicy",
38 |       "ecr:GetLifecyclePolicy",
39 |       "ecr:PutLifecyclePolicy",
40 |       "ecr:DeleteLifecyclePolicy",
41 |       "ecr:GetLifecyclePolicyPreview",
42 |       "ecr:StartLifecyclePolicyPreview",
43 |     ]
44 | 
45 |     principals {
46 |       type = "AWS"
47 | 
48 |       # Add the saml roles for every member on the "team"
49 |       identifiers = [
50 |         "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${var.saml_role}/me@example.com",
51 |       ]
52 |     }
53 |   }
54 | }
55 | 


--------------------------------------------------------------------------------
/env/dev/cicd.tf:
--------------------------------------------------------------------------------
 1 | # create ci/cd user with access keys (for build system)
 2 | resource "aws_iam_user" "cicd" {
 3 |   name = "srv_${var.app}_${var.environment}_cicd"
 4 | }
 5 | 
 6 | resource "aws_iam_access_key" "cicd_keys" {
 7 |   user = "${aws_iam_user.cicd.name}"
 8 | }
 9 | 
10 | # grant required permissions to deploy
11 | data "aws_iam_policy_document" "cicd_policy" {
12 |   # allows user to push/pull to the registry
13 |   statement {
14 |     sid = "ecr"
15 | 
16 |     actions = [
17 |       "ecr:GetDownloadUrlForLayer",
18 |       "ecr:BatchGetImage",
19 |       "ecr:BatchCheckLayerAvailability",
20 |       "ecr:PutImage",
21 |       "ecr:InitiateLayerUpload",
22 |       "ecr:UploadLayerPart",
23 |       "ecr:CompleteLayerUpload",
24 |     ]
25 | 
26 |     resources = [
27 |       "${data.aws_ecr_repository.ecr.arn}",
28 |     ]
29 |   }
30 | 
31 |   # allows user to deploy to ecs
32 |   statement {
33 |     sid = "ecs"
34 | 
35 |     actions = [
36 |       "ecr:GetAuthorizationToken",
37 |       "ecs:DescribeServices",
38 |       "ecs:DescribeTaskDefinition",
39 |       "ecs:UpdateService",
40 |       "ecs:RegisterTaskDefinition",
41 |     ]
42 | 
43 |     resources = [
44 |       "*",
45 |     ]
46 |   }
47 | 
48 |   # allows user to run ecs task using task execution and app roles
49 |   statement {
50 |     sid = "approle"
51 | 
52 |     actions = [
53 |       "iam:PassRole",
54 |     ]
55 | 
56 |     resources = [
57 |       "${aws_iam_role.app_role.arn}",
58 |       "${aws_iam_role.ecsTaskExecutionRole.arn}",
59 |     ]
60 |   }
61 | }
62 | 
63 | resource "aws_iam_user_policy" "cicd_user_policy" {
64 |   name   = "${var.app}_${var.environment}_cicd"
65 |   user   = "${aws_iam_user.cicd.name}"
66 |   policy = "${data.aws_iam_policy_document.cicd_policy.json}"
67 | }
68 | 
69 | data "aws_ecr_repository" "ecr" {
70 |   name = "${var.app}"
71 | }
72 | 
73 | # The AWS keys for the CICD user to use in a build system
74 | output "cicd_keys" {
75 |   value = "terraform state show aws_iam_access_key.cicd_keys"
76 | }
77 | 
78 | # The URL for the docker image repo in ECR
79 | output "docker_registry" {
80 |   value = "${data.aws_ecr_repository.ecr.repository_url}"
81 | }


--------------------------------------------------------------------------------
/base/README.md:
--------------------------------------------------------------------------------
 1 | # Base Terraform
 2 | 
 3 | Creates the foundational infrastructure for the application's infrastructure.
 4 | These Terraform files will create a [remote state][state] and a [registry][ecr].
 5 | Most other infrastructure pieces will be created within the `environments` directory.
 6 | 
 7 | 
 8 | ## Included Files
 9 | 
10 | + `main.tf`  
11 | The main entry point for the Terraform run.
12 | 
13 | + `variables.tf`  
14 | Common variables to use in various Terraform files.
15 | 
16 | + `state.tf`  
17 | Generate a [remote state][state] bucket in S3 for use with later Terraform runs.
18 | 
19 | + `ecr.tf`  
20 | Creates an AWS [Elastic Container Registry (ECR)][ecr] for the application.
21 | 
22 | 
23 | ## Usage
24 | 
25 | Typically, the base Terraform will only need to be run once, and then should only
26 | need changes very infrequently.
27 | 
28 | ```
29 | # Sets up Terraform to run
30 | $ terraform init
31 | 
32 | # Executes the Terraform run
33 | $ terraform apply
34 | ```
35 | 
36 | 
37 | ## Variables
38 | 
39 | | Name | Description | Type | Default | Required |
40 | |------|-------------|:----:|:-----:|:-----:|
41 | | app | Name of the application. This value should usually match the application tag below. | string |  | yes |
42 | | aws_profile | The AWS profile to use, this would be the same value used in AWS_PROFILE. | string |  | yes |
43 | | region | The AWS region to use for the bucket and registry; typically `us-east-1`. Other possible values: `us-east-2`, `us-west-1`, or `us-west-2`. <br>Currently, Fargate is only available in `us-east-1`. | string | `us-east-1` | yes |
44 | | saml_role | The role that will have access to the S3 bucket, this should be a role that all members of the team have access to. | string |  | yes |
45 | | tags | A map of the tags to apply to various resources. The required tags are: <br>+ `application`, name of the app <br>+ `environment`, the environment being created <br>+ `team`, team responsible for the application <br>+ `contact-email`, contact email for the _team_ <br>+ `customer`, who the application was create for | map | `<map>` | yes |
46 | 
47 | 
48 | ## Outputs
49 | 
50 | | Name | Description |
51 | |------|-------------|
52 | | bucket | Returns the name of the S3 bucket that will be used in later Terraform files |
53 | | docker_registry | Returns the name of the ECR registry, this will be used later in various scripts |
54 | 
55 | 
56 | ## Additional Information
57 | 
58 | + [Terraform remote state][state]
59 | 
60 | + [Terraform providers][provider]
61 | 
62 | + [AWS ECR][ecr]
63 | 
64 | 
65 | 
66 | [state]: https://www.terraform.io/docs/state/remote.html
67 | [provider]: https://www.terraform.io/docs/providers/
68 | [ecr]: https://aws.amazon.com/ecr/
69 | 


--------------------------------------------------------------------------------
/env/dev/logs-logzio.tf:
--------------------------------------------------------------------------------
 1 | # The auth token to use for sending logs to Logz.io
 2 | variable "logz_token" {}
 3 | 
 4 | # The endpoint to use for sending logs to Logz.io
 5 | variable "logz_url" {
 6 |   default = "https://listener.logz.io:8071"
 7 | }
 8 | 
 9 | resource "aws_iam_role" "iam_for_lambda_logz" {
10 |   name = "${var.app}-${var.environment}-logz-role"
11 | 
12 |   assume_role_policy = <<EOF
13 | {
14 |   "Version": "2012-10-17",
15 |   "Statement": [
16 |     {
17 |       "Action": "sts:AssumeRole",
18 |       "Principal": {
19 |         "Service": "lambda.amazonaws.com"
20 |       },
21 |       "Effect": "Allow",
22 |       "Sid": ""
23 |     }
24 |   ]
25 | }
26 | EOF
27 | }
28 | 
29 | resource "aws_iam_role_policy" "lambda_policy_logs_logz" {
30 |   name = "${var.app}-${var.environment}-logz-role"
31 |   role = "${aws_iam_role.iam_for_lambda_logz.id}"
32 | 
33 |   policy = <<EOF
34 | {
35 |   "Version": "2012-10-17",
36 |   "Statement": [
37 |     {
38 |       "Effect": "Allow",
39 |       "Action": [
40 |         "logs:CreateLogGroup",
41 |         "logs:CreateLogStream",
42 |         "logs:PutLogEvents"
43 |       ],
44 |       "Resource": [
45 |         "*"
46 |       ]
47 |     }
48 |   ]
49 | }
50 | EOF
51 | }
52 | 
53 | #function code from logzio: https://github.com/logzio/cloudwatch-logs-shipper-lambda
54 | resource "aws_lambda_function" "lambda_logz" {
55 |   function_name    = "${var.app}-${var.environment}-logz"
56 |   description      = "Sends Cloudwatch logs to logz."
57 |   runtime          = "python2.7"
58 |   timeout          = 60
59 |   memory_size      = 512
60 |   role             = "${aws_iam_role.iam_for_lambda_logz.arn}"
61 |   handler          = "lambda_function.lambda_handler"
62 |   filename         = "logs-logzio.zip"
63 |   source_code_hash = "${base64sha256(file("logs-logzio.zip"))}"
64 | 
65 |   tags = "${var.tags}"
66 | 
67 |   environment {
68 |     variables = {
69 |       TOKEN = "${var.logz_token}"
70 |       URL   = "${var.logz_url}"
71 |       TYPE  = "elb"
72 |     }
73 |   }
74 | }
75 | 
76 | resource "aws_lambda_permission" "allow_cloudwatch" {
77 |   statement_id  = "${var.app}-${var.environment}-logz"
78 |   action        = "lambda:InvokeFunction"
79 |   function_name = "${aws_lambda_function.lambda_logz.arn}"
80 |   principal     = "logs.${var.region}.amazonaws.com"
81 |   source_arn    = "${aws_cloudwatch_log_group.logs.arn}"
82 | }
83 | 
84 | resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_lambda_subscription" {
85 |   depends_on      = ["aws_lambda_permission.allow_cloudwatch"]
86 |   name            = "${var.app}-${var.environment}-logz"
87 |   log_group_name  = "${aws_cloudwatch_log_group.logs.name}"
88 |   filter_pattern  = ""
89 |   destination_arn = "${aws_lambda_function.lambda_logz.arn}"
90 | }
91 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Terraform ECS Fargate
 2 | 
 3 | A set of Terraform templates used for provisioning web application stacks on [AWS ECS Fargate][fargate].
 4 | 
 5 | The templates are designed to be customized.  The optional components can be removed by simply deleting the `.tf` file.
 6 | 
 7 | The templates are used for managing infrastructure concerns and, as such, the templates deploy a [default backend docker image](env/dev/ecs.tf#L26).  We recommend using the [fargate CLI](https://github.com/turnerlabs/fargate) for managing application concerns like deploying your actual application images and environment variables on top of this infrastructure.  The fargate CLI can be used to deploy applications from your laptop or in CI/CD pipelines.
 8 | 
 9 | ## Components
10 | 
11 | ### base
12 | 
13 | These components are shared by all environments.
14 | 
15 | | Name | Description | Optional |
16 | |------|-------------|:---:|
17 | | [main.tf][bm] | AWS provider, output |  |
18 | | [state.tf][bs] | S3 bucket backend for storing Terraform remote state  |  |
19 | | [ecr.tf][be] | ECR repository for application (all environments share)  |  ||
20 | 
21 | 
22 | ### env/dev
23 | 
24 | These components are for a specific environment. There should be a corresponding directory for each environment
25 | that is needed.
26 | 
27 | | Name | Description | Optional |
28 | |------|-------------|:----:|
29 | | [main.tf][edm] | Terrform remote state, AWS provider, output |  |
30 | | [ecs.tf][ede] | ECS Cluster, Service, Task Definition, ecsTaskExecutionRole, CloudWatch Log Group |  |
31 | | [lb.tf][edl] | ALB, Target Group, S3 bucket for access logs  |  |
32 | | [nsg.tf][edn] | NSG for ALB and Task |  |
33 | | [lb-http.tf][edlhttp] | HTTP listener, NSG rule. Delete if HTTPS only | Yes |
34 | | [lb-https.tf][edlhttps] | HTTPS listener, NSG rule. Delete if HTTP only | Yes |
35 | | [dashboard.tf][edd] | CloudWatch dashboard: CPU, memory, and HTTP-related metrics | Yes |
36 | | [role.tf][edr] | Application Role for container | Yes |
37 | | [cicd.tf][edc] | IAM user that can be used by CI/CD systems | Yes |
38 | | [autoscale-perf.tf][edap] | Performance-based auto scaling | Yes |
39 | | [autoscale-time.tf][edat] | Time-based auto scaling | Yes |
40 | | [logs-logzio.tf][edll] | Ship container logs to logz.io | Yes |
41 | 
42 | 
43 | ## Usage
44 | 
45 | Typically, the base Terraform will only need to be run once, and then should only
46 | need changes very infrequently. After the base is built, each environment can be built.
47 | 
48 | ```
49 | # Move into the base directory
50 | $ cd base
51 | 
52 | # Sets up Terraform to run
53 | $ terraform init
54 | 
55 | # Executes the Terraform run
56 | $ terraform apply
57 | 
58 | # Now, move into the dev environment
59 | $ cd ../env/dev
60 | 
61 | # Sets up Terraform to run
62 | $ terraform init
63 | 
64 | # Executes the Terraform run
65 | $ terraform apply
66 | ```
67 | 
68 | 
69 | ## Additional Information
70 | 
71 | + [Base README][base]
72 | 
73 | + [Environment `dev` README][env-dev]
74 | 
75 | 
76 | 
77 | [fargate]: https://aws.amazon.com/fargate/
78 | [bm]: ./base/main.tf
79 | [bs]: ./base/state.tf
80 | [be]: ./base/ecr.tf
81 | [edm]: ./env/dev/main.tf
82 | [ede]: ./env/dev/ecs.tf
83 | [edl]: ./env/dev/lb.tf
84 | [edn]: ./env/dev/nsg.tf
85 | [edlhttp]: ./env/dev/lb-http.tf
86 | [edlhttps]: ./env/dev/lb-https.tf
87 | [edd]: ./env/dev/dashboard.tf
88 | [edr]: ./env/dev/role.tf
89 | [edc]: ./env/dev/cicd.tf
90 | [edap]: ./env/dev/autoscale-perf.tf
91 | [edat]: ./env/dev/autoscale-time.tf
92 | [edll]: ./env/dev/logs-logzio.tf
93 | [base]: ./base/README.md
94 | [env-dev]: ./env/dev/README.md
95 | 


--------------------------------------------------------------------------------
/env/dev/ecs.tf:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Elastic Container Service (ecs)
  3 |  * This component is required to create the Fargate ECS service. It will create a Fargate cluster
  4 |  * based on the application name and enironment. It will create a "Task Definition", which is required
  5 |  * to run a Docker container, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html.
  6 |  * Next it creates a ECS Service, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html
  7 |  * It attaches the Load Balancer created in `lb.tf` to the service, and sets up the networking required.
  8 |  * It also creates a role with the correct permissions. And lastly, ensures that logs are captured in CloudWatch.
  9 |  *
 10 |  * When building for the first time, it will install a "default backend", which is a simple web service that just
 11 |  * responds with a HTTP 200 OK. It's important to uncomment the lines noted below after you have successfully
 12 |  * migrated the real application containers to the task definition.
 13 |  */
 14 | 
 15 |  # How many containers to run
 16 | variable "replicas" {
 17 |   default = "1"
 18 | }
 19 | 
 20 | # The name of the container to run
 21 | variable "container_name" {
 22 |   default = "app"
 23 | }
 24 | 
 25 | resource "aws_ecs_cluster" "app" {
 26 |   name = "${var.app}-${var.environment}"
 27 | }
 28 | 
 29 | # The default docker image to deploy with the infrastructure.
 30 | # Note that you can use the fargate CLI for application concerns
 31 | # like deploying actual application images and environment variables
 32 | # on top of the infrastructure provisioned by this template
 33 | # https://github.com/turnerlabs/fargate
 34 | # note that the source for the turner default backend image is here:
 35 | # https://github.com/turnerlabs/turner-defaultbackend
 36 | variable "default_backend_image" {
 37 |   default = "quay.io/turner/turner-defaultbackend:0.2.0"
 38 | }
 39 | 
 40 | resource "aws_ecs_task_definition" "app" {
 41 |   family                   = "${var.app}-${var.environment}"
 42 |   requires_compatibilities = ["FARGATE"]
 43 |   network_mode             = "awsvpc"
 44 |   cpu                      = "256"
 45 |   memory                   = "512"
 46 |   execution_role_arn       = "${aws_iam_role.ecsTaskExecutionRole.arn}"
 47 | 
 48 |   # defined in role.tf
 49 |   task_role_arn = "${aws_iam_role.app_role.arn}"
 50 | 
 51 |   container_definitions = <<DEFINITION
 52 | [
 53 |   {
 54 |     "name": "${var.container_name}",
 55 |     "image": "${var.default_backend_image}",
 56 |     "essential": true,
 57 |     "portMappings": [
 58 |       {
 59 |         "protocol": "tcp",
 60 |         "containerPort": ${var.container_port},
 61 |         "hostPort": ${var.container_port}
 62 |       }
 63 |     ],
 64 |     "environment": [
 65 |       {
 66 |         "name": "PORT",
 67 |         "value": "${var.container_port}"
 68 |       },
 69 |       {
 70 |         "name": "ENABLE_LOGGING",
 71 |         "value": "false"
 72 |       },
 73 |       {
 74 |         "name": "PRODUCT",
 75 |         "value": "${var.app}"
 76 |       },
 77 |       {
 78 |         "name": "ENVIRONMENT",
 79 |         "value": "${var.environment}"
 80 |       }
 81 |     ],
 82 |     "logConfiguration": {
 83 |       "logDriver": "awslogs",
 84 |       "options": {
 85 |         "awslogs-group": "/fargate/service/${var.app}-${var.environment}",
 86 |         "awslogs-region": "us-east-1",
 87 |         "awslogs-stream-prefix": "ecs"
 88 |       }
 89 |     }
 90 |   }
 91 | ]
 92 | DEFINITION
 93 | }
 94 | 
 95 | resource "aws_ecs_service" "app" {
 96 |   name            = "${var.app}-${var.environment}"
 97 |   cluster         = "${aws_ecs_cluster.app.id}"
 98 |   launch_type     = "FARGATE"
 99 |   task_definition = "${aws_ecs_task_definition.app.arn}"
100 |   desired_count   = "${var.replicas}"
101 | 
102 |   network_configuration {
103 |     security_groups = ["${aws_security_group.nsg_task.id}"]
104 |     subnets         = ["${split(",", var.private_subnets)}"]
105 |   }
106 | 
107 |   service_registries {
108 |     registry_arn = "${aws_service_discovery_service.fargate.arn}"
109 |     port = "${var.container_port}"
110 |   }
111 | 
112 |   # [after initial apply] don't override changes made to task_definition
113 |   # from outside of terrraform (i.e.; fargate cli)
114 |   lifecycle {
115 |     ignore_changes = ["task_definition"]
116 |   }
117 | }
118 | 
119 | # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
120 | resource "aws_iam_role" "ecsTaskExecutionRole" {
121 |   name               = "${var.app}-${var.environment}-ecs"
122 |   assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
123 | }
124 | 
125 | data "aws_iam_policy_document" "assume_role_policy" {
126 |   statement {
127 |     actions = ["sts:AssumeRole"]
128 | 
129 |     principals {
130 |       type        = "Service"
131 |       identifiers = ["ecs-tasks.amazonaws.com"]
132 |     }
133 |   }
134 | }
135 | 
136 | resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
137 |   role       = "${aws_iam_role.ecsTaskExecutionRole.name}"
138 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
139 | }
140 | 
141 | resource "aws_cloudwatch_log_group" "logs" {
142 |   name              = "/fargate/service/${var.app}-${var.environment}"
143 |   retention_in_days = "14"
144 |   tags              = "${var.tags}"
145 | }
146 | 


--------------------------------------------------------------------------------
/env/dev/autoscale-time.tf:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Will create a lambda that will scale the service to specified values at predetermined times.
  3 |  * This could be used to turn off a service durning non-business hours,
  4 |  * or to just lower/increase it based on known timelines
  5 |  * The source code for this lambda function can be found https://github.com/turnerlabs/fargate-autoscale-time
  6 |  */
  7 | 
  8 | # The number of containers to scale up to
  9 | variable "scale_up_count" {
 10 |   default = "1"
 11 | }
 12 | 
 13 | # The number of containers to scale down to
 14 | variable "scale_down_count" {
 15 |   default = "0"
 16 | }
 17 | 
 18 | # Default scale up at 7 am weekdays, this is UTC so it doesn't adjust to daylight savings
 19 | # https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html
 20 | variable "scale_up_cron" {
 21 |   default = "cron(0 11 ? * MON-FRI *)"
 22 | }
 23 | 
 24 | # Default scale down at 7 pm every day
 25 | variable "scale_down_cron" {
 26 |   default = "cron(0 23 * * ? *)"
 27 | }
 28 | 
 29 | # An endpoint that will receive scale up/down notifications
 30 | variable "slack_webhook" {
 31 |   default = ""
 32 | }
 33 | 
 34 | resource "aws_iam_role" "iam_for_lambda" {
 35 |   name = "${var.app}-${var.environment}-lambdarole"
 36 | 
 37 |   assume_role_policy = <<EOF
 38 | {
 39 |   "Version": "2012-10-17",
 40 |   "Statement": [
 41 |     {
 42 |       "Action": "sts:AssumeRole",
 43 |       "Principal": {
 44 |         "Service": "lambda.amazonaws.com"
 45 |       },
 46 |       "Effect": "Allow",
 47 |       "Sid": ""
 48 |     }
 49 |   ]
 50 | }
 51 | EOF
 52 | }
 53 | 
 54 | resource "aws_iam_role_policy" "lambda_policy_logs" {
 55 |   name = "${var.app}-${var.environment}-lambdapolicy"
 56 |   role = "${aws_iam_role.iam_for_lambda.id}"
 57 | 
 58 |   policy = <<EOF
 59 | {
 60 |   "Version": "2012-10-17",
 61 |   "Statement": [
 62 |     {
 63 |       "Effect": "Allow",
 64 |       "Action": [
 65 |         "logs:CreateLogGroup",
 66 |         "logs:CreateLogStream",
 67 |         "logs:PutLogEvents"
 68 |       ],
 69 |       "Resource": [
 70 |         "*"
 71 |       ]
 72 |     },
 73 |     {
 74 |       "Effect": "Allow",
 75 |       "Action": [
 76 |         "ecs:UpdateService"
 77 |       ],
 78 |       "Resource": [
 79 |         "*"
 80 |       ]
 81 |     }
 82 | 
 83 |   ]
 84 | }
 85 | EOF
 86 | }
 87 | 
 88 | resource "aws_lambda_function" "lambda_scaledown" {
 89 |   function_name    = "${var.app}-${var.environment}-fargate-scale-down"
 90 |   description      = "Scales down a Fargate service"
 91 |   runtime          = "nodejs6.10"
 92 |   timeout          = 30
 93 |   memory_size      = 128
 94 |   role             = "${aws_iam_role.iam_for_lambda.arn}"
 95 |   handler          = "scale.handler"
 96 |   filename         = "autoscale-time.zip"
 97 |   source_code_hash = "${base64sha256(file("autoscale-time.zip"))}"
 98 | 
 99 |   tags = "${var.tags}"
100 | 
101 |   environment {
102 |     variables = {
103 |       scale_to      = "${var.scale_down_count}"
104 |       cluster       = "${aws_ecs_cluster.app.name}"
105 |       service       = "${aws_ecs_service.app.name}"
106 |       slack_webhook = "${var.slack_webhook}"
107 |     }
108 |   }
109 | }
110 | 
111 | resource "aws_cloudwatch_event_rule" "lambdascaledown_schedule" {
112 |   name                = "${var.app}-${var.environment}-fargate-scale-down"
113 |   description         = "Calls lambda on a schedule"
114 |   schedule_expression = "${var.scale_down_cron}"
115 | }
116 | 
117 | resource "aws_cloudwatch_event_target" "call_lambdascaledown_schedule" {
118 |   rule = "${aws_cloudwatch_event_rule.lambdascaledown_schedule.name}"
119 |   arn  = "${aws_lambda_function.lambda_scaledown.arn}"
120 | }
121 | 
122 | resource "aws_lambda_permission" "allow_cloudwatch_to_call_scaledown" {
123 |   statement_id  = "AllowExecutionFromCloudWatch"
124 |   action        = "lambda:InvokeFunction"
125 |   function_name = "${aws_lambda_function.lambda_scaledown.function_name}"
126 |   principal     = "events.amazonaws.com"
127 |   source_arn    = "${aws_cloudwatch_event_rule.lambdascaledown_schedule.arn}"
128 | }
129 | 
130 | resource "aws_lambda_function" "lambda_scaleup" {
131 |   function_name    = "${var.app}-${var.environment}-fargate-scale-up"
132 |   description      = "Scales up a Fargate service"
133 |   runtime          = "nodejs6.10"
134 |   timeout          = 30
135 |   memory_size      = 128
136 |   role             = "${aws_iam_role.iam_for_lambda.arn}"
137 |   handler          = "scale.handler"
138 |   filename         = "autoscale-time.zip"
139 |   source_code_hash = "${base64sha256(file("autoscale-time.zip"))}"
140 | 
141 |   tags = "${var.tags}"
142 | 
143 |   environment {
144 |     variables = {
145 |       scale_to      = "${var.scale_up_count}"
146 |       cluster       = "${aws_ecs_cluster.app.name}"
147 |       service       = "${aws_ecs_service.app.name}"
148 |       slack_webhook = "${var.slack_webhook}"
149 |     }
150 |   }
151 | }
152 | 
153 | resource "aws_cloudwatch_event_rule" "lambdascaleup_schedule" {
154 |   name                = "${var.app}-${var.environment}-fargate-scale-up"
155 |   description         = "Calls lambda on a schedule"
156 |   schedule_expression = "${var.scale_up_cron}"
157 | }
158 | 
159 | resource "aws_cloudwatch_event_target" "call_scaleup_schedule" {
160 |   rule = "${aws_cloudwatch_event_rule.lambdascaleup_schedule.name}"
161 |   arn  = "${aws_lambda_function.lambda_scaleup.arn}"
162 | }
163 | 
164 | resource "aws_lambda_permission" "allow_cloudwatch_to_call_scaleup" {
165 |   statement_id  = "AllowExecutionFromCloudWatch"
166 |   action        = "lambda:InvokeFunction"
167 |   function_name = "${aws_lambda_function.lambda_scaleup.function_name}"
168 |   principal     = "events.amazonaws.com"
169 |   source_arn    = "${aws_cloudwatch_event_rule.lambdascaleup_schedule.arn}"
170 | }
171 | 


--------------------------------------------------------------------------------
/env/dev/autoscale-perf.tf:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * This module sets up CPU-based autoscaling.  The number of containers
  3 |  * is kept strictly within the range you specify.  Within that range,
  4 |  * the number is gradually increased or decreased to keep CPU utilization
  5 |  * within its own range.  If your app is CPU-bound, the number of
  6 |  * instances will autoscale with your traffic.
  7 |  *
  8 |  * The adjustments are gradual.  If you expect a sudden surge of
  9 |  * traffic for a scheduled event (such as sporting events or elections),
 10 |  * set the `ecs_autoscale_min_instances` variable to a higher number.
 11 |  * `ecs_autoscale_max_instances` might also need to be increased, because
 12 |  * it should never be below ecs_autoscale_min_instances.
 13 |  *
 14 |  * To effectively disable autoscaling, set `ecs_autoscale_min_instances`
 15 |  * and `ecs_autoscale_max_instances` to the same number (your desired
 16 |  * number of containers).
 17 |  *
 18 |  * Note the default value of `ecs_autoscale_min_instances` is 1.  For
 19 |  * production, consider using a higher number.
 20 |  *
 21 |  * There should be a [considerable gap](https://en.wikipedia.org/wiki/Deadband) between
 22 |  * `ecs_as_cpu_low_threshold_per` and
 23 |  * `ecs_as_cpu_high_threshold_per` so that the number of
 24 |  * containers is not continually being autoscaled up and down.   If
 25 |  * `ecs_autoscale_min_instances==1`, then
 26 |  * `ecs_as_cpu_high_threshold_per` should be more than
 27 |  * twice ecs_as_cpu_low_threshold_per`.
 28 |  *
 29 |  * In the CloudWatch section of the AWS Console, you will often see the
 30 |  * alarms created by this module in an ALARM state, which are displayed in
 31 |  * red.  This is normal and does not indicate a problem.
 32 |  * On the page listing all the alarms, click the checkbox labelled
 33 |  * "Hide all AutoScaling alarms".
 34 |  *
 35 |  */
 36 | 
 37 | // If the average CPU utilization over a minute drops to this threshold,
 38 | // the number of containers will be reduced (but not below ecs_autoscale_min_instances).
 39 | variable "ecs_as_cpu_low_threshold_per" {
 40 |   default = "20"
 41 | }
 42 | 
 43 | // If the average CPU utilization over a minute rises to this threshold,
 44 | // the number of containers will be increased (but not above ecs_autoscale_max_instances).
 45 | variable "ecs_as_cpu_high_threshold_per" {
 46 |   default = "80"
 47 | }
 48 | 
 49 | // The minimum number of containers that should be running.
 50 | // Must be at least 1.
 51 | // For production, consider using at least "2".
 52 | variable "ecs_autoscale_min_instances" {
 53 |   default = "1"
 54 | }
 55 | 
 56 | // The maximum number of containers that should be running.
 57 | variable "ecs_autoscale_max_instances" {
 58 |   default = "8"
 59 | }
 60 | 
 61 | resource "aws_cloudwatch_metric_alarm" "cpu_utilization_high" {
 62 |   alarm_name          = "${var.app}-${var.environment}-CPU-Utilization-High-${var.ecs_as_cpu_high_threshold_per}"
 63 |   comparison_operator = "GreaterThanOrEqualToThreshold"
 64 |   evaluation_periods  = "1"
 65 |   metric_name         = "CPUUtilization"
 66 |   namespace           = "AWS/ECS"
 67 |   period              = "60"
 68 |   statistic           = "Average"
 69 |   threshold           = "${var.ecs_as_cpu_high_threshold_per}"
 70 | 
 71 |   dimensions {
 72 |     ClusterName = "${aws_ecs_cluster.app.name}"
 73 |     ServiceName = "${aws_ecs_service.app.name}"
 74 |   }
 75 | 
 76 |   alarm_actions = ["${aws_appautoscaling_policy.app_up.arn}"]
 77 | }
 78 | 
 79 | resource "aws_cloudwatch_metric_alarm" "cpu_utilization_low" {
 80 |   alarm_name          = "${var.app}-${var.environment}-CPU-Utilization-Low-${var.ecs_as_cpu_low_threshold_per}"
 81 |   comparison_operator = "LessThanThreshold"
 82 |   evaluation_periods  = "1"
 83 |   metric_name         = "CPUUtilization"
 84 |   namespace           = "AWS/ECS"
 85 |   period              = "60"
 86 |   statistic           = "Average"
 87 |   threshold           = "${var.ecs_as_cpu_low_threshold_per}"
 88 | 
 89 |   dimensions {
 90 |     ClusterName = "${aws_ecs_cluster.app.name}"
 91 |     ServiceName = "${aws_ecs_service.app.name}"
 92 |   }
 93 | 
 94 |   alarm_actions = ["${aws_appautoscaling_policy.app_down.arn}"]
 95 | }
 96 | 
 97 | resource "aws_appautoscaling_target" "app_scale_target" {
 98 |   service_namespace  = "ecs"
 99 |   resource_id        = "service/${aws_ecs_cluster.app.name}/${aws_ecs_service.app.name}"
100 |   scalable_dimension = "ecs:service:DesiredCount"
101 |   max_capacity       = "${var.ecs_autoscale_max_instances}"
102 |   min_capacity       = "${var.ecs_autoscale_min_instances}"
103 | }
104 | 
105 | resource "aws_appautoscaling_policy" "app_up" {
106 |   name               = "app-scale-up"
107 |   service_namespace  = "ecs"
108 |   resource_id        = "service/${aws_ecs_cluster.app.name}/${aws_ecs_service.app.name}"
109 |   scalable_dimension = "ecs:service:DesiredCount"
110 | 
111 |   step_scaling_policy_configuration {
112 |     adjustment_type         = "ChangeInCapacity"
113 |     cooldown                = 60
114 |     metric_aggregation_type = "Average"
115 | 
116 |     step_adjustment {
117 |       metric_interval_lower_bound = 0
118 |       scaling_adjustment          = 1
119 |     }
120 |   }
121 | 
122 |   depends_on = [
123 |     "aws_appautoscaling_target.app_scale_target",
124 |   ]
125 | }
126 | 
127 | resource "aws_appautoscaling_policy" "app_down" {
128 |   name               = "app-scale-down"
129 |   service_namespace  = "ecs"
130 |   resource_id        = "service/${aws_ecs_cluster.app.name}/${aws_ecs_service.app.name}"
131 |   scalable_dimension = "ecs:service:DesiredCount"
132 | 
133 |   step_scaling_policy_configuration {
134 |     adjustment_type         = "ChangeInCapacity"
135 |     cooldown                = 300
136 |     metric_aggregation_type = "Average"
137 | 
138 |     step_adjustment {
139 |       metric_interval_upper_bound = 0
140 |       scaling_adjustment          = -1
141 |     }
142 |   }
143 | 
144 |   depends_on = [
145 |     "aws_appautoscaling_target.app_scale_target",
146 |   ]
147 | }
148 | 


--------------------------------------------------------------------------------
/env/dev/README.md:
--------------------------------------------------------------------------------
  1 | # Environment Dev Terraform
  2 | 
  3 | Creates the dev environment's infrastructure. These templates are designed to be customized.  
  4 | The optional components can be removed by simply deleting the `.tf` file.
  5 | 
  6 | 
  7 | ## Components
  8 | 
  9 | | Name | Description | Optional |
 10 | |------|-------------|:----:|
 11 | | [main.tf][edm] | Terrform remote state, AWS provider, output |  |
 12 | | [ecs.tf][ede] | ECS Cluster, Service, Task Definition, ecsTaskExecutionRole, CloudWatch Log Group |  |
 13 | | [lb.tf][edl] | ALB, Target Group, S3 bucket for access logs  |  |
 14 | | [nsg.tf][edn] | NSG for ALB and Task |  |
 15 | | [lb-http.tf][edlhttp] | HTTP listener, NSG rule. Delete if HTTPS only | Yes |
 16 | | [lb-https.tf][edlhttps] | HTTPS listener, NSG rule. Delete if HTTP only | Yes |
 17 | | [dashboard.tf][edd] | CloudWatch dashboard: CPU, memory, and HTTP-related metrics | Yes |
 18 | | [role.tf][edr] | Application Role for container | Yes |
 19 | | [cicd.tf][edc] | IAM user that can be used by CI/CD systems | Yes |
 20 | | [autoscale-perf.tf][edap] | Performance-based auto scaling | Yes |
 21 | | [autoscale-time.tf][edat] | Time-based auto scaling | Yes |
 22 | | [logs-logzio.tf][edll] | Ship container logs to logz.io | Yes |
 23 | 
 24 | 
 25 | ## Usage
 26 | 
 27 | ```
 28 | # Sets up Terraform to run
 29 | $ terraform init
 30 | 
 31 | # Executes the Terraform run
 32 | $ terraform apply
 33 | ```
 34 | 
 35 | 
 36 | ## Inputs
 37 | 
 38 | | Name | Description | Type | Default | Required |
 39 | |------|-------------|:----:|:-----:|:-----:|
 40 | | app | The application's name | string | - | yes |
 41 | | aws_profile | The AWS Profile to use | string | - | yes |
 42 | | certificate_arn | The ARN for the SSL certificate | string | - | yes |
 43 | | container_name | The name of the container to run | string | `app` | no |
 44 | | container_port | The port the container will listen on, used for load balancer health check Best practice is that this value is higher than 1024 so the container processes isn't running at root. | string | - | yes |
 45 | | default_backend_image | The default docker image to deploy with the infrastructure. Note that you can use the fargate CLI for application concerns like deploying actual application images and environment variables on top of the infrastructure provisioned by this template https://github.com/turnerlabs/fargate note that the source for the turner default backend image is here: https://github.com/turnerlabs/turner-defaultbackend | string | `quay.io/turner/turner-defaultbackend:0.2.0` | no |
 46 | | deregistration_delay | The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused | string | `30` | no |
 47 | | ecs_as_cpu_high_threshold_per | If the average CPU utilization over a minute rises to this threshold, the number of containers will be increased (but not above ecs_autoscale_max_instances). | string | `80` | no |
 48 | | ecs_as_cpu_low_threshold_per | If the average CPU utilization over a minute drops to this threshold, the number of containers will be reduced (but not below ecs_autoscale_min_instances). | string | `20` | no |
 49 | | ecs_autoscale_max_instances | The maximum number of containers that should be running. | string | `8` | no |
 50 | | ecs_autoscale_min_instances | The minimum number of containers that should be running. Must be at least 1. For production, consider using at least "2". | string | `1` | no |
 51 | | environment | The environment that is being built | string | - | yes |
 52 | | health_check | The path to the health check for the load balancer to know if the container(s) are ready | string | - | yes |
 53 | | health_check_interval | How often to check the liveliness of the container | string | `30` | no |
 54 | | health_check_matcher | What HTTP response code to listen for | string | `200` | no |
 55 | | health_check_timeout | How long to wait for the response on the health check path | string | `10` | no |
 56 | | https_port | The port to listen on for HTTPS, always use 443 | string | `443` | no |
 57 | | internal | Whether the application is available on the public internet, also will determine which subnets will be used (public or private) | string | `true` | no |
 58 | | lb_port | The port the load balancer will listen on | string | `80` | no |
 59 | | lb_protocol | The load balancer protocol | string | `HTTP` | no |
 60 | | logz_token | The auth token to use for sending logs to Logz.io | string | - | yes |
 61 | | logz_url | The endpoint to use for sending logs to Logz.io | string | `https://listener.logz.io:8071` | no |
 62 | | private_subnets | The private subnets, minimum of 2, that are a part of the VPC(s) | string | - | yes |
 63 | | public_subnets | The public subnets, minimum of 2, that are a part of the VPC(s) | string | - | yes |
 64 | | region | The AWS region to use for the dev environment's infrastructure Currently, Fargate is only available in `us-east-1`. | string | `us-east-1` | no |
 65 | | replicas | How many containers to run | string | `1` | no |
 66 | | saml_role | The SAML role to use | string | - | yes |
 67 | | scale_down_count | The number of containers to scale down to | string | `0` | no |
 68 | | scale_down_cron | Default scale down at 7 pm every day | string | `cron(0 23 * * ? *)` | no |
 69 | | scale_up_count | The number of containers to scale up to | string | `1` | no |
 70 | | scale_up_cron | Default scale up at 7 am weekdays, this is UTC so it doesn't adjust to daylight savings https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html | string | `cron(0 11 ? * MON-FRI *)` | no |
 71 | | slack_webhook | An endpoint that will receive scale up/down notifications | string | `` | no |
 72 | | tags | Tags for the infrastructure | map | - | yes |
 73 | | vpc | The VPC to use for the Fargate cluster | string | - | yes |
 74 | 
 75 | ## Outputs
 76 | 
 77 | | Name | Description |
 78 | |------|-------------|
 79 | | aws_profile | Command to set the AWS_PROFILE |
 80 | | cicd_keys | The AWS keys for the CICD user to use in a build system |
 81 | | deploy | Command to deploy a new task definition to the service using Docker Compose |
 82 | | docker_registry | The URL for the docker image repo in ECR |
 83 | | lb_dns | The load balancer DNS name |
 84 | | scale_out | Command to scale out the number of tasks (container replicas) |
 85 | | scale_up | Command to scale up cpu and memory |
 86 | | status | Command to view the status of the Fargate service |
 87 | 
 88 | 
 89 | 
 90 | [edm]: main.tf
 91 | [ede]: ecs.tf
 92 | [edl]: lb.tf
 93 | [edn]: nsg.tf
 94 | [edlhttp]: lb-http.tf
 95 | [edlhttps]: lb-https.tf
 96 | [edd]: dashboard.tf
 97 | [edr]: role.tf
 98 | [edc]: cicd.tf
 99 | [edap]: autoscale-perf.tf
100 | [edat]: autoscale-time.tf
101 | [edll]: logs-logzio.tf
102 | [alb-docs]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html
103 | [up]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html
104 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright 2016 Turner Broadcasting System, Inc.
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.


--------------------------------------------------------------------------------