
# Specify the provider and access details
# Only the region is configured here. No access keys appear in this file,
# so the provider has to obtain credentials from outside the configuration.
provider "aws" {
  region = "${var.aws_region}"
}
     5  
     6  ## EC2
     7  
     8  ### Network
     9  
# All availability zones of the selected region. aws_subnet.main indexes
# names[count.index], so var.az_count presumably must not exceed the number
# of zones returned — confirm for the chosen region.
data "aws_availability_zones" "available" {}
    11  
# One /16 VPC for the whole example; aws_subnet.main carves /24 subnets out
# of it with cidrsubnet(..., 8, ...). No VPC flow logs are declared, so this
# example has no network-level audit trail.
resource "aws_vpc" "main" {
  cidr_block = "10.10.0.0/16"
}
    15  
# One subnet per availability zone (var.az_count of them). Each gets its own
# /24 (8 new bits on the /16) and the Nth zone name. Public addressing is
# not enabled on the subnet itself; the launch configuration requests a
# public IP per instance instead.
resource "aws_subnet" "main" {
  count             = "${var.az_count}"
  cidr_block        = "${cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)}"
  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
  vpc_id            = "${aws_vpc.main.id}"
}
    22  
# Internet gateway for the VPC. aws_route_table.r sends the default route
# through it, which is what makes the subnets below public.
resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.main.id}"
}
    26  
# Route table with a single default route (0.0.0.0/0) to the internet
# gateway. Every subnet associated with it is therefore publicly routable;
# there is no private subnet tier in this example.
resource "aws_route_table" "r" {
  vpc_id = "${aws_vpc.main.id}"

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.gw.id}"
  }
}
    35  
# Attach the public route table to each of the var.az_count subnets;
# element() selects the subnet whose index matches this association.
resource "aws_route_table_association" "a" {
  count          = "${var.az_count}"
  subnet_id      = "${element(aws_subnet.main.*.id, count.index)}"
  route_table_id = "${aws_route_table.r.id}"
}
    41  
    42  ### Compute
    43  
# Auto Scaling group for the ECS container instances, spread across every
# subnet created above. Size bounds come from variables; the launch
# configuration supplies the AMI, instance profile and user data. The group
# name is a fixed literal rather than derived from a variable.
resource "aws_autoscaling_group" "app" {
  name                 = "tf-test-asg"
  vpc_zone_identifier  = ["${aws_subnet.main.*.id}"]
  min_size             = "${var.asg_min}"
  max_size             = "${var.asg_max}"
  desired_capacity     = "${var.asg_desired}"
  launch_configuration = "${aws_launch_configuration.app.name}"
}
    52  
# Renders cloud-config.yml (not shown here) into the instance user data.
# ecs_agent_version is "latest", an unpinned moving tag: what the instance
# actually runs depends on how cloud-config.yml consumes the value and on
# the agent release current at boot time — pin it if reproducible hosts
# matter. The remaining vars are passed through to the template as-is.
data "template_file" "cloud_config" {
  template = "${file("${path.module}/cloud-config.yml")}"

  vars {
    aws_region         = "${var.aws_region}"
    ecs_cluster_name   = "${aws_ecs_cluster.main.name}"
    ecs_log_level      = "info"
    ecs_agent_version  = "latest"
    ecs_log_group_name = "${aws_cloudwatch_log_group.ecs.name}"
  }
}
    64  
# Most recent CoreOS stable x86_64 HVM image. The owners constraint pins the
# lookup to the CoreOS publishing account, so an image from any other
# account whose description happens to match "CoreOS stable *" is never
# selected — keep that constraint. Because most_recent = true, the resolved
# image_id moves whenever a new stable release appears, which presumably
# rolls the launch configuration on the next apply; there is no explicit
# version pin here.
data "aws_ami" "stable_coreos" {
  most_recent = true

  filter {
    name   = "description"
    values = ["CoreOS stable *"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["595879546273"] # CoreOS
}
    85  
# Launch configuration for the container instances.
# - security_groups: only instance_sg, which admits SSH from the admin CIDR
#   and port 8080 from the load balancer security group.
# - associate_public_ip_address = true: every instance receives a public
#   address, so instance_sg's rules are the effective perimeter for the
#   hosts.
# - image_id is the AMI resolved above; user_data is the rendered
#   cloud-config; iam_instance_profile carries the instance role.
# - create_before_destroy: the ASG references this resource by name, so a
#   replacement must exist before the old one is removed.
resource "aws_launch_configuration" "app" {
  security_groups = [
    "${aws_security_group.instance_sg.id}",
  ]

  key_name                    = "${var.key_name}"
  image_id                    = "${data.aws_ami.stable_coreos.id}"
  instance_type               = "${var.instance_type}"
  iam_instance_profile        = "${aws_iam_instance_profile.app.name}"
  user_data                   = "${data.template_file.cloud_config.rendered}"
  associate_public_ip_address = true

  lifecycle {
    create_before_destroy = true
  }
}
   102  
   103  ### Security
   104  
# Security group for the application load balancer.
# Ingress: TCP 80 from anywhere — intended, this is the public entry point.
# Egress: all protocols and ports to anywhere. The only traffic the balancer
# needs to originate is to the instances on 8080 (see instance_sg), but
# restricting egress to instance_sg inside this block would create a
# reference cycle, because instance_sg already references this group; a
# standalone aws_security_group_rule would be needed to tighten it.
resource "aws_security_group" "lb_sg" {
  description = "controls access to the application ELB"

  vpc_id = "${aws_vpc.main.id}"
  name   = "tf-ecs-lbsg"

  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"

    cidr_blocks = [
      "0.0.0.0/0",
    ]
  }
}
   128  
# Security group for the container instances.
# - TCP 22 only from var.admin_cidr_ingress. The hosts carry public IPs, so
#   this variable is the SSH perimeter; keep it as narrow as possible (a
#   value of 0.0.0.0/0 would make SSH reachable from the whole internet).
# - TCP 8080 only from lb_sg, by group reference rather than CIDR, so the
#   application port is reachable exclusively through the load balancer.
# - Egress is unrestricted (presumably needed for image pulls and the
#   ECS/CloudWatch endpoints); it is not scoped any further here.
resource "aws_security_group" "instance_sg" {
  description = "controls direct access to application instances"
  vpc_id      = "${aws_vpc.main.id}"
  name        = "tf-ecs-instsg"

  ingress {
    protocol  = "tcp"
    from_port = 22
    to_port   = 22

    cidr_blocks = [
      "${var.admin_cidr_ingress}",
    ]
  }

  ingress {
    protocol  = "tcp"
    from_port = 8080
    to_port   = 8080

    security_groups = [
      "${aws_security_group.lb_sg.id}",
    ]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
   161  
   162  ## ECS
   163  
# ECS cluster that the service runs in; its name is also handed to the
# instances through data.template_file.cloud_config so they join it.
resource "aws_ecs_cluster" "main" {
  name = "terraform_example_ecs_cluster"
}
   167  
# Renders task-definition.json (not shown here) with the container image,
# container name and CloudWatch log destination. image_url is "ghost:latest",
# a mutable tag from the default registry, so each new task launch may pull
# a different image than the previous one. For a reproducible, reviewable
# deployment pin a specific version tag or an image digest instead.
data "template_file" "task_definition" {
  template = "${file("${path.module}/task-definition.json")}"

  vars {
    image_url        = "ghost:latest"
    container_name   = "ghost"
    log_group_region = "${var.aws_region}"
    log_group_name   = "${aws_cloudwatch_log_group.app.name}"
  }
}
   178  
# Task definition whose container_definitions are the rendered template
# above. The host port mapping lives in task-definition.json (not visible
# here); it must agree with the 8080 rule in instance_sg and with the
# container_port 2368 given in aws_ecs_service.test — TODO confirm.
resource "aws_ecs_task_definition" "ghost" {
  family                = "tf_example_ghost_td"
  container_definitions = "${data.template_file.task_definition.rendered}"
}
   183  
# ECS service running one copy of the ghost task, registered into the ALB
# target group on container port 2368. iam_role is the service role defined
# under ## IAM. The depends_on entries make sure the role's policy is
# attached and the target group is bound to a listener before the service
# first tries to register targets (presumably why the explicit ordering is
# needed; Terraform cannot infer it from the attribute references alone).
resource "aws_ecs_service" "test" {
  name            = "tf-example-ecs-ghost"
  cluster         = "${aws_ecs_cluster.main.id}"
  task_definition = "${aws_ecs_task_definition.ghost.arn}"
  desired_count   = 1
  iam_role        = "${aws_iam_role.ecs_service.name}"

  load_balancer {
    target_group_arn = "${aws_alb_target_group.test.id}"
    container_name   = "ghost"
    container_port   = "2368"
  }

  depends_on = [
    "aws_iam_role_policy.ecs_service",
    "aws_alb_listener.front_end",
  ]
}
   202  
   203  ## IAM
   204  
# Role assumed by the ECS service principal (ecs.amazonaws.com) so the
# service can manage load-balancer registrations. The trust policy is
# written with the older "2008-10-17" policy language version, unlike the
# "2012-10-17" used by every other document in this file; worth aligning
# for consistency.
resource "aws_iam_role" "ecs_service" {
  name = "tf_example_ecs_role"

  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
   224  
# Inline policy for the ECS service role: describe EC2/ELB state and
# register/deregister instances and targets. Resource is "*", so the role
# may (de)register targets on any load balancer or target group in the
# account, not only aws_alb_target_group.test. The Describe* actions
# presumably cannot be resource-scoped, but the Register*/Deregister*
# actions could be narrowed to this example's target group ARN where the
# service supports it — worth tightening outside of an example.
resource "aws_iam_role_policy" "ecs_service" {
  name = "tf_example_ecs_policy"
  role = "${aws_iam_role.ecs_service.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
   249  
# Instance profile attached to the launch configuration; it wraps the
# app_instance role so every container instance inherits that role's
# permissions (defined by aws_iam_role_policy.instance below).
resource "aws_iam_instance_profile" "app" {
  name  = "tf-ecs-instprofile"
  roles = ["${aws_iam_role.app_instance.name}"]
}
   254  
# Role for the EC2 container instances themselves; the trust policy lets
# only the EC2 service principal assume it. What the role can actually do
# is defined by aws_iam_role_policy.instance, not here.
resource "aws_iam_role" "app_instance" {
  name = "tf-ecs-example-instance-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
   274  
# Renders instance-profile-policy.json (not shown here) for the instance
# role. Only the two log group ARNs are substituted, which suggests the
# policy scopes log writes to those groups; the full set of actions it
# grants cannot be reviewed from this file — check the JSON template.
data "template_file" "instance_profile" {
  template = "${file("${path.module}/instance-profile-policy.json")}"

  vars {
    app_log_group_arn = "${aws_cloudwatch_log_group.app.arn}"
    ecs_log_group_arn = "${aws_cloudwatch_log_group.ecs.arn}"
  }
}
   283  
# Inline policy for the container instance role, taken verbatim from the
# rendered instance-profile template above.
resource "aws_iam_role_policy" "instance" {
  name   = "TfEcsExampleInstanceRole"
  role   = "${aws_iam_role.app_instance.name}"
  policy = "${data.template_file.instance_profile.rendered}"
}
   289  
   290  ## ALB
   291  
# Target group the service registers its tasks into. port = 80 here is
# only the default for targets registered without an explicit port; ECS
# presumably registers each task with the host port from the task
# definition (the 8080 admitted by instance_sg), so 80 is not what the
# instances listen on — confirm against task-definition.json. No health
# check is customised, so the provider's default applies.
resource "aws_alb_target_group" "test" {
  name     = "tf-example-ecs-ghost"
  port     = 80
  protocol = "HTTP"
  vpc_id   = "${aws_vpc.main.id}"
}
   298  
# The application load balancer, placed in every public subnet and guarded
# by lb_sg. No `internal` attribute is set, so this is expected to be an
# internet-facing balancer. No access logging is configured, so requests
# hitting the balancer are not recorded anywhere in this example.
resource "aws_alb" "main" {
  name            = "tf-example-alb-ecs"
  subnets         = ["${aws_subnet.main.*.id}"]
  security_groups = ["${aws_security_group.lb_sg.id}"]
}
   304  
# Single listener: plain HTTP on port 80, forwarding everything to the
# target group. Client traffic to the balancer is unencrypted; an HTTPS
# listener would need a certificate that this example does not provide.
resource "aws_alb_listener" "front_end" {
  load_balancer_arn = "${aws_alb.main.id}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    target_group_arn = "${aws_alb_target_group.test.id}"
    type             = "forward"
  }
}
   315  
   316  ## CloudWatch Logs
   317  
# Log group for the ECS agent on each instance (its name is passed into
# cloud-config). No retention_in_days is set, so events fall under the
# provider's default retention (presumably kept indefinitely); set it
# explicitly to match the retention your incident-response process needs.
resource "aws_cloudwatch_log_group" "ecs" {
  name = "tf-ecs-group/ecs-agent"
}
   321  
# Log group for the ghost container (its name is passed into the task
# definition template). Like the ecs group above, no retention_in_days is
# set, so the provider's default retention applies (presumably indefinite);
# set it explicitly so application logs are kept for a deliberate period.
resource "aws_cloudwatch_log_group" "app" {
  name = "tf-ecs-group/app-ghost"
}