From 44813bb6d5fc0de6810fea1769a18028ce31ed43 Mon Sep 17 00:00:00 2001
From: Radon Rosborough
Date: Sun, 4 Jul 2021 04:25:02 +0000
Subject: [PATCH] Split up Terraform
---
tf/acm.tf | 13 ++
tf/alb.tf | 47 +++++++
tf/asg.tf | 115 +++++++++++++++++
tf/ecr.tf | 4 +
tf/iam.tf | 72 +++++++++++
tf/infra.tf | 336 --------------------------------------------------
tf/main.tf | 51 ++++++++
tf/outputs.tf | 12 ++
tf/s3.tf | 17 +++
9 files changed, 331 insertions(+), 336 deletions(-)
create mode 100644 tf/acm.tf
create mode 100644 tf/alb.tf
create mode 100644 tf/asg.tf
create mode 100644 tf/ecr.tf
create mode 100644 tf/iam.tf
delete mode 100644 tf/infra.tf
create mode 100644 tf/main.tf
create mode 100644 tf/outputs.tf
create mode 100644 tf/s3.tf
diff --git a/tf/acm.tf b/tf/acm.tf
new file mode 100644
index 0000000..ef4e7fa
--- /dev/null
+++ b/tf/acm.tf
@@ -0,0 +1,13 @@
+resource "aws_acm_certificate" "riju" {
+ domain_name = "riju.codes"
+ subject_alternative_names = ["*.riju.codes"]
+ validation_method = "DNS"
+
+ tags = {
+ Name = "Riju server"
+ }
+}
+
+resource "aws_acm_certificate_validation" "riju" {
+ certificate_arn = aws_acm_certificate.riju.arn
+}
diff --git a/tf/alb.tf b/tf/alb.tf
new file mode 100644
index 0000000..b8a271b
--- /dev/null
+++ b/tf/alb.tf
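Review bot: `aws_acm_certificate.riju` has no `lifecycle { create_before_destroy = true }`, so any attribute change that forces replacement (editing the domain set, for instance) destroys the issued certificate before the new one exists and is validated, which is the one setting the AWS provider documents as needed for safe ACM certificate replacement; adding the three-line `lifecycle` block inside the resource is the fix. `aws_acm_certificate_validation.riju` also passes no `validation_record_fqdns`, which means it simply waits for the certificate to reach ISSUED and relies on the DNS validation CNAMEs being created outside this configuration (nothing in the patch manages DNS). A comment above the validation resource naming where those records are created, e.g. `# DNS validation records are managed outside Terraform; apply blocks until they resolve`, would save the next person an apply that waits until timeout.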
@@ -0,0 +1,47 @@
+resource "aws_security_group" "alb" {
+ name = "riju-alb"
+ description = "Security group for Riju application load balancer"
+
+ ingress {
+ description = "HTTP"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "HTTPS"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_lb" "server" {
+ name = "riju-server"
+ security_groups = [aws_security_group.alb.id]
+ subnets = data.aws_subnet_ids.default.ids
+}
+
+resource "aws_lb_target_group" "server_http" {
+ name = "riju-server-http"
+ port = 80
+ protocol = "HTTP"
+ vpc_id = data.aws_vpc.default.id
+}
+
+resource "aws_lb_target_group" "server_https" {
+ name = "riju-server-https"
+ port = 443
+ protocol = "HTTPS"
+ vpc_id = data.aws_vpc.default.id
+}
diff --git a/tf/asg.tf b/tf/asg.tf
new file mode 100644
index 0000000..3e98b93
--- /dev/null
+++ b/tf/asg.tf
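Review bot: `aws_lb.server` is given a security group and subnets, but no `aws_lb_listener` appears in this file or in any of the other eight files in the patch, so as far as the diff shows the load balancer accepts no traffic and the certificate declared in acm.tf is never attached to anything; if listeners are managed outside tf/, a comment on the `aws_lb` block saying so would stop a reader from looking for them. Opening 80 and 443 to `0.0.0.0/0` on the ALB group is expected for a public load balancer, but the `aws_lb` resource does not set `drop_invalid_header_fields = true`, so malformed headers are forwarded to the instances as-is. Both target groups also rely on the provider's default health check; an explicit `health_check { path = "/" }` (or whichever path the server actually serves) and a comment on why `server_https` terminates TLS on the instance rather than at the ALB would make the intent visible before the ASG in asg.tf registers real instances against them.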
@@ -0,0 +1,115 @@
+data "aws_ami" "server" {
+ count = local.ami_available ? 1 : 0
+
+ owners = ["self"]
+
+ filter {
+ name = "name"
+ values = [data.external.env.result.AMI_NAME]
+ }
+}
+
+resource "aws_security_group" "server" {
+ name = "riju-server"
+ description = "Security group for Riju server"
+
+ ingress {
+ description = "SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "HTTP"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "HTTPS"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_launch_template" "server" {
+ count = local.ami_available ? 1 : 0
+
+ name = "riju-server"
+ image_id = data.aws_ami.server[0].id
+ instance_type = "t3.small"
+ security_group_names = [aws_security_group.server.name]
+
+ update_default_version = true
+
+ block_device_mappings {
+ device_name = "/dev/sdh"
+ ebs {
+ volume_type = "gp3"
+ volume_size = 125
+ }
+ }
+
+ tags = {
+ Name = "Riju server"
+ }
+
+ tag_specifications {
+ resource_type = "instance"
+ tags = {
+ Name = "Riju server"
+ }
+ }
+}
+
+resource "aws_autoscaling_group" "server" {
+ count = local.ami_available ? 1 : 0
+
+ name = "riju-server"
+
+ availability_zones = [
+ for subnet in data.aws_subnet.default : subnet.availability_zone
+ ]
+ desired_capacity = 1
+ min_size = 1
+ max_size = 3
+
+ launch_template {
+ id = aws_launch_template.server[0].id
+ }
+
+ target_group_arns = [
+ aws_lb_target_group.server_http.arn,
+ aws_lb_target_group.server_https.arn,
+ ]
+
+ tags = concat(
+ [
+ {
+ key = "Name"
+ value = "Riju server"
+ propagate_at_launch = false
+ }
+ ],
+ [
+ for key, value in local.tags : {
+ key = key,
+ value = value,
+ propagate_at_launch = true,
+ }
+ ],
+ )
+}
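Review bot: `aws_security_group.server` admits SSH, HTTP and HTTPS from `0.0.0.0/0` straight to the instances, so the ALB declared in alb.tf can be bypassed and its own security group isolates nothing; the 80/443 ingress rules should reference the ALB group with `security_groups = [aws_security_group.alb.id]` instead of a CIDR, and the port-22 rule should be narrowed to an operator range or removed in favour of SSM Session Manager. In `aws_launch_template.server` the 125 GB gp3 volume is created without `encrypted = true`, and with no `metadata_options` block the instances keep IMDSv1 enabled, so any instance-profile credentials attached later are readable without a session token; `http_tokens = "required"` closes that. `security_group_names` resolves here only because everything sits in the default VPC, and `vpc_security_group_ids` would survive a later move to a dedicated VPC. The rewritten ingress blocks and the launch-template additions are below; the SSH rule is left for the operator to narrow.
```hcl
resource "aws_security_group" "server" {
  # … unchanged: name, description, SSH ingress (narrow its cidr_blocks to ["<ADMIN_CIDR>"] or remove it) …

  ingress {
    description     = "HTTP from the ALB only"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  ingress {
    description     = "HTTPS from the ALB only"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # … unchanged: egress …
}

resource "aws_launch_template" "server" {
  # … unchanged: count, name, image_id, instance_type, security_group_names, update_default_version …

  # Require IMDSv2 so instance-profile credentials cannot be read with a plain GET.
  metadata_options {
    http_tokens = "required"
  }

  block_device_mappings {
    device_name = "/dev/sdh"
    ebs {
      volume_type = "gp3"
      volume_size = 125
      encrypted   = true
    }
  }

  # … unchanged: tags, tag_specifications …
}
```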
diff --git a/tf/ecr.tf b/tf/ecr.tf
new file mode 100644
index 0000000..9202998
--- /dev/null
+++ b/tf/ecr.tf
@@ -0,0 +1,4 @@
+resource "aws_ecr_repository" "riju" {
+ name = "riju"
+ image_tag_mutability = "IMMUTABLE"
+}
diff --git a/tf/iam.tf b/tf/iam.tf
new file mode 100644
index 0000000..acd8066
--- /dev/null
+++ b/tf/iam.tf
@@ -0,0 +1,72 @@
+resource "aws_iam_user" "deploy" {
+ name = "riju-deploy"
+}
+
+resource "aws_iam_access_key" "deploy" {
+ user = aws_iam_user.deploy.name
+}
+
+data "aws_iam_policy_document" "deploy" {
+ statement {
+ actions = [
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.riju.bucket}",
+ ]
+ }
+
+ statement {
+ actions = [
+ "s3:*Object",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.riju.bucket}/*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "deploy" {
+ name = "riju-deploy"
+ description = "Role used by CI to deploy Riju"
+ policy = data.aws_iam_policy_document.deploy.json
+}
+
+resource "aws_iam_user_policy_attachment" "deploy" {
+ user = aws_iam_user.deploy.name
+ policy_arn = aws_iam_policy.deploy.arn
+}
+
+data "aws_iam_policy_document" "riju" {
+ statement {
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.riju.bucket}",
+ ]
+ }
+
+ statement {
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "s3:GetObject",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.riju.bucket}/*",
+ ]
+ }
+}
diff --git a/tf/infra.tf b/tf/infra.tf
deleted file mode 100644
index b76b5ce..0000000
--- a/tf/infra.tf
+++ /dev/null
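Review bot: `aws_ecr_repository.riju` pins tag immutability but enables no image scanning, so images the deploy pipeline pushes are never checked against known-vulnerability data; adding `image_scanning_configuration { scan_on_push = true }` inside the block is a three-line change that does not affect pushes or pulls. A one-line comment on why `IMMUTABLE` was chosen (presumably every build pushes a fresh tag, so nothing needs to overwrite) would also help the next reader understand what the deploy side must do.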
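Review bot: `data.aws_iam_policy_document.riju` grants `s3:ListBucket` and `s3:GetObject` to every principal (`type = "*"`, `identifiers = ["*"]`), while s3.tf attaches that document as the bucket policy and, on the same bucket, sets `block_public_policy = true` and `restrict_public_buckets = true`. As I understand the public access block semantics, S3 rejects a PutBucketPolicy that would make the bucket public once `block_public_policy` is on, and `restrict_public_buckets` ignores such a policy for anonymous callers if it was attached earlier; nothing orders `aws_s3_bucket_policy.riju` relative to `aws_s3_bucket_public_access_block.riju`, so the apply is either racy or the policy is dead. If anonymous read is intended, the access block should be relaxed deliberately and the `ListBucket` statement dropped, since it lets anyone enumerate every key; if it is not intended, the two `*` statements are the defect and the scoped `deploy` policy above already covers the CI path. A comment above the data source stating which case applies, e.g. `# Public read is intentional: this bucket serves static assets`, would settle it for the next reviewer.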
@@ -1,336 +0,0 @@
-terraform {
- backend "s3" {
- key = "state"
- region = "us-west-1"
- }
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.45"
- }
- null = {
- source = "hashicorp/null"
- version = "~> 3.1"
- }
- }
-}
-
-data "external" "env" {
- program = ["jq", "-n", "env"]
-}
-
-locals {
- tags = {
- Terraform = "Managed by Terraform"
- BillingCategory = "Riju"
- }
-
- ami_available = lookup(data.external.env.result, "AMI_NAME", "") != "" ? true : false
-}
-
-provider "aws" {
- region = "us-west-1"
- default_tags {
- tags = local.tags
- }
-}
-
-data "aws_region" "current" {}
-
-data "aws_vpc" "default" {
- default = true
-}
-
-data "aws_subnet_ids" "default" {
- vpc_id = data.aws_vpc.default.id
-}
-
-data "aws_subnet" "default" {
- for_each = data.aws_subnet_ids.default.ids
- id = each.value
-}
-
-resource "aws_iam_user" "deploy" {
- name = "riju-deploy"
-}
-
-resource "aws_iam_access_key" "deploy" {
- user = aws_iam_user.deploy.name
-}
-
-data "aws_iam_policy_document" "deploy" {
- statement {
- actions = [
- "s3:ListBucket",
- ]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.riju.bucket}",
- ]
- }
-
- statement {
- actions = [
- "s3:*Object",
- ]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.riju.bucket}/*",
- ]
- }
-}
-
-resource "aws_iam_policy" "deploy" {
- name = "riju-deploy"
- description = "Role used by CI to deploy Riju"
- policy = data.aws_iam_policy_document.deploy.json
-}
-
-resource "aws_iam_user_policy_attachment" "deploy" {
- user = aws_iam_user.deploy.name
- policy_arn = aws_iam_policy.deploy.arn
-}
-
-data "aws_iam_policy_document" "riju" {
- statement {
- principals {
- type = "*"
- identifiers = ["*"]
- }
-
- actions = [
- "s3:ListBucket",
- ]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.riju.bucket}",
- ]
- }
-
- statement {
- principals {
- type = "*"
- identifiers = ["*"]
- }
-
- actions = [
- "s3:GetObject",
- ]
-
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.riju.bucket}/*",
- ]
- }
-}
-
-resource "aws_acm_certificate" "riju" {
- domain_name = "riju.codes"
- subject_alternative_names = ["*.riju.codes"]
- validation_method = "DNS"
-
- tags = {
- Name = "Riju server"
- }
-}
-
-resource "aws_acm_certificate_validation" "riju" {
- certificate_arn = aws_acm_certificate.riju.arn
-}
-
-resource "aws_s3_bucket" "riju" {
- bucket = data.external.env.result.S3_BUCKET
-}
-
-resource "aws_s3_bucket_public_access_block" "riju" {
- bucket = aws_s3_bucket.riju.id
-
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_policy" "riju" {
- bucket = aws_s3_bucket.riju.id
- policy = data.aws_iam_policy_document.riju.json
-}
-
-resource "aws_ecr_repository" "riju" {
- name = "riju"
- image_tag_mutability = "IMMUTABLE"
-}
-
-data "aws_ami" "server" {
- count = local.ami_available ? 1 : 0
-
- owners = ["self"]
-
- filter {
- name = "name"
- values = [data.external.env.result.AMI_NAME]
- }
-}
-
-resource "aws_security_group" "server" {
- name = "riju-server"
- description = "Security group for Riju server"
-
- ingress {
- description = "SSH"
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- description = "HTTP"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- description = "HTTPS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_security_group" "alb" {
- name = "riju-alb"
- description = "Security group for Riju application load balancer"
-
- ingress {
- description = "HTTP"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- description = "HTTPS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_launch_template" "server" {
- count = local.ami_available ? 1 : 0
-
- name = "riju-server"
- image_id = data.aws_ami.server[0].id
- instance_type = "t3.small"
- security_group_names = [aws_security_group.server.name]
-
- block_device_mappings {
- device_name = "/dev/sdh"
- ebs {
- volume_type = "gp3"
- volume_size = 125
- }
- }
-
- tags = {
- Name = "Riju server"
- }
-
- tag_specifications {
- resource_type = "instance"
- tags = {
- Name = "Riju server"
- }
- }
-}
-
-resource "aws_autoscaling_group" "server" {
- count = local.ami_available ? 1 : 0
-
- name = "riju-server"
-
- availability_zones = [
- for subnet in data.aws_subnet.default : subnet.availability_zone
- ]
- desired_capacity = 0
- min_size = 0
- max_size = 3
-
- launch_template {
- id = aws_launch_template.server[0].id
- }
-
- target_group_arns = [
- aws_lb_target_group.server_http.arn,
- aws_lb_target_group.server_https.arn,
- ]
-
- tags = concat(
- [
- {
- key = "Name"
- value = "Riju server"
- propagate_at_launch = false
- }
- ],
- [
- for key, value in local.tags : {
- key = key,
- value = value,
- propagate_at_launch = true,
- }
- ],
- )
-}
-
-resource "aws_lb" "server" {
- name = "riju-server"
- security_groups = [aws_security_group.alb.id]
- subnets = data.aws_subnet_ids.default.ids
-}
-
-resource "aws_lb_target_group" "server_http" {
- name = "riju-server-http"
- port = 80
- protocol = "HTTP"
- vpc_id = data.aws_vpc.default.id
-}
-
-resource "aws_lb_target_group" "server_https" {
- name = "riju-server-https"
- port = 443
- protocol = "HTTPS"
- vpc_id = data.aws_vpc.default.id
-}
-
-output "alb_dns_name" {
- value = aws_lb.server.dns_name
-}
-
-output "deploy_aws_access_key_id" {
- value = aws_iam_access_key.deploy.id
-}
-
-output "deploy_aws_secret_access_key" {
- value = aws_iam_access_key.deploy.secret
- sensitive = true
-}
diff --git a/tf/main.tf b/tf/main.tf
new file mode 100644
index 0000000..d32bec5
--- /dev/null
+++ b/tf/main.tf
@@ -0,0 +1,51 @@
+terraform {
+ backend "s3" {
+ key = "state"
+ region = "us-west-1"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.45"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.1"
+ }
+ }
+}
+
+data "external" "env" {
+ program = ["jq", "-n", "env"]
+}
+
+locals {
+ tags = {
+ Terraform = "Managed by Terraform"
+ BillingCategory = "Riju"
+ }
+
+ ami_available = lookup(data.external.env.result, "AMI_NAME", "") != "" ? true : false
+}
+
+provider "aws" {
+ region = "us-west-1"
+ default_tags {
+ tags = local.tags
+ }
+}
+
+data "aws_region" "current" {}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_subnet_ids" "default" {
+ vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_subnet" "default" {
+ for_each = data.aws_subnet_ids.default.ids
+ id = each.value
+}
diff --git a/tf/outputs.tf b/tf/outputs.tf
new file mode 100644
index 0000000..630adbc
--- /dev/null
+++ b/tf/outputs.tf
@@ -0,0 +1,12 @@
+output "alb_dns_name" {
+ value = aws_lb.server.dns_name
+}
+
+output "deploy_aws_access_key_id" {
+ value = aws_iam_access_key.deploy.id
+}
+
+output "deploy_aws_secret_access_key" {
+ value = aws_iam_access_key.deploy.secret
+ sensitive = true
+}
diff --git a/tf/s3.tf b/tf/s3.tf
new file mode 100644
index 0000000..67584aa
--- /dev/null
+++ b/tf/s3.tf
@@ -0,0 +1,17 @@
+resource "aws_s3_bucket" "riju" {
+ bucket = data.external.env.result.S3_BUCKET
+}
+
+resource "aws_s3_bucket_public_access_block" "riju" {
+ bucket = aws_s3_bucket.riju.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "riju" {
+ bucket = aws_s3_bucket.riju.id
+ policy = data.aws_iam_policy_document.riju.json
+}
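Review bot: `data.external.env` runs `jq -n env`, which returns the entire process environment as the data source result, and data source results are persisted in the Terraform state; with the `backend "s3"` block declared here, every variable present in the operator's or CI runner's shell at plan time (including any AWS or CI credentials supplied through the environment) is written into the state object in clear. Only `AMI_NAME` and `S3_BUCKET` are ever read, so the program should emit just those keys, e.g. `program = ["jq", "-n", "{AMI_NAME: (env.AMI_NAME // \"\"), S3_BUCKET: (env.S3_BUCKET // \"\")}"]`, which keeps the existing `lookup(data.external.env.result, "AMI_NAME", "")` check behaving the same; plain `variable` blocks fed by `TF_VAR_` would be the conventional replacement. The backend block also lacks `encrypt = true`, so the state object is written without server-side encryption unless the bucket enforces it, and it names no `bucket` or `dynamodb_table`, so I assume those arrive via `-backend-config`; a comment on the block saying so, e.g. `# bucket and lock table are supplied with -backend-config at init time`, would make that explicit.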
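Review bot: `sensitive = true` on `deploy_aws_secret_access_key` only suppresses the value in CLI output; the secret of `aws_iam_access_key.deploy` is still stored in plain text in the state file in the S3 backend, so anyone with read access to that bucket holds the CI credential. A long-lived IAM user key is the weakest link in this setup: an assumable role with OIDC federation from the CI provider removes the static credential entirely, and short of that, setting `pgp_key` on the access key makes the provider expose only `encrypted_secret`, so no plaintext copy reaches state or outputs. A comment on the output naming where the value is consumed and how it is rotated, e.g. `# Consumed by the CI deploy job; rotate by tainting aws_iam_access_key.deploy`, would help until that change lands.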
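Review bot: `aws_s3_bucket.riju` declares neither a `server_side_encryption_configuration` nor a `versioning` block, so objects are stored without SSE unless an account default enforces it, and an overwrite or delete made through the deploy user's `s3:*Object` grant in iam.tf cannot be rolled back; a `versioning { enabled = true }` block and an AES256 default-encryption rule are both small additions in this provider version. The bucket name is read from `data.external.env.result.S3_BUCKET`, which fails with an opaque attribute-lookup error when the variable is unset; a comment on the resource, e.g. `# S3_BUCKET must be exported in the environment before plan/apply`, would turn that into a self-explanatory failure.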