beanstalk module
tkjwa committed Jul 5, 2022
0 parents commit 812b283
Showing 13 changed files with 605 additions and 0 deletions.
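--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea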
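--- a/certificate.tf
+++ b/certificate.tf
@@ -0,0 +1,30 @@
+resource "aws_acm_certificate" "certificate" {
+domain_name = "${local.sub_domain}.${local.domain_name}"
+validation_method = "DNS"
+
+lifecycle {
+create_before_destroy = true
+}
+}
+
+resource "aws_route53_record" "certificate_validation_records" {
+for_each = {
+for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
+name = dvo.resource_record_name
+record = dvo.resource_record_value
+type = dvo.resource_record_type
+}
+}
+
+allow_overwrite = true
+name = each.value.name
+records = [each.value.record]
+type = each.value.type
+zone_id = data.aws_route53_zone.api_domain_route53_zone.id
+ttl = 60
+}
+
+resource "aws_acm_certificate_validation" "certificate_validation" {
+certificate_arn = aws_acm_certificate.certificate.arn
+validation_record_fqdns = [for record in aws_route53_record.certificate_validation_records : record.fqdn]
+}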
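--- a/data.tf
+++ b/data.tf
@@ -0,0 +1,9 @@
+data "aws_route53_zone" "api_domain_route53_zone" {
+name = local.domain_name
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_elastic_beanstalk_hosted_zone" "current" {}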
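--- a/dns.tf
+++ b/dns.tf
@@ -0,0 +1,11 @@
+resource "aws_route53_record" "platform_api_domain_record" {
+name = "${local.sub_domain}.${local.domain_name}"
+type = "A"
+zone_id = data.aws_route53_zone.api_domain_route53_zone.id
+
+alias {
+evaluate_target_health = false
+name = aws_elastic_beanstalk_environment.beanstalk_env.cname
+zone_id = data.aws_elastic_beanstalk_hosted_zone.current.id
+}
+}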
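--- a/environment.tf
+++ b/environment.tf
@@ -0,0 +1,30 @@
+resource "aws_elastic_beanstalk_environment" "beanstalk_env" {
+name = local.env_name
+application = local.app_name
+cname_prefix = local.env_name
+description = "${local.env_name} environment for ${local.app_name}"
+tier = "WebServer"
+solution_stack_name = local.solution_stack_name
+
+dynamic "setting" {
+for_each = local.beanstalk_settings
+
+content {
+namespace = setting.value["namespace"]
+name = setting.value["name"]
+value = setting.value["value"]
+resource = ""
+}
+}
+
+dynamic "setting" {
+for_each = local.beanstalk_env_vars
+
+content {
+namespace = "aws:elasticbeanstalk:application:environment"
+name = setting.value["name"]
+value = setting.value["value"]
+resource = ""
+}
+}
+}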
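Review bot: The second `dynamic "setting"` block writes `local.beanstalk_env_vars` into the `aws:elasticbeanstalk:application:environment` namespace, and nothing in the file says that those values are stored as plaintext in the environment configuration, are readable through the EB console/API, and land in Terraform state. Add a comment above that block: `# Values in this namespace are plaintext in the EB configuration and in Terraform state; pass secret names/ARNs, not secret values (the instance role reads them from Secrets Manager).` `local.beanstalk_settings`, used by the first block, is not defined in the locals.tf shown in this commit; presumably it lives in one of the two files that did not render, which is worth confirming.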
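--- a/instance-profile.tf
+++ b/instance-profile.tf
@@ -0,0 +1,94 @@
+resource "aws_iam_role" "beanstalk_instances_role" {
+name = terraform.workspace
+description = "Role for ${terraform.workspace} instances"
+
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Sid = ""
+Principal = {
+Service = "ec2.amazonaws.com"
+}
+},
+]
+})
+}
+
+resource "aws_iam_instance_profile" "beanstalk_instances_profile" {
+name = "${terraform.workspace}-instance-profile"
+role = aws_iam_role.beanstalk_instances_role.name
+}
+
+data "aws_iam_policy" "beanstalk_default_policy" {
+name = "AWSElasticBeanstalkWebTier"
+}
+
+resource "aws_iam_role_policy_attachment" "beanstalk_default_policy_attachment" {
+policy_arn = data.aws_iam_policy.beanstalk_default_policy.arn
+role = aws_iam_role.beanstalk_instances_role.name
+}
+
+data "aws_iam_policy" "beanstalk_health_policy" {
+name = "AWSElasticBeanstalkEnhancedHealth"
+}
+
+resource "aws_iam_role_policy_attachment" "beanstalk_health_policy_attachment" {
+policy_arn = data.aws_iam_policy.beanstalk_health_policy.arn
+role = aws_iam_role.beanstalk_instances_role.name
+}
+
+data "aws_iam_policy" "ssm_managed_instance_core" {
+name = "AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_managed_instance_core_policy_attachment" {
+policy_arn = data.aws_iam_policy.ssm_managed_instance_core.arn
+role = aws_iam_role.beanstalk_instances_role.name
+}
+
+data "aws_iam_policy" "ecr_ro_policy" {
+name = "AmazonEC2ContainerRegistryReadOnly"
+}
+
+resource "aws_iam_role_policy_attachment" "ecr_ro_attachment" {
+policy_arn = data.aws_iam_policy.ecr_ro_policy.arn
+role = aws_iam_role.beanstalk_instances_role.name
+}
+
+resource "aws_iam_role_policy" "platform_api_cloudwatch_logs_policy" {
+name = "CloudWatchLogsStreaming"
+role = aws_iam_role.beanstalk_instances_role.id
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = ["logs:CreateLogGroup"]
+Effect = "Allow"
+Resource = "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
+}
+]
+})
+}
+
+resource "aws_iam_role_policy" "platform_api_secrets_manager_policy" {
+name = "PlatformApiSecretsManagerPolicy"
+role = aws_iam_role.beanstalk_instances_role.id
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = ["secretsmanager:GetSecretValue"]
+Effect = "Allow"
+Resource = [
+"arn:aws:secretsmanager:eu-central-1:188232076030:secret:platform/api/db-pwd/*",
+"arn:aws:secretsmanager:eu-central-1:188232076030:secret:okta/*",
+]
+}
+]
+})
+}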
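Review bot: The two `Resource` ARNs in `platform_api_secrets_manager_policy` hard-code the region `eu-central-1` and the account `188232076030`, although data.tf in this same commit already declares `aws_region.current` and `aws_caller_identity.current`; applied in any other account or region the policy refers to secrets that do not exist there and the grant silently does nothing. Replace them with `"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:platform/api/db-pwd/*"` and the same form for the `okta/*` entry. The secret path prefixes are application-specific inside an otherwise generic module, so a list variable of allowed prefixes would keep the role's grant as narrow as each calling application needs. Note also that the role name is bare `terraform.workspace`, so two instantiations of this module in one workspace would collide on the IAM role name.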
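--- a/locals.tf
+++ b/locals.tf
@@ -0,0 +1,18 @@
+locals {
+app_name = var.app_name
+env_name = var.env_name
+
+vpc_id = var.vpc_id
+elb_subnets_ids = var.elb_subnets_ids
+app_subnets_ids = var.app_subnets_ids
+
+solution_stack_name = var.solution_stack_name
+
+ha = var.ha
+production = var.production
+
+domain_name = var.domain_name
+sub_domain = var.sub_domain
+
+beanstalk_env_vars = var.beanstalk_env_vars
+}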
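--- a/logs-bucket.tf
+++ b/logs-bucket.tf
@@ -0,0 +1,35 @@
+resource "aws_s3_bucket" "aws_logs_bucket" {
+bucket = "${local.env_name}-${data.aws_region.current.name}"
+force_destroy = local.production ? false : true
+}
+
+resource "aws_s3_bucket_acl" "aws_logs_bucket_acl" {
+bucket = aws_s3_bucket.aws_logs_bucket.id
+acl = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "aws_logs_bucket_public_access_block" {
+bucket = aws_s3_bucket.aws_logs_bucket.id
+block_public_acls = true
+block_public_policy = true
+ignore_public_acls = true
+restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "aws_logs_bucket_policy" {
+bucket = aws_s3_bucket.aws_logs_bucket.id
+policy = data.aws_iam_policy_document.aws_logs_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "aws_logs_bucket_policy" {
+statement {
+principals {
+# The AWS account for eu-central-1
+# See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
+identifiers = ["arn:aws:iam::054676820928:root"]
+type = "AWS"
+}
+actions = ["s3:PutObject"]
+resources = ["arn:aws:s3:::${aws_s3_bucket.aws_logs_bucket.id}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
+}
+}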
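Review bot: The `identifiers` line of the bucket policy hard-codes the eu-central-1 ELB log-delivery account while the bucket name two resources above is derived from `data.aws_region.current.name`, so applying the module in any other region creates a correctly named bucket whose policy grants delivery to the wrong principal and access logging fails without an error at apply time. The `aws_elb_service_account` data source resolves the delivery account for the current region (in regions where the account-based principal applies); the fence below switches to it. Separately, no `aws_s3_bucket_server_side_encryption_configuration` is declared, so log objects rely on whatever the bucket default happens to be; ELB log delivery supports SSE-S3 but not SSE-KMS, so an explicit `AES256` default is the safe choice. Retention is only governed by `force_destroy` here; an `aws_s3_bucket_lifecycle_configuration` expiring old logs would bound what an attacker with read access to the bucket could harvest.
```hcl
data "aws_elb_service_account" "current" {}

# … unchanged: aws_s3_bucket, aws_s3_bucket_acl, aws_s3_bucket_public_access_block, aws_s3_bucket_policy …

resource "aws_s3_bucket_server_side_encryption_configuration" "aws_logs_bucket_sse" {
  bucket = aws_s3_bucket.aws_logs_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# … unchanged: data "aws_iam_policy_document" statement and principals block head …
      identifiers = [data.aws_elb_service_account.current.arn]
```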
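--- a/main.tf
+++ b/main.tf
@@ -0,0 +1,9 @@
+terraform {
+required_version = "~> 1.0"
+
+required_providers {
+aws = {
+version = ">= 4.2"
+}
+}
+}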
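Review bot: The `aws` entry in `required_providers` has no upper bound, so `>= 4.2` lets a future major provider release, with changed resource defaults that the S3 resources in this module are sensitive to, be pulled in by the next `terraform init -upgrade` without any change to this file. It also omits `source`; the implicit `hashicorp/aws` default works, but making it explicit documents which provider is trusted. Suggested: `source  = "hashicorp/aws"` and `version = "~> 4.2"`.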
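--- a/outputs.tf
+++ b/outputs.tf
@@ -0,0 +1,3 @@
+output "instances_security_group" {
+value = aws_security_group.instances_security_group
+}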
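--- a/security-groups.tf
+++ b/security-groups.tf
@@ -0,0 +1,79 @@
+########################################################################################################################
+#### LOAD BALANCER
+########################################################################################################################
+resource "aws_security_group" "load_balancer_security_group" {
+name = "${terraform.workspace}-load-balancer"
+description = "${terraform.workspace} load balancer security group"
+vpc_id = local.vpc_id
+
+tags = {
+Name = "${terraform.workspace}-load-balancer"
+}
+}
+
+resource "aws_security_group_rule" "allow_http_traffic_to_lb" {
+description = "Allow HTTP inbound traffic to ${terraform.workspace} load balancer on port 80"
+type = "ingress"
+from_port = 80
+to_port = 80
+protocol = "TCP"
+security_group_id = aws_security_group.load_balancer_security_group.id
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "allow_https_traffic_to_lb" {
+description = "Allow HTTPS inbound traffic to ${terraform.workspace} load balancer on port 443"
+type = "ingress"
+from_port = 443
+to_port = 443
+protocol = "TCP"
+security_group_id = aws_security_group.load_balancer_security_group.id
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "allow_all_outbound_traffic_from_lb" {
+description = "Allow outbound traffic from ${terraform.workspace} load balancer on port 80"
+type = "egress"
+from_port = 80
+to_port = 80
+protocol = "TCP"
+security_group_id = aws_security_group.load_balancer_security_group.id
+source_security_group_id = aws_security_group.instances_security_group.id
+}
+
+########################################################################################################################
+#### BEANSTALK INSTANCES
+########################################################################################################################
+
+# TODO: rename to beanstalk_instances_security_group
+resource "aws_security_group" "instances_security_group" {
+name = "${terraform.workspace}-beanstalk-instances"
+description = "${terraform.workspace} ec2 beanstalk instances security group"
+vpc_id = local.vpc_id
+
+tags = {
+Name = "${terraform.workspace}-beanstalk-instances"
+}
+}
+
+resource "aws_security_group_rule" "allow_traffic_from_lb_to_beanstalk_instances" {
+description = "Allow inbound traffic to ${terraform.workspace} beanstalk instances on port 80"
+from_port = 80
+protocol = "TCP"
+security_group_id = aws_security_group.instances_security_group.id
+to_port = 80
+source_security_group_id = aws_security_group.load_balancer_security_group.id
+type = "ingress"
+}
+
+# TODO: rename to allow_all_outbound_traffic_from_beanstalk_instances
+resource "aws_security_group_rule" "allow_outbound_traffic_from_beanstalk_instances" {
+description = "Allow all outbound traffic from ${terraform.workspace} beanstalk instances"
+type = "egress"
+from_port = 0
+to_port = 0
+protocol = "-1"
+security_group_id = aws_security_group.instances_security_group.id
+cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = ["::/0"]
+}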
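Review bot: `allow_all_outbound_traffic_from_lb` is in fact a port-80 egress to the instances security group only, so the resource name overstates what it permits and will mislead anyone auditing the rules by name; something like `allow_http_outbound_from_lb_to_instances` matches its own description. When that rename and the two TODO renames are carried out, a `moved` block (Terraform 1.1+, allowed by the declared `~> 1.0`) avoids delete-and-recreate of the rule, which otherwise leaves a short window during apply where the rule is absent. The instance egress rule permits all traffic to `0.0.0.0/0` and `::/0`; that is presumably what the ECR, SSM and Secrets Manager calls granted in instance-profile.tf need, but if those are the only dependencies, VPC endpoints would let it be narrowed. Port 80 on the load balancer is open to the world; whether it redirects to 443 is decided by Beanstalk listener settings that are not part of this commit, which is worth stating in a comment on `allow_http_traffic_to_lb`.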

0 comments on commit 812b283
