From 8d91aa18c7f4e66f634e98739f8c35e4ecfe185d Mon Sep 17 00:00:00 2001
From: Christian Papauschek
Date: Wed, 15 Mar 2023 13:31:17 +0100
Subject: [PATCH 1/4] application cluster
---
application.tf | 124 +++++++++++++++++++++++++++++++++++++++++++++++++ cdn.tf | 0 database.tf | 0 provider.tf | 4 ++ storage.tf | 3 ++ 5 files changed, 131 insertions(+) create mode 100644 application.tf create mode 100644 cdn.tf create mode 100644 database.tf create mode 100644 provider.tf create mode 100644 storage.tf
diff --git a/application.tf b/application.tf new file mode 100644
index 0000000..836506a
--- /dev/null
+++ b/application.tf
@@ -0,0 +1,124 @@
+
+
+resource "aws_ecs_cluster" "cluster" {
+ name = "testapp"
+ setting {
+ name = "containerInsights"
+ value = "enabled"
+ }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "capacity_providers" {
+ cluster_name = aws_ecs_cluster.cluster.name
+}
+
+resource "aws_security_group" "testapp" {
+ name = "testapp"
+ description = "Security group for testapp"
+ vpc_id = "vpc-06e54f0e170d7f275"
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_lb" "testapp" {
+ name = aws_ecs_cluster.cluster.name
+ internal = false
+ load_balancer_type = "application"
+ security_groups = [ aws_security_group.testapp.id ]
+ subnets = [ "subnet-068d8181df0250c7a", "subnet-0932f2b361be94828" ]
+}
+
+resource "aws_lb_listener" "testapp" {
+ load_balancer_arn = aws_lb.testapp.arn
+ port = "80"
+ protocol = "HTTP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.testapp.arn
+ }
+}
+
+resource "aws_lb_target_group" "testapp" {
+ name = "testapp"
+ port = 80
+ protocol = "HTTP"
+ target_type = "ip"
+ vpc_id = aws_security_group.testapp.vpc_id
+
+ health_check {
+ matcher = "200"
+ path = "/api/v1.0/health/ready"
+ port = 80
+ }
+}
+
+resource "aws_ecs_task_definition" "testapp" {
+ family = "testapp"
+
+ requires_compatibilities = ["FARGATE"]
+ cpu = 1024
+ memory = 2048
+
+ network_mode = "awsvpc"
+
+ container_definitions = jsonencode([
+ {
+ name = "testapp"
+ image = "yeasy/simple-web:latest"
+ essential = true
+ portMappings = [
+ {
+ containerPort = 80
+ hostPort = 80
+ }
+ ]
+ environment = [
+ { name = "HTTPPORT", value = "80" },
+ { name = "MEM_MX", value = "2048m" },
+ { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://testapp.eu-west-1.rds.amazonaws.com:5432/testapp" },
+ { name = "DB_DEFAULT_USER", value = "testapp" },
+ { name = "DB_DEFAULT_PASSWORD", value =
"xw3489sf" }
+ ]
+ }
+ ])
+}
+
+resource "aws_ecs_service" "testapp" {
+ name = "testapp"
+ cluster = aws_ecs_cluster.cluster.name
+ task_definition = "${aws_ecs_task_definition.testapp.id}:${aws_ecs_task_definition.testapp.revision}"
+
+ health_check_grace_period_seconds = 30
+ desired_count = 1
+
+ load_balancer {
+ target_group_arn = aws_lb_target_group.testapp.arn
+ container_name = "testapp"
+ container_port = 80
+ }
+
+ capacity_provider_strategy {
+ capacity_provider = "FARGATE"
+ weight = 1
+ }
+
+ network_configuration {
+ subnets = aws_lb.testapp.subnets
+ security_groups = aws_lb.testapp.security_groups
+ assign_public_ip = true
+ }
+
+}
diff --git a/cdn.tf b/cdn.tf new file mode 100644
index 0000000..e69de29
diff --git a/database.tf b/database.tf new file mode 100644
index 0000000..e69de29
diff --git a/provider.tf b/provider.tf new file mode 100644
index 0000000..6a26783
--- /dev/null
+++ b/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = "eu-west-1"
+}
+
diff --git a/storage.tf b/storage.tf new file mode 100644
index 0000000..84f5a83
--- /dev/null
+++ b/storage.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "bucket" {
+ bucket = "testapp-files"
+}
From 491e4d00a66fd266a13f0ec3441066a182698885 Mon Sep 17 00:00:00 2001
From: Christian Papauschek
Date: Wed, 15 Mar 2023 13:53:13 +0100
Subject: [PATCH 2/4] add cloudfront
---
application.tf | 51 ++++++++++++++++++++++++-------------------------- cdn.tf | 42 +++++++++++++++++++++++++++++++++++++++++ provider.tf | 2 ++ 3 files changed, 68 insertions(+), 27 deletions(-)
diff --git a/application.tf b/application.tf
index 836506a..51f799e 100644
--- a/application.tf
+++ b/application.tf
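Review bot: `DB_DEFAULT_PASSWORD` is a plaintext literal in the container's `environment` list, so the credential is now in git history and readable by anyone with `ecs:DescribeTaskDefinition`; move it to the container's `secrets` list with a `valueFrom` pointing at a Secrets Manager or SSM SecureString ARN, give the task definition an `execution_role_arn` allowed to read that secret (both resources still need to be added), and rotate `xw3489sf` since it is already committed. The `network_configuration` block reuses `aws_lb.testapp.subnets` and `aws_lb.testapp.security_groups` and sets `assign_public_ip = true`, so every Fargate task gets a public IP that the shared `ingress` rule opens on port 80 to `0.0.0.0/0` — the load balancer can be bypassed entirely; tasks should carry their own security group that admits port 80 only from `aws_security_group.testapp.id`. The container definition has no `logConfiguration`, so nothing the task prints reaches CloudWatch Logs, which makes later incident triage hard. The image reference `yeasy/simple-web:latest` is a mutable tag pulled from Docker Hub on every start — pin by digest once a real image replaces the sample.
```hcl
resource "aws_ecs_task_definition" "testapp" {
  # … unchanged: family, requires_compatibilities, cpu, memory, network_mode …
  execution_role_arn = aws_iam_role.task_execution.arn # must allow secretsmanager:GetSecretValue on the secret below

  container_definitions = jsonencode([
    {
      # … unchanged: name, image, essential, portMappings …
      environment = [
        { name = "HTTPPORT", value = "80" },
        { name = "MEM_MX", value = "2048m" },
        { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://testapp.eu-west-1.rds.amazonaws.com:5432/testapp" },
        { name = "DB_DEFAULT_USER", value = "testapp" }
      ]
      # Injected by the ECS agent at task start; never stored in the task definition itself.
      secrets = [
        { name = "DB_DEFAULT_PASSWORD", valueFrom = aws_secretsmanager_secret.db_password.arn }
      ]
    }
  ])
}
```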
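Review bot: `aws_s3_bucket.bucket` is declared with only a name, so nothing attaches an `aws_s3_bucket_public_access_block`, a server-side encryption configuration or versioning to the bucket the application will write files into. Whether account-level Block Public Access already covers it cannot be seen from this diff, so add the block explicitly together with an SSE configuration; the fixed global name `testapp-files` can also collide with or be squatted by another account, so consider `bucket_prefix` or an account-id suffix. The companion resources would look like this:
```hcl
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # or "aws:kms" with a customer-managed key
    }
  }
}
```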
@@ -2,42 +2,18 @@ resource "aws_ecs_cluster" "cluster" {
 name = "testapp"
- setting {
- name = "containerInsights"
- value = "enabled"
- }
 }
 resource "aws_ecs_cluster_capacity_providers" "capacity_providers" {
 cluster_name = aws_ecs_cluster.cluster.name
 }
-resource "aws_security_group" "testapp" {
- name = "testapp"
- description = "Security group for testapp"
- vpc_id = "vpc-06e54f0e170d7f275"
-
- ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
 resource "aws_lb" "testapp" {
 name = aws_ecs_cluster.cluster.name
 internal = false
 load_balancer_type = "application"
 security_groups = [ aws_security_group.testapp.id ]
- subnets = [ "subnet-068d8181df0250c7a", "subnet-0932f2b361be94828" ]
+ subnets = var.subnets
 }
 resource "aws_lb_listener" "testapp" {
@@ -60,7 +36,7 @@ resource "aws_lb_target_group" "testapp" {
 health_check {
 matcher = "200"
- path = "/api/v1.0/health/ready"
+ path = "/"
 port = 80
 }
 }
@@ -90,7 +66,8 @@ resource "aws_ecs_task_definition" "testapp" {
 { name = "MEM_MX", value = "2048m" },
 { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://testapp.eu-west-1.rds.amazonaws.com:5432/testapp" },
 { name = "DB_DEFAULT_USER", value = "testapp" },
- { name = "DB_DEFAULT_PASSWORD", value = "xw3489sf" }
+ { name = "DB_DEFAULT_PASSWORD", value = "xw3489sf" },
+ { name = "S3_BUCKET", value = aws_s3_bucket.bucket.bucket }
 ]
 }
 ])
@@ -122,3 +99,23 @@ resource "aws_ecs_service" "testapp" {
 }
 }
+
+resource "aws_security_group" "testapp" {
+ name = "testapp"
+ description = "Security group for testapp"
+ vpc_id = var.vpc_id
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/cdn.tf b/cdn.tf
index e69de29..8ff80ec 100644
--- a/cdn.tf
+++ b/cdn.tf
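Review bot: The `containerInsights` setting is removed from `aws_ecs_cluster.cluster` with nothing in its place, so cluster- and task-level CPU, memory and network metrics stop flowing to CloudWatch — exactly the signal you would use to notice a runaway or hijacked task. If this is a cost decision, record it next to the resource, e.g. `# Container Insights disabled on the test cluster to save cost; re-enable before production use`, rather than deleting it silently. The rest of the hunk only relocates the security group and swaps the hard-coded subnet IDs for `var.subnets`.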
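Review bot: `S3_BUCKET` hands the container a bucket name, but the task definition (it begins above this hunk) still declares no `task_role_arn`, so the container holds no credentials for that bucket and will either get AccessDenied or end up relying on whatever static keys someone later bakes into the image. Add an IAM role whose policy is scoped to `aws_s3_bucket.bucket.arn` and `"${aws_s3_bucket.bucket.arn}/*"` and set `task_role_arn = aws_iam_role.task.arn` on the task definition. The plaintext `DB_DEFAULT_PASSWORD` two lines up is untouched by this commit and still belongs in `secrets`, not `environment`.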
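Review bot: The re-added `aws_security_group.testapp` keeps its `ingress` on port 80 from `0.0.0.0/0`, and because `aws_ecs_service.testapp.network_configuration` earlier in this file reuses `aws_lb.testapp.security_groups` with public IPs, that rule exposes the Fargate tasks directly, not just the load balancer. Now that CloudFront fronts the ALB (this commit's `cdn.tf`), limit the ALB group to CloudFront's origin-facing managed prefix list and give the tasks their own group that admits port 80 only from the ALB group, then point the service's `security_groups` at `[aws_security_group.testapp_task.id]`. The catch-all `egress` rule is the default but worth narrowing once the database and S3 endpoints are known.
```hcl
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "testapp" {
  name        = "testapp"
  description = "Security group for testapp"
  vpc_id      = var.vpc_id

  # Only CloudFront edge nodes may reach the ALB; direct hits on its DNS name are dropped.
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }
  # … unchanged: egress …
}

# Separate group for the Fargate tasks: port 80 only from the ALB group.
resource "aws_security_group" "testapp_task" {
  name        = "testapp-task"
  description = "Security group for testapp ECS tasks"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.testapp.id]
  }
  # … same egress as above …
}
```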
@@ -0,0 +1,42 @@
+resource "aws_cloudfront_distribution" "cloudfront" {
+
+ comment = "testapp"
+ enabled = true
+ http_version = "http2"
+
+ default_cache_behavior {
+ target_origin_id = aws_lb.testapp.dns_name
+ allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+ cached_methods = [ "GET", "HEAD" ]
+ viewer_protocol_policy = "redirect-to-https"
+
+ forwarded_values {
+ query_string = true
+ cookies {
+ forward = "all"
+ }
+ }
+ }
+
+ origin {
+ domain_name = aws_lb.testapp.dns_name
+ origin_id = aws_lb.testapp.dns_name
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+ origin_protocol_policy = "http-only"
+ origin_ssl_protocols = [ "TLSv1", "TLSv1.1", "TLSv1.2" ]
+ }
+ }
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "none"
+ }
+ }
+
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ }
+
+}
diff --git a/provider.tf b/provider.tf
index 6a26783..f5b72ba 100644
--- a/provider.tf
+++ b/provider.tf
@@ -2,3 +2,5 @@ provider "aws" {
 region = "eu-west-1"
 }
+variable "vpc_id" { type = string }
+variable "subnets" { type = list(string) }
From 8d00c6fcd96d0e5dd554c3aa9b97cd95e3d9af30 Mon Sep 17 00:00:00 2001
From: Christian Papauschek
Date: Thu, 16 Mar 2023 10:57:24 +0100
Subject: [PATCH 3/4] add postgres database
---
application.tf | 6 ++++-- cdn.tf | 2 ++ database.tf | 20 ++++++++++++++++++++ storage.tf | 2 ++ 4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/application.tf b/application.tf
index 51f799e..bc95f56 100644
--- a/application.tf
+++ b/application.tf
@@ -1,4 +1,4 @@
-
+# ECS cluster, service and load balancer for running the application
 resource "aws_ecs_cluster" "cluster" {
 name = "testapp"
@@ -53,6 +53,8 @@ resource "aws_ecs_task_definition" "testapp" {
 container_definitions = jsonencode([
 {
 name = "testapp"
+
+ # this is a sample http container that responds on port 80
 image = "yeasy/simple-web:latest"
 essential = true
 portMappings = [
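Review bot: `origin_protocol_policy = "http-only"` in `custom_origin_config` means CloudFront talks to the public ALB in cleartext across the internet, so `viewer_protocol_policy = "redirect-to-https"` only protects the first hop; nothing in this series gives the ALB a 443 listener or ACM certificate, so `https-only` cannot be set yet, but that plus `origin_ssl_protocols = ["TLSv1.2"]` (the current list still admits TLSv1 and TLSv1.1) should be the target. Nothing stops a client from skipping CloudFront and hitting `aws_lb.testapp.dns_name` directly: add a secret `custom_header` on the origin and an `aws_lb_listener_rule` that forwards only when it matches (with the listener's `default_action` changed to a fixed 403), or restrict the ALB security group to the CloudFront prefix list. `forwarded_values` with `query_string = true` and `forward = "all"` is deprecated in favour of `cache_policy_id`/`origin_request_policy_id` and effectively disables caching for most responses, and since `allowed_methods` includes the mutating verbs a `web_acl_id` (AWS WAF) in front of this distribution is worth considering.
```hcl
  origin {
    domain_name = aws_lb.testapp.dns_name
    origin_id   = aws_lb.testapp.dns_name

    # Shared secret so the ALB can refuse requests that did not pass through CloudFront.
    custom_header {
      name  = "X-Origin-Verify"
      value = var.origin_secret # mark the variable sensitive; rotate periodically
    }

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only" # "https-only" once the ALB has a 443 listener with an ACM cert
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  # … unchanged: restrictions, viewer_certificate …

# application.tf: forward only when the CloudFront header matches.
resource "aws_lb_listener_rule" "cloudfront_only" {
  listener_arn = aws_lb_listener.testapp.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.testapp.arn
  }

  condition {
    http_header {
      http_header_name = "X-Origin-Verify"
      values           = [var.origin_secret]
    }
  }
}
```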
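Review bot: The new comment describes `yeasy/simple-web:latest` as a sample, but the tag stays `:latest`, a mutable Docker Hub tag pulled unauthenticated on every task start, so deployments are not reproducible and a tag hijack or a Docker Hub rate-limit failure lands straight in the running service. Pin it by digest (`image = "yeasy/simple-web@sha256:<digest>"`) or mirror it into ECR, and make the comment say what is expected: `# sample http container on port 80 — replace with the real image, pinned by digest, before production`. The enclosing `aws_ecs_task_definition` starts and ends outside this hunk.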
@@ -64,7 +66,7 @@ resource "aws_ecs_task_definition" "testapp" {
 environment = [
 { name = "HTTPPORT", value = "80" },
 { name = "MEM_MX", value = "2048m" },
- { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://testapp.eu-west-1.rds.amazonaws.com:5432/testapp" },
+ { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://${aws_db_instance.database.endpoint}:5432/testapp" },
 { name = "DB_DEFAULT_USER", value = "testapp" },
 { name = "DB_DEFAULT_PASSWORD", value = "xw3489sf" },
 { name = "S3_BUCKET", value = aws_s3_bucket.bucket.bucket }
diff --git a/cdn.tf b/cdn.tf
index 8ff80ec..92660f1 100644
--- a/cdn.tf
+++ b/cdn.tf
@@ -1,3 +1,5 @@
+# Cloudfront CDN serving the load balancer from the ECS service
+
 resource "aws_cloudfront_distribution" "cloudfront" {
 comment = "testapp"
diff --git a/database.tf b/database.tf
index e69de29..1fbe70e 100644
--- a/database.tf
+++ b/database.tf
@@ -0,0 +1,20 @@
+
+# Postgres Database for the app
+resource "aws_db_instance" "database" {
+
+ db_name = "testappdb"
+ identifier = "testapp-db"
+
+ instance_class = "db.t3.micro"
+ engine = "postgres"
+ engine_version = "15.2"
+
+ multi_az = false
+ allocated_storage = 10 # gibibytes
+
+ username = "root"
+ password = "xw3489sf"
+
+ apply_immediately = true
+ skip_final_snapshot = true
+}
\ No newline at end of file
diff --git a/storage.tf b/storage.tf
index 84f5a83..b9c482f 100644
--- a/storage.tf
+++ b/storage.tf
@@ -1,3 +1,5 @@
+
+# Storage bucket for the app
 resource "aws_s3_bucket" "bucket" {
 bucket = "testapp-files"
 }
From 48ef7c6dfdb32a40d35d1f032f98575a4a9f2fb6 Mon Sep 17 00:00:00 2001
From: Christian Papauschek
Date: Thu, 16 Mar 2023 10:58:32 +0100
Subject: [PATCH 4/4] remove port
---
application.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/application.tf b/application.tf
index bc95f56..b64b789 100644
--- a/application.tf
+++ b/application.tf
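Review bot: The new `DB_DEFAULT_URL` points the app at `aws_db_instance.database`, but `DB_DEFAULT_USER` stays `testapp` while `database.tf` in this same commit creates the instance with `username = "root"` — unless a `testapp` role is created out of band, the first connection fails on authentication (the `:5432` duplicating the port already contained in `endpoint` is fixed in patch 4/4, so not raised here). Either derive the value from the instance, `{ name = "DB_DEFAULT_USER", value = aws_db_instance.database.username }`, or create a dedicated application role and keep the master credential out of the container entirely. Also consider appending `?sslmode=require` to the JDBC URL so the in-VPC hop to RDS is encrypted; the PostgreSQL JDBC driver does not insist on TLS unless told to, though confirm that for the driver this app actually uses.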
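Review bot: `aws_db_instance.database` takes `password = "xw3489sf"` as a literal (the same string committed for the app in `application.tf`) for a master user named `root`, and it is declared with no `db_subnet_group_name` or `vpc_security_group_ids`, so it lands in the account's default VPC, subnet group and default security group rather than in `var.vpc_id` where the ECS tasks run — whether the tasks can reach it at all cannot be seen from the diff. Let the provider manage the credential (`manage_master_user_password = true`, available in recent AWS provider versions — confirm the version this repo pins) or feed it from `random_password` plus Secrets Manager, add a subnet group and a security group that admits 5432 only from the task security group, and set `storage_encrypted = true`, which defaults to false. `skip_final_snapshot = true` with no `deletion_protection` means a `terraform destroy`, or an accidental replacement pushed through by `apply_immediately`, drops the data with no recovery point; that is acceptable for a throwaway test database, so say so in the comment.
```hcl
resource "aws_db_instance" "database" {
  # … unchanged: db_name, identifier, instance_class, engine, engine_version, multi_az, allocated_storage …

  # Place the instance next to the ECS tasks and allow 5432 only from their security group.
  db_subnet_group_name   = aws_db_subnet_group.database.name
  vpc_security_group_ids = [aws_security_group.database.id]
  storage_encrypted      = true
  publicly_accessible    = false

  username                    = "root"
  manage_master_user_password = true # credential lives in Secrets Manager; see master_user_secret[0].secret_arn

  # … unchanged: apply_immediately, skip_final_snapshot (test-only: no final snapshot, no deletion protection) …
}
```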
@@ -66,7 +66,7 @@ resource "aws_ecs_task_definition" "testapp" {
 environment = [
 { name = "HTTPPORT", value = "80" },
 { name = "MEM_MX", value = "2048m" },
- { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://${aws_db_instance.database.endpoint}:5432/testapp" },
+ { name = "DB_DEFAULT_URL", value = "jdbc:postgresql://${aws_db_instance.database.endpoint}/testapp" },
 { name = "DB_DEFAULT_USER", value = "testapp" },
 { name = "DB_DEFAULT_PASSWORD", value = "xw3489sf" },
 { name = "S3_BUCKET", value = aws_s3_bucket.bucket.bucket }
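Review bot: Dropping `:5432` is right because `aws_db_instance.endpoint` is already `host:port`, but the path `/testapp` in the new `DB_DEFAULT_URL` still does not match the database created in `database.tf` (`db_name = "testappdb"`), so the connection fails with "database does not exist" unless one is created by hand. Build the URL from the instance's own attributes so the two cannot drift: `{ name = "DB_DEFAULT_URL", value = "jdbc:postgresql://${aws_db_instance.database.endpoint}/${aws_db_instance.database.db_name}?sslmode=require" }` (drop the `sslmode` parameter if TLS is configured elsewhere in the app). The enclosing `container_definitions` list starts and ends outside this hunk.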