Merge pull request #208 from filipedeschamps/terraform

Terraform: faz infraestrutura ser gerenciada por código

.env

@@ -1,9 +1,9 @@
-POSTGRES_USER=local
-POSTGRES_PASSWORD=local
+POSTGRES_USER=local_user
+POSTGRES_PASSWORD=local_password
 POSTGRES_DB=tabnews
 POSTGRES_HOST=localhost
 POSTGRES_PORT=54320
-DATABASE_URL=postgres://local:local@localhost:54320/tabnews
+DATABASE_URL=postgres://local_user:local_password@localhost:54320/tabnews
 WEBSERVER_HOST=localhost
 WEBSERVER_PORT=3000
 EMAIL_SMTP_HOST=localhost

.gitignore

@@ -104,4 +104,34 @@ dist
 
 .DS_Store
 
-.vscode
+.vscode
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl

infra/provisioning/modules/database/main.tf

@@ -0,0 +1,122 @@
+resource "random_password" "postgres_password" {
+  length           = 99
+  special          = true
+  override_special = "-+=_^~,."
+}
+
+resource "random_string" "postgres_username" {
+  length  = 62
+  special = false
+}
+
+resource "random_integer" "postgres_port" {
+  min = 1024
+  max = 49151
+}
+
+resource "random_integer" "postgres_random_identifier_suffix" {
+  min = 0
+  max = 999999999999
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+resource "aws_subnet" "postgres_subnet" {
+  count                   = 2
+  vpc_id                  = var.vpc_id
+  cidr_block              = cidrsubnet(var.vpc_cidr_block, 8, count.index)
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name        = "${var.environment}-postgres-subnet-${count.index}"
+    Environment = var.environment
+  }
+}
+
+resource "aws_db_subnet_group" "postgres_subnet_group" {
+  name       = "${var.environment}-postgres-subnet-group"
+  subnet_ids = aws_subnet.postgres_subnet.*.id
+
+  tags = {
+    Name        = "${var.environment}-postgres-subnet-group"
+    Environment = var.environment
+  }
+}
+
+resource "aws_route_table_association" "postgres_route_table_association" {
+  count          = length(aws_subnet.postgres_subnet)
+  subnet_id      = aws_subnet.postgres_subnet[count.index].id
+  route_table_id = var.route_table_id
+}
+
+resource "aws_security_group" "postgres_security_group" {
+  name                   = "${var.environment}-postgres-security-group"
+  vpc_id                 = var.vpc_id
+  revoke_rules_on_delete = true
+
+  ingress {
+    from_port        = random_integer.postgres_port.result
+    to_port          = random_integer.postgres_port.result
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name        = "${var.environment}-postgres-security-group"
+    Environment = var.environment
+  }
+}
+
+resource "aws_db_instance" "postgres" {
+  identifier        = "${var.environment}-postgres-${random_integer.postgres_random_identifier_suffix.result}"
+  storage_type      = "gp2"
+  allocated_storage = var.allocated_storage
+  engine            = "postgres"
+  engine_version    = var.engine_version
+  instance_class    = var.instance_class
+
+  username                    = "u${random_string.postgres_username.result}" # has to start with a letter
+  password                    = random_password.postgres_password.result
+  db_name                     = "tabnews"
+  port                        = random_integer.postgres_port.result
+  publicly_accessible         = true
+  multi_az                    = false
+  max_allocated_storage       = var.max_allocated_storage
+  allow_major_version_upgrade = true
+  auto_minor_version_upgrade  = true
+
+  db_subnet_group_name   = aws_db_subnet_group.postgres_subnet_group.name
+  vpc_security_group_ids = [aws_security_group.postgres_security_group.id]
+
+  apply_immediately         = true
+  backup_retention_period   = var.backup_retention_period
+  backup_window             = "04:00-05:00"
+  maintenance_window        = "wed:06:00-wed:07:00"
+  skip_final_snapshot       = var.skip_final_snapshot
+  final_snapshot_identifier = "${var.environment}-postgres-final-snapshot-${random_integer.postgres_random_identifier_suffix.result}"
+  copy_tags_to_snapshot     = true
+  deletion_protection       = var.deletion_protection
+  delete_automated_backups  = var.delete_automated_backups
+
+  tags = {
+    Name        = "${var.environment}-postgres"
+    Environment = var.environment
+  }
+
+}

infra/provisioning/modules/database/outputs.tf

@@ -0,0 +1,20 @@
+output "db_name" {
+  value = aws_db_instance.postgres.db_name
+}
+
+output "username" {
+  value = aws_db_instance.postgres.username
+}
+
+output "password" {
+  value     = aws_db_instance.postgres.password
+  sensitive = true
+}
+
+output "port" {
+  value = aws_db_instance.postgres.port
+}
+
+output "address" {
+  value = aws_db_instance.postgres.address
+}

infra/provisioning/modules/database/variables.tf

@@ -0,0 +1,48 @@
+variable "environment" {
+  type = string
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "vpc_cidr_block" {
+  type = string
+}
+
+variable "route_table_id" {
+  type = string
+}
+
+variable "allocated_storage" {
+  type = number
+}
+
+variable "max_allocated_storage" {
+  type = number
+}
+
+variable "engine_version" {
+  type = string
+}
+
+variable "instance_class" {
+  type = string
+}
+
+variable "backup_retention_period" {
+  type = number
+}
+
+variable "skip_final_snapshot" {
+  type = bool
+}
+
+variable "deletion_protection" {
+  type = bool
+}
+
+variable "delete_automated_backups" {
+  type = bool
+}
+

infra/provisioning/modules/state/main.tf

@@ -0,0 +1,65 @@
+resource "random_string" "s3_bucket_postfix" {
+  length  = 40
+  special = false
+  lower   = true
+  upper   = false
+}
+
+resource "aws_s3_bucket" "terraform_state" {
+  bucket        = "${var.environment}-tfstate-${random_string.s3_bucket_postfix.result}"
+  force_destroy = true
+
+  tags = {
+    Name        = "${var.environment}-terraform-state"
+    Environment = var.environment
+  }
+}
+
+resource "aws_s3_bucket_acl" "acl" {
+  bucket = aws_s3_bucket.terraform_state.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "public_access" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_kms_key" "s3_key" {
+  description             = "${var.environment}-s3-key"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+
+  tags = {
+    Name        = "${var.environment}-s3-key"
+    Environment = var.environment
+  }
+}
+
+resource "aws_kms_alias" "kms_s3_key_alias" {
+  name          = "alias/${var.environment}-terraform-state"
+  target_key_id = aws_kms_key.s3_key.key_id
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_key.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}

infra/provisioning/modules/state/outputs.tf

@@ -0,0 +1,7 @@
+output "s3_bucket" {
+  value = aws_s3_bucket.terraform_state.bucket
+}
+
+output "kms_s3_key_alias_name" {
+  value = aws_kms_alias.kms_s3_key_alias.name
+}

infra/provisioning/modules/state/variables.tf

@@ -0,0 +1,3 @@
+variable "environment" {
+  type = string
+}

infra/provisioning/modules/vpc/main.tf

@@ -0,0 +1,33 @@
+resource "aws_vpc" "vpc" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    Name        = "${var.environment}-vpc"
+    Environment = var.environment
+  }
+}
+
+resource "aws_internet_gateway" "internet_gateway" {
+  vpc_id = aws_vpc.vpc.id
+
+  tags = {
+    Name        = "${var.environment}-igw"
+    Environment = var.environment
+  }
+}
+
+resource "aws_route_table" "route_table" {
+  vpc_id = aws_vpc.vpc.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.internet_gateway.id
+  }
+
+  tags = {
+    Name        = "${var.environment}-rt"
+    Environment = var.environment
+  }
+}

infra/provisioning/modules/vpc/outputs.tf

@@ -0,0 +1,11 @@
+output "vpc_id" {
+  value = aws_vpc.vpc.id
+}
+
+output "vpc_cidr_block" {
+  value = aws_vpc.vpc.cidr_block
+}
+
+output "route_table_id" {
+  value = aws_route_table.route_table.id
+}

infra/provisioning/modules/vpc/variables.tf

@@ -0,0 +1,3 @@
+variable "environment" {
+  type = string
+}