feat: cluster & first container

pbenefice · Apr 27, 2023 · 3bada7d · 3bada7d
1 parent b4e3dad
commit 3bada7d
Show file tree

Hide file tree

Showing 11 changed files with 253 additions and 0 deletions.
diff --git a/doc/article.md b/doc/article.md
@@ -0,0 +1,130 @@
+# ECS with terraform
+
+## Prerequis
+
+Nous considérerons ici que certains éléments existent déjà dans le compte AWS ou nous ferons nos tests. Notamment un VPC configuré avec des réseaux privé ayant un accès a internet via une NAT Gateway.  
+Le repository de démonstration contient du code permettant de mettre en place ces prerequis si necessaire.  
+
+## Cluster et 1er container
+
+Commençons par créer le cluster et faire tourner un simple container dessus.  
+Il nous faut donc :
+- un cluster et un log group associé,
+- un service & une task definition,
+- un rôle iam (qui permettra à terme de donner des droits au container),
+- un security group
+
+Nous prendrons une image Debian pour faciliter les tests dans un premier temps. Le code ressemble donc à :  
+
+```terraform
+locals {
+  prefix   = "${var.project_prefix}-${var.env}"
+  app_name = "myapp"
+}
+
+resource "aws_cloudwatch_log_group" "ecs_cluster" {
+  name = "${local.prefix}-ecs-cluster"
+}
+resource "aws_ecs_cluster" "this" {
+  name = local.prefix
+
+  configuration {
+    execute_command_configuration {
+      logging = "OVERRIDE"
+
+      log_configuration {
+        cloud_watch_log_group_name = aws_cloudwatch_log_group.ecs_cluster.name
+      }
+    }
+  }
+}
+
+resource "aws_ecs_task_definition" "myapp" {
+  family                   = "${local.prefix}-${local.app_name}"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 1024
+  memory                   = 2048
+
+  task_role_arn = aws_iam_role.ecs_task_role_myapp.arn
+
+  container_definitions = jsonencode([
+    {
+      name   = local.app_name
+      image  = "debian:buster-20230411-slim"
+      cpu    = 1024
+      memory = 2048
+
+      command         = [ "sleep", "3600" ],
+      linuxParameters = {
+        "initProcessEnabled"= true
+      }
+    }
+  ])
+
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = "X86_64"
+  }
+}
+resource "aws_ecs_service" "myapp" {
+  name            = "${local.prefix}-${local.app_name}"
+  cluster         = aws_ecs_cluster.this.id
+  task_definition = aws_ecs_task_definition.myapp.arn
+  desired_count   = 1
+
+  enable_execute_command = true
+
+  launch_type = "FARGATE"
+
+  network_configuration {
+    subnets          = var.private_subnets
+    security_groups  = [aws_security_group.myapp.id]
+    assign_public_ip = false
+  }
+}
+
+resource "aws_iam_role" "ecs_task_role_myapp" {
+  name = "${local.prefix}-ecs-task-role-${local.app_name}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "requirements-for-ecs-exec"
+
+    policy = jsonencode({
+      Version: "2012-10-17",
+      Statement: []
+    })
+  }
+}
+
+resource "aws_security_group" "myapp" {
+  name        = "${local.prefix}-ecs-${local.app_name}"
+  description = "manage rules for ${local.app_name} ecs service"
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+}
+```
+
+We now have a first container running on aws :  
+![cluster-1st-container-running](./img/cluster-1st-container-running.png)  
diff --git a/doc/img/cluster-1st-container-running.png b/doc/img/cluster-1st-container-running.png
diff --git a/terraform/modules/ecs/README.md b/terraform/modules/ecs/README.md
@@ -0,0 +1,3 @@
+# ecs-global
+
+Define common ecs resource like ecs cluster or s3 bucket to store artifacts.  
diff --git a/terraform/modules/ecs/ecs-app.tf b/terraform/modules/ecs/ecs-app.tf
@@ -0,0 +1,41 @@
+resource "aws_ecs_task_definition" "myapp" {
+  family                   = "${local.prefix}-${local.app_name}"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 1024
+  memory                   = 2048
+
+  task_role_arn = aws_iam_role.ecs_task_role_myapp.arn
+
+  container_definitions = jsonencode([
+    {
+      name    = local.app_name
+      image   = "debian:buster-20230411-slim"
+      cpu     = 1024
+      memory  = 2048
+      command = [ "sleep", "3600" ]
+    }
+  ])
+
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = "X86_64"
+  }
+}
+
+resource "aws_ecs_service" "myapp" {
+  name            = "${local.prefix}-${local.app_name}"
+  cluster         = aws_ecs_cluster.this.id
+  task_definition = aws_ecs_task_definition.myapp.arn
+  desired_count   = 1
+
+  enable_execute_command = true
+
+  launch_type = "FARGATE"
+
+  network_configuration {
+    subnets          = var.private_subnets
+    security_groups  = [aws_security_group.myapp.id]
+    assign_public_ip = false
+  }
+}
diff --git a/terraform/modules/ecs/ecs-cluster.tf b/terraform/modules/ecs/ecs-cluster.tf
@@ -0,0 +1,17 @@
+resource "aws_cloudwatch_log_group" "ecs_cluster" {
+  name = "${local.prefix}-ecs-cluster"
+}
+
+resource "aws_ecs_cluster" "this" {
+  name = local.prefix
+
+  configuration {
+    execute_command_configuration {
+      logging = "OVERRIDE"
+
+      log_configuration {
+        cloud_watch_log_group_name = aws_cloudwatch_log_group.ecs_cluster.name
+      }
+    }
+  }
+}
diff --git a/terraform/modules/ecs/iam.tf b/terraform/modules/ecs/iam.tf
@@ -0,0 +1,18 @@
+resource "aws_iam_role" "ecs_task_role_myapp" {
+  name = "${local.prefix}-ecs-task-role-${local.app_name}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
diff --git a/terraform/modules/ecs/locals.tf b/terraform/modules/ecs/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  prefix   = "${var.project_prefix}-${var.env}"
+  app_name = "myapp"
+}
diff --git a/terraform/modules/ecs/network.tf b/terraform/modules/ecs/network.tf
@@ -0,0 +1,13 @@
+resource "aws_security_group" "myapp" {
+  name        = "${local.prefix}-ecs-${local.app_name}"
+  description = "manage rules for ${local.app_name} ecs service"
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+}
diff --git a/terraform/modules/ecs/outputs.tf b/terraform/modules/ecs/outputs.tf
diff --git a/terraform/modules/ecs/variables.tf b/terraform/modules/ecs/variables.tf
@@ -0,0 +1,18 @@
+variable "env" {
+  description = "The env"
+  type        = string
+}
+variable "project_prefix" {
+  description = "The prefix to use for naming resources, used in conjonction with env"
+  type        = string
+  default     = "ec2_ssm"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "The id of the VPC to use"
+}
+variable "private_subnets" {
+  type        = list(string)
+  description = "The list of ids of the private_subnets to use"
+}
diff --git a/terraform/stacks/ecs-with-terraform/main.tf b/terraform/stacks/ecs-with-terraform/main.tf
@@ -15,3 +15,12 @@ module "bastion" {
   subnet_id     = data.aws_subnets.private_selected.ids[0]
   allowed_cidrs = [data.aws_vpc.selected.cidr_block]
 }
+
+module "ecs" {
+  source = "../../modules/ecs"
+
+  project_prefix  = local.prefix
+  env             = var.env
+  vpc_id          = data.aws_vpc.selected.id
+  private_subnets = data.aws_subnets.private_selected.ids
+}