StayWell · Jan 10, 2025 · Jan 10, 2025 · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025
Showing with 188 additions and 278 deletions.

+4 −95 alb.tf

+4 −0 data.tf

+50 −62 ecs.tf

+5 −10 outputs.tf

+0 −101 rds.tf

+70 −0 sg.tf

+55 −10 variables.tf
diff --git a/alb.tf b/alb.tf
@@ -1,22 +1,18 @@
 resource "aws_lb" "this" {
+  count = var.create_alb ? 1 : 0
+
   name_prefix     = "mb-"
   security_groups = ["${aws_security_group.alb.id}"]
   subnets         = tolist(var.public_subnet_ids)
   tags            = var.tags
 
-  access_logs {
-    bucket  = aws_s3_bucket.this.bucket
-    enabled = true
-  }
-
   lifecycle {
     create_before_destroy = true
   }
 }
 
 resource "aws_lb_listener" "http" {
-  load_balancer_arn = aws_lb.this.arn
-  depends_on        = [aws_lb.this] # https://github.com/terraform-providers/terraform-provider-aws/issues/9976
+  load_balancer_arn = var.alb_arn != "" ? var.alb_arn : aws_lb.this[0].arn
   port              = "80"
   protocol          = "HTTP"
 
@@ -36,8 +32,7 @@ resource "aws_lb_listener" "http" {
 }
 
 resource "aws_lb_listener" "https" {
-  load_balancer_arn = aws_lb.this.arn
-  depends_on        = [aws_lb.this] # https://github.com/terraform-providers/terraform-provider-aws/issues/9976
+  load_balancer_arn = var.alb_arn != "" ? var.alb_arn : aws_lb.this[0].arn
   port              = "443"
   protocol          = "HTTPS"
   ssl_policy        = var.ssl_policy
@@ -57,89 +52,3 @@ resource "aws_lb_listener" "https" {
     create_before_destroy = true
   }
 }
-
-resource "aws_s3_bucket" "this" {
-  bucket_prefix = "mb-"
-  acl           = "private"
-  force_destroy = ! var.protection
-  tags          = var.tags
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
-
-  lifecycle_rule {
-    enabled = true
-
-    expiration {
-      days = var.log_retention
-    }
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.s3.json
-}
-
-data "aws_elb_service_account" "this" {}
-
-data "aws_iam_policy_document" "s3" {
-  statement {
-    actions   = ["s3:PutObject"]
-    resources = ["${aws_s3_bucket.this.arn}/*"]
-
-    principals {
-      type        = "AWS"
-      identifiers = [data.aws_elb_service_account.this.arn]
-    }
-  }
-}
-
-resource "aws_security_group" "alb" {
-  name_prefix = "${var.id}-alb-"
-  vpc_id      = var.vpc_id
-  tags        = var.tags
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_security_group_rule" "alb_egress_ecs" {
-  description              = "ECS"
-  type                     = "egress"
-  from_port                = 0
-  to_port                  = 0
-  protocol                 = "-1"
-  security_group_id        = aws_security_group.alb.id
-  source_security_group_id = aws_security_group.ecs.id
-}
-
-resource "aws_security_group_rule" "alb_ingress_http" {
-  description       = "Internet"
-  type              = "ingress"
-  from_port         = 80
-  to_port           = 80
-  protocol          = "tcp"
-  security_group_id = aws_security_group.alb.id
-  cidr_blocks       = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "alb_ingress_https" {
-  description       = "Internet"
-  type              = "ingress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  security_group_id = aws_security_group.alb.id
-  cidr_blocks       = ["0.0.0.0/0"]
-}
diff --git a/data.tf b/data.tf
@@ -0,0 +1,4 @@
+data "aws_ecs_cluster" "this" {
+  count        = var.create_cluster ? 0 : 1
+  cluster_name = var.cluster_name
+}
diff --git a/ecs.tf b/ecs.tf
@@ -1,14 +1,26 @@
 resource "aws_ecs_cluster" "this" {
-  name               = var.id
-  capacity_providers = ["FARGATE"]
-  tags               = var.tags
+  count = var.create_cluster ? 1 : 0
+  name  = var.cluster_name
+  tags  = var.tags
 
   setting {
     name  = "containerInsights"
     value = "enabled"
   }
 }
 
+resource "aws_ecs_cluster_capacity_providers" "this" {
+  cluster_name = var.cluster_name
+
+  capacity_providers = ["FARGATE"]
+
+  default_capacity_provider_strategy {
+    base              = 1
+    weight            = 100
+    capacity_provider = "FARGATE"
+  }
+}
+
 resource "aws_ecs_task_definition" "this" {
   family                   = var.id
   container_definitions    = jsonencode(local.container)
@@ -22,17 +34,17 @@ resource "aws_ecs_task_definition" "this" {
 
 resource "aws_ecs_service" "this" {
   name                              = var.id
-  cluster                           = aws_ecs_cluster.this.id
+  cluster                           = var.create_cluster ? aws_ecs_cluster.this[0].id : data.aws_ecs_cluster.this[0].id
   task_definition                   = aws_ecs_task_definition.this.arn
   desired_count                     = var.desired_count
   launch_type                       = "FARGATE"
   propagate_tags                    = "SERVICE"
-  health_check_grace_period_seconds = 30
+  health_check_grace_period_seconds = 600
   depends_on                        = [aws_lb_listener_rule.this]
   tags                              = var.tags
 
   load_balancer {
-    target_group_arn = aws_lb_target_group.this.id
+    target_group_arn = aws_lb_target_group.this.arn
     container_name   = local.container[0].name
     container_port   = local.container[0].portMappings[0].containerPort
   }
@@ -53,13 +65,6 @@ locals {
       essential   = true
       environment = concat(local.environment, var.environment)
 
-      secrets = [
-        {
-          name      = "MB_DB_PASS"
-          valueFrom = aws_ssm_parameter.this.name
-        },
-      ]
-
       portMappings = [
         {
           containerPort = 3000
@@ -75,34 +80,50 @@ locals {
           awslogs-stream-prefix = "ecs"
         }
       }
+
+      healthCheck = {
+        command     = ["CMD-SHELL", "curl -f http://localhost:3000/api/health || exit 1"]
+        interval    = 30
+        timeout     = 5
+        retries     = 3
+        startPeriod = 60
+      }
     }
   ]
 
   environment = [
+    {
+      name  = "MB_JETTY_HOST"
+      value = "0.0.0.0"
+    },
     {
       name  = "JAVA_TIMEZONE"
       value = var.java_timezone
     },
     {
       name  = "MB_DB_TYPE"
-      value = "mysql"
+      value = "postgres"
     },
     {
       name  = "MB_DB_DBNAME"
-      value = aws_rds_cluster.this.database_name
+      value = var.db_dbname
     },
     {
       name  = "MB_DB_PORT"
-      value = tostring(aws_rds_cluster.this.port)
+      value = var.db_port
     },
     {
       name  = "MB_DB_USER"
-      value = aws_rds_cluster.this.master_username
+      value = var.db_user
     },
     {
       name  = "MB_DB_HOST"
-      value = aws_rds_cluster.this.endpoint
+      value = var.db_host
     },
+    {
+      name  = "MB_DB_PASS"
+      value = var.db_pass
+    }
   ]
 }
 
@@ -146,7 +167,15 @@ resource "aws_lb_target_group" "this" {
   tags        = var.tags
 
   health_check {
-    path = "/"
+    enabled             = true
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 5
+    interval            = 30
+    path                = "/api/health"
+    matcher             = "200"
+    port                = "traffic-port"
+    protocol            = "HTTP"
   }
 }
 
@@ -171,8 +200,8 @@ resource "aws_route53_record" "this" {
   zone_id = var.zone_id
 
   alias {
-    name                   = aws_lb.this.dns_name
-    zone_id                = aws_lb.this.zone_id
+    name                   = var.alb_dns_name != "" ? var.alb_dns_name : aws_lb.this[0].dns_name
+    zone_id                = var.alb_zone_id != "" ? var.alb_zone_id : aws_lb.this[0].zone_id
     evaluate_target_health = false
   }
 }
@@ -182,44 +211,3 @@ resource "aws_cloudwatch_log_group" "this" {
   retention_in_days = var.log_retention
   tags              = var.tags
 }
-
-resource "aws_security_group" "ecs" {
-  name_prefix = "${var.id}-ecs-"
-  vpc_id      = var.vpc_id
-  tags        = var.tags
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_security_group_rule" "ecs_egress_internet" {
-  count             = var.internet_egress ? 1 : 0
-  description       = "Internet"
-  type              = "egress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  security_group_id = aws_security_group.ecs.id
-  cidr_blocks       = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "ecs_egress_rds" {
-  description              = "ALB"
-  type                     = "egress"
-  from_port                = 0
-  to_port                  = 0
-  protocol                 = "-1"
-  security_group_id        = aws_security_group.ecs.id
-  source_security_group_id = aws_security_group.rds.id
-}
-
-resource "aws_security_group_rule" "ecs_ingress_alb" {
-  description              = "ALB"
-  type                     = "ingress"
-  from_port                = 0
-  to_port                  = 0
-  protocol                 = "-1"
-  security_group_id        = aws_security_group.ecs.id
-  source_security_group_id = aws_security_group.alb.id
-}
diff --git a/outputs.tf b/outputs.tf
@@ -1,13 +1,3 @@
-output "rds_security_group_id" {
-  description = "https://www.terraform.io/docs/providers/aws/r/security_group.html#id"
-  value       = aws_security_group.rds.id
-}
-
-output "rds_port" {
-  description = "https://www.terraform.io/docs/providers/aws/r/rds_cluster.html#port-1"
-  value       = aws_rds_cluster.this.port
-}
-
 output "listener_arn" {
   description = "https://www.terraform.io/docs/providers/aws/r/lb_listener.html#arn"
   value       = aws_lb_listener.https.arn
@@ -17,3 +7,8 @@ output "target_group_arn" {
   description = "https://www.terraform.io/docs/providers/aws/r/lb_target_group.html#arn"
   value       = aws_lb_target_group.this.arn
 }
+
+output "security_group_id" {
+  description = "https://www.terraform.io/docs/providers/aws/r/security_group.html#id"
+  value       = aws_security_group.ecs.id
+}
diff --git a/rds.tf b/rds.tf
diff --git a/sg.tf b/sg.tf
@@ -0,0 +1,70 @@
+resource "aws_security_group" "alb" {
+  name_prefix = "${var.id}-alb-"
+  vpc_id      = var.vpc_id
+  tags        = var.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "alb_egress_ecs" {
+  description              = "ECS"
+  type                     = "egress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.alb.id
+  source_security_group_id = aws_security_group.ecs.id
+}
+
+resource "aws_security_group_rule" "alb_ingress_http" {
+  description       = "Internet"
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  security_group_id = aws_security_group.alb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "alb_ingress_https" {
+  description       = "Internet"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.alb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group" "ecs" {
+  name_prefix = "${var.id}-ecs-"
+  vpc_id      = var.vpc_id
+  tags        = var.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "ecs_egress_internet" {
+  count             = var.internet_egress ? 1 : 0
+  description       = "Internet"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.ecs.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "ecs_ingress_alb" {
+  description              = "ALB"
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.ecs.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,33 @@
+variable "create_cluster" {
+  description = "(Optional) Create an ECS cluster"
+  default     = true
+}
+
+variable "cluster_name" {
+  description = "(Optional) Name of the ECS cluster"
+  default     = "metabase"
+}
+
+variable "create_alb" {
+  description = "(Optional) Create an ALB"
+  default     = true
+}
+
+variable "alb_arn" {
+  description = "(Optional) ARN of an existing ALB to use"
+  default     = ""
+}
+
+variable "alb_dns_name" {
+  description = "(Optional) DNS name of an existing ALB to use"
+  default     = ""
+}
+
+variable "alb_zone_id" {
+  description = "(Optional) Zone ID of an existing ALB to use"
+  default     = ""
+}
+
 variable "private_subnet_ids" {
   description = "(Required) IDs of the subnets to which the services and database will be deployed"
 }
@@ -22,6 +52,31 @@ variable "vpc_id" {
   description = "(Required) https://www.terraform.io/docs/providers/aws/r/security_group.html#vpc_id"
 }
 
+variable "db_dbname" {
+  description = "(Required) https://www.metabase.com/docs/latest/operations-guide/environment-variables.html#mb_db_dbname"
+  default     = "metabase"
+}
+
+variable "db_host" {
+  description = "(Required) https://www.metabase.com/docs/latest/operations-guide/environment-variables.html#mb_db_host"
+  default     = "metabase-db"
+}
+
+variable "db_port" {
+  description = "(Required) https://www.metabase.com/docs/latest/operations-guide/environment-variables.html#mb_db_port"
+  default     = "5432"
+}
+
+variable "db_user" {
+  description = "(Required) https://www.metabase.com/docs/latest/operations-guide/environment-variables.html#mb_db_user"
+  default     = "metabase"
+}
+
+variable "db_pass" {
+  description = "(Required) https://www.metabase.com/docs/latest/operations-guide/environment-variables.html#mb_db_pass"
+  default     = "metabase"
+}
+
 variable "id" {
   description = "(Optional) Unique identifier for naming resources"
   default     = "metabase"
@@ -91,13 +146,3 @@ variable "java_timezone" {
   description = "(Optional) https://www.metabase.com/docs/v0.21.1/operations-guide/running-metabase-on-docker.html#setting-the-java-timezone"
   default     = "US/Pacific"
 }
-
-variable "db_cluster_parameter_group_name" {
-  description = "(Optional) https://www.terraform.io/docs/providers/aws/r/rds_cluster.html#db_cluster_parameter_group_name"
-  default     = ""
-}
-
-variable "auto_pause" {
-  description = "(Optional) https://www.terraform.io/docs/providers/aws/r/rds_cluster.html#auto_pause"
-  default     = false
-}