From c5cf2652c6cc8afe527f967923d77c5d72e16088 Mon Sep 17 00:00:00 2001 From: igorkotof Date: Tue, 8 Nov 2022 21:46:29 +0300 Subject: [PATCH 1/3] tested proxy nginx --- ecs-modules/ecs-task/locals.tf | 7 ++ examples/web-nginx-proxy/data.tf | 23 ---- examples/web-nginx-proxy/main.tf | 108 ++++++++++-------- examples/web-nginx-proxy/output.tf | 2 +- .../{simple-prj => proxied-prj}/Dockerfile | 6 +- .../{simple-prj => proxied-prj}/Pipfile | 0 .../{simple-prj => proxied-prj}/Pipfile.lock | 0 .../{simple-prj => proxied-prj}/app.py | 0 .../entrypoint.sh} | 0 .../nginx.conf.template | 4 +- .../proxied-prj/public/style.css | 3 + .../simple-prj/public/index.html | 6 - examples/web-nginx-proxy/variables.tf | 19 +-- examples/web-nginx-proxy/versions.tf | 8 -- 14 files changed, 79 insertions(+), 107 deletions(-) delete mode 100644 examples/web-nginx-proxy/data.tf rename examples/web-nginx-proxy/{simple-prj => proxied-prj}/Dockerfile (77%) rename examples/web-nginx-proxy/{simple-prj => proxied-prj}/Pipfile (100%) rename examples/web-nginx-proxy/{simple-prj => proxied-prj}/Pipfile.lock (100%) rename examples/web-nginx-proxy/{simple-prj => proxied-prj}/app.py (100%) rename examples/web-nginx-proxy/{simple-prj/docker-entrypoint.sh => proxied-prj/entrypoint.sh} (100%) rename examples/web-nginx-proxy/{simple-prj => proxied-prj}/nginx.conf.template (87%) create mode 100644 examples/web-nginx-proxy/proxied-prj/public/style.css delete mode 100644 examples/web-nginx-proxy/simple-prj/public/index.html delete mode 100644 examples/web-nginx-proxy/versions.tf diff --git a/ecs-modules/ecs-task/locals.tf b/ecs-modules/ecs-task/locals.tf index 80f20a4..710411c 100644 --- a/ecs-modules/ecs-task/locals.tf +++ b/ecs-modules/ecs-task/locals.tf 
@@ -148,6 +148,13 @@ locals { "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.ssm_secret_path}/*", "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.ssm_global_secret_path}/*" ] + }, + { + "Action": [ + "kms:Decrypt" + ], + "Effect": "Allow", + "Resource": "*" } ]) } diff --git a/examples/web-nginx-proxy/data.tf b/examples/web-nginx-proxy/data.tf deleted file mode 100644 index b84e92c..0000000 --- a/examples/web-nginx-proxy/data.tf +++ /dev/null @@ -1,23 +0,0 @@ -data "aws_availability_zones" "available" {} -data "aws_caller_identity" "current" {} - -data "aws_ami" "amazon_linux_ecs_generic" { - most_recent = true - - owners = ["amazon"] - - filter { - name = "name" - values = ["amzn2-ami-ecs-hvm-*-x86_64-ebs"] - } - - filter { - name = "owner-alias" - values = ["amazon"] - } -} - -data "aws_route53_zone" "root" { - name = "${var.root_domain_name}." - private_zone = false -} diff --git a/examples/web-nginx-proxy/main.tf b/examples/web-nginx-proxy/main.tf index 9d1ca63..c8962c3 100644 --- a/examples/web-nginx-proxy/main.tf +++ b/examples/web-nginx-proxy/main.tf 
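Review bot: The added statement grants `kms:Decrypt` on `"Resource": "*"` to every task role produced by this module, i.e. decryption with any KMS key in the account whose key policy delegates to IAM, while the SSM statement immediately above it is carefully scoped to `local.ssm_secret_path` and `local.ssm_global_secret_path`. If the intent is decrypting SecureString parameters, only the key backing those parameters is needed: accept a `kms_key_arn` (or list) variable and use it as the resource, or at minimum bind the grant to SSM with `"Condition" = { "StringEquals" = { "kms:ViaService" = "ssm.${data.aws_region.current.name}.amazonaws.com" } }`. The change is also unrelated to the nginx-proxy example in the commit title, so a one-line comment explaining it would help, e.g. `# kms:Decrypt is required to read SSM SecureString parameters encrypted with a customer-managed key`. The enclosing `locals` block and policy document begin before this hunk.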
@@ -1,28 +1,48 @@ +# Versions +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + } + required_version = ">= 1.0" +} + +# Data +data "aws_route53_zone" "root" { + name = "${var.root_domain_name}." + private_zone = false +} + +# Main module "vpc" { source = "registry.terraform.io/terraform-aws-modules/vpc/aws" version = "~> 3.0" name = "${var.env}-vpc" - cidr = "10.30.0.0/16" + cidr = "10.0.0.0/16" azs = [ - "${var.aws_region}a" + "${var.aws_region}a", + "${var.aws_region}b" ] public_subnets = [ - "10.30.10.0/23" + "10.0.10.0/23", + "10.0.12.0/23" ] private_subnets = [ - "10.30.20.0/23" + "10.0.20.0/23" ] + enable_nat_gateway = true + single_nat_gateway = true manage_default_network_acl = true default_network_acl_name = "${var.env}-${var.namespace}" } resource "aws_security_group" "default_permissive" { name = "${var.env}-default-permissive" vpc_id = module.vpc.vpc_id - description = "Managed by Terraform" ingress { protocol = -1 @@ -42,20 +62,12 @@ resource "aws_security_group" "default_permissive" { ] } - tags = { - Terraform = "true" - Env = var.env - Name = "${var.env}-default-permissive" - } } resource "aws_route53_record" "env_ns_record" { zone_id = data.aws_route53_zone.root.id name = "${var.env}.${var.root_domain_name}" type = "NS" - // ttl = "172800" - - // Fast TTL for dev ttl = "60" records = aws_route53_zone.env_domain.name_servers } @@ -64,6 +76,22 @@ resource "aws_route53_zone" "env_domain" { name = "${var.env}.${var.root_domain_name}" } +module "env_acm" { + source = "registry.terraform.io/terraform-aws-modules/acm/aws" + version = "~> 4.0" + + domain_name = "${var.env}.${var.root_domain_name}" + + subject_alternative_names = [ + "*.${var.env}.${var.root_domain_name}" + ] + + zone_id = aws_route53_zone.env_domain.id + + tags = { + Name = "${var.env}.${var.root_domain_name}" + } +} module "ecs" { source = "registry.terraform.io/terraform-aws-modules/ecs/aws" 
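Review bot: The `aws_route53_record.env_ns_record` hunk removes the two comments that explained why the NS delegation uses `ttl = "60"` rather than the conventional 172800, leaving an undocumented magic number on a record where a low TTL mainly increases resolver traffic to the parent zone. Keep the reason on the line, e.g. `ttl = "60" # short TTL so dev re-delegations propagate quickly; use 172800 for stable environments`. The same hunk drops the `description` of `default_permissive` while keeping its `protocol = -1` ingress; the rule's CIDRs are outside the hunk so its width is not visible here, but a group named "permissive" that is handed to a public load balancer later in this file deserves a description stating that it is for examples only.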
@@ -71,55 +99,43 @@ module "ecs" { cluster_name = "${var.env}-${var.namespace}" } -module "web_complete" { +module "web_proxy" { source = "../.." - name = "app" - app_type = "web" - env = var.env - namespace = var.namespace - ecs_cluster_name = local.ecs_cluster_name - - # Proxy enabling - web_proxy_enabled = true + name = "app" + app_type = "web" + env = var.env + namespace = var.namespace + + # Nginx Proxy enabling + web_proxy_enabled = true + # We mount a shared volume to /etc/nginx dir in our container. In order to the web proxy to work - your app must copy(create) Nginx config template to /etc/nginx/templates/default.conf.template. See proxied-prj/entrypoint.sh. - # Image should have some customization, see Dockerfile example at ./simple-prj # Containers - docker_registry = local.docker_registry - image_id = local.image_id - docker_image_tag = local.docker_image_tag - iam_instance_profile = local.iam_instance_profile - key_name = local.key_name + ecs_cluster_name = module.ecs.cluster_name + docker_registry = var.docker_registry + docker_image_name = "322403564058.dkr.ecr.us-west-2.amazonaws.com/nginx-proxy" + docker_image_tag = var.docker_image_tag # Load Balancer public = true + https_enabled = true alb_health_check_path = "/" - alb_security_groups = local.alb_security_groups + alb_security_groups = [aws_security_group.default_permissive.id] tls_cert_arn = local.tls_cert_arn - # EFS settings - efs_enabled = false - efs_mount_point = "/mnt/efs" - efs_root_directory = "/" - # Network - vpc_id = local.vpc_id - public_subnets = local.public_subnets - private_subnets = local.private_subnets - security_groups = local.security_groups - root_domain_name = var.root_domain_name - zone_id = local.zone_id - route53_health_check_enabled = false - domain_names = [ - "app.${var.root_domain_name}" - ] + vpc_id = module.vpc.vpc_id + public_subnets = module.vpc.public_subnets + private_subnets = module.vpc.private_subnets + security_groups = 
[aws_security_group.default_permissive.id] + root_domain_name = var.root_domain_name + zone_id = aws_route53_zone.env_domain.id # Environment variables app_secrets = [ ] environment = { - ENV = var.env - APP_NAME = "App" } } diff --git a/examples/web-nginx-proxy/output.tf b/examples/web-nginx-proxy/output.tf index 12a7c2e..37e533d 100644 --- a/examples/web-nginx-proxy/output.tf +++ b/examples/web-nginx-proxy/output.tf @@ -7,7 +7,7 @@ output "private_subnet_cidrs" { } output "cloudwatch_log_group" { - value = module.web_complete.cloudwatch_log_group + value = module.web_proxy.cloudwatch_log_group } output "ecs_cluster_name" { diff --git a/examples/web-nginx-proxy/simple-prj/Dockerfile b/examples/web-nginx-proxy/proxied-prj/Dockerfile similarity index 77% rename from examples/web-nginx-proxy/simple-prj/Dockerfile rename to examples/web-nginx-proxy/proxied-prj/Dockerfile index 05f4ff0..9fb6630 100644 --- a/examples/web-nginx-proxy/simple-prj/Dockerfile +++ b/examples/web-nginx-proxy/proxied-prj/Dockerfile @@ -19,17 +19,17 @@ RUN set -ex && \ ln -s /usr/bin/python3 /usr/bin/python # Copy files and pipenv -COPY ${PROJECT_PATH}/public/index.html ./public/index.html +COPY ${PROJECT_PATH}/public/style.css ./public/style.css COPY ${PROJECT_PATH}/app.py ./ COPY ${PROJECT_PATH}/Pipfile* ./ COPY ${PROJECT_PATH}/nginx.conf.template ./ -COPY ${PROJECT_PATH}/docker-entrypoint.sh / +COPY ${PROJECT_PATH}/entrypoint.sh / RUN python3 -m pip install pipenv RUN pipenv install --deploy --system -ENTRYPOINT ["/docker-entrypoint.sh"] +ENTRYPOINT ["/entrypoint.sh"] EXPOSE 3000 diff --git a/examples/web-nginx-proxy/simple-prj/Pipfile b/examples/web-nginx-proxy/proxied-prj/Pipfile similarity index 100% rename from examples/web-nginx-proxy/simple-prj/Pipfile rename to examples/web-nginx-proxy/proxied-prj/Pipfile 
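Review bot: `module "web_proxy"` attaches the same `aws_security_group.default_permissive` to both the internet-facing load balancer (`alb_security_groups`, with `public = true`) and the task ENIs (`security_groups`); the group's rules are defined in an earlier hunk and its CIDRs are cut off there, but its name and `protocol = -1` ingress indicate it admits all traffic, so tasks in the private subnets would accept connections from anything that can route to them rather than only from the ALB. Since this is an example users copy verbatim, it should model least privilege: one group for the ALB allowing 80/443 from the internet, and a task group whose ingress references the ALB group, e.g. `ingress { from_port = var.container_port to_port = var.container_port protocol = "tcp" security_groups = [aws_security_group.alb.id] }`, with the two groups passed to `alb_security_groups` and `security_groups` respectively. The Dockerfile hunk on this line shows the proxied app on `EXPOSE 3000`, but the nginx proxy container's listening port is not visible here, so the port value needs confirming against the module. The module block begins in the previous hunk line.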
diff --git a/examples/web-nginx-proxy/simple-prj/Pipfile.lock b/examples/web-nginx-proxy/proxied-prj/Pipfile.lock similarity index 100% rename from examples/web-nginx-proxy/simple-prj/Pipfile.lock rename to examples/web-nginx-proxy/proxied-prj/Pipfile.lock diff --git a/examples/web-nginx-proxy/simple-prj/app.py b/examples/web-nginx-proxy/proxied-prj/app.py similarity index 100% rename from examples/web-nginx-proxy/simple-prj/app.py rename to examples/web-nginx-proxy/proxied-prj/app.py diff --git a/examples/web-nginx-proxy/simple-prj/docker-entrypoint.sh b/examples/web-nginx-proxy/proxied-prj/entrypoint.sh similarity index 100% rename from examples/web-nginx-proxy/simple-prj/docker-entrypoint.sh rename to examples/web-nginx-proxy/proxied-prj/entrypoint.sh diff --git a/examples/web-nginx-proxy/simple-prj/nginx.conf.template b/examples/web-nginx-proxy/proxied-prj/nginx.conf.template similarity index 87% rename from examples/web-nginx-proxy/simple-prj/nginx.conf.template rename to examples/web-nginx-proxy/proxied-prj/nginx.conf.template index 7758fa0..731aa94 100755 --- a/examples/web-nginx-proxy/simple-prj/nginx.conf.template +++ b/examples/web-nginx-proxy/proxied-prj/nginx.conf.template @@ -1,7 +1,7 @@ client_max_body_size 20M; upstream app { - # Puma socket, as defined previously + # Application server socket, as defined previously server ${APP_HOST} fail_timeout=10; } @@ -16,7 +16,7 @@ server { add_header Cache-Control public; } - try_files $uri/index.html $uri @app; + try_files $uri @app; location @app { proxy_pass http://app; diff --git a/examples/web-nginx-proxy/proxied-prj/public/style.css b/examples/web-nginx-proxy/proxied-prj/public/style.css new file mode 100644 index 0000000..d3281f6 --- /dev/null +++ b/examples/web-nginx-proxy/proxied-prj/public/style.css @@ -0,0 +1,3 @@ +body { + background-color: powderblue; +} \ No newline at end of file 
diff --git a/examples/web-nginx-proxy/simple-prj/public/index.html b/examples/web-nginx-proxy/simple-prj/public/index.html deleted file mode 100644 index 5dc9f8f..0000000 --- a/examples/web-nginx-proxy/simple-prj/public/index.html +++ /dev/null @@ -1,6 +0,0 @@ - - -

It Works!

-

You are using Proxy for ECS application.

- - \ No newline at end of file diff --git a/examples/web-nginx-proxy/variables.tf b/examples/web-nginx-proxy/variables.tf index f6e4a0d..b3ee255 100644 --- a/examples/web-nginx-proxy/variables.tf +++ b/examples/web-nginx-proxy/variables.tf @@ -1,28 +1,11 @@ locals { - env = var.env - namespace = var.namespace - - public_subnets = module.vpc.public_subnets - private_subnets = module.vpc.private_subnets - vpc_id = module.vpc.vpc_id - security_groups = [aws_security_group.default_permissive.id] - alb_security_groups = [aws_security_group.default_permissive.id] - root_domain_name = var.root_domain_name - zone_id = aws_route53_zone.env_domain.id - - image_id = data.aws_ami.amazon_linux_ecs_generic.id - docker_registry = var.docker_registry - docker_image_tag = var.docker_image_tag - - ecs_cluster_name = module.ecs.cluster_name - tls_cert_arn = length(module.env_acm.acm_certificate_arn) > 0 ? module.env_acm.acm_certificate_arn : null + tls_cert_arn = length(module.env_acm.acm_certificate_arn) > 0 ? module.env_acm.acm_certificate_arn : null } variable "env" {} variable "namespace" {} variable "aws_profile" {} variable "aws_region" {} -variable "ssh_public_key" {} variable "docker_registry" {} variable "docker_image_tag" {} variable "root_domain_name" {} diff --git a/examples/web-nginx-proxy/versions.tf b/examples/web-nginx-proxy/versions.tf deleted file mode 100644 index 70c797c..0000000 --- a/examples/web-nginx-proxy/versions.tf +++ /dev/null @@ -1,8 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - } - } - required_version = ">= 1.0" -} From 7932d37462b1be08864230145f6da10bac09f20f Mon Sep 17 00:00:00 2001 From: igorkotof Date: Tue, 8 Nov 2022 21:49:04 +0300 Subject: [PATCH 2/3] style --- ecs-modules/ecs-task/locals.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ecs-modules/ecs-task/locals.tf b/ecs-modules/ecs-task/locals.tf index 710411c..9644ba8 100644 --- a/ecs-modules/ecs-task/locals.tf 
+++ b/ecs-modules/ecs-task/locals.tf @@ -121,11 +121,11 @@ locals { "Resource" = "*" }, { - "Effect" : "Allow", - "Action" : [ + "Effect" = "Allow", + "Action" = [ "firehose:PutRecordBatch" ], - "Resource" : [ + "Resource" = [ "*" ] }, @@ -150,11 +150,11 @@ locals { ] }, { - "Action": [ + "Action" = [ "kms:Decrypt" ], - "Effect": "Allow", - "Resource": "*" + "Effect" = "Allow", + "Resource" = "*" } ]) } From d4a7d4b21bbe3cc0429f74859ef51999847718b0 Mon Sep 17 00:00:00 2001 From: igorkotof Date: Tue, 8 Nov 2022 22:34:01 +0300 Subject: [PATCH 3/3] clear code --- examples/web-nginx-proxy/main.tf | 20 +------------------- examples/web-nginx-proxy/variables.tf | 4 ---- 2 files changed, 1 insertion(+), 23 deletions(-) diff --git a/examples/web-nginx-proxy/main.tf b/examples/web-nginx-proxy/main.tf index c8962c3..3584e0d 100644 --- a/examples/web-nginx-proxy/main.tf +++ b/examples/web-nginx-proxy/main.tf @@ -76,23 +76,6 @@ resource "aws_route53_zone" "env_domain" { name = "${var.env}.${var.root_domain_name}" } -module "env_acm" { - source = "registry.terraform.io/terraform-aws-modules/acm/aws" - version = "~> 4.0" - - domain_name = "${var.env}.${var.root_domain_name}" - - subject_alternative_names = [ - "*.${var.env}.${var.root_domain_name}" - ] - - zone_id = aws_route53_zone.env_domain.id - - tags = { - Name = "${var.env}.${var.root_domain_name}" - } -} - module "ecs" { source = "registry.terraform.io/terraform-aws-modules/ecs/aws" version = "~> 4.0" @@ -114,12 +97,11 @@ module "web_proxy" { # Containers ecs_cluster_name = module.ecs.cluster_name docker_registry = var.docker_registry - docker_image_name = "322403564058.dkr.ecr.us-west-2.amazonaws.com/nginx-proxy" docker_image_tag = var.docker_image_tag # Load Balancer public = true - https_enabled = true + https_enabled = false alb_health_check_path = "/" alb_security_groups = [aws_security_group.default_permissive.id] tls_cert_arn = local.tls_cert_arn 
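Review bot: After this patch the context line `tls_cert_arn = local.tls_cert_arn` at the end of the `web_proxy` hunk refers to a local that the same commit deletes — the variables.tf hunk removes the `locals { tls_cert_arn = … }` block together with `module "env_acm"` — so `terraform validate` should fail with an undeclared-local error unless `tls_cert_arn` is defined somewhere else in the example. Either remove the argument or set `tls_cert_arn = null` explicitly. Setting `https_enabled = false` also turns the example into an internet-facing ALB serving plain HTTP; if that is deliberate for a quick test, say so next to it, e.g. `# HTTP only for this example; for real deployments set https_enabled = true and supply an ACM cert via tls_cert_arn`, because readers deploy examples as-is. `module "web_proxy"` starts before this hunk.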
diff --git a/examples/web-nginx-proxy/variables.tf b/examples/web-nginx-proxy/variables.tf index b3ee255..97ce6c3 100644 --- a/examples/web-nginx-proxy/variables.tf +++ b/examples/web-nginx-proxy/variables.tf @@ -1,7 +1,3 @@ -locals { - tls_cert_arn = length(module.env_acm.acm_certificate_arn) > 0 ? module.env_acm.acm_certificate_arn : null -} - variable "env" {} variable "namespace" {} variable "aws_profile" {}