ECS cluster + VPC + NAT gateway + Internet Gateway

Terraform

Elastic Container Service (ECS) cluster with a VPC, NAT Gateway, Internet Gateway and a custom domain with SSL (the domain needs to be associated manually), provisioned with Terraform.

See API Docs for reference.

Note

Part of this project was based on Cleber Gasparotto's repository. Check his YouTube Channel for more content.

The provisioned resources follow the diagram below (created by Cleber Gasparotto):

Architecture

Stack

Important

Check the pricing of the resources before deploying them. ECS Fargate Cluster and NAT Gateway are not free.

You will be charged for Elastic IPs, NAT Gateway and the resources running on the ECS Cluster.

  • ECS Fargate Cluster (free, pay-per-use) - service and task definition are not included, read the ECS module documentation
  • VPC (CIDR block fixed to the 10.0.0.0/16 range to keep this project easy to manage, change it if needed)
    • Subnets - 2 Availability Zones with 1 public subnet + 1 private subnet each
    • Security Groups
    • Route Tables
    • Internet Gateway
    • NAT Gateway (1 per Availability Zone)
    • Elastic IP (1 per NAT Gateway)
  • Amazon Certificate Manager
    • Custom SSL Certificate

Resource groups

Check all resources created by this project using Resource Groups & Tag Editor on AWS Console.

This project applies the following tags to all resources:

  • Name - A friendly name for the resource
  • ServiceName - The name of the service
  • Service - The name of the service + stage (e.g. my-service-dev)
  • Stage - The stage of the service (e.g. dev, prod)

Check the default_tags map on provider.tf file.

Region

This stack was created using us-east-1 as the default region. You can change it by passing the region as a variable.

Warning

Not tested in other regions, and some resources may not be available in all regions.

VPC + subnets

Note

VPC CIDR block: 10.0.0.0/16

The VPC will be created with the following subnets:

  • Availability Zone 1 (us-east-1a)
    • Public Subnet (CIDR block: 10.0.0.0/20)
    • Private Subnet (CIDR block: 10.0.128.0/20)
  • Availability Zone 2 (us-east-1b)
    • Public Subnet (CIDR block: 10.0.16.0/20)
    • Private Subnet (CIDR block: 10.0.144.0/20)

To change CIDR blocks or edit other settings, go to the following module folders:

Security Groups

  • default
    • Allow all outbound traffic from the VPC
    • Allow all inbound traffic from the VPC
  • cluster_from_internet_to_alb
    • Allow inbound traffic from the Internet to the Application Load Balancer (ports 80, 443 and 3000)
    • Allow outbound traffic to the Internet
  • cluster_from_alb_to_ecs
    • Allow inbound traffic from the Application Load Balancer to the ECS Cluster
    • Allow outbound traffic to the Internet
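The two cluster security groups described above, written out as an added example (not the project's own code) to show the point that matters: the ECS group admits traffic from the ALB's security group rather than from a CIDR, so tasks are reachable only through the load balancer. Assumed names: aws_vpc.main and var.container_port.

```hcl
# Added example, not the project's own code. Assumed names: aws_vpc.main,
# var.container_port. Shows the ALB-to-ECS hop as a security-group
# reference rather than a CIDR, so only the ALB can reach the tasks.
resource "aws_security_group" "cluster_from_internet_to_alb" {
  name   = "cluster_from_internet_to_alb"
  vpc_id = aws_vpc.main.id

  # Listener ports the README opens to the Internet.
  dynamic "ingress" {
    for_each = [80, 443, 3000]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "cluster_from_alb_to_ecs" {
  name   = "cluster_from_alb_to_ecs"
  vpc_id = aws_vpc.main.id

  # Inbound only from the ALB's security group: no CIDR, so a task is
  # unreachable even from other hosts inside 10.0.0.0/16.
  ingress {
    from_port       = var.container_port
    to_port         = var.container_port
    protocol        = "tcp"
    security_groups = [aws_security_group.cluster_from_internet_to_alb.id]
  }

  # Outbound to the Internet via the NAT gateway (image pulls, APIs).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

A quick check after apply: the ECS group's inbound rule should list the ALB group's ID as its source and no CIDR at all.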

Requirements

  • Before starting, you need to have a Route53 hosted zone in your AWS account.

Usage

  1. Clone this repository
  2. Install Terraform
  3. Create a terraform.tfvars and define the variables values (check the terraform.tfvars.example for reference)
  4. Run the following commands:

     terraform init
     terraform plan
     terraform apply

Own domain

To use your own domain, go to Route 53 and create an alias record for the Application Load Balancer (ALB).

  • Record name: choose-a-domain.your-domain.com (use the same domain you used on the ACM certificate)
  • Record type: A - Routes traffic to an IPv4 address and some AWS resources
  • Alias: Yes
  • Route traffic to: Alias to Application and Classic Load Balancer
    • Region: us-east-1 (or the region you are using)
    • Select the ALB created by this project
  • Routing policy: Simple
  • Evaluate target health: Yes
  • Save the record