LRNT-019: Adjusting memory and CPU

Signed-off-by: Ulises Tirado Zatarain <[email protected]>
zatarain · Apr 28, 2024 · efdff1b · efdff1b
1 parent c850a7a
commit efdff1b
Show file tree

Hide file tree

Showing 6 changed files with 214 additions and 182 deletions.
diff --git a/portfolio/container-definition.json.tpl b/portfolio/container-definition.json.tpl
@@ -1,7 +1,7 @@
 {
 	"name": "${CONTAINER}",
 	"essential": true,
-	"memory": 512,
+	"memory": 384,
 	"cpu": 256,
 	"image": "${IMAGE}:${TAG}",
 	"environment": ${ENVIRONMENT},
@@ -12,6 +12,7 @@
 			"hostPort": ${PORT}
 		}
 	],
+	"logConfiguration": ${LOGS},
 	"linuxParameters": {
 		"initProcessEnabled": true
 	}

diff --git a/portfolio/ecs-nodes.tf b/portfolio/ecs-nodes.tf
@@ -27,15 +27,15 @@ resource "aws_iam_instance_profile" "ecs-node" {
 }
 
 # --- ECS Launch Template ---
-
+/**
 data "aws_ssm_parameter" "ecs-image" {
   name = "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
 }
 
 resource "aws_launch_template" "ecs-instance" {
   name_prefix            = "ecs-instance-"
   image_id               = data.aws_ssm_parameter.ecs-image.value
-  instance_type          = "t2.micro"
+  instance_type          = "t3.micro"
   vpc_security_group_ids = [aws_security_group.node-output.id]
 
   iam_instance_profile {
@@ -110,3 +110,4 @@ resource "aws_ecs_cluster_capacity_providers" "portfolio" {
     weight            = 100
   }
 }
+/**/
diff --git a/portfolio/main.tf b/portfolio/main.tf
@@ -1,195 +1,25 @@
-resource "aws_ecr_repository" "image" {
-  name = var.name
-}
-
 resource "aws_ecs_cluster" "portfolio" {
   name = var.name
 }
 
-locals {
-  api_container = "${var.prefix}-api-run"
-  web_container = "${var.prefix}-web-run"
-  postgres_user = one(aws_db_instance.postgres.master_user_secret)
-}
-
-data "template_file" "api" {
-  template = file("${path.module}/container-definition.json.tpl")
-  vars = {
-    CONTAINER = local.api_container
-    IMAGE     = replace(aws_ecr_repository.image.repository_url, "https://", "")
-    TAG       = "back-end"
-    PORT      = 3000
-    ENVIRONMENT = jsonencode([
-      {
-        name  = "AWS_ENVIRONMENT"
-        value = terraform.workspace
-      },
-			{
-				name  = "AWS_REGION"
-				value = "eu-west-1"
-			},
-			{
-				name  = "RAILS_ENV"
-				value = "production"
-			},
-      {
-        name  = "INSTAGRAM_REDIRECT_URI"
-        value = "https://${var.domain}"
-      },
-      {
-        name  = "POSTGRES_HOST"
-        value = aws_db_instance.postgres.address
-      },
-      {
-        name  = "POSTGRES_PORT"
-        value = tostring(aws_db_instance.postgres.port)
-      },
-    ])
-    SECRETS = jsonencode([
-      {
-        name  = "INSTAGRAM_CLIENT_ID"
-        valueFrom = "${aws_secretsmanager_secret.instagram.arn}:id::"
-      },
-      {
-        name  = "INSTAGRAM_CLIENT_SECRET"
-        valueFrom = "${aws_secretsmanager_secret.instagram.arn}:key::"
-      },
-      {
-        name  = "INSTAGRAM_ACCESS_TOKEN"
-        valueFrom = "${aws_secretsmanager_secret.instagram.arn}:token::"
-      },
-      {
-        name  = "POSTGRES_USERNAME"
-        valueFrom = "${local.postgres_user.secret_arn}:username::"
-      },
-      {
-        name  = "POSTGRES_PASSWORD"
-        valueFrom = "${local.postgres_user.secret_arn}:password::"
-      },
-    ])
-  }
-}
-
-resource "aws_iam_role" "task-runner" {
-  name               = "${var.prefix}-task-runner"
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
-}
-
-data "aws_iam_policy_document" "assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["ecs-tasks.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role_policy_attachment" "task-runner-policy" {
-  role       = aws_iam_role.task-runner.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-}
-
-resource "aws_iam_role" "task-command-executor" {
-  name               = "${var.prefix}-task-command-executor"
-  assume_role_policy = data.aws_iam_policy_document.command-executor.json
-}
-
-data "aws_iam_policy_document" "command-executor" {
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["ecs-tasks.amazonaws.com"]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "secrets-manager-access" {
-  statement {
-    actions = ["secretsmanager:GetSecretValue"]
-    resources = [
-      aws_secretsmanager_secret.instagram.arn,
-      local.postgres_user.secret_arn,
-    ]
-  }
-}
-
-resource "aws_iam_policy" "secrets-access" {
-  name   = "PortfolioSecretsAccess"
-  path   = "/"
-  policy = data.aws_iam_policy_document.secrets-manager-access.json
-}
-
-resource "aws_iam_role_policy_attachment" "task-command-executor-policy" {
-  role       = aws_iam_role.task-command-executor.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-}
-
-resource "aws_iam_role_policy_attachment" "task-executor-access-to-s3" {
-  role       = aws_iam_role.task-command-executor.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+resource "aws_cloudwatch_log_group" "portfolio" {
+  name              = "/ecs/demo"
+  retention_in_days = 1
 }
 
-resource "aws_iam_role_policy_attachment" "task-executor-access-to-secrets" {
-  role       = aws_iam_role.task-runner.name
-  policy_arn = aws_iam_policy.secrets-access.arn
-}
-
-data "template_file" "web" {
-  template = file("${path.module}/container-definition.json.tpl")
-  vars = {
-    CONTAINER = local.web_container
-    IMAGE     = replace(aws_ecr_repository.image.repository_url, "https://", "")
-    TAG       = "front-end"
-    PORT      = 5000
-    ENVIRONMENT = jsonencode([
-      {
-        name = "AWS_ENVIRONMENT"
-        value = terraform.workspace
-      },
-			{
-				name= "API_URL",
-				value= "https://api.${var.domain}"
-			},
-			{
-				name= "NODE_ENV",
-				value= "production"
-			},
-    ])
-    SECRETS = jsonencode([])
-  }
-}
-
-data "template_file" "task-definition" {
-  template = file("${path.module}/task-definition.json.tpl")
-  vars = {
-    SERVICE = data.template_file.api.rendered
-    WEBSITE = data.template_file.web.rendered
-  }
-}
-
-resource "aws_ecs_task_definition" "website-run" {
-  family                   = var.name    # Naming our task
-  container_definitions    = data.template_file.task-definition.rendered
-  requires_compatibilities = ["EC2"]     # Stating that we are using EC2 Instances as ECS Nodes
-  network_mode             = "awsvpc"    # Using awsvpc as our network mode as this is required for Fargate
-  memory                   = 2048        # Specifying the memory our swarm requires
-  cpu                      = 1024        # Specifying the CPU our swarm requires
-  execution_role_arn       = aws_iam_role.task-runner.arn
-  task_role_arn            = aws_iam_role.task-command-executor.arn
-}
 
+/**
 resource "aws_ecs_service" "website" {
   name    = "${var.prefix}-website"
   cluster = aws_ecs_cluster.portfolio.id
 
   # Referencing the task our service will spin up
   task_definition        = aws_ecs_task_definition.website-run.arn
   enable_execute_command = true
-  desired_count          = 2
+  desired_count          = 1
+
+  # Prevent premature shutdown
+  health_check_grace_period_seconds = 300
 
   # Capacity and Life cycle
   capacity_provider_strategy {
@@ -221,11 +51,12 @@ resource "aws_ecs_service" "website" {
   }
 
   network_configuration {
-    assign_public_ip = true
+    # assign_public_ip = true
     subnets          = var.subnets
 
     security_groups = [
       var.alb-access.id,
     ]
   }
 }
+/**/
diff --git a/portfolio/roles.tf b/portfolio/roles.tf
@@ -0,0 +1,67 @@
+resource "aws_iam_role" "task-runner" {
+  name               = "${var.prefix}-task-runner"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "task-runner-policy" {
+  role       = aws_iam_role.task-runner.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role" "task-command-executor" {
+  name               = "${var.prefix}-task-command-executor"
+  assume_role_policy = data.aws_iam_policy_document.command-executor.json
+}
+
+data "aws_iam_policy_document" "command-executor" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "secrets-manager-access" {
+  statement {
+    actions = ["secretsmanager:GetSecretValue"]
+    resources = [
+      aws_secretsmanager_secret.instagram.arn,
+      local.postgres_user.secret_arn,
+    ]
+  }
+}
+
+resource "aws_iam_policy" "secrets-access" {
+  name   = "PortfolioSecretsAccess"
+  path   = "/"
+  policy = data.aws_iam_policy_document.secrets-manager-access.json
+}
+
+resource "aws_iam_role_policy_attachment" "task-command-executor-policy" {
+  role       = aws_iam_role.task-command-executor.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy_attachment" "task-executor-access-to-s3" {
+  role       = aws_iam_role.task-command-executor.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "task-executor-access-to-secrets" {
+  role       = aws_iam_role.task-runner.name
+  policy_arn = aws_iam_policy.secrets-access.arn
+}