Module first commit

Author: helderklemp

TODO.md

@@ -0,0 +1,3 @@
+- change to launch template
+- add spot
+- dns records

_data.tf

@@ -0,0 +1,19 @@
+data "aws_ami" "amzn" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-*"]
+  }
+
+  name_regex = ".+-amazon-ecs-optimized$"
+}
+
+data "aws_caller_identity" "current" {}
+
+#-------
+# KMS
+data "aws_kms_key" "ebs" {
+  key_id = "alias/aws/ebs"
+}

_outputs.tf

@@ -0,0 +1,59 @@
+output "alb_id" {
+  value = "${aws_lb.ecs.*.id}"
+}
+
+output "alb_arn" {
+  value = "${aws_lb.ecs.*.arn}"
+}
+
+output "alb_dns_name" {
+  value = "${aws_lb.ecs.*.dns_name}"
+}
+
+output "alb_zone_id" {
+  value = "${aws_lb.ecs.*.zone_id}"
+}
+
+output "ecs_iam_role_arn" {
+  value = "${aws_iam_role.ecs.arn}"
+}
+
+output "ecs_iam_role_name" {
+  value = "${aws_iam_role.ecs.name}"
+}
+
+output "ecs_service_iam_role_arn" {
+  value = "${aws_iam_role.ecs_service.arn}"
+}
+
+output "ecs_service_iam_role_name" {
+  value = "${aws_iam_role.ecs_service.name}"
+}
+
+output "ecs_task_iam_role_arn" {
+  value = "${aws_iam_role.ecs_task.arn}"
+}
+
+output "ecs_task_iam_role_name" {
+  value = "${aws_iam_role.ecs_task.name}"
+}
+
+output "ecs_id" {
+  value = "${aws_ecs_cluster.ecs.id}"
+}
+
+output "ecs_arn" {
+  value = "${aws_ecs_cluster.ecs.arn}"
+}
+
+output "ecs_name" {
+  value = "${aws_ecs_cluster.ecs.name}"
+}
+
+output "alb_listener_https_arn" {
+  value = "${aws_lb_listener.ecs_https.*.arn}"
+}
+
+output "ecs_nodes_secgrp_id" {
+  value = "${aws_security_group.ecs_nodes.id}"
+}

_variables.tf

@@ -0,0 +1,62 @@
+# == REQUIRED VARS
+
+variable "name" {
+  description = "Name of this ECS cluster"
+}
+
+variable "instance_type_1" {
+  description = "Instance type for ECS workers (first priority)"
+}
+
+variable "instance_type_2" {
+  description = "Instance type for ECS workers (second priority)"
+}
+
+variable "instance_type_3" {
+  description = "Instance type for ECS workers (third priority)"
+}
+
+variable "on_demand_percentage" {
+  description = "Percentage of on-demand intances vs spot"
+  default     = 100
+}
+
+variable "vpc_id" {
+  description = "VPC ID to deploy the ECS cluster"
+}
+
+variable "private_subnet_ids" {
+  type        = "list"
+  description = "List of private subnet IDs for ECS instances"
+}
+
+variable "public_subnet_ids" {
+  type        = "list"
+  description = "List of public subnet IDs for ECS ALB"
+}
+
+variable "secure_subnet_ids" {
+  type        = "list"
+  description = "List of secure subnet IDs for EFS"
+}
+
+variable "certificate_arn" {}
+
+# == OPTIONAL VARS
+
+variable "alb" {
+  default     = true
+  description = "Whether to deploy an ALB or not with the cluster"
+}
+
+variable "asg_min" {
+  default = 1
+}
+
+variable "asg_max" {
+  default = 4
+}
+
+variable "asg_memory_target" {
+  default = 60
+}

alb.tf

@@ -0,0 +1,69 @@
+resource "aws_lb" "ecs" {
+  count = "${var.alb ? 1 : 0}"
+
+  load_balancer_type = "application"
+  internal           = false
+  name               = "ecs-${var.name}"
+  subnets            = ["${var.public_subnet_ids}"]
+
+  security_groups = [
+    "${aws_security_group.alb.id}",
+  ]
+
+  idle_timeout = 400
+
+  tags = {
+    Name = "ecs-${var.name}"
+  }
+}
+
+resource "aws_lb_listener" "ecs_https" {
+  count = "${var.alb ? 1 : 0}"
+
+  load_balancer_arn = "${aws_lb.ecs.arn}"
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = "${var.certificate_arn}"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.ecs_default_https.arn}"
+  }
+}
+
+resource "aws_lb_listener" "ecs_http_redirect" {
+  count = "${var.alb ? 1 : 0}"
+
+  load_balancer_arn = "${aws_lb.ecs.arn}"
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+resource "aws_lb_target_group" "ecs_default_http" {
+  count = "${var.alb ? 1 : 0}"
+
+  name     = "ecs-${var.name}-default-http"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = "${var.vpc_id}"
+}
+
+resource "aws_lb_target_group" "ecs_default_https" {
+  count = "${var.alb ? 1 : 0}"
+
+  name     = "ecs-${var.name}-default-https"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = "${var.vpc_id}"
+}

asg.tf

@@ -0,0 +1,66 @@
+resource "aws_autoscaling_group" "ecs" {
+  name = "ecs-${var.name}"
+
+  mixed_instances_policy {
+    launch_template {
+      launch_template_specification {
+        launch_template_id = "${aws_launch_template.ecs.id}"
+        version            = "$$Latest"
+      }
+
+      override {
+        instance_type = "${var.instance_type_1}"
+      }
+
+      override {
+        instance_type = "${var.instance_type_2}"
+      }
+
+      override {
+        instance_type = "${var.instance_type_3}"
+      }
+    }
+
+    instances_distribution {
+      spot_instance_pools                      = 3
+      on_demand_base_capacity                  = 0
+      on_demand_percentage_above_base_capacity = "${var.on_demand_percentage}"
+    }
+  }
+
+  vpc_zone_identifier = ["${var.private_subnet_ids}"]
+
+  min_size = "${var.asg_min}"
+  max_size = "${var.asg_max}"
+
+  tags = [
+    "${map("key", "Name", "value", "ecs-node-${var.name}", "propagate_at_launch", true)}",
+  ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_autoscaling_policy" "ecs_memory_tracking" {
+  name                      = "ecs-${var.name}-memory"
+  adjustment_type           = "ChangeInCapacity"
+  policy_type               = "TargetTrackingScaling"
+  autoscaling_group_name    = "${aws_autoscaling_group.ecs.name}"
+  estimated_instance_warmup = "180"
+
+  target_tracking_configuration {
+    customized_metric_specification {
+      metric_dimension {
+        name  = "ClusterName"
+        value = "${aws_autoscaling_group.ecs.name}"
+      }
+
+      metric_name = "MemoryReservation"
+      namespace   = "AWS/ECS"
+      statistic   = "Average"
+    }
+
+    target_value = "${var.asg_memory_target}"
+  }
+}

ec2-launch-template.tf

@@ -0,0 +1,28 @@
+data "template_file" "userdata" {
+  template = "${file("${path.module}/userdata.tpl")}"
+
+  vars {
+    tf_cluster_name = "${aws_ecs_cluster.ecs.name}"
+    tf_efs_id       = "${aws_efs_file_system.ecs.id}"
+  }
+}
+
+resource "aws_launch_template" "ecs" {
+  name_prefix   = "ecs-${var.name}-"
+  image_id      = "${data.aws_ami.amzn.image_id}"
+  instance_type = "${var.instance_type_1}"
+
+  iam_instance_profile = {
+    name = "${aws_iam_instance_profile.ecs.name}"
+  }
+
+  vpc_security_group_ids = [
+    "${aws_security_group.ecs_nodes.id}",
+  ]
+
+  user_data = "${base64encode(data.template_file.userdata.rendered)}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

ecs.tf

@@ -0,0 +1,3 @@
+resource "aws_ecs_cluster" "ecs" {
+  name = "${var.name}"
+}

efs.tf

@@ -0,0 +1,42 @@
+resource "aws_efs_file_system" "ecs" {
+  creation_token = "ecs-${var.name}"
+  encrypted      = true
+
+  tags {
+    Name = "ecs-${var.name}"
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_efs_mount_target" "ecs" {
+  count          = "${length(var.secure_subnet_ids)}"
+  file_system_id = "${aws_efs_file_system.ecs.id}"
+  subnet_id      = "${var.secure_subnet_ids[count.index]}"
+
+  security_groups = [
+    "${aws_security_group.efs.id}",
+  ]
+}
+
+resource "aws_security_group" "efs" {
+  name        = "ecs-${var.name}-efs"
+  description = "for EFS to talk to ECS cluster"
+  vpc_id      = "${var.vpc_id}"
+
+  tags = {
+    Name = "ecs-efs-${var.name}"
+  }
+}
+
+resource "aws_security_group_rule" "nfs_from_ecs_to_efs" {
+  description              = "ECS to EFS"
+  type                     = "ingress"
+  from_port                = 2049
+  to_port                  = 2049
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.efs.id}"
+  source_security_group_id = "${aws_security_group.ecs_nodes.id}"
+}