# Lookup of an already-existing ECS cluster, used only when the caller
# supplies var.ecs_cluster_name. Its count and the one on
# aws_ecs_cluster.sidecar_cluster are complementary, so exactly one of
# the two exists for any given input and the service below can pick
# whichever is present.
data "aws_ecs_cluster" "existent_cluster" {
  count        = var.ecs_cluster_name == "" ? 0 : 1
  cluster_name = var.ecs_cluster_name
}
# A fresh ECS cluster, created only when var.ecs_cluster_name is empty
# (the inverse condition of data.aws_ecs_cluster.existent_cluster).
# NOTE(review): no `setting` block is configured, so Container Insights
# is left at the account default; enable it here if task-level
# CPU/memory metrics are wanted for monitoring the sidecar.
resource "aws_ecs_cluster" "sidecar_cluster" {
  count = var.ecs_cluster_name != "" ? 0 : 1
  name  = "${local.sidecar.name_prefix}-sidecar-cluster"
}
# Capacity configuration for the cluster created above. Only the
# on-demand FARGATE provider is attached and the default strategy
# sends everything to it (base 1, weight 100), so no task ever lands
# on FARGATE_SPOT or on EC2 capacity. Skipped entirely when an
# existing cluster is reused, since that cluster's providers are
# managed elsewhere.
resource "aws_ecs_cluster_capacity_providers" "sidecar_capacity_provider" {
  count = var.ecs_cluster_name != "" ? 0 : 1

  cluster_name       = aws_ecs_cluster.sidecar_cluster[0].name
  capacity_providers = ["FARGATE"]

  default_capacity_provider_strategy {
    capacity_provider = "FARGATE"
    base              = 1
    weight            = 100
  }
}
# Security group attached to the sidecar task ENIs (referenced from
# the network_configuration of aws_ecs_service.sidecar_service).
resource "aws_security_group" "sidecar_sg" {
  name        = "${local.sidecar.name_prefix}-sidecar-container-sg"
  description = "Allow inbound access to sidecar ports"
  vpc_id      = var.vpc_id

  # Port 9000 serves the sidecar health endpoint. The NLB target
  # groups in this file also health-check on 9000 (HTTP /health), and
  # those checks are sourced from the load balancer's addresses in its
  # subnets, so var.monitoring_inbound_cidr must cover the load
  # balancer subnets as well as any external monitoring source —
  # otherwise the targets never register as healthy. Confirm against
  # the subnet ranges before deploying.
  ingress {
    from_port   = 9000
    to_port     = 9000
    protocol    = "tcp"
    cidr_blocks = var.monitoring_inbound_cidr
  }

  # One TCP rule per sidecar port, each open to var.db_inbound_cidr.
  # With client IP preservation (the NLB default for IP targets —
  # verify it is not disabled) the task sees the original client
  # address, so these CIDRs are what actually limits which clients
  # can reach the database-facing ports; keep them as narrow as the
  # client set allows, especially when the NLB is internet-facing.
  dynamic "ingress" {
    for_each = var.sidecar_ports
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.db_inbound_cidr
    }
  }

  # Unrestricted egress on all protocols. Presumably needed so the
  # sidecar can reach the upstream database and AWS APIs, but nothing
  # here narrows it; restrict to known database/VPC endpoint ranges
  # if the deployment allows.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Network load balancer fronting the sidecar tasks; one TCP listener
# per sidecar port is attached by aws_lb_listener.sidecar_listener.
resource "aws_lb" "sidecar_nlb" {
  name               = "${local.sidecar.name_prefix}-sidecar-nlb"
  load_balancer_type = "network"

  # Any scheme other than "internet-facing" produces an internal NLB.
  # An internet-facing NLB exposes every sidecar port publicly, gated
  # only by var.load_balancer_security_groups and the CIDR rules in
  # aws_security_group.sidecar_sg, so the two must be reviewed together.
  internal = var.load_balancer_scheme != "internet-facing"

  # Dedicated load balancer subnets take precedence; when none are
  # given the NLB shares the task subnets.
  subnets = length(var.load_balancer_subnets) == 0 ? var.subnets : var.load_balancer_subnets

  enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
  security_groups                  = var.load_balancer_security_groups
}
# One plain TCP listener per sidecar port, keyed by the port as a
# string so the key lines up with aws_lb_target_group.sidecar_tg.
# The listener forwards bytes unchanged — TLS, if any, is terminated
# by the sidecar container itself, not here.
resource "aws_lb_listener" "sidecar_listener" {
  for_each = { for port in var.sidecar_ports : tostring(port) => port }

  load_balancer_arn = aws_lb.sidecar_nlb.arn
  protocol          = "TCP"
  port              = each.value

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.sidecar_tg[each.key].arn
  }
}
# One IP-mode target group per sidecar port, sharing the
# tostring(port) key used by the listeners and by the load_balancer
# blocks of aws_ecs_service.sidecar_service.
#
# NOTE(review): unlike every other resource in this file the name is
# not prefixed with local.sidecar.name_prefix. Target group names must
# be unique per region, so two deployments of this module in the same
# region that share a port would collide; changing the name forces
# replacement, so this is worth settling before the module is reused.
resource "aws_lb_target_group" "sidecar_tg" {
  for_each = { for port in var.sidecar_ports : tostring(port) => port }

  name        = "sidecar-tg-${each.key}"
  vpc_id      = var.vpc_id
  target_type = "ip"
  protocol    = "TCP"
  port        = each.value

  # Health is probed on the sidecar's HTTP endpoint rather than on
  # the data port, so the task security group must admit the NLB on
  # 9000 (see the first ingress rule of aws_security_group.sidecar_sg).
  health_check {
    protocol = "HTTP"
    port     = 9000
    path     = "/health"
  }
}
# Fargate task definition for the sidecar. The container list itself
# (local.container_definition) is built in
# sidecar_container_definition.tf; this block only wraps it.
#
# The two roles are deliberately separate: execution_role_arn is what
# the ECS agent assumes to pull the image and ship logs, while
# task_role_arn is the identity the running container code gets.
# Keep the task role scoped to what the sidecar itself needs.
resource "aws_ecs_task_definition" "sidecar_task_definition" {
  family = "${local.sidecar.name_prefix}-sidecar-task"

  execution_role_arn = aws_iam_role.ecs_role.arn
  task_role_arn      = aws_iam_role.ecs_task_role.arn

  # awsvpc is mandatory for Fargate; it gives the task its own ENI,
  # which is where aws_security_group.sidecar_sg is applied.
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"

  # Must be one of the cpu/memory pairs Fargate supports — the values
  # are passed through from the module variables unchecked here.
  cpu    = var.ecs_cpu
  memory = var.ecs_memory

  container_definitions = jsonencode(local.container_definition)
}
# ECS services running the sidecar task. local.ecs.service_ports
# (defined elsewhere) is a list of port groups, and one service is
# created per group because ECS allows at most 5 target groups per
# service; every service runs the same task definition.
resource "aws_ecs_service" "sidecar_service" {
  count = length(local.ecs.service_ports)

  name            = "${local.sidecar.name_prefix}-sidecar-service-${count.index}"
  launch_type     = "FARGATE"
  task_definition = aws_ecs_task_definition.sidecar_task_definition.arn
  desired_count   = var.ecs_service_desired_count

  # Mirrors the count conditions on the two cluster blocks above:
  # with an empty name the newly created cluster exists, otherwise
  # the looked-up one does, so index [0] is valid on whichever side
  # the ternary selects.
  cluster = var.ecs_cluster_name == "" ? aws_ecs_cluster.sidecar_cluster[0].arn : data.aws_ecs_cluster.existent_cluster[0].arn

  # The task ENI gets the sidecar security group. assign_public_ip
  # true hands every task a public address in addition to the NLB
  # path; pair it with tight ingress CIDRs, or keep it false and rely
  # on the NLB when the subnets have NAT or VPC endpoints for egress.
  network_configuration {
    subnets          = var.subnets
    security_groups  = [aws_security_group.sidecar_sg.id]
    assign_public_ip = var.ecs_assign_public_ip
  }

  # Attach this service's slice of ports to the matching target groups,
  # using the same tostring(port) key as aws_lb_target_group.sidecar_tg.
  # The container port is read back from the target group so the two
  # cannot drift apart.
  dynamic "load_balancer" {
    for_each = { for port in local.ecs.service_ports[count.index] : tostring(port) => port }
    content {
      container_name   = local.ecs.container_name
      container_port   = aws_lb_target_group.sidecar_tg[load_balancer.key].port
      target_group_arn = aws_lb_target_group.sidecar_tg[load_balancer.key].arn
    }
  }
}