From 48fedbae1aa3a72cf8e8be0453aa2fc8580aad05 Mon Sep 17 00:00:00 2001
From: maurodandrea <98483756+maurodandrea@users.noreply.github.com>
Date: Tue, 13 Feb 2024 21:07:40 +0100
Subject: [PATCH] add-ecs-and-alb
---
.infrastructure/16_ecs.tf | 79 +++++++++++++++++++++++++++++++++++++++
.infrastructure/17_alb.tf | 53 ++++++++++++++++++++++++++
2 files changed, 132 insertions(+)
create mode 100644 .infrastructure/16_ecs.tf
create mode 100644 .infrastructure/17_alb.tf
diff --git a/.infrastructure/16_ecs.tf b/.infrastructure/16_ecs.tf
new file mode 100644
index 000000000..308f901f7
--- /dev/null
+++ b/.infrastructure/16_ecs.tf
@@ -0,0 +1,79 @@
+## ECS for CMS Strapi
+module "cms_ecs_cluster" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-ecs.git//modules/cluster?ref=8b97783def49997d18a6fcb00dc21ce1edc0f538" # v5.9.0
+
+ cluster_name = "cms-ecs-cluster"
+}
+
+data "template_file" "cms_app" {
+ template = file("./task-definitions/cms_app.json.tpl")
+
+ vars = {
+ image = module.ecr.repository_url
+ fargate_cpu = var.cms_app_cpu
+ fargate_memory = var.cms_app_memory
+ aws_region = var.aws_region
+ db_host = module.rds.cluster_endpoint
+ db_user = module.rds.cluster_master_username
+ db_password_arn = module.secret_cms_database_password.ssm_parameter_arn
+ bucket_name = module.s3_bucket_cms.s3_bucket_id
+ admin_jwt_secret_arn = module.secret_cms_admin_jwt_secret.ssm_parameter_arn
+ db_name = module.rds.cluster_database_name
+ db_client = "postgres"
+ container_port = var.cms_app_port
+ app_keys = module.secret_cms_app_keys.ssm_parameter_arn
+ api_token_salt = module.secret_cms_api_token_salt.ssm_parameter_arn
+ transfer_token_salt = module.secret_cms_transfer_token_salt.ssm_parameter_arn
+ jwt_secret = module.secret_cms_jwt_secret.ssm_parameter_arn
+ access_key_id = module.secret_cms_access_key_id.ssm_parameter_arn
+ access_key_secret = module.secret_cms_access_key_secret.ssm_parameter_arn
+ bucket_full_url = module.s3_bucket_cms.s3_bucket_bucket_regional_domain_name
+ cdn_url = "https://${module.cloudfront_cms.cloudfront_distribution_domain_name}"
+ aws_bucket_endpoint = "https://s3.${var.aws_region}.amazonaws.com"
+ repo_owner = "pagopa"
+ repo_name = "developer-portal"
+ workflow_id = "deploy_website.yaml"
+ target_branch = "main"
+ github_pat = module.secret_cms_github_pat.ssm_parameter_arn
+ }
+}
+
+resource "aws_ecs_task_definition" "cms_task_def" {
+ family = "cms-task-def"
+ execution_role_arn = module.iam_role_ecs_task_execution.iam_role_arn
+ task_role_arn = module.iam_role_task_role.iam_role_arn
+ network_mode = "awsvpc"
+ requires_compatibilities = ["FARGATE"]
+ cpu = var.cms_app_cpu
+ memory = var.cms_app_memory
+ container_definitions = data.template_file.cms_app.rendered
+}
+
+module "cms_ecs_service" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-ecs.git//modules/service?ref=8b97783def49997d18a6fcb00dc21ce1edc0f538" # v5.9.0
+
+ name = "cms-ecs"
+ cluster_arn = module.cms_ecs_cluster.arn
+ desired_count = 1
+ create_task_definition = false
+ create_iam_role = false
+ create_task_exec_iam_role = false
+ create_security_group = false
+ launch_type = "FARGATE"
+ force_new_deployment = true
+ task_definition_arn = aws_ecs_task_definition.cms_task_def.arn
+ tasks_iam_role_arn = module.iam_role_task_role.iam_role_arn
+ task_exec_iam_role_arn = module.iam_role_ecs_task_execution.iam_role_arn
+
+ security_group_ids = [aws_security_group.ecs_tasks.id]
+ subnet_ids = module.vpc.private_subnets
+ assign_public_ip = true
+
+ load_balancer = {
+ cms-target-group = {
+ target_group_arn = module.cms_load_balancer.target_groups["cms-target-group"].arn
+ container_name = "cms-docker"
+ container_port = var.cms_app_port
+ }
+ }
+}
\ No newline at end of file
diff --git a/.infrastructure/17_alb.tf b/.infrastructure/17_alb.tf
new file mode 100644
index 000000000..cc5a15a8e
--- /dev/null
+++ b/.infrastructure/17_alb.tf
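Review bot: `assign_public_ip = true` in `module "cms_ecs_service"` gives every Fargate task a public address even though `subnet_ids = module.vpc.private_subnets` and the only intended ingress is the ALB target group; in a subnet without an internet-gateway route that address is unusable, and in any subnet that is routable it exposes the Strapi container directly, bypassing the load balancer and its TLS termination. Set `assign_public_ip = false` and provide egress for image pulls and SSM parameter reads through a NAT gateway or VPC endpoints — whether the vpc module's private subnets already route through NAT is not visible in this diff. Separately, `db_user = module.rds.cluster_master_username` wires the RDS master credential into the task template, so unless cms_app.json.tpl maps it elsewhere the CMS runs as the cluster's administrative user; a dedicated, least-privileged database role for the application is preferable. On style, `data "template_file"` is deprecated in favour of the built-in `templatefile("./task-definitions/cms_app.json.tpl", { ... })`, which also drops the external template provider dependency.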
@@ -0,0 +1,53 @@
+## Application Load Balancer for CMS Strapi
+module "cms_load_balancer" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-alb.git?ref=3e9c6cbaf4c1d858c3bbee6f086f0c8ef17522ab" # v9.6.0
+
+ name = "cms-load-balancer"
+ vpc_id = module.vpc.vpc_id
+ subnets = module.vpc.public_subnets
+ security_groups = [aws_security_group.cms_lb.id]
+ internal = false
+ create_security_group = false
+ load_balancer_type = "application"
+
+ listeners = {
+ front_end_http = {
+ port = 80
+ protocol = "HTTP"
+ redirect = {
+ port = "443"
+ protocol = "HTTPS"
+ status_code = "HTTP_301"
+ }
+ }
+ front_end_https = {
+ port = 443
+ protocol = "HTTPS"
+ certificate_arn = module.acm.acm_certificate_arn
+ forward = {
+ target_group_key = "cms-target-group"
+ }
+ }
+ }
+
+ target_groups = {
+ cms-target-group = {
+ name = "cms-target-group"
+ protocol = "HTTP"
+ port = var.cms_app_port
+ target_type = "ip"
+ vpc_id = module.vpc.vpc_id
+
+ health_check = {
+ healthy_threshold = "3"
+ interval = "30"
+ protocol = "HTTP"
+ matcher = "204"
+ timeout = "3"
+ path = "/_health"
+ unhealthy_threshold = "2"
+ }
+ create_attachment = false
+ }
+ }
+}
\ No newline at end of file
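Review bot: The internet-facing ALB in `module "cms_load_balancer"` has no `access_logs` block, so requests reaching the Strapi admin and API through the `front_end_https` listener leave no record outside the container; add `access_logs = { bucket = "<alb-log-bucket>", prefix = "cms-load-balancer" }` against a bucket that carries the ELB log-delivery policy so failed logins and 4xx/5xx bursts can be investigated later. The HTTPS listener relies on the module's default `ssl_policy`; pinning it explicitly, e.g. `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, keeps the TLS baseline under this repository's control rather than the module version's. On style, the `health_check` attributes `healthy_threshold`, `interval`, `timeout` and `unhealthy_threshold` are numeric but written as strings (`"3"`, `"30"`) while `port = 443` two blocks up is a number; Terraform coerces them, but `healthy_threshold = 3` and friends read as intended rather than accidental.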