Port python services (backend, resources_api & pybot) to ECS (#180)

* initial working version of python_backend on ECS spot instances

Signed-off-by: Irving Popovetsky <[email protected]>

* terraform fmt and make cpu/mem/count different for staging

Signed-off-by: Irving Popovetsky <[email protected]>

* Implement resources_api largely copy-pasta from python_backend

Signed-off-by: Irving Popovetsky <[email protected]>

* Update image tags to match values from k8s, and solve a mystery about why backend was being weird

Signed-off-by: Irving Popovetsky <[email protected]>

* use the Terraform orb

Signed-off-by: Irving Popovetsky <[email protected]>

* Is it even looking in the right place?

Signed-off-by: Irving Popovetsky <[email protected]>

* Add pybot configs

Signed-off-by: Irving Popovetsky <[email protected]>

* Scale up the environment a bit

Signed-off-by: Irving Popovetsky <[email protected]>

* Updating TF to reflect shutdown of Resources API and departure of Pybot

Signed-off-by: Irving Popovetsky <[email protected]>

* save a few pennies and get faster disks

Signed-off-by: Irving Popovetsky <[email protected]>

* We dont need no fancy dynamic scaling its just trying to cost us money

Signed-off-by: Irving Popovetsky <[email protected]>

Signed-off-by: Irving Popovetsky <[email protected]>

Author: irvingpop

.circleci/config.yml

@@ -1,77 +1,16 @@
-version: 2
-jobs:
-  validate:
-    docker:
-      - image: hashicorp/terraform:0.11.14
-
-    steps:
-      - checkout
-
-      - run:
-          command: |
-            mkdir bin
-            curl -sSL https://github.com/gruntwork-io/terragrunt/releases/download/v0.18.3/terragrunt_linux_amd64 -o bin/terragrunt
-            chmod +x bin/terragrunt
-
-      - run:
-          command: |
-            cd dns/operationcode.net/
-            /root/project/bin/terragrunt validate
-
-      - save_cache:
-          key: terragrunt
-          paths:
-            - bin/terragrunt
-
-  plan:
-    docker:
-      - image: hashicorp/terraform:0.11.14
-    steps:
-      - checkout
-
-      - restore_cache:
-          key: terragrunt
-          paths:
-            - bin/terragrunt
-
-      - run:
-          name: terraform plan
-          command: |
-            /root/project/bin/terragrunt plan-all
-
-      - save_cache:
-          key: terragrunt
-          paths:
-            - bin/terragrunt
-
-  apply:
-    docker:
-      - image: hashicorp/terraform:0.11.14
-    steps:
-      - checkout
-
-      - restore_cache:
-          key: terragrunt
-          paths:
-            - bin/terragrunt
-
-      - run:
-          name: terraform apply
-          command: |
-            /root/project/bin/terragrunt apply-all --terragrunt-non-interactive
-
+version: '2.1'
+orbs:
+  terraform: circleci/[email protected]
 workflows:
-  version: 2
-  terraform:
+  deploy_infrastructure:
     jobs:
-      - validate
-      - plan:
+      - terraform/fmt:
+          checkout: true
+          context: terraform
+          path: terraform
+      - terraform/validate:
+          checkout: true
+          context: terraform
+          path: terraform
           requires:
-            - validate
-      - apply:
-          requires:
-            - validate
-            - plan
-          filters:
-            branches:
-              only: main
+            - terraform/fmt

terraform/.terraform.lock.hcl

@@ -0,0 +1,84 @@
+# load balancer ARN  arn:aws:acm:us-east-2:633607774026:certificate/8de9fd02-191c-485f-b952-e5ba32e90acb
+################################################################################
+resource "aws_security_group" "lb_security_group" {
+  name_prefix = "ecs"
+  vpc_id      = data.aws_vpc.use2.id
+
+  # allow incoming traffic
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # allow all outgoing traffic
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [data.aws_vpc.use2.cidr_block]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb" "ecs" {
+  name_prefix     = "oc"
+  security_groups = [aws_security_group.lb_security_group.id]
+
+  load_balancer_type = "application"
+  internal           = false
+
+  subnets = data.aws_subnets.use2.ids
+
+  # idle_timeout = 60
+}
+
+
+resource "aws_lb_listener" "default_http" {
+  depends_on = [aws_lb.ecs]
+
+  load_balancer_arn = aws_lb.ecs.arn
+  protocol          = "HTTP"
+  port              = 80
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+
+resource "aws_lb_listener" "default_https" {
+  depends_on = [aws_lb.ecs]
+
+  load_balancer_arn = aws_lb.ecs.arn
+  protocol          = "HTTPS"
+  port              = 443
+  certificate_arn   = "arn:aws:acm:us-east-2:633607774026:certificate/8de9fd02-191c-485f-b952-e5ba32e90acb"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Not Found"
+      status_code  = "404"
+    }
+  }
+}

terraform/alb.tf

@@ -0,0 +1,191 @@
+resource "aws_cloudwatch_log_group" "ecslogs" {
+  name_prefix       = "ecs-"
+  retention_in_days = 7
+}
+
+# Secrets access stuff
+################################################################################
+data "aws_iam_role" "ecs_task_execution_role" {
+  name = "ecsTaskExecutionRole"
+}
+
+# attach aws secrets manager policy to ecs task execution role
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_attach" {
+  role       = data.aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+}
+
+# The Apps
+################################################################################
+
+# Backend Prod
+module "python_backend_prod" {
+  source = "./python_backend"
+
+  env                 = "prod"
+  vpc_id              = data.aws_vpc.use2.id
+  logs_group          = aws_cloudwatch_log_group.ecslogs.name
+  ecs_cluster_id      = module.ecs.cluster_id
+  task_execution_role = data.aws_iam_role.ecs_task_execution_role.arn
+  image_tag           = "master"
+}
+
+resource "aws_lb_listener_rule" "python_backend_prod" {
+  listener_arn = aws_lb_listener.default_https.arn
+
+  action {
+    type             = "forward"
+    target_group_arn = module.python_backend_prod.lb_tg_arn
+  }
+
+  condition {
+    host_header {
+      values = ["backend.operationcode.org", "api.operationcode.org"]
+    }
+  }
+}
+
+# Backend Staging
+module "python_backend_staging" {
+  source = "./python_backend"
+
+  env                 = "staging"
+  vpc_id              = data.aws_vpc.use2.id
+  logs_group          = aws_cloudwatch_log_group.ecslogs.name
+  ecs_cluster_id      = module.ecs.cluster_id
+  task_execution_role = data.aws_iam_role.ecs_task_execution_role.arn
+  image_tag           = "staging"
+}
+
+resource "aws_lb_listener_rule" "python_backend_staging" {
+  listener_arn = aws_lb_listener.default_https.arn
+
+  action {
+    type             = "forward"
+    target_group_arn = module.python_backend_staging.lb_tg_arn
+  }
+
+  condition {
+    host_header {
+      values = ["backend-staging.operationcode.org", "api.staging.operationcode.org"]
+    }
+  }
+}
+
+# Redirector for shut down sites
+resource "aws_lb_listener_rule" "shutdown_sites_redirector" {
+  listener_arn = aws_lb_listener.default_https.arn
+
+  action {
+    type = "redirect"
+
+    redirect {
+      host        = "www.operationcode.org"
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+
+  condition {
+    host_header {
+      values = [
+        "resources.operationcode.org",
+        "resources.staging.operationcode.org",
+        "resources-staging.operationcode.org",
+        "pybot.staging.operationcode.org",
+      ]
+    }
+  }
+}
+
+
+# Resources API has been shut down
+# # Resources API prod
+# module "resources_api_prod" {
+#   source = "./resources_api"
+
+#   env                 = "prod"
+#   vpc_id              = data.aws_vpc.use2.id
+#   logs_group          = aws_cloudwatch_log_group.ecslogs.name
+#   ecs_cluster_id      = module.ecs.cluster_id
+#   task_execution_role = data.aws_iam_role.ecs_task_execution_role.arn
+#   image_tag           = "202b27d4a8be4418089469e1c79e04277268962e"
+# }
+
+# resource "aws_lb_listener_rule" "resources_api_prod" {
+#   listener_arn = aws_lb_listener.default_https.arn
+
+#   action {
+#     type             = "forward"
+#     target_group_arn = module.resources_api_prod.lb_tg_arn
+#   }
+
+#   condition {
+#     host_header {
+#       values = ["resources.operationcode.org"]
+#     }
+#   }
+# }
+
+# # Resources API staging
+# module "resources_api_staging" {
+#   source = "./resources_api"
+
+#   env                 = "staging"
+#   vpc_id              = data.aws_vpc.use2.id
+#   logs_group          = aws_cloudwatch_log_group.ecslogs.name
+#   ecs_cluster_id      = module.ecs.cluster_id
+#   task_execution_role = data.aws_iam_role.ecs_task_execution_role.arn
+#   image_tag           = "fb8c59d54a5a4aed9f9cf58144eecee69f9fc58e"
+# }
+
+# resource "aws_lb_listener_rule" "resources_api_staging" {
+#   listener_arn = aws_lb_listener.default_https.arn
+
+#   action {
+#     type             = "forward"
+#     target_group_arn = module.resources_api_staging.lb_tg_arn
+#   }
+
+#   condition {
+#     host_header {
+#       values = ["resources.staging.operationcode.org", "resources-staging.operationcode.org"]
+#     }
+#   }
+# }
+
+
+# note: pybot moving off to Render.com
+# Pybot staging
+# module "pybot_staging" {
+#   source = "./pybot"
+
+#   env                 = "staging"
+#   vpc_id              = data.aws_vpc.use2.id
+#   logs_group          = aws_cloudwatch_log_group.ecslogs.name
+#   ecs_cluster_id      = module.ecs.cluster_id
+#   task_execution_role = data.aws_iam_role.ecs_task_execution_role.arn
+#   image_tag           = "staging"
+# }
+
+# resource "aws_lb_listener_rule" "pybot_staging" {
+#   listener_arn = aws_lb_listener.default_https.arn
+
+#   action {
+#     type             = "forward"
+#     target_group_arn = module.pybot_staging.lb_tg_arn
+#   }
+
+#   condition {
+#     host_header {
+#       values = ["pybot.staging.operationcode.org"]
+#     }
+#   }
+
+#   condition {
+#     path_pattern {
+#       values = ["/slack/*", "/pybot/*", "/airtable/*"]
+#     }
+#   }
+# }