Merge pull request #42 from hazelops/core-443

Proxy pick up nginx config

Author: igorkotof

ecs-modules/ecs-task/locals.tf

@@ -121,11 +121,11 @@ locals {
         "Resource" = "*"
       },
       {
-        "Effect" : "Allow",
-        "Action" : [
+        "Effect" = "Allow",
+        "Action" = [
           "firehose:PutRecordBatch"
         ],
-        "Resource" : [
+        "Resource" = [
           "*"
         ]
       },
@@ -148,6 +148,13 @@ locals {
           "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.ssm_secret_path}/*",
           "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.ssm_global_secret_path}/*"
         ]
+      },
+      {
+          "Action" = [
+            "kms:Decrypt"
+          ],
+          "Effect" = "Allow",
+          "Resource" = "*"
       }
     ])
   }

examples/web-nginx-proxy/data.tf

@@ -1,28 +1,48 @@
+# Versions
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 1.0"
+}
+
+# Data
+data "aws_route53_zone" "root" {
+  name         = "${var.root_domain_name}."
+  private_zone = false
+}
+
+# Main
 module "vpc" {
   source  = "registry.terraform.io/terraform-aws-modules/vpc/aws"
   version = "~> 3.0"
 
   name = "${var.env}-vpc"
-  cidr = "10.30.0.0/16"
+  cidr = "10.0.0.0/16"
 
   azs = [
-    "${var.aws_region}a"
+    "${var.aws_region}a",
+    "${var.aws_region}b"
   ]
   public_subnets = [
-    "10.30.10.0/23"
+    "10.0.10.0/23",
+    "10.0.12.0/23"
   ]
 
   private_subnets = [
-    "10.30.20.0/23"
+    "10.0.20.0/23"
   ]
 
+  enable_nat_gateway                  = true
+  single_nat_gateway                  = true
   manage_default_network_acl          = true
   default_network_acl_name            = "${var.env}-${var.namespace}"
 }
 resource "aws_security_group" "default_permissive" {
   name        = "${var.env}-default-permissive"
   vpc_id      = module.vpc.vpc_id
-  description = "Managed by Terraform"
 
   ingress {
     protocol    = -1
@@ -42,20 +62,12 @@ resource "aws_security_group" "default_permissive" {
     ]
   }
 
-  tags = {
-    Terraform = "true"
-    Env       = var.env
-    Name      = "${var.env}-default-permissive"
-  }
 }
 
 resource "aws_route53_record" "env_ns_record" {
   zone_id = data.aws_route53_zone.root.id
   name    = "${var.env}.${var.root_domain_name}"
   type    = "NS"
-  //  ttl  = "172800"
-
-  // Fast TTL for dev
   ttl     = "60"
   records = aws_route53_zone.env_domain.name_servers
 }
@@ -64,62 +76,48 @@ resource "aws_route53_zone" "env_domain" {
   name = "${var.env}.${var.root_domain_name}"
 }
 
-
 module "ecs" {
   source             = "registry.terraform.io/terraform-aws-modules/ecs/aws"
   version            = "~> 4.0"
   cluster_name       = "${var.env}-${var.namespace}"
 }
 
-module "web_complete" {
+module "web_proxy" {
   source = "../.."
 
-  name             = "app"
-  app_type         = "web"
-  env              = var.env
-  namespace        = var.namespace
-  ecs_cluster_name = local.ecs_cluster_name
-
-  # Proxy enabling
-  web_proxy_enabled = true
+  name                  = "app"
+  app_type              = "web"
+  env                   = var.env
+  namespace             = var.namespace
+  
+  # Nginx Proxy enabling
+  web_proxy_enabled     = true
+  # We mount a shared volume to /etc/nginx dir in our container. In order to the web proxy to work - your app must copy(create) Nginx config template to /etc/nginx/templates/default.conf.template. See proxied-prj/entrypoint.sh.  
 
-  # Image should have some customization, see Dockerfile example at ./simple-prj
   # Containers
-  docker_registry      = local.docker_registry
-  image_id             = local.image_id
-  docker_image_tag     = local.docker_image_tag
-  iam_instance_profile = local.iam_instance_profile
-  key_name             = local.key_name
+  ecs_cluster_name      = module.ecs.cluster_name
+  docker_registry       = var.docker_registry
+  docker_image_tag      = var.docker_image_tag
 
   # Load Balancer
   public                = true
+  https_enabled         = false
   alb_health_check_path = "/"
-  alb_security_groups   = local.alb_security_groups
+  alb_security_groups   = [aws_security_group.default_permissive.id]
   tls_cert_arn          = local.tls_cert_arn
 
-  # EFS settings
-  efs_enabled        = false
-  efs_mount_point    = "/mnt/efs"
-  efs_root_directory = "/"
-
   # Network
-  vpc_id                       = local.vpc_id
-  public_subnets               = local.public_subnets
-  private_subnets              = local.private_subnets
-  security_groups              = local.security_groups
-  root_domain_name             = var.root_domain_name
-  zone_id                      = local.zone_id
-  route53_health_check_enabled = false
-  domain_names = [
-    "app.${var.root_domain_name}"
-  ]
+  vpc_id                        = module.vpc.vpc_id
+  public_subnets                = module.vpc.public_subnets
+  private_subnets               = module.vpc.private_subnets
+  security_groups               = [aws_security_group.default_permissive.id]
+  root_domain_name              = var.root_domain_name
+  zone_id                       = aws_route53_zone.env_domain.id
 
   # Environment variables
   app_secrets = [
   ]
   environment = {
-    ENV      = var.env
-    APP_NAME = "App"
   }
 }
 

examples/web-nginx-proxy/main.tf

@@ -7,7 +7,7 @@ output "private_subnet_cidrs" {
 }
 
 output "cloudwatch_log_group" {
-  value = module.web_complete.cloudwatch_log_group
+  value = module.web_proxy.cloudwatch_log_group
 }
 
 output "ecs_cluster_name" {

examples/web-nginx-proxy/output.tf

@@ -19,17 +19,17 @@ RUN set -ex && \
     ln -s /usr/bin/python3 /usr/bin/python
 
 # Copy files and pipenv
-COPY ${PROJECT_PATH}/public/index.html  ./public/index.html
+COPY ${PROJECT_PATH}/public/style.css  ./public/style.css
 COPY ${PROJECT_PATH}/app.py  ./
 COPY ${PROJECT_PATH}/Pipfile* ./
 COPY ${PROJECT_PATH}/nginx.conf.template ./
-COPY ${PROJECT_PATH}/docker-entrypoint.sh /
+COPY ${PROJECT_PATH}/entrypoint.sh /
 
 
 RUN python3 -m pip install pipenv
 
 RUN pipenv install --deploy --system
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]
 
 EXPOSE 3000

examples/web-nginx-proxy/simple-prj/Dockerfile renamed to examples/web-nginx-proxy/proxied-prj/Dockerfile

@@ -1,7 +1,7 @@
 client_max_body_size 20M;
 
 upstream app {
-    # Puma socket, as defined previously
+    # Application server socket, as defined previously
     server ${APP_HOST} fail_timeout=10;
 }
 
@@ -16,7 +16,7 @@ server {
         add_header Cache-Control public;
     }
 
-    try_files $uri/index.html $uri @app;
+    try_files $uri @app;
 
     location @app {
         proxy_pass http://app;

examples/web-nginx-proxy/simple-prj/Pipfile renamed to examples/web-nginx-proxy/proxied-prj/Pipfile

@@ -0,0 +1,3 @@
+body {
+    background-color: powderblue;
+}

examples/web-nginx-proxy/simple-prj/Pipfile.lock renamed to examples/web-nginx-proxy/proxied-prj/Pipfile.lock

@@ -1,28 +1,7 @@
-locals {
-  env                  = var.env
-  namespace            = var.namespace
-
-  public_subnets       = module.vpc.public_subnets
-  private_subnets      = module.vpc.private_subnets
-  vpc_id               = module.vpc.vpc_id
-  security_groups      = [aws_security_group.default_permissive.id]
-  alb_security_groups  = [aws_security_group.default_permissive.id]
-  root_domain_name     = var.root_domain_name
-  zone_id              = aws_route53_zone.env_domain.id
-
-  image_id             = data.aws_ami.amazon_linux_ecs_generic.id
-  docker_registry      = var.docker_registry
-  docker_image_tag     = var.docker_image_tag
-
-  ecs_cluster_name     = module.ecs.cluster_name
-  tls_cert_arn         = length(module.env_acm.acm_certificate_arn) > 0 ? module.env_acm.acm_certificate_arn : null
-}
-
 variable "env" {}
 variable "namespace" {}
 variable "aws_profile" {}
 variable "aws_region" {}
-variable "ssh_public_key" {}
 variable "docker_registry" {}
 variable "docker_image_tag" {}
 variable "root_domain_name" {}