Added AWS Fargate Service module. (#5)

README.md

@@ -9,15 +9,17 @@ terraform.
 
 ## Modules
 
-| Provider | Module                               | Description                                                              |
-|----------|--------------------------------------|--------------------------------------------------------------------------|
-| AWS      | [backend][aws-backend]               | S3 storage backend for tfstate.                                          |
-| AWS      | [cloudfront_waf][aws-cloudfront-waf] | CloudFront distribution that passes traffic through WAF without caching. |
-| AWS      | [logging][aws-logging]               | CloudFront distribution that passes traffic through WAF without caching. |
-| AWS      | [vpc][aws-vpc]                       | CloudFront distribution that passes traffic through WAF without caching. |
+| Provider | Module                                 | Description                                                              |
+|----------|----------------------------------------|--------------------------------------------------------------------------|
+| AWS      | [backend][aws-backend]                 | S3 storage backend for tfstate.                                          |
+| AWS      | [cloudfront_waf][aws-cloudfront-waf]   | CloudFront distribution that passes traffic through WAF without caching. |
+| AWS      | [fargate_service][aws-fargate_service] | CloudFront distribution that passes traffic through WAF without caching. |
+| AWS      | [logging][aws-logging]                 | CloudFront distribution that passes traffic through WAF without caching. |
+| AWS      | [vpc][aws-vpc]                         | CloudFront distribution that passes traffic through WAF without caching. |
 
 [aws-backend]: ./aws/backend/README.md
 [aws-cloudfront-waf]: ./aws/cloudfront_waf/README.md
+[aws-fargate_service]: ./aws/fargate_service/README.md
 [aws-logging]: ./aws/logging/README.md
 [aws-vpc]: ./aws/vpc/README.md
 [opentofu]: https://opentofu.org/

aws/backend/README.md

@@ -14,7 +14,7 @@ to match your desired configuration. For example:
 module "backend" {
   source = "github.com/codeforamerica/tofu-modules/aws/backend"
 
-  project = "my-project"
+  project     = "my-project"
   environment = "dev"
 }
 ```
@@ -35,7 +35,7 @@ Add the backend configuration to your `main.tf` file:
 terraform {
   backend "s3" {
     bucket = "my-project-dev-tfstate"
-    key = "my-project.tfstate" # Choose an appropriate key
+    key    = "my-project.tfstate" # Choose an appropriate key
     region = "us-east-1"
   }
 }

aws/cloudfront_waf/README.md

@@ -13,10 +13,10 @@ to match your desired configuration. For example, to create a new distribution
 module "cloudfront_waf" {
   source = "github.com/codeforamerica/tofu-modules/aws/cloudfront_waf"
 
-  project = "my-project"
+  project     = "my-project"
   environment = "dev"
-  domain = "my-project.org"
-  log_bucket = module.logging.bucket
+  domain      = "my-project.org"
+  log_bucket  = module.logging.bucket
 }
 ```
 

aws/fargate_service/README.md

@@ -0,0 +1,72 @@
+# AWS Fargate Service Module
+
+This module launches a service on AWS Fargate. It creates a cluster, task
+definition, service, and container repository. In addition, it creates the load
+balancer, ACM certificate, Route53 records, and security groups needed to expose
+the service.
+
+## Usage
+
+Add this module to your `main.tf` (or appropriate) file and configure the inputs
+to match your desired configuration. For example:
+
+```hcl
+module "cloudfront_waf" {
+  source = "github.com/codeforamerica/tofu-modules/aws/fargate_service"
+
+  project       = "my-project"
+  project_short = "my-proj"
+  environment   = "dev"
+  service       = "worker"
+  service_short = "wrk"
+
+  domain          = "dev.worker.my-project.org"
+  vpc_id          = module.vpc.vpc_id
+  private_subnets = module.vpc.private_subnets
+  public_subnets  = module.vpc.public_subnets
+  logging_key_id  = module.logging.kms_key_arn
+  container_port  = 3000
+}
+```
+
+Make sure you re-run `tofu init` after adding the module to your configuration.
+
+```bash
+tofu init
+tofu plan
+```
+
+To update the source for this module, pass `-upgrade` to `tofu init`:
+
+```bash
+tofu init -upgrade
+```
+
+## Inputs
+
+| Name                     | Description                                                                            | Type     | Default    | Required |
+|--------------------------|----------------------------------------------------------------------------------------|----------|------------|----------|
+| domain                   | Domain name for service. Example: `"staging.service.org"`                              | `string` | n/a        | yes      |
+| logging_key_id           | KMS key to use for log encryption.                                                     | `string` | n/a        | yes      |
+| private_subnets          | List of private subnet CIDR blocks.                                                    | `list`   | n/a        | yes      |
+| project                  | Name of the project.                                                                   | `string` | n/a        | yes      |
+| project_short            | Short name for the project. Used in resource names with character limits.              | `string` | n/a        | yes      |
+| public_subnets           | List of public subnet CIDR blocks.                                                     | `list`   | n/a        | yes      |
+| service                  | Service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"`     | `string` | n/a        | yes      |
+| service_short            | Short name for the service. Used in resource names with character limits.              | `string` | n/a        | yes      |
+| vpc_id                   | Id of the VPC to deploy into.                                                          | `string` | n/a        | yes      |
+| container_port           | Port the container listens on.                                                         | `number` | `80`       | no       |
+| environment              | Environment for the project.                                                           | `string` | `"dev"`    | no       |
+| force_delete             | Force deletion of resources. If changing to true, be sure to apply before destroying.  | `bool`   | `false`    | no       |
+| image_tag                | Tag of the container image to be deployed.                                             | `string` | `"latest"` | no       |
+| internal                 | Creates an internal ALB instead of a public one.                                       | `bool`   | `false`    | no       |
+| key_recovery_period      | Number of days to recover the service KMS key after deletion.                          | `number` | `30`       | no       |
+| log_retention_period     | Retention period for flow logs, in days.                                               | `number` | `30`       | no       |
+| untagged_image_retention | Retention period (after push) for untagged images, in days.                            | `number` | `14`       | no       |
+
+## Outputs
+
+| Name         | Description                                                  | Type     |
+|--------------|--------------------------------------------------------------|----------|
+| cluster_name | Name of the ECS Fargate cluster.                             | `string` |
+| docker_push  | Commands to push a Docker image to the container repository. | `string` |

aws/fargate_service/alb.tf

@@ -0,0 +1,100 @@
+module "alb" {
+  source                     = "terraform-aws-modules/alb/aws"
+  version                    = "~> 9.9"
+  enable_deletion_protection = !var.force_delete
+
+  name               = local.prefix_short
+  load_balancer_type = "application"
+  security_groups    = [module.endpoint_security_group.security_group_id]
+  subnets            = var.internal ? var.private_subnets : var.public_subnets
+  vpc_id             = var.vpc_id
+
+  # TODO: Support IPv6 and/or dualstack.
+  ip_address_type = "ipv4"
+
+  listeners = {
+    http = {
+      port     = 80
+      protocol = "HTTP"
+      redirect = {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+
+    https = {
+      port            = 443
+      protocol        = "HTTPS"
+      ssl_policy      = "ELBSecurityPolicy-TLS-1-2-2017-01"
+      certificate_arn = aws_acm_certificate.endpoint.arn
+      forward = {
+        target_group_key = "endpoint"
+      }
+    }
+  }
+
+  target_groups = {
+    endpoint = {
+      name        = "${local.prefix_short}-app"
+      protocol    = "HTTP"
+      target_type = "ip"
+      port        = var.container_port
+
+      # Theres nothing to attach here in this definition. Instead, ECS will
+      # attach the IPs of the tasks to this target group.
+      create_attachment = false
+
+      health_check = {
+        path                = "/health"
+        healthy_threshold   = 5
+        unhealthy_threshold = 2
+      }
+    }
+  }
+}
+
+resource "aws_acm_certificate" "endpoint" {
+  domain_name       = var.domain
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "endpoint" {
+  name    = var.domain
+  type    = "A"
+  zone_id = data.aws_route53_zone.domain.zone_id
+
+  alias {
+    name                   = module.alb.dns_name
+    zone_id                = module.alb.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "endpoint_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.endpoint.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.domain.zone_id
+}
+
+resource "aws_acm_certificate_validation" "endpoint" {
+  certificate_arn = aws_acm_certificate.endpoint.arn
+  validation_record_fqdns = [
+    for record in aws_route53_record.endpoint_validation : record.fqdn
+  ]
+}

aws/fargate_service/data.tf

@@ -0,0 +1,13 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_route53_zone" "domain" {
+  name = var.domain
+}
+
+data "aws_vpc" "current" {
+  id = var.vpc_id
+}

aws/fargate_service/iam.tf

@@ -0,0 +1,56 @@
+resource "aws_iam_policy" "execution" {
+  name        = "${local.prefix}-execution"
+  description = "${var.service} task execution policy for ${var.project} ${var.environment}."
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/execution-policy.yaml.tftpl", {
+    project     = var.project
+    environment = var.environment
+    ecr_arn     = module.ecr.repository_arn
+  })))
+}
+
+resource "aws_iam_role" "execution" {
+  name        = "${local.prefix}-execution"
+  description = "${var.service} task execution role for ${var.project} ${var.environment}."
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  managed_policy_arns = [
+    #     aws_iam_policy.execution.arn
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+  ]
+}
+
+resource "aws_iam_role" "task" {
+  name        = "${local.prefix}-task"
+  description = "${var.service} task role for ${var.project} ${var.environment}."
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  managed_policy_arns = [
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/CloudWatchFullAccess",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMFullAccess"
+  ]
+}

aws/fargate_service/kms.tf

@@ -0,0 +1,16 @@
+resource "aws_kms_key" "fargate" {
+  description             = "${var.service} hosting encryption key for ${var.project} ${var.environment}"
+  deletion_window_in_days = var.key_recovery_period
+  enable_key_rotation     = true
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/key-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id,
+    partition : data.aws_partition.current.partition,
+    region : data.aws_region.current.name,
+    repository_name : local.prefix,
+  })))
+}
+
+resource "aws_kms_alias" "fargate" {
+  name          = "alias/${var.project}/${var.environment}/${var.service}"
+  target_key_id = aws_kms_key.fargate.id
+}

aws/fargate_service/local.tf

@@ -0,0 +1,4 @@
+locals {
+  prefix       = "${var.project}-${var.environment}-${var.service}"
+  prefix_short = "${var.project_short}-${var.environment}-${var.service_short}"
+}

aws/fargate_service/logs.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "service" {
+  name              = "/aws/ecs/${var.project}/${var.environment}/${var.service}"
+  retention_in_days = 30
+  kms_key_id        = var.logging_key_id
+}