56kcloud · jwavoet · Jul 22, 2024 · Jul 22, 2024 · Jul 22, 2024 · Jul 22, 2024
diff --git a/README.md b/README.md
diff --git a/container-definition/container-definition.json b/container-definition/container-definition.json
@@ -1,7 +1,7 @@
 [
   {
-    "name": "${container_name}",
-    "image": "${image}:${version}",
+    "name": "grafana",
+    "image": "${grafana_image}:${grafana_version}",
     "logConfiguration": {
       "logDriver": "awslogs",
       "options": {
@@ -12,70 +12,84 @@
     },
     "portMappings": [
       {
-        "hostPort": ${container_port},
+        "name": "grafana-${grafana_container_port}-tcp",
+        "containerPort": ${grafana_container_port},
+        "hostPort": 3000,
         "protocol": "tcp",
-        "containerPort": ${container_port}
+        "appProtocol": "http"
       }
     ],
-    "cpu": ${cpu},
-    "memoryReservation": ${memory},
+    "cpu": ${grafana_cpu},
+    "memoryReservation": ${grafana_memory},
     "mountPoints": [
       {
         "containerPath": "/var/lib/grafana",
         "sourceVolume": "grafana-db"
       }
     ],
-    "secrets": [
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_ALLOW_SIGN_UP",
-        "name": "GF_AUTH_GITHUB_ALLOW_SIGN_UP"
-      },
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_ALLOWED_ORGANIZATIONS",
-        "name": "GF_AUTH_GITHUB_ALLOWED_ORGANIZATIONS"
-      },
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_API_URL",
-        "name": "GF_AUTH_GITHUB_API_URL"
-      },
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_AUTH_URL",
-        "name": "GF_AUTH_GITHUB_AUTH_URL"
-      },
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_CLIENT_ID",
-        "name": "GF_AUTH_GITHUB_CLIENT_ID"
-      },
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_CLIENT_SECRET",
-        "name": "GF_AUTH_GITHUB_CLIENT_SECRET"
-      },
-      {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_ENABLED",
-        "name": "GF_AUTH_GITHUB_ENABLED"
-      },
+    "secrets": [],
+    "volumesFrom": [],
+    "essential": true,
+    "environment": [
       {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_SCOPES",
-        "name": "GF_AUTH_GITHUB_SCOPES"
+        "name": "GF_LOG_FILTERS",
+        "value": "rendering:debug"
       },
       {
-        "valueFrom": "/grafana/GF_AUTH_GITHUB_TOKEN_URL",
-        "name": "GF_AUTH_GITHUB_TOKEN_URL"
+        "name": "GF_RENDERING_CALLBACK_URL",
+        "value": "http://localhost:3000/"
       },
       {
-        "valueFrom": "/grafana/GF_SERVER_ROOT_URL",
-        "name": "GF_SERVER_ROOT_URL"
+        "name": "GF_RENDERING_SERVER_URL",
+        "value": "http://localhost:8081/render"
       },
       {
-        "valueFrom": "/grafana/GF_SERVER_ENABLE_GZIP",
-        "name": "GF_SERVER_ENABLE_GZIP"
+        "name": "GF_SERVER_ROOT_URL",
+        "value": "${grafana_root_url}"
       },
       {
-        "valueFrom": "/grafana/GF_DEFAULT_INSTANCE_NAME",
-        "name": "GF_DEFAULT_INSTANCE_NAME"
+        "name": "GF_SECURITY_ALLOW_EMBEDDING",
+        "value": "${grafana_allow_embedding}"
       }
     ],
+    "healthCheck": {
+      "command": [
+          "CMD-SHELL",
+          "curl -f http://localhost:3000/login || exit 1"
+      ],
+      "interval": 30,
+      "timeout": 5,
+      "retries": 3
+    }
+  },
+  {
+    "name": "renderer",
+    "image": "${renderer_image}:${renderer_version}",
+    "cpu": 256,
+    "memoryReservation": 512,
+    "portMappings": [
+        {
+            "name": "renderer-8081-tcp",
+            "containerPort": 8081,
+            "hostPort": 8081,
+            "protocol": "tcp",
+            "appProtocol": "http"
+        }
+    ],
+    "essential": false,
+    "environment": [],
+    "environmentFiles": [],
+    "mountPoints": [],
     "volumesFrom": [],
-    "essential": true
+    "healthCheck": {
+        "command": [
+            "CMD-SHELL",
+            "wget --spider http://localhost:8081/ || exit 1"
+        ],
+        "interval": 30,
+        "timeout": 5,
+        "retries": 3
+    },
+    "systemControls": []
   }
 ]
diff --git a/ecs.tf b/ecs.tf
@@ -0,0 +1,218 @@
+# Define the assume role IAM policy document for the ECS service scheduler IAM role
+data "aws_iam_policy_document" "this" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+# Create the IAM roles for the ECS task
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name               = "${var.service_name}-task-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.this.json
+}
+
+resource "aws_iam_role" "ecs_task_role" {
+  name               = "${var.service_name}-task-role"
+  assume_role_policy = data.aws_iam_policy_document.this.json
+}
+
+# Configure additional IAM policies for the ECS service and task
+resource "aws_iam_policy" "ecs_task_custom_policy" {
+  name = "${var.service_name}-ecs-task-custom-policy"
+  path = "/"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
+      "Effect": "Allow",
+      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "AllowReadingResourcesForTags",
+      "Effect": "Allow",
+      "Action": "tag:GetResources",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "task_custom" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = aws_iam_policy.ecs_task_custom_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "task_ecr" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+}
+
+resource "aws_iam_role_policy_attachment" "task_cloudwatch" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "task_ssm_ro" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "task_execution_custom" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.ecs_task_custom_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "task_execution_ecr" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+}
+
+resource "aws_iam_role_policy_attachment" "task_execution_cloudwatch" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "task_execution_ssm_ro" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
+}
+
+# Create the ECS cluster
+resource "aws_ecs_cluster" "this" {
+  name = var.service_name
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+# Create CloudWatch log group
+resource "aws_cloudwatch_log_group" "this" {
+  name              = var.cloudwatch_log_group_name
+  retention_in_days = 30
+}
+
+# Create the task definition by passing it the container definition
+locals {
+  container_definitions = templatefile("${path.module}/container-definition/container-definition.json", {
+    aws_region                = var.aws_region
+    cloudwatch_log_group_name = aws_cloudwatch_log_group.this.name
+    grafana_image             = var.grafana_image
+    grafana_version           = var.grafana_version
+    renderer_image            = var.renderer_image
+    renderer_version          = var.renderer_version
+    grafana_cpu               = (var.cpu - 256)
+    grafana_memory            = (var.memory - 512)
+    grafana_container_port    = var.grafana_container_port
+    grafana_root_url          = var.grafana_root_url
+    grafana_allow_embedding   = var.grafana_allow_embedding
+  })
+}
+
+resource "aws_ecs_task_definition" "this" {
+  family                   = var.service_name
+  container_definitions    = local.container_definitions
+  network_mode             = "awsvpc"
+  cpu                      = var.cpu
+  memory                   = var.memory
+  requires_compatibilities = ["FARGATE"]
+  task_role_arn            = aws_iam_role.ecs_task_role.arn
+  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+
+  volume {
+    name = "grafana-db"
+
+    efs_volume_configuration {
+      file_system_id     = aws_efs_file_system.this.id
+      root_directory     = "/"
+      transit_encryption = "ENABLED"
+      authorization_config {
+        access_point_id = aws_efs_access_point.this.id
+        iam             = "DISABLED"
+      }
+    }
+  }
+}
+
+# Create the ECS service(s)
+resource "aws_ecs_service" "fargate_ondemand" {
+  # Create this resource when 'var.enable_spot' & 'var.enable_fallback' are both true.
+  count = (var.enable_spot && !var.enable_fallback) ? 0 : 1
+
+  name                               = "${var.service_name}-ondemand"
+  cluster                            = aws_ecs_cluster.this.arn
+  task_definition                    = aws_ecs_task_definition.this.arn
+  desired_count                      = 0
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  health_check_grace_period_seconds  = var.health_check_grace_period_seconds
+  launch_type                        = "FARGATE"
+  platform_version                   = var.platform_version
+  depends_on                         = [aws_lb_target_group.this]
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.this.arn
+    container_name   = var.service_name
+    container_port   = var.grafana_container_port
+  }
+
+  network_configuration {
+    subnets          = var.private_subnet_ids
+    security_groups  = [aws_security_group.ecs_service_sg.id]
+    assign_public_ip = var.assign_public_ip
+  }
+
+  lifecycle {
+    replace_triggered_by = [aws_security_group.ecs_service_sg.id]
+  }
+}
+
+resource "aws_ecs_service" "fargate_spot" {
+  # Create this resource when either 'var.enable_spot' or 'var.enable_fallback' is true.
+  count = (var.enable_spot || var.enable_fallback) ? 1 : 0
+
+  name                               = "${var.service_name}-spot"
+  cluster                            = aws_ecs_cluster.this.arn
+  task_definition                    = aws_ecs_task_definition.this.arn
+  desired_count                      = var.desired_number_of_tasks
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  health_check_grace_period_seconds  = var.health_check_grace_period_seconds
+
+  capacity_provider_strategy {
+    capacity_provider = "FARGATE_SPOT"
+    weight            = 1
+    base              = 1
+  }
+
+  platform_version = var.platform_version
+  depends_on       = [aws_lb_target_group.this]
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.this.arn
+    container_name   = var.service_name
+    container_port   = var.grafana_container_port
+  }
+
+  network_configuration {
+    subnets          = var.private_subnet_ids
+    security_groups  = [aws_security_group.ecs_service_sg.id]
+    assign_public_ip = var.assign_public_ip
+  }
+
+  lifecycle {
+    replace_triggered_by = [aws_security_group.ecs_service_sg.id]
+  }
+}