Add deployment configuration for Stun server (#87)

* Add deployment configuration for Stun server

* Update stun_server/main.tf

Co-authored-by: Joakim Sørensen <[email protected]>

* Migrate to using service module, support multiple regions

* PR review fixes

* Add required Terraform version

* Started using AWS region variable, fixed missing AWS provider issue

* Fix image URL, make subdomain be constructed from region

* TF config fixes

* Add region tag to resources

* Code improvements based on PR suggestions

* Change stun server IP output key

* More PR improvements

* Upgrade AWS provider version

* Add dependencies between ECS service, network interface filter and Cloudflare DNS

---------

Co-authored-by: Joakim Sørensen <[email protected]>

stun_server/main.tf

@@ -0,0 +1,37 @@
+terraform {
+  cloud {
+    organization = "home_assistant"
+
+    workspaces {
+      name = "stun_server"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+module "us_east_1" {
+  source = "./region"
+
+  region      = "us-east-1"
+  domain_name = var.domain_name
+  image_tag   = var.image_tag
+}
+
+module "eu_central_1" {
+  source = "./region"
+
+  region      = "eu-central-1"
+  domain_name = var.domain_name
+  image_tag   = var.image_tag
+}
+
+module "ap_southeast_1" {
+  source = "./region"
+
+  region      = "ap-southeast-1"
+  domain_name = var.domain_name
+  image_tag   = var.image_tag
+}

stun_server/outputs.tf

@@ -0,0 +1,8 @@
+output "ip" {
+  description = "The public IP address of the stun server"
+  value = {
+    "us-east-1"      = module.us_east_1.stun_server_ip
+    "eu-central-1"   = module.eu_central_1.stun_server_ip
+    "ap-southeast-1" = module.ap_southeast_1.stun_server_ip
+  }
+}

stun_server/region/dns.tf

@@ -0,0 +1,12 @@
+data "cloudflare_zone" "dns_zone" {
+  name = var.domain_name
+}
+
+resource "cloudflare_record" "instance_dns" {
+  zone_id    = data.cloudflare_zone.dns_zone.id
+  name       = join("-", ["stun", data.aws_region.current.name])
+  content    = data.aws_network_interface.stun_server_interface.association[0].public_ip
+  type       = "A"
+  proxied    = true
+  depends_on = [data.aws_network_interface.stun_server_interface]
+}

stun_server/region/ecs.tf

@@ -0,0 +1,32 @@
+resource "aws_ecs_service" "stun-server" {
+  name                               = local.service_name
+  cluster                            = local.infrastructure_region_outputs.ecs_cluster
+  task_definition                    = module.stun_server.task_definition
+  desired_count                      = 1
+  deployment_minimum_healthy_percent = 100
+  deployment_maximum_percent         = 200
+  health_check_grace_period_seconds  = 90
+  launch_type                        = "FARGATE"
+
+  # Required to fetch the public IP address of the ECS service
+  enable_ecs_managed_tags = true
+  wait_for_steady_state   = true
+
+  network_configuration {
+    assign_public_ip = true
+    security_groups  = [aws_security_group.stun_sg.id]
+    subnets          = local.infrastructure_region_outputs.public_subnets
+  }
+
+  tags = {
+    region = data.aws_region.current.name
+  }
+}
+
+data "aws_network_interface" "stun_server_interface" {
+  filter {
+    name   = "tag:aws:ecs:serviceName"
+    values = [aws_ecs_service.stun-server.name]
+  }
+  depends_on = [aws_ecs_service.stun-server]
+}

stun_server/region/module.tf

@@ -0,0 +1,41 @@
+locals {
+  service_name                  = "stun-server"
+  infrastructure_region_outputs = data.tfe_outputs.infrastructure.values[data.aws_region.current.name]
+}
+
+provider "aws" {
+  region = var.region
+}
+
+data "tfe_outputs" "infrastructure" {
+  organization = "home_assistant"
+  workspace    = "infrastructure"
+}
+
+data "aws_region" "current" {}
+
+module "stun_server" {
+  source = "../../.modules/service"
+
+  service_name      = local.service_name
+  container_image   = "ghcr.io/home-assistant/stun"
+  container_version = var.image_tag
+  region            = data.aws_region.current.name
+  ecs_cpu           = 512
+  ecs_memory        = 1024
+  container_definitions = {
+    portMappings = [
+      {
+        containerPort = 3478
+        hostPort      = 3478
+        protocol      = "tcp"
+      },
+      {
+        containerPort = 3478
+        hostPort      = 3478
+        protocol      = "udp"
+      }
+    ],
+  }
+  webservice = true
+}

stun_server/region/network.tf

@@ -0,0 +1,30 @@
+resource "aws_security_group" "stun_sg" {
+  vpc_id = local.infrastructure_region_outputs.network_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow STUN traffic TCP"
+    from_port   = 3478
+    to_port     = 3478
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow STUN traffic UDF"
+    from_port   = 3478
+    to_port     = 3478
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    region = data.aws_region.current.name
+  }
+}

stun_server/region/outputs.tf

@@ -0,0 +1,4 @@
+output "stun_server_ip" {
+  description = "The public IP address of the stun server"
+  value       = data.aws_network_interface.stun_server_interface.association[0].public_ip
+}

stun_server/region/variables.tf

@@ -0,0 +1,14 @@
+variable "region" {
+  description = "The region to deploy the STUN server to"
+  type        = string
+}
+
+variable "domain_name" {
+  description = "The base domain name"
+  type        = string
+}
+
+variable "image_tag" {
+  description = "Version of the Stun server to deploy"
+  type        = string
+}

stun_server/region/versions.tf

@@ -0,0 +1,19 @@
+terraform {
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+
+    tfe = {
+      source  = "hashicorp/tfe"
+      version = "~> 0.58.0"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+}

stun_server/variables.tf

@@ -0,0 +1,9 @@
+variable "domain_name" {
+  description = "The base domain name"
+  type        = string
+}
+
+variable "image_tag" {
+  description = "Version of the Stun server to deploy"
+  type        = string
+}

stun_server/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = "= 1.9.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}