Add deployment configuration for Stun server

stun_server/dns.tf

@@ -0,0 +1,11 @@
+data "cloudflare_zone" "dns_zone" {
+  name = var.domain_name
+}
+
+resource "cloudflare_record" "instance_dns" {
+  zone_id = data.cloudflare_zone.dns_zone.id
+  name    = "" # TODO: Add the subdomain
+  content = data.aws_network_interface.stun_server_interface.association[0].public_ip
+  type    = "A"
+  proxied = true
+}

stun_server/ecs.tf

@@ -0,0 +1,87 @@
+resource "aws_ecs_service" "stun-server" {
+  name = "stun-server"
+
+  cluster         = data.tfe_outputs.infrastructure.values.ecs_cluster
+  task_definition = aws_ecs_task_definition.stun-server.arn
+  count           = 1
+  desired_count   = 1
+
+  deployment_minimum_healthy_percent = 100
+  deployment_maximum_percent         = 200
+  health_check_grace_period_seconds  = 90
+  launch_type                        = "FARGATE"
+
+  # Required to fetch the public IP address of the ECS service
+  enable_ecs_managed_tags = true
+  wait_for_steady_state   = true
+
+  network_configuration {
+    assign_public_ip = true
+    security_groups  = [aws_security_group.stun_sg.id]
+    subnets = [
+      data.tfe_outputs.infrastructure.values.public_subnets[0],
+      data.tfe_outputs.infrastructure.values.public_subnets[1]
+    ]
+  }
+}
+
+data "aws_network_interface" "stun_server_interface" {
+  filter {
+    name   = "tag:aws:ecs:serviceName"
+    values = [aws_ecs_service.stun-server.name]
+  }
+}
+
+resource "aws_cloudwatch_log_group" "aws_logs" {
+  name              = "/ecs/stun-server"
+  retention_in_days = 14
+}
+
+resource "aws_ecs_task_definition" "stun-server" {
+  family = "stun-server"
+
+  count  = 1
+  cpu    = 2048
+  memory = 4096
+
+  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = "ARM64"
+  }
+
+  container_definitions = jsonencode([
+    {
+      name      = "stun-server"
+      image     = "ghcr.io/home-assistant/stun:${var.image_tag}"
+      cpu       = 2048
+      memory    = 4096
+      essential = true
+
+      portMappings = [
+        {
+          containerPort = 3478
+          hostPort      = 3478
+          protocol      = "tcp"
+        },
+        {
+          containerPort = 3478
+          hostPort      = 3478
+          protocol      = "udp"
+        }
+      ],
+
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = "/ecs/stun-server"
+          "awslogs-region"        = "us-east-1"
+          "awslogs-stream-prefix" = "ecs"
+        }
+      }
+    }
+  ])
+}

stun_server/main.tf

@@ -0,0 +1,18 @@
+terraform {
+  cloud {
+    organization = "home_assistant"
+
+    workspaces {
+      name = "infrastructure"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "tfe_outputs" "infrastructure" {
+  organization = "home_assistant"
+  workspace    = "infrastructure"
+}

stun_server/network.tf

@@ -0,0 +1,26 @@
+resource "aws_security_group" "stun_sg" {
+  vpc_id = data.tfe_outputs.infrastructure.values["us-east-1"].network_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow STUN traffic TCP"
+    from_port   = 3478
+    to_port     = 3478
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow STUN traffic UDF"
+    from_port   = 3478
+    to_port     = 3478
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}

stun_server/outputs.tf

@@ -0,0 +1,4 @@
+output "stun_server_ip" {
+  description = "The public IP address of the stun server"
+  value       = data.aws_network_interface.stun_server_interface.association[0].public_ip
+}

stun_server/variables.tf

@@ -0,0 +1,9 @@
+variable "domain_name" {
+  description = "The base domain name"
+  type        = string
+}
+
+variable "image_tag" {
+  description = "Version of the Stun server to deploy"
+  type        = string
+}

stun_server/versions.tf

@@ -0,0 +1,19 @@
+terraform {
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+
+    tfe = {
+      source  = "hashicorp/tfe"
+      version = "~> 0.58.0"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+}