Add deployment configuration for Stun server

.modules/service/ecs.tf

@@ -56,4 +56,4 @@ resource "aws_ecs_task_definition" "task" {
       }
     }, var.container_definitions)
   ])
-}
+}

.modules/webservice/dns.tf

@@ -5,8 +5,8 @@ data "cloudflare_zone" "dns_zone" {
 resource "cloudflare_record" "instance_dns" {
   zone_id = data.cloudflare_zone.dns_zone.id
   name    = coalesce(var.subdomain, lower(var.service_name))
-  value   = lower(aws_alb.main.dns_name)
+  content = lower(aws_alb.main.dns_name)
   type    = "CNAME"
   ttl     = 1
   proxied = var.cloudflare_proxy
-}
+}

stun_server/main.tf

@@ -0,0 +1,40 @@
+terraform {
+  cloud {
+    organization = "home_assistant"
+
+    workspaces {
+      name = "stun_server"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+module "us_east_1" {
+  source = "./region"
+
+  region      = "us-east-1"
+  domain_name = var.domain_name
+  subdomain   = "stun-us"
+  image_tag   = var.image_tag
+}
+
+module "eu_central_1" {
+  source = "./region"
+
+  region      = "eu-central-1"
+  domain_name = var.domain_name
+  subdomain   = "stun-eu"
+  image_tag   = var.image_tag
+}
+
+module "ap_southeast_1" {
+  source = "./region"
+
+  region      = "ap-southeast-1"
+  domain_name = var.domain_name
+  subdomain   = "stun-ap"
+  image_tag   = var.image_tag
+}

stun_server/outputs.tf

@@ -0,0 +1,4 @@
+output "stun_server_ip" {
+  description = "The public IP address of the stun server"
+  value       = data.aws_network_interface.stun_server_interface.association[0].public_ip
+}

stun_server/region/dns.tf

@@ -0,0 +1,11 @@
+data "cloudflare_zone" "dns_zone" {
+  name = var.domain_name
+}
+
+resource "cloudflare_record" "instance_dns" {
+  zone_id = data.cloudflare_zone.dns_zone.id
+  name    = var.subdomain
+  content = module.stun_server.aws_network_interface.stun_server_interface.association[0].public_ip
+  type    = "A"
+  proxied = true
+}

stun_server/region/ecs.tf

@@ -0,0 +1,30 @@
+resource "aws_ecs_service" "stun-server" {
+  name                               = local.service_name
+  cluster                            = data.tfe_outputs.infrastructure.values[var.region].ecs_cluster
+  task_definition                    = module.stun_server.task_definition
+  desired_count                      = 1
+  deployment_minimum_healthy_percent = 100
+  deployment_maximum_percent         = 200
+  health_check_grace_period_seconds  = 90
+  launch_type                        = local.launch_type
+
+  # Required to fetch the public IP address of the ECS service
+  enable_ecs_managed_tags = true
+  wait_for_steady_state   = true
+
+  network_configuration {
+    assign_public_ip = true
+    security_groups  = [aws_security_group.stun_sg.id]
+    subnets = [
+      data.tfe_outputs.infrastructure.values.public_subnets[0],
+      data.tfe_outputs.infrastructure.values.public_subnets[1]
+    ]
+  }
+}
+
+data "aws_network_interface" "stun_server_interface" {
+  filter {
+    name   = "tag:aws:ecs:serviceName"
+    values = [aws_ecs_service.stun-server.name]
+  }
+}

stun_server/region/module.tf

@@ -0,0 +1,37 @@
+locals {
+  service_name = "stun-server"
+  launch_type  = "FARGATE"
+}
+
+data "tfe_outputs" "infrastructure" {
+  organization = "home_assistant"
+  workspace    = "infrastructure"
+}
+
+module "stun_server" {
+  source = "../../.modules/service"
+
+  service_name      = local.service_name
+  container_image   = "ghcr.io/home-assistant/stun-server"
+  container_version = var.image_tag
+  launch_type       = local.launch_type
+  region            = var.region
+  ecs_cpu           = 2048
+  ecs_memory        = 4096
+  container_definitions = {
+    portMappings = [
+      {
+        containerPort = 3478
+        hostPort      = 3478
+        protocol      = "tcp"
+      },
+      {
+        containerPort = 3478
+        hostPort      = 3478
+        protocol      = "udp"
+      }
+    ],
+  }
+  webservice      = true
+  rolling_updates = true
+}

stun_server/region/network.tf

@@ -0,0 +1,26 @@
+resource "aws_security_group" "stun_sg" {
+  vpc_id = data.tfe_outputs.infrastructure.values[var.region].network_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow STUN traffic TCP"
+    from_port   = 3478
+    to_port     = 3478
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow STUN traffic UDF"
+    from_port   = 3478
+    to_port     = 3478
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}

stun_server/region/variables.tf

@@ -0,0 +1,19 @@
+variable "region" {
+  description = "The region to deploy the STUN server to"
+  type        = string
+
+}
+
+variable "domain_name" {
+  description = "The base domain name"
+  type        = string
+}
+
+variable "subdomain" {
+  description = "The subdomain to use for the STUN server"
+  type        = string
+}
+variable "image_tag" {
+  description = "Version of the Stun server to deploy"
+  type        = string
+}

stun_server/variables.tf

@@ -0,0 +1,9 @@
+variable "domain_name" {
+  description = "The base domain name"
+  type        = string
+}
+
+variable "image_tag" {
+  description = "Version of the Stun server to deploy"
+  type        = string
+}

stun_server/versions.tf

@@ -0,0 +1,19 @@
+terraform {
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+
+    tfe = {
+      source  = "hashicorp/tfe"
+      version = "~> 0.58.0"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+}