Add infra for web scrambles

.gitignore

@@ -26,3 +26,7 @@ gradle.properties
 
 .idea/
 .vscode/
+
+.terraform/
+
+.DS_Store

iac/README.md

@@ -0,0 +1,17 @@
+# IAC for TNoodle
+
+## Requirements
+
+-   Terraform
+-   AWS Account with credentials configured
+
+## Get started
+
+```bash
+cd iac
+terraform init
+terraform apply -target='module.tnoodle_frontend.aws_s3_bucket.fontend_bucket'
+terraform apply
+```
+
+If you agree with the plan in the output, type `yes`.

iac/alb.tf

@@ -0,0 +1,50 @@
+resource "aws_alb" "tnoodle_load_balancer" {
+  name            = "tnoodle-alb"
+  security_groups = [aws_security_group.http_security_group.id]
+  subnets         = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
+  idle_timeout    = 300
+
+  tags = {
+    (var.type) = var.type_alb
+  }
+}
+
+resource "aws_alb_listener" "api_lb_listener" {
+  load_balancer_arn = aws_alb.tnoodle_load_balancer.arn
+  port              = var.https_port
+  protocol          = "HTTPS"
+  certificate_arn   = data.aws_acm_certificate.certificate.arn
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.tnoodle_tg.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_target_group" "tnoodle_tg" {
+  name_prefix = "kctg1"
+  port        = var.tnoodle_port
+  protocol    = "HTTP"
+  vpc_id      = aws_default_vpc.default.id
+  target_type = "ip"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  health_check {
+    healthy_threshold   = "3"
+    interval            = "60"
+    protocol            = "HTTP"
+    matcher             = "200"
+    timeout             = "3"
+    path                = "/"
+    unhealthy_threshold = "2"
+  }
+
+  tags = {
+    (var.type) = var.type_tg
+  }
+  depends_on = [aws_alb.tnoodle_load_balancer]
+}

iac/certificate.tf

@@ -0,0 +1,17 @@
+data "aws_acm_certificate" "certificate" {
+  domain   = "*.${var.domain_name}"
+  statuses = ["ISSUED"]
+}
+
+provider "aws" {
+  region = "us-east-1"
+  alias  = "us_east_1"
+}
+
+data "aws_acm_certificate" "certificate_us_east_1" {
+  domain   = "*.${var.domain_name}"
+  statuses = ["ISSUED"]
+
+  provider = aws.us_east_1
+}
+

iac/data-ssm.tf

@@ -0,0 +1,3 @@
+data "aws_ssm_parameter" "wca_zone_id" {
+  name = "/route53/wca-zone-id"
+}

iac/ecr.tf

@@ -0,0 +1,17 @@
+resource "aws_ecr_repository" "tnoodle" {
+  name = "tnoodle"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    (var.type) = var.type_ecr
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "expire_policy" {
+  repository = aws_ecr_repository.tnoodle.name
+
+  policy = templatefile("./templates/ecr/expire-policy.json", {})
+}

iac/ecs.tf

@@ -0,0 +1,54 @@
+resource "aws_ecs_cluster" "tnoodle_cluster" {
+  name = "tnoodle-cluster"
+
+  tags = {
+    (var.type) = var.type_ecs
+  }
+}
+
+resource "aws_ecs_task_definition" "tnoodle_task_definition" {
+  family                   = "tnoodle-task-definition"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.fargate_cpu
+  memory                   = var.fargate_memory
+  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_execution_role.arn
+
+  container_definitions = templatefile("./templates/container-definitions/tnoodle.json.tpl", {
+    app_image      = aws_ecr_repository.tnoodle.repository_url
+    aws_region     = var.aws_region
+    app_port       = var.tnoodle_port
+    container_name = var.tnoodle_name
+    fargate_cpu    = var.fargate_cpu
+    fargate_memory = var.fargate_memory
+  })
+  tags = {
+    (var.type) = var.type_ecs
+  }
+}
+
+resource "aws_ecs_service" "tnoodle_service" {
+  name          = "tnoodle-service"
+  cluster       = aws_ecs_cluster.tnoodle_cluster.id
+  desired_count = 1
+  launch_type   = "FARGATE"
+
+  task_definition = aws_ecs_task_definition.tnoodle_task_definition.arn
+
+  network_configuration {
+    subnets          = [aws_default_subnet.default_az1.id]
+    security_groups  = [aws_security_group.allow_tnoodle_default_port.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.tnoodle_tg.arn
+    container_name   = var.tnoodle_name
+    container_port   = var.tnoodle_port
+  }
+
+  tags = {
+    (var.type) = var.type_ecs
+  }
+}

iac/frontend.tf

@@ -0,0 +1,10 @@
+module "tnoodle_frontend" {
+  source = "./modules/frontend"
+
+  aws_region      = var.aws_region
+  project_name    = var.tnoodle_name
+  zone_id         = data.aws_ssm_parameter.wca_zone_id.value
+  domain_name     = var.domain_name
+  org_name        = var.org_name
+  certificate_arn = data.aws_acm_certificate.certificate_us_east_1.arn
+}

iac/main.tf

@@ -0,0 +1,20 @@
+terraform {
+  backend "s3" {
+    bucket = "NON-EXISTING-BUCKET"
+    key    = "tnoodle-web-scramble"
+    region = "us-west-2"
+  }
+}
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-west-2"
+}

iac/modules/frontend/README.md

@@ -0,0 +1,3 @@
+# Frontend Module
+
+This holds the infra to deploy TNoodle's frontend.

iac/modules/frontend/cloudfront.tf

@@ -0,0 +1,37 @@
+module "cdn" {
+  source = "cloudposse/cloudfront-s3-cdn/aws"
+
+  # Cloud Posse recommends pinning every module to a specific version
+  version = "0.92.0"
+
+  origin_bucket             = aws_s3_bucket.fontend_bucket.id
+  s3_access_logging_enabled = false
+  logging_enabled           = false
+  cached_methods            = ["HEAD", "GET", "OPTIONS"]
+  default_ttl               = "86400"
+  name                      = "cdn"
+  stage                     = terraform.workspace
+  namespace                 = var.domain_name
+  error_document            = "index.html"
+  aliases                   = ["${var.project_name}.${var.domain_name}"]
+  dns_alias_enabled         = false
+  acm_certificate_arn       = var.certificate_arn
+  minimum_protocol_version  = "TLSv1.2_2021"
+
+  custom_error_response = [
+    {
+      error_caching_min_ttl = 10,
+      error_code            = 403
+      response_code         = 403
+      response_page_path    = "/index.html"
+    },
+    {
+      error_caching_min_ttl = 10,
+      error_code            = 404
+      response_code         = 404
+      response_page_path    = "/index.html"
+    }
+  ]
+
+  depends_on = [aws_s3_bucket.fontend_bucket]
+}

iac/modules/frontend/outputs.tf

@@ -0,0 +1,9 @@
+output "deployment_bucket" {
+  value = aws_s3_bucket.fontend_bucket.bucket
+}
+
+output "cf_distribution_id" {
+  value = module.cdn.cf_id
+}
+
+

iac/modules/frontend/route53.tf

@@ -0,0 +1,11 @@
+resource "aws_route53_record" "project_record" {
+  zone_id = var.zone_id
+  name    = var.project_name
+  type    = "A"
+
+  alias {
+    name                   = module.cdn.cf_domain_name
+    evaluate_target_health = true
+    zone_id                = module.cdn.cf_hosted_zone_id
+  }
+}

iac/modules/frontend/s3.tf

@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "fontend_bucket" {
+  bucket = "${var.org_name}-${var.project_name}-frontend"
+}

iac/modules/frontend/variables.tf

@@ -0,0 +1,23 @@
+variable "aws_region" {
+  description = "AWS Region"
+}
+
+variable "project_name" {
+  description = "The name of this project"
+}
+
+variable "zone_id" {
+  description = "The Route53 zone ID"
+}
+
+variable "domain_name" {
+  description = "The domain name, web URL"
+}
+
+variable "org_name" {
+  description = "The name of the organization"
+}
+
+variable "certificate_arn" {
+  description = "The ARN of the ACM certificate"
+}

iac/outputs.tf

@@ -0,0 +1,7 @@
+output "tnoodle_deployment_bucket" {
+  value = module.tnoodle_frontend.deployment_bucket
+}
+
+output "tnoodle_distribution_id" {
+  value = module.tnoodle_frontend.cf_distribution_id
+}