refa: switch to Fargate ECS cluster

Author: kfc-manager

.github/diagrams/cluster-dark.png

@@ -1,27 +1,27 @@
 # Editor directories and files
-.vscode/*
-!.vscode/extensions.json
-.idea
-.DS_Store
-*.suo
-*.ntvs*
-*.njsproj
-*.sln
-*.sw?
+**/.vscode/*
+**/!.vscode/extensions.json
+**/.idea
+**/.DS_Store
+**/*.suo
+**/*.ntvs*
+**/*.njsproj
+**/*.sln
+**/*.sw?
 
-# Terraform files
-**/.terraform/*
-*.tfstate
-*.tfstate.*
-crash.log
-crash.*.log
-.terraform.lock.hcl
-*.tfvars
-*.tfvars.json
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-*tfplan*
-.terraformrc
-terraform.rc
+**/# Terraform files
+**/**/.terraform/*
+**/*.tfstate
+**/*.tfstate.*
+**/crash.log
+**/crash.*.log
+**/.terraform.lock.hcl
+**/*.tfvars
+**/*.tfvars.json
+**/override.tf
+**/override.tf.json
+**/*_override.tf
+**/*_override.tf.json
+**/*tfplan*
+**/.terraformrc
+**/terraform.rc

.github/diagrams/cluster-light.png

@@ -0,0 +1,120 @@
+# Modules: Cluster
+
+This is an agglomeration of Terraform modules relevant to build a Fargate ECS cluster. After creating a base ECS cluster any amount of services can be added to the cluster. With service discovery private DNS namespaces can be created for cluster internal communication between services. Services can also be autoscaled and publicly exposed by adding them to a target group of the load balancer module.
+
+![Cluster visualized](.github/diagrams/cluster-transparent.png)
+
+## Contents
+
+- [Requirements](#requirements)
+- [Examples](#examples)
+
+## Requirements
+
+| Name      | Version |
+| --------- | ------- |
+| terraform | >= 1.0  |
+| aws       | >= 5.20 |
+
+## Examples
+
+```hcl
+module "cluster" {
+  source = "github.com/custom-terraform-aws-modules/cluster/cluster"
+
+  identifier = "example-cluster"
+
+  log_config = {
+    retention_in_days = 7
+  }
+
+  tags = {
+    Project     = "example-project"
+    Environment = "dev"
+  }
+}
+
+module "load_balancer" {
+  source = "github.com/custom-terraform-aws-modules/cluster/load-balancer"
+
+  identifier = "example-load-balancer"
+  vpc_id     = "vpc-1234567890"
+  subnets    = ["subnet-1", "subnet-2", "subnet-3"]
+
+  target_groups = [
+    {
+      name              = "first-target-group"
+      host_domain       = "example.com"
+      certificate_arn   = "arn:aws:acm:eu-central-1:1234567890:example"
+      health_check_path = "/health"
+    }
+  ]
+
+  tags = {
+    Project     = "example-project"
+    Environment = "dev"
+  }
+}
+
+module "cache_service" {
+  source = "github.com/custom-terraform-aws-modules/cluster/service"
+
+  identifier         = "cache-service"
+  cluster_id         = module.cluster.id
+  region             = "eu-central-1"
+  cpu_architecture   = "ARM64"
+  dns_namespace      = "cache.local"
+  vpc_id             = "vpc-1234567890"
+  execution_role_arn = "arn:aws:iam::1234567890:role/execution-role"
+  container_port     = 6379
+  subnets            = ["subnet-1", "subnet-2", "subnet-3"]
+  task_count         = 1
+  task_cpu           = 256
+  task_memory        = 512
+
+  image = {
+    uri = "redis:latest"
+  }
+
+  log_config = {
+    retention_in_days = 7
+  }
+
+  tags = {
+    Project     = "example-project"
+    Environment = "dev"
+  }
+}
+
+module "web_server_service" {
+  source = "github.com/custom-terraform-aws-modules/cluster/service"
+
+  identifier         = "web-server-service"
+  cluster_id         = module.cluster.id
+  region             = "eu-central-1"
+  cpu_architecture   = "ARM64"
+  vpc_id             = "vpc-1234567890"
+  execution_role_arn = "arn:aws:iam::1234567890:role/execution-role"
+  container_port     = 8000
+  subnets            = ["subnet-1", "subnet-2", "subnet-3"]
+  security_groups    = [module.cache_service.security_group]
+  target_group       = module.load_balancer.target_groups[0]
+  task_count         = 3
+  task_cpu           = 256
+  task_memory        = 512
+
+  autoscaling = {
+    min_count = 3
+    max_count = 5
+  }
+
+  log_config = {
+    retention_in_days = 7
+  }
+
+  tags = {
+    Project     = "example-project"
+    Environment = "dev"
+  }
+}
+```

.github/diagrams/cluster-transparent.png

@@ -0,0 +1,38 @@
+# Cluster: Cluster
+
+This module creates the ECS cluster and is the foundation for the other modules of this repository to build on top of.
+
+## Contents
+
+- [Requirements](#requirements)
+- [Inputs](#inputs)
+- [Outputs](#outputs)
+
+## Requirements
+
+| Name      | Version |
+| --------- | ------- |
+| terraform | >= 1.0  |
+| aws       | >= 5.20 |
+
+## Inputs
+
+| Name       | Description                                                              | Type          | Default | Required |
+| ---------- | ------------------------------------------------------------------------ | ------------- | ------- | :------: |
+| identifier | The unique identifier to differentiate resources.                        | `string`      | n/a     |   yes    |
+| log_config | Object to define logging configuration for the ECS master to CloudWatch. | `object`      | null    |    no    |
+| tags       | A map of tags to add to all resources.                                   | `map(string)` | {}      |    no    |
+
+### `log_config`
+
+| Name              | Description                                                                                                                | Type     | Default | Required |
+| ----------------- | -------------------------------------------------------------------------------------------------------------------------- | -------- | ------- | :------: |
+| retention_in_days | Specifies the number of days the log events shall be retained. Valid values: 1, 3, 5, 7, 14, 30, 365 and 0 (never expire). | `number` | n/a     |   yes    |
+
+## Outputs
+
+| Name               | Description                                                               |
+| ------------------ | ------------------------------------------------------------------------- |
+| id                 | The ID of the ECS cluster.                                                |
+| execution_role_arn | The ARN of the execution IAM role for the ECS services.                   |
+| log_group_arn      | The ARN of the CloudWatch log group created for the ECS master to log to. |

.github/diagrams/cluster.drawio

@@ -0,0 +1,49 @@
+resource "aws_cloudwatch_log_group" "main" {
+  count             = var.log_config != null ? 1 : 0
+  name              = var.identifier
+  retention_in_days = var.log_config["retention_in_days"]
+
+  tags = var.tags
+}
+
+resource "aws_ecs_cluster" "main" {
+  name = var.identifier
+
+  dynamic "configuration" {
+    for_each = var.log_config != null ? [1] : []
+    content {
+      execute_command_configuration {
+        logging = "OVERRIDE"
+
+        log_configuration {
+          cloud_watch_log_group_name = aws_cloudwatch_log_group.main[0].name
+        }
+      }
+    }
+  }
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "main" {
+  name               = "${var.identifier}-ExecutionRoleForTasks"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "main" {
+  role       = aws_iam_role.main.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}

.gitignore

@@ -0,0 +1,14 @@
+output "id" {
+  description = "The ID of the ECS cluster."
+  value       = aws_ecs_cluster.main.id
+}
+
+output "execution_role_arn" {
+  description = "The ARN of the execution IAM role for the ECS services."
+  value       = aws_iam_role.main.arn
+}
+
+output "log_group_arn" {
+  description = "The ARN of the CloudWatch log group."
+  value       = try(aws_cloudwatch_log_group.main[0].arn, null)
+}