Terraform improvements and fixes and EKS GitHub Action parametrization

.github/workflows/deploy-eks.yml

@@ -4,19 +4,19 @@ on:
   workflow_dispatch:
 
 env:
-  ECR_REPOSITORY: authentication-api
-  EKS_CLUSTER_NAME: default-cluster 
-  AWS_REGION: us-east-1
-  IMAGE_NAME: authentication-api
-  NODE_ENV: development
-  LOG_STRATEGY: CONSOLE
-  SECRETS_LIST: ""
+  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY || 'authentication-api' }}
+  EKS_CLUSTER_NAME:  ${{ vars.EKS_CLUSTER_NAME || 'default-cluster' }}
+  AWS_REGION:  ${{ vars.AWS_REGION || 'us-east-1' }}
+  IMAGE_NAME:  ${{ vars.IMAGE_NAME || 'authentication-api' }}
+  NODE_ENV:  ${{ vars.NODE_ENV || 'development' }}
+  LOG_STRATEGY:  ${{ vars.LOG_STRATEGY || 'CONSOLE' }}
+  SECRETS_LIST:  ${{ vars.SECRETS_LIST || '' }}
 
-  PASSWORD_SALT: "10"
-  JWT_SECRET: ""
-  JWT_EXPIRE_MINUTES: "60"
-  JWT_COOKIE_KEY: "JWT_COOKIE"
-  DATABASE_URL: ""
+  PASSWORD_SALT: ${{ secrets.PASSWORD_SALT || '10' }}
+  JWT_SECRET: ${{ secrets.JWT_SECRET }} 
+  JWT_EXPIRE_MINUTES: ${{ secrets.JWT_EXPIRE_MINUTES || '60' }}
+  JWT_COOKIE_KEY: ${{ secrets.JWT_COOKIE_KEY || 'JWT_COOKIE' }}
+  DATABASE_URL: ${{ secrets.DATABASE_URL }}
 
 jobs:
 

.gitignore

@@ -145,4 +145,5 @@ docs
 *.tfvars.json
 *.tfstate
 *.tfstate.*
+**/*tfplan*
 **/.terraform/*

terraform/main.tf

@@ -19,6 +19,8 @@ provider "aws" {
 resource "aws_vpc" "main_vpc" {
   cidr_block       = var.vpc_cidr
 
+  enable_dns_hostnames = true
+
   tags = {
     "Environment"   = var.infra_env
     "Name"          = "auth-vpc-${var.infra_env}"
@@ -28,10 +30,11 @@ resource "aws_vpc" "main_vpc" {
   }
 }
 
+## Public resources
 resource "aws_subnet" "public_subnets" {
   for_each = var.public_subnet_map
 
-  vpc_id                  = "${aws_vpc.vpc.id}"
+  vpc_id                  = "${aws_vpc.main_vpc.id}"
   cidr_block              = "${each.value}"
   availability_zone       = "${each.key}"
   map_public_ip_on_launch = true
@@ -45,10 +48,6 @@ resource "aws_subnet" "public_subnets" {
   }
 }
 
-locals {
-  public_subnet_ids = [ for subnet in aws_subnet.public_subnets : subnet.id ]
-}
-
 resource "aws_internet_gateway" "igw" {
   vpc_id = "${aws_vpc.main_vpc.id}"
 
@@ -80,9 +79,9 @@ resource "aws_route" "public_internet_gateway" {
 }
 
 resource "aws_route_table_association" "public_subnets_associations" {
-  for_each        = toset(local.public_subnet_ids)
+  for_each       = aws_subnet.public_subnets
 
-  subnet_id      =  each.key
+  subnet_id      = each.value.id
   route_table_id = aws_route_table.public_route_table.id
 }
 
@@ -117,7 +116,7 @@ resource "aws_security_group" "public_sg" {
     from_port   = "0"
     to_port     = "0"
     protocol    = "-1"
-    cidr_blocks = [ "0.0.0.0" ]
+    cidr_blocks = [ "0.0.0.0/0" ]
   }
   tags = {
     "Environment"   = var.infra_env
@@ -128,6 +127,54 @@ resource "aws_security_group" "public_sg" {
   }
 }
 
+## Private resources
+resource "aws_eip" "nat" {
+  domain = "vpc"
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-nat-eip"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+}
+
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = values(aws_subnet.public_subnets)[0].id
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-nat-eip"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+
+  depends_on = [aws_internet_gateway.igw]
+}
+
+resource "aws_subnet" "private_subnets" {
+  for_each          = var.private_subnet_map
+
+  vpc_id            = aws_vpc.main_vpc.id
+  cidr_block        = each.value
+  availability_zone = each.key
+
+  map_public_ip_on_launch = false
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-private-subnet"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+    "kubernetes.io/role/internal-elb"                               = "1"
+    "kubernetes.io/cluster/authentication-cluster-${var.infra_env}" = "owned"
+  }
+}
+
 resource "aws_security_group" "private_sg" {
   name        = "auth-private-sg"
   description = "Security group for internal VPC traffic"
@@ -145,17 +192,47 @@ resource "aws_security_group" "private_sg" {
     from_port   = "0"
     to_port     = "0"
     protocol    = "-1"
-    cidr_blocks = [ "0.0.0.0" ]
+    cidr_blocks = [ "0.0.0.0/0" ]
   }
   tags = {
     "Environment"   = var.infra_env
-    "Name"          = "auth-public-sg"
+    "Name"          = "auth-private-sg"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+}
+
+resource "aws_route_table" "private_route_table" {
+  vpc_id = "${aws_vpc.main_vpc.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.nat.id
+  }
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-vpc-private-rt"
     "Project"       = "authentication-app"
     "ManagedBy"     = "terraform"
     "Organization"  = "andrewlod"
   }
 }
 
+resource "aws_route_table_association" "private_subnets_associations" {
+  for_each       = aws_subnet.private_subnets
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.private_route_table.id
+}
+
+
+locals {
+  public_subnet_ids = values(aws_subnet.public_subnets)[*].id
+  private_subnet_ids = values(aws_subnet.private_subnets)[*].id
+}
+
 # RDS Resources
 resource "aws_db_subnet_group" "authentication_db_sng" {
   name       = "authdbsng"
@@ -172,7 +249,7 @@ resource "aws_db_subnet_group" "authentication_db_sng" {
 
 resource "aws_db_instance" "authentication_db" {
   allocated_storage    = var.db_storage
-  db_name              = "${var.db_name}-${var.infra_env}"
+  db_name              = "${var.db_name}${var.infra_env}"
   engine               = "postgres"
   engine_version       = "16.2"
   instance_class       = var.db_instance_type
@@ -182,6 +259,7 @@ resource "aws_db_instance" "authentication_db" {
   publicly_accessible  = true
 
   db_subnet_group_name = aws_db_subnet_group.authentication_db_sng.name
+  vpc_security_group_ids = [aws_security_group.public_sg.id]
 
   tags = {
     "Environment"   = var.infra_env
@@ -230,7 +308,7 @@ resource "aws_iam_role" "eks_fargate_execution_role" {
 
 resource "aws_iam_role_policy_attachment" "eks_fargate_execution_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
-  role       = aws_iam_role.eks_fargate_execution_role.arn
+  role       = aws_iam_role.eks_fargate_execution_role.name
 }
 
 resource "aws_iam_role" "eks_cluster_role" {
@@ -258,6 +336,18 @@ resource "aws_iam_role_policy_attachment" "eks_cluster_vpc_policy_attachment" {
 }
 
 # EKS Resources
+resource "aws_ecrpublic_repository" "ecr_authentication_api" {
+  repository_name = "authentication-api"
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "authentication-api"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+}
+
 resource "aws_eks_cluster" "authentication_cluster" {
   name = "authentication-cluster-${var.infra_env}"
   role_arn = aws_iam_role.eks_cluster_role.arn
@@ -280,7 +370,7 @@ resource "aws_eks_fargate_profile" "auth_cluster_fargate_profile" {
   fargate_profile_name = "authentication-cluster-profile-${var.infra_env}"
   cluster_name = aws_eks_cluster.authentication_cluster.name
   pod_execution_role_arn = aws_iam_role.eks_fargate_execution_role.arn
-  subnet_ids = local.public_subnet_ids
+  subnet_ids = local.private_subnet_ids
 
   selector {
     namespace = "default"

terraform/variables.tf

@@ -24,24 +24,24 @@ variable "aws_region" {
 variable "vpc_cidr" {
   type        = string
   description = "CIDR of the main VPC"
-  default     = "10.0.0.0/24"
+  default     = "10.0.0.0/18"
 }
 
 variable "public_subnet_map" {
   type        = map(string)
   description = "Mapping between public subnet AZs and CIDRs"
   default = {
-    "us-east-1a" = "10.0.0.0/28"
-    "us-east-1b" = "10.0.0.16/28"
+    "us-east-1a" = "10.0.0.0/20"
+    "us-east-1b" = "10.0.16.0/20"
   }
 }
 
 variable "private_subnet_map" {
   type        = map(string)
   description = "Mapping between private subnet AZs and CIDRs"
   default = {
-    "us-east-1a" = "10.0.0.32/28"
-    "us-east-1b" = "10.0.0.48/28"
+    "us-east-1a" = "10.0.32.0/20"
+    "us-east-1b" = "10.0.48.0/20"
   }
 }