move modules to infrastructure

terraform/infrastructure/modules/db/main.tf

@@ -0,0 +1,48 @@
+resource "aws_db_subnet_group" "test_db_subnet_group" {
+  name       = "test-db-subnet-group"
+  subnet_ids = ["${aws_default_subnet.default_subnet_a.id}", "${aws_default_subnet.default_subnet_b.id}", "${aws_default_subnet.default_subnet_c.id}"]
+
+}
+
+resource "aws_security_group" "rds_sg" {
+  name   = "rds-sg"
+  vpc_id = aws_default_vpc.default_vpc.id
+
+  ingress {
+    description = "connection from the VPC"
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_secretsmanager_secret" "db_auth" {
+  name                    = "db-auth"
+  recovery_window_in_days = 0
+  #checkov:skip=CKV2_AWS_57: Disabled Secrets Manager secrets automatic rotation
+}
+
+resource "aws_secretsmanager_secret_version" "db" {
+  secret_id     = aws_secretsmanager_secret.db_auth.id
+  secret_string = random_password.db_password.result
+}
+
+resource "aws_db_instance" "rds_pgs" {
+  identifier                          = "rds-pgs"
+  allocated_storage                   = 10
+  engine                              = "postgres"
+  db_name                             = "postgres"
+  engine_version                      = "15.3"
+  instance_class                      = "db.t3.micro"
+  username                            = "go_rest_api"
+  password                            = aws_secretsmanager_secret_version.db.secret_string
+  multi_az                            = true
+  db_subnet_group_name                = aws_db_subnet_group.test_db_subnet_group.name
+  vpc_security_group_ids              = [aws_security_group.rds_sg.id]
+  backup_retention_period             = 35
+  parameter_group_name                = "default.postgres15"
+  backup_window                       = "21:00-23:00"
+  iam_database_authentication_enabled = true
+  final_snapshot_identifier           = false
+}

terraform/infrastructure/modules/db/outputs.tf

@@ -0,0 +1,12 @@
+output "rds-pgs_string_arn" {
+  value = aws_ssm_parameter.db_endpoint.arn
+}
+
+output "db_user_name" {
+  value = aws_db_instance.rds_pgs.username
+}
+
+output "db_password_arn" {
+  value = aws_secretsmanager_secret_version.db.arn
+}
+

terraform/infrastructure/modules/db/random.tf

@@ -0,0 +1,6 @@
+#https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html#auth-overview
+resource "random_password" "db_password" {
+  length           = 128
+  special          = true
+  override_special = "!&#$^<>-"
+}

terraform/infrastructure/modules/db/ssm_parameter.tf

@@ -0,0 +1,7 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
+resource "aws_ssm_parameter" "db_endpoint" {
+  name  = "/rds_db/endpoint"
+  type  = "SecureString"
+  value = split(":", aws_db_instance.rds_pgs.endpoint)[0]
+}
+

terraform/infrastructure/modules/db/variables.tf

@@ -0,0 +1,4 @@
+variable "availability_zones" {
+  description = "us-east-1 AZs"
+  type        = list(string)
+}

terraform/infrastructure/modules/db/vpc.tf

@@ -0,0 +1,14 @@
+# Deploy cluster in default VPC
+resource "aws_default_vpc" "default_vpc" {}
+
+resource "aws_default_subnet" "default_subnet_a" {
+  availability_zone = var.availability_zones[0]
+}
+
+resource "aws_default_subnet" "default_subnet_b" {
+  availability_zone = var.availability_zones[1]
+}
+
+resource "aws_default_subnet" "default_subnet_c" {
+  availability_zone = var.availability_zones[2]
+}

terraform/infrastructure/modules/ecs/cloudwatch.tf

@@ -0,0 +1,3 @@
+resource "aws_cloudwatch_log_group" "go-rest-api-log-group" {
+  name = "go-rest-api-log-group"
+}

terraform/infrastructure/modules/ecs/data.tf

@@ -0,0 +1,8 @@
+data "aws_ecr_repository" "go_rest_api_ecr_repo" {
+  name = var.ecr_repo_name
+}
+
+data "aws_db_instance" "rds_pgs" {
+  depends_on             = [var.aws_db_instance]
+  db_instance_identifier = "rds-pgs"
+}

terraform/infrastructure/modules/ecs/elb.tf

@@ -0,0 +1,40 @@
+resource "aws_lb" "go-rest-api-lb" {
+  name               = var.aws_lb_name
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.lb_sg.id]
+  subnets = [
+    "${aws_default_subnet.default_subnet_a.id}",
+    "${aws_default_subnet.default_subnet_b.id}",
+    "${aws_default_subnet.default_subnet_c.id}"
+  ]
+
+}
+
+resource "aws_lb_target_group" "go-rest-api-tg" {
+  name        = var.aws_lb_target_group_name
+  port        = 80
+  protocol    = "HTTP"
+  vpc_id      = aws_default_vpc.default_vpc.id
+  target_type = "ip"
+  health_check {
+    path                = "/"
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
+    timeout             = 60
+    interval            = 300
+    matcher             = "200,301,302"
+  }
+}
+
+
+resource "aws_lb_listener" "go-rest-api-lb-listener" {
+  load_balancer_arn = aws_lb.go-rest-api-lb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.go-rest-api-tg.arn
+  }
+}

terraform/infrastructure/modules/ecs/iam.tf

@@ -0,0 +1,114 @@
+# IAM policies 
+resource "aws_iam_policy" "go-rest-api-policy" {
+  name = var.go_rest_api_policy_name
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "elb:*",
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs-iam-policy-attachment" {
+  role       = aws_iam_role.go-rest-api-role.name
+  policy_arn = aws_iam_policy.go-rest-api-policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attachment" {
+  role       = aws_iam_role.go-rest-api-role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_policy" "rds_access_policy" {
+  name   = var.rds_access_policy_name
+  policy = file("rds-access.json")
+}
+
+resource "aws_iam_role_policy_attachment" "rds_policy_attachment" {
+  role       = aws_iam_role.go-rest-api-role.name
+  policy_arn = aws_iam_policy.rds_access_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "secret_manager_policy_attachment" {
+  role       = aws_iam_role.go-rest-api-role.name
+  policy_arn = aws_iam_policy.secret_manager_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_parameter_policy_attachment" {
+  role       = aws_iam_role.go-rest-api-role.name
+  policy_arn = aws_iam_policy.ssm_parameter_policy.arn
+}
+
+#Create a policy to read from the specific parameter store
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "ssm_parameter_policy" {
+  name        = var.go_rest_api_ssm_parameter_policy_name
+  path        = "/"
+  description = "Policy to read the Postgres endpoint from SSM Parameter Store."
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ssm:GetParameters",
+          "ssm:GetParameter"
+        ],
+        Resource = [var.postgres_endpoint_arn]
+      }
+    ]
+  })
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "secret_manager_policy" {
+  name        = var.secret_manager_policy_name
+  path        = "/"
+  description = "Policy to read Postgres password stored with AWS Secrets Manager"
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "secretsmanager:GetSecretValue"
+        ]
+        Resource = [var.postgres_password_arn]
+      }
+    ]
+  })
+}
+
+# The ecs role
+resource "aws_iam_role" "go-rest-api-role" {
+  name = "go-rest-api-role"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}

terraform/infrastructure/modules/ecs/kms.tf

@@ -0,0 +1,4 @@
+resource "aws_kms_key" "go-rest-api-kms" {
+  description             = "go-rest-api-kms"
+  deletion_window_in_days = 7
+}