reviewing ECS - the service and task are both working

.gitignore

@@ -0,0 +1,4 @@
+.terraform/
+code.desktop 
+terraform/info.txt
+*.tfstate*

scripts/push.sh

@@ -6,6 +6,6 @@ eval $(aws ecr get-login --no-include-email --profile default --region ap-southe
 
 docker build -t wpimage:$SHA .
 
-docker tag wpimage:$SHA 672269152614.dkr.ecr.ap-southeast-2.amazonaws.com/wp-image:$SHA
+docker tag wpimage:$SHA 595875296375.dkr.ecr.ap-southeast-2.amazonaws.com/wp-image:$SHA
 
-docker push 672269152614.dkr.ecr.ap-southeast-2.amazonaws.com/wp-image:$SHA
+docker push 595875296375.dkr.ecr.ap-southeast-2.amazonaws.com/wp-image:$SHA

terraform/ecs.tf

@@ -1,41 +1,63 @@
+# Key-Name
+data "template_file" "ecs_public_key" {
+  template = "${file("~/.ssh/id_rsa.pub")}"
+}
+
+resource "aws_key_pair" "ecs_key_pair" {
+  key_name   = "ecs-key"
+  public_key = "${data.template_file.ecs_public_key.rendered}"
+}
+
 # ECS
 resource "aws_ecs_cluster" "ecs-da-wordpress" {
   name = "${var.project_name}-ecs"
 }
 
 # LC
 resource "aws_launch_configuration" "instance-ecs-da" {
-  name     = "${var.project_name}-lc"
-  security_groups = ["${aws_security_group.ecs.id}"]
-
-  image_id             = "${var.image_id}"
-  instance_type        = "${var.instance_type}"
-  iam_instance_profile = "${aws_iam_instance_profile.ecs-instance-role.id}"
-  user_data            = <<EOF
-                    #!/bin/bash
-                    echo ECS_CLUSTER=${aws_ecs_cluster.ecs-da-wordpress.name} >> /etc/ecs/ecs.config
-                    EFS_DIR=/mnt/efs
-                    EFS_ID=${aws_efs_file_system.da-wordpress-efs.id}
-                    mkdir -p $${EFS_DIR}
-                    echo "$${EFS_ID}:/ $${EFS_DIR} efs tls,_netdev" >> /etc/fstab
-                    for i in $(seq 1 20); do mount -a -t efs defaults && break || sleep 60; done
-                          EOF
+  name_prefix = "${var.project_name}-lc"
 
+  image_id                    = "${var.image_id}"
+  instance_type               = "${var.instance_type}"
   associate_public_ip_address = true
 
+  security_groups = ["${aws_security_group.ecs.id}"]
+  key_name        = "sydney-key-pair"
+
+  iam_instance_profile = "${aws_iam_instance_profile.ecs-instance-role.arn}"
+  user_data = <<EOF
+                  #!/bin/bash
+                  echo ECS_CLUSTER=${aws_ecs_cluster.ecs-da-wordpress.name} >> /etc/ecs/ecs.config
+                  mkdir -p /mnt/efs
+                  mount -t efs ${aws_efs_file_system.da-wordpress-efs.id}:/ /mnt/efs
+                EOF
+
   lifecycle {
     create_before_destroy = true
   }
 }
 
+/*
+                    #!/bin/bash
+                    cloud-init-per once install_amazon-efs-utils yum install -y amazon-efs-utils
+                    cloud-init-per once mkdir_efs mkdir /efs
+                    EFS_DIR=/mnt/efs
+                    EFS_ID=${aws_efs_file_system.da-wordpress-efs.id}
+
+                    cloud-init-per once mount_efs echo -e "$${EFS_ID}:/ $${EFS_DIR} efs tls,_netdev" >> /etc/fstab
+                    echo ECS_CLUSTER=${aws_ecs_cluster.ecs-da-wordpress.name} >> /etc/ecs/ecs.config
+*/
+
+
 # ASG
 resource "aws_autoscaling_group" "cluster-asg-da" {
-  name             = "${var.project_name}-asg"
-  vpc_zone_identifier       = ["${aws_subnet.private-wp-a.id}", "${aws_subnet.private-wp-b.id}"]
-  min_size         = 1
-  max_size         = 4
-  desired_capacity = 2
-  launch_configuration      = "${aws_launch_configuration.instance-ecs-da.name}"
+  name                 = "${var.project_name}-asg"
+  vpc_zone_identifier  = ["${aws_subnet.public-wp-a.id}", "${aws_subnet.public-wp-b.id}"]
+  min_size             = 2
+  max_size             = 4
+  desired_capacity     = 2
+  launch_configuration = "${aws_launch_configuration.instance-ecs-da.name}"
+  health_check_type    = "EC2"
   health_check_grace_period = 0
   default_cooldown          = 300
   termination_policies      = ["OldestInstance"]
@@ -47,7 +69,7 @@ resource "aws_autoscaling_group" "cluster-asg-da" {
 }
 
 # ASP
-/*resource "aws_autoscaling_policy" "cluster-asg-da-policy" {
+resource "aws_autoscaling_policy" "cluster-asg-da-policy" {
   name                      = "${var.project_name}-asg-policy"
   policy_type               = "TargetTrackingScaling"
   estimated_instance_warmup = "90"
@@ -56,43 +78,43 @@ resource "aws_autoscaling_group" "cluster-asg-da" {
 
   target_tracking_configuration {
     predefined_metric_specification {
-      predefined_metric_type = "ASGAverageCPUUtilization"
+    predefined_metric_type = "ASGAverageCPUUtilization"
     }
 
     target_value = 40
   }
 
-}*/
-
+}
+/*
 # TD
 resource "aws_ecs_task_definition" "da-ecs-task" {
   family                = var.project_name
-  execution_role_arn = aws_iam_role.ecs-instance-role.arn
+  execution_role_arn    = aws_iam_role.ecs-instance-role.arn
   container_definitions = file("tasks/wp_task_definition.json")
   volume {
     name = "service-storage-wp"
     #host_path = "/mnt/efs/wordpress"
-    
+
     efs_volume_configuration {
       file_system_id = aws_efs_file_system.fs.id
       root_directory = "/mnt/efs/wordpress"
     }
-  } 
+  }
 }
 
 # SV
 resource "aws_ecs_service" "da-ecs-service" {
-  name = "${var.project_name}-sv"
-  cluster = aws_ecs_cluster.ecs-da-wordpress.id
+  name            = "${var.project_name}-sv"
+  cluster         = aws_ecs_cluster.ecs-da-wordpress.id
   task_definition = aws_ecs_task_definition.da-ecs-task.family
-  desired_count = 2
+  desired_count   = 2
   load_balancer {
-      target_group_arn = "${aws_alb_target_group.target-group-alb.arn}"
-      container_name   = "da-wp-task"
-      container_port   = 80
+    target_group_arn = "${aws_alb_target_group.target-group-alb.arn}"
+    container_name   = "da-wp-task"
+    container_port   = 80
   }
 }
-
+*/
 /*<<EOF
                     #!/bin/bash
                     echo ECS_CLUSTER=${aws_ecs_cluster.ecs-da-wordpress.name} >> /etc/ecs/ecs.config
@@ -101,4 +123,5 @@ resource "aws_ecs_service" "da-ecs-service" {
                     echo mkdir -p $${EFS_DIR}
                     echo "$${EFS_ID}:/ $${EFS_DIR} efs tls,_netdev" >> /etc/fstab
                           for i in $(seq 1 20); do mount -a -t efs defaults && break || sleep 60; done
-                          EOF*/
+                          EOF*/
+

terraform/iam.tf

@@ -22,7 +22,55 @@ resource "aws_iam_instance_profile" "ecs-instance-role" {
   role = "${aws_iam_role.ecs-instance-role.name}"
 }
 
-resource "aws_iam_role_policy_attachment" "ecs-service-attach" {
+resource "aws_iam_role_policy_attachment" "ecs-service-attach-a" {
   role       = "${aws_iam_role.ecs-instance-role.name}"
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
 }
+
+resource "aws_iam_role_policy_attachment" "ecs-service-attach-b" {
+  role       = "${aws_iam_role.ecs-instance-role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
+}
+resource "aws_iam_role_policy_attachment" "ecs-service-attach-c" {
+  role       = "${aws_iam_role.ecs-instance-role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+
+
+
+resource "aws_iam_role" "ecs-role" {
+  name = "${var.project_name}-ecs"
+  assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+  {
+    "Effect": "Allow",
+    "Principal": {
+      "Service": "ecs-tasks.amazonaws.com"
+    },
+    "Action": "sts:AssumeRole"
+  }
+]
+}
+EOF
+}
+
+#resource "aws_iam_instance_profile" "ecs-role" {
+#  name = "${var.project_name}-ecs"
+#  role = "${aws_iam_role.ecs-role.name}"
+#}
+
+resource "aws_iam_role_policy_attachment" "ecs-attach-a" {
+  role       = "${aws_iam_role.ecs-role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
+}
+resource "aws_iam_role_policy_attachment" "ecs-attach-b" {
+  role       = "${aws_iam_role.ecs-role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+}
+resource "aws_iam_role_policy_attachment" "ecs-attach-c" {
+  role       = "${aws_iam_role.ecs-role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}

terraform/lb.tf

@@ -5,9 +5,7 @@ resource "aws_alb" "alb-da-wordpress" {
   name = "alb-da"
   security_groups = ["${aws_security_group.sg-alb.id}"]
   subnets = ["${aws_subnet.public-wp-a.id}", "${aws_subnet.public-wp-b.id}"]
-  lifecycle {
-    create_before_destroy = true
-  }
+
 }
 
 # target group
@@ -17,13 +15,16 @@ resource "aws_alb_target_group" "target-group-alb" {
     protocol = "HTTP"
     vpc_id = "${aws_vpc.da-wordpress-vpc.id}"
 
-    depends_on = [aws_alb.alb-da-wordpress]
+    #depends_on = [aws_alb.alb-da-wordpress]
+    lifecycle {
+      create_before_destroy = true
+  }
 }
 
 # port listener
 resource "aws_alb_listener" "albListeners-wp" {
   load_balancer_arn = "${aws_alb.alb-da-wordpress.arn}"
-  port              = "80"
+  port              = 80
   protocol          = "HTTP"
   default_action {
     type = "forward"

terraform/provider.tf

@@ -3,3 +3,4 @@ provider "aws" {
   region  = "ap-southeast-2"
 }
 
+

terraform/sg.tf

@@ -12,8 +12,8 @@ resource "aws_security_group" "ecs" {
   }
 
   ingress {
-    from_port   = 443
-    to_port     = 443
+    from_port   = 22
+    to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }
@@ -77,14 +77,25 @@ resource "aws_security_group" "database" {
 resource "aws_security_group" "sg-alb" {
   name   = "alb-sg"
   vpc_id = "${aws_vpc.da-wordpress-vpc.id}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
-resource "aws_security_group_rule" "sg-alb" {
+resource "aws_security_group_rule" "sg-alb-in" {
   type              = "ingress"
-  from_port         = "443"
-  to_port           = "443"
-  protocol          = "tcp"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${aws_security_group.sg-alb.id}"
+}
+resource "aws_security_group_rule" "sg-alb-eg" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = "${aws_security_group.sg-alb.id}"
 }
-

terraform/tasks.tf

@@ -1,65 +1,62 @@
 # wordpress
 
 ##### EFS volume #####
-resource "aws_efs_file_system" "fs" {
-    tags = {
-    Name = "ECS-EFS-FS"
-    }
-}
+#resource "aws_efs_file_system" "fs" {
+#    tags = {
+#    Name = "ECS-EFS-FS"
+#    }
+#}
 
 ##### task definition #####
 # describes how a docker container should launch
 data "template_file" "task_definition_json" {
     template = "${file("${path.module}/tasks/wp_task_definition.json")}"
 }
-/*
+
 # It can be thought of as an “instance” of a Task Definition
 resource "aws_ecs_task_definition" "wordpress-app" {
-    family = "ecs-task-wp"
+    family = "ecs-tasks-wp"
 
     container_definitions  = "${data.template_file.task_definition_json.rendered}"
 
     volume {
         name = "service-storage-wp"
 
-        #efs_volume_configuration {
-        #    file_system_id = "${aws_efs_file_system.fs.id}"
-        #    root_directory = "/var/www/html"
-        #    },
-        host_path  = "/mnt/efs"
+        efs_volume_configuration {
+            file_system_id = aws_efs_file_system.da-wordpress-efs.id
+            root_directory = "/"
+            }   
+        #host_path  = "/mnt/efs"
 
     }
-    memory                   = "256"
-    cpu                      = "128"
     requires_compatibilities = ["EC2"]  
-    network_mode     = "awsvpc"
+    #network_mode     = "awsvpc"
 
-    execution_role_arn = "${aws_iam_role.ecs-ec2-role_.arn}"
+    execution_role_arn = "${aws_iam_role.ecs-role.arn}"
 }
 
 
 ##### ECS service #####
 
 resource "aws_ecs_service" "wordpress-app" {
     name = "ecs-wp"
-    cluster = "${aws_ecs_cluster.ecs-da-migration.id}"
-    task_definition = "${aws_ecs_task_definition.wordpress-app.family}"
+    cluster = "${aws_ecs_cluster.ecs-da-wordpress.id}"
+    task_definition = aws_ecs_task_definition.wordpress-app.family
     #iam_role = "${aws_iam_role.ecs-service-role.name}"
     desired_count = 2
-    launch_type   = "EC2"
+    #launch_type   = "EC2"
 
     # attaching an ELB with an ECS service
     load_balancer {
-        target_group_arn = "${aws_alb_target_group.target-group-alb.id}"
+        target_group_arn = "${aws_alb_target_group.target-group-alb.arn}"
         container_name = "da-wp-task"
         container_port = 80
     }
-    depends_on = ["aws_alb_listener.albListeners-wp"]
+    depends_on = ["aws_alb.alb-da-wordpress"]
 
     # providing our containers with public IPs
-    network_configuration {
-    subnets          = ["${aws_subnet.public-wp-a.id}", "${aws_subnet.public-wp-b.id}"]
-    assign_public_ip = true 
-    }
+    #network_configuration {
+    #subnets          = ["${aws_subnet.public-wp-a.id}", "${aws_subnet.public-wp-b.id}"]
+    #assign_public_ip = true 
+    #}
 }
-*/