ci(infra): Post 0.7.x Fargate Terraform Stack (TracecatHQ#344)

Co-authored-by: Jason Ostrom <[email protected]>

Author: topher-lo

alembic/env.py

@@ -8,6 +8,17 @@
 from alembic import context
 from tracecat.db import schemas  # noqa: F401
 
+
+TRACECAT__DB_URI = os.getenv("TRACECAT__DB_URI")
+if not TRACECAT__DB_URI:
+    username = os.getenv("TRACECAT__DB_USER", "postgres")
+    password = os.getenv("TRACECAT__DB_PASS")
+    host = os.getenv("TRACECAT__DB_ENDPOINT")
+    port = os.getenv("TRACECAT__DB_PORT", 5432)
+    database = os.getenv("TRACECAT__DB_NAME", "postgres")
+    TRACECAT__DB_URI = f"postgresql+psycopg://{username}:{password}@{host}:{port!s}/{database}"
+
+
 # this is the Alembic Config object, which provides
 # access to the values within the .ini file in use.
 config = context.config
@@ -31,9 +42,8 @@
 
 def run_migrations_offline() -> None:
     """Run migrations in 'offline' mode."""
-    url = os.environ["TRACECAT__DB_URI"]
     context.configure(
-        url=url,
+        url=TRACECAT__DB_URI,
         target_metadata=target_metadata,
         literal_binds=True,
         dialect_opts={"paramstyle": "named"},
@@ -49,7 +59,7 @@ def run_migrations_online() -> None:
         configuration=config.get_section(config.config_ini_section, {}),
         prefix="sqlalchemy.",
         poolclass=pool.NullPool,
-        url=os.environ["TRACECAT__DB_URI"],
+        url=TRACECAT__DB_URI
     )
 
     with connectable.connect() as connection:

deployments/aws/fargate/.gitignore

@@ -0,0 +1,3 @@
+.env
+.env.example
+env.sh

deployments/aws/fargate/acm.tf

@@ -0,0 +1,30 @@
+resource "aws_acm_certificate" "this" {
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "cert_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.hosted_zone_id
+}
+
+resource "aws_acm_certificate_validation" "this" {
+  certificate_arn         = aws_acm_certificate.this.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
+}

deployments/aws/fargate/alb.tf

@@ -0,0 +1,62 @@
+# Application Load Balancer
+resource "aws_alb" "this" {
+  name               = "tracecat-alb"
+  internal           = false
+  load_balancer_type = "application"
+  subnets            = aws_subnet.public[*].id
+  security_groups    = [aws_security_group.alb.id]
+
+  tags = {
+    Name = "tracecat-alb"
+  }
+}
+
+# Target Group for Caddy
+resource "aws_alb_target_group" "caddy" {
+  name        = "tracecat-caddy-tg"
+  port        = 80
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.tracecat.id
+  target_type = "ip"
+
+  health_check {
+    healthy_threshold   = "3"
+    interval            = "30"
+    protocol            = "HTTP"
+    matcher             = "200"
+    timeout             = "3"
+    path                = "/"
+    unhealthy_threshold = "2"
+  }
+}
+
+# HTTPS Listener
+resource "aws_alb_listener" "https" {
+  load_balancer_arn = aws_alb.this.id
+  port              = "443"
+  protocol          = "HTTPS"
+
+  ssl_policy      = "ELBSecurityPolicy-2016-08"
+  certificate_arn = aws_acm_certificate.this.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.caddy.id
+    type             = "forward"
+  }
+}
+
+# HTTP to HTTPS Redirect
+resource "aws_alb_listener" "http" {
+  load_balancer_arn = aws_alb.this.id
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}

deployments/aws/fargate/cloudwatch.tf

@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "tracecat_log_group" {
+  name              = "/ecs/tracecat"
+  retention_in_days = 30
+}

deployments/aws/fargate/dns.tf

@@ -0,0 +1,11 @@
+resource "aws_route53_record" "a_record" {
+  zone_id = var.hosted_zone_id
+  name    = var.domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.this.dns_name
+    zone_id                = aws_alb.this.zone_id
+    evaluate_target_health = true
+  }
+}

deployments/aws/fargate/ecs-api.tf

@@ -0,0 +1,92 @@
+# ECS Task Definition for API Service
+resource "aws_ecs_task_definition" "api_task_definition" {
+  family                   = "TracecatApiTaskDefinition"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.api_cpu
+  memory                   = var.api_memory
+  execution_role_arn       = aws_iam_role.api_execution.arn
+  task_role_arn            = aws_iam_role.api_worker_task.arn
+
+  container_definitions = jsonencode([
+    {
+      name  = "TracecatApiContainer"
+      image = "${var.tracecat_image}:${var.tracecat_image_tag}"
+      portMappings = [
+        {
+          containerPort = 8000
+          hostPort      = 8000
+          name          = "api"
+          appProtocol   = "http"
+        }
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.tracecat_log_group.name
+          awslogs-region        = var.aws_region
+          awslogs-stream-prefix = "api"
+        }
+      }
+      environment = concat(local.api_env, [
+        {
+          name  = "TRACECAT__DB_ENDPOINT"
+          value = local.core_db_hostname
+        }
+      ])
+      secrets = local.tracecat_secrets
+      dockerPullConfig = {
+        maxAttempts = 3
+        backoffTime = 10
+      }
+    }
+  ])
+
+  depends_on = [
+    aws_ecs_service.temporal_service
+  ]
+}
+
+resource "aws_ecs_service" "tracecat_api" {
+  name            = "tracecat-api"
+  cluster         = aws_ecs_cluster.tracecat_cluster.id
+  task_definition = aws_ecs_task_definition.api_task_definition.arn
+  launch_type     = "FARGATE"
+  desired_count   = 1
+  force_new_deployment = var.force_new_deployment
+
+  network_configuration {
+    subnets = aws_subnet.private[*].id
+    security_groups = [
+      aws_security_group.core.id,
+      aws_security_group.core_db.id,
+    ]
+  }
+
+  service_connect_configuration {
+    enabled   = true
+    namespace = local.local_dns_namespace
+    service {
+      port_name      = "api"
+      discovery_name = "api-service"
+      client_alias {
+        port     = 8000
+        dns_name = "api-service"
+      }
+    }
+
+    log_configuration {
+      log_driver = "awslogs"
+      options = {
+        awslogs-group         = aws_cloudwatch_log_group.tracecat_log_group.name
+        awslogs-region        = var.aws_region
+        awslogs-stream-prefix = "service-connect-api"
+      }
+    }
+  }
+
+  depends_on = [
+    aws_ecs_service.temporal_service,
+  ]
+
+}

deployments/aws/fargate/ecs-caddy.tf

@@ -0,0 +1,103 @@
+# ECS Task Definition for Caddy Service
+resource "aws_ecs_task_definition" "caddy_task_definition" {
+  family                   = "TracecatCaddyTaskDefinition"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = "256"
+  memory                   = "512"
+  execution_role_arn       = aws_iam_role.caddy_execution.arn
+  task_role_arn            = aws_iam_role.caddy_task.arn
+
+  container_definitions = jsonencode([
+    {
+      name  = "TracecatCaddyContainer"
+      image = "caddy:2.8.4-alpine"
+      portMappings = [
+        {
+          containerPort = 80
+          hostPort      = 80
+          name          = "caddy"
+          appProtocol   = "http"
+        }
+      ]
+      command = [
+        "/bin/sh",
+        "-c",
+        <<EOT
+cat <<EOF > /etc/caddy/Caddyfile
+:80 {
+  handle_path /api* {
+    reverse_proxy http://api-service:8000
+  }
+  reverse_proxy http://ui-service:3000
+}
+EOF
+caddy run --config /etc/caddy/Caddyfile
+EOT
+      ]
+
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.tracecat_log_group.name
+          awslogs-region        = var.aws_region
+          awslogs-stream-prefix = "caddy"
+        }
+      }
+      dockerPullConfig = {
+        maxAttempts = 3
+        backoffTime = 10
+      }
+    }
+  ])
+}
+
+resource "aws_ecs_service" "tracecat_caddy" {
+  name            = "tracecat-caddy"
+  cluster         = aws_ecs_cluster.tracecat_cluster.id
+  task_definition = aws_ecs_task_definition.caddy_task_definition.arn
+  launch_type     = "FARGATE"
+  desired_count   = 1
+
+  network_configuration {
+    subnets         = aws_subnet.private[*].id
+    security_groups = [
+      aws_security_group.caddy.id,
+      aws_security_group.core.id
+    ]
+  }
+
+  service_connect_configuration {
+    enabled   = true
+    namespace = local.local_dns_namespace
+    
+    service {
+      port_name      = "caddy"
+      discovery_name = "caddy-service"
+      client_alias {
+        port     = 80
+        dns_name = "caddy-service"
+      }
+    }
+
+    log_configuration {
+      log_driver = "awslogs"
+      options = {
+        awslogs-group         = aws_cloudwatch_log_group.tracecat_log_group.name
+        awslogs-region        = var.aws_region 
+        awslogs-stream-prefix = "service-connect-caddy"
+      }
+    }
+  }
+
+  load_balancer {
+    target_group_arn = aws_alb_target_group.caddy.id
+    container_name   = "TracecatCaddyContainer"
+    container_port   = 80
+  }
+
+  depends_on = [
+    aws_ecs_service.tracecat_api,
+    aws_ecs_service.tracecat_ui
+  ]
+}