feat: full terra

Author: iam-oov

.env

@@ -1,10 +1,17 @@
 # project config
 PROJECT_NAME_PREFIX="poc2-terraform-node-hw"
 AWS_REGION="us-east-1"
+APP_PORT="3011"
+HEALTH_CHECK_PATH="/"
 
 # AWS tf infra output names
 S3_BUCKET_OUTPUT_NAME="s3_bucket_name"
 DYNAMODB_TABLE_OUTPUT_NAME="dynamodb_lock_table_name"
+LOG_RETENTION_DAYS_IN_CLOUDWATCH="3"
+FARGATE_CPU="1024"
+FARGATE_MEMORY="2048"
+TASK_DESIRED_COUNT="3"
+
 
 # ALB config
 # MIN_NUM_INSTANCES=1

.github/workflows/deploy-to-ecr.yml

@@ -8,7 +8,7 @@ on:
 env:
   AWS_REGION: ${{ secrets.AWS_REGION }}
   AWS_IAM_ROLE_ARN: ${{ secrets.AWS_IAM_ROLE_ARN }}
-  TERRAFORM_DIR: ./01-tf
+  TERRAFORM_DIR: ${{ vars.TERRAFORM_DIR }}
   TERRAFORM_VERSION: '1.12.0'
 
 jobs:
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write
+      id-token: write # Required for OIDC with AWS
 
     steps:
       - name: Checkout code
@@ -39,27 +39,44 @@ jobs:
         run: terraform init -input=false
         working-directory: ${{ env.TERRAFORM_DIR }}
 
-      - name: Terraform Apply
-        id: apply
+      # First Apply: Create ECR and other infrastructure
+      - name: Terraform Apply (ECR and initial setup)
+        id: apply_infra
         run: terraform apply -auto-approve -input=false
         working-directory: ${{ env.TERRAFORM_DIR }}
 
-      - name: Get ECR Repository URL
-        id: get_ecr_url
-        run: echo "ECR_REPOSITORY_URL=$(terraform output -raw ecr_repository_url)" >> $GITHUB_ENV
+      - name: Get ECR Details from Terraform Output
+        id: get_ecr_details
+        run: |
+          ECR_FULL_REPO_URL=$(terraform output -raw ecr_repository_url)
+          ECR_REGISTRY=$(echo "$ECR_FULL_REPO_URL" | cut -d'/' -f1)
+          echo "ECR_REGISTRY=$ECR_REGISTRY" >> $GITHUB_ENV
         working-directory: ${{ env.TERRAFORM_DIR }}
 
       - name: Login to Amazon ECR
         id: login-ecr
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.ECR_REPOSITORY_URL }}
+          registry: ${{ env.ECR_REGISTRY }} # Use the registry extracted
 
       - name: Build, tag, and push image to Amazon ECR
         id: build-image
+        env:
+          ECR_REPOSITORY_URL: ${{ env.ECR_REPOSITORY_URL }}
+          IMAGE_TAG: ${{ github.sha }}
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           push: true
-          tags: ${{ env.ECR_REPOSITORY_URL }}:latest
+          tags: | # Allow multiple tags
+            ${{ env.ECR_REPOSITORY_URL }}:${{ env.IMAGE_TAG }}
+            ${{ env.ECR_REPOSITORY_URL }}:latest
+
+      # Second Apply: Update ECS with new image
+      - name: Terraform Apply (Update ECS with new image)
+        id: apply_ecs_update
+        env:
+          TF_VAR_app_image_uri: '${{ env.ECR_REPOSITORY_URL }}:${{ github.sha }}'
+        run: terraform apply -auto-approve -input=false
+        working-directory: ${{ env.TERRAFORM_DIR }}

01-tf/alb.tf

@@ -0,0 +1,64 @@
+##################################################
+## Application Load Balancer (ALB) & Target Group
+##################################################
+
+# --- Target Group (type ip) ---
+resource "aws_lb_target_group" "app_tg" {
+  name        = "${var.project_name_prefix}-app-tg"
+  port        = var.app_port
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.main.id
+  target_type = "ip"
+
+  health_check {
+    enabled             = true
+    interval            = 30
+    path                = var.health_check_path
+    port                = "traffic-port"
+    protocol            = "HTTP"
+    timeout             = 5
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+    matcher             = "200"
+  }
+
+  tags = merge(
+    var.common_tags,
+    {
+      Name = "${var.project_name_prefix}-app-tg"
+    }
+  )
+}
+
+# --- Application Load Balancer ---
+resource "aws_lb" "app_alb" {
+  name               = "${var.project_name_prefix}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb_sg.id]
+  # The ALB is deployed in public subnets to be accessible
+  subnets = aws_subnet.public[*].id
+
+  # ! Important
+  # ! Change to 'true' in production
+  enable_deletion_protection = false
+
+  tags = merge(
+    var.common_tags,
+    {
+      Name = "${var.project_name_prefix}-alb"
+    }
+  )
+}
+
+# --- Listener of the ALB (HTTP:80) ---
+resource "aws_lb_listener" "http_listener" {
+  load_balancer_arn = aws_lb.app_alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app_tg.arn
+  }
+}

01-tf/auto_generated_variables.tf

@@ -13,3 +13,61 @@ variable "project_name_prefix" {
   type        = string
   default     = "poc2-terraform-node-hw"
 }
+
+variable "common_tags" {
+  description = "Tags to be applied to all resources"
+  type        = map(string)
+  default = {
+    Project     = "poc2-terraform-node-hw"
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC"
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "app_port" {
+  description = "Port on which the application inside the container listens"
+  type        = number
+  default     = "3011"
+}
+
+variable "health_check_path" {
+  description = "Path to be used for health checks"
+  type        = string
+  default     = "/"
+}
+
+variable "log_retention_days" {
+  description = "Number of days to retain logs in CloudWatch"
+  type        = number
+  default     = "3"
+}
+
+variable "fargate_cpu" {
+  description = "Number of vCPUs for the Fargate task"
+  type        = string
+  default     = "1024"
+}
+
+variable "fargate_memory" {
+  description = "Amount of memory in MiB for the Fargate task"
+  type        = string
+  default     = "2048"
+}
+
+variable "app_image_uri" {
+  description = "The full URI of the Docker image in ECR"
+  type        = string
+  default     = "nginx:latest"
+}
+
+variable "task_desired_count" {
+  description = "Number of desired tasks to run"
+  type        = number
+  default     = "3"
+}

01-tf/ecs-cluster.tf

@@ -0,0 +1,67 @@
+##################################################
+## ECS Cluster Fargate
+##################################################
+
+resource "aws_ecs_cluster" "main_cluster" {
+  name = "${var.project_name_prefix}-cluster-fargate"
+
+  setting {
+    name  = "containerInsights"
+    value = "disabled"
+  }
+
+  tags = merge(
+    var.common_tags,
+    {
+      Name = "${var.project_name_prefix}-cluster-fargate"
+    }
+  )
+}
+
+##################################################
+## ECS Service
+##################################################
+
+resource "aws_ecs_service" "main_service" {
+  name             = "${var.project_name_prefix}-service"
+  cluster          = aws_ecs_cluster.main_cluster.id
+  task_definition  = aws_ecs_task_definition.app_task.arn
+  desired_count    = var.task_desired_count
+  launch_type      = "FARGATE"
+  platform_version = "LATEST"
+
+  health_check_grace_period_seconds = 60
+
+  enable_ecs_managed_tags = true
+  propagate_tags          = "TASK_DEFINITION"
+
+  deployment_controller {
+    type = "ECS"
+  }
+  deployment_minimum_healthy_percent = 100
+  deployment_maximum_percent         = 200
+
+  network_configuration {
+    subnets = [
+      aws_subnet.private[0].id,
+      aws_subnet.private[1].id
+    ]
+    security_groups  = [aws_security_group.ecs_tasks_sg.id]
+    assign_public_ip = false
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.app_tg.arn
+    container_name   = "node-hw"
+    container_port   = var.app_port
+  }
+
+  depends_on = [aws_lb_listener.http_listener]
+
+  tags = merge(
+    var.common_tags,
+    {
+      Name = "${var.project_name_prefix}-service"
+    }
+  )
+}