superset infra

Author: MOUHAOUIR-Amine

.gitignore

@@ -0,0 +1,144 @@
+
+# Created by https://www.toptal.com/developers/gitignore/api/terraform,pycharm
+# Edit at https://www.toptal.com/developers/gitignore?templates=terraform,pycharm
+
+### PyCharm ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### PyCharm Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+# *.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+# https://plugins.jetbrains.com/plugin/7973-sonarlint
+.idea/**/sonarlint/
+
+# SonarQube Plugin
+# https://plugins.jetbrains.com/plugin/7238-sonarqube-community-plugin
+.idea/**/sonarIssues.xml
+
+# Markdown Navigator plugin
+# https://plugins.jetbrains.com/plugin/7896-markdown-navigator-enhanced
+.idea/**/markdown-navigator.xml
+.idea/**/markdown-navigator-enh.xml
+.idea/**/markdown-navigator/
+
+# Cache file creation bug
+# See https://youtrack.jetbrains.com/issue/JBR-2257
+.idea/$CACHE_FILE$
+
+# CodeStream plugin
+# https://plugins.jetbrains.com/plugin/12206-codestream
+.idea/codestream.xml
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+.terraform.lock.hcl
+# .tfstate files
+*.tfstate
+*.tfstate.*
+*.tfvars
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# SNOWFLAKE
+
+*snowsql*.log
+*idea*
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# End of https://www.toptal.com/developers/gitignore/api/terraform,pycharm

README.md

@@ -0,0 +1,97 @@
+<img src="https://github.com/apache/superset/raw/master/superset-frontend/src/assets/branding/superset-logo-horiz-apache.png" alt="Superset" width="500"/>
+A modern, enterprise-ready business intelligence web application.
+
+### Overview
+
+Preparing the AWS Infrastructure for Superset
+
+### Usage
+
+```hcl
+module "superset-db" {
+  source            = "../../../stacks/aws/superset-db"
+  prefix            = local.prefix
+  vpc_id            = module.base.vpc_id
+  identifier        = var.db_identifier
+  allocated_storage = var.allocated_storage
+  cidr_block        = module.base.cidr_block
+  db_config         = var.superset_db_config
+  subnet_ids        = module.base.private_subnet_ids
+  kms               = module.base.kms_arn
+  instance_class    = var.instance_class
+  security_group = [
+    module.base.default_sg_id,
+    module.superset-core.ecs_service_security_group_id,
+    module.superset-core.app_service_security_group_id,
+    module.superset-core.worker_beat_service_security_group_id,
+    data.terraform_remote_state.east1_adm.outputs.argo_sg_id
+  ]
+}
+module "superset-redis" {
+  source               = "../../../modules/aws/redis"
+  prefix               = local.prefix
+  common_tags          = local.common_tags
+  vpc_id               = module.base.vpc_id
+  private_subnet_ids   = module.base.private_subnet_ids
+  node_type            = var.node_type
+  parameter_group_name = var.parameter_group_name
+  engine_version       = var.engine_version
+  port                 = 6379
+  allowed_security_groups = {
+    "worker"      = module.superset-core.ecs_service_security_group_id
+    "app"         = module.superset-core.app_service_security_group_id
+    "worker_beat" = module.superset-core.worker_beat_service_security_group_id
+  }
+}
+module "superset-core" {
+  source             = "../../../stacks/aws/superset-core-apps"
+  repository_name    = join("-", [local.prefix, "superset"])
+  prefix             = local.prefix
+  common_tags        = local.common_tags
+  kms_arn            = module.base.kms_arn
+  vpc_id             = module.base.vpc_id
+  private_subnet_ids = module.base.private_subnet_ids
+  service_discovery  = module.base.service_discovery
+  ecs_cluster        = module.base.ecs_cluster
+  env_vars           = var.env_vars
+  public_alb         = module.base.public_alb
+  worker_ecs_params = {
+    desired_count  = 1
+    cpu            = 512
+    memory         = 1024
+    port           = 8088
+    container_name = "superset-wrk"
+  }
+  worker_beat_ecs_params = {
+    desired_count  = 1
+    cpu            = 512
+    memory         = 1024
+    port           = 8088
+    container_name = "superset-beat"
+  }
+  app_ecs_params = {
+    desired_count  = 1
+    cpu            = 2048
+    memory         = 4096
+    port           = 8088
+    container_name = "superset-app"
+  }
+  alb_security_group = module.base.public_alb.sg_id
+  ssm_role_arn       = data.terraform_remote_state.east1_adm.outputs.ssm_role_arn
+}
+```
+
+### Requirements
+
+| Name      | Version   |
+| --------- | --------- |
+| terraform | >= 0.15.0 |
+| aws       | = 3.65.0  |
+
+### Providers
+
+| Name | Version  |
+| ---- | -------- |
+| aws  | = 3.65.0 |
+
+### Inputs

modules/aws/ecr/ecr_lifecycle_policy.tf

@@ -0,0 +1,37 @@
+resource "aws_ecr_lifecycle_policy" "this" {
+  repository = aws_ecr_repository.this.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Keep images tagged as prod for 1 year",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["prod"],
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 365
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 5,
+            "description": "Expire images older than 30 days",
+            "selection": {
+                "tagStatus": "any",
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 30
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}

modules/aws/ecr/ecr_repository.tf

@@ -0,0 +1,7 @@
+resource "aws_ecr_repository" "this" {
+  name = var.repository_name
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}

modules/aws/ecr/input.tf

@@ -0,0 +1,3 @@
+variable "repository_name" {
+  type = string
+}

modules/aws/ecr/output.tf

@@ -0,0 +1,3 @@
+output "repository_url" {
+  value = aws_ecr_repository.this.repository_url
+}

modules/aws/ecs/cloudwatch_logs.tf

@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_log_group" "main" {
+  name              = "/aws/ecs/${local.prefix}"
+  retention_in_days = local.common_tags["env"] == "prd" ? 0 : 30
+  kms_key_id        = var.kms_arn
+
+  tags = local.common_tags
+}

modules/aws/ecs/data.tf

@@ -0,0 +1,12 @@
+data "aws_caller_identity" "current" {
+}
+
+data "aws_ecs_task_definition" "default" {
+  task_definition = aws_ecs_task_definition.default.family
+
+  depends_on = [aws_ecs_task_definition.default]
+}
+
+data "aws_iam_policy" "AmazonECSTaskExecutionRolePolicy" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}

modules/aws/ecs/ecs_service.tf

@@ -0,0 +1,28 @@
+resource "aws_ecs_service" "default" {
+  name                   = local.prefix
+  cluster                = var.ecs_cluster["name"]
+  task_definition        = aws_ecs_task_definition.default.arn
+  desired_count          = var.desired_count
+  launch_type            = "FARGATE"
+  platform_version       = var.platform_version
+  enable_execute_command = true
+  dynamic "service_registries" {
+    for_each = var.service_discovery != null ? var.service_discovery : {}
+    content {
+      registry_arn   = aws_service_discovery_service._[0].arn
+      container_name = var.container_name
+    }
+  }
+  network_configuration {
+    security_groups = [aws_security_group.ecs-service.id]
+    subnets         = var.ecs_service_subnet_ids
+  }
+  dynamic "load_balancer" {
+    for_each = var.alb_target_group_id != null ? var.alb_target_group_id : {}
+    content {
+      container_name   = load_balancer.value["container_name"]
+      container_port   = load_balancer.value["container_port"]
+      target_group_arn = load_balancer.value["alb_target_group_id"]
+    }
+  }
+}

modules/aws/ecs/ecs_task_definition.tf

@@ -0,0 +1,24 @@
+resource "aws_ecs_task_definition" "default" {
+  family                   = local.prefix
+  network_mode             = "awsvpc"
+  cpu                      = var.cpu
+  memory                   = var.memory
+  requires_compatibilities = ["FARGATE"]
+  task_role_arn            = aws_iam_role.ecs-role.arn
+  execution_role_arn       = aws_iam_role.ecs-role.arn
+  container_definitions    = var.container_definitions
+  volume {
+    name = "superset_app"
+    efs_volume_configuration {
+      file_system_id = var.file_system_id
+
+      transit_encryption      = "ENABLED"
+      transit_encryption_port = 2999
+
+      authorization_config {
+        access_point_id = var.efs_access_point_id
+        iam             = "ENABLED"
+      }
+    }
+  }
+}