Merge pull request #99 from ruby-no-kai/tfmod

terraform module

ruby-no-kai/rubykaigi-net#210

Author: sorah

tf/.gitignore

@@ -1,23 +1,24 @@
-data "external" "apprunner-deploy" {
-  program = ["ruby", "${path.module}/apprunner_deploy.rb"]
-}
+# Note: apprunner_deploy.rb script handling is deferred
+# Image identifier and environment variables should be managed outside Terraform
+# Using lifecycle ignore_changes to prevent Terraform from reverting manual updates
+
+resource "aws_apprunner_service" "main" {
+  count = var.enable_apprunner ? 1 : 0
 
-resource "aws_apprunner_service" "prd" {
-  service_name = "sponsor-app"
+  service_name = var.service_name
 
   source_configuration {
     image_repository {
       image_configuration {
         port = "3000"
-        runtime_environment_variables = merge(jsondecode(data.external.apprunner-deploy.result.runtime_environment_variables), {
-        })
-        runtime_environment_secrets = jsondecode(data.external.apprunner-deploy.result.runtime_environment_secrets)
+        runtime_environment_variables = {}
+        runtime_environment_secrets = {}
       }
-      image_identifier      = data.external.apprunner-deploy.result.image_identifier
+      image_identifier      = "${var.enable_shared_resources ? aws_ecr_repository.app[0].repository_url : "005216166247.dkr.ecr.us-west-2.amazonaws.com/sponsor-app"}:latest"
       image_repository_type = "ECR"
     }
     authentication_configuration {
-      access_role_arn = aws_iam_role.app-runner-access.arn
+      access_role_arn = aws_iam_role.app-runner-access[0].arn
     }
     auto_deployments_enabled = false
   }
@@ -38,18 +39,30 @@ resource "aws_apprunner_service" "prd" {
   }
 
   tags = {
-    Name        = "sponsor-app"
-    Environment = "production"
+    Name        = var.service_name
+    Environment = var.environment
+  }
+
+  lifecycle {
+    ignore_changes = [
+      source_configuration[0].image_repository[0].image_identifier,
+      source_configuration[0].image_repository[0].image_configuration[0].runtime_environment_variables,
+      source_configuration[0].image_repository[0].image_configuration[0].runtime_environment_secrets,
+    ]
   }
 }
 
 resource "aws_iam_role" "app-runner-access" {
-  name               = "AppraSponsorApp"
-  description        = "prd tf/iam.tf"
-  assume_role_policy = data.aws_iam_policy_document.app-runner-access-trust.json
+  count = var.enable_apprunner ? 1 : 0
+
+  name               = var.iam_apprunner_access_name
+  description        = "${var.environment} tf/iam.tf"
+  assume_role_policy = data.aws_iam_policy_document.app-runner-access-trust[0].json
 }
 
 data "aws_iam_policy_document" "app-runner-access-trust" {
+  count = var.enable_apprunner ? 1 : 0
+
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
@@ -63,11 +76,15 @@ data "aws_iam_policy_document" "app-runner-access-trust" {
 }
 
 resource "aws_iam_role_policy" "app-runner-access" {
-  role   = aws_iam_role.app-runner-access.name
-  policy = data.aws_iam_policy_document.app-runner-access.json
+  count = var.enable_apprunner ? 1 : 0
+
+  role   = aws_iam_role.app-runner-access[0].name
+  policy = data.aws_iam_policy_document.app-runner-access[0].json
 }
 
 data "aws_iam_policy_document" "app-runner-access" {
+  count = var.enable_apprunner ? 1 : 0
+
   statement {
     effect = "Allow"
     actions = [
@@ -85,8 +102,7 @@ data "aws_iam_policy_document" "app-runner-access" {
       "ecr:DescribeImages",
     ]
     resources = [
-      aws_ecr_repository.app.arn,
+      var.enable_shared_resources ? aws_ecr_repository.app[0].arn : "arn:aws:ecr:us-west-2:005216166247:repository/sponsor-app",
     ]
   }
 }
-

tf/.mairu.json

@@ -1,37 +1,5 @@
-data "aws_caller_identity" "current" {}
-
-locals {
-  aws_account_id = "005216166247"
-}
+data "aws_region" "current" {}
 
-provider "aws" {
-  region              = "us-west-2"
-  allowed_account_ids = [local.aws_account_id]
-  default_tags {
-    tags = {
-      Project = "sponsor-app"
-    }
-  }
-}
-
-provider "aws" {
-  alias               = "use1"
-  region              = "us-east-1"
-  allowed_account_ids = [local.aws_account_id]
-  default_tags {
-    tags = {
-      Project = "sponsor-app"
-    }
-  }
-}
+data "aws_caller_identity" "current" {}
 
-provider "aws" {
-  alias               = "apne1"
-  region              = "ap-northeast-1"
-  allowed_account_ids = [local.aws_account_id]
-  default_tags {
-    tags = {
-      Project = "sponsor-app"
-    }
-  }
-}
+data "aws_default_tags" "current" {}

tf/.terraform.lock.hcl

@@ -1,36 +1,43 @@
-resource "aws_cloudfront_distribution" "prd" {
-  comment = "sponsor-app"
+resource "aws_cloudfront_distribution" "main" {
+  count = var.enable_cloudfront ? 1 : 0
+
+  provider = aws.cloudfront
+
+  comment = var.cloudfront_comment != "" ? var.cloudfront_comment : "sponsor-app"
 
   enabled         = true
   is_ipv6_enabled = true
   http_version    = "http2and3"
   price_class     = "PriceClass_All"
 
-  aliases = ["sponsorships.rubykaigi.org"]
+  aliases = [var.app_domain]
 
   viewer_certificate {
-    acm_certificate_arn            = data.aws_acm_certificate.use1-sponsorships-rk-o.arn
+    acm_certificate_arn            = var.certificate_arn
     cloudfront_default_certificate = false
     iam_certificate_id             = null
     minimum_protocol_version       = "TLSv1.2_2021"
     ssl_support_method             = "sni-only"
   }
 
-  logging_config {
-    bucket          = "rk-aws-logs.s3.amazonaws.com"
-    include_cookies = false
-    prefix          = "cf/sponsorships.rubykaigi.org/"
+  dynamic "logging_config" {
+    for_each = var.cloudfront_log_bucket != "" ? [1] : []
+    content {
+      bucket          = var.cloudfront_log_bucket
+      include_cookies = false
+      prefix          = var.cloudfront_log_prefix
+    }
   }
 
   origin {
     origin_id           = "apprunner"
-    domain_name         = replace(aws_apprunner_service.prd.service_url, "https://", "")
+    domain_name         = replace(aws_apprunner_service.main[0].service_url, "https://", "")
     origin_path         = null
     connection_attempts = 3
     connection_timeout  = 10
     custom_header {
       name  = "x-forwarded-host"
-      value = "sponsorships.rubykaigi.org"
+      value = var.app_domain
     }
     custom_origin_config {
       http_port                = 80
@@ -97,7 +104,3 @@ resource "aws_cloudfront_distribution" "prd" {
     }
   }
 }
-import {
-  to = aws_cloudfront_distribution.prd
-  id = "E2ZBMTEBD45786"
-}

tf/acm.tf

@@ -1,8 +1,11 @@
 resource "aws_cloudwatch_log_group" "worker" {
+  count             = var.enable_shared_resources ? 1 : 0
   name              = "/ecs/sponsor-app-worker"
   retention_in_days = 3
 }
+
 resource "aws_cloudwatch_log_group" "batch" {
+  count             = var.enable_shared_resources ? 1 : 0
   name              = "/ecs/sponsor-app-batch"
   retention_in_days = 3
 }