#------------------------------------------------------------------------------
# AWS KMS Encryption Key (unused: the resource below is commented out; the log group key is supplied through the aws_cw_logs module's create_kms_key / log_group_kms_key_id inputs instead)
#------------------------------------------------------------------------------
# resource "aws_kms_key" "encryption_key" {
# description = "Nexus Encryption Key"
# is_enabled = true
# enable_key_rotation = true
# }
#------------------------------------------------------------------------------
# AWS Cloudwatch Logs
#------------------------------------------------------------------------------
module "aws_cw_logs" {
  # Log group for the Nexus ECS service. The same name is written verbatim as
  # "awslogs-group" in the task's log_configuration below, so the two must stay
  # in sync or the task will log to a group this module does not manage.
  source  = "cn-terraform/cloudwatch-logs/aws"
  version = "1.0.12"
  # Local checkout for module development:
  # source = "../terraform-aws-cloudwatch-logs"

  logs_path                   = "/ecs/service/${var.name_prefix}-nexus"
  log_group_retention_in_days = var.log_group_retention_in_days

  # Encryption at rest: either let the module create a CMK or hand it an
  # existing key. Whether the group is encrypted at all is decided entirely by
  # the caller's values for these two inputs.
  create_kms_key       = var.create_kms_key
  log_group_kms_key_id = var.log_group_kms_key_id
}
#------------------------------------------------------------------------------
# EFS (disabled: every resource below is commented out, so persistent Nexus data has to come from var.volumes / var.mount_points; note that the disabled security group carries an egress rule open to 0.0.0.0/0 on all ports — tighten it before re-enabling)
#------------------------------------------------------------------------------
# resource "aws_efs_file_system" "nexus_data" {
# creation_token = "${var.name_prefix}-nexus-efs"
# tags = {
# Name = "${var.name_prefix}-nexus-efs"
# }
# }
# resource "aws_security_group" "nexus_data_allow_nfs_access" {
# name = "${var.name_prefix}-nexus-efs-allow-nfs"
# description = "Allow NFS inbound traffic to EFS"
# vpc_id = var.vpc_id
# egress {
# from_port = 0
# to_port = 0
# protocol = "-1"
# cidr_blocks = ["0.0.0.0/0"]
# }
# tags = {
# Name = "${var.name_prefix}-nexus-efs-allow-nfs"
# }
# }
# data "aws_subnet" "private_subnets" {
# count = length(var.private_subnets_ids)
# id = element(var.private_subnets_ids, count.index)
# }
# resource "aws_security_group_rule" "nexus_data_allow_nfs_access_rule" {
# security_group_id = aws_security_group.nexus_data_allow_nfs_access.id
# type = "ingress"
# from_port = 2049
# to_port = 2049
# protocol = "tcp"
# source_security_group_id = module.ecs-fargate-service.ecs_tasks_sg_id
# }
# resource "aws_efs_mount_target" "nexus_data_mount_targets" {
# count = length(var.private_subnets_ids)
# file_system_id = aws_efs_file_system.nexus_data.id
# subnet_id = element(var.private_subnets_ids, count.index)
# security_groups = [aws_security_group.nexus_data_allow_nfs_access.id]
# }
#------------------------------------------------------------------------------
# ECS Fargate Service
#------------------------------------------------------------------------------
module "ecs_fargate" {
  # Nexus repository manager as a Fargate service behind an ALB, with logs
  # shipped to the CloudWatch group created above.
  source  = "cn-terraform/ecs-fargate/aws"
  version = "2.0.52"
  # Local checkout for module development:
  # source = "../terraform-aws-ecs-fargate"

  tags        = var.tags
  name_prefix = "${var.name_prefix}-nexus"

  # ---- Networking --------------------------------------------------------
  vpc_id              = var.vpc_id
  public_subnets_ids  = var.public_subnets_ids
  private_subnets_ids = var.private_subnets_ids

  # ---- Task definition ---------------------------------------------------
  container_name               = "${var.name_prefix}-nexus"
  container_image              = var.nexus_image
  container_cpu                = var.container_cpu
  container_memory             = var.container_memory
  container_memory_reservation = var.container_memory_reservation

  # Nexus listens on 8081; on Fargate (awsvpc) hostPort must equal containerPort.
  port_mappings = [
    { containerPort = 8081, hostPort = 8081, protocol = "tcp" },
  ]

  # NEXUS_SECURITY_RANDOMPASSWORD=false turns off Nexus's generated initial admin
  # password, so the container comes up with the image's fixed default admin
  # credential (documented as "admin123" for the official sonatype/nexus3 image;
  # confirm against var.nexus_image). That credential is reachable on 8081 through
  # the load balancer as soon as the task is healthy: change it on first login or,
  # preferably, set this to "true" and retrieve the generated password from the
  # location Sonatype documents in the Nexus data directory. Nothing passed here is
  # a secret, which is why secretOptions below stays null.
  environment = [
    { name = "NEXUS_SECURITY_RANDOMPASSWORD", value = "false" },
  ]

  # Persistent storage is whatever the caller wires in via volumes/mount_points
  # (the EFS resources in this file are commented out). With none, Nexus state
  # presumably lives on the task's ephemeral storage and goes away with the task.
  ephemeral_storage_size = var.ephemeral_storage_size
  volumes                = var.volumes
  mount_points           = var.mount_points

  # Nexus opens many file handles; raise the nofile limit for the container.
  ulimits = [
    { name = "nofile", hardLimit = 65536, softLimit = 65536 },
  ]

  # Must target the group created by module.aws_cw_logs (same path string).
  log_configuration = {
    logDriver = "awslogs"
    options = {
      "awslogs-region"        = var.region
      "awslogs-group"         = "/ecs/service/${var.name_prefix}-nexus"
      "awslogs-stream-prefix" = "ecs"
    }
    secretOptions = null
  }

  # ---- Deployment safety -------------------------------------------------
  deployment_circuit_breaker_enabled  = var.deployment_circuit_breaker_enabled
  deployment_circuit_breaker_rollback = var.deployment_circuit_breaker_rollback

  # ---- Load balancer -----------------------------------------------------
  # With enable_ssl false no certificate is attached and the service is only
  # reachable over whatever lb_http_ports the caller opens - plain HTTP in front
  # of a password-protected admin UI. Enable SSL for anything beyond a lab.
  custom_lb_arn                       = var.custom_lb_arn
  lb_http_ports                       = var.lb_http_ports
  lb_https_ports                      = var.lb_https_ports
  lb_enable_cross_zone_load_balancing = var.lb_enable_cross_zone_load_balancing
  lb_waf_web_acl_arn                  = var.lb_waf_web_acl_arn
  default_certificate_arn             = var.configure_loadbalancer_ssl.enable_ssl ? module.acm[0].acm_certificate_arn : null

  # ---- ALB access logs ---------------------------------------------------
  # Bucket hardening (public access block, server-side encryption, key) is
  # entirely caller-controlled; review the variable defaults before relying on it.
  enable_s3_logs                                 = var.enable_s3_logs
  block_s3_bucket_public_access                  = var.block_s3_bucket_public_access
  enable_s3_bucket_server_side_encryption        = var.enable_s3_bucket_server_side_encryption
  s3_bucket_server_side_encryption_sse_algorithm = var.s3_bucket_server_side_encryption_sse_algorithm
  s3_bucket_server_side_encryption_key           = var.s3_bucket_server_side_encryption_key
}
#------------------------------------------------------------------------------
# ACM - Load Balancer Certificate and Route53 alias record (both created only when configure_loadbalancer_ssl.enable_ssl is true)
#------------------------------------------------------------------------------
resource "aws_route53_record" "record_dns" {
  # Alias A record pointing the HTTPS hostname at the service's ALB.
  # Created only when SSL is enabled, mirroring the acm module's count.
  count = var.configure_loadbalancer_ssl.enable_ssl ? 1 : 0

  type    = "A"
  name    = var.configure_loadbalancer_ssl.https_record_name
  zone_id = var.configure_loadbalancer_ssl.dns_zone_id

  alias {
    # This zone_id is the load balancer's own hosted zone, not the Route53
    # zone above; the alias is health-evaluated against the ALB.
    evaluate_target_health = true
    zone_id                = module.ecs_fargate.aws_lb_lb_zone_id
    name                   = module.ecs_fargate.aws_lb_lb_dns_name
  }
}
module "acm" {
  # DNS-validated certificate for the load balancer; only when SSL is enabled.
  count = var.configure_loadbalancer_ssl.enable_ssl ? 1 : 0

  source  = "terraform-aws-modules/acm/aws"
  version = "4.3.2"
  tags    = var.tags

  domain_name = var.configure_loadbalancer_ssl.https_record_domain_name
  # The wildcard SAN covers every direct subdomain, which is broader than the
  # single https_record_name this module publishes; narrow it if the certificate
  # is not meant to be shared.
  subject_alternative_names = [
    "*.${var.configure_loadbalancer_ssl.https_record_domain_name}",
  ]

  # Validation records land in the same zone as the alias record. Because
  # https_record_name and https_record_domain_name are separate inputs, nothing
  # here enforces that the record is the domain or a direct subdomain of it -
  # if it is not, the certificate will not match the hostname.
  zone_id             = var.configure_loadbalancer_ssl.dns_zone_id
  wait_for_validation = true
}