
Commit f603bb4

committed
Create configuration
1 parent a514c60 commit f603bb4

2 files changed

+50
-90
lines changed


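--- a/magenx.tf
+++ b/magenx.tf
@@ -423,46 +423,43 @@ resource "aws_mq_broker" "this" {
 # Create ElastiCache parameter groups
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_elasticache_parameter_group" "this" {
-for_each = var.redis["name"]
-name = "${var.app["brand"]}-${each.key}-parameter"
+name = "${var.app["brand"]}-${var.redis["name"]}-parameter"
 family = "redis6.x"
-description = "Parameter group for ${var.app["domain"]} ${each.key} backend"
+description = "Parameter group for ${var.app["domain"]} ${var.redis["name"]} backend"
 parameter {
 name = "cluster-enabled"
 value = "no"
 }
 tags = {
-Name = "${var.app["brand"]}-${each.key}-parameter"
+Name = "${var.app["brand"]}-${var.redis["name"]}-parameter"
 }
 }
 # # ---------------------------------------------------------------------------------------------------------------------#
 # Create ElastiCache - Redis Replication group - session + cache
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_elasticache_replication_group" "this" {
-for_each = var.redis["name"]
-number_cache_clusters = length(values(aws_subnet.this).*.id)
+number_cache_clusters = var.redis["number_cache_clusters"]
 engine = "redis"
 engine_version = var.redis["engine_version"]
-replication_group_id = "${var.app["brand"]}-${each.key}-backend"
-replication_group_description = "Replication group for ${var.app["domain"]} ${each.key} backend"
+replication_group_id = "${var.app["brand"]}-${var.redis["name"]}-backend"
+replication_group_description = "Replication group for ${var.app["domain"]} ${var.redis["name"]} backend"
 node_type = var.redis["node_type"]
 port = var.redis["port"]
-parameter_group_name = aws_elasticache_parameter_group.this[each.key].id
-security_group_ids = [aws_security_group.this[each.key].id]
+parameter_group_name = aws_elasticache_parameter_group.this.id
+security_group_ids = [aws_security_group.this["redis"].id]
 subnet_group_name = aws_elasticache_subnet_group.this.name
 automatic_failover_enabled = var.redis["automatic_failover_enabled"]
 multi_az_enabled = var.redis["multi_az_enabled"]
 notification_topic_arn = aws_sns_topic.default.arn
 tags = {
-Name = "${var.app["brand"]}-${each.key}-backend"
+Name = "${var.app["brand"]}-${var.redis["name"]}-backend"
 }
 }
 # # ---------------------------------------------------------------------------------------------------------------------#
 # Create CloudWatch CPU Utilization metrics and email alerts
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_cloudwatch_metric_alarm" "elasticache_cpu" {
-for_each = aws_elasticache_replication_group.this
-alarm_name = "${var.app["brand"]}-elasticache-${each.key}-cpu-utilization"
+alarm_name = "${var.app["brand"]}-elasticache-cpu-utilization"
 alarm_description = "Redis cluster CPU utilization"
 comparison_operator = "GreaterThanThreshold"
 evaluation_periods = "1"
@@ -475,15 +472,14 @@ resource "aws_cloudwatch_metric_alarm" "elasticache_cpu" {
 ok_actions = ["${aws_sns_topic.default.arn}"]
 
 dimensions = {
-CacheClusterId = aws_elasticache_replication_group.this[each.key].id
+CacheClusterId = aws_elasticache_replication_group.this.id
 }
 }
 # # ---------------------------------------------------------------------------------------------------------------------#
 # Create CloudWatch Freeable Memory metrics and email alerts
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_cloudwatch_metric_alarm" "elasticache_memory" {
-for_each = aws_elasticache_replication_group.this
-alarm_name = "${var.app["brand"]}-elasticache-${each.key}-freeable-memory"
+alarm_name = "${var.app["brand"]}-elasticache-freeable-memory"
 alarm_description = "Redis cluster freeable memory"
 comparison_operator = "LessThanThreshold"
 evaluation_periods = "1"
@@ -496,7 +492,7 @@ resource "aws_cloudwatch_metric_alarm" "elasticache_memory" {
 ok_actions = ["${aws_sns_topic.default.arn}"]
 
 dimensions = {
-CacheClusterId = aws_elasticache_replication_group.this[each.key].id
+CacheClusterId = aws_elasticache_replication_group.this.id
 }
 }
 
@@ -544,13 +540,13 @@ resource "aws_s3_bucket_policy" "media" {
 AWS = "*"
 }
 Resource = [
-"${aws_s3_bucket.this["media "].arn}/*"
-],
+"${aws_s3_bucket.this["media"].arn}/*"
+]
 Condition = {
-test = "StringNotLike"
-variable = "aws:Referer"
-values = [ var.app["domain"] ]
+StringNotLike = {
+"aws:Referer" = [ var.app["domain"] ]
 }
+}
 },
 {
 Action = ["s3:PutObject"],
@@ -559,14 +555,14 @@ resource "aws_s3_bucket_policy" "media" {
 AWS = [ aws_iam_user.s3.arn ]
 }
 Resource = [
-"${aws_s3_bucket.this["media "].arn}",
-"${aws_s3_bucket.this["media "].arn}/*"
-],
+"${aws_s3_bucket.this["media"].arn}",
+"${aws_s3_bucket.this["media"].arn}/*"
+]
 Condition = {
-test = "StringEquals"
-variable = "aws:SourceVpc"
-values = [ aws_vpc.this.id ]
+StringEquals = {
+"aws:SourceVpc" = [ aws_vpc.this.id ]
 }
+}
 },
 {
 Action = ["s3:GetObject", "s3:GetObjectAcl"],
@@ -575,8 +571,8 @@ resource "aws_s3_bucket_policy" "media" {
 AWS = [ aws_iam_user.s3.arn ]
 }
 Resource = [
-"${aws_s3_bucket.this["media "].arn}",
-"${aws_s3_bucket.this["media "].arn}/*"
+"${aws_s3_bucket.this["media"].arn}",
+"${aws_s3_bucket.this["media"].arn}/*"
 ]
 },
 {
@@ -585,7 +581,7 @@ resource "aws_s3_bucket_policy" "media" {
 Principal = {
 AWS = [ aws_iam_user.s3.arn ]
 }
-Resource = "${aws_s3_bucket.this["media "].arn}"
+Resource = "${aws_s3_bucket.this["media"].arn}"
 },
 ]
 Version = "2012-10-17"
@@ -646,11 +642,6 @@ resource "aws_elasticsearch_domain" "this" {
 cluster_config {
 instance_type = var.elk["instance_type"]
 instance_count = var.elk["instance_count"]
-
-zone_awareness_enabled = true
-zone_awareness_config {
-availability_zone_count = var.elk["instance_count"]
-}
 }
 ebs_options {
 ebs_enabled = var.elk["ebs_enabled"]
@@ -727,12 +718,11 @@ EOF
 # Create RDS parameter groups
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_db_parameter_group" "this" {
-for_each = var.rds["name"]
-name = "${var.app["brand"]}-${each.key}-parameters"
+name = "${var.app["brand"]}-${var.rds["name"]}-parameters"
 family = "mariadb10.5"
-description = "Parameter group for ${var.app["brand"]} ${each.key} database"
+description = "Parameter group for ${var.app["brand"]} ${var.rds["name"]} database"
 tags = {
-Name = "${var.app["brand"]}-${each.key}-parameters"
+Name = "${var.app["brand"]}-${var.rds["name"]}-parameters"
 }
 }
 # # ---------------------------------------------------------------------------------------------------------------------#
@@ -750,7 +740,7 @@ resource "aws_db_instance" "this" {
 name = "${var.app["brand"]}_${var.rds["name"]}"
 username = var.app["brand"]
 password = random_password.this["rds"].result
-parameter_group_name = aws_db_parameter_group.this[each.key].id
+parameter_group_name = aws_db_parameter_group.this.id
 skip_final_snapshot = var.rds["skip_final_snapshot"]
 vpc_security_group_ids = [aws_security_group.this["rds"].id]
 db_subnet_group_name = aws_db_subnet_group.this.name
@@ -920,7 +910,7 @@ resource "aws_lb_target_group" "this" {
 }
 }
 # # ---------------------------------------------------------------------------------------------------------------------#
-# Create https:// listener for Load Balancer - forward to admin
+# Create https:// listener for Load Balancer - default response
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_lb_listener" "https" {
 depends_on = [aws_acm_certificate_validation.default]
@@ -955,7 +945,7 @@ resource "aws_lb_listener" "http" {
 }
 }
 # # ---------------------------------------------------------------------------------------------------------------------#
-# Create conditional listener rule for INNER Load Balancer - forward to admin
+# Create conditional listener rule for Load Balancer - forward to admin
 # # ---------------------------------------------------------------------------------------------------------------------#
 resource "aws_lb_listener_rule" "default" {
 listener_arn = aws_lb_listener.https.arn
@@ -964,6 +954,11 @@ resource "aws_lb_listener_rule" "default" {
 type = "forward"
 target_group_arn = aws_lb_target_group.this["admin"].arn
 }
+condition {
+host_header {
+values = [var.app["domain"]]
+}
+}
 condition {
 http_header {
 http_header_name = "X-Magenx-Header"
@@ -1347,7 +1342,7 @@ RABBITMQ_PASSWORD='${random_password.this["mq"].result}'
 
 ELASTICSEARCH_ENDPOINT="https://${aws_elasticsearch_domain.this.endpoint}:443"
 
-REDIS_CACHE_BACKEND="${aws_elasticache_replication_group.this["cache"].primary_endpoint_address}"
+REDIS_CACHE_BACKEND="${aws_elasticache_replication_group.this.primary_endpoint_address}"
 
 ALB_DNS_NAME="${aws_lb.this.dns_name}"
 
@@ -1605,7 +1600,7 @@ mainSteps:
 --cache-backend=redis \
 --cache-backend-redis-server=${aws_elasticache_replication_group.this.primary_endpoint_address} \
 --cache-backend-redis-port=6379 \
---cache-backend-redis-db=0 \
+--cache-backend-redis-db=2 \
 --cache-backend-redis-compress-data=1 \
 --cache-backend-redis-compression-lib=l4z \
 -n"
@@ -1615,7 +1610,7 @@ mainSteps:
 --session-save-redis-host=${aws_elasticache_replication_group.this.primary_endpoint_address} \
 --session-save-redis-port=6379 \
 --session-save-redis-log-level=3 \
---session-save-redis-db=0 \
+--session-save-redis-db=1 \
 --session-save-redis-compression-lib=lz4 \
 --session-save-redis-persistent-id=${random_string.this["persistent"].result} \
 -n"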
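Review bot: The rewritten `StringNotLike = { "aws:Referer" = [ var.app["domain"] ] }` condition in the first `aws_s3_bucket_policy` `media` hunk compares a header that carries a full URL against a bare domain with no wildcard, so as far as I can tell it never matches a real Referer and, being negated, the condition holds for essentially every request; the statement's `Effect` and `Action` lie before the hunk, and `"aws:Referer" = ["https://${var.app["domain"]}/*"]` would at least express the intended match. Since `aws:Referer` is set by the client, a `Principal = { AWS = "*" }` statement gated only on it should be read as hotlink hygiene rather than as an access control for the bucket; the `aws:SourceVpc` statement below is the one that actually bounds access. A second point, in the two CloudWatch hunks: `CacheClusterId = aws_elasticache_replication_group.this.id` passes the replication-group id where the ElastiCache metric is emitted per member node, so both alarms are likely to sit in INSUFFICIENT_DATA and never notify; `CacheClusterId = tolist(aws_elasticache_replication_group.this.member_clusters)[0]` names the single node that `number_cache_clusters = 1` provisions.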

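--- a/variables.tf
+++ b/variables.tf
@@ -92,6 +92,7 @@ variable "redis" {
 name = "cache"
 engine_version = "6.x"
 port = "6379"
+number_cache_clusters = 1
 automatic_failover_enabled = false
 multi_az_enabled = false
 }
@@ -157,12 +158,12 @@ variable "az_number" {
 }
 
 locals {
-security_group = setunion(var.redis["name"],["ec2","rds","elk","mq","efs","alb"])
+security_group = setunion(["ec2","rds","elk","mq","efs","alb","redis"])
 }
 
 locals {
 security_rule = {
-outer_alb_https_in = {
+alb_https_in = {
 type = "ingress"
 description = "Allow all inbound traffic on the load balancer https listener port"
 from_port = 443
@@ -171,7 +172,7 @@ locals {
 cidr_blocks = ["0.0.0.0/0"]
 security_group_id = aws_security_group.this["alb"].id
 },
-outer_alb_http_in = {
+alb_http_in = {
 type = "ingress"
 description = "Allow all inbound traffic on the load balancer http listener port"
 from_port = 80
@@ -180,16 +181,7 @@ locals {
 cidr_blocks = ["0.0.0.0/0"]
 security_group_id = aws_security_group.this["alb"].id
 },
-outer_alb_http_out = {
-type = "egress"
-description = "Allow outbound traffic to instances on the load balancer listener port"
-from_port = 80
-to_port = 80
-protocol = "tcp"
-source_security_group_id = aws_security_group.this["ec2"].id
-security_group_id = aws_security_group.this["alb"].id
-},
-inner_alb_http_in = {
+ec2_alb_http_in = {
 type = "ingress"
 description = "Allow inbound traffic from the VPC CIDR on the load balancer listener port"
 from_port = 80
@@ -198,7 +190,7 @@ locals {
 source_security_group_id = aws_security_group.this["ec2"].id
 security_group_id = aws_security_group.this["alb"].id
 },
-inner_alb_http_out = {
+alb_http_out = {
 type = "egress"
 description = "Allow outbound traffic to instances on the load balancer listener port"
 from_port = 80
@@ -243,22 +235,13 @@ locals {
 source_security_group_id = aws_security_group.this["mq"].id
 security_group_id = aws_security_group.this["ec2"].id
 },
-ec2_redis_session_out = {
-type = "egress"
-description = "Allow outbound traffic on the instance Redis port"
-from_port = 6379
-to_port = 6379
-protocol = "tcp"
-source_security_group_id = aws_security_group.this["cache"].id
-security_group_id = aws_security_group.this["ec2"].id
-},
 ec2_redis_cache_out = {
 type = "egress"
 description = "Allow outbound traffic on the instance Redis port"
 from_port = 6379
 to_port = 6379
 protocol = "tcp"
-source_security_group_id = aws_security_group.this["cache"].id
+source_security_group_id = aws_security_group.this["redis"].id
 security_group_id = aws_security_group.this["ec2"].id
 },
 ec2_efs_out = {
@@ -297,16 +280,7 @@ locals {
 source_security_group_id = aws_security_group.this["ec2"].id
 security_group_id = aws_security_group.this["ec2"].id
 },
-ec2_http_in_inner = {
-type = "ingress"
-description = "Allow all inbound traffic from the load balancer on http port"
-from_port = 80
-to_port = 80
-protocol = "tcp"
-source_security_group_id = aws_security_group.this["alb"].id
-security_group_id = aws_security_group.this["ec2"].id
-},
-ec2_http_in_outer = {
+ec2_http_in = {
 type = "ingress"
 description = "Allow all inbound traffic from the load balancer on http port"
 from_port = 80
@@ -324,23 +298,14 @@ locals {
 source_security_group_id = aws_security_group.this["ec2"].id
 security_group_id = aws_security_group.this["rds"].id
 },
-redis_session_in = {
-type = "ingress"
-description = "Allow access instances to Redis Session"
-from_port = 6379
-to_port = 6379
-protocol = "tcp"
-source_security_group_id = aws_security_group.this["ec2"].id
-security_group_id = aws_security_group.this["cache"].id
-},
 redis_cache_in = {
 type = "ingress"
 description = "Allow access instances to Redis Cache"
 from_port = 6379
 to_port = 6379
 protocol = "tcp"
 source_security_group_id = aws_security_group.this["ec2"].id
-security_group_id = aws_security_group.this["cache"].id
+security_group_id = aws_security_group.this["redis"].id
 },
 rabbitmq_in = {
 type = "ingress"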
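Review bot: `ec2_alb_http_in` in the `@@ -180,16 +181,7 @@` hunk appears to be the old inner-ALB rule kept under a new name, but with the inner load balancer gone it now adds an ingress on port 80 to the public ALB from the ec2 security group that `alb_http_in` already covers from `0.0.0.0/0`, and its description still says `from the VPC CIDR` while the rule matches a security group; either drop the rule or make the description match, e.g. `description = "Allow inbound traffic from the instances on the load balancer listener port"`. In the `locals` hunk above it, `setunion(["ec2","rds","elk","mq","efs","alb","redis"])` is a union of a single list now that the Redis names no longer merge in; `security_group = toset(["ec2","rds","elk","mq","efs","alb","redis"])` says the same thing more directly. Both `locals` blocks end outside their hunks.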
