Dbeaver devops#2197 aws ecs deployment improvements (#200)

* dbeaver/dbeaver-devops#2197 Global refactoring AWS ECS deployment

* dbeaver/dbeaver-devops#2197 Added optional creating ECS cluster in existing VPC

* dbeaver/dbeaver-devops#2197 Fixed migration of old resources to new modules

* dbeaver/dbeaver-devops#2197 Added removed old aws_route_table during mugration

* dbeaver/dbeaver-devops#2197 Reverter remove

* dbeaver/dbeaver-devops#2197 Fixed long destroying vpc

* dbeaver/dbeaver-devops#2197 Removed rds vars

* dbeaver/dbeaver-devops#2197 Created modules in AWS ECS deployment, added migration from flat deployment to modules

* dbeaver/dbeaver-devops#2197 Added variable efs_encrypted and added warning about enabling encryption on existet EFS volumes

* dbeaver/dbeaver-devops#2197 Added modules description

Author: ggxed

AWS/ecs-fargate/README.md

@@ -75,3 +75,19 @@ git clone https://github.com/dbeaver/team-edition-deploy.git
 2. Specify the desired version in  `variables.tf` in the `dbeaver_te_version` variable.
 
 3. Run `terraform apply` to upgrade the ECS cluster and complete the deployment.
+
+
+## Modules description
+
+This deployment is built on self-contained parameterized Terraform modules. All modules are located in the local [`./modules/`](./modules/) folder, so every piece of infrastructure can be reviewed, customized and maintained. Root `*.tf` files only wire modules together and pass variables, resource definitions are kept inside the modules.
+
+- **alb** — Application Load Balancer with HTTP to HTTPS redirect and HTTPS listener.
+- **alb-route** — Target group and listener rule for a single backend service.
+- **ecs-cluster** — ECS cluster with Fargate capacity providers.
+- **ecs-service** — Fargate task definition and ECS service, with optional EFS volumes and ALB target group.
+- **efs-volume** — EFS file system, mount targets and optional access point.
+- **iam** — ECS task and execution IAM roles with CloudWatch Logs and EFS access policies.
+- **rds** — RDS instance and DB subnet group.
+- **vpc** — VPC with public/private subnets, Internet Gateway, NAT Gateway and route tables.
+
+For customers who used the previous flat Terraform deployment, the [`migration.tf`](./migration.tf) file remaps the existing Terraform state to the new module layout, so `terraform apply` preserves the environment without losing data.

AWS/ecs-fargate/alb.tf

@@ -1,194 +1,19 @@
 ################################################################################
-# ALB
+# AWS ALB
 ################################################################################
 
-resource "aws_lb" "dbeaver_te_lb" {
-  name               = "DBeaverTE-${var.deployment_id}-ALB"
-  internal           = false
-  load_balancer_type = "application"
-  security_groups    = [aws_security_group.dbeaver_alb.id]
-  subnets            = aws_subnet.public_subnets[*].id
-  tags = {
-    env = var.deployment_id
-  }
-}
-
-
-# This resources must be edited if HTTPS not used
-resource "aws_lb_listener" "dbeaver-te-listener" {
-
-  load_balancer_arn = aws_lb.dbeaver_te_lb.arn
-  port              = "80"
-  protocol          = "HTTP"
-
-  default_action {
-    type = "redirect"
-
-    redirect {
-      port        = "443"
-      protocol    = "HTTPS"
-      status_code = "HTTP_301"
-    }
-  }
-}
-
-# This resources must be edited if HTTPS not used
-resource "aws_lb_listener" "dbeaver-te-listener-https" {
-
-  load_balancer_arn = aws_lb.dbeaver_te_lb.arn
-  port              = "443"
-  protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
-  certificate_arn   = "arn:aws:acm:${var.aws_region}:${var.aws_account_id}:certificate/${var.alb_certificate_Identifier}"
-
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.dbeaver_te.arn
-  }
-}
+module "alb" {
+  source = "./modules/alb"
 
-resource "aws_lb_listener_rule" "forward_to_service_uri_dc" {
-  listener_arn = aws_lb_listener.dbeaver-te-listener-https.arn
-  priority     = 99
+  name               = "${local.name_prefix}-${var.deployment_id}-ALB"
+  deployment_id      = var.deployment_id
+  vpc_id             = local.vpc_id
+  public_subnets     = local.public_subnets
+  security_group_ids = [aws_security_group.dbeaver_alb.id]
+  certificate_arn    = "arn:aws:acm:${var.aws_region}:${var.aws_account_id}:certificate/${var.alb_certificate_Identifier}"
+  ssl_policy         = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 
-  condition {
-    path_pattern {
-      values = ["/dc*"]
-    }
-  }
-
-  action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.dbeaver_dc.arn
-  }
-}
-
-resource "aws_lb_listener_rule" "forward_to_service_uri_qm" {
-  listener_arn = aws_lb_listener.dbeaver-te-listener-https.arn
-  priority     = 98
-
-  condition {
-    path_pattern {
-      values = ["/qm*"]
-    }
-  }
-
-  action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.dbeaver_qm.arn
-  }
-}
-
-resource "aws_lb_listener_rule" "forward_to_service_uri_rm" {
-  listener_arn = aws_lb_listener.dbeaver-te-listener-https.arn
-  priority     = 97
-
-  condition {
-    path_pattern {
-      values = ["/rm*"]
-    }
-  }
-
-  action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.dbeaver_rm.arn
-  }
-}
-
-
-resource "aws_lb_listener_rule" "forward_to_service_uri_tm" {
-  listener_arn = aws_lb_listener.dbeaver-te-listener-https.arn
-  priority     = 94
-
-  condition {
-    path_pattern {
-      values = ["/tm*"]
-    }
-  }
-
-  action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.dbeaver_tm.arn
-  }
-}
-
-
-resource "aws_lb_target_group" "dbeaver_dc" {
-  name        = "DBeaverTE-${var.deployment_id}-dc"
-  port        = 80
-  protocol    = "HTTP"
-  target_type = "ip"
-  vpc_id      = aws_vpc.dbeaver_net.id
-
-  health_check {
-    matcher = "200,302"
-    unhealthy_threshold = 7
-    enabled = true
-    path    = "/dc/health"
-  }
-}
-
-resource "aws_lb_target_group" "dbeaver_te" {
-  name        = "DBeaverTE-${var.deployment_id}"
-  port        = 80
-  protocol    = "HTTP"
-  target_type = "ip"
-  vpc_id      = aws_vpc.dbeaver_net.id
-
-  health_check {
-    matcher = "200,302"
-    unhealthy_threshold = 10
-    enabled = true
-    path    = "/"
-  }
-  stickiness {
-    enabled = true
-    type    = "lb_cookie" 
-    cookie_duration = 86400
-  }
-}
-
-resource "aws_lb_target_group" "dbeaver_qm" {
-  name        = "DBeaverTE-${var.deployment_id}-qm"
-  port        = 80
-  protocol    = "HTTP"
-  target_type = "ip"
-  vpc_id      = aws_vpc.dbeaver_net.id
-
-  health_check {
-    matcher = "200,302"
-    unhealthy_threshold = 7
-    enabled = true
-    path    = "/qm/health"
-  }
-}
-
-resource "aws_lb_target_group" "dbeaver_rm" {
-  name        = "DBeaverTE-${var.deployment_id}-rm"
-  port        = 80
-  protocol    = "HTTP"
-  target_type = "ip"
-  vpc_id      = aws_vpc.dbeaver_net.id
-
-  health_check {
-    matcher = "200,302"
-    unhealthy_threshold = 7
-    enabled = true
-    path    = "/rm/health"
-  }
-}
-
-resource "aws_lb_target_group" "dbeaver_tm" {
-  name        = "DBeaverTE-${var.deployment_id}-tm"
-  port        = 80
-  protocol    = "HTTP"
-  target_type = "ip"
-  vpc_id      = aws_vpc.dbeaver_net.id
-
-  health_check {
-    matcher = "200,302"
-    unhealthy_threshold = 7
-    enabled = true
-    path    = "/tm/health"
+  tags = {
+    Env = var.deployment_id
   }
 }