Remove drizzle and serverless infra. Add terraform deployment.

This commit is contained in:
Patrick Fic
2026-01-19 13:49:19 -08:00
parent fefbd45570
commit bcdc305251
30 changed files with 713 additions and 329 deletions

45
terraform/.terraform.lock.hcl generated Normal file
View File

@@ -0,0 +1,45 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "6.28.0"
constraints = "~> 6.0"
hashes = [
"h1:RwoFuX1yGMVaKJaUmXDKklEaQ/yUCEdt5k2kz+/g08c=",
"zh:0ba0d5eb6e0c6a933eb2befe3cdbf22b58fbc0337bf138f95bf0e8bb6e6df93e",
"zh:23eacdd4e6db32cf0ff2ce189461bdbb62e46513978d33c5de4decc4670870ec",
"zh:307b06a15fc00a8e6fd243abde2cbe5112e9d40371542665b91bec1018dd6e3c",
"zh:37a02d5b45a9d050b9642c9e2e268297254192280df72f6e46641daca52e40ec",
"zh:3da866639f07d92e734557d673092719c33ede80f4276c835bf7f231a669aa33",
"zh:480060b0ba310d0f6b6a14d60b276698cb103c48fd2f7e2802ae47c963995ec6",
"zh:57796453455c20db80d9168edbf125bf6180e1aae869de1546a2be58e4e405ec",
"zh:69139cba772d4df8de87598d8d8a2b1b4b254866db046c061dccc79edb14e6b9",
"zh:7312763259b859ff911c5452ca8bdf7d0be6231c5ea0de2df8f09d51770900ac",
"zh:8d2d6f4015d3c155d7eb53e36f019a729aefb46ebfe13f3a637327d3a1402ecc",
"zh:94ce589275c77308e6253f607de96919b840c2dd36c44aa798f693c9dd81af42",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:adaceec6a1bf4f5df1e12bd72cf52b72087c72efed078aef636f8988325b1a8b",
"zh:d37be1ce187d94fd9df7b13a717c219964cd835c946243f096c6b230cdfd7e92",
"zh:fe6205b5ca2ff36e68395cb8d3ae10a3728f405cdbcd46b206a515e1ebcf17a1",
]
}
provider "registry.terraform.io/hashicorp/random" {
version = "3.8.0"
constraints = "~> 3.0"
hashes = [
"h1:BYpqK2+ZHqNF9sauVugKJSeFWMCx11I/z/1lMplwUC0=",
"zh:0e71891d8f25564e8d0b61654ed2ca52101862b9a2a07d736395193ae07b134b",
"zh:1c56852d094161997df5fd8a6cbca7c6c979b3f8c3c00fbcc374a59305d117b1",
"zh:20698fb8a2eaa7e23c4f8e3d22250368862f578cf618be0281d5b61496cbef13",
"zh:3afbdd5e955f6d0105fed4f6b7fef7ba165cd780569483e688002108cf06586c",
"zh:4ce22b96e625dc203ea653d53551d46156dd63ad79e45bcbe0224b2e6357f243",
"zh:4ff84b568ad468d140f8f6201a372c6c4bea17d64527b72e341ae8fafea65b8e",
"zh:54b071cb509203c43e420cc589523709bbc6e65d80c1cd9384f5bd88fd1ff1a2",
"zh:63fc5f9f341a573cd5c8bcfc994a58fa52a5ad88d2cbbd80f5a9f143c5006e75",
"zh:73cb8b39887589914686d14a99b4de6e85e48603f7235d87da5594e3fbb7d8a7",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:7ee20f28aa6a25539a5b9fc249e751dec5a5b130dcd73c5d05efdf4d5e320454",
"zh:994a83fddab1d44a8f546920ed34e45ea6caefe4f08735bada6c28dc9010e5e4",
]
}

517
terraform/hasura.tf Normal file
View File

@@ -0,0 +1,517 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 6.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}
provider "aws" {
region = "ca-central-1"
}
locals {
# CONFIGURATION
my_ip = "70.36.57.88/32" # REPLACE WITH YOUR IP
domain_name = "db.es.imex.online"
hosted_zone_name = "imex.online" # The root zone you manage in Route53
region = "ca-central-1"
app_name = "esdp-hasura"
}
# -----------------------------------------------------------------------------
# 1. SECRETS & CREDENTIALS (Auto-generated)
# -----------------------------------------------------------------------------
# Generate a random username
resource "random_string" "db_username" {
length = 8
special = false
numeric = false # PG usernames shouldn't start with numbers usually
upper = false
}
# Generate a secure random password
resource "random_password" "db_password" {
length = 24
special = true
override_special = "!#$%&*()-_=+[]{}<>:?" # Safe chars for Postgres
}
# Generate a random secret for Hasura Admin
resource "random_password" "hasura_admin_secret" {
length = 32
special = false
}
# Create the Secret Container in AWS Secrets Manager
resource "aws_secretsmanager_secret" "hasura_credentials" {
name = "${local.app_name}-credentials-${random_string.suffix.result}"
}
resource "random_string" "suffix" {
length = 6
special = false
upper = false
}
# Store the connection string and admin secret
# We wait for the DB to be created so we can grab the endpoint
resource "aws_secretsmanager_secret_version" "creds" {
secret_id = aws_secretsmanager_secret.hasura_credentials.id
secret_string = jsonencode({
# Hasura needs the full connection URL
database_url = "postgres://${random_string.db_username.result}:${random_password.db_password.result}@${aws_db_instance.default.endpoint}/esdp"
admin_secret = random_password.hasura_admin_secret.result
})
}
# -----------------------------------------------------------------------------
# 2. NETWORKING
# -----------------------------------------------------------------------------
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = { Name = "${local.app_name}-vpc" }
}
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.main.id
}
# Get available AZs in the configured region
data "aws_availability_zones" "available" {
state = "available"
}
# Public Subnets (ALB + Public DB + Fargate)
resource "aws_subnet" "public_a" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
availability_zone = data.aws_availability_zones.available.names[0]
map_public_ip_on_launch = true
}
resource "aws_subnet" "public_b" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.2.0/24"
availability_zone = data.aws_availability_zones.available.names[1]
map_public_ip_on_launch = true
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
}
resource "aws_route_table_association" "a" {
subnet_id = aws_subnet.public_a.id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "b" {
subnet_id = aws_subnet.public_b.id
route_table_id = aws_route_table.public.id
}
# -----------------------------------------------------------------------------
# 3. SECURITY GROUPS
# -----------------------------------------------------------------------------
resource "aws_security_group" "alb_sg" {
name = "${local.app_name}-alb-sg"
vpc_id = aws_vpc.main.id
# Allow HTTPS from anywhere
ingress {
protocol = "tcp"
from_port = 443
to_port = 443
cidr_blocks = ["0.0.0.0/0"]
}
# Allow HTTP for redirection
ingress {
protocol = "tcp"
from_port = 80
to_port = 80
cidr_blocks = ["0.0.0.0/0"]
}
egress {
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "ecs_sg" {
name = "${local.app_name}-ecs-sg"
vpc_id = aws_vpc.main.id
# Only accept traffic from ALB
ingress {
protocol = "tcp"
from_port = 8080
to_port = 8080
security_groups = [aws_security_group.alb_sg.id]
}
egress {
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "db_sg" {
name = "${local.app_name}-db-sg"
vpc_id = aws_vpc.main.id
# 1. Allow ECS Tasks
ingress {
protocol = "tcp"
from_port = 5432
to_port = 5432
security_groups = [aws_security_group.ecs_sg.id]
}
# 2. Allow YOUR IP (Strict Access)
ingress {
protocol = "tcp"
from_port = 5432
to_port = 5432
cidr_blocks = [local.my_ip]
}
egress {
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
}
# -----------------------------------------------------------------------------
# 4. DATABASE (RDS Postgres t4g.micro)
# -----------------------------------------------------------------------------
resource "aws_db_subnet_group" "default" {
name = "${local.app_name}-db-subnets"
subnet_ids = [aws_subnet.public_a.id, aws_subnet.public_b.id]
}
resource "aws_db_instance" "default" {
identifier = "${local.app_name}-db"
engine = "postgres"
engine_version = "17.6"
instance_class = "db.t4g.micro"
allocated_storage = 20
storage_type = "gp3"
db_name = "esdp"
username = random_string.db_username.result
password = random_password.db_password.result
publicly_accessible = true
vpc_security_group_ids = [aws_security_group.db_sg.id]
db_subnet_group_name = aws_db_subnet_group.default.name
skip_final_snapshot = true
apply_immediately = true
deletion_protection = true
}
# -----------------------------------------------------------------------------
# 5. DOMAIN & SSL (ACM + Route53)
# -----------------------------------------------------------------------------
data "aws_route53_zone" "main" {
name = local.hosted_zone_name
private_zone = false
}
resource "aws_acm_certificate" "cert" {
domain_name = local.domain_name
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
}
# Create DNS Record for Validation
resource "aws_route53_record" "cert_validation" {
for_each = {
for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => dvo
}
allow_overwrite = true
name = each.value.resource_record_name
records = [each.value.resource_record_value]
ttl = 60
type = each.value.resource_record_type
zone_id = data.aws_route53_zone.main.zone_id
}
# Wait for Validation to complete
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = aws_acm_certificate.cert.arn
validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
# Point Domain to ALB
resource "aws_route53_record" "www" {
zone_id = data.aws_route53_zone.main.zone_id
name = local.domain_name
type = "A"
alias {
name = aws_lb.main.dns_name
zone_id = aws_lb.main.zone_id
evaluate_target_health = true
}
}
# -----------------------------------------------------------------------------
# 6. LOAD BALANCER (ALB)
# -----------------------------------------------------------------------------
resource "aws_lb" "main" {
name = "${local.app_name}-alb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.alb_sg.id]
subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
}
resource "aws_lb_target_group" "hasura" {
name = "${local.app_name}-tg"
port = 8080
protocol = "HTTP"
vpc_id = aws_vpc.main.id
target_type = "ip"
health_check {
path = "/healthz"
matcher = "200"
interval = 60
}
}
# HTTP Listener (Redirect to HTTPS)
resource "aws_lb_listener" "http" {
load_balancer_arn = aws_lb.main.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
# HTTPS Listener
resource "aws_lb_listener" "https" {
load_balancer_arn = aws_lb.main.arn
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016-08"
certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.hasura.arn
}
}
# -----------------------------------------------------------------------------
# 7. ECS FARGATE (Compute)
# -----------------------------------------------------------------------------
# IAM Role for Task Execution (Needs permission to pull images + read secrets)
resource "aws_iam_role" "ecs_execution_role" {
name = "${local.app_name}-execution-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "ecs-tasks.amazonaws.com" }
}]
})
}
# Attach basic ECS policy
resource "aws_iam_role_policy_attachment" "ecs_execution_basic" {
role = aws_iam_role.ecs_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
# Attach Secrets Manager Read Policy
resource "aws_iam_policy" "secrets_policy" {
name = "${local.app_name}-secrets-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = ["secretsmanager:GetSecretValue"]
Resource = [aws_secretsmanager_secret.hasura_credentials.arn]
}]
})
}
resource "aws_iam_role_policy_attachment" "ecs_secrets_attach" {
role = aws_iam_role.ecs_execution_role.name
policy_arn = aws_iam_policy.secrets_policy.arn
}
# CloudWatch Logs Policy for log group creation
resource "aws_iam_policy" "cloudwatch_logs_policy" {
name = "${local.app_name}-cloudwatch-logs-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Resource = "arn:aws:logs:${local.region}:*:log-group:/ecs/${local.app_name}*"
}]
})
}
resource "aws_iam_role_policy_attachment" "ecs_logs_attach" {
role = aws_iam_role.ecs_execution_role.name
policy_arn = aws_iam_policy.cloudwatch_logs_policy.arn
}
resource "aws_ecs_cluster" "main" {
name = "${local.app_name}-cluster"
}
resource "aws_ecs_task_definition" "hasura" {
family = "${local.app_name}-task"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
cpu = 256 # 0.25 vCPU
memory = 512 # 0.5 GB
execution_role_arn = aws_iam_role.ecs_execution_role.arn
container_definitions = jsonencode([
{
name = "hasura"
image = "hasura/graphql-engine:v2.48.10"
essential = true
portMappings = [{ containerPort = 8080 }]
# INJECT SECRETS HERE
secrets = [
{
name = "HASURA_GRAPHQL_DATABASE_URL"
valueFrom = "${aws_secretsmanager_secret.hasura_credentials.arn}:database_url::"
},
{
name = "HASURA_GRAPHQL_ADMIN_SECRET"
valueFrom = "${aws_secretsmanager_secret.hasura_credentials.arn}:admin_secret::"
}
]
environment = [
{ name = "HASURA_GRAPHQL_ENABLE_CONSOLE", value = "true" }, # Set false for strict prod,
]
logConfiguration = {
logDriver = "awslogs"
options = {
"awslogs-group" = "/ecs/${local.app_name}"
"awslogs-region" = local.region
"awslogs-stream-prefix" = "ecs"
"awslogs-create-group" = "true"
}
}
}
])
}
resource "aws_ecs_service" "hasura" {
name = "${local.app_name}-service"
cluster = aws_ecs_cluster.main.id
task_definition = aws_ecs_task_definition.hasura.arn
desired_count = 1
launch_type = "FARGATE"
network_configuration {
subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
security_groups = [aws_security_group.ecs_sg.id]
assign_public_ip = true
}
load_balancer {
target_group_arn = aws_lb_target_group.hasura.arn
container_name = "hasura"
container_port = 8080
}
}
# -----------------------------------------------------------------------------
# 8. AUTO SCALING
# -----------------------------------------------------------------------------
resource "aws_appautoscaling_target" "ecs_target" {
max_capacity = 3
min_capacity = 1
resource_id = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.hasura.name}"
scalable_dimension = "ecs:service:DesiredCount"
service_namespace = "ecs"
}
resource "aws_appautoscaling_policy" "ecs_policy_cpu" {
name = "scale-cpu"
policy_type = "TargetTrackingScaling"
resource_id = aws_appautoscaling_target.ecs_target.resource_id
scalable_dimension = aws_appautoscaling_target.ecs_target.scalable_dimension
service_namespace = aws_appautoscaling_target.ecs_target.service_namespace
target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "ECSServiceAverageCPUUtilization"
}
target_value = 70.0
scale_in_cooldown = 60
scale_out_cooldown = 60
}
}
# -----------------------------------------------------------------------------
# OUTPUTS
# -----------------------------------------------------------------------------
output "hasura_console_url" {
value = "https://${local.domain_name}/console"
}
output "db_public_endpoint" {
value = aws_db_instance.default.endpoint
}
output "secrets_arn" {
value = aws_secretsmanager_secret.hasura_credentials.arn
}