Remove drizzle and serverless infra. Add terraform deployment.
This commit is contained in:
45
terraform/.terraform.lock.hcl
generated
Normal file
45
terraform/.terraform.lock.hcl
generated
Normal file
@@ -0,0 +1,45 @@
|
||||
# This file is maintained automatically by "terraform init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/aws" {
|
||||
version = "6.28.0"
|
||||
constraints = "~> 6.0"
|
||||
hashes = [
|
||||
"h1:RwoFuX1yGMVaKJaUmXDKklEaQ/yUCEdt5k2kz+/g08c=",
|
||||
"zh:0ba0d5eb6e0c6a933eb2befe3cdbf22b58fbc0337bf138f95bf0e8bb6e6df93e",
|
||||
"zh:23eacdd4e6db32cf0ff2ce189461bdbb62e46513978d33c5de4decc4670870ec",
|
||||
"zh:307b06a15fc00a8e6fd243abde2cbe5112e9d40371542665b91bec1018dd6e3c",
|
||||
"zh:37a02d5b45a9d050b9642c9e2e268297254192280df72f6e46641daca52e40ec",
|
||||
"zh:3da866639f07d92e734557d673092719c33ede80f4276c835bf7f231a669aa33",
|
||||
"zh:480060b0ba310d0f6b6a14d60b276698cb103c48fd2f7e2802ae47c963995ec6",
|
||||
"zh:57796453455c20db80d9168edbf125bf6180e1aae869de1546a2be58e4e405ec",
|
||||
"zh:69139cba772d4df8de87598d8d8a2b1b4b254866db046c061dccc79edb14e6b9",
|
||||
"zh:7312763259b859ff911c5452ca8bdf7d0be6231c5ea0de2df8f09d51770900ac",
|
||||
"zh:8d2d6f4015d3c155d7eb53e36f019a729aefb46ebfe13f3a637327d3a1402ecc",
|
||||
"zh:94ce589275c77308e6253f607de96919b840c2dd36c44aa798f693c9dd81af42",
|
||||
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
|
||||
"zh:adaceec6a1bf4f5df1e12bd72cf52b72087c72efed078aef636f8988325b1a8b",
|
||||
"zh:d37be1ce187d94fd9df7b13a717c219964cd835c946243f096c6b230cdfd7e92",
|
||||
"zh:fe6205b5ca2ff36e68395cb8d3ae10a3728f405cdbcd46b206a515e1ebcf17a1",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/random" {
|
||||
version = "3.8.0"
|
||||
constraints = "~> 3.0"
|
||||
hashes = [
|
||||
"h1:BYpqK2+ZHqNF9sauVugKJSeFWMCx11I/z/1lMplwUC0=",
|
||||
"zh:0e71891d8f25564e8d0b61654ed2ca52101862b9a2a07d736395193ae07b134b",
|
||||
"zh:1c56852d094161997df5fd8a6cbca7c6c979b3f8c3c00fbcc374a59305d117b1",
|
||||
"zh:20698fb8a2eaa7e23c4f8e3d22250368862f578cf618be0281d5b61496cbef13",
|
||||
"zh:3afbdd5e955f6d0105fed4f6b7fef7ba165cd780569483e688002108cf06586c",
|
||||
"zh:4ce22b96e625dc203ea653d53551d46156dd63ad79e45bcbe0224b2e6357f243",
|
||||
"zh:4ff84b568ad468d140f8f6201a372c6c4bea17d64527b72e341ae8fafea65b8e",
|
||||
"zh:54b071cb509203c43e420cc589523709bbc6e65d80c1cd9384f5bd88fd1ff1a2",
|
||||
"zh:63fc5f9f341a573cd5c8bcfc994a58fa52a5ad88d2cbbd80f5a9f143c5006e75",
|
||||
"zh:73cb8b39887589914686d14a99b4de6e85e48603f7235d87da5594e3fbb7d8a7",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:7ee20f28aa6a25539a5b9fc249e751dec5a5b130dcd73c5d05efdf4d5e320454",
|
||||
"zh:994a83fddab1d44a8f546920ed34e45ea6caefe4f08735bada6c28dc9010e5e4",
|
||||
]
|
||||
}
|
||||
517
terraform/hasura.tf
Normal file
517
terraform/hasura.tf
Normal file
@@ -0,0 +1,517 @@
|
||||
terraform {
|
||||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = "~> 6.0"
|
||||
}
|
||||
random = {
|
||||
source = "hashicorp/random"
|
||||
version = "~> 3.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
region = "ca-central-1"
|
||||
}
|
||||
|
||||
locals {
|
||||
# CONFIGURATION
|
||||
my_ip = "70.36.57.88/32" # REPLACE WITH YOUR IP
|
||||
domain_name = "db.es.imex.online"
|
||||
hosted_zone_name = "imex.online" # The root zone you manage in Route53
|
||||
region = "ca-central-1"
|
||||
app_name = "esdp-hasura"
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 1. SECRETS & CREDENTIALS (Auto-generated)
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
# Generate a random username
|
||||
resource "random_string" "db_username" {
|
||||
length = 8
|
||||
special = false
|
||||
numeric = false # PG usernames shouldn't start with numbers usually
|
||||
upper = false
|
||||
}
|
||||
|
||||
# Generate a secure random password
|
||||
resource "random_password" "db_password" {
|
||||
length = 24
|
||||
special = true
|
||||
override_special = "!#$%&*()-_=+[]{}<>:?" # Safe chars for Postgres
|
||||
}
|
||||
|
||||
# Generate a random secret for Hasura Admin
|
||||
resource "random_password" "hasura_admin_secret" {
|
||||
length = 32
|
||||
special = false
|
||||
}
|
||||
|
||||
# Create the Secret Container in AWS Secrets Manager
|
||||
resource "aws_secretsmanager_secret" "hasura_credentials" {
|
||||
name = "${local.app_name}-credentials-${random_string.suffix.result}"
|
||||
}
|
||||
|
||||
resource "random_string" "suffix" {
|
||||
length = 6
|
||||
special = false
|
||||
upper = false
|
||||
}
|
||||
|
||||
# Store the connection string and admin secret
|
||||
# We wait for the DB to be created so we can grab the endpoint
|
||||
resource "aws_secretsmanager_secret_version" "creds" {
|
||||
secret_id = aws_secretsmanager_secret.hasura_credentials.id
|
||||
secret_string = jsonencode({
|
||||
# Hasura needs the full connection URL
|
||||
database_url = "postgres://${random_string.db_username.result}:${random_password.db_password.result}@${aws_db_instance.default.endpoint}/esdp"
|
||||
admin_secret = random_password.hasura_admin_secret.result
|
||||
})
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 2. NETWORKING
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
resource "aws_vpc" "main" {
|
||||
cidr_block = "10.0.0.0/16"
|
||||
enable_dns_hostnames = true
|
||||
enable_dns_support = true
|
||||
tags = { Name = "${local.app_name}-vpc" }
|
||||
}
|
||||
|
||||
resource "aws_internet_gateway" "gw" {
|
||||
vpc_id = aws_vpc.main.id
|
||||
}
|
||||
|
||||
# Get available AZs in the configured region
|
||||
data "aws_availability_zones" "available" {
|
||||
state = "available"
|
||||
}
|
||||
|
||||
# Public Subnets (ALB + Public DB + Fargate)
|
||||
resource "aws_subnet" "public_a" {
|
||||
vpc_id = aws_vpc.main.id
|
||||
cidr_block = "10.0.1.0/24"
|
||||
availability_zone = data.aws_availability_zones.available.names[0]
|
||||
map_public_ip_on_launch = true
|
||||
}
|
||||
|
||||
resource "aws_subnet" "public_b" {
|
||||
vpc_id = aws_vpc.main.id
|
||||
cidr_block = "10.0.2.0/24"
|
||||
availability_zone = data.aws_availability_zones.available.names[1]
|
||||
map_public_ip_on_launch = true
|
||||
}
|
||||
|
||||
resource "aws_route_table" "public" {
|
||||
vpc_id = aws_vpc.main.id
|
||||
route {
|
||||
cidr_block = "0.0.0.0/0"
|
||||
gateway_id = aws_internet_gateway.gw.id
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_route_table_association" "a" {
|
||||
subnet_id = aws_subnet.public_a.id
|
||||
route_table_id = aws_route_table.public.id
|
||||
}
|
||||
|
||||
resource "aws_route_table_association" "b" {
|
||||
subnet_id = aws_subnet.public_b.id
|
||||
route_table_id = aws_route_table.public.id
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 3. SECURITY GROUPS
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
resource "aws_security_group" "alb_sg" {
|
||||
name = "${local.app_name}-alb-sg"
|
||||
vpc_id = aws_vpc.main.id
|
||||
|
||||
# Allow HTTPS from anywhere
|
||||
ingress {
|
||||
protocol = "tcp"
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
# Allow HTTP for redirection
|
||||
ingress {
|
||||
protocol = "tcp"
|
||||
from_port = 80
|
||||
to_port = 80
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
egress {
|
||||
protocol = "-1"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "ecs_sg" {
|
||||
name = "${local.app_name}-ecs-sg"
|
||||
vpc_id = aws_vpc.main.id
|
||||
|
||||
# Only accept traffic from ALB
|
||||
ingress {
|
||||
protocol = "tcp"
|
||||
from_port = 8080
|
||||
to_port = 8080
|
||||
security_groups = [aws_security_group.alb_sg.id]
|
||||
}
|
||||
|
||||
egress {
|
||||
protocol = "-1"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "db_sg" {
|
||||
name = "${local.app_name}-db-sg"
|
||||
vpc_id = aws_vpc.main.id
|
||||
|
||||
# 1. Allow ECS Tasks
|
||||
ingress {
|
||||
protocol = "tcp"
|
||||
from_port = 5432
|
||||
to_port = 5432
|
||||
security_groups = [aws_security_group.ecs_sg.id]
|
||||
}
|
||||
|
||||
# 2. Allow YOUR IP (Strict Access)
|
||||
ingress {
|
||||
protocol = "tcp"
|
||||
from_port = 5432
|
||||
to_port = 5432
|
||||
cidr_blocks = [local.my_ip]
|
||||
}
|
||||
|
||||
egress {
|
||||
protocol = "-1"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 4. DATABASE (RDS Postgres t4g.micro)
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
resource "aws_db_subnet_group" "default" {
|
||||
name = "${local.app_name}-db-subnets"
|
||||
subnet_ids = [aws_subnet.public_a.id, aws_subnet.public_b.id]
|
||||
}
|
||||
|
||||
resource "aws_db_instance" "default" {
|
||||
identifier = "${local.app_name}-db"
|
||||
engine = "postgres"
|
||||
engine_version = "17.6"
|
||||
instance_class = "db.t4g.micro"
|
||||
allocated_storage = 20
|
||||
storage_type = "gp3"
|
||||
|
||||
db_name = "esdp"
|
||||
username = random_string.db_username.result
|
||||
password = random_password.db_password.result
|
||||
|
||||
publicly_accessible = true
|
||||
vpc_security_group_ids = [aws_security_group.db_sg.id]
|
||||
db_subnet_group_name = aws_db_subnet_group.default.name
|
||||
skip_final_snapshot = true
|
||||
apply_immediately = true
|
||||
deletion_protection = true
|
||||
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 5. DOMAIN & SSL (ACM + Route53)
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
data "aws_route53_zone" "main" {
|
||||
name = local.hosted_zone_name
|
||||
private_zone = false
|
||||
}
|
||||
|
||||
resource "aws_acm_certificate" "cert" {
|
||||
domain_name = local.domain_name
|
||||
validation_method = "DNS"
|
||||
lifecycle {
|
||||
create_before_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
# Create DNS Record for Validation
|
||||
resource "aws_route53_record" "cert_validation" {
|
||||
for_each = {
|
||||
for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => dvo
|
||||
}
|
||||
allow_overwrite = true
|
||||
name = each.value.resource_record_name
|
||||
records = [each.value.resource_record_value]
|
||||
ttl = 60
|
||||
type = each.value.resource_record_type
|
||||
zone_id = data.aws_route53_zone.main.zone_id
|
||||
}
|
||||
|
||||
# Wait for Validation to complete
|
||||
resource "aws_acm_certificate_validation" "cert" {
|
||||
certificate_arn = aws_acm_certificate.cert.arn
|
||||
validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
|
||||
}
|
||||
|
||||
# Point Domain to ALB
|
||||
resource "aws_route53_record" "www" {
|
||||
zone_id = data.aws_route53_zone.main.zone_id
|
||||
name = local.domain_name
|
||||
type = "A"
|
||||
|
||||
alias {
|
||||
name = aws_lb.main.dns_name
|
||||
zone_id = aws_lb.main.zone_id
|
||||
evaluate_target_health = true
|
||||
}
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 6. LOAD BALANCER (ALB)
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
resource "aws_lb" "main" {
|
||||
name = "${local.app_name}-alb"
|
||||
internal = false
|
||||
load_balancer_type = "application"
|
||||
security_groups = [aws_security_group.alb_sg.id]
|
||||
subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
|
||||
}
|
||||
|
||||
resource "aws_lb_target_group" "hasura" {
|
||||
name = "${local.app_name}-tg"
|
||||
port = 8080
|
||||
protocol = "HTTP"
|
||||
vpc_id = aws_vpc.main.id
|
||||
target_type = "ip"
|
||||
|
||||
health_check {
|
||||
path = "/healthz"
|
||||
matcher = "200"
|
||||
interval = 60
|
||||
}
|
||||
}
|
||||
|
||||
# HTTP Listener (Redirect to HTTPS)
|
||||
resource "aws_lb_listener" "http" {
|
||||
load_balancer_arn = aws_lb.main.arn
|
||||
port = "80"
|
||||
protocol = "HTTP"
|
||||
|
||||
default_action {
|
||||
type = "redirect"
|
||||
redirect {
|
||||
port = "443"
|
||||
protocol = "HTTPS"
|
||||
status_code = "HTTP_301"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# HTTPS Listener
|
||||
resource "aws_lb_listener" "https" {
|
||||
load_balancer_arn = aws_lb.main.arn
|
||||
port = "443"
|
||||
protocol = "HTTPS"
|
||||
ssl_policy = "ELBSecurityPolicy-2016-08"
|
||||
certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
|
||||
|
||||
default_action {
|
||||
type = "forward"
|
||||
target_group_arn = aws_lb_target_group.hasura.arn
|
||||
}
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 7. ECS FARGATE (Compute)
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
# IAM Role for Task Execution (Needs permission to pull images + read secrets)
|
||||
resource "aws_iam_role" "ecs_execution_role" {
|
||||
name = "${local.app_name}-execution-role"
|
||||
|
||||
assume_role_policy = jsonencode({
|
||||
Version = "2012-10-17"
|
||||
Statement = [{
|
||||
Action = "sts:AssumeRole"
|
||||
Effect = "Allow"
|
||||
Principal = { Service = "ecs-tasks.amazonaws.com" }
|
||||
}]
|
||||
})
|
||||
}
|
||||
|
||||
# Attach basic ECS policy
|
||||
resource "aws_iam_role_policy_attachment" "ecs_execution_basic" {
|
||||
role = aws_iam_role.ecs_execution_role.name
|
||||
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
|
||||
}
|
||||
|
||||
# Attach Secrets Manager Read Policy
|
||||
resource "aws_iam_policy" "secrets_policy" {
|
||||
name = "${local.app_name}-secrets-policy"
|
||||
policy = jsonencode({
|
||||
Version = "2012-10-17"
|
||||
Statement = [{
|
||||
Effect = "Allow"
|
||||
Action = ["secretsmanager:GetSecretValue"]
|
||||
Resource = [aws_secretsmanager_secret.hasura_credentials.arn]
|
||||
}]
|
||||
})
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "ecs_secrets_attach" {
|
||||
role = aws_iam_role.ecs_execution_role.name
|
||||
policy_arn = aws_iam_policy.secrets_policy.arn
|
||||
}
|
||||
|
||||
# CloudWatch Logs Policy for log group creation
|
||||
resource "aws_iam_policy" "cloudwatch_logs_policy" {
|
||||
name = "${local.app_name}-cloudwatch-logs-policy"
|
||||
policy = jsonencode({
|
||||
Version = "2012-10-17"
|
||||
Statement = [{
|
||||
Effect = "Allow"
|
||||
Action = [
|
||||
"logs:CreateLogGroup",
|
||||
"logs:CreateLogStream",
|
||||
"logs:PutLogEvents"
|
||||
]
|
||||
Resource = "arn:aws:logs:${local.region}:*:log-group:/ecs/${local.app_name}*"
|
||||
}]
|
||||
})
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "ecs_logs_attach" {
|
||||
role = aws_iam_role.ecs_execution_role.name
|
||||
policy_arn = aws_iam_policy.cloudwatch_logs_policy.arn
|
||||
}
|
||||
|
||||
resource "aws_ecs_cluster" "main" {
|
||||
name = "${local.app_name}-cluster"
|
||||
}
|
||||
|
||||
resource "aws_ecs_task_definition" "hasura" {
|
||||
family = "${local.app_name}-task"
|
||||
network_mode = "awsvpc"
|
||||
requires_compatibilities = ["FARGATE"]
|
||||
cpu = 256 # 0.25 vCPU
|
||||
memory = 512 # 0.5 GB
|
||||
execution_role_arn = aws_iam_role.ecs_execution_role.arn
|
||||
|
||||
container_definitions = jsonencode([
|
||||
{
|
||||
name = "hasura"
|
||||
image = "hasura/graphql-engine:v2.48.10"
|
||||
essential = true
|
||||
portMappings = [{ containerPort = 8080 }]
|
||||
|
||||
# INJECT SECRETS HERE
|
||||
secrets = [
|
||||
{
|
||||
name = "HASURA_GRAPHQL_DATABASE_URL"
|
||||
valueFrom = "${aws_secretsmanager_secret.hasura_credentials.arn}:database_url::"
|
||||
},
|
||||
{
|
||||
name = "HASURA_GRAPHQL_ADMIN_SECRET"
|
||||
valueFrom = "${aws_secretsmanager_secret.hasura_credentials.arn}:admin_secret::"
|
||||
}
|
||||
]
|
||||
|
||||
environment = [
|
||||
{ name = "HASURA_GRAPHQL_ENABLE_CONSOLE", value = "true" }, # Set false for strict prod,
|
||||
]
|
||||
|
||||
logConfiguration = {
|
||||
logDriver = "awslogs"
|
||||
options = {
|
||||
"awslogs-group" = "/ecs/${local.app_name}"
|
||||
"awslogs-region" = local.region
|
||||
"awslogs-stream-prefix" = "ecs"
|
||||
"awslogs-create-group" = "true"
|
||||
}
|
||||
}
|
||||
}
|
||||
])
|
||||
}
|
||||
|
||||
resource "aws_ecs_service" "hasura" {
|
||||
name = "${local.app_name}-service"
|
||||
cluster = aws_ecs_cluster.main.id
|
||||
task_definition = aws_ecs_task_definition.hasura.arn
|
||||
desired_count = 1
|
||||
launch_type = "FARGATE"
|
||||
|
||||
network_configuration {
|
||||
subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
|
||||
security_groups = [aws_security_group.ecs_sg.id]
|
||||
assign_public_ip = true
|
||||
}
|
||||
|
||||
load_balancer {
|
||||
target_group_arn = aws_lb_target_group.hasura.arn
|
||||
container_name = "hasura"
|
||||
container_port = 8080
|
||||
}
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# 8. AUTO SCALING
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
resource "aws_appautoscaling_target" "ecs_target" {
|
||||
max_capacity = 3
|
||||
min_capacity = 1
|
||||
resource_id = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.hasura.name}"
|
||||
scalable_dimension = "ecs:service:DesiredCount"
|
||||
service_namespace = "ecs"
|
||||
}
|
||||
|
||||
resource "aws_appautoscaling_policy" "ecs_policy_cpu" {
|
||||
name = "scale-cpu"
|
||||
policy_type = "TargetTrackingScaling"
|
||||
resource_id = aws_appautoscaling_target.ecs_target.resource_id
|
||||
scalable_dimension = aws_appautoscaling_target.ecs_target.scalable_dimension
|
||||
service_namespace = aws_appautoscaling_target.ecs_target.service_namespace
|
||||
|
||||
target_tracking_scaling_policy_configuration {
|
||||
predefined_metric_specification {
|
||||
predefined_metric_type = "ECSServiceAverageCPUUtilization"
|
||||
}
|
||||
target_value = 70.0
|
||||
scale_in_cooldown = 60
|
||||
scale_out_cooldown = 60
|
||||
}
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# OUTPUTS
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
output "hasura_console_url" {
|
||||
value = "https://${local.domain_name}/console"
|
||||
}
|
||||
|
||||
output "db_public_endpoint" {
|
||||
value = aws_db_instance.default.endpoint
|
||||
}
|
||||
|
||||
output "secrets_arn" {
|
||||
value = aws_secretsmanager_secret.hasura_credentials.arn
|
||||
}
|
||||
Reference in New Issue
Block a user