authorPaul Buetow <paul@buetow.org>2023-12-27 09:59:52 +0200
committerPaul Buetow <paul@buetow.org>2023-12-27 09:59:52 +0200
commit481a752f2a9a2e2ca220eaa00ce22faeb588d2c9 (patch)
tree831516356dc31958ecda2afe3f2c222f0442366c
parent688925b3e6619ce89e026df69b622318c9569e36 (diff)
add buetow.private dns zone. initial postgres.
-rw-r--r--org-buetow-base/data.tf4
-rw-r--r--org-buetow-base/outputs.tf4
-rw-r--r--org-buetow-base/zones.tf12
-rw-r--r--org-buetow-ecs/fluxpostgreservice.tf171
4 files changed, 187 insertions, 4 deletions
diff --git a/org-buetow-base/data.tf b/org-buetow-base/data.tf
deleted file mode 100644
index b86bfe3..0000000
--- a/org-buetow-base/data.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-data "aws_route53_zone" "buetow_cloud" {
- name = "buetow.cloud."
- private_zone = false
-}
diff --git a/org-buetow-base/outputs.tf b/org-buetow-base/outputs.tf
index 21a1821..48d5d08 100644
--- a/org-buetow-base/outputs.tf
+++ b/org-buetow-base/outputs.tf
@@ -34,6 +34,10 @@ output "buetow_cloud_zone_id" {
value = data.aws_route53_zone.buetow_cloud.zone_id
}
+output "buetow_private_zone_id" {
+ value = aws_route53_zone.buetow_private.zone_id
+}
+
output "buetow_cloud_certificate_arn" {
value = "arn:aws:acm:eu-central-1:634617747016:certificate/fbf5627c-9a4c-4c62-9c33-038e140f3f12"
}
diff --git a/org-buetow-base/zones.tf b/org-buetow-base/zones.tf
new file mode 100644
index 0000000..ce8f064
--- /dev/null
+++ b/org-buetow-base/zones.tf
@@ -0,0 +1,12 @@
+data "aws_route53_zone" "buetow_cloud" {
+ name = "buetow.cloud."
+ private_zone = false
+}
+
+resource "aws_route53_zone" "buetow_private" {
+ name = "buetow.private"
+
+ vpc {
+ vpc_id = aws_vpc.vpc.id
+ }
+}
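Review bot: Names in `aws_route53_zone.buetow_private` only resolve from inside the VPC if `aws_vpc.vpc` (defined outside this commit) has `enable_dns_support` and `enable_dns_hostnames` set to true; neither attribute is visible here, so it is worth confirming before anything depends on the zone. As a style point, `name = "buetow.private"` omits the trailing dot that the `buetow_cloud` data source a few lines above uses; Route 53 normalizes both forms, but one convention per file reads better.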
diff --git a/org-buetow-ecs/fluxpostgreservice.tf b/org-buetow-ecs/fluxpostgreservice.tf
new file mode 100644
index 0000000..6aeb81f
--- /dev/null
+++ b/org-buetow-ecs/fluxpostgreservice.tf
@@ -0,0 +1,171 @@
+resource "aws_lb" "fluxpostgres_nlb" {
+ name = "fluxpostgres-nlb"
+ internal = true
+ load_balancer_type = "network"
+ ip_address_type = "dualstack"
+ security_groups = [
+ aws_security_group.fluxpostgres.id,
+ ]
+ subnets = [
+ data.terraform_remote_state.base.outputs.public_subnet_a_id,
+ data.terraform_remote_state.base.outputs.public_subnet_b_id,
+ data.terraform_remote_state.base.outputs.public_subnet_c_id,
+ ]
+}
+
+resource "aws_lb_listener" "fluxpostgres_tcp" {
+ load_balancer_arn = aws_lb.fluxpostgres_nlb.arn
+ protocol = "TCP"
+ port = 5432
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.fluxpostgres_tcp.arn
+ }
+}
+
+resource "aws_lb_target_group" "fluxpostgres_tcp" {
+ name = "fluxpostgres-tcp"
+ port = 5432
+ protocol = "TCP"
+ vpc_id = data.terraform_remote_state.base.outputs.vpc_id
+ target_type = "ip"
+}
+
+resource "aws_route53_record" "a_record_fluxpostgres" {
+ zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
+ name = "fluxpostgres.buetow.cloud." # TODO, internal DNS?
+ type = "A"
+
+ alias {
+ name = data.terraform_remote_state.elb.outputs.alb_dns_name
+ zone_id = data.terraform_remote_state.elb.outputs.alb_zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_route53_record" "aaaa_record_fluxpostgres" {
+ zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
+ name = "fluxpostgres.buetow.cloud." # TODO, internal DNS?
+ type = "AAAA"
+
+ alias {
+ name = data.terraform_remote_state.elb.outputs.alb_dns_name
+ zone_id = data.terraform_remote_state.elb.outputs.alb_zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_ecs_task_definition" "fluxpostgres" {
+ family = "fluxpostgres"
+ network_mode = "awsvpc"
+ requires_compatibilities = ["FARGATE"]
+ cpu = "256"
+ memory = "512"
+ execution_role_arn = aws_iam_role.ecs_execution_role.arn
+
+ volume {
+ name = "fluxpostgres-efs-volume"
+ efs_volume_configuration {
+ file_system_id = data.terraform_remote_state.base.outputs.self_hosted_services_efs_id
+ root_directory = "/ecs/fluxpostgres/"
+ }
+ }
+
+ container_definitions = jsonencode([{
+ name = "fluxpostgres",
+ image = "postgres:15",
+ portMappings = [
+ {
+ containerPort = 5432,
+ hostPort = 5432,
+ protocol = "tcp"
+ }
+ ],
+ environment = [
+ {
+ name = "POSTGRES_USER",
+ value = "miniflux"
+ },
+ {
+ name = "POSTGRES_PASSWORD",
+ value = "ONLYFORTESTING"
+ }
+ ],
+ mountPoints = [
+ {
+ sourceVolume = "fluxpostgres-efs-volume"
+ containerPath = "/var/lib/postgres/data"
+ readOnly = false
+ }
+ ],
+ #"logConfiguration" : {
+ # "logDriver" : "awslogs",
+ # "options" : {
+ # "awslogs-group" : "/ecs/containers",
+ # "awslogs-region" : "eu-central-1",
+ # "awslogs-stream-prefix" : "fluxpostgres"
+ # }
+ #}
+ }])
+}
+
+resource "aws_security_group" "fluxpostgres" {
+ name = "allow-fluxpostgres"
+ description = "Allow traffic on fluxpostgres ports"
+ vpc_id = data.terraform_remote_state.base.outputs.vpc_id
+
+ ingress {
+ description = "Allow inbound TCP traffic on fluxpostgresQL port"
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ ingress {
+ description = "Allow inbound UDP traffic on fluxpostgresQL port"
+ from_port = 5432
+ to_port = 5432
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ # TODO: Required?
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1" # Allows all outbound traffic
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ tags = {
+ Name = "allow-fluxpostgres"
+ }
+}
+resource "aws_ecs_service" "fluxpostgres" {
+ name = "fluxpostgres"
+ cluster = aws_ecs_cluster.ecs_cluster.id
+ task_definition = aws_ecs_task_definition.fluxpostgres.arn
+ launch_type = "FARGATE"
+ desired_count = 1
+
+ load_balancer {
+ target_group_arn = aws_lb_target_group.fluxpostgres_tcp.arn
+ container_name = "fluxpostgres"
+ container_port = 5432
+ }
+
+ network_configuration {
+ subnets = [
+ data.terraform_remote_state.base.outputs.public_subnet_a_id,
+ data.terraform_remote_state.base.outputs.public_subnet_b_id,
+ data.terraform_remote_state.base.outputs.public_subnet_c_id,
+ ]
+ security_groups = [aws_security_group.fluxpostgres.id]
+ assign_public_ip = false
+ }
+}
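Review bot: The literal `POSTGRES_PASSWORD` value `"ONLYFORTESTING"` in `container_definitions` is committed to the repository and stored in the task definition, where anyone with `ecs:DescribeTaskDefinition` can read it; move it to the container's `secrets` list, e.g. `secrets = [{ name = "POSTGRES_PASSWORD", valueFrom = "<ssm-parameter-or-secretsmanager-arn placeholder>" }]`, and grant `aws_iam_role.ecs_execution_role` read access to that parameter. The `aws_security_group.fluxpostgres` ingress rules open port 5432 to `0.0.0.0/0` and `::/0` on both TCP and UDP although the NLB is `internal = true`; PostgreSQL does not use UDP, so that rule can be dropped, and the TCP rule should be scoped to the VPC CIDR or the security group of the service that connects (likely the miniflux task, judging by `POSTGRES_USER`). The Route 53 aliases point at the remote-state ALB outputs rather than the NLB created here (`name = aws_lb.fluxpostgres_nlb.dns_name`, `zone_id = aws_lb.fluxpostgres_nlb.zone_id`), and they publish an internal endpoint in the public buetow.cloud zone while the `buetow_private_zone_id` output added in this same commit goes unused despite the two `# TODO, internal DNS?` comments. The EFS mount's `containerPath = "/var/lib/postgres/data"` does not match the postgres image's default PGDATA of `/var/lib/postgresql/data`, so unless PGDATA is set the database lands on ephemeral task storage and is lost on every task replacement; the commented-out `logConfiguration` additionally leaves no log stream for auditing connection and authentication failures.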