# IPv4 DNS entry for the Vaultwarden UI. An alias record is used instead of a
# plain A record so the name follows the shared ALB's addresses automatically.
resource "aws_route53_record" "a_record_vault" {
  name    = "vault.buetow.cloud."
  type    = "A"
  zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id

  alias {
    # Withhold this record from DNS answers while the ALB target is unhealthy.
    evaluate_target_health = true
    name                   = data.terraform_remote_state.elb.outputs.alb_dns_name
    zone_id                = data.terraform_remote_state.elb.outputs.alb_zone_id
  }
}
# IPv6 counterpart of the A record above: same hosted zone, same ALB alias
# target, so dual-stack clients reach the same listener.
resource "aws_route53_record" "aaaa_record_vault" {
  name    = "vault.buetow.cloud."
  type    = "AAAA"
  zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id

  alias {
    # Withhold this record from DNS answers while the ALB target is unhealthy.
    evaluate_target_health = true
    name                   = data.terraform_remote_state.elb.outputs.alb_dns_name
    zone_id                = data.terraform_remote_state.elb.outputs.alb_zone_id
  }
}
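# Fargate task for the Vaultwarden (Bitwarden-compatible) server. Persistent
# state is kept on the shared EFS file system under /ecs/vault/data and mounted
# into the container at /data; the container listens on plain HTTP port 80 and
# is only meant to be reached through the HTTPS listener on the shared ALB.
resource "aws_ecs_task_definition" "vault" {
  family                   = "vault"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"
  # Role the ECS agent uses to pull the image and ship logs. No task_role_arn is
  # set, so the application container itself gets no task-level AWS credentials.
  execution_role_arn = aws_iam_role.ecs_execution_role.arn

  volume {
    name = "vault-data-efs-volume"
    efs_volume_configuration {
      file_system_id = data.terraform_remote_state.base.outputs.self_hosted_services_efs_id
      root_directory = "/ecs/vault/data"
      # The provider default is DISABLED, which sends the vault's data store
      # across the VPC in the clear between the task and EFS. Encrypt it.
      transit_encryption = "ENABLED"
    }
  }

  container_definitions = jsonencode([{
    name = "vault"
    # SECURITY(review): "latest" is a mutable tag, so every task start may pull a
    # different, unreviewed image (supply-chain risk, no reproducible rollback).
    # Pin to a release tag plus its @sha256 digest and bump it deliberately.
    image = "vaultwarden/server:latest"
    # NOTE(review): no environment is passed. Vaultwarden's own defaults apply
    # (e.g. open self-registration, no DOMAIN set) - confirm these are intended
    # for an internet-facing deployment before relying on them.
    portMappings = [{
      containerPort = 80
      hostPort      = 80 # awsvpc mode requires hostPort == containerPort
    }]
    mountPoints = [{
      sourceVolume  = "vault-data-efs-volume"
      containerPath = "/data"
      readOnly      = false # the data store under /data is written at runtime
    }]
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = "/ecs/containers"
        "awslogs-region"        = "eu-central-1"
        "awslogs-stream-prefix" = "vault"
      }
    }
  }])
}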
# Runs exactly one copy of the Vaultwarden task on the shared Fargate cluster
# and registers it with the vault target group so the ALB can route to it.
resource "aws_ecs_service" "vault" {
  name            = "vault"
  cluster         = aws_ecs_cluster.ecs_cluster.id
  task_definition = aws_ecs_task_definition.vault.arn
  launch_type     = "FARGATE"
  # Single task: the EFS-backed data store is not designed for concurrent writers.
  desired_count = 1

  load_balancer {
    target_group_arn = aws_lb_target_group.vault_tg.arn
    container_name   = "vault" # Must match the name in your container definition
    container_port   = 80      # The port your container is listening on
  }

  network_configuration {
    # NOTE(review): the task is placed in public subnets with a public IP and the
    # shared "allow_web" security group. If that group admits 0.0.0.0/0 on port 80,
    # the container is reachable directly over plain HTTP, bypassing the ALB's
    # TLS termination and host-based routing. Prefer private subnets (egress via
    # NAT for the image pull) or a security group that only allows the ALB's
    # security group as source - confirm against the base stack.
    subnets = [
      data.terraform_remote_state.base.outputs.public_subnet_a_id,
      data.terraform_remote_state.base.outputs.public_subnet_b_id,
      data.terraform_remote_state.base.outputs.public_subnet_c_id,
    ]
    security_groups  = [data.terraform_remote_state.base.outputs.allow_web_sg_id]
    assign_public_ip = true
  }
}
# IP-type target group for the Vaultwarden task. Traffic from the ALB to the
# task is plain HTTP on port 80; TLS is terminated at the ALB listener.
resource "aws_lb_target_group" "vault_tg" {
  name        = "vault-tg"
  vpc_id      = data.terraform_remote_state.base.outputs.vpc_id
  target_type = "ip" # awsvpc/Fargate tasks register by ENI address, not instance
  protocol    = "HTTP"
  port        = 80

  # A target is marked healthy after two 2xx responses from "/" and unhealthy
  # after two misses, probed every 30s with a 3s timeout.
  health_check {
    enabled             = true
    protocol            = "HTTP"
    path                = "/"
    matcher             = "200-299"
    interval            = 30
    timeout             = 3
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}
# Host-based routing on the shared HTTPS listener: requests for
# vault.buetow.cloud are forwarded to the Vaultwarden target group. Only the
# HTTPS listener is wired up here, so the vault is not served over plain HTTP
# by the ALB.
resource "aws_lb_listener_rule" "vault_https_listener_rule" {
  listener_arn = data.terraform_remote_state.elb.outputs.alb_https_listener_arn
  priority     = 103 # must be unique among rules on the shared listener

  condition {
    host_header {
      values = ["vault.buetow.cloud"]
    }
  }

  action {
    target_group_arn = aws_lb_target_group.vault_tg.arn
    type             = "forward"
  }
}