How to create 1 ALB external and 2 EC2 ECS-NGINX with Terraform

Vasile.Minica · January 21, 2021, 5:08pm

First let’s set up our provider:

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/provider.tf

provider "aws" {
  profile = "default"
  region  = "${var.aws_region}"
}

We creates a new VPC:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/vpc.tf

### Network
 
# Internet VPC
 
resource "aws_vpc" "sys-vpc" {
  cidr_block           = "172.21.0.0/16"
  instance_tenancy     = "default"
  enable_dns_support   = "true"
  enable_dns_hostnames = "true"
  enable_classiclink   = "false"
 
  tags = {
    Name = "sys-vpc"
  }
}
 
# Subnets
resource "aws_subnet" "sys-public-1" {
  vpc_id                  = "${aws_vpc.sys-vpc.id}"
  cidr_block              = "172.21.10.0/24"

This file has been truncated. show original

We have the configuration for the Application Load Balancer:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/alb.tf

## ALB
resource "aws_alb" "sys-eu-alb" {
  name            = "sys-web-eu-alb"
  subnets         = ["${aws_subnet.sys-public-1.id}", "${aws_subnet.sys-public-2.id}", "${aws_subnet.sys-public-3.id}"]
  security_groups = ["${aws_security_group.lb_sg.id}"]
  enable_http2    = "true"
  idle_timeout    = 600
}
 
output "alb_output" {
  value = "${aws_alb.sys-eu-alb.dns_name}"
}
 
resource "aws_alb_listener" "front_end" {
  load_balancer_arn = "${aws_alb.sys-eu-alb.id}"
  port              = "80"
  protocol          = "HTTP"
 
  default_action {
    target_group_arn = "${aws_alb_target_group.nginx.id}"

This file has been truncated. show original

We set the AMI that will update and launch configuration of the cluster:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/data.tf

# Get the latest ECS AMI
data "aws_ami" "sys-ecs-ami" {
  most_recent = true
 
  filter {
    name   = "name"
    values = ["*amazon-ecs-optimized"]
  }
 
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
 
  owners = ["222222222"] # AWS Architect account owner will be your account
}
 
# User data for ECS cluster
data "template_file" "ecs-cluster" {
  template = "${file("ecs-cluster.tpl")}"

This file has been truncated. show original

Adding the configuration for our ECS cluster:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/ecs-cluster.tf

# ECS cluster
resource "aws_ecs_cluster" "sys-web" {
  name = "sys-web"
}
#Compute
resource "aws_autoscaling_group" "sys-web-cluster" {
  name                      = "sys-web-cluster"
  vpc_zone_identifier       = ["${aws_subnet.sys-public-1.id}", "${aws_subnet.sys-public-2.id}", "${aws_subnet.sys-public-3.id}"]
  min_size                  = "2"
  max_size                  = "10"
  desired_capacity          = "2"
  launch_configuration      = "${aws_launch_configuration.sys-web-cluster-lc.name}"
  health_check_grace_period = 120
  default_cooldown          = 30
  termination_policies      = ["OldestInstance"]
 
  tag {
    key                 = "Name"
    value               = "ECS-sys-web"
    propagate_at_launch = true

This file has been truncated. show original

And the tpl file:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/ecs-cluster.tpl

#!/bin/bash
echo ECS_CLUSTER=${ecs_cluster} >> /etc/ecs/ecs.config

Adding our ECS service and task and Cloud Watch configurations:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/ecs-nginx.tf

# NGINX Service
resource "aws_ecs_service" "nginx" {
  name            = "nginx"
  cluster         = "${aws_ecs_cluster.sys-web.id}"
  task_definition = "${aws_ecs_task_definition.nginx.arn}"
  desired_count   = 4
  iam_role        = "${aws_iam_role.ecs-service-role.arn}"
  depends_on      = ["aws_iam_role_policy_attachment.ecs-service-attach"]
 
  load_balancer {
    target_group_arn = "${aws_alb_target_group.nginx.id}"
    container_name   = "nginx"
    container_port   = "80"
  }
 
  lifecycle {
    ignore_changes = ["task_definition"]
  }
}

This file has been truncated. show original

Adding the IAM roles for the EC2 instances so they can communicate with the ECS service:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/iam.tf

# ecs ec2 role
resource "aws_iam_role" "ecs-ec2-role" {
  name = "ecs-ec2-role-test"
 
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

This file has been truncated. show original

We can see that the load balancer is open to the world on tcp/80 and tcp/443 and the ECS EC2 instances have ports 32768 to 65535 open from the load balancer. This is because when we select the container port to 0 in the task definition AWS will randomly assign a port from this range to the container:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/security.tf

resource "aws_security_group" "lb_sg" {
  description = "controls access to the application ELB"
 
  vpc_id = "${aws_vpc.sys-vpc.id}"
  name   = "sys-web-ELB"
 
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }
 
  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

This file has been truncated. show original

We have our variables file:

github.com

vmbs/Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform/blob/main/vars.tf

variable "aws_region" {
  description = "The AWS region to create things in."
  default     = "eu-central-1"
}
 
variable "instance_type" {
  default     = "t2.micro"
  description = "AWS instance type"
}

Also you can go to my personal GIT on Vasile Minica / Creating-1-ALB-external-and-2-EC2-ECS-NGINX-with-Terraform · GitLab