.gitignore

@@ -1,4 +1,2 @@
 .*.sw?
 toclerbe
-data/
-.terraform

.tool-versions

@@ -1 +0,0 @@
-opentofu 1.8.0

Makefile

@@ -4,8 +4,6 @@ ECR_ACCOUNT_URL ?= 063932952339.dkr.ecr.us-west-2.amazonaws.com
 VERSION ?=`git describe`
 PORT ?= 8080
 
-TARGET_SERVER ?= sobeck.jdb-software.com
-
 default: serve-docker
 
 build: $(SOURCES)
@@ -35,16 +33,3 @@ serve-docker: build-image
 
 ecr-auth:
 	aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin $(ECR_ACCOUNT_URL)
-
-publish:
-	-mkdir deploy
-	m4 -D "TOCLERBE_VERSION=$(VERSION)" \
-		toclerbe.service \
-		> deploy/toclerbe.service
-	-ssh deployer@$(TARGET_SERVER) "docker stop toclerbe.service && sudo systemctl stop toclerbe"
-	ssh deployer@$(TARGET_SERVER) "aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $(ECR_ACCOUNT_URL) && docker pull $(ECR_ACCOUNT_URL)/toclerbe:$(VERSION)"
-	scp \
-		deploy/toclerbe.service \
-		deployer@$(TARGET_SERVER):/etc/systemd/system/toclerbe.service
-	ssh deployer@$(TARGET_SERVER) "sudo systemctl daemon-reload"
-	ssh deployer@$(TARGET_SERVER) "sudo systemctl start toclerbe"

operations/terraform/ecs.tf

@@ -0,0 +1,84 @@
+resource "aws_secretsmanager_secret" "toclerbe" {
+  name  = "${var.app_name}-config"
+}
+
+resource "aws_efs_mount_target" "ortis" {
+  file_system_id  = data.terraform_remote_state.jdbsoft.outputs.sobeck-efs.id
+  subnet_id       = data.terraform_remote_state.jdbsoft.outputs.aws_subnet_private2.id
+  security_groups = [ data.terraform_remote_state.jdbsoft.outputs.aws_security_group_private_traffic.id ]
+}
+
+
+resource "aws_ecs_task_definition" "toclerbe" {
+  family                    = var.app_name
+  network_mode              = "bridge"
+  requires_compatibilities  = ["EC2"]
+  execution_role_arn        = aws_iam_role.ecs_task.arn
+
+  # See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html
+  container_definitions = jsonencode([
+    {
+      name              = var.app_name
+      image             = "${aws_ecr_repository.toclerbe.repository_url}:${data.external.git_describe.result.version}"
+      cpu               = 128
+      memory            = 128
+      memoryReservation = 32
+      environment       = [
+        {
+          name  = "TOCLERBE_PORT"
+          value = "80"
+        }
+      ]
+      mountPoints       = [
+        {
+          containerPath = "/data"
+          sourceVolume  = "efs-toclerbe-data"
+        }
+      ]
+      portMappings      = [
+        {
+          protocol      = "tcp"
+          containerPort = 80
+        }
+      ]
+      secrets           = [
+        {
+          name        = "API_KEYS"
+          description = "API keys allowed to configure the service.."
+          valueFrom   = "${aws_secretsmanager_secret.toclerbe.arn}:apiKeys::"
+        }
+      ]
+    }
+  ])
+
+  volume {
+    name = "efs-toclerbe-data"
+
+    efs_volume_configuration {
+      file_system_id = data.terraform_remote_state.jdbsoft.outputs.sobeck-efs.id
+      root_directory = "/toclerbe/data"
+    }
+  }
+
+  tags = {
+    Name        = var.app_domain
+  }
+}
+
+resource "aws_ecs_service" "toclerbe" {
+  name            = var.app_name
+  cluster         = data.terraform_remote_state.jdbsoft.outputs.aws_ecs_cluster_ortis.id
+  task_definition = aws_ecs_task_definition.toclerbe.arn
+  desired_count   = 1
+  launch_type     = "EC2"
+
+  load_balancer {
+    target_group_arn  = aws_lb_target_group.toclerbe.arn
+    container_name    = var.app_name
+    container_port    = 80
+  }
+
+  tags = {
+    Name        = var.app_domain
+  }
+}

operations/terraform/iam.tf

@@ -0,0 +1,68 @@
+resource "aws_iam_role" "ecs_task" {
+  name  = "${var.app_name}-EcsTaskRole"
+
+  assume_role_policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Action    = "sts:AssumeRole"
+        Effect    = "Allow"
+        Sid       = ""
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name    = "AllowSecretsAccessFor${var.app_name}Tasks"
+    policy  = jsonencode({
+      Version   = "2012-10-17"
+      Statement = [
+        {
+          Effect    = "Allow"
+          Action    = [
+            "secretsmanager:GetSecretValue",
+            "kms:Decrypt"
+          ]
+          Resource  = [
+            aws_secretsmanager_secret.toclerbe.arn
+          ]
+        }
+      ]
+    })
+  }
+
+  inline_policy {
+    name    = "AllowAccessToEcrFor${var.app_name}Tasks"
+    policy  = jsonencode({
+      Version   = "2012-10-17"
+      Statement = [
+        {
+          Effect    = "Allow"
+          Action    = [
+            "ecr:GetAuthorizationToken"
+          ]
+          Resource  = [ "*" ]
+        },
+        {
+          Effect    = "Allow"
+          Action    = [
+            "ecr:BatchGetImage",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:DescribeImages",
+            "ecr:GetDownloadUrlForLayer"
+          ]
+          Resource  = [
+            aws_ecr_repository.toclerbe.arn
+          ]
+        }
+      ]
+    })
+  }
+
+  tags = {
+    Name        = "${var.app_name}-EcsTaskRole"
+  }
+}

operations/terraform/load-balancer.tf

@@ -42,11 +42,5 @@ resource "aws_lb_listener_rule" "toclerbe" {
 
 resource "aws_lb_listener_certificate" "toclerbe" {
   listener_arn    = data.terraform_remote_state.jdbsoft.outputs.aws_lb_listener_https.arn
-  certificate_arn = aws_acm_certificate.clerbe.arn
+  certificate_arn = data.terraform_remote_state.jdbsoft.outputs.aws_acm_certificate_clerbe_arn
-}
-
-resource "aws_lb_target_group_attachment" "toclerbe" {
-  target_group_arn  = aws_lb_target_group.toclerbe.arn
-  target_id         = data.terraform_remote_state.jdbsoft.outputs.sobeck-instance-id
-  port              = 6001
 }

prod.env

@@ -1,2 +0,0 @@
-TOCLERBE_PORT=80
-TOCLERBE_API_KEYS=CHANGEME

server-setup.sh

@@ -1,16 +0,0 @@
-# From dev machine
-cd ~/projects/to.cler.be
-scp prod.env sobeck.jdb-software.com:~/temp/to.cler.be.prod.env
-scp to.cler.be.service sobeck.jdb-software.com:~/temp/to.cler.be.service
-
-# SSH into sobeck
-sudo mkdir /etc/to.cler.be
-sudo mv temp/to.cler.be.prod.env /etc/to.cler.be/prod.env
-sudo mv temp/toclerbe.service /etc/systemd/system/toclerbe.service
-sudo chown root:root /etc/to.cler.be/*
-
-sudo vim /etc/to.cler.be/prod.env # add value for API keys, etc.
-
-sudo systemctl daemon-reload
-sudo systemctl enable toclerbe
-sudo systemctl start toclerbe

toclerbe.service

@@ -1,18 +0,0 @@
-[Unit]
-Description=to.cler.be URL shortener
-After=network-online.target
-Requires=docker.service
-
-[Service]
-TimeoutStartSec=0
-Restart=always
-ExecStartPre=-/usr/bin/docker exec %n stop
-ExecStartPre=-/usr/bin/docker rm %n
-ExecStart=/usr/bin/docker run --rm -p 6001:80 --name %n \
-  --env-file /etc/to.cler.be/prod.env \
-  -v /efs/toclerbe/data:/data \
-  063932952339.dkr.ecr.us-west-2.amazonaws.com/to.cler.be:TOCLERBE_VERSION
-ExecStop=/usr/bin/docker stop --name %n
-
-[Install]
-WantedBy=default.target