b3293527b8
Some checks failed
Cross-Node Transaction Testing / transaction-test (push) Has been cancelled
Deploy to Testnet / deploy-testnet (push) Has been cancelled
Multi-Node Stress Testing / stress-test (push) Has been cancelled
Node Failover Simulation / failover-test (push) Has been cancelled
- Create main.tf with VPC, security groups, ECS, ALB, RDS, Redis, S3 - Add provider.tf with AWS provider configuration - Create variables.tf for infrastructure configuration - Add outputs.tf for infrastructure outputs - Implement ecs.tf with ECS task definitions and services - Add ecs_variables.tf for ECS-specific variables - Create comprehensive README.md with usage instructions - Implement state management with S3 backend and DynamoDB locking - Add security best practices (private subnets, encryption, secrets manager)
357 lines
8.3 KiB
HCL
357 lines
8.3 KiB
HCL
# Terraform main configuration for AITBC infrastructure
|
|
# This file defines the infrastructure resources for AITBC deployment
|
|
|
|
terraform {
|
|
required_version = ">= 1.0"
|
|
|
|
required_providers {
|
|
aws = {
|
|
source = "hashicorp/aws"
|
|
version = "~> 5.0"
|
|
}
|
|
random = {
|
|
source = "hashicorp/random"
|
|
version = "~> 3.0"
|
|
}
|
|
}
|
|
|
|
backend "s3" {
|
|
bucket = "aitbc-terraform-state"
|
|
key = "aitbc/terraform.tfstate"
|
|
region = "us-east-1"
|
|
encrypt = true
|
|
dynamodb_table = "aitbc-terraform-locks"
|
|
}
|
|
}
|
|
|
|
provider "aws" {
|
|
region = var.aws_region
|
|
|
|
default_tags {
|
|
tags = {
|
|
Project = "AITBC"
|
|
Environment = var.environment
|
|
ManagedBy = "Terraform"
|
|
}
|
|
}
|
|
}
|
|
|
|
# Random resources for unique naming
|
|
resource "random_pet" "this" {
|
|
length = 2
|
|
}
|
|
|
|
# VPC
|
|
module "vpc" {
|
|
source = "terraform-aws-modules/vpc/aws"
|
|
version = "~> 5.0"
|
|
|
|
name = "${var.project_name}-${var.environment}-vpc"
|
|
cidr = var.vpc_cidr
|
|
|
|
azs = var.availability_zones
|
|
private_subnets = var.private_subnet_cidrs
|
|
public_subnets = var.public_subnet_cidrs
|
|
|
|
enable_nat_gateway = true
|
|
single_nat_gateway = true
|
|
one_nat_gateway_per_az = false
|
|
|
|
enable_vpn_gateway = false
|
|
enable_dns_hostnames = true
|
|
enable_dns_support = true
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-vpc"
|
|
}
|
|
}
|
|
|
|
# Security groups
|
|
resource "aws_security_group" "blockchain_rpc" {
|
|
name = "${var.project_name}-${var.environment}-blockchain-rpc"
|
|
description = "Security group for blockchain RPC service"
|
|
vpc_id = module.vpc.vpc_id
|
|
|
|
ingress {
|
|
from_port = 8006
|
|
to_port = 8006
|
|
protocol = "tcp"
|
|
cidr_blocks = var.allowed_cidr_blocks
|
|
}
|
|
|
|
egress {
|
|
from_port = 0
|
|
to_port = 0
|
|
protocol = "-1"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-blockchain-rpc"
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "api_gateway" {
|
|
name = "${var.project_name}-${var.environment}-api-gateway"
|
|
description = "Security group for API gateway"
|
|
vpc_id = module.vpc.vpc_id
|
|
|
|
ingress {
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
ingress {
|
|
from_port = 443
|
|
to_port = 443
|
|
protocol = "tcp"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
egress {
|
|
from_port = 0
|
|
to_port = 0
|
|
protocol = "-1"
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-api-gateway"
|
|
}
|
|
}
|
|
|
|
# ECS Cluster
|
|
resource "aws_ecs_cluster" "this" {
|
|
name = "${var.project_name}-${var.environment}-cluster"
|
|
|
|
setting {
|
|
name = "containerInsights"
|
|
value = "enabled"
|
|
}
|
|
}
|
|
|
|
# Application Load Balancer
|
|
resource "aws_lb" "this" {
|
|
name = "${var.project_name}-${var.environment}-alb"
|
|
internal = false
|
|
load_balancer_type = "application"
|
|
security_groups = [aws_security_group.api_gateway.id]
|
|
subnets = module.vpc.public_subnets
|
|
|
|
enable_deletion_protection = false
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-alb"
|
|
}
|
|
}
|
|
|
|
resource "aws_lb_target_group" "api" {
|
|
name = "${var.project_name}-${var.environment}-api-tg"
|
|
port = 8000
|
|
protocol = "HTTP"
|
|
vpc_id = module.vpc.vpc_id
|
|
target_type = "ip"
|
|
|
|
health_check {
|
|
enabled = true
|
|
healthy_threshold = 2
|
|
interval = 30
|
|
matcher = "200"
|
|
path = "/health"
|
|
port = "traffic-port"
|
|
protocol = "HTTP"
|
|
timeout = 5
|
|
unhealthy_threshold = 3
|
|
}
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-api-tg"
|
|
}
|
|
}
|
|
|
|
resource "aws_lb_listener" "http" {
|
|
load_balancer_arn = aws_lb.this.arn
|
|
port = 80
|
|
protocol = "HTTP"
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
port = "443"
|
|
protocol = "HTTPS"
|
|
status_code = "HTTP_301"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_lb_listener" "https" {
|
|
load_balancer_arn = aws_lb.this.arn
|
|
port = 443
|
|
protocol = "HTTPS"
|
|
certificate_arn = var.acm_certificate_arn
|
|
|
|
default_action {
|
|
type = "forward"
|
|
target_group_arn = aws_lb_target_group.api.arn
|
|
}
|
|
}
|
|
|
|
# RDS PostgreSQL
|
|
resource "aws_db_subnet_group" "this" {
|
|
name = "${var.project_name}-${var.environment}-db-subnet-group"
|
|
subnet_ids = module.vpc.private_subnets
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-db-subnet-group"
|
|
}
|
|
}
|
|
|
|
resource "aws_db_instance" "this" {
|
|
identifier = "${var.project_name}-${var.environment}-db"
|
|
|
|
engine = "postgres"
|
|
engine_version = "15.4"
|
|
instance_class = var.db_instance_class
|
|
|
|
allocated_storage = var.db_allocated_storage
|
|
max_allocated_storage = var.db_max_allocated_storage
|
|
storage_type = "gp3"
|
|
storage_encrypted = true
|
|
|
|
db_name = var.db_name
|
|
username = var.db_username
|
|
password = var.db_password
|
|
|
|
db_subnet_group_name = aws_db_subnet_group.this.name
|
|
vpc_security_group_ids = [aws_security_group.blockchain_rpc.id]
|
|
|
|
multi_az = var.db_multi_az
|
|
backup_retention_period = var.db_backup_retention_period
|
|
backup_window = var.db_backup_window
|
|
maintenance_window = var.db_maintenance_window
|
|
|
|
performance_insights_enabled = true
|
|
|
|
skip_final_snapshot = false
|
|
final_snapshot_identifier = "${var.project_name}-${var.environment}-db-final-snapshot"
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-db"
|
|
}
|
|
}
|
|
|
|
# ElastiCache Redis
|
|
resource "aws_elasticache_subnet_group" "this" {
|
|
name = "${var.project_name}-${var.environment}-redis-subnet-group"
|
|
subnet_ids = module.vpc.private_subnets
|
|
}
|
|
|
|
resource "aws_elasticache_replication_group" "this" {
|
|
replication_group_id = "${var.project_name}-${var.environment}-redis"
|
|
replication_group_description = "${var.project_name} Redis cluster for ${var.environment}"
|
|
|
|
node_type = var.redis_node_type
|
|
num_cache_clusters = var.redis_num_nodes
|
|
port = 6379
|
|
|
|
engine = "redis"
|
|
engine_version = "7.0"
|
|
parameter_group_name = "default.redis7"
|
|
|
|
subnet_group_name = aws_elasticache_subnet_group.this.name
|
|
security_group_ids = [aws_security_group.blockchain_rpc.id]
|
|
|
|
automatic_failover_enabled = true
|
|
multi_az_enabled = true
|
|
|
|
snapshot_retention_limit = var.redis_snapshot_retention_limit
|
|
snapshot_window = var.redis_snapshot_window
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-redis"
|
|
}
|
|
}
|
|
|
|
# CloudWatch Log Groups
|
|
resource "aws_cloudwatch_log_group" "api" {
|
|
name = "/aws/ecs/${var.project_name}-${var.environment}/api"
|
|
retention_in_days = var.log_retention_days
|
|
}
|
|
|
|
resource "aws_cloudwatch_log_group" "blockchain" {
|
|
name = "/aws/ecs/${var.project_name}-${var.environment}/blockchain"
|
|
retention_in_days = var.log_retention_days
|
|
}
|
|
|
|
# S3 Bucket for data storage
|
|
resource "aws_s3_bucket" "data" {
|
|
bucket = "${var.project_name}-${var.environment}-data-${random_pet.this.id}"
|
|
|
|
tags = {
|
|
Name = "${var.project_name}-${var.environment}-data"
|
|
}
|
|
}
|
|
|
|
resource "aws_s3_bucket_versioning" "data" {
|
|
bucket = aws_s3_bucket.data.id
|
|
|
|
versioning_configuration {
|
|
status = "Enabled"
|
|
}
|
|
}
|
|
|
|
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
|
|
bucket = aws_s3_bucket.data.id
|
|
|
|
rule {
|
|
apply_server_side_encryption_by_default {
|
|
sse_algorithm = "AES256"
|
|
}
|
|
}
|
|
}
|
|
|
|
# Outputs
|
|
output "vpc_id" {
|
|
description = "VPC ID"
|
|
value = module.vpc.vpc_id
|
|
}
|
|
|
|
output "private_subnet_ids" {
|
|
description = "Private subnet IDs"
|
|
value = module.vpc.private_subnets
|
|
}
|
|
|
|
output "public_subnet_ids" {
|
|
description = "Public subnet IDs"
|
|
value = module.vpc.public_subnets
|
|
}
|
|
|
|
output "ecs_cluster_id" {
|
|
description = "ECS Cluster ID"
|
|
value = aws_ecs_cluster.this.id
|
|
}
|
|
|
|
output "alb_dns_name" {
|
|
description = "ALB DNS name"
|
|
value = aws_lb.this.dns_name
|
|
}
|
|
|
|
output "db_endpoint" {
|
|
description = "RDS endpoint"
|
|
value = aws_db_instance.this.endpoint
|
|
sensitive = true
|
|
}
|
|
|
|
output "redis_endpoint" {
|
|
description = "Redis endpoint"
|
|
value = aws_elasticache_replication_this.primary_endpoint_address
|
|
}
|
|
|
|
output "s3_bucket_name" {
|
|
description = "S3 bucket name"
|
|
value = aws_s3_bucket.data.id
|
|
}
|