From b01aab4e50525c23b9c9dd430c8faffd9bc8f75a Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Mon, 11 Dec 2023 17:53:57 +0000
Subject: [PATCH] Optional VPC: Allow use of existing VPC and subnets

---
 ecs-cluster/keycloak.tf  | 18 +++++++++++-------
 ecs-cluster/variables.tf | 18 ++++++++++++++++++
 ecs-cluster/vpc.tf       |  8 ++++++++
 3 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/ecs-cluster/keycloak.tf b/ecs-cluster/keycloak.tf
index 8706233..8d82350 100644
--- a/ecs-cluster/keycloak.tf
+++ b/ecs-cluster/keycloak.tf
@@ -3,6 +3,10 @@ data "aws_caller_identity" "current" {}
 locals {
   container-port = 8443
   keycloak-hostname = var.keycloak-hostname == "" ? aws_lb.keycloak.dns_name : var.keycloak-hostname
+
+  vpc_id = var.vpc-id == "" ? module.vpc[0].vpc_id : var.vpc-id
+  public_subnets = var.public-subnets == [] ? module.vpc[0].public_subnets : var.public-subnets
+  private_subnets = var.private-subnets == [] ? module.vpc[0].private_subnets : var.private-subnets
 }
 
 resource "random_password" "db-password" {
@@ -18,7 +22,7 @@ resource "random_string" "initial-keycloak-password" {
 
 resource "aws_security_group" "rds" {
   name = "${var.name}-sg-rds"
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
 
   ingress {
     from_port = 5432
@@ -30,7 +34,7 @@ resource "aws_security_group" "rds" {
 
 resource "aws_security_group" "alb" {
   name = "${var.name}-sg-alb"
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
 
   ingress {
     protocol = "tcp"
@@ -56,7 +60,7 @@ resource "aws_security_group" "alb" {
 
 resource "aws_security_group" "ecs-task-keycloak" {
   name = "${var.name}-sg-task-keycloak"
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
 
   ingress {
     protocol = "tcp"
@@ -80,7 +84,7 @@ resource "aws_lb" "keycloak" {
   internal = false
   load_balancer_type = "application"
   security_groups = [aws_security_group.alb.id]
-  subnets = module.vpc.public_subnets
+  subnets = local.public_subnets
 
   enable_deletion_protection = true
 
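Review bot: The new `public_subnets` and `private_subnets` locals compare a `list(string)` variable with the literal `[]`, and in Terraform that equality is false even when the list is empty, because `[]` is an empty tuple and `==` only returns true for operands of the same type (easy to confirm in `terraform console`). The fallback to `module.vpc[0].public_subnets` / `module.vpc[0].private_subnets` is therefore never taken, so a deployment that leaves `vpc-id` empty hands empty subnet lists to `aws_lb.keycloak`, `aws_db_subnet_group.keycloak` and `aws_ecs_service.keycloak` in the later hunks of this file. Test the length instead: `public_subnets = length(var.public-subnets) == 0 ? module.vpc[0].public_subnets : var.public-subnets` and `private_subnets = length(var.private-subnets) == 0 ? module.vpc[0].private_subnets : var.private-subnets`.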
@@ -91,7 +95,7 @@ resource "aws_alb_target_group" "keycloak" {
   name = "${var.name}-tg"
   port = 443
   protocol = "HTTPS"
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
   target_type = "ip"
 
   health_check {
@@ -172,7 +176,7 @@ resource "aws_db_parameter_group" "keycloak" {
 
 resource "aws_db_subnet_group" "keycloak" {
   name = "${var.name}-keycloak"
-  subnet_ids = module.vpc.private_subnets
+  subnet_ids = local.private_subnets
 }
 
 resource "aws_db_instance" "keycloak" {
@@ -352,7 +356,7 @@ resource "aws_ecs_service" "keycloak" {
       aws_security_group.rds.id,
       aws_security_group.ecs-task-keycloak.id
     ]
-    subnets = module.vpc.private_subnets
+    subnets = local.private_subnets
     # TODO: Setting this to False means the image can't be pulled. Why? It works in K8s.
     # assign_public_ip = true
   }
diff --git a/ecs-cluster/variables.tf b/ecs-cluster/variables.tf
index 656ffe0..53ca523 100644
--- a/ecs-cluster/variables.tf
+++ b/ecs-cluster/variables.tf
@@ -22,6 +22,24 @@ variable "lb-cidr-blocks-in" {
   description = "CIDR blocks to allow access to the load balancer"
 }
 
+variable "vpc-id" {
+  type = string
+  default = ""
+  description = "VPC ID, if empty creates a new VPC"
+}
+
+variable "public-subnets" {
+  type = list(string)
+  default = []
+  description = "Public subnet IDs, must be defined if vpc-id is provided"
+}
+
+variable "private-subnets" {
+  type = list(string)
+  default = []
+  description = "Private subnet IDs, must be defined if vpc-id is provided"
+}
+
 variable "db-name" {
   type = string
   default = "keycloak"
diff --git a/ecs-cluster/vpc.tf b/ecs-cluster/vpc.tf
index 0303fb4..273ea79 100644
--- a/ecs-cluster/vpc.tf
+++ b/ecs-cluster/vpc.tf
@@ -3,6 +3,7 @@ data "aws_availability_zones" "available" {}
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
   version = "5.2.0"
+  count = var.vpc-id == "" ? 1 : 0
   name = "${var.name}-vpc"
   cidr = "10.199.0.0/16"
 
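Review bot: The descriptions of `public-subnets` and `private-subnets` say the lists must be set when `vpc-id` is provided, but nothing enforces it; with `vpc-id` set and both lists left at their `[]` default the failure only surfaces when `aws_lb.keycloak` or `aws_db_subnet_group.keycloak` in keycloak.tf receives an empty subnet list. A `validation` block on a variable can only reference that variable (before Terraform 1.9), so the cross-check belongs in a `lifecycle { precondition { ... } }` on the consuming resources, e.g. `condition = var.vpc-id == "" || (length(var.public-subnets) > 0 && length(var.private-subnets) > 0)` with an `error_message` that names the two variables. The module also takes the caller's classification on trust: the RDS subnet group and the ECS tasks land in whatever IDs arrive as `private-subnets`, so the description should state that these must be subnets with no route to an internet gateway, otherwise the database and tasks can end up exposed in ways the module-created layout does not allow.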
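Review bot: `count` on `module.vpc` is driven by `var.vpc-id` alone, while the subnet locals in keycloak.tf are driven by whether each subnet list is empty, so the two decisions can disagree: an empty `vpc-id` combined with non-empty subnet lists creates a fresh VPC and then places the load balancer, DB subnet group and ECS service in subnets that belong to some other VPC, which would presumably fail only at apply time. A single local such as `create_vpc = var.vpc-id == ""`, used here as `count = local.create_vpc ? 1 : 0` and in the three keycloak.tf locals, keeps the decision in one place. The `module "vpc"` block continues past the end of the hunk.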
@@ -18,3 +19,10 @@ module "vpc" {
   manage_default_network_acl = false
   map_public_ip_on_launch = true
 }
+
+# Backwards compatibility with existing deployments
+# https://developer.hashicorp.com/terraform/language/modules/develop/refactoring#enabling-count-or-for_each-for-a-resource
+moved {
+  from = module.vpc
+  to = module.vpc[0]
+}
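Review bot: The `moved` block only maps the old address to `module.vpc[0]`; it says nothing about what happens when an existing deployment later sets `vpc-id`, which flips `count` to 0 and plans the destruction of the module-managed VPC and its subnets while the security groups, load balancer, DB subnet group and ECS service in keycloak.tf are re-pointed at the external VPC, and several of those attributes force resource replacement. A comment above the block would make that constraint explicit, e.g. `# vpc-id must be decided on first apply: switching an existing deployment to an external VPC destroys the managed VPC and forces replacement of everything attached to it.`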