add initial starter code

Author: tomsharp

.gitignore

@@ -0,0 +1,7 @@
+*.venv
+*__pycache__
+*.env
+*.env.sh
+*backend.tf
+*.terraform*
+*terraform.*

Makefile

@@ -0,0 +1,23 @@
+include .env 
+
+.EXPORT_ALL_VARIABLES:
+APP_NAME=my-app-name
+
+TAG=latest
+TF_VAR_app_name=${APP_NAME}
+REGISTRY_NAME=${APP_NAME}
+TF_VAR_image=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${REGISTRY_NAME}:${TAG}
+TF_VAR_region=${AWS_REGION}
+
+
+setup-ecr: 
+	cd infra/setup && terraform init && terraform apply -auto-approve
+
+deploy-container:
+	cd app && sh deploy.sh
+
+deploy-service:
+	cd infra/app && terraform init && terraform apply -auto-approve
+
+destroy-service:
+	cd infra/app && terraform init && terraform destroy -auto-approve

README.md

@@ -0,0 +1,67 @@
+# How to use this Repo
+## Warning
+- Always make sure to destroy your API Service. Forgetting to do so could incur a large AWS fee
+- Never commit your AWS Account ID to git. Save it in an `.env` file and ensure `.env` is added to your `.gitiginore`
+
+## Setup, Deploy, and Destroy
+
+### Setup Env Variables
+Add an `.env` file containing your AWS account ID and region. Example file:
+```
+AWS_ACCOUNT_ID=1234567890
+AWS_REGION=ap-southeast-1
+```
+
+Create a `backend.tf` file and add it to both `/infra/setup/backend.tf` and `/infra/app/backend.tf`. Example files:
+```
+terraform {
+  backend "s3" {
+    region = "<AWS_REGION>"
+    bucket = "<BUCKET_NAME>"
+    key    = "<APP_NAME>/terraform.tfstate"
+  }
+}
+```
+```
+terraform {
+  backend "s3" {
+    region = "<AWS_REGION>"
+    bucket = "<BUCKET_NAME>"
+    key    = "<APP_NAME>/terraform.tfstate"
+  }
+}
+```
+Alternatively you can skip this step to store your Terraform state locally.
+
+<br>
+
+### Setup, Deploy, and Destroy Infrastructure/App
+All of the following commands are run via the Makefile.
+
+1. Setup your ECR Repository (one time)
+    ```
+    make setup-ecr
+    ```
+
+<br>
+
+2. Build and deploy your container
+    ```
+    make deploy-container
+    ```
+
+<br>
+
+3. Deploy your API Service on ECS Fargate
+    ```
+    make deploy-service
+    ```
+    Note: The URL for your endpoint will be printed by Terraform once the above command is done executing. Example: `alb_dns_name = "<APP_NAME>-alb-123456789.<AWS_REGION>.elb.amazonaws.com"`. Navigate to that URL in your browser to ensure the API is working. You can also check out the API docs at the `<URL>/docs` endpoint.
+
+<br>
+
+4. Destroy your API Service on ECS Fargate
+    ```
+    make destroy-service
+    ```
+

app/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3.11-slim
+WORKDIR /app
+COPY . /app
+RUN pip install --no-cache-dir -r requirements.txt
+EXPOSE 80
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "80"]

app/deploy.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "Logging in to ECR"
+aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+echo "Building image"
+docker build --no-cache --platform=linux/amd64 -t $REGISTRY_NAME .
+
+echo "Tagging image"
+docker tag $REGISTRY_NAME:$TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REGISTRY_NAME:$TAG
+
+echo "Pushing image to ECR"
+docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REGISTRY_NAME:$TAG

app/main.py

@@ -0,0 +1,7 @@
+from fastapi import FastAPI
+
+app = FastAPI()
+
+@app.get("/")
+def root():
+    return {"message": "Welcome to the API"}

app/requirements.txt

@@ -0,0 +1,2 @@
+fastapi==0.109.2
+uvicorn==0.27.1

infra/app/ecs/main.tf

@@ -0,0 +1,191 @@
+# ALB
+resource "aws_security_group" "alb" {
+  name   = "${var.app_name}-alb-sg"
+  vpc_id = var.vpc_id
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+resource "aws_lb" "this" {
+  name               = "${var.app_name}-alb"
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = var.public_subnet_ids
+}
+resource "aws_lb_target_group" "this" {
+  name        = "${var.app_name}-lb-tg"
+  vpc_id      = var.vpc_id
+  port        = 80
+  protocol    = "HTTP"
+  target_type = "ip"
+  health_check {
+    port                = 80
+    path                = "/docs"
+    interval            = 30
+    protocol            = "HTTP"
+    timeout             = 5
+    unhealthy_threshold = 2
+    matcher             = 200
+  }
+}
+resource "aws_lb_listener" "http" {
+  port              = "80"
+  protocol          = "HTTP"
+  load_balancer_arn = aws_lb.this.arn
+  default_action {
+    target_group_arn = aws_lb_target_group.this.arn
+    type             = "forward"
+  }
+  depends_on = [aws_lb_target_group.this]
+}
+resource "aws_lb_listener_rule" "this" {
+  listener_arn = aws_lb_listener.http.arn
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+  condition {
+    path_pattern {
+      values = ["*"]
+    }
+  }
+}
+
+# IAM 
+data "aws_iam_policy_document" "ecs_assume_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+resource "aws_iam_role" "ecs_execution_role" {
+  name               = "${var.app_name}-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.ecs_assume_policy.json
+}
+resource "aws_iam_policy" "ecs_execution_policy" {
+  name = "${var.app_name}-ecs-execution-role-policy"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect : "Allow",
+        Action : [
+          "ecr:*",
+          "ecs:*",
+          "elasticloadbalancing:*",
+          "cloudwatch:*",
+          "logs:*"
+        ],
+        Resource : "*"
+      }
+    ]
+  })
+}
+resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy_attach" {
+  role       = aws_iam_role.ecs_execution_role.name
+  policy_arn = aws_iam_policy.ecs_execution_policy.arn
+}
+
+# ECS 
+resource "aws_cloudwatch_log_group" "ecs" {
+  name = "/aws/ecs/${var.app_name}/cluster"
+}
+resource "aws_ecs_task_definition" "api" {
+  family                   = "${var.app_name}-api-task"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  execution_role_arn       = aws_iam_role.ecs_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_execution_role.arn
+  cpu                      = 256
+  memory                   = 512
+  container_definitions = jsonencode([
+    {
+      name    = "${var.app_name}-api-container"
+      image   = "${var.image}"
+      command = ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "80"]
+      portMappings = [
+        {
+          hostPort      = 80
+          containerPort = 80
+          protocol      = "tcp"
+        }
+      ],
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.ecs.name
+          awslogs-stream-prefix = "ecs"
+          awslogs-region        = var.region
+        }
+      }
+    }
+  ])
+}
+
+# Cluster 
+resource "aws_ecs_cluster" "this" {
+  name = "${var.app_name}-cluster"
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+# Security Group and Service
+resource "aws_security_group" "ecs" {
+  name   = "${var.app_name}-ecs-sg"
+  vpc_id = var.vpc_id
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port       = 80
+    to_port         = 80
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+  }
+}
+resource "aws_ecs_service" "api" {
+  name            = "${var.app_name}-ecs-service"
+  cluster         = aws_ecs_cluster.this.name
+  launch_type     = "FARGATE"
+  desired_count   = length(var.private_subnet_ids)
+  task_definition = aws_ecs_task_definition.api.arn
+  network_configuration {
+    subnets         = var.private_subnet_ids
+    security_groups = [aws_security_group.ecs.id]
+  }
+  load_balancer {
+    target_group_arn = aws_lb_target_group.this.arn
+    container_name   = "${var.app_name}-api-container"
+    container_port   = "80"
+  }
+  lifecycle {
+    ignore_changes = [
+      desired_count,
+    ]
+  }
+  depends_on = [aws_lb_listener_rule.this]
+}
+

infra/app/ecs/output.tf

@@ -0,0 +1,3 @@
+output "alb_dns_name" {
+  value = aws_lb.this.dns_name
+}

infra/app/ecs/variable.tf

@@ -0,0 +1,24 @@
+variable "app_name" {
+  description = "Name of the app."
+  type        = string
+}
+variable "region" {
+  description = "AWS region to deploy the network to."
+  type        = string
+}
+variable "image" {
+  description = "Image used to start the container. Should be in repository-url/image:tag format."
+  type        = string
+}
+variable "vpc_id" {
+  description = "ID of the VPC where the ECS will be hosted."
+  type        = string
+}
+variable "public_subnet_ids" {
+  description = "IDs of public subnets where the ALB will be attached to."
+  type        = list(string)
+}
+variable "private_subnet_ids" {
+  description = "IDs of private subnets where the ECS service will be deployed to."
+  type        = list(string)
+}