jackkleeman · December 1, 2023 16:31
diff --git a/main.tf b/main.tf
 # Restate runtime
 resource "aws_cloudwatch_log_group" "restate_runtime" {
  name = "/ecs/restate-runtime-task"

  tags = {
    Name = "restate-runtime-task"
  }
 }

 resource "aws_ecs_cluster" "restate_runtime" {
  name = "restate-runtime"
 }

 data "aws_region" "current" {}

 resource "aws_iam_role" "restate_runtime_task_execution_role" {
  name = "restate-runtime-task-execution-role"

  assume_role_policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "ecs-tasks.amazonaws.com"
     },
     "Effect": "Allow",
     "Sid": ""
   }
 ]
 }
 EOF
 }

 resource "aws_iam_role_policy_attachment" "restate_runtime_task_execution_role" {
  role       = aws_iam_role.restate_runtime_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }

 resource "aws_iam_role" "restate_runtime_task_role" {
  name = "restate-runtime-task-role"
  inline_policy {
    name   = "lambda"
    policy = jsonencode({
      Version   = "2012-10-17"
      Statement = [
        {
          Action   = ["lambda:InvokeFunction"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
  inline_policy {
    name   = "exec"
    policy = jsonencode({
      Version   = "2012-10-17"
      Statement = [
        {
          Action = [
            "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel"
          ]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }

  assume_role_policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "ecs-tasks.amazonaws.com"
     },
     "Effect": "Allow",
     "Sid": ""
   }
 ]
 }
 EOF
 }

 data "aws_availability_zones" "available" {
  state = "available"
 }

 resource "aws_efs_file_system" "restate_runtime" {
  availability_zone_name = data.aws_availability_zones.available.names[
  0
  ]
  throughput_mode = "elastic"
 }

 resource "aws_security_group" "restate_runtime_efs" {
  name        = "restate-runtime-efs"
  description = "Allow inbound traffic to EFS mount target"
  vpc_id      = data.aws_vpc.default_vpc.id

  ingress {
    description = "EFS mount target"
    from_port   = 2049
    to_port     = 2049
    protocol    = "tcp"
    cidr_blocks = [data.aws_subnet.az1.cidr_block]
  }
 }

 resource "aws_efs_mount_target" "restate_runtime" {
  file_system_id  = aws_efs_file_system.restate_runtime.id
  subnet_id       = data.aws_subnet.az1.id
  security_groups = [
    aws_security_group.restate_runtime_efs.id
  ]
 }

 resource "aws_ecs_task_definition" "restate_runtime" {
  family                   = "restate-runtime"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = 512
  memory                   = 3072
  execution_role_arn       = aws_iam_role.restate_runtime_task_execution_role.arn
  task_role_arn            = aws_iam_role.restate_runtime_task_role.arn
  runtime_platform {
    cpu_architecture        = "ARM64"
    operating_system_family = "LINUX"
  }
  container_definitions = jsonencode([
    {
      name        = "restate-runtime-container"
      image       = "ghcr.io/restatedev/restate:0.5.0"
      essential   = true
      environment = [
        {
          name  = "RUST_LOG"
          value = "info"
        },
        {
          name  = "RESTATE_OBSERVABILITY__LOG__FORMAT"
          value = "Json"
        },
      ]
      portMappings = [
        {
          protocol      = "tcp"
          containerPort = 8080
          hostPort      = 8080
        },
        {
          protocol      = "tcp"
          containerPort = 9070
          hostPort      = 9070
        },
        {
          protocol      = "tcp"
          containerPort = 9071
          hostPort      = 9071
        },
        {
          protocol      = "tcp"
          containerPort = 9072
          hostPort      = 9072
        },
      ]
      mountPoints = [
        {
          sourceVolume  = "restate-runtime-storage"
          containerPath = "/target"
          readOnly      = false
        }
      ]
      logConfiguration = {
        logDriver = "awslogs"
        options   = {
          awslogs-group         = aws_cloudwatch_log_group.restate_runtime.name
          awslogs-stream-prefix = "ecs"
          awslogs-region        = data.aws_region.current.name
        }
      }
    }
  ])

  volume {
    name = "restate-runtime-storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.restate_runtime.id
    }
  }
 }

 data "aws_vpc" "default_vpc" {
  default = true
 }

 data "aws_subnet" "az1" {
  vpc_id               = data.aws_vpc.default_vpc.id
  availability_zone_id = data.aws_availability_zones.available.zone_ids[0]
 }

 resource "aws_ecs_service" "restate-runtime" {
  name                               = "restate-runtime"
  cluster                            = aws_ecs_cluster.restate_runtime.name
  task_definition                    = aws_ecs_task_definition.restate_runtime.arn
  desired_count                      = 1
  deployment_minimum_healthy_percent = 0
  deployment_maximum_percent         = 100
  launch_type                        = "FARGATE"
  scheduling_strategy                = "REPLICA"
  enable_execute_command             = true

  network_configuration {
    security_groups  = [aws_security_group.restate_runtime.id]
    subnets          = [data.aws_subnet.az1.id]
    assign_public_ip = true
  }
 }

 resource "aws_security_group" "restate_runtime" {
  name        = "restate-runtime"
  description = "Allow inbound traffic to restate ports"
  vpc_id      = data.aws_vpc.default_vpc.id

  ingress {
    description = "ingress"
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "ingress"
    from_port   = 9070
    to_port     = 9072
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
 }
	# Restate runtime
	resource "aws_cloudwatch_log_group" "restate_runtime" {
	name = "/ecs/restate-runtime-task"

	tags = {
	Name = "restate-runtime-task"
	}
	}

	resource "aws_ecs_cluster" "restate_runtime" {
	name = "restate-runtime"
	}

	data "aws_region" "current" {}

	resource "aws_iam_role" "restate_runtime_task_execution_role" {
	name = "restate-runtime-task-execution-role"

	assume_role_policy = <<EOF
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Action": "sts:AssumeRole",
	"Principal": {
	"Service": "ecs-tasks.amazonaws.com"
	},
	"Effect": "Allow",
	"Sid": ""
	}
	]
	}
	EOF
	}

	resource "aws_iam_role_policy_attachment" "restate_runtime_task_execution_role" {
	role = aws_iam_role.restate_runtime_task_execution_role.name
	policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
	}

	resource "aws_iam_role" "restate_runtime_task_role" {
	name = "restate-runtime-task-role"
	inline_policy {
	name = "lambda"
	policy = jsonencode({
	Version = "2012-10-17"
	Statement = [
	{
	Action = ["lambda:InvokeFunction"]
	Effect = "Allow"
	Resource = "*"
	},
	]
	})
	}
	inline_policy {
	name = "exec"
	policy = jsonencode({
	Version = "2012-10-17"
	Statement = [
	{
	Action = [
	"ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
	"ssmmessages:OpenDataChannel"
	]
	Effect = "Allow"
	Resource = "*"
	},
	]
	})
	}

	assume_role_policy = <<EOF
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Action": "sts:AssumeRole",
	"Principal": {
	"Service": "ecs-tasks.amazonaws.com"
	},
	"Effect": "Allow",
	"Sid": ""
	}
	]
	}
	EOF
	}

	data "aws_availability_zones" "available" {
	state = "available"
	}

	resource "aws_efs_file_system" "restate_runtime" {
	availability_zone_name = data.aws_availability_zones.available.names[
	0
	]
	throughput_mode = "elastic"
	}

	resource "aws_security_group" "restate_runtime_efs" {
	name = "restate-runtime-efs"
	description = "Allow inbound traffic to EFS mount target"
	vpc_id = data.aws_vpc.default_vpc.id

	ingress {
	description = "EFS mount target"
	from_port = 2049
	to_port = 2049
	protocol = "tcp"
	cidr_blocks = [data.aws_subnet.az1.cidr_block]
	}
	}

	resource "aws_efs_mount_target" "restate_runtime" {
	file_system_id = aws_efs_file_system.restate_runtime.id
	subnet_id = data.aws_subnet.az1.id
	security_groups = [
	aws_security_group.restate_runtime_efs.id
	]
	}

	resource "aws_ecs_task_definition" "restate_runtime" {
	family = "restate-runtime"
	network_mode = "awsvpc"
	requires_compatibilities = ["FARGATE"]
	cpu = 512
	memory = 3072
	execution_role_arn = aws_iam_role.restate_runtime_task_execution_role.arn
	task_role_arn = aws_iam_role.restate_runtime_task_role.arn
	runtime_platform {
	cpu_architecture = "ARM64"
	operating_system_family = "LINUX"
	}
	container_definitions = jsonencode([
	{
	name = "restate-runtime-container"
	image = "ghcr.io/restatedev/restate:0.5.0"
	essential = true
	environment = [
	{
	name = "RUST_LOG"
	value = "info"
	},
	{
	name = "RESTATE_OBSERVABILITY__LOG__FORMAT"
	value = "Json"
	},
	]
	portMappings = [
	{
	protocol = "tcp"
	containerPort = 8080
	hostPort = 8080
	},
	{
	protocol = "tcp"
	containerPort = 9070
	hostPort = 9070
	},
	{
	protocol = "tcp"
	containerPort = 9071
	hostPort = 9071
	},
	{
	protocol = "tcp"
	containerPort = 9072
	hostPort = 9072
	},
	]
	mountPoints = [
	{
	sourceVolume = "restate-runtime-storage"
	containerPath = "/target"
	readOnly = false
	}
	]
	logConfiguration = {
	logDriver = "awslogs"
	options = {
	awslogs-group = aws_cloudwatch_log_group.restate_runtime.name
	awslogs-stream-prefix = "ecs"
	awslogs-region = data.aws_region.current.name
	}
	}
	}
	])

	volume {
	name = "restate-runtime-storage"
	efs_volume_configuration {
	file_system_id = aws_efs_file_system.restate_runtime.id
	}
	}
	}

	data "aws_vpc" "default_vpc" {
	default = true
	}

	data "aws_subnet" "az1" {
	vpc_id = data.aws_vpc.default_vpc.id
	availability_zone_id = data.aws_availability_zones.available.zone_ids[0]
	}

	resource "aws_ecs_service" "restate-runtime" {
	name = "restate-runtime"
	cluster = aws_ecs_cluster.restate_runtime.name
	task_definition = aws_ecs_task_definition.restate_runtime.arn
	desired_count = 1
	deployment_minimum_healthy_percent = 0
	deployment_maximum_percent = 100
	launch_type = "FARGATE"
	scheduling_strategy = "REPLICA"
	enable_execute_command = true

	network_configuration {
	security_groups = [aws_security_group.restate_runtime.id]
	subnets = [data.aws_subnet.az1.id]
	assign_public_ip = true
	}
	}

	resource "aws_security_group" "restate_runtime" {
	name = "restate-runtime"
	description = "Allow inbound traffic to restate ports"
	vpc_id = data.aws_vpc.default_vpc.id

	ingress {
	description = "ingress"
	from_port = 8080
	to_port = 8080
	protocol = "tcp"
	cidr_blocks = ["0.0.0.0/0"]
	}
	ingress {
	description = "ingress"
	from_port = 9070
	to_port = 9072
	protocol = "tcp"
	cidr_blocks = ["0.0.0.0/0"]
	}

	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]
	ipv6_cidr_blocks = ["::/0"]
	}
	}