Page MenuHomePhabricator
Files F3147278

D9165.diff
No OneTemporary
Actions

D9165.diff
View Options

diff --git a/services/docker-compose.yml b/services/docker-compose.yml
--- a/services/docker-compose.yml
+++ b/services/docker-compose.yml
@@ -98,7 +98,8 @@
- localstack:/tmp/localstack
# RabbitMQ
rabbitmq:
- image: rabbitmq:3-management
+ # This version matches AWS MQ version (set in Terraform)
+ image: rabbitmq:3.11.16-management
hostname: rabbitmq
ports:
- '5672:5672'
diff --git a/services/terraform/remote/service_tunnelbroker.tf b/services/terraform/remote/service_tunnelbroker.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/service_tunnelbroker.tf
@@ -0,0 +1,268 @@
+locals {
+ tunnelbroker_config = {
+ docker_image = "commapp/tunnelbroker"
+ docker_tag = local.is_staging ? "latest" : "0.5"
+
+ grpc_port = 50051
+ websocket_port = 51001
+ container_name = "tunnelbroker-server"
+ domain_name = "tunnelbroker.${local.root_domain}"
+ }
+
+ # utility locals
+ tunnelbroker_docker_image = "${local.tunnelbroker_config.docker_image}:${local.tunnelbroker_config.docker_tag}"
+ rabbitmq_password = local.secrets.amqpPassword[local.environment]
+}
+
+# RabbitMQ
+resource "aws_mq_broker" "tunnelbroker_rabbitmq" {
+ broker_name = "tunnelbroker-rabbitmq"
+
+ # Keep RabbitMQ version in sync with docker-compose.yml
+ engine_type = "RabbitMQ"
+ engine_version = "3.11.16"
+ host_instance_type = local.is_staging ? "mq.t3.micro" : "mq.m5.large"
+ apply_immediately = local.is_staging
+ deployment_mode = "SINGLE_INSTANCE"
+ # Access from outside VPC - this allows to access the RabbitMQ console from browser
+ publicly_accessible = true
+
+ user {
+ username = "comm"
+ password = local.rabbitmq_password
+ }
+}
+locals {
+ amqp_endpoint = aws_mq_broker.tunnelbroker_rabbitmq.instances[0].endpoints[0]
+}
+
+# Task definition - defines container resources, ports,
+# environment variables, docker image etc.
+resource "aws_ecs_task_definition" "tunnelbroker" {
+ family = "tunnelbroker-task-def"
+ container_definitions = jsonencode([
+ {
+ name = local.tunnelbroker_config.container_name
+ image = local.tunnelbroker_docker_image
+ essential = true
+ portMappings = [
+ {
+ name = "tunnelbroker_ws"
+ containerPort = local.tunnelbroker_config.websocket_port
+ protocol = "tcp"
+ appProtocol = "http"
+ },
+ {
+ name = "tunnelbroker_grpc"
+ containerPort = local.tunnelbroker_config.grpc_port
+ protocol = "tcp"
+ appProtocol = "grpc"
+ }
+ ]
+ environment = [
+ {
+ name = "RUST_LOG"
+ value = "info"
+ },
+ {
+ name = "AMQP_URI",
+ value = local.amqp_endpoint
+ },
+ {
+ name = "AMQP_USERNAME"
+ value = "comm"
+ },
+ {
+ name = "AMQP_PASSWORD"
+ value = nonsensitive(local.rabbitmq_password)
+ }
+ ]
+ logConfiguration = {
+ "logDriver" = "awslogs"
+ "options" = {
+ "awslogs-create-group" = "true"
+ "awslogs-group" = "/ecs/tunnelbroker-task-def"
+ "awslogs-region" = "us-east-2"
+ "awslogs-stream-prefix" = "ecs"
+ }
+ }
+ }
+ ])
+ task_role_arn = aws_iam_role.services_ddb_full_access.arn
+ execution_role_arn = aws_iam_role.ecs_task_execution.arn
+ network_mode = "bridge"
+ cpu = "256"
+ memory = "256"
+ requires_compatibilities = ["EC2"]
+
+ # Set this to true if you want to keep old revisions
+ # when this definition is changed
+ skip_destroy = true
+}
+
+# ECS Service - defines task scaling, load balancer connection,
+# network configuration etc.
+resource "aws_ecs_service" "tunnelbroker" {
+ name = "tunnelbroker"
+ cluster = aws_ecs_cluster.comm_services.id
+ launch_type = "EC2"
+
+ task_definition = aws_ecs_task_definition.tunnelbroker.arn
+ force_new_deployment = true
+
+ desired_count = 1
+ # Allow external changes without Terraform plan difference
+ # We can freely specify replica count in AWS Console
+ lifecycle {
+ ignore_changes = [desired_count]
+ }
+
+ # Websocket
+ load_balancer {
+ target_group_arn = aws_lb_target_group.tunnelbroker_ws.arn
+ container_name = local.tunnelbroker_config.container_name
+ container_port = local.tunnelbroker_config.websocket_port
+ }
+
+ # gRPC
+ load_balancer {
+ target_group_arn = aws_lb_target_group.tunnelbroker_grpc.arn
+ container_name = local.tunnelbroker_config.container_name
+ container_port = local.tunnelbroker_config.grpc_port
+ }
+
+ deployment_circuit_breaker {
+ enable = true
+ rollback = true
+ }
+}
+
+# Security group to configure access to the service
+resource "aws_security_group" "tunnelbroker" {
+ name = "tunnelbroker-sg"
+ vpc_id = aws_vpc.default.id
+
+ # Websocket
+ ingress {
+ from_port = local.tunnelbroker_config.websocket_port
+ to_port = local.tunnelbroker_config.websocket_port
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Websocket port"
+ }
+
+ # gRPC
+ ingress {
+ from_port = local.tunnelbroker_config.grpc_port
+ to_port = local.tunnelbroker_config.grpc_port
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "gRPC port"
+ }
+
+ # Allow all outbound traffic
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+# Running service instances are registered here
+# to be accessed by the load balancer
+resource "aws_lb_target_group" "tunnelbroker_ws" {
+ name = "tunnelbroker-ws-tg"
+ port = local.tunnelbroker_config.websocket_port
+ protocol = "HTTP"
+ protocol_version = "HTTP1"
+ vpc_id = aws_vpc.default.id
+ target_type = "instance"
+
+ health_check {
+ enabled = true
+ healthy_threshold = 2
+ unhealthy_threshold = 3
+
+ protocol = "HTTP"
+ path = "/health"
+ matcher = "200"
+
+ }
+}
+resource "aws_lb_target_group" "tunnelbroker_grpc" {
+ name = "tunnelbroker-grpc-tg"
+ port = local.tunnelbroker_config.grpc_port
+ protocol = "HTTP"
+ protocol_version = "GRPC"
+ vpc_id = aws_vpc.default.id
+ target_type = "instance"
+
+ health_check {
+ enabled = true
+ healthy_threshold = 2
+ unhealthy_threshold = 3
+ }
+}
+
+# Load Balancer
+resource "aws_lb" "tunnelbroker" {
+ load_balancer_type = "application"
+ name = "tunnelbroker-lb"
+ internal = false
+ subnets = [
+ aws_subnet.public_a.id,
+ aws_subnet.public_b.id,
+ aws_subnet.public_c.id,
+ ]
+}
+
+resource "aws_lb_listener" "tunnelbroker_ws" {
+ load_balancer_arn = aws_lb.tunnelbroker.arn
+ port = local.tunnelbroker_config.websocket_port
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_arn = data.aws_acm_certificate.tunnelbroker.arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.tunnelbroker_ws.arn
+ }
+
+ lifecycle {
+ ignore_changes = [default_action[0].forward[0].stickiness[0].duration]
+ replace_triggered_by = [aws_lb_target_group.tunnelbroker_ws]
+ }
+}
+
+resource "aws_lb_listener" "tunnelbroker_grpc" {
+ load_balancer_arn = aws_lb.tunnelbroker.arn
+ port = local.tunnelbroker_config.grpc_port
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_arn = data.aws_acm_certificate.tunnelbroker.arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.tunnelbroker_grpc.arn
+ }
+
+ lifecycle {
+ ignore_changes = [default_action[0].forward[0].stickiness[0].duration]
+ replace_triggered_by = [aws_lb_target_group.tunnelbroker_grpc]
+ }
+}
+
+# SSL Certificate
+data "aws_acm_certificate" "tunnelbroker" {
+ domain = local.tunnelbroker_config.domain_name
+ statuses = ["ISSUED"]
+}
+
+output "rabbitmq_console_url" {
+ value = aws_mq_broker.tunnelbroker_rabbitmq.instances[0].console_url
+}

File Metadata

Mime Type
text/plain
Expires
Tue, Nov 5, 6:01 AM (1 h, 23 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2424617
Default Alt Text
D9165.diff (8 KB)

Event Timeline