Add EC2 instance for discourse app

Author: mrkn

terraform/cert.tf

@@ -0,0 +1,4 @@
+data "aws_acm_certificate" "ruby_data_cert" {
+  domain = "ruby-data.org"
+  statuses = ["ISSUED"]
+}

terraform/discourse.tf

@@ -0,0 +1,57 @@
+variable "app_discourse_count" {
+  type = "map"
+  default = {
+    prod = 2
+    test = 1
+  }
+}
+
+variable "app_discourse_instance_type" {
+  type = "map"
+  default = {
+    prod = "t2.medium"
+    test = "t2.micro"
+  }
+}
+
+resource "aws_instance" "app_discourse" {
+  count = "${lookup(var.app_discourse_count, terraform.workspace)}"
+
+  ami = "${data.aws_ami.ubuntu_xenial.id}"
+  instance_type = "${lookup(var.app_discourse_instance_type, terraform.workspace)}"
+
+  disable_api_termination = true
+  key_name = "discourse"
+  monitoring = true
+
+  vpc_security_group_ids = [
+    "${aws_security_group.sg_app.id}"
+  ]
+
+  subnet_id = "${element(aws_subnet.subnet_main_public.*.id, count.index % length(data.aws_availability_zones.available.names))}"
+
+  associate_public_ip_address = true
+
+  user_data = "${data.template_file.discourse_user_data.rendered}"
+
+  tags {
+    Name = "${format("app-discourse-${terraform.workspace}-%03d", count.index + 1)}"
+  }
+}
+
+data "template_file" "discourse_user_data" {
+  template = "${file("templates/discourse_init.sh")}"
+
+  vars = {
+    authorized_keys = "${data.template_file.discourse_authorized_keys.rendered}"
+    sshd_config_content = "${data.template_file.sshd_config_content.rendered}"
+  }
+}
+
+data "template_file" "discourse_authorized_keys" {
+  template = "${file(format("templates/discourse-%s_authorized_keys", terraform.workspace))}"
+}
+
+data "template_file" "sshd_config_content" {
+  template = "${file("templates/sshd_config")}"
+}

terraform/elb.tf

@@ -0,0 +1,41 @@
+resource "aws_elb" "elb_app_discourse" {
+  name = "app-discourse-${terraform.workspace}"
+  subnets = [
+    "${aws_subnet.subnet_main_public.*.id}"
+  ]
+  instances = [
+    "${aws_instance.app_discourse.*.id}"
+  ]
+
+  listener {
+    instance_port = 80
+    instance_protocol = "http"
+    lb_port = 80
+    lb_protocol = "http"
+  }
+
+  listener {
+    instance_port = 80
+    instance_protocol = "http"
+    lb_port = 443
+    lb_protocol = "https"
+    ssl_certificate_id = "${data.aws_acm_certificate.ruby_data_cert.arn}"
+  }
+
+  health_check {
+    healthy_threshold = 2
+    unhealthy_threshold = 2
+    timeout = 10
+    target = "HTTP:80/"
+    interval = 30
+  }
+
+  cross_zone_load_balancing = true
+  idle_timeout = 400
+  connection_draining = true
+  connection_draining_timeout = 400
+
+  tags {
+    Name = "elb-app-discource-${terraform.workspace}"
+  }
+}

terraform/sg.tf

@@ -36,6 +36,14 @@ resource "aws_security_group" "sg_app" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  ingress {
+    description = "SSH from anywhere"
+    from_port = 9022
+    to_port = 9022
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
   egress {
     description = "Allow all outbound traffic"
     from_port = 0

terraform/templates/discourse-prod_authorized_keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIq/OTgu6p2oF7UMlaiFjAJQkOICa2yAvFcHRu5qLRgd mrkn@mrkn-mbp15-late2016.local

terraform/templates/discourse-test_authorized_keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIq/OTgu6p2oF7UMlaiFjAJQkOICa2yAvFcHRu5qLRgd mrkn@mrkn-mbp15-late2016.local

terraform/templates/discourse_init.sh

@@ -0,0 +1,38 @@
+#! /bin/bash
+
+mitamae_version=1.5.1
+
+USER_NAME=discourse
+USER_UID=900
+USER_GID=900
+USER_HOME=/home/$$USER_NAME
+
+groupadd -g $$USER_GID $$USER_NAME
+useradd -u $$USER_UID -g $$USER_GID -G adm -m -s /bin/bash $$USER_NAME
+mkdir -p $$USER_HOME/.ssh
+chmod 700 $$USER_HOME/.ssh
+echo -n "${authorized_keys}" > $$USER_HOME/.ssh/authorized_keys
+chmod 600 $$USER_HOME/.ssh/authorized_keys
+chown -R $${USER_NAME}:$${USER_NAME} $$USER_HOME
+
+cat <<SUDO > /etc/sudoers.d/$$USER_NAME
+Defaults:%infra !requiretty
+Defaults:%infra env_keep += SSH_AUTH_SOCK
+Defaults:%infra env_keep += "MITAMAE_ENVIRONMENT MITAMAE_ROLES MITAMAE_HOST MITAMAE_TEAM_NO"
+
+%$$USER_NAME ALL=(ALL) NOPASSWD: ALL
+SUDO
+
+apt-get update -y
+apt-get install -y curl ssh sudo
+
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
+cat <<SSHD_CONFIG > /etc/ssh/sshd_config
+${sshd_config_content}
+SSHD_CONFIG
+
+service ssh restart
+
+mkdir -p /usr/local/sbin
+curl -o /usr/local/sbin/mitamae https://github.com/itamae-kitchen/mitamae/releases/download/v$${mitamae_version}/mitamae-x86_64-linux
+chmod 755 /usr/local/sbin/mitamae

terraform/templates/sshd_config

@@ -0,0 +1,44 @@
+Port 22
+Port 9022
+
+Protocol 2
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+UsePrivilegeSeparation yes
+
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+SyslogFacility AUTH
+LogLevel INFO
+
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+TCPKeepAlive yes
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes

terraform/ubuntu.tf

@@ -0,0 +1,15 @@
+data "aws_ami" "ubuntu_xenial" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}