From fadfd2fe55f8fb9fd9752099f8dcf00e039ae0f2 Mon Sep 17 00:00:00 2001
From: IrezD <dennysben@gmail.com>
Date: Thu, 28 Dec 2023 01:20:37 +0100
Subject: [PATCH] New: Initial deployment of resources

---
 .github/workflows/Production.yml | 98 ++++++++++++++++++++++++++++++++
 .github/workflows/Release.yml    | 23 ++++++++
 .github/workflows/Staging.yml    | 93 ++++++++++++++++++++++++++++++
 .gitignore                       | 28 +++++++++
 Dockerfile                       | 12 ++++
 README.md                        |  3 +-
 main.py                          | 26 +++++++++
 terraform/alb.tf                 | 26 +++++++++
 terraform/ecr.tf                 | 10 ++++
 terraform/ecs.tf                 | 67 ++++++++++++++++++++++
 terraform/env/dev.tfbackend      |  5 ++
 terraform/env/dev.tfvars         |  6 ++
 terraform/env/prod.tfbackend     |  5 ++
 terraform/env/prod.tfvars        |  6 ++
 terraform/main.tf                | 33 +++++++++++
 terraform/networking.tf          | 45 +++++++++++++++
 terraform/outputs.tf             |  8 +++
 terraform/variables.tf           | 41 +++++++++++++
 18 files changed, 534 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/Production.yml
 create mode 100644 .github/workflows/Release.yml
 create mode 100644 .github/workflows/Staging.yml
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 main.py
 create mode 100644 terraform/alb.tf
 create mode 100644 terraform/ecr.tf
 create mode 100644 terraform/ecs.tf
 create mode 100644 terraform/env/dev.tfbackend
 create mode 100644 terraform/env/dev.tfvars
 create mode 100644 terraform/env/prod.tfbackend
 create mode 100644 terraform/env/prod.tfvars
 create mode 100644 terraform/main.tf
 create mode 100644 terraform/networking.tf
 create mode 100644 terraform/outputs.tf
 create mode 100644 terraform/variables.tf

diff --git a/.github/workflows/Production.yml b/.github/workflows/Production.yml
new file mode 100644
index 0000000..8e8b324
--- /dev/null
+++ b/.github/workflows/Production.yml
@@ -0,0 +1,98 @@
+name: Production Deployment
+
+on:
+  release:
+    types: [ published]
+  
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: "What is the new version?"
+        type: string
+    
+permissions:
+  pull-requests: write
+  contents: read
+  id-token: write
+    
+env:
+   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+   Tag: ${{ github.event.release.tag_name|| inputs.version }} 
+    
+jobs:
+  
+  Terraform: 
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::806066816337:role/fastapi-image-IAM-role
+          role-session-name: fastapi-image-IAM-role
+          aws-region: eu-central-1
+
+      - name: Terraform plan
+        uses: dflook/terraform-plan@v1
+        with:
+          path: ./terraform
+          label: Staging
+          backend_config_file: ./terraform/env/prod.tfbackend
+          var_file: ./terraform/env/prod.tfvars
+          variables: |
+              image_tag = "${{ env.Tag }}"
+              vpc_id = "${{ secrets.VPC_ID }}"
+
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: ./terraform
+          label: Staging
+          backend_config_file: ./terraform/env/prod.tfbackend
+          var_file: ./terraform/env/prod.tfvars
+          variables: |
+              image_tag = "${{ env.Tag }}"
+              vpc_id = "${{ secrets.VPC_ID }}"
+          auto_approve: true
+
+                
+  Image-Build:
+
+    needs: Terraform
+    runs-on: ubuntu-latest
+        
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::806066816337:role/fastapi-image-IAM-role
+          role-session-name: fastapi-image-IAM-role
+          aws-region: us-east-1
+      
+      - name: Registry Alias Output
+        uses: dflook/terraform-output@v1
+        id: my-outputs
+        with:
+          path: ./terraform
+          backend_config_file: ./terraform/env/prod.tfbackend
+
+      - name: Login to Amazon ECR Public
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
+              
+      - name: Build, tag, and push docker image to Amazon ECR Public
+        env:
+          REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
+          REGISTRY_ALIAS: ${{ steps.my-outputs.outputs.ecr_registry_id }}
+          REPOSITORY:  ${{ steps.my-outputs.outputs.ecr_repository_name }}
+          IMAGE_TAG: ${{ env.Tag }}
+        run: |           
+            docker build -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG  .
+            docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG 
diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml
new file mode 100644
index 0000000..a9931c3
--- /dev/null
+++ b/.github/workflows/Release.yml
@@ -0,0 +1,23 @@
+name: New Release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  Release:
+    runs-on: ubuntu-latest
+    permissions:
+        pull-requests: write
+        contents: write
+        issues: write
+        
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Creating Release
+      uses: chiemerieezechukwu/semantic-release@main
+      with:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/Staging.yml b/.github/workflows/Staging.yml
new file mode 100644
index 0000000..da45b12
--- /dev/null
+++ b/.github/workflows/Staging.yml
@@ -0,0 +1,93 @@
+name: Staging Image Build & Push
+
+on:
+  pull_request:
+    branches: [ "main" ]
+    
+permissions:
+  pull-requests: write
+  contents: read
+  id-token: write
+    
+env:
+   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    
+jobs:
+  
+  
+  Terraform: 
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::806066816337:role/fastapi-image-IAM-role
+          role-session-name: fastapi-image-IAM-role
+          aws-region: eu-central-1
+
+      - name: Terraform plan
+        uses: dflook/terraform-plan@v1
+        with:
+          path: ./terraform
+          label: Staging
+          backend_config_file: ./terraform/env/dev.tfbackend
+          var_file: ./terraform/env/dev.tfvars
+          variables: |
+              vpc_id = "${{ secrets.VPC_ID }}"
+
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: ./terraform
+          label: Staging
+          backend_config_file: ./terraform/env/dev.tfbackend
+          var_file: ./terraform/env/dev.tfvars
+          variables: |
+              vpc_id = "${{ secrets.VPC_ID }}"
+          auto_approve: true
+
+  
+                
+  Build_Image:
+
+    needs: Terraform  
+    runs-on: ubuntu-latest
+        
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::806066816337:role/fastapi-image-IAM-role
+          role-session-name: fastapi-image-IAM-role
+          aws-region: us-east-1
+      
+      - name: Registry Alias Output
+        uses: dflook/terraform-output@v1
+        id: my-outputs
+        with:
+          path: ./terraform
+          backend_config_file: ./terraform/env/dev.tfbackend
+
+      - name: Login to Amazon ECR Public
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
+              
+      - name: Build, tag, and push docker image to Amazon ECR Public
+        env:
+          REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
+          REGISTRY_ALIAS: ${{ steps.my-outputs.outputs.ecr_registry_id }}
+          REPOSITORY:  ${{ steps.my-outputs.outputs.ecr_repository_name }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |           
+            docker build -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG  .
+            docker build -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest  .
+
+            docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG 
+            docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..631dae7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,28 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..94cb280
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM python:3.9
+
+WORKDIR /app/
+
+COPY main.py /app/
+
+EXPOSE 5000
+
+RUN pip install fastapi && \
+    pip install "uvicorn[standard]"
+
+CMD [ "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "5000" ]
\ No newline at end of file
diff --git a/README.md b/README.md
index e15d5df..1d56b9e 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
-# python-fastAPI-docker-image-v2
\ No newline at end of file
+# python-fastAPI-docker-image-v2
+Containerizing a simple FastAPI
diff --git a/main.py b/main.py
new file mode 100644
index 0000000..9ec8485
--- /dev/null
+++ b/main.py
@@ -0,0 +1,26 @@
+from typing import Union
+
+from fastapi import FastAPI
+from pydantic import BaseModel
+
+app = FastAPI()
+
+
+class Item(BaseModel):
+    name: str
+    price: float
+    is_offer: Union[bool, None] = None
+
+@app.get("/")
+def read_root():
+    return {"Hello World": "Merry Christmas to everyone and a happy new year!!!"}
+
+
+@app.get("/items/{item_id}")
+def read_item(item_id: int, q: Union[str, None] = None):
+    return {"item_id": item_id, "q": q}
+
+
+@app.put("/items/{item_id}")
+def update_item(item_id: int, item: Item):
+    return {"item_name": item.name, "item_id": item_id}
\ No newline at end of file
diff --git a/terraform/alb.tf b/terraform/alb.tf
new file mode 100644
index 0000000..18300ee
--- /dev/null
+++ b/terraform/alb.tf
@@ -0,0 +1,26 @@
+resource "aws_lb" "alb" {
+  name               = "fastapi-lb-${var.env}"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.internet_to_ALB]
+  subnets = var.subnets_for_ecs
+}
+
+resource "aws_lb_listener" "front_end" {
+  load_balancer_arn = aws_lb.alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.target_group_P-5000.arn
+  }
+}
+
+resource "aws_lb_target_group" "target_group_P-5000" {
+  name        = "alb-target-group"
+  port        = 5000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = var.vpc_id
+}
\ No newline at end of file
diff --git a/terraform/ecr.tf b/terraform/ecr.tf
new file mode 100644
index 0000000..dbf4837
--- /dev/null
+++ b/terraform/ecr.tf
@@ -0,0 +1,10 @@
+resource "aws_ecrpublic_repository" "fastapi-ecr-public" {
+  provider = aws.ecr_region
+
+  repository_name = var.repo_name
+
+  catalog_data {
+    about_text  = "A FastAPI docker image"
+    description = "This is a containerized images of FastAPI stored on ECR ${var.env} environment"
+  }
+}
\ No newline at end of file
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
new file mode 100644
index 0000000..48acae0
--- /dev/null
+++ b/terraform/ecs.tf
@@ -0,0 +1,67 @@
+# ------ ECS Cluster ------- * 
+
+resource "aws_ecs_cluster" "fastapi-cluster" {
+  name = "fastapi-cluster"
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+# ------ Task definition ------- * 
+
+resource "aws_ecs_task_definition" "task_definition" {
+  family                   = "${var.env}-fastapi-container"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 1024
+  memory                   = 2048
+  container_definitions    = <<TASK_DEFINITION
+[
+  {
+    "name": "${var.env}_FastAPI_image",
+    "image": "${aws_ecrpublic_repository.fastapi-ecr-public.repository_uri}:${var.image_tag}",
+    "cpu": 1024,
+    "memory": 2048,
+    "essential": true,
+    "portMappings": [
+      {
+        "containerPort": 5000,
+        "hostPort": 5000
+      }
+    ]
+  }
+]
+TASK_DEFINITION
+
+}
+
+# ------ ECS Service -------- * 
+
+resource "aws_ecs_service" "fastapi-service" {
+  name                 = var.ecs_service_name
+  cluster              = aws_ecs_cluster.fastapi-cluster.id
+  task_definition      = aws_ecs_task_definition.task_definition.arn
+  desired_count        = 1
+  launch_type          = "FARGATE"
+  force_new_deployment = true
+
+  network_configuration {
+    subnets          = var.subnets_for_ecs
+    security_groups  = [aws_security_group.ALB_to_containers]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.target_group_P-5000.arn
+    container_name   = "${var.env}_FastAPI_image"
+    container_port   = 5000
+  }
+
+  triggers = {
+    redeployment = timestamp()
+  }
+}
+
+
diff --git a/terraform/env/dev.tfbackend b/terraform/env/dev.tfbackend
new file mode 100644
index 0000000..9c2785d
--- /dev/null
+++ b/terraform/env/dev.tfbackend
@@ -0,0 +1,5 @@
+bucket         = "terraform-state-file002"
+key            = "fastapi-image/dev/terraform.tfstate"
+region         = "eu-central-1"
+encrypt        = true
+dynamodb_table = "dynamoDB_tfstate-lock"
\ No newline at end of file
diff --git a/terraform/env/dev.tfvars b/terraform/env/dev.tfvars
new file mode 100644
index 0000000..0de0a98
--- /dev/null
+++ b/terraform/env/dev.tfvars
@@ -0,0 +1,6 @@
+default_region = "eu-central-1"
+secondary_region = "us-east-1"
+env = "dev"
+repo_name = "dev/irezd/fastapi"
+security_group_name = "open_port_5000"
+ecs_service_name = "dev-fastapi-service"
\ No newline at end of file
diff --git a/terraform/env/prod.tfbackend b/terraform/env/prod.tfbackend
new file mode 100644
index 0000000..7a30f21
--- /dev/null
+++ b/terraform/env/prod.tfbackend
@@ -0,0 +1,5 @@
+bucket         = "terraform-state-file002"
+key            = "fastapi-image/prod/terraform.tfstate"
+region         = "eu-central-1"
+encrypt        = true
+dynamodb_table = "dynamoDB_tfstate-lock"
\ No newline at end of file
diff --git a/terraform/env/prod.tfvars b/terraform/env/prod.tfvars
new file mode 100644
index 0000000..78857e2
--- /dev/null
+++ b/terraform/env/prod.tfvars
@@ -0,0 +1,6 @@
+default_region = "eu-central-1"
+secondary_region = "us-east-1"
+env = "prod"
+repo_name = "irezd/fastapi"
+security_group_name = "open_port_5000_prod"
+ecs_service_name = "fastapi-service"
\ No newline at end of file
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..7892be9
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,33 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+
+  backend "s3" {}
+}
+
+provider "aws" {
+  region = var.default_region
+
+  default_tags {
+    tags = {
+      Environment = "${title(var.env)} Environment"
+    }
+  }
+}
+
+provider "aws" {
+  alias  = "ecr_region"
+  region = var.secondary_region
+
+  default_tags {
+    tags = {
+      Environment = "${title(var.env)} Environment"
+    }
+  }
+}
diff --git a/terraform/networking.tf b/terraform/networking.tf
new file mode 100644
index 0000000..f85e1f1
--- /dev/null
+++ b/terraform/networking.tf
@@ -0,0 +1,45 @@
+resource "aws_security_group" "internet_to_ALB" {
+  name        = "internet-to-alb"
+  description = "Inbound traffic from the internet into ALB for ${var.env} FastAPI environment"
+
+  ingress {
+    description = "Inbound from Internet to ALB"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+}
+
+resource "aws_security_group" "ALB_to_containers" {
+  name        = "alb-to-containers"
+  description = "Allowing traffic from ALB to containers for ${var.env} FastAPI environment"
+
+  ingress {
+    description = "Inbound ALB to ECS containers"
+    from_port   = 5000
+    to_port     = 5000
+    protocol    = "tcp"
+    cidr_blocks = [aws_security_group.internet_to_ALB]
+    ipv6_cidr_blocks = [aws_security_group.internet_to_ALB]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+}
\ No newline at end of file
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
new file mode 100644
index 0000000..1a3325b
--- /dev/null
+++ b/terraform/outputs.tf
@@ -0,0 +1,8 @@
+
+output "ecr_registry_id" {
+  value = aws_ecrpublic_repository.fastapi-ecr-public.registry_id
+}
+
+output "ecr_repository_name" {
+  value = aws_ecrpublic_repository.fastapi-ecr-public.repository_name
+}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..6679801
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,41 @@
+variable "default_region" {
+  description = "The is the primary region for all deployed resources"
+}
+
+variable "secondary_region" {
+  description = "This is the second region for all deployed resources"
+}
+
+variable "env" {
+  description = "Describe the environment"
+}
+
+variable "repo_name" {
+  description = "Elastic Container Registry (ECR) repository name"
+}
+
+variable "image_tag" {
+  description = "Image tag to be entered at runtime for production while staging can use the default value"
+  default     = "latest"
+}
+
+variable "vpc_id" {
+  description = "ID number for default VPC"
+}
+
+variable "subnets_for_ecs" {
+  description = "list of subnets in Frankfurt region for ecs"
+  sensitive   = true
+  default     = ["subnet-0dac9ab248dbb9596", "subnet-0a933dc6606abaeb0", "subnet-0ed459ed9dbe8e041"]
+}
+
+variable "ipv4_cidr_for_ecs" {
+  description = "CIDR block for Security group"
+  sensitive   = true
+  default     = ["172.31.32.0/20", "172.31.0.0/20", "172.31.16.0/20"]
+}
+
+variable "ecs_service_name" {
+  description = "Corresponds to the name of the ECS service which will be different for both environments"
+}
+