Merge branch 'master' into ecs-agent

Author: webyneter

Readme.md

@@ -155,12 +155,16 @@ traffic in and out of the different subnets. The Stack terraform will automatica
 
 Traffic from each internal subnet to the outside world will run through the associated NAT gateway.
 
+Alternatively, setting the `use_nat_instances` VPC module variable to true, will use [EC2 NAT instances][nat-instances] instead of the NAT gateway. NAT instances cost less than the NAT gateway, can be shutdown when not in use, and may be preferred in development environments. By default, NAT instances will not use [Elastic IPs][elastic-ip] to avoid a small hourly charge if the NAT instances are not running full time. To use Elastic IPs for the NAT instances, set the `use_eip_with_nat_instances` VPC module variable to true.
+
 For further reading, check out these sources:
 
 - [Recommended Address Space](http://serverfault.com/questions/630022/what-is-the-recommended-cidr-when-creating-vpc-on-aws)
 - [Practical VPC Design](https://medium.com/aws-activate-startup-blog/practical-vpc-design-8412e1a18dcc)
 
 [nat-gateway]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html
+[nat-instances]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
+[elastic-ip]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
 
 ### Instances
 

docs.md

@@ -44,6 +44,10 @@ Usage:
 | cidr | the CIDR block to provision for the VPC, if set to something other than the default, both internal_subnets and external_subnets have to be defined as well | `10.30.0.0/16` | no |
 | internal_subnets | a list of CIDRs for internal subnets in your VPC, must be set if the cidr variable is defined, needs to have as many elements as there are availability zones | `<list>` | no |
 | external_subnets | a list of CIDRs for external subnets in your VPC, must be set if the cidr variable is defined, needs to have as many elements as there are availability zones | `<list>` | no |
+| use_nat_instances | use NAT EC2 instances instead of the NAT gateway service | `false` | no |
+| use_eip_with_nat_instances | use Elastic IPs with NAT instances if `use_nat_instances` is true | `false` | no |
+| nat_instance_type | the EC2 instance type for NAT instances if `use_nat_instances` is true | `t2.nano` | no |
+| nat_instance_ssh_key_name | the name of the ssh key to use with NAT instances if `use_nat_instances` is true | "" | no |
 | availability_zones | a comma-separated list of availability zones, defaults to all AZ of the region, if set to something other than the defaults, both internal_subnets and external_subnets have to be defined as well | `<list>` | no |
 | bastion_instance_type | Instance type for the bastion | `t2.micro` | no |
 | ecs_cluster_name | the name of the cluster, if not specified the variable name will be used | `` | no |

ecs-cluster/main.tf

@@ -126,35 +126,6 @@ variable "extra_cloud_config_content" {
   default     = ""
 }
 
-resource "aws_security_group" "cluster" {
-  name        = "${var.name}-ecs-cluster"
-  vpc_id      = "${var.vpc_id}"
-  description = "Allows traffic from and to the EC2 instances of the ${var.name} ECS cluster"
-
-  ingress {
-    from_port       = 0
-    to_port         = 0
-    protocol        = -1
-    security_groups = ["${split(",", var.security_groups)}"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = -1
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags {
-    Name        = "ECS cluster (${var.name})"
-    Environment = "${var.environment}"
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
 resource "aws_ecs_cluster" "main" {
   name = "${var.name}"
 
@@ -198,7 +169,7 @@ resource "aws_launch_configuration" "main" {
   ebs_optimized               = "${var.instance_ebs_optimized}"
   iam_instance_profile        = "${var.iam_instance_profile}"
   key_name                    = "${var.key_name}"
-  security_groups             = ["${aws_security_group.cluster.id}"]
+  security_groups             = ["${split(",", var.security_groups)}"]
   user_data                   = "${data.template_cloudinit_config.cloud_config.rendered}"
   associate_public_ip_address = "${var.associate_public_ip_address}"
 
@@ -382,8 +353,3 @@ resource "aws_cloudwatch_metric_alarm" "memory_low" {
 output "name" {
   value = "${var.name}"
 }
-
-// The cluster security group ID.
-output "security_group_id" {
-  value = "${aws_security_group.cluster.id}"
-}

main.tf

@@ -127,6 +127,11 @@ variable "ecs_security_groups" {
   default     = ""
 }
 
+variable "ecs_extra_security_groups" {
+  description = "A comma separated list of security groups added to the default security groups of the stack"
+  default     = ""
+}
+
 variable "ecs_ami" {
   description = "The AMI that will be used to launch EC2 instances in the ECS cluster"
   default     = ""
@@ -233,7 +238,6 @@ module "s3_logs" {
   source                  = "./s3-logs"
   name                    = "${var.name}"
   environment             = "${var.environment}"
-  account_id              = "${module.defaults.s3_logs_account_id}"
   logs_expiration_enabled = "${var.logs_expiration_enabled}"
   logs_expiration_days    = "${var.logs_expiration_days}"
 }
@@ -332,3 +336,13 @@ output "internal_route_tables" {
 output "external_route_tables" {
   value = "${module.vpc.external_rtb_id}"
 }
+
+// The external ssh security group ID.
+output "external_ssh" {
+  value = "${module.security_groups.external_ssh}"
+}
+
+// The internal ssh security group ID.
+output "internal_ssh" {
+  value = "${module.security_groups.internal_ssh}"
+}

rds/main.tf

@@ -51,6 +51,16 @@ variable "maintenance_window" {
   default     = "Mon:01:00-Mon:02:00"
 }
 
+variable "monitoring_interval" {
+  description = "Seconds between enhanced monitoring metric collection. 0 disables enhanced monitoring."
+  default     = "0"
+}
+
+variable "monitoring_role_arn" {
+  description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Required if monitoring_interval > 0."
+  default     = ""
+}
+
 variable "apply_immediately" {
   description = "If false, apply changes during maintenance window"
   default     = true
@@ -97,32 +107,40 @@ variable "subnet_ids" {
   type        = "list"
 }
 
-resource "aws_security_group" "main" {
-  name        = "${var.name}-rds"
-  description = "Allows traffic to RDS from other security groups"
-  vpc_id      = "${var.vpc_id}"
+resource "aws_security_group_rule" "main-ingress-cidrs" {
+  security_group_id = "${aws_security_group.main.id}"
+  type              = "ingress"
+  cidr_blocks       = ["${var.ingress_allow_cidr_blocks}"]
+  from_port         = "${var.port}"
+  to_port           = "${var.port}"
+  protocol          = "TCP"
+}
 
-  ingress {
-    from_port       = "${var.port}"
-    to_port         = "${var.port}"
-    protocol        = "TCP"
-    security_groups = ["${var.ingress_allow_security_groups}"]
-  }
+resource "aws_security_group_rule" "main-ingress-sgs" {
+  security_group_id        = "${aws_security_group.main.id}"
+  type                     = "ingress"
+  count                    = "${length(var.ingress_allow_security_groups)}"
+  source_security_group_id = "${element(var.ingress_allow_security_groups, count.index)}"
 
-  ingress {
-    from_port   = "${var.port}"
-    to_port     = "${var.port}"
-    protocol    = "TCP"
-    cidr_blocks = ["${var.ingress_allow_cidr_blocks}"]
-  }
+  from_port                = "${var.port}"
+  to_port                  = "${var.port}"
+  protocol                 = "TCP"
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = -1
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_security_group_rule" "main-egress-all" {
+  security_group_id = "${aws_security_group.main.id}"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = -1
+  cidr_blocks       = ["0.0.0.0/0"]
+}
 
+
+resource "aws_security_group" "main" {
+  name        = "${var.name}-rds"
+  description = "Allows traffic to RDS from other security groups"
+  vpc_id      = "${var.vpc_id}"
   tags {
     Name = "RDS (${var.name})"
   }
@@ -149,6 +167,8 @@ resource "aws_db_instance" "main" {
   backup_retention_period   = "${var.backup_retention_period}"
   backup_window             = "${var.backup_window}"
   maintenance_window        = "${var.maintenance_window}"
+  monitoring_interval       = "${var.monitoring_interval}"
+  monitoring_role_arn       = "${var.monitoring_role_arn}"
   apply_immediately         = "${var.apply_immediately}"
   final_snapshot_identifier = "${var.name}-finalsnapshot"
 

s3-logs/main.tf

@@ -12,12 +12,14 @@ variable "logs_expiration_days" {
   default = 30
 }
 
+data "aws_elb_service_account" "main" {}
+
 data "template_file" "policy" {
   template = "${file("${path.module}/policy.json")}"
 
   vars = {
     bucket     = "${var.name}-${var.environment}-logs"
-    account_id = "${var.account_id}"
+    elb_account_id = "${data.aws_elb_service_account.main.arn}"
   }
 }
 

s3-logs/policy.json

@@ -5,7 +5,7 @@
       "Action": "s3:PutObject",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "arn:aws:iam::${account_id}:root"
+        "AWS": "${elb_account_id}"
       },
       "Resource": "arn:aws:s3:::${bucket}/*",
       "Sid": "log-bucket-policy"