ad provider config

Alexander Wiechert · Alexander Wiechert · commit a8d8f1368a73 · 2025-06-20T14:00:26.000+02:00
diff --git a/main.tf b/main.tf
@@ -1,99 +1,80 @@
-resource "aws_s3_bucket" "cur_bucket" {
-  count  = var.use_fake_data ? 0 : 1
-  bucket = var.s3_bucket_name
+resource "aws_ecs_cluster" "this" {
+  name = var.cluster_name
 }
 
-resource "aws_s3_bucket_policy" "cur_bucket_policy" {
-  count  = var.use_fake_data ? 0 : 1
-  bucket = aws_s3_bucket.cur_bucket[0].id
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Sid       = "AWSBillingPermissions",
-        Effect    = "Allow",
-        Principal = { Service = "billingreports.amazonaws.com" },
-        Action    = "s3:GetBucketAcl",
-        Resource  = aws_s3_bucket.cur_bucket[0].arn
-      },
-      {
-        Sid       = "AWSBillingPutObject",
-        Effect    = "Allow",
-        Principal = { Service = "billingreports.amazonaws.com" },
-        Action    = "s3:PutObject",
-        Resource  = "${aws_s3_bucket.cur_bucket[0].arn}/*"
-      }
-    ]
-  })
+# --- Load Balancer + Target Group ---
+resource "aws_lb" "grafana" {
+  name               = "${var.name}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.grafana_sg.id]
+  subnets            = var.subnet_ids
 }
 
-resource "aws_cur_report_definition" "ebs_report" {
-  count                      = var.use_fake_data ? 0 : 1
-  report_name                = var.report_name
-  time_unit                  = "DAILY"
-  format                     = "Parquet"
-  compression                = "Parquet"
-  additional_schema_elements = ["RESOURCES"]
-  s3_bucket                  = var.s3_bucket_name
-  s3_region                  = var.aws_region
-  s3_prefix                  = var.report_prefix
-  report_versioning          = "CREATE_NEW_REPORT"
-}
+resource "aws_lb_target_group" "grafana_tg" {
+  name        = "${var.name}-tg"
+  port        = 3000
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = var.vpc_id
 
-resource "aws_athena_database" "cur_database" {
-  count   = var.use_fake_data ? 0 : 1
-  name    = var.athena_database_name
-  bucket  = var.s3_bucket_name
-  comment = "Athena CUR Database"
+  health_check {
+    path                = "/"
+    port                = "3000"
+    protocol            = "HTTP"
+    matcher             = "200-399"
+    interval            = 30
+    timeout             = 5
+    healthy_threshold   = 2
+    unhealthy_threshold = 3
+  }
 }
 
-resource "aws_iam_role" "glue_crawler_role" {
-  count = var.use_fake_data ? 0 : 1
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.grafana.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = var.certificate_arn
 
-  name = "glue-crawler-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [{
-      Effect    = "Allow",
-      Principal = { Service = "glue.amazonaws.com" },
-      Action    = "sts:AssumeRole"
-    }]
-  })
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.grafana_tg.arn
+  }
 }
 
-resource "aws_iam_role_policy" "glue_crawler_policy" {
-  count = var.use_fake_data ? 0 : 1
-  role  = aws_iam_role.glue_crawler_role[0].id
+# --- ECS Service ---
+resource "aws_ecs_service" "grafana" {
+  name            = "${var.name}-service"
+  cluster         = aws_ecs_cluster.this.id
+  task_definition = aws_ecs_task_definition.grafana.arn
+  launch_type     = "FARGATE"
+  desired_count   = 1
+
+  network_configuration {
+    subnets         = var.subnet_ids
+    security_groups = [aws_security_group.grafana_sg.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.grafana_tg.arn
+    container_name   = "grafana"
+    container_port   = 3000
+  }
 
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = ["s3:GetObject", "s3:ListBucket"],
-        Resource = [
-          "arn:aws:s3:::${var.s3_bucket_name}",
-          "arn:aws:s3:::${var.s3_bucket_name}/*"
-        ]
-      },
-      {
-        Effect   = "Allow",
-        Action   = ["glue:*"],
-        Resource = "*"
-      }
-    ]
-  })
+  depends_on = [aws_iam_role_policy_attachment.ecs_task_exec_policy]
 }
 
-resource "aws_glue_crawler" "cur_crawler" {
-  count         = var.use_fake_data ? 0 : 1
-  name          = var.crawler_name
-  role          = aws_iam_role.glue_crawler_role[0].arn
-  database_name = var.athena_database_name
+# --- DNS (optional) ---
+resource "aws_route53_record" "grafana_dns" {
+  zone_id = var.zone_id
+  name    = var.domain_name
+  type    = "A"
 
-  s3_target {
-    path = "s3://${var.s3_bucket_name}/${var.report_prefix}"
+  alias {
+    name                   = aws_lb.grafana.dns_name
+    zone_id                = aws_lb.grafana.zone_id
+    evaluate_target_health = true
   }
 }
diff --git a/modules/grafana/README.md b/modules/grafana/README.md
@@ -0,0 +1,52 @@
+# Grafana ECS Task Submodule
+
+This submodule defines the ECS task definition and execution role required to run Grafana in AWS Fargate. It is designed to be used in combination with infrastructure components (like ALB, Route53, ECS service) defined in the parent module.
+
+## Features
+
+- Creates an ECS-compatible task definition for Grafana
+- Defines execution role with appropriate permissions
+- Configurable CPU, memory, log group and admin credentials
+- Outputs task and role ARNs for use in a parent module
+
+## Usage
+
+```hcl
+module "grafana" {
+  source = "./modules/grafana"
+
+  grafana_image       = "grafana/grafana-oss:latest"
+  admin_user          = "admin"
+  admin_password      = "changeme123"
+  cpu                 = 256
+  memory              = 512
+  log_group_name      = "/ecs/grafana"
+  execution_role_name = "grafana-exec-role"
+}
+```
+
+## Inputs
+
+| Name                  | Description                              | Type   | Default                |
+|-----------------------|------------------------------------------|--------|------------------------|
+| `grafana_image`       | Docker image to use                      | string | `grafana/grafana:latest` |
+| `admin_user`          | Grafana admin username                   | string | `admin`                |
+| `admin_password`      | Grafana admin password                   | string | `admin123`             |
+| `cpu`                 | CPU units for ECS task                   | number | 256                    |
+| `memory`              | Memory (MiB) for ECS task                | number | 512                    |
+| `container_port`      | Port exposed by Grafana container        | number | 3000                   |
+| `log_group_name`      | CloudWatch log group name                | string | `/ecs/grafana`         |
+| `execution_role_name` | Name of the IAM execution role          | string | `ecsTaskExecutionRole` |
+
+## Outputs
+
+| Name                  | Description                                |
+|-----------------------|--------------------------------------------|
+| `task_definition_arn` | ARN of the ECS task definition             |
+| `execution_role_arn`  | ARN of the execution role                 |
+| `container_name`      | Name of the Grafana container              |
+| `container_port`      | Port exposed by Grafana                    |
+
+---
+
+> **Note:** This module is intended to be used within a larger Terraform setup. It does not include networking or service-level configuration. See the root module for complete deployment.
diff --git a/modules/grafana/main.tf b/modules/grafana/main.tf
@@ -0,0 +1,72 @@
+# --- IAM Role for Fargate Task Execution ---
+resource "aws_iam_role" "grafana_task_execution" {
+  name = "${var.name}-task-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Principal = {
+        Service = "ecs-tasks.amazonaws.com"
+      },
+      Effect = "Allow",
+      Sid    = ""
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_exec_policy" {
+  role       = aws_iam_role.grafana_task_execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# --- Security Group ---
+resource "aws_security_group" "grafana_sg" {
+  name        = "${var.name}-sg"
+  description = "Allow HTTP/HTTPS access to Grafana"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = var.allowed_cidr_blocks
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# --- Task Definition ---
+resource "aws_ecs_task_definition" "grafana" {
+  family                   = "${var.name}-task"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = "256"
+  memory                   = "512"
+  execution_role_arn       = aws_iam_role.grafana_task_execution.arn
+
+  container_definitions = jsonencode([
+    {
+      name      = "grafana"
+      image     = "grafana/grafana-oss:latest"
+      portMappings = [{
+        containerPort = 3000
+        protocol      = "tcp"
+      }]
+      environment = [
+        {
+          name  = "GF_SECURITY_ADMIN_PASSWORD"
+          value = var.admin_password
+        }
+      ]
+    }
+  ])
+}
+
+
+
diff --git a/modules/grafana/variables.tf b/modules/grafana/variables.tf
@@ -0,0 +1,48 @@
+variable "grafana_image" {
+  description = "Docker image for Grafana"
+  type        = string
+  default     = "grafana/grafana:latest"
+}
+
+variable "admin_user" {
+  description = "Grafana admin username"
+  type        = string
+  default     = "admin"
+}
+
+variable "admin_password" {
+  description = "Grafana admin password"
+  type        = string
+  default     = "admin123"
+  sensitive   = true
+}
+
+variable "cpu" {
+  description = "CPU units for the task (e.g. 256 = 0.25 vCPU)"
+  type        = number
+  default     = 256
+}
+
+variable "memory" {
+  description = "Memory in MiB for the task (e.g. 512 = 0.5 GB)"
+  type        = number
+  default     = 512
+}
+
+variable "container_port" {
+  description = "Port exposed by Grafana container"
+  type        = number
+  default     = 3000
+}
+
+variable "log_group_name" {
+  description = "CloudWatch log group for Grafana logs"
+  type        = string
+  default     = "/ecs/grafana"
+}
+
+variable "execution_role_name" {
+  description = "IAM role name for ECS task execution"
+  type        = string
+  default     = "ecsTaskExecutionRole"
+}
diff --git a/modules/outputs.tf b/modules/outputs.tf
@@ -0,0 +1,19 @@
+output "task_definition_arn" {
+  description = "ARN of the Grafana ECS task definition"
+  value       = aws_ecs_task_definition.grafana.arn
+}
+
+output "execution_role_arn" {
+  description = "ARN of the ECS execution IAM role"
+  value       = aws_iam_role.grafana_task_execution.arn
+}
+
+output "container_name" {
+  description = "Name of the Grafana container in the task definition"
+  value       = "grafana"
+}
+
+output "container_port" {
+  description = "Port exposed by Grafana container"
+  value       = var.container_port
+}
