fixing base variables

Author: Alexander Wiechert

main.tf

@@ -1,18 +1,24 @@
+module "grafana" {
+  source = "./modules/grafana"
+  vpc_id = var.vpc_id
+  project_name = var.project_name
+}
+
 resource "aws_ecs_cluster" "this" {
-  name = var.cluster_name
+  name = var.project_name
 }
 
 # --- Load Balancer + Target Group ---
 resource "aws_lb" "grafana" {
-  name               = "${var.name}-alb"
+  name               = "${var.project_name}-alb"
   internal           = false
   load_balancer_type = "application"
   security_groups    = [aws_security_group.grafana_sg.id]
   subnets            = var.subnet_ids
 }
 
 resource "aws_lb_target_group" "grafana_tg" {
-  name        = "${var.name}-tg"
+  name        = "${var.project_name}-tg"
   port        = 3000
   protocol    = "HTTP"
   target_type = "ip"
@@ -32,10 +38,8 @@ resource "aws_lb_target_group" "grafana_tg" {
 
 resource "aws_lb_listener" "https" {
   load_balancer_arn = aws_lb.grafana.arn
-  port              = 443
-  protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-2016-08"
-  certificate_arn   = var.certificate_arn
+  port              = 3000
+  protocol          = "HTTP"
 
   default_action {
     type             = "forward"
@@ -45,9 +49,9 @@ resource "aws_lb_listener" "https" {
 
 # --- ECS Service ---
 resource "aws_ecs_service" "grafana" {
-  name            = "${var.name}-service"
+  name            = "${var.project_name}-service"
   cluster         = aws_ecs_cluster.this.id
-  task_definition = aws_ecs_task_definition.grafana.arn
+  task_definition = module.grafana.task_definition_arn
   launch_type     = "FARGATE"
   desired_count   = 1
 
@@ -62,19 +66,44 @@ resource "aws_ecs_service" "grafana" {
     container_name   = "grafana"
     container_port   = 3000
   }
-
-  depends_on = [aws_iam_role_policy_attachment.ecs_task_exec_policy]
 }
 
 # --- DNS (optional) ---
-resource "aws_route53_record" "grafana_dns" {
-  zone_id = var.zone_id
-  name    = var.domain_name
-  type    = "A"
+# resource "aws_route53_record" "grafana_dns" {
+#   zone_id = var.zone_id
+#   name    = var.domain_name
+#   type    = "A"
+#
+#   alias {
+#     name                   = aws_lb.grafana.dns_name
+#     zone_id                = aws_lb.grafana.zone_id
+#     evaluate_target_health = true
+#   }
+# }
+
+resource "aws_security_group" "grafana_sg" {
+  name        = "${var.project_name}-grafana-sg"
+  description = "Security Group for Grafana"
+  vpc_id      = var.vpc_id
 
-  alias {
-    name                   = aws_lb.grafana.dns_name
-    zone_id                = aws_lb.grafana.zone_id
-    evaluate_target_health = true
+  ingress {
+    description = "Allow ALB to Grafana on port 3000"
+    from_port   = 3000
+    to_port     = 3000
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"] # Nur für Tests – später auf ALB Security Group einschränken!
+    # security_groups = [var.alb_security_group_id] # Besser: explizite SG, siehe oben
   }
-}
+
+  egress {
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.project_name}-grafana-sg"
+  }
+}

modules/grafana/main.tf

@@ -1,6 +1,6 @@
 # --- IAM Role for Fargate Task Execution ---
 resource "aws_iam_role" "grafana_task_execution" {
-  name = "${var.name}-task-execution-role"
+  name = "${var.project_name}-task-execution-role"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
@@ -22,15 +22,15 @@ resource "aws_iam_role_policy_attachment" "ecs_task_exec_policy" {
 
 # --- Security Group ---
 resource "aws_security_group" "grafana_sg" {
-  name        = "${var.name}-sg"
-  description = "Allow HTTP/HTTPS access to Grafana"
+  name        = "${var.project_name}-sg"
+  description = "Allow HTTP 3000 access to Grafana"
   vpc_id      = var.vpc_id
 
   ingress {
-    from_port   = 443
-    to_port     = 443
+    from_port   = 3000
+    to_port     = 3000
     protocol    = "tcp"
-    cidr_blocks = var.allowed_cidr_blocks
+    cidr_blocks = var.subnet_ids // muss auf öffentlich gesetzt werden sobald SSL verfübar ist.
   }
 
   egress {
@@ -43,7 +43,7 @@ resource "aws_security_group" "grafana_sg" {
 
 # --- Task Definition ---
 resource "aws_ecs_task_definition" "grafana" {
-  family                   = "${var.name}-task"
+  family                   = "${var.project_name}-task"
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
   cpu                      = "256"

modules/outputs.tf renamed to modules/grafana/outputs.tf

@@ -46,3 +46,19 @@ variable "execution_role_name" {
   type        = string
   default     = "ecsTaskExecutionRole"
 }
+
+variable "vpc_id" {
+  description = "The id of the VPC"
+  type = string
+}
+
+variable "subnet_ids" {
+  type        = list(string)
+  default     = []
+  description = "A list of subnet ids."
+}
+
+variable "project_name" {
+  type = string
+  default = "FinOPS-reporting"
+}

modules/grafana/variables.tf

@@ -0,0 +1,4 @@
+output "vpc_id" {
+  value = var.vpc_id
+}
+

outputs.tf

@@ -1,3 +1,8 @@
+variable "project_name" {
+  type = string
+  default = "FinOPS-reporting"
+}
+
 variable "use_fake_data" {
   description = "Enable fake/test mode (no AWS resources created)"
   type        = bool
@@ -55,4 +60,15 @@ variable "tag_filter_value" {
   description = "Tag value used to filter for ENV"
   type        = string
   default     = "Production"
+}
+
+variable "vpc_id" {
+  description = "The id of the VPC"
+  type = string
+}
+
+variable "subnet_ids" {
+  type        = list(string)
+  default     = []
+  description = "A list of subnet ids."
 }