From 7234067dbdab888baf7ec9f2f9090a5833527799 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Wed, 28 Dec 2022 16:22:14 +0100 Subject: [PATCH 1/4] upgrade code for terraform 1.x --- terraform/ecs.tf | 32 ++++++++++++++++---------------- terraform/iam.tf | 8 ++++---- terraform/main.tf | 2 +- terraform/networking.tf | 8 ++++---- terraform/nlb.tf | 12 ++++++------ terraform/output.tf | 4 ++++ terraform/variables.tf | 2 +- 7 files changed, 36 insertions(+), 32 deletions(-) diff --git a/terraform/ecs.tf b/terraform/ecs.tf index a8dde7d..40bd862 100644 --- a/terraform/ecs.tf +++ b/terraform/ecs.tf @@ -6,7 +6,7 @@ resource "aws_ecs_cluster" "main" { tags = merge( var.extra_tags, - map("Name", "${var.environment}-${var.app_name}"), + { "Name" = format("%s-%s-sg", var.environment, var.app_name) }, ) } @@ -20,7 +20,7 @@ resource "aws_cloudwatch_log_group" "cwlog" { tags = merge( var.extra_tags, - map("Name", format("%s-%s", var.environment, var.app_name)), + { "Name" = format("%s-%s-sg", var.environment, var.app_name) }, ) } 
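Review bot: The Name tag on `aws_ecs_cluster.main` changes from `${var.environment}-${var.app_name}` to `format("%s-%s-sg", …)`, which is the security group's naming from networking.tf, so a syntax-only migration also renames the cluster. The same copy-paste shows up in the `cwlog` hunk below (was `%s-%s`), in the `aws_ecs_task_definition` hunk later in ecs.tf (was `-task`), and in both nlb.tf hunks (`-nlb` and `-tg` both became `-fargate-role`); only the networking.tf and iam.tf tags kept their intended suffix. Keep each original value, e.g. here `{ "Name" = "${var.environment}-${var.app_name}" },` and in the log group `{ "Name" = format("%s-%s", var.environment, var.app_name) },`, and the corresponding `-task`, `-nlb` and `-tg` suffixes in the other hunks. Name tags are commonly what inventory, cost allocation and alerting use to locate these resources, so the silent rename is worth reverting before merge.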
@@ -79,33 +79,33 @@ resource "aws_ecs_task_definition" "squid" { EOF requires_compatibilities = ["FARGATE"] - network_mode = "awsvpc" - cpu = "256" - memory = "512" - execution_role_arn = aws_iam_role.ecs_execution_role.arn - task_role_arn = aws_iam_role.ecs_execution_role.arn + network_mode = "awsvpc" + cpu = "256" + memory = "512" + execution_role_arn = aws_iam_role.ecs_execution_role.arn + task_role_arn = aws_iam_role.ecs_execution_role.arn tags = merge( var.extra_tags, - map("Name", format("%s-%s-task", var.environment, var.app_name)), + { "Name" = format("%s-%s-sg", var.environment, var.app_name) }, ) } resource "aws_ecs_service" "service" { - name = "${var.environment}-${var.app_name}" - cluster = aws_ecs_cluster.main.id + name = "${var.environment}-${var.app_name}" + cluster = aws_ecs_cluster.main.id task_definition = "${aws_ecs_task_definition.squid.family}:${aws_ecs_task_definition.squid.revision}" - launch_type = "FARGATE" - desired_count = var.desired_count + launch_type = "FARGATE" + desired_count = var.desired_count load_balancer { target_group_arn = aws_lb_target_group.main.arn - container_name = var.app_name - container_port = var.app_port + container_name = var.app_name + container_port = var.app_port } network_configuration { - subnets = var.fargate_subnets - security_groups = [aws_security_group.fargate.id] + subnets = var.fargate_subnets + security_groups = [aws_security_group.fargate.id] assign_public_ip = true } diff --git a/terraform/iam.tf b/terraform/iam.tf index 39e127e..7332090 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -19,7 +19,7 @@ EOF tags = merge( var.extra_tags, - map("Name", format("%s-%s-fargate-role", var.environment, var.app_name)), + { "Name" = format("%s-%s-fargate-role", var.environment, var.app_name) }, ) } 
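Review bot: `task_role_arn` and `execution_role_arn` both point at `aws_iam_role.ecs_execution_role`, so the Squid container itself runs with the execution role's permissions — `AmazonECSTaskExecutionRolePolicy` plus whatever `app_policy` grants in iam.tf — even though the agent-side pull/log permissions are not something an application container should normally hold. These lines are only realigned here, but since the commit touches them it is a good moment to separate the roles: define a dedicated task role in iam.tf (same assume-role policy as the execution role, only the application's permissions attached) and point the task at it, e.g. `task_role_arn = aws_iam_role.ecs_task_role.arn` (constructed name). `assign_public_ip = true` in `network_configuration` also remains; if the tasks only receive traffic through the NLB, a one-line comment stating why a public address is required (presumably image pulls or egress without a NAT gateway — confirm) would save the next reviewer the same question. The `aws_ecs_task_definition` resource begins before this hunk.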
@@ -36,12 +36,12 @@ data "aws_iam_policy_document" "app_policy" { } resource "aws_iam_role_policy" "app_policy_pl" { - name = "app_policy" - role = aws_iam_role.ecs_execution_role.name + name = "app_policy" + role = aws_iam_role.ecs_execution_role.name policy = data.aws_iam_policy_document.app_policy.json } resource "aws_iam_role_policy_attachment" "ecs_execution_policy" { - role = aws_iam_role.ecs_execution_role.name + role = aws_iam_role.ecs_execution_role.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } diff --git a/terraform/main.tf b/terraform/main.tf index f94b61f..7117131 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.12.0" + required_version = ">= 1.0" } diff --git a/terraform/networking.tf b/terraform/networking.tf index 72006c1..72821b9 100644 --- a/terraform/networking.tf +++ b/terraform/networking.tf @@ -1,7 +1,7 @@ resource "aws_security_group" "fargate" { name = format("%s-%s-sg", var.environment, var.app_name) description = format("%s-%s-sg", var.environment, var.app_name) - vpc_id = "${var.vpc_id}" + vpc_id = var.vpc_id ingress { from_port = var.app_port @@ -17,8 +17,8 @@ resource "aws_security_group" "fargate" { cidr_blocks = ["0.0.0.0/0"] } - tags = "${merge( + tags = merge( var.extra_tags, - map("Name", format("%s-%s-sg", var.environment, var.app_name)), - )}" + { "Name" = format("%s-%s-sg", var.environment, var.app_name) }, + ) } diff --git a/terraform/nlb.tf b/terraform/nlb.tf index 0a31cd6..644faa3 100644 --- a/terraform/nlb.tf +++ b/terraform/nlb.tf @@ -11,10 +11,10 @@ resource "aws_lb" "main" { subnets = var.lb_subnets - tags = "${merge( + tags = merge( var.extra_tags, - map("Name", format("%s-%s-nlb", var.environment, var.app_name)), - )}" + { "Name" = format("%s-%s-fargate-role", var.environment, var.app_name) }, + ) } # adds a tcp listener to the load balancer and allows ingress 
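Review bot: `required_version = ">= 1.0"` is the only constraint in the `terraform` block and nothing in this series pins the AWS provider, so a fresh `terraform init` resolves to the newest provider release and a future major version can change resource defaults under unchanged code. Unless a constraint lives in a file outside this patch, add a `required_providers` entry alongside the version constraint and commit the resulting `.terraform.lock.hcl` so every checkout resolves the same provider build. The version string below is a placeholder to be replaced with the provider series this module was actually tested against.
```terraform
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> <MAJOR.MINOR>" # placeholder: pin to the tested provider series
    }
  }
}
```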
@@ -45,8 +45,8 @@ resource "aws_lb_target_group" "main" { unhealthy_threshold = 2 } - tags = "${merge( + tags = merge( var.extra_tags, - map("Name", format("%s-%s-tg", var.environment, var.app_name)), - )}" + { "Name" = format("%s-%s-fargate-role", var.environment, var.app_name) }, + ) } diff --git a/terraform/output.tf b/terraform/output.tf index b92c9e3..6d1aca7 100644 --- a/terraform/output.tf +++ b/terraform/output.tf @@ -13,3 +13,7 @@ output "nlb_arn" { output "nlb_hostname" { value = aws_lb.main.dns_name } + +output "nlb_zone_id" { + value = aws_lb.main.zone_id +} diff --git a/terraform/variables.tf b/terraform/variables.tf index dc0c348..74dff7c 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -27,7 +27,7 @@ variable "fargate_image" { # Additional tags to apply to all tagged resources. variable "extra_tags" { - type = "map" + type = map(any) } variable "internal" { From 8eb259170aa1f38cd1594e3485142b9ac4eb923d Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Thu, 22 Jun 2023 11:36:10 +0200 Subject: [PATCH 2/4] Restrict SG --- terraform/networking.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/networking.tf b/terraform/networking.tf index 72821b9..c343637 100644 --- a/terraform/networking.tf +++ b/terraform/networking.tf @@ -7,7 +7,7 @@ resource "aws_security_group" "fargate" { from_port = var.app_port to_port = var.app_port protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + cidr_blocks = ["10.0.0.0/8"] } egress { From e80e9040400be0d51a24c5a8a033511bc1f8eefd Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Thu, 22 Jun 2023 11:41:22 +0200 Subject: [PATCH 3/4] Add log_retention_in_days --- terraform/ecs.tf | 2 +- terraform/variables.tf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/terraform/ecs.tf b/terraform/ecs.tf index 40bd862..503f228 100644 --- a/terraform/ecs.tf +++ b/terraform/ecs.tf 
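Review bot: `type = map(any)` for `extra_tags` accepts a map of numbers or bools, yet every `merge()` in this module feeds the result into AWS `tags`, which are strings, so a caller passing non-string values is only rejected by the provider at plan/apply time instead of at variable validation. Change the line to `type = map(string)`, which also matches the `{ "Name" = format(...) }` literals it is merged with. The comment above the variable already explains its purpose, so a `description = "Additional tags applied to all tagged resources"` can simply restate it for `terraform-docs` and module consumers.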
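Review bot: The ingress rule now hard-codes `10.0.0.0/8`, the whole RFC 1918 class-A range, rather than this deployment's VPC CIDR or the NLB subnets, and nothing ties it to `var.vpc_id` or `var.lb_subnets`. Make it a variable so each environment can narrow it, e.g. `cidr_blocks = var.allowed_ingress_cidrs` (constructed name) backed by a `list(string)` variable in variables.tf whose description says it must cover the addresses the tasks actually see. Whether those are the original clients or the load balancer's own addresses depends on the NLB's client IP preservation setting, which is not visible in this series — worth confirming before tightening further. Note also that `assign_public_ip = true` in ecs.tf still gives each task a public address; with this rule it only accepts traffic from 10/8, which is presumably the intent, so a short comment on the rule would make that explicit.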
@@ -16,7 +16,7 @@ ECS task definitions resource "aws_cloudwatch_log_group" "cwlog" { name = "/ecs/${var.environment}-${var.app_name}" - retention_in_days = 30 + retention_in_days = var.log_retention_in_days tags = merge( var.extra_tags, diff --git a/terraform/variables.tf b/terraform/variables.tf index 74dff7c..5ec1d73 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -69,6 +69,11 @@ variable "deregistration_delay" { type = number } +variable "log_retention_in_days" { + default = 30 + type = number +} + variable "whitelist_aws_region" { description = "URL filter for AWS region" default = "eu-west-1,eu-west-2,eu-central-1" From c214edae77e25cd370d447a5e7fae2910b758c5d Mon Sep 17 00:00:00 2001 From: Julien Duvoux Date: Wed, 15 May 2024 16:55:32 +0200 Subject: [PATCH 4/4] ignore change on tags on aws_appautoscaling_target resource --- terraform/autoscaling.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/terraform/autoscaling.tf b/terraform/autoscaling.tf index 4c34864..b151481 100644 --- a/terraform/autoscaling.tf +++ b/terraform/autoscaling.tf @@ -2,8 +2,11 @@ resource "aws_appautoscaling_target" "target" { service_namespace = "ecs" resource_id = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.service.name}" scalable_dimension = "ecs:service:DesiredCount" - min_capacity = "${var.desired_count}" - max_capacity = "${var.max_count}" + min_capacity = var.desired_count + max_capacity = var.max_count + lifecycle { + ignore_changes = [tags_all] + } } # Automatically scale capacity up by one
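Review bot: The new `log_retention_in_days` variable has no `description`, unlike `whitelist_aws_region` just below it, and CloudWatch Logs only accepts a fixed set of retention periods, so a value such as 45 fails at apply rather than at plan. Add `description = "Retention of the ECS CloudWatch log group in days; 0 keeps logs indefinitely"` and consider a `validation` block restricting the value to the periods listed in the `aws_cloudwatch_log_group` documentation, which turns the provider error into a plan-time message. The default of 30 preserves the previous hard-coded behaviour, which is worth saying in the description too.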
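Review bot: `ignore_changes = [tags_all]` is added without a comment, and the resource sets no `tags` of its own, so a reader cannot tell whether this silences a perpetual diff from provider `default_tags` or deliberately hands tag management to something outside Terraform; either way, tags on this target will no longer be reconciled by `apply`, including any real drift. Add a comment above the block stating the reason and when it can be removed, e.g. `# tags_all ignored because <reason — fill in>; revisit after the next AWS provider upgrade`. If the goal is only to stop a spurious diff, mention that so a future maintainer does not assume tags on this resource are unmanaged by design.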