Create modularized ecs services (#3322)

Create service to handle background tasks as well as create a
user-facing service (thrust). This is also used as an opportunity to
rename the existing service and move it into the module setup.
This is part of a PR chain with
#3321 as
parent

Author: TheOneFromNorway

Dockerfile

@@ -80,7 +80,9 @@ USER 1000:1000
 # Entrypoint prepares the database.
 ENTRYPOINT ["/rails/bin/docker-entrypoint"]
 
-# Start server via Thruster by default, this can be overwritten at runtime
+# Start web server by default, this can be overwritten by environment variable
 EXPOSE 4000
 ENV HTTP_PORT=4000
-CMD ["./bin/thrust", "./bin/rails", "server"]
+ENV GOOD_JOB_PROBE_PORT=4000
+ENV SERVER_TYPE=web
+CMD ["./bin/docker-start"]

bin/docker-entrypoint

@@ -6,8 +6,8 @@ if [ -z "${LD_PRELOAD+x}" ]; then
   export LD_PRELOAD
 fi
 
-# If running the rails server then create or migrate existing database
-if [ "${@: -2:1}" == "./bin/rails" ] && [ "${@: -1:1}" == "server" ]; then
+# When starting the container then create or migrate existing database
+if [ "$1" == "./bin/docker-start" ]; then
   ./bin/rails db:prepare:ignore_concurrent_migration_exceptions
 fi
 

bin/docker-start

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+if [ "$SERVER_TYPE" == "web" ]; then
+  echo "Starting web server..."
+  exec "$SCRIPT_DIR"/thrust "$SCRIPT_DIR"/rails server
+elif [ "$SERVER_TYPE" == "good-job" ]; then
+  echo "Starting good-job server..."
+  exec "$SCRIPT_DIR"/bundle exec good_job start
+else
+  echo "SERVER_TYPE variable: '$SERVER_TYPE' unknown. Allowed values ['web','good-job']"
+exit 1
+fi

config/application.rb

@@ -75,7 +75,7 @@ class Application < Rails::Application
     config.active_model.i18n_customize_full_message = true
 
     config.active_job.queue_adapter = :good_job
-    config.good_job.execution_mode = :async
+    config.good_job.execution_mode = :external
 
     config.view_component.default_preview_layout = "component_preview"
     config.view_component.preview_controller = "ComponentPreviewsController"

config/environments/development.rb

@@ -81,6 +81,9 @@
   # Prevent health checks from clogging up the logs.
   config.silence_healthcheck_path = "/up"
 
+  # Set up GoodJob for async execution in development mode
+  config.good_job.execution_mode = :async
+
   # Enable strict loading to catch N+1 problems.
   config.active_record.strict_loading_by_default = true
   config.active_record.strict_loading_mode = :n_plus_one_only

config/puma.rb

@@ -57,7 +57,8 @@
 # processes).
 workers Settings.web_concurrency
 
-if Settings.web_concurrency > 1
+if Settings.web_concurrency > 1 &&
+     Rails.configuration.good_job.execution_mode != :external
   # Cleanly shut down GoodJob when Puma is shut down.
   # See https://github.com/bensheldon/good_job#execute-jobs-async--in-process
   MAIN_PID = Process.pid

terraform/app/autoscaling.tf

@@ -1,6 +1,6 @@
 resource "aws_appautoscaling_target" "ecs_target" {
   count              = var.enable_autoscaling ? 1 : 0
-  resource_id        = "service/${aws_ecs_cluster.cluster.name}/${aws_ecs_service.service.name}"
+  resource_id        = "service/${aws_ecs_cluster.cluster.name}/${module.web_service.service.name}"
   max_capacity       = var.maximum_replicas
   min_capacity       = var.minimum_replicas
   service_namespace  = "ecs"

terraform/app/codedeploy.tf

@@ -32,7 +32,7 @@ resource "aws_codedeploy_deployment_group" "blue_green_deployment_group" {
 
   ecs_service {
     cluster_name = aws_ecs_cluster.cluster.name
-    service_name = aws_ecs_service.service.name
+    service_name = module.web_service.service.name
   }
 
   load_balancer_info {
@@ -116,8 +116,8 @@ resource "aws_s3_object" "appspec_object" {
   key    = "appspec.yaml"
   acl    = "private"
   content = templatefile("templates/appspec.yaml.tpl", {
-    task_definition_arn = aws_ecs_task_definition.task_definition.arn
-    container_name      = jsondecode(aws_ecs_task_definition.task_definition.container_definitions)[0].name
+    task_definition_arn = module.web_service.task_definition.arn
+    container_name      = module.web_service.task_definition.arn
     container_port      = aws_lb_target_group.blue.port
   })
 

terraform/app/ecs.tf

@@ -1,3 +1,4 @@
+#TODO: Remove after release
 resource "aws_security_group" "ecs_service_sg" {
   name        = "ecs-service-sg"
   description = "Security Group for communication with ECS"
@@ -7,6 +8,7 @@ resource "aws_security_group" "ecs_service_sg" {
   }
 }
 
+#TODO: Remove after release
 resource "aws_security_group_rule" "ecs_ingress_http" {
   type                     = "ingress"
   from_port                = 4000
@@ -19,6 +21,7 @@ resource "aws_security_group_rule" "ecs_ingress_http" {
   }
 }
 
+#TODO: Remove after release
 resource "aws_security_group_rule" "ecs_talk_to_internet" {
   type              = "egress"
   from_port         = 0
@@ -28,15 +31,7 @@ resource "aws_security_group_rule" "ecs_talk_to_internet" {
   security_group_id = aws_security_group.ecs_service_sg.id
 }
 
-resource "aws_ecs_cluster" "cluster" {
-  name = "mavis-${var.environment}"
-
-  setting {
-    name  = "containerInsights"
-    value = "enabled"
-  }
-}
-
+#TODO: Remove after release
 resource "aws_ecs_service" "service" {
   name                              = "mavis-${var.environment}"
   cluster                           = aws_ecs_cluster.cluster.id
@@ -53,7 +48,7 @@ resource "aws_ecs_service" "service" {
 
   load_balancer {
     target_group_arn = aws_lb_target_group.blue.arn
-    container_name   = local.container_name
+    container_name   = "mavis-${var.environment}"
     container_port   = 4000
   }
   deployment_controller {
@@ -69,6 +64,7 @@ resource "aws_ecs_service" "service" {
   }
 }
 
+#TODO: Remove after release
 resource "aws_ecs_task_definition" "task_definition" {
   family                   = "task-definition-${var.environment}"
   requires_compatibilities = ["FARGATE"]
@@ -79,7 +75,7 @@ resource "aws_ecs_task_definition" "task_definition" {
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   container_definitions = jsonencode([
     {
-      name      = local.container_name
+      name      = "mavis-${var.environment}"
       image     = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
       essential = true
       portMappings = [
@@ -88,7 +84,7 @@ resource "aws_ecs_task_definition" "task_definition" {
           hostPort      = 4000
         }
       ]
-      environment = local.task_envs
+      environment = concat(local.task_envs, [{ name = "SERVER_TYPE", value = "web" }])
       secrets     = local.task_secrets
       logConfiguration = {
         logDriver = "awslogs"
@@ -109,3 +105,77 @@ resource "aws_ecs_task_definition" "task_definition" {
   ])
   depends_on = [aws_cloudwatch_log_group.ecs_log_group]
 }
+
+resource "aws_security_group_rule" "web_service_alb_ingress" {
+  type                     = "ingress"
+  from_port                = 4000
+  to_port                  = 4000
+  protocol                 = "tcp"
+  security_group_id        = module.web_service.security_group_id
+  source_security_group_id = aws_security_group.lb_service_sg.id
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_ecs_cluster" "cluster" {
+  name = "mavis-${var.environment}"
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+module "web_service" {
+  source = "./modules/ecs_service"
+  task_config = {
+    environment          = local.task_envs
+    secrets              = local.task_secrets
+    cpu                  = 1024
+    memory               = 2048
+    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
+    execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
+    task_role_arn        = aws_iam_role.ecs_task_role.arn
+    log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
+    region               = var.region
+    health_check_command = ["CMD-SHELL", "curl -f http://localhost:4000/up || exit 1"]
+  }
+  network_params = {
+    subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
+    vpc_id  = aws_vpc.application_vpc.id
+  }
+  loadbalancer = {
+    target_group_arn = aws_lb_target_group.green.arn
+    container_port   = 4000
+  }
+  cluster_id            = aws_ecs_cluster.cluster.id
+  environment           = var.environment
+  server_type           = "web"
+  desired_count         = var.minimum_replicas
+  deployment_controller = "CODE_DEPLOY"
+}
+
+module "good_job_service" {
+  source = "./modules/ecs_service"
+  task_config = {
+    environment          = local.task_envs
+    secrets              = local.task_secrets
+    cpu                  = 1024
+    memory               = 2048
+    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
+    execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
+    task_role_arn        = aws_iam_role.ecs_task_role.arn
+    log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
+    region               = var.region
+    health_check_command = ["CMD-SHELL", "curl -f http://localhost:4000 || exit 1"]
+  }
+  network_params = {
+    subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
+    vpc_id  = aws_vpc.application_vpc.id
+  }
+  cluster_id    = aws_ecs_cluster.cluster.id
+  environment   = var.environment
+  server_type   = "good-job"
+  desired_count = 1
+}

terraform/app/iam_policy_documents.tf

@@ -3,12 +3,12 @@
 data "aws_iam_policy_document" "codedeploy" {
   statement {
     actions   = ["ecs:DescribeServices", "ecs:UpdateServicePrimaryTaskSet"]
-    resources = [aws_ecs_service.service.id]
+    resources = [module.web_service.service.id]
     effect    = "Allow"
   }
   statement {
     actions   = ["ecs:CreateTaskSet", "ecs:DeleteTaskSet"]
-    resources = ["arn:aws:ecs:*:*:task-set/${aws_ecs_cluster.cluster.name}/${aws_ecs_service.service.name}/*"]
+    resources = ["arn:aws:ecs:*:*:task-set/${aws_ecs_cluster.cluster.name}/${module.web_service.service.name}/*"]
     effect    = "Allow"
   }
   statement {