Deploying Rust App with Terraform on AWS Fargate
Posted December 20, 2023 by Antonio Souza ‐ 8 min read
In today's rapidly evolving technological landscape, Infrastructure as Code (IaC) has become a cornerstone for efficient, scalable, and maintainable cloud infrastructure deployment. IaC involves managing and provisioning computing infrastructure through machine-readable script files, rather than through physical hardware configuration or interactive configuration tools. This allows for the automation of infrastructure deployment and management, which in turn reduces the risk of human error and increases the speed of deployment.
In this article, we will explore how to deploy a Rust app built with loco on AWS Fargate using Terraform. We will start by creating a new project and selecting the Rest API template:
Prerequisites
To deploy our app on AWS Fargate, we will need to have the following tools installed:
- Docker - Docker is a containerization platform that allows you to package your application and all of its dependencies into a standardized unit for software development.
- Terraform - Terraform is an open-source infrastructure as code software tool that enables you to safely and predictably create, change, and improve infrastructure.
- AWS CLI - The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services.
Creating the Docker Image
To create the Docker image for our app, we will use the loco CLI. The cargo loco generate deployment command will create a Docker image for our app. It will also create a Dockerfile for us, which we can use to build the image.
Now, we can build the Docker image which will be used to deploy our app on AWS Fargate.
)
=> [internal]
=> => transferring
=> => writing
=> => naming
Setting up AWS
To deploy our app on AWS Fargate, we will need to create an AWS account and set up the AWS CLI. You can create an AWS account here.
You will also need to install the AWS CLI. You can find instructions on how to do this here.
Finally, you need to create an IAM user to use with the AWS CLI. You can find instructions on how to do this here.
Now, we can configure the AWS CLI with the credentials of the IAM user we just created.
Creating the repository on ECR
To deploy our app on AWS Fargate, we will need to create a repository on ECR. You can do this by running the following command:
{
}
Pushing the Docker image to ECR
Now, we can push the Docker image to ECR. You can do this by running the following commands:
-1. Log in to ECR
|
-2. Tag the Docker image
-3. Push the Docker image to ECR
Creating the main.tf file for Terraform
This is the main Terraform file that will be used to deploy our app on AWS Fargate. It will create the following resources:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
archive = {
source = "hashicorp/archive"
version = "~> 2.2.0"
}
}
required_version = "~> 1.0"
}
# Configure the AWS Provider
provider "aws" {
region = "us-east-1" // Change this to your region
access_key = "<your access key>" // Change this to your access key
secret_key = "your secret key" // Change this to your secret key
}
resource "aws_ecr_repository" "myapp" {
name = "myapp"
}
resource "aws_ecs_cluster" "myapp_cluster" {
name = "myapp_cluster"
}
resource "aws_cloudwatch_log_group" "myapp" {
name = "/ecs/myapp"
}
resource "aws_ecs_task_definition" "myapp_task" {
family = "myapp-task"
container_definitions = <<DEFINITION
[
{
"name": "myapp-task",
"image": "${aws_ecr_repository.myapp.repository_url}",
"essential": true,
"portMappings": [
{
"containerPort": 3000
}
],
"command": ["start"],
"memory": 512,
"cpu": 256,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-region": "us-east-2",
"awslogs-group": "/ecs/myapp",
"awslogs-stream-prefix": "ecs"
}
}
}
]
DEFINITION
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
memory = 512
cpu = 256
execution_role_arn = aws_iam_role.ecsTaskExecutionRole.arn
}
resource "aws_iam_role" "ecsTaskExecutionRole" {
name = "ecsTaskExecutionRoleMyapp"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
role = aws_iam_role.ecsTaskExecutionRole.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
resource "aws_alb" "myapp" {
name = "myapp-lb"
internal = false
load_balancer_type = "application"
enable_deletion_protection = true
subnets = [
aws_subnet.public_d.id,
aws_subnet.public_e.id,
]
security_groups = [
aws_security_group.http.id,
aws_security_group.https.id,
aws_security_group.egress_all.id,
]
depends_on = [aws_internet_gateway.igw]
}
resource "aws_security_group" "load_balancer_security_group" {
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_lb_target_group" "myapp" {
name = "myapp-tg"
port = 3000
protocol = "HTTP"
target_type = "ip"
vpc_id = aws_vpc.myapp_vpc.id
health_check {
enabled = true
path = "/_health"
matcher = "200,202"
}
depends_on = [aws_alb.myapp]
}
resource "aws_alb_listener" "myapp_http" {
load_balancer_arn = aws_alb.myapp.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
resource "aws_alb_listener" "myapp_https" {
load_balancer_arn = aws_alb.myapp.arn
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016-08"
certificate_arn = "<your arn for the certificate>" // Change this to your certificate ARN
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.myapp.arn
}
}
output "alb_url" {
value = "https://${aws_alb.myapp.dns_name}"
}
resource "aws_ecs_service" "myapp" {
name = "myapp-service"
cluster = aws_ecs_cluster.myapp_cluster.id
task_definition = aws_ecs_task_definition.myapp_task.arn
launch_type = "FARGATE"
desired_count = 1
load_balancer {
target_group_arn = aws_lb_target_group.myapp.arn
container_name = aws_ecs_task_definition.myapp_task.family
container_port = 3000
}
network_configuration {
assign_public_ip = false
security_groups = [
aws_security_group.egress_all.id,
aws_security_group.ingress_api.id,
]
subnets = [
aws_subnet.private_d.id,
aws_subnet.private_e.id,
]
}
}
resource "aws_security_group" "service_security_group" {
ingress {
from_port = 0
to_port = 0
protocol = "-1"
security_groups = ["${aws_security_group.load_balancer_security_group.id}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
This file will create the following resources:
- An ECR repository for our app
- An ECS cluster for our app
- An ECS task definition for our app
- An ECS service for our app
Now, we need to create a network.tf file to define the network configuration for our app. This file will create the following resources:
resource "aws_vpc" "myapp_vpc" {
cidr_block = "10.0.0.0/16"
}
resource "aws_subnet" "public_d" {
vpc_id = aws_vpc.myapp_vpc.id
cidr_block = "10.0.1.0/25"
availability_zone = "us-east-2a"
tags = {
"Name" = "public | us-east-2a"
}
}
resource "aws_subnet" "private_d" {
vpc_id = aws_vpc.myapp_vpc.id
cidr_block = "10.0.2.0/25"
availability_zone = "us-east-2b"
tags = {
"Name" = "private | us-east-2b"
}
}
resource "aws_subnet" "public_e" {
vpc_id = aws_vpc.myapp_vpc.id
cidr_block = "10.0.1.128/25"
availability_zone = "us-east-2c"
tags = {
"Name" = "public | us-east-2c"
}
}
resource "aws_subnet" "private_e" {
vpc_id = aws_vpc.myapp_vpc.id
cidr_block = "10.0.2.128/25"
availability_zone = "us-east-2c"
tags = {
"Name" = "private | us-east-2c"
}
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.myapp_vpc.id
tags = {
"Name" = "public"
}
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.myapp_vpc.id
tags = {
"Name" = "private"
}
}
resource "aws_route_table_association" "public_d_subnet" {
subnet_id = aws_subnet.public_d.id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private_d_subnet" {
subnet_id = aws_subnet.private_d.id
route_table_id = aws_route_table.private.id
}
resource "aws_route_table_association" "public_e_subnet" {
subnet_id = aws_subnet.public_e.id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private_e_subnet" {
subnet_id = aws_subnet.private_e.id
route_table_id = aws_route_table.private.id
}
resource "aws_eip" "nat" {
vpc = true
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.myapp_vpc.id
}
resource "aws_nat_gateway" "ngw" {
subnet_id = aws_subnet.public_d.id
allocation_id = aws_eip.nat.id
depends_on = [aws_internet_gateway.igw]
}
resource "aws_route" "public_igw" {
route_table_id = aws_route_table.public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
resource "aws_route" "private_ngw" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.ngw.id
}
resource "aws_security_group" "http" {
name = "http"
description = "HTTP traffic"
vpc_id = aws_vpc.myapp_vpc.id
ingress {
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "https" {
name = "https"
description = "HTTPS traffic"
vpc_id = aws_vpc.myapp_vpc.id
ingress {
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "egress_all" {
name = "egress-all"
description = "Allow outbound traffic"
vpc_id = aws_vpc.myapp_vpc.id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "ingress_api" {
name = "ingress-api"
description = "Allow ingress to App"
vpc_id = aws_vpc.myapp_vpc.id
ingress {
from_port = 3000
to_port = 3000
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
}
}
The network configuration will be responsible for creating all the infrastructure needed to deploy our app on AWS Fargate in terms of networking. I recommend you to read the AWS Fargate documentation to understand how it works, also you can read the Terraform documentation for AWS Fargate and AWS VPC.
So, now we have the main Terraform file and the network configuration file for our app. We can now deploy our app on AWS Fargate.
Deploying the app on AWS Fargate
To deploy our app on AWS Fargate, we will need to run the following commands:
-1. Initialize Terraform
-2. Plan the deployment
-3. Apply the deployment
Now, we can access our app by going to the url from our alb_url output.
Conclusion
In this article, we explored how to deploy a Rust app built with loco on AWS Fargate using Terraform. We started by creating a new project and selecting the Rest API template. Then, we created the Docker image for our app and pushed it to ECR. Finally, we created the main Terraform file and the network configuration file for our app and deployed it on AWS Fargate.
This approach allows us to deploy our app on AWS Fargate in a fast and reliable way. It also allows us to easily scale our app by adding more instances of it.