Add opt-in varnish cache along standard tileserver

Author: Rikuoja

infra/acm.tf

@@ -19,6 +19,7 @@ resource "aws_acm_certificate" "tileserver" {
   # Always create the tile server certificate, no matter what the frontend domain
   count             = 1
   domain_name       = local.tileserver_dns_alias
+  subject_alternative_names = [local.tile_cache_dns_alias, local.mml_cache_dns_alias]
   validation_method = "DNS"
   tags              = merge(local.default_tags, { Name = "${var.prefix}-tileserver-acm" })
 }

infra/cloudwatch.tf

@@ -34,6 +34,12 @@ resource "aws_cloudwatch_log_group" "tarmo_tileserver" {
   tags              = local.default_tags
 }
 
+resource "aws_cloudwatch_log_group" "tarmo_tilecache" {
+  name              = "/aws/ecs/${aws_ecs_task_definition.tileserv_cache.family}"
+  retention_in_days = 30
+  tags              = local.default_tags
+}
+
 resource "aws_cloudwatch_event_rule" "lambda_lipas" {
   name        = "${var.prefix}-lambda-lipas-update"
   description = "Run lipas import every night"

infra/domain.tf

@@ -71,6 +71,32 @@ resource "aws_route53_record" "tileserver" {
   ttl     = "60"
 }
 
+resource "aws_route53_record" "tilecache" {
+  count = 1
+
+  zone_id = data.aws_route53_zone.zone[0].id
+  name    = local.tile_cache_dns_alias
+  type    = "CNAME"
+
+  records = [
+    aws_lb.tileserver.dns_name
+  ]
+  ttl     = "60"
+}
+
+resource "aws_route53_record" "mmlcache" {
+  count = 1
+
+  zone_id = data.aws_route53_zone.zone[0].id
+  name    = local.mml_cache_dns_alias
+  type    = "CNAME"
+
+  records = [
+    aws_lb.tileserver.dns_name
+  ]
+  ttl     = "60"
+}
+
 resource "aws_route53_record" "tileserver_validation" {
 
   for_each = {

infra/ecs.tf

@@ -63,6 +63,219 @@ resource "aws_ecs_task_definition" "pg_tileserv" {
   tags = merge(local.default_tags, {Name = "${var.prefix}-pg_tileserv-definition"})
 }
 
+# Now this is a handful. We need varnish, plus varnish configuration container, plus
+# ssl tunnel containers from varnish to both tarmo and mml tile servers, since
+# varnish doesn't know how to cache https requests.
+resource "aws_ecs_task_definition" "tileserv_cache" {
+  family                   = "${var.prefix}-tileserv_cache"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  # This is the IAM role that the docker daemon will use, e.g. for pulling the image from ECR (AWS's own docker repository)
+  execution_role_arn       = aws_iam_role.backend-task-execution.arn
+  # If the containers in the task definition need to access AWS services, we'd specify a role via task_role_arn.
+  # task_role_arn = ...
+  cpu                      = var.varnish_cpu
+  memory                   = var.varnish_memory
+  # https://kichik.com/2020/09/10/mounting-configuration-files-in-fargate/
+  volume {
+    name = "varnish_configuration"
+  }
+
+  container_definitions    = jsonencode(
+  [
+    {
+      name         = "tarmo-stunnel-sidecar"
+      image        = "tstrohmeier/stunnel-client"
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group = "/aws/ecs/${var.prefix}-tileserv_cache"
+          awslogs-region = var.AWS_REGION_NAME
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+      portMappings = [
+        {
+          hostPort = 8888
+          # This port is the same that the contained application also uses
+          containerPort = 8888
+          protocol      = "tcp"
+        }
+      ]
+      environment  = [
+        {
+          name = "ACCEPT"
+          value = "8888"
+        },
+        {
+          name = "CONNECT"
+          value = "${local.tileserver_dns_alias}:443"
+        }
+      ]
+    },
+    {
+      name         = "mml-stunnel-sidecar"
+      image        = "tstrohmeier/stunnel-client"
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group = "/aws/ecs/${var.prefix}-tileserv_cache"
+          awslogs-region = var.AWS_REGION_NAME
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+      portMappings = [
+        {
+          hostPort = 8889
+          # This port is the same that the contained application also uses
+          containerPort = 8889
+          protocol      = "tcp"
+        }
+      ]
+      environment  = [
+        {
+          name = "ACCEPT"
+          value = "8889"
+        },
+        {
+          name = "CONNECT"
+          value = "avoin-karttakuva.maanmittauslaitos.fi:443"
+        }
+      ]
+    },
+    {
+      # https://kichik.com/2020/09/10/mounting-configuration-files-in-fargate/
+      name         = "varnish-configuration-sidecar"
+      image        = "bash"
+      DependsOn = [
+        {
+          condition = "START"
+          containerName = "tarmo-stunnel-sidecar"
+        },
+        {
+          condition = "START"
+          containerName = "mml-stunnel-sidecar"
+        }
+      ]
+      mountPoints  = [
+        {
+          containerPath = "/etc/varnish"
+          sourceVolume = "varnish_configuration"
+        }
+      ]
+      essential = false
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group = "/aws/ecs/${var.prefix}-tileserv_cache"
+          awslogs-region = var.AWS_REGION_NAME
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+      command = ["-c", "echo $VARNISH_CONF | base64 -d - | tee /etc/varnish/default.vcl"]
+      environment  = [
+        {
+          name = "VARNISH_CONF"
+          value = base64encode(
+            <<EOF
+            # specify the VCL syntax version to use
+            vcl 4.1;
+
+            backend tarmo {
+              .host = "localhost";
+              .port = "8888";
+            }
+
+            backend mml {
+              .host = "localhost";
+              .port = "8889";
+            }
+
+            sub vcl_recv {
+              # ping endpoint for testing
+              if(req.url ~ "/ping$") {
+                return(synth(700, "Pong"));
+              }
+              if (req.http.host ~ "${local.tile_cache_dns_alias}") {
+                set req.backend_hint = tarmo;
+                set req.http.host = "${local.tileserver_dns_alias}";
+              }
+              if(req.http.host ~ "${local.mml_cache_dns_alias}") {
+                set req.backend_hint = mml;
+                set req.http.host = "avoin-karttakuva.maanmittauslaitos.fi";
+              }
+            }
+
+            sub vcl_synth {
+              # respond HTTP 200
+              if (resp.status == 700) {
+                set resp.status = 200;
+                set resp.http.Content-Type = "text/plain";
+                synthetic({"Pong"});
+                return (deliver);
+              }
+            }
+
+            sub vcl_backend_response {
+              set beresp.ttl = 1h;
+              set beresp.grace = 2h;
+            }
+
+            EOF
+          )
+        }
+      ]
+    },
+    {
+      name         = "varnish-from-dockerhub"
+      image        = var.varnish_image
+      cpu          = var.varnish_cpu
+      memory       = var.varnish_memory
+      DependsOn = [
+        {
+          condition = "COMPLETE"
+          containerName = "varnish-configuration-sidecar"
+        }
+      ]
+      mountPoints  = [
+        {
+          containerPath = "/etc/varnish"
+          sourceVolume = "varnish_configuration"
+          readOnly = true
+        }
+      ]
+      volumesFrom  = []
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group = "/aws/ecs/${var.prefix}-tileserv_cache"
+          awslogs-region = var.AWS_REGION_NAME
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+      essential    = true
+      portMappings = [
+        {
+          hostPort = var.varnish_port
+          # This port is the same that the contained application also uses
+          containerPort = var.varnish_port
+          protocol      = "tcp"
+        }
+      ]
+      # With Fargate, we use awsvpc networking, which will reserve a ENI (Elastic Network Interface) and attach it to
+      # our VPC
+      networkMode  = "awsvpc"
+      environment  = [
+        {
+          name = "VARNISH_SIZE"
+          value = "4G"
+        }
+      ]
+    }
+  ])
+  tags = merge(local.default_tags, {Name = "${var.prefix}-tileserv_cache-definition"})
+}
+
 # Service can also be attached to a load balancer for HTTP, TCP or UDP traffic
 resource "aws_ecs_service" "pg_tileserv" {
   name            = "${var.prefix}_pg_tileserv"
@@ -90,3 +303,30 @@ resource "aws_ecs_service" "pg_tileserv" {
 
   tags = merge(local.default_tags, {Name = "${var.prefix}-pg_tileserv-service"})
 }
+
+resource "aws_ecs_service" "varnish" {
+  name            = "${var.prefix}_varnish"
+  cluster         = aws_ecs_cluster.pg_tileserv.id
+  task_definition = aws_ecs_task_definition.tileserv_cache.arn
+  desired_count   = 1
+
+  # We run containers with the Fargate launch type. The other alternative is EC2, in which case we'd provision EC2
+  # instances and attach them to the cluster.
+  launch_type = "FARGATE"
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.tilecache.arn
+    container_name   = "varnish-from-dockerhub"
+    container_port   = var.varnish_port
+  }
+
+  network_configuration {
+    # Fargate uses awspvc networking, we tell here into what subnets to attach the service
+    subnets          = aws_subnet.public.*.id
+    # Ditto for security groups
+    security_groups  = [aws_security_group.backend.id]
+    assign_public_ip = true
+  }
+
+  tags = merge(local.default_tags, {Name = "${var.prefix}-varnish-service"})
+}

infra/load_balancer.tf

@@ -42,7 +42,37 @@ resource "aws_lb_target_group" "tileserver" {
   ]
 
   tags = merge(local.default_tags, {
-    Name = "${var.prefix}-lb-target-group"
+    Name = "${var.prefix}-lb-tileserver-target-group"
+  })
+
+}
+
+resource "aws_lb_target_group" "tilecache" {
+  name                 = "${var.prefix}-tilecache"
+  port                 = var.varnish_port
+  protocol             = "HTTP"
+  deregistration_delay = 30
+  vpc_id               = aws_vpc.main.id
+  target_type          = "ip"
+
+  health_check {
+    enabled             = true
+    healthy_threshold   = 2
+    interval            = 30
+    matcher             = "200"
+    path                = "/ping"
+    port                = "traffic-port"
+    protocol            = "HTTP"
+    timeout             = 5
+    unhealthy_threshold = 10
+  }
+
+  depends_on = [
+    aws_lb.tileserver
+  ]
+
+  tags = merge(local.default_tags, {
+    Name = "${var.prefix}-lb-tilecache-target-group"
   })
 
 }
@@ -63,6 +93,23 @@ resource "aws_lb_listener" "tileserver" {
   tags = merge(local.default_tags, { Name = "${var.prefix}-lb-default-listener" })
 }
 
+# The extra rule will point cache requests to cache target group
+resource "aws_lb_listener_rule" "tilecache" {
+  listener_arn = aws_lb_listener.tileserver.arn
+  priority     = 100
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.tilecache.arn
+  }
+
+  condition {
+    host_header {
+      values = [local.tile_cache_dns_alias, local.mml_cache_dns_alias]
+    }
+  }
+}
+
 resource "aws_lb_listener" "http" {
   # we want a listener even if we don't use route53
   count             = 1