Fix 6 P1 infrastructure issues from code review (FRE-4574)

- ALB: deploy to public subnets instead of private (adds public_subnet_ids var) - ECS: fix launch_desired_count → launch_type = FARGATE - Secrets: accept actual RDS/ElastiCache endpoints from parent module - Deploy: fix circular dependency (needs.detect → steps.detect) - Health check: dynamic ALB DNS lookup via aws elbv2 CLI - Health check: exit 1 on failure so rollback triggers Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-10 02:28:48 -04:00
parent c7df40ac26
commit 4ddd24fd72
4 changed files with 62 additions and 35 deletions
--- a/infra/modules/ecs/main.tf
+++ b/infra/modules/ecs/main.tf
@@ -14,7 +14,12 @@ variable "vpc_id" {
 }

 variable "subnet_ids" {
-  description = "Private subnet IDs"
+  description = "Private subnet IDs for ECS tasks"
+  type        = list(string)
+}
+
+variable "public_subnet_ids" {
+  description = "Public subnet IDs for ALB"
  type        = list(string)
 }

@@ -273,7 +278,7 @@ resource "aws_ecs_service" "services" {
  task_definition = aws_ecs_task_definition.services[each.key].arn
  desired_count   = var.environment == "production" ? 3 : 1

-  launch_desired_count = "FARGATE"
+  launch_type = "FARGATE"

  network_configuration {
    subnets          = var.subnet_ids
@@ -307,7 +312,7 @@ resource "aws_lb" "main" {
  internal           = false
  load_balancer_type = "application"
  security_groups    = var.security_group_ids
-  subnets            = var.subnet_ids
+  subnets            = var.public_subnet_ids

  tags = {
    Name = "${var.cluster_name}-alb"
--- a/infra/modules/secrets/main.tf
+++ b/infra/modules/secrets/main.tf
@@ -8,6 +8,16 @@ variable "project_name" {
  type        = string
 }

+variable "rds_endpoint" {
+  description = "RDS instance endpoint"
+  type        = string
+}
+
+variable "elasticache_endpoint" {
+  description = "ElastiCache primary endpoint"
+  type        = string
+}
+
 variable "secrets" {
  description = "Secrets to store"
  type        = map(string)
@@ -29,15 +39,13 @@ resource "aws_secretsmanager_secret_version" "main" {
  secret_id = aws_secretsmanager_secret.main.id

  secret_string = jsonencode(merge({
-    DATABASE_URL = "postgresql://shieldai:${var.project_name}@${var.project_name}-${var.environment}-db.${data.aws_caller_identity.current.account_id}.us-east-1.rds.amazonaws.com:5432/shieldai"
-    REDIS_URL    = "redis://${var.project_name}-${var.environment}-redis.${data.aws_caller_identity.current.account_id}.us-east-1.cache.amazonaws.com:6379"
+    DATABASE_URL = "postgresql://shieldai:${var.project_name}@${var.rds_endpoint}:5432/shieldai"
+    REDIS_URL    = "redis://${var.elasticache_endpoint}:6379"
    NODE_ENV     = var.environment
    LOG_LEVEL    = var.environment == "production" ? "info" : "debug"
  }, var.secrets))
 }

-data "aws_caller_identity" "current" {}
-
 output "secrets_manager_arn" {
  description = "Secrets Manager ARN"
  value       = aws_secretsmanager_secret.main.arn