feat: Implement Terraform module for Mediamtx Relay service with EC2 deployment and configuration

Author: 02loveslollipop

.github/workflows/deploy.yaml

@@ -1,4 +1,4 @@
-name: Deploy to Elastic Beanstalk
+name: Deploy Infrastructure and Services
 
 on:
   push:
@@ -21,18 +21,20 @@ jobs:
             path: control_broker
             application: "controll server"
             environment: "Controllserver-env"
+            deployer: elasticbeanstalk
           - service: stream-cleaner
             path: stream_cleaner
             application: "Stream-cleaner"
             environment: "Stream-cleaner-env"
+            deployer: elasticbeanstalk
           - service: visual-controller
             path: visual_controller
             application: "visual-controller"
             environment: "Visual-controller-env"
+            deployer: elasticbeanstalk
           - service: media-relay
-            path: media_relay
-            application: "media-relay"
-            environment: "Media-relay-env"
+            path: infra/terraform/media_relay
+            deployer: terraform
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -50,6 +52,12 @@ jobs:
         env:
           AWS_SHARED_CREDENTIALS_FILE: ~/.aws/credentials
 
+      - name: Set up Terraform
+        if: ${{ matrix.deployer == 'terraform' }}
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.7.5
+
       - name: Build visual controller frontend
         if: ${{ matrix.service == 'visual-controller' }}
         shell: bash
@@ -68,25 +76,19 @@ jobs:
         id: package
         working-directory: ${{ matrix.path }}
         shell: bash
+        if: ${{ matrix.deployer == 'elasticbeanstalk' }}
         run: |
           ZIP_NAME="${{ matrix.service }}-${{ steps.suffix.outputs.value }}.zip"
           shopt -s dotglob
           zip -r "../${ZIP_NAME}" . -x "*/__pycache__/*" -x "*.pyc"
           echo "zip-name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
 
-      - name: Validate media relay package contents
-        if: ${{ matrix.service == 'media-relay' }}
-        env:
-          ZIP_NAME: ${{ steps.package.outputs.zip-name }}
-        shell: bash
-        run: |
-          unzip -l "${ZIP_NAME}" | grep '.platform/elasticbeanstalk/docker/container-configuration.json'
-
       - name: Upload package to S3
         id: upload
         env:
           ZIP_NAME: ${{ steps.package.outputs.zip-name }}
         shell: bash
+        if: ${{ matrix.deployer == 'elasticbeanstalk' }}
         run: |
           S3_KEY="deployments/${{ matrix.service }}/${ZIP_NAME}"
           aws s3 cp "${ZIP_NAME}" "s3://${{ env.S3_BUCKET }}/${S3_KEY}"
@@ -97,6 +99,7 @@ jobs:
         env:
           VERSION_LABEL: ${{ matrix.service }}-${{ steps.suffix.outputs.value }}
         shell: bash
+        if: ${{ matrix.deployer == 'elasticbeanstalk' }}
         run: |
           aws elasticbeanstalk create-application-version \
             --application-name "${{ matrix.application }}" \
@@ -107,7 +110,40 @@ jobs:
 
       - name: Update Elastic Beanstalk environment
         shell: bash
+        if: ${{ matrix.deployer == 'elasticbeanstalk' }}
         run: |
           aws elasticbeanstalk update-environment \
             --environment-name "${{ matrix.environment }}" \
             --version-label "${{ steps.version.outputs.version-label }}"
+
+      - name: Write terraform.tfvars from secret
+        if: ${{ matrix.deployer == 'terraform' }}
+        working-directory: ${{ matrix.path }}
+        env:
+          TFVARS_B64: ${{ secrets.MEDIA_RELAY_TFVARS_B64 }}
+        shell: bash
+        run: |
+          if [[ -z "$TFVARS_B64" ]]; then
+            echo "MEDIA_RELAY_TFVARS_B64 secret is not set" >&2
+            exit 1
+          fi
+          echo "$TFVARS_B64" | base64 -d > terraform.tfvars
+
+      - name: Terraform init
+        if: ${{ matrix.deployer == 'terraform' }}
+        working-directory: ${{ matrix.path }}
+        shell: bash
+        env:
+          TF_IN_AUTOMATION: 1
+        run: |
+          terraform init -input=false
+
+      - name: Terraform apply
+        if: ${{ matrix.deployer == 'terraform' }}
+        working-directory: ${{ matrix.path }}
+        shell: bash
+        env:
+          TF_IN_AUTOMATION: 1
+        run: |
+          terraform apply -input=false -auto-approve
+

infra/terraform/media_relay/.gitignore

@@ -0,0 +1,5 @@
+.terraform/
+.terraform.lock.hcl
+terraform.tfstate
+terraform.tfstate.*
+terraform.tfvars

infra/terraform/media_relay/README.md

@@ -0,0 +1,60 @@
+# Mediamtx Relay Terraform Stack
+
+This module provisions everything required to host the relay on a single EC2 instance with an attached Elastic IP. The instance boots Amazon Linux 2023, installs Docker, writes the Mediamtx configuration, and launches the upstream `bluenviron/mediamtx` container with all required TCP and UDP ports published.
+
+## What gets created
+
+- Security group exposing TCP `8554`, `1935`, `8888`, `8889`, `9998`, `9999` and UDP `8200` to the CIDR list you supply.
+- EC2 instance (default `t3.small`) running in the chosen subnet/VPC.
+- User data script that installs Docker and runs Mediamtx with the configuration rendered from Terraform inputs.
+- Elastic IP associated with the instance for a stable ingress point.
+	- If you supply `existing_eip_allocation_id`, the module reuses that Elastic IP instead of allocating a new one.
+
+You can optionally set `vpc_id`, `subnet_id`, or `key_name` to place the instance in a specific network or enable SSH access.
+
+Key variables:
+
+| Name | Description | Default |
+| --- | --- | --- |
+| `region` | AWS region to deploy into | `us-east-1` |
+| `instance_type` | EC2 instance type | `t3.small` |
+| `publish_user` / `publish_pass` | Credentials the SBC uses to publish | **required** |
+| `viewer_user` / `viewer_pass` | Playback credentials (`viewer_user=any` allows anonymous access) | `any` / empty |
+| `allowed_cidrs` | List of CIDR blocks allowed to reach the relay | `["0.0.0.0/0"]` |
+| `existing_eip_allocation_id` | Allocation ID of an existing Elastic IP to reuse | `null` |
+| `mediamtx_version` | Container tag pulled from Docker Hub | `1.15.3` |
+| `tags` | Extra tags applied to every resource | `{}` |
+
+## Scaling & updates
+
+- **Scale vertically:** change `instance_type` and re-apply.
+- **Rotate credentials or config:** update the related variables and run `terraform apply`; the user data script re-renders the config and restarts the container on the next reboot. To force an immediate restart, use `terraform taint aws_instance.mediamtx` followed by `terraform apply`.
+- **Tear down:** run `terraform destroy` to remove the EC2 instance, security group, and Elastic IP.
+
+## GitHub Actions automation
+
+The `Deploy Infrastructure and Services` workflow expects a base64-encoded `terraform.tfvars` stored in the repository secret `MEDIA_RELAY_TFVARS_B64`. To generate it locally:
+
+```bash
+cd infra/terraform/media_relay
+terraform fmt
+cat terraform.tfvars | base64 -w0   # on macOS: cat terraform.tfvars | base64 | tr -d '\n'
+```
+
+Copy the output into the GitHub secret. The workflow decodes the file into `terraform.tfvars` before running `terraform init` and `terraform apply`.
+
+## terraform.tfvars example
+
+Create a `terraform.tfvars` (or copy `terraform.tfvars.example` if you create one) to store sensitive values locally:
+
+```hcl
+region        = "us-east-1"
+publish_user  = "robot"
+publish_pass  = "change-me"
+viewer_user   = "any"
+viewer_pass   = ""
+allowed_cidrs = ["203.0.113.0/24", "198.51.100.10/32"]
+#existing_eip_allocation_id = "eipalloc-0123456789abcdef0"
+```
+
+Never commit files that contain secrets.

infra/terraform/media_relay/main.tf

@@ -0,0 +1,157 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+data "aws_vpc" "default" {
+  count   = var.vpc_id == null ? 1 : 0
+  default = true
+}
+
+locals {
+  vpc_id = var.vpc_id != null ? var.vpc_id : data.aws_vpc.default[0].id
+}
+
+data "aws_subnet_ids" "selected" {
+  vpc_id = local.vpc_id
+}
+
+data "aws_eip" "existing" {
+  count = var.existing_eip_allocation_id != null ? 1 : 0
+  id    = var.existing_eip_allocation_id
+}
+
+locals {
+  subnet_id = var.subnet_id != null ? var.subnet_id : data.aws_subnet_ids.selected.ids[0]
+  tcp_ports = [8554, 1935, 8888, 8889, 9998, 9999]
+  udp_ports = [8200]
+  port_rules = concat(
+    [for p in local.tcp_ports : {
+      port     = p
+      protocol = "tcp"
+    }],
+    [for p in local.udp_ports : {
+      port     = p
+      protocol = "udp"
+    }]
+  )
+  merged_tags = merge({
+    Name = var.name
+  }, var.tags)
+}
+
+data "aws_ami" "al2023" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["al2023-ami-*-x86_64"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+locals {
+  mediamtx_config = templatefile("${path.module}/templates/mediamtx.yaml.tpl", {
+    log_level   = var.log_level
+    publish_user = var.publish_user
+    publish_pass = var.publish_pass
+    viewer_user  = var.viewer_user
+    viewer_pass  = var.viewer_pass
+  })
+
+  user_data = templatefile("${path.module}/templates/user_data.sh.tpl", {
+    mediamtx_config = local.mediamtx_config
+    mediamtx_version = var.mediamtx_version
+  })
+}
+
+resource "aws_security_group" "mediamtx" {
+  name        = "${var.name}-sg"
+  description = "Network rules for the Mediamtx relay"
+  vpc_id      = local.vpc_id
+
+  dynamic "ingress" {
+    for_each = local.port_rules
+    content {
+      description = "Allow ${ingress.value.protocol} port ${ingress.value.port}"
+      from_port   = ingress.value.port
+      to_port     = ingress.value.port
+      protocol    = ingress.value.protocol
+      cidr_blocks = var.allowed_cidrs
+    }
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = local.merged_tags
+}
+
+resource "aws_instance" "mediamtx" {
+  ami           = data.aws_ami.al2023.id
+  instance_type = var.instance_type
+  subnet_id     = local.subnet_id
+
+  associate_public_ip_address = true
+  key_name                   = var.key_name
+  vpc_security_group_ids     = [aws_security_group.mediamtx.id]
+
+  user_data = local.user_data
+
+  tags = local.merged_tags
+}
+
+resource "aws_eip" "mediamtx" {
+  count    = var.existing_eip_allocation_id == null ? 1 : 0
+  domain   = "vpc"
+  instance = aws_instance.mediamtx.id
+  tags     = local.merged_tags
+}
+
+resource "aws_eip_association" "mediamtx" {
+  count         = var.existing_eip_allocation_id != null ? 1 : 0
+  allocation_id = var.existing_eip_allocation_id
+  instance_id   = aws_instance.mediamtx.id
+}
+
+output "instance_id" {
+  description = "ID of the EC2 instance running Mediamtx"
+  value       = aws_instance.mediamtx.id
+}
+
+output "elastic_ip" {
+  description = "Elastic IP address associated with the relay"
+  value = var.existing_eip_allocation_id != null
+    ? data.aws_eip.existing[0].public_ip
+    : aws_eip.mediamtx[0].public_ip
+}
+
+output "public_dns" {
+  description = "Public DNS name of the instance"
+  value       = aws_instance.mediamtx.public_dns
+}
+
+output "security_group_id" {
+  description = "Security group controlling relay ingress"
+  value       = aws_security_group.mediamtx.id
+}