Garmin MCP Server

terraform { required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } } provider "aws" { region = var.aws_region } module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.0.0" name = "${var.app_name}-vpc" cidr = "10.0.0.0/16" azs = ["${var.aws_region}a", "${var.aws_region}b"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] enable_nat_gateway = false enable_vpn_gateway = false tags = var.common_tags } resource "aws_security_group" "app" { name_prefix = "${var.app_name}-app-" vpc_id = module.vpc.vpc_id # No inbound rules - all traffic blocked for security # Cloudflare Tunnel will provide outbound-only access egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = var.common_tags } resource "aws_ecs_cluster" "main" { name = "${var.app_name}-cluster" setting { name = "containerInsights" value = "enabled" } tags = var.common_tags } resource "aws_ecs_task_definition" "app" { family = "${var.app_name}-task" network_mode = "awsvpc" requires_compatibilities = ["FARGATE"] cpu = 256 memory = 512 execution_role_arn = aws_iam_role.ecs_execution_role.arn task_role_arn = aws_iam_role.ecs_task_role.arn container_definitions = jsonencode([ { name = "${var.app_name}-container" image = "${aws_ecr_repository.app.repository_url}:latest" portMappings = [ { containerPort = 8080 protocol = "tcp" } ] environment = [ { name = "PORT" value = "8080" }, { name = "MCP_API_TOKEN" value = random_password.mcp_token.result } ] logConfiguration = { logDriver = "awslogs" options = { awslogs-group = aws_cloudwatch_log_group.app.name awslogs-region = var.aws_region awslogs-stream-prefix = "ecs" } } healthCheck = { command = ["CMD-SHELL", "curl -f http://localhost:8080/healthz || exit 1"] interval = 30 timeout = 5 retries = 3 startPeriod = 60 } }, { name = "cloudflared" image = "cloudflare/cloudflared:latest" command = [ "tunnel", "--no-autoupdate", "run", "--token", var.cloudflare_tunnel_token ] logConfiguration = { logDriver = "awslogs" options = { awslogs-group = aws_cloudwatch_log_group.app.name awslogs-region = var.aws_region awslogs-stream-prefix = "cloudflared" } } essential = false } ]) tags = var.common_tags } resource "aws_ecs_service" "app" { name = "${var.app_name}-service" cluster = aws_ecs_cluster.main.id task_definition = aws_ecs_task_definition.app.arn desired_count = 1 launch_type = "FARGATE" network_configuration { subnets = module.vpc.public_subnets security_groups = [aws_security_group.app.id] assign_public_ip = true } tags = var.common_tags } resource "aws_ecr_repository" "app" { name = var.app_name image_tag_mutability = "MUTABLE" image_scanning_configuration { scan_on_push = true } tags = var.common_tags } resource "aws_cloudwatch_log_group" "app" { name = "/ecs/${var.app_name}" retention_in_days = 7 tags = var.common_tags } resource "aws_iam_role" "ecs_execution_role" { name = "${var.app_name}-ecs-execution-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ecs-tasks.amazonaws.com" } } ] }) } resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" { role = aws_iam_role.ecs_execution_role.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } resource "aws_iam_role" "ecs_task_role" { name = "${var.app_name}-ecs-task-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ecs-tasks.amazonaws.com" } } ] }) } resource "random_password" "mcp_token" { length = 32 special = false } output "ecs_service_public_ip" { description = "The public IP of the ECS service" value = "Use ECS service public IP directly" } output "mcp_api_token" { description = "The MCP API token for ChatGPT integration" value = random_password.mcp_token.result sensitive = true }