CC-2163: Creation of EBSApps Instances

ministryofjustice · Nov 21, 2023 · 362bf4c · 362bf4c
1 parent 10cfee4
commit 362bf4c
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 0 deletions.
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb-sg.tf
@@ -0,0 +1,42 @@
+# Security Group for EBSAPP LB
+resource "aws_security_group" "sg_ebsapps_lb" {
+  name        = "sg_ebsapps_lb"
+  description = "Inbound traffic control for EBSAPPS loadbalancer"
+  vpc_id      = data.aws_vpc.shared.id
+
+  tags = merge(local.tags,
+    { Name = lower(format("sg-%s-%s-loadbalancer", local.application_name, local.environment)) }
+  )
+}
+
+# INGRESS Rules
+
+### HTTPS
+
+resource "aws_security_group_rule" "ingress_traffic_ebslb_443" {
+  security_group_id = aws_security_group.sg_ebsapps_lb.id
+  type              = "ingress"
+  description       = "HTTPS"
+  protocol          = "TCP"
+  from_port         = 443
+  to_port           = 443
+  cidr_blocks = [data.aws_vpc.shared.cidr_block,
+    local.application_data.accounts[local.environment].lz_aws_subnet_env,
+    local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env,
+  local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env]
+}
+
+
+# EGRESS Rules
+
+### All
+
+resource "aws_security_group_rule" "egress_traffic_ebslb_80" {
+  security_group_id = aws_security_group.ec2_sg_ebsapps.id
+  type              = "egress"
+  description       = "All"
+  protocol          = "TCP"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf
@@ -0,0 +1,60 @@
+resource "aws_lb" "ebsapps_lb" {
+  name               = lower(format("lb-%s-ebsapp", local.application_name))
+  internal           = true
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.sg_ebsapps_lb.id]
+  subnets            = data.aws_subnets.shared-private.ids
+
+  enable_deletion_protection = true
+
+  access_logs {
+    bucket  = module.s3-bucket-logging.bucket.id
+    prefix  = local.lb_log_prefix_ebsapp
+    enabled = true
+  }
+
+  tags = merge(local.tags,
+    { Name = lower(format("lb-%s-ebsapp", local.application_name)) }
+  )
+}
+
+resource "aws_lb_listener" "ebsapps_listener" {
+  depends_on = [
+    aws_acm_certificate_validation.external
+  ]
+
+  load_balancer_arn = aws_lb.ebsapps_lb.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = "arn:aws:acm:eu-west-2:295992623913:certificate/2a9438fc-7d0a-4dae-a8d0-05f846793a15"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ebsapp_tg.id
+  }
+}
+
+resource "aws_lb_target_group" "ebsapp_tg" {
+  name     = lower(format("tg-%s-ebsapp", local.application_name))
+  port     = local.application_data.accounts[local.environment].tg_apps_port
+  protocol = "HTTP"
+  vpc_id   = data.aws_vpc.shared.id
+  health_check {
+    port     = local.application_data.accounts[local.environment].tg_apps_port
+    protocol = "HTTP"
+  }
+
+  stickiness {
+    enabled         = true
+    type            = "lb_cookie"
+    cookie_duration = 3600
+  }
+}
+
+resource "aws_lb_target_group_attachment" "ebsapps" {
+  count            = local.application_data.accounts[local.environment].ebsapps_no_instances
+  target_group_arn = aws_lb_target_group.ebsapp_tg.arn
+  target_id        = element(aws_instance.ec2_ebsapps.*.id, count.index)
+  port             = local.application_data.accounts[local.environment].tg_apps_port
+}