
Add load balancer
vertism committed Dec 1, 2023
1 parent 21df0b5 commit 496f44b
Showing 3 changed files with 140 additions and 3 deletions.
2 changes: 1 addition & 1 deletion terraform/environments/cdpt-chaps/ecs.tf
Expand Up @@ -24,5 +24,5 @@ module "windows-ecs" {
ec2_egress_rules = {}#local.ec2_egress_rules
tags_common = local.tags

# depends_on = [aws_lb_listener.listener]
depends_on = [aws_lb_listener.listener]
}
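Review bot: The module-level depends_on on the new line names only aws_lb_listener.listener, while the same commit also defines aws_lb_listener.https_listener; if the ECS module is meant to wait for the load balancer to be fully wired, both listeners belong in the list, `depends_on = [aws_lb_listener.listener, aws_lb_listener.https_listener]`. A module-level depends_on also defers every resource and data source inside the module, which is presumably why it is needed (the module's data "aws_lb_target_group" lookup cannot succeed before the target group exists), so a one-line comment such as `# defer the whole module until the LB/target group exist; the module looks the target group up by tag` would explain the otherwise surprising placement. The enclosing module "windows-ecs" block starts outside the hunk.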
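--- /dev/null
+++ b/terraform/environments/cdpt-chaps/loadbalancer.tf
@@ -0,0 +1,125 @@
+#------------------------------------------------------------------------------
+# Load Balancer
+#------------------------------------------------------------------------------
+#tfsec:ignore:AWS005 tfsec:ignore:AWS083
+resource "aws_lb" "external" {
+#checkov:skip=CKV_AWS_91
+#checkov:skip=CKV_AWS_131
+#checkov:skip=CKV2_AWS_20
+#checkov:skip=CKV2_AWS_28
+name = "${local.application_name}-loadbalancer"
+load_balancer_type = "application"
+subnets = data.aws_subnets.shared-public.ids
+enable_deletion_protection = true
+# allow 60*4 seconds before 504 gateway timeout for long-running DB operations
+idle_timeout = 240
+
+security_groups = [aws_security_group.load_balancer_security_group.id]
+
+tags = merge(
+local.tags,
+{
+Name = "${local.application_name}-external-loadbalancer"
+}
+)
+}
+
+resource "aws_lb_target_group" "target_group" {
+name = "${local.application_name}-tg-${local.environment}"
+port = local.app_data.accounts[local.environment].server_port
+protocol = "HTTP"
+vpc_id = data.aws_vpc.shared.id
+target_type = "instance"
+deregistration_delay = 30
+
+stickiness {
+type = "lb_cookie"
+}
+
+health_check {
+# path = "/"
+healthy_threshold = "5"
+interval = "120"
+protocol = "HTTP"
+unhealthy_threshold = "2"
+matcher = "200-499"
+timeout = "5"
+}
+
+tags = merge(
+local.tags,
+{
+Name = "${local.application_name}-tg-${local.environment}"
+}
+)
+}
+
+#tfsec:ignore:AWS004
+resource "aws_lb_listener" "listener" {
+#checkov:skip=CKV_AWS_2
+#checkov:skip=CKV_AWS_103
+load_balancer_arn = aws_lb.external.id
+port = local.app_data.accounts[local.environment].server_port
+protocol = "HTTP"
+
+default_action {
+target_group_arn = aws_lb_target_group.target_group.id
+type = "forward"
+}
+}
+
+resource "aws_lb_listener" "https_listener" {
+# depends_on = [aws_acm_certificate_validation.external]
+
+load_balancer_arn = aws_lb.external.id
+port = "443"
+protocol = "HTTPS"
+# certificate_arn = format("arn:aws:acm:eu-west-2:%s:certificate/%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].cert_arn)
+
+default_action {
+target_group_arn = aws_lb_target_group.target_group.id
+type = "forward"
+}
+}
+
+resource "aws_security_group" "load_balancer_security_group" {
+name_prefix = "${local.application_name}-loadbalancer-security-group"
+description = "controls access to lb"
+vpc_id = data.aws_vpc.shared.id
+
+ingress {
+protocol = "tcp"
+description = "Open the server port"
+from_port = local.app_data.accounts[local.environment].server_port
+to_port = local.app_data.accounts[local.environment].server_port
+#tfsec:ignore:AWS008
+cidr_blocks = ["0.0.0.0/0", ]
+}
+
+ingress {
+protocol = "tcp"
+description = "Open the SSL port"
+from_port = 443
+to_port = 443
+#tfsec:ignore:AWS008
+cidr_blocks = ["0.0.0.0/0", ]
+}
+
+egress {
+protocol = "-1"
+description = "Open all outbound ports"
+from_port = 0
+to_port = 0
+#tfsec:ignore:AWS009
+cidr_blocks = [
+"0.0.0.0/0",
+]
+}
+
+tags = merge(
+local.tags,
+{
+Name = "${local.application_name}-loadbalancer-security-group"
+}
+)
+}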
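Review bot: The https_listener resource declares protocol = "HTTPS" but has its certificate_arn commented out and sets no ssl_policy; an HTTPS listener cannot be created without a certificate, so this resource will fail at apply time until the certificate line is restored (or the resource is dropped until the ACM certificate exists), e.g. `certificate_arn = local.app_data.accounts[local.environment].cert_arn` together with `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`. Once HTTPS works, the plain-HTTP listener on server_port, which the security group exposes to 0.0.0.0/0, should use a redirect default_action to port 443 rather than forward, so the application is not reachable in clear text. The target group's health_check matcher of "200-499" also counts every 4xx as healthy, so a backend answering 403/404 to all requests is never taken out of service; `matcher = "200-399"` (ideally with an explicit health path) is the safer choice. The checkov skips for access logs (CKV_AWS_91) and invalid-header dropping (CKV_AWS_131) would be better either justified in a comment or addressed, the latter simply with `drop_invalid_header_fields = true`.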
16 changes: 14 additions & 2 deletions terraform/environments/cdpt-chaps/modules/ecs/main.tf
Expand Up @@ -20,6 +20,12 @@ data "aws_subnets" "shared-private" {
}
}

data "aws_lb_target_group" "target_group" {
tags = {
"Name" = "${var.app_name}-tg-${var.environment}"
}
}

resource "aws_autoscaling_group" "cluster-scaling-group" {
vpc_zone_identifier = sort(data.aws_subnets.shared-private.ids)
desired_capacity = var.ec2_desired_capacity
Expand Down Expand Up @@ -291,18 +297,24 @@ resource "aws_ecs_service" "ecs_service" {
task_definition = data.aws_ecs_task_definition.task_definition.id
desired_count = var.app_count

# health_check_grace_period_seconds = 300

capacity_provider_strategy {
capacity_provider = aws_ecs_capacity_provider.capacity_provider.name
weight = 1
}

health_check_grace_period_seconds = 300

ordered_placement_strategy {
field = "attribute:ecs.availability-zone"
type = "spread"
}

load_balancer {
target_group_arn = data.aws_lb_target_group.target_group.arn
container_name = var.app_name
container_port = var.server_port
}

depends_on = [
aws_iam_role_policy_attachment.ecs_task_execution_role, aws_ecs_task_definition.windows_ecs_task_definition, aws_ecs_task_definition.linux_ecs_task_definition
]
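Review bot: The health_check_grace_period_seconds = 300 added to the ECS service is shorter than the time a target needs to pass the health check defined in loadbalancer.tf (interval 120 s × healthy_threshold 5, roughly 600 s), so ECS can stop a freshly started task as unhealthy before the load balancer has had a chance to mark it healthy; either raise the grace period to cover that window or shorten the target group's interval/threshold. The new data "aws_lb_target_group" lookup matches solely on the Name tag, so it depends on `${var.app_name}-tg-${var.environment}` being the same string as the `${local.application_name}-tg-${local.environment}` tag set on the resource — presumably true, but a comment such as `# must match the Name tag on aws_lb_target_group.target_group in loadbalancer.tf` would make the coupling explicit, and the lookup errors at plan time until that target group exists. The enclosing aws_ecs_service resource starts before the hunk and continues past it.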
