// Resolve the first private subnet so its VPC id can be reused by the target
// groups and security groups below (the module has no dedicated vpc_id input).
// Only performed when at least one private subnet was supplied.
data "aws_subnet" "private_subnet" {
  count = length(var.private_subnets) > 0 ? 1 : 0
  id    = var.private_subnets[0]
}
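// Application load balancer in front of the service. Created only when public
// subnets were supplied; every resource that indexes aws_lb.alb[0] uses the
// same count condition.
resource "aws_lb" "alb" {
  count = length(var.public_subnets) > 0 ? 1 : 0

  // Underscores are stripped because AWS load balancer names allow only
  // alphanumerics and hyphens. The existing naming is kept so the resource is
  // not replaced.
  name               = replace("${local.stack}_${var.name}", "_", "")
  load_balancer_type = "application"
  // NOTE(review): the LB is placed in var.public_subnets even when
  // var.internal is true; confirm callers pass the subnets the LB should live
  // in regardless of the variable's name.
  internal        = var.internal
  subnets         = var.public_subnets
  security_groups = [aws_security_group.alb_sg[0].id]

  // Drop requests whose HTTP header names are not valid instead of forwarding
  // them to the targets unchanged.
  drop_invalid_header_fields = true
}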
// "Blue" target group of the blue/green pair. The HTTPS listener's initial
// default action forwards here; traffic from the LB to the targets is plain
// HTTP inside the VPC.
resource "aws_lb_target_group" "alb_target_group_blue" {
  count = length(var.public_subnets) > 0 ? 1 : 0

  name        = replace("${local.stack}_${var.name}_blue", "_", "")
  port        = var.container_port
  protocol    = "HTTP"
  target_type = "ip"

  // NOTE(review): this guard tests var.public_subnets, but the data source it
  // indexes is sized by var.private_subnets. With public subnets and no
  // private subnets the index fails at plan time; the guard should presumably
  // test var.private_subnets (same pattern in the green group and alb_sg).
  vpc_id = length(var.public_subnets) > 0 ? data.aws_subnet.private_subnet[0].vpc_id : ""

  health_check {
    path = var.health_check_path
  }
}
// "Green" target group of the blue/green pair; identical to the blue group
// apart from its name. Explicitly ordered after the LB via depends_on (the
// blue group carries no such dependency).
resource "aws_lb_target_group" "alb_target_group_green" {
  count = length(var.public_subnets) > 0 ? 1 : 0

  name        = replace("${local.stack}_${var.name}_green", "_", "")
  port        = var.container_port
  protocol    = "HTTP"
  target_type = "ip"

  // NOTE(review): guard tests var.public_subnets while the data source is sized
  // by var.private_subnets; see the blue target group for the failure mode.
  vpc_id = length(var.public_subnets) > 0 ? data.aws_subnet.private_subnet[0].vpc_id : ""

  health_check {
    path = var.health_check_path
  }

  depends_on = [aws_lb.alb]
}
// ACM certificate presented by the HTTPS listener, looked up by domain name.
// Skipped when var.cert_domain is empty. Note that aws_lb_listener.alb_listener
// indexes app_cert[0] whenever public subnets exist, so an ALB with an empty
// cert_domain fails at plan time.
data "aws_acm_certificate" "app_cert" {
  count  = var.cert_domain == "" ? 0 : 1
  domain = var.cert_domain
}
// The LB's only listener. Protocol is fixed to HTTPS, so the LB never serves
// cleartext; TLS terminates here and the target groups are reached over HTTP.
resource "aws_lb_listener" "alb_listener" {
  count = length(var.public_subnets) > 0 ? 1 : 0

  load_balancer_arn = aws_lb.alb[0].arn
  port              = var.ingress_port
  protocol          = "HTTPS"
  // NOTE(review): the module does not constrain this value; callers should
  // pass a TLS 1.2-or-newer policy.
  ssl_policy = var.ssl_policy
  // NOTE(review): app_cert is sized by var.cert_domain but this resource by
  // var.public_subnets; an ALB with an empty cert_domain fails here at plan.
  certificate_arn = data.aws_acm_certificate.app_cert[0].arn

  // Initial routing target. default_action is ignored for drift below,
  // presumably because blue/green switches flip it outside Terraform.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb_target_group_blue[0].arn
  }

  lifecycle {
    ignore_changes = [default_action]
  }
}
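// Security group attached to the ALB: inbound only on the listener port from
// the caller-supplied CIDRs; outbound only to the application tier's security
// group(s) — the module's own app_sg, or the groups the caller passed in.
resource "aws_security_group" "alb_sg" {
  count = length(var.public_subnets) > 0 ? 1 : 0

  name = "${local.stack}-${var.name}-alb-sg"
  // Description is stale (listener is HTTPS, ingress is CIDR-scoped) but
  // changing it forces replacement of the group, so it is left unchanged.
  description = "Allow HTTP from Anywhere into ALB"
  // NOTE(review): guard tests var.public_subnets although the data source is
  // sized by var.private_subnets; fails at plan time with public but no
  // private subnets.
  vpc_id = length(var.public_subnets) > 0 ? data.aws_subnet.private_subnet[0].vpc_id : ""

  ingress {
    from_port   = var.ingress_port
    to_port     = var.ingress_port
    protocol    = "tcp"
    cidr_blocks = var.ingress_cidr_blocks
  }

  // Egress is scoped by destination security group, not CIDR, so the ALB can
  // only reach the application tier. It is still all ports/protocols;
  // narrowing to var.container_port over tcp would match the target group.
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = length(var.security_groups) == 0 ? [aws_security_group.app_sg[0].id] : var.security_groups
  }

  tags = {
    Name = "${local.stack}-${var.name}-alb-sg"
  }
}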
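// Security group for the application tasks/instances: inbound only from the
// load balancer (rules attached separately in alb_sg_rule and app_sg_rule,
// presumably to avoid a cycle with alb_sg's egress reference to this group).
// Created only when the caller supplied no security groups of their own and
// private subnets exist.
resource "aws_security_group" "app_sg" {
  count = length(var.security_groups) == 0 && length(var.private_subnets) > 0 ? 1 : 0

  name = "${local.stack}-${var.name}-app-sg"
  // Typo ("from from") kept: editing the description forces replacement.
  description = "Allow HTTP from from LB into instances"
  // The count above guarantees data.aws_subnet.private_subnet[0] exists, so the
  // VPC is taken from it unconditionally. The former guard on var.public_subnets
  // produced "" whenever there was no ALB, which is not a usable vpc_id for a
  // group that is allowed to exist without one.
  vpc_id = data.aws_subnet.private_subnet[0].vpc_id

  // Unrestricted outbound; narrow it if the workload only needs known endpoints.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${local.stack}-${var.name}-app-sg"
  }
}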
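// Inbound to the application group from the ALB group only. Despite its name
// the rule is attached to app_sg (kept to avoid re-addressing state). It is
// now created only when the ALB group exists; the former "" fallback for
// source_security_group_id did not yield a valid rule.
resource "aws_security_group_rule" "alb_sg_rule" {
  count = length(var.security_groups) == 0 && length(var.private_subnets) > 0 && length(var.public_subnets) > 0 ? 1 : 0

  security_group_id = aws_security_group.app_sg[0].id
  type              = "ingress"
  // NOTE(review): all ports/protocols; the target group only forwards to
  // var.container_port over tcp, so this could be narrowed to match.
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  source_security_group_id = aws_security_group.alb_sg[0].id
}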
// Self-referencing rule: members of the application group may reach each
// other on any port/protocol. Written with source_security_group_id (rather
// than `self = true`) so the existing rule is not recreated.
resource "aws_security_group_rule" "app_sg_rule" {
  count = length(var.security_groups) == 0 && length(var.private_subnets) > 0 ? 1 : 0

  type                     = "ingress"
  protocol                 = "-1"
  from_port                = 0
  to_port                  = 0
  security_group_id        = aws_security_group.app_sg[0].id
  source_security_group_id = aws_security_group.app_sg[0].id
}