Network loadbalancer

README.md

@@ -41,7 +41,8 @@ This repository contains Terraform infrastructure code which creates AWS resourc
 
 | Name | Type |
 |------|------|
-| [aws_appautoscaling_policy.auto_scaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| [aws_appautoscaling_policy.auto_scaling_cpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
+| [aws_appautoscaling_policy.auto_scaling_mem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
 | [aws_appautoscaling_target.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_cloudwatch_log_group.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_ecs_service.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
@@ -52,7 +53,10 @@ This repository contains Terraform infrastructure code which creates AWS resourc
 | [aws_iam_role_policy_attachment.ecs_task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_lb.nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
+| [aws_lb_listener.nlb_listener](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
 | [aws_lb_listener_certificate.extra_certs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_certificate) | resource |
+| [aws_lb_target_group.nlb_tg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
 | [aws_route53_record.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_security_group.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -100,6 +104,8 @@ This repository contains Terraform infrastructure code which creates AWS resourc
 | <a name="input_asg_period"></a> [asg\_period](#input\_asg\_period) | The period in seconds over which the specified statistic is applied | `number` | `60` | no |
 | <a name="input_asg_threshold_cpu_to_scale_down"></a> [asg\_threshold\_cpu\_to\_scale\_down](#input\_asg\_threshold\_cpu\_to\_scale\_down) | The value against which the specified statistic is compared. | `number` | `40` | no |
 | <a name="input_asg_threshold_cpu_to_scale_up"></a> [asg\_threshold\_cpu\_to\_scale\_up](#input\_asg\_threshold\_cpu\_to\_scale\_up) | The value against which the specified statistic is compared. | `number` | `60` | no |
+| <a name="input_asg_threshold_mem_to_scale_down"></a> [asg\_threshold\_mem\_to\_scale\_down](#input\_asg\_threshold\_mem\_to\_scale\_down) | The value against which the specified statistic is compared. | `number` | `40` | no |
+| <a name="input_asg_threshold_mem_to_scale_up"></a> [asg\_threshold\_mem\_to\_scale\_up](#input\_asg\_threshold\_mem\_to\_scale\_up) | The value against which the specified statistic is compared. | `number` | `60` | no |
 | <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | ARN of certificate issued by AWS ACM. | `string` | `""` | no |
 | <a name="input_cloudwatch_log_retention_in_days"></a> [cloudwatch\_log\_retention\_in\_days](#input\_cloudwatch\_log\_retention\_in\_days) | Retention period of app CloudWatch logs | `number` | `7` | no |
 | <a name="input_container_memory_reservation"></a> [container\_memory\_reservation](#input\_container\_memory\_reservation) | The amount of memory (in MiB) to reserve for the container | `number` | `128` | no |
@@ -135,6 +141,7 @@ This repository contains Terraform infrastructure code which creates AWS resourc
 | <a name="input_enable_asg"></a> [enable\_asg](#input\_enable\_asg) | If autoscaling should be enabled | `bool` | `false` | no |
 | <a name="input_enable_datadog_log_forwarder"></a> [enable\_datadog\_log\_forwarder](#input\_enable\_datadog\_log\_forwarder) | Whether we create the lambda to forward logs to datadog | `bool` | `false` | no |
 | <a name="input_enable_datadog_sidecar"></a> [enable\_datadog\_sidecar](#input\_enable\_datadog\_sidecar) | Whether the datadog sidecar should be added to the task definition | `bool` | `false` | no |
+| <a name="input_enable_nlb"></a> [enable\_nlb](#input\_enable\_nlb) | IF an network load balancer should be created | `bool` | `true` | no |
 | <a name="input_enable_service_discovery"></a> [enable\_service\_discovery](#input\_enable\_service\_discovery) | Whether the service should be registered with Service Discovery. In order to use Service Disovery, an existing DNS Namespace must exist and be passed in. | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the environment | `string` | n/a | yes |
 | <a name="input_external_iam_role"></a> [external\_iam\_role](#input\_external\_iam\_role) | The ARN of the role to be attached to the ECS container | `string` | `""` | no |

ecs.tf

@@ -58,6 +58,7 @@
     }
   }
 
+  # application load balancer
   dynamic "load_balancer" {
     for_each = module.alb
     content {
@@ -76,6 +77,16 @@
     }
   }
 
+  # network load balancer
+  dynamic "load_balancer" {
+    for_each = aws_lb_target_group.nlb_tg
+    content {
+      container_name   = local.container_name
+      container_port   = var.app_port_mapping.0.containerPort
+      target_group_arn = aws_lb_target_group.nlb_tg.0.arn
+    }
+  }
+
   tags = local.local_tags
 
   lifecycle {
@@ -84,7 +95,7 @@
 
 }
 
 module "container_definition" {
   source  = "cloudposse/ecs-container-definition/aws"
   version = "v0.58.1"
 
@@ -153,7 +164,7 @@
 
 }
 
 resource "aws_ecs_task_definition" "app" {
   #checkov:skip=CKV_AWS_97:
   family                   = local.ecs_task_definition_family_name
   execution_role_arn       = var.create_default_role ? aws_iam_role.ecs_task_execution[0].arn : var.external_iam_role

load_balancer_network.tf

@@ -0,0 +1,34 @@
+####################################
+## Internal network load balancer ##
+####################################
+
+resource "aws_lb" "nlb" {
+  count                      = var.enable_nlb ? 1 : 0
+  name                       = "${var.environment}-${var.name}-nlb"
+  internal                   = true
+  load_balancer_type         = "network"
+  subnets                    = var.private_subnet_ids
+  enable_deletion_protection = false
+  tags                       = local.local_tags
+}
+
+resource "aws_lb_target_group" "nlb_tg" {
+  count       = var.enable_nlb ? 1 : 0
+  name        = "${var.environment}-${var.name}-nlb-tg"
+  port        = var.app_port_mapping.0.containerPort
+  protocol    = "TCP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+}
+
+# Redirect all traffic from the NLB to the target group
+resource "aws_lb_listener" "nlb_listener" {
+  count             = var.enable_nlb ? 1 : 0
+  load_balancer_arn = aws_lb.nlb.0.id
+  port              = var.app_port_mapping.0.containerPort
+  protocol          = "TCP"
+  default_action {
+    target_group_arn = aws_lb_target_group.nlb_tg.0.id
+    type             = "forward"
+  }
+}

outputs.tf

@@ -8,8 +8,18 @@ output "vpc_id" {
   value       = var.vpc_id
 }
 
+output "nlb_id" {
+  description = "The ID and ARN of the network load balancer created"
+  value       = try(aws_lb.nlb.0.id, null)
+}
+
+output "nlb_dns_name" {
+  description = "Dns name of nlb"
+  value       = try(aws_lb.nlb.0.dns_name, null)
+}
+
 output "alb_id" {
-  description = "The ID and ARN of the load balancer we created"
+  description = "The ID and ARN of the application load balancer created"
   value       = try(module.alb.0.this_lb_id, null)
 }
 

variables.tf

@@ -50,6 +50,13 @@ variable "private_subnet_ids" {
   default     = []
 }
 
+# NLB
+variable "enable_nlb" {
+  description = "IF an network load balancer should be created"
+  type        = bool
+  default     = true
+}
+
 # ALB
 variable "enable_alb" {
   description = "IF an application load balancer should be created"