Added support for using a private lb for the internal sombra
Showing
7 changed files
with
480 additions
and
132 deletions.
@@ -0,0 +1,14 @@ | ||
output internal_target_group_arn { | ||
value = var.use_private_load_balancer ? module.internal_load_balancer.target_group_arns[0] : module.load_balancer.target_group_arns[0] | ||
description = "ARN of the internal sombra load balancer target group" | ||
} | ||
|
||
output external_target_group_arn { | ||
value = var.use_private_load_balancer ? module.external_load_balancer.target_group_arns[0] : module.load_balancer.target_group_arns[1] | ||
description = "ARN of the external sombra load balancer target group" | ||
} | ||
|
||
output security_group_ids { | ||
value = var.use_private_load_balancer ? [module.internal_security_group.this_security_group_id, module.external_security_group.this_security_group_id] : [module.single_security_group.this_security_group_id] | ||
description = "The ids of all security groups set on the ALB. We require that the tasks can only talk to the ALB" | ||
} |
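Review bot: The non-private branches of `internal_target_group_arn` and `external_target_group_arn` read `module.load_balancer.target_group_arns[0]` and `[1]`, and that module's target-group ordering is defined outside this diff, so the two outputs silently swap if its `target_groups` list is ever reordered. A comment pinning the dependency would make that visible, e.g. `# module.load_balancer registers the internal target group first and the external one second; keep that order in sync` above `output internal_target_group_arn`. The same applies to `security_group_ids`, whose list order (internal first, external second) callers will likely index by position; stating that order in the description helps consumers.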
@@ -0,0 +1,186 @@ | ||
################################### | ||
# Internal, Private Load Balancer # | ||
################################### | ||
|
||
module internal_load_balancer { | ||
source = "terraform-aws-modules/alb/aws" | ||
version = "~> 5.0" | ||
|
||
create_lb = var.use_private_load_balancer | ||
|
||
# General Settings | ||
name = "${var.project_id}-sombra-internal" | ||
enable_deletion_protection = false | ||
access_logs = var.alb_access_logs | ||
|
||
# VPC Settings | ||
subnets = var.private_subnet_ids | ||
vpc_id = var.vpc_id | ||
security_groups = [module.internal_security_group.this_security_group_id] | ||
|
||
# Make this only internal to the VPC | ||
internal = true | ||
ip_address_type = "ipv4" | ||
|
||
# Listeners | ||
https_listeners = [{ | ||
certificate_arn = var.certificate_arn | ||
port = var.internal_port | ||
ssl_policy = "ELBSecurityPolicy-2016-08" | ||
}] | ||
|
||
# Target groups | ||
target_groups = [{ | ||
name = "${var.deploy_env}-${var.project_id}-internal" | ||
backend_protocol = "HTTPS" | ||
target_type = "ip" | ||
backend_port = var.internal_port | ||
health_check = { | ||
enabled = true | ||
interval = 30 | ||
port = var.internal_port | ||
path = "/health" | ||
protocol = "HTTPS" | ||
} | ||
}] | ||
} | ||
|
||
module "internal_security_group" { | ||
source = "terraform-aws-modules/security-group/aws" | ||
version = "3.4.0" | ||
|
||
create = var.use_private_load_balancer | ||
|
||
name = "${var.project_id}-internal-alb" | ||
description = "Security group for the internal, private sombra alb" | ||
vpc_id = var.vpc_id | ||
|
||
ingress_with_cidr_blocks = [{ | ||
protocol = "tcp" | ||
from_port = var.internal_port | ||
to_port = var.internal_port | ||
cidr_blocks = join(",", var.incoming_cidr_ranges) | ||
description = "Allow private communications to internal load balancer" | ||
}] | ||
|
||
egress_with_cidr_blocks = [{ | ||
protocol = "tcp" | ||
from_port = var.internal_port | ||
to_port = var.internal_port | ||
cidr_blocks = join(",", var.private_subnets_cidr_blocks) | ||
description = "Allow the ALB to talk to the internal service" | ||
}] | ||
} | ||
|
||
############################################# | ||
# Make a private zone for the load balancer # | ||
############################################# | ||
|
||
resource "aws_route53_zone" "private" { | ||
count = var.use_private_load_balancer ? 1 : 0 | ||
|
||
name = var.root_domain | ||
vpc { vpc_id = var.vpc_id } | ||
} | ||
|
||
resource "aws_route53_record" "alb_alias" { | ||
count = var.use_private_load_balancer ? 1 : 0 | ||
|
||
zone_id = aws_route53_zone.private[0].zone_id | ||
name = "${var.subdomain}.${var.root_domain}" | ||
type = "A" | ||
|
||
alias { | ||
name = module.internal_load_balancer.this_lb_dns_name | ||
zone_id = module.internal_load_balancer.this_lb_zone_id | ||
evaluate_target_health = false | ||
} | ||
} | ||
|
||
############################################ | ||
# External, Transcend Facing Load Balancer # | ||
############################################ | ||
|
||
module external_load_balancer { | ||
source = "terraform-aws-modules/alb/aws" | ||
version = "~> 5.0" | ||
|
||
create_lb = var.use_private_load_balancer | ||
|
||
# General Settings | ||
name = "${var.project_id}-sombra-external" | ||
enable_deletion_protection = false | ||
access_logs = var.alb_access_logs | ||
|
||
# VPC Settings | ||
subnets = var.public_subnet_ids | ||
vpc_id = var.vpc_id | ||
security_groups = [module.external_security_group.this_security_group_id] | ||
|
||
# Listeners | ||
https_listeners = [{ | ||
certificate_arn = var.certificate_arn | ||
port = var.external_port | ||
ssl_policy = "ELBSecurityPolicy-FS-2018-06" | ||
}] | ||
|
||
# Target groups | ||
target_groups = [{ | ||
name = "${var.deploy_env}-${var.project_id}-external" | ||
backend_protocol = "HTTPS" | ||
target_type = "ip" | ||
backend_port = var.external_port | ||
health_check = { | ||
enabled = true | ||
interval = 30 | ||
port = var.external_port | ||
path = "/health" | ||
protocol = "HTTPS" | ||
} | ||
}] | ||
} | ||
|
||
module "external_security_group" { | ||
source = "terraform-aws-modules/security-group/aws" | ||
version = "3.4.0" | ||
|
||
create = var.use_private_load_balancer | ||
|
||
name = "${var.project_id}-external-alb" | ||
description = "Security group for the external, public sombra alb" | ||
vpc_id = var.vpc_id | ||
|
||
ingress_with_cidr_blocks = [{ | ||
protocol = "tcp" | ||
from_port = var.external_port | ||
to_port = var.external_port | ||
cidr_blocks = join(",", var.transcend_backend_ips) | ||
description = "Allow communications to external ALB from Transcend IPs over public DNS" | ||
}] | ||
|
||
egress_with_cidr_blocks = [{ | ||
protocol = "tcp" | ||
from_port = var.external_port | ||
to_port = var.external_port | ||
cidr_blocks = join(",", var.private_subnets_cidr_blocks) | ||
description = "Allow the ALB to talk to the external service" | ||
}] | ||
} | ||
|
||
########################################################### | ||
# Make a public DNS record for the external load balancer # | ||
########################################################### | ||
|
||
resource "aws_route53_record" "external_alb_alias" { | ||
count = var.use_private_load_balancer ? 1 : 0 | ||
|
||
zone_id = var.zone_id | ||
name = "${var.subdomain}.${var.root_domain}" | ||
type = "A" | ||
|
||
alias { | ||
name = module.external_load_balancer.this_lb_dns_name | ||
zone_id = module.external_load_balancer.this_lb_zone_id | ||
evaluate_target_health = false | ||
} | ||
} |
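Review bot: The internal listener's `ssl_policy = "ELBSecurityPolicy-2016-08"` (first `https_listeners` block of `module internal_load_balancer`) is weaker than the `ELBSecurityPolicy-FS-2018-06` set on the external listener: 2016-08 is the AWS default and still offers RSA key-exchange suites without forward secrecy, so the private path this commit introduces negotiates worse TLS than the public one. Unless a client in `var.incoming_cidr_ranges` cannot do ECDHE, align it to `ssl_policy = "ELBSecurityPolicy-FS-2018-06"` (or a TLS 1.2-only policy such as `ELBSecurityPolicy-FS-1-2-2019-08` if the clients allow it). Two further points are worth a comment rather than a change: `aws_route53_zone.private` is named `var.root_domain`, so inside the VPC it shadows every public record under that apex, not only `${var.subdomain}.${var.root_domain}`, and any other hostnames the tasks resolve under the root domain must be duplicated into the private zone; and both ALBs hard-code `enable_deletion_protection = false`, which presumably should follow `var.deploy_env` for production stacks.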