Added support for using a private lb for the internal sombra
dmattia committed Feb 27, 2020
1 parent 53fdf91 commit 1862710
Showing 7 changed files with 480 additions and 132 deletions.
148 changes: 27 additions & 121 deletions main.tf
Expand Up @@ -3,109 +3,31 @@
#################

module load_balancer {
source = "terraform-aws-modules/alb/aws"
version = "~> 5.0"
source = "./modules/sombra_load_balancers"

# General Settings
name = "${var.deploy_env}-sombra-${var.project_id}-alb"
enable_deletion_protection = false
access_logs = var.alb_access_logs

# VPC Settings
subnets = var.public_subnet_ids
vpc_id = var.vpc_id
security_groups = [aws_security_group.alb.id]

# Listeners
https_listeners = [
# Internal Listener
{
certificate_arn = var.certificate_arn
port = var.internal_port
ssl_policy = "ELBSecurityPolicy-2016-08"
target_group_index = 0
},
# External Listener
{
certificate_arn = var.certificate_arn
port = var.external_port
ssl_policy = "ELBSecurityPolicy-FS-2018-06"
target_group_index = 1
},
]

# Target groups
target_groups = [
# Internal group
{
name = "${var.deploy_env}-${var.project_id}-internal"
backend_protocol = "HTTPS"
target_type = "ip"
backend_port = var.internal_port
health_check = {
enabled = true
interval = 30
port = var.internal_port
path = "/health"
protocol = "HTTPS"
}
},
# External group
{
name = "${var.deploy_env}-${var.project_id}-external"
backend_protocol = "HTTPS"
target_type = "ip"
backend_port = var.external_port
health_check = {
enabled = true
interval = 30
port = var.external_port
path = "/health"
protocol = "HTTPS"
}
},
]
}

resource "aws_security_group" "alb" {
name = "${var.deploy_env}-${var.project_id}-sombra-alb-security-group"
description = "Security group for sombra alb"
vpc_id = var.vpc_id

# Allow external port
ingress {
protocol = "tcp"
from_port = var.external_port
to_port = var.external_port
cidr_blocks = var.transcend_backend_ips
}

# Allow internal port from the calling companies IP range
ingress {
protocol = "tcp"
from_port = var.internal_port
to_port = var.internal_port
cidr_blocks = var.incoming_cidr_ranges
}

egress {
protocol = "tcp"
from_port = var.internal_port
to_port = var.internal_port
cidr_blocks = var.private_subnets_cidr_blocks
}

egress {
protocol = "tcp"
from_port = var.external_port
to_port = var.external_port
cidr_blocks = var.private_subnets_cidr_blocks
}

timeouts {
create = "45m"
delete = "45m"
}
deploy_env = var.deploy_env
project_id = var.project_id
alb_access_logs = var.alb_access_logs

# Ports and Firewall settings
internal_port = var.internal_port
external_port = var.external_port
transcend_backend_ips = var.transcend_backend_ips
incoming_cidr_ranges = var.incoming_cidr_ranges

# VPC settings
vpc_id = var.vpc_id
public_subnet_ids = var.public_subnet_ids
private_subnet_ids = var.private_subnet_ids
private_subnets_cidr_blocks = var.private_subnets_cidr_blocks

# DNS Settings
subdomain = var.subdomain
root_domain = var.root_domain
zone_id = var.zone_id
certificate_arn = var.certificate_arn
use_private_load_balancer = var.use_private_load_balancer
}

############
Expand Down Expand Up @@ -209,7 +131,7 @@ module service {
cluster_id = local.cluster_id
vpc_id = var.vpc_id
subnet_ids = var.private_subnet_ids
alb_security_group_ids = [aws_security_group.alb.id]
alb_security_group_ids = module.load_balancer.security_group_ids
container_definitions = format(
"[%s]",
join(",", setunion(
Expand All @@ -227,13 +149,13 @@ module service {
load_balancers = [
# Internal target group manager
{
target_group_arn = module.load_balancer.target_group_arns[0]
target_group_arn = module.load_balancer.internal_target_group_arn
container_name = module.container_definition.container_name
container_port = var.internal_port
},
# External target group manager
{
target_group_arn = module.load_balancer.target_group_arns[1]
target_group_arn = module.load_balancer.external_target_group_arn
container_name = module.container_definition.container_name
container_port = var.external_port
}
Expand Down Expand Up @@ -281,20 +203,4 @@ resource "aws_iam_policy" "kms_policy" {
name = "${var.deploy_env}-${var.project_id}-sombra-kms-policy"
description = "Allows Sombra instances to get the KMS key"
policy = data.aws_iam_policy_document.kms_policy_doc.json
}

#######
# DNS #
#######

resource "aws_route53_record" "alb_alias" {
zone_id = var.zone_id
name = "${var.subdomain}.${var.root_domain}"
type = "A"

alias {
name = module.load_balancer.this_lb_dns_name
zone_id = module.load_balancer.this_lb_zone_id
evaluate_target_health = false
}
}
}
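Review bot: The new `use_private_load_balancer = var.use_private_load_balancer` line at the end of the `load_balancer` module block is the only place main.tf exposes the new mode, and nothing there says what it switches on; a short comment would help the next reader, e.g. `# When true, the module builds a VPC-internal ALB (served from a private hosted zone) plus a separate public ALB for Transcend, instead of one shared ALB`. Judging from the module's new files, flipping this flag on an existing deployment appears to replace the ALB and its target groups (the resource names differ between the two modes), so callers should plan for a cutover rather than an in-place change, although the single-ALB definition is in a file not shown in this commit view. The `alb_security_group_ids = module.load_balancer.security_group_ids` change in the service hunk is consistent with that design, since the output carries two security groups in private mode.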
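--- /dev/null
+++ b/modules/sombra_load_balancers/outputs.tf
@@ -0,0 +1,14 @@
+output internal_target_group_arn {
+value = var.use_private_load_balancer ? module.internal_load_balancer.target_group_arns[0] : module.load_balancer.target_group_arns[0]
+description = "ARN of the internal sombra load balancer target group"
+}
+
+output external_target_group_arn {
+value = var.use_private_load_balancer ? module.external_load_balancer.target_group_arns[0] : module.load_balancer.target_group_arns[1]
+description = "ARN of the external sombra load balancer target group"
+}
+
+output security_group_ids {
+value = var.use_private_load_balancer ? [module.internal_security_group.this_security_group_id, module.external_security_group.this_security_group_id] : [module.single_security_group.this_security_group_id]
+description = "The ids of all security groups set on the ALB. We require that the tasks can only talk to the ALB"
+}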
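Review bot: Both target-group outputs index `target_group_arns` on each arm of the conditional, yet in any given mode one of the two ALB modules is not created (`create_lb` is tied to the flag in separate_albs.tf, and presumably the single-ALB module is gated the other way in a file not shown), so that arm indexes an empty list; on the Terraform releases current when this was written, the unselected arm of a conditional was still evaluated and an empty-list `[0]` raised an invalid-index error rather than being skipped — worth checking against the pinned Terraform version. If the project is on 0.12.20 or later, `try()` expresses the intent directly, e.g. `value = try(module.internal_load_balancer.target_group_arns[0], module.load_balancer.target_group_arns[0])` and `value = try(module.external_load_balancer.target_group_arns[0], module.load_balancer.target_group_arns[1])`; otherwise `concat(module.internal_load_balancer.target_group_arns, module.load_balancer.target_group_arns)[0]` avoids indexing an empty list for the internal case. `module.load_balancer` and `module.single_security_group` are referenced here but defined in one of the four files this page does not show.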
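--- /dev/null
+++ b/modules/sombra_load_balancers/separate_albs.tf
@@ -0,0 +1,186 @@
+###################################
+# Internal, Private Load Balancer #
+###################################
+
+module internal_load_balancer {
+source = "terraform-aws-modules/alb/aws"
+version = "~> 5.0"
+
+create_lb = var.use_private_load_balancer
+
+# General Settings
+name = "${var.project_id}-sombra-internal"
+enable_deletion_protection = false
+access_logs = var.alb_access_logs
+
+# VPC Settings
+subnets = var.private_subnet_ids
+vpc_id = var.vpc_id
+security_groups = [module.internal_security_group.this_security_group_id]
+
+# Make this only internal to the VPC
+internal = true
+ip_address_type = "ipv4"
+
+# Listeners
+https_listeners = [{
+certificate_arn = var.certificate_arn
+port = var.internal_port
+ssl_policy = "ELBSecurityPolicy-2016-08"
+}]
+
+# Target groups
+target_groups = [{
+name = "${var.deploy_env}-${var.project_id}-internal"
+backend_protocol = "HTTPS"
+target_type = "ip"
+backend_port = var.internal_port
+health_check = {
+enabled = true
+interval = 30
+port = var.internal_port
+path = "/health"
+protocol = "HTTPS"
+}
+}]
+}
+
+module "internal_security_group" {
+source = "terraform-aws-modules/security-group/aws"
+version = "3.4.0"
+
+create = var.use_private_load_balancer
+
+name = "${var.project_id}-internal-alb"
+description = "Security group for the internal, private sombra alb"
+vpc_id = var.vpc_id
+
+ingress_with_cidr_blocks = [{
+protocol = "tcp"
+from_port = var.internal_port
+to_port = var.internal_port
+cidr_blocks = join(",", var.incoming_cidr_ranges)
+description = "Allow private communications to internal load balancer"
+}]
+
+egress_with_cidr_blocks = [{
+protocol = "tcp"
+from_port = var.internal_port
+to_port = var.internal_port
+cidr_blocks = join(",", var.private_subnets_cidr_blocks)
+description = "Allow the ALB to talk to the internal service"
+}]
+}
+
+#############################################
+# Make a private zone for the load balancer #
+#############################################
+
+resource "aws_route53_zone" "private" {
+count = var.use_private_load_balancer ? 1 : 0
+
+name = var.root_domain
+vpc { vpc_id = var.vpc_id }
+}
+
+resource "aws_route53_record" "alb_alias" {
+count = var.use_private_load_balancer ? 1 : 0
+
+zone_id = aws_route53_zone.private[0].zone_id
+name = "${var.subdomain}.${var.root_domain}"
+type = "A"
+
+alias {
+name = module.internal_load_balancer.this_lb_dns_name
+zone_id = module.internal_load_balancer.this_lb_zone_id
+evaluate_target_health = false
+}
+}
+
+############################################
+# External, Transcend Facing Load Balancer #
+############################################
+
+module external_load_balancer {
+source = "terraform-aws-modules/alb/aws"
+version = "~> 5.0"
+
+create_lb = var.use_private_load_balancer
+
+# General Settings
+name = "${var.project_id}-sombra-external"
+enable_deletion_protection = false
+access_logs = var.alb_access_logs
+
+# VPC Settings
+subnets = var.public_subnet_ids
+vpc_id = var.vpc_id
+security_groups = [module.external_security_group.this_security_group_id]
+
+# Listeners
+https_listeners = [{
+certificate_arn = var.certificate_arn
+port = var.external_port
+ssl_policy = "ELBSecurityPolicy-FS-2018-06"
+}]
+
+# Target groups
+target_groups = [{
+name = "${var.deploy_env}-${var.project_id}-external"
+backend_protocol = "HTTPS"
+target_type = "ip"
+backend_port = var.external_port
+health_check = {
+enabled = true
+interval = 30
+port = var.external_port
+path = "/health"
+protocol = "HTTPS"
+}
+}]
+}
+
+module "external_security_group" {
+source = "terraform-aws-modules/security-group/aws"
+version = "3.4.0"
+
+create = var.use_private_load_balancer
+
+name = "${var.project_id}-external-alb"
+description = "Security group for the external, public sombra alb"
+vpc_id = var.vpc_id
+
+ingress_with_cidr_blocks = [{
+protocol = "tcp"
+from_port = var.external_port
+to_port = var.external_port
+cidr_blocks = join(",", var.transcend_backend_ips)
+description = "Allow communications to external ALB from Transcend IPs over public DNS"
+}]
+
+egress_with_cidr_blocks = [{
+protocol = "tcp"
+from_port = var.external_port
+to_port = var.external_port
+cidr_blocks = join(",", var.private_subnets_cidr_blocks)
+description = "Allow the ALB to talk to the external service"
+}]
+}
+
+###########################################################
+# Make a public DNS record for the external load balancer #
+###########################################################
+
+resource "aws_route53_record" "external_alb_alias" {
+count = var.use_private_load_balancer ? 1 : 0
+
+zone_id = var.zone_id
+name = "${var.subdomain}.${var.root_domain}"
+type = "A"
+
+alias {
+name = module.external_load_balancer.this_lb_dns_name
+zone_id = module.external_load_balancer.this_lb_zone_id
+evaluate_target_health = false
+}
+}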
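Review bot: `aws_route53_zone.private` is created with `name = var.root_domain` and attached to the VPC, so the private zone takes over resolution of the whole root domain for everything in that VPC, not just the sombra hostname; any other public name under `var.root_domain` that workloads in the VPC depend on (other services, mail, the company website) stops resolving the moment the zone is associated, which is both an outage risk and a way for a record in this zone to silently shadow a public one. Scoping the zone to the hostname avoids the shadowing with a one-line change on the zone, `name = "${var.subdomain}.${var.root_domain}"`, while `aws_route53_record.alb_alias` keeps its current `name` and simply becomes the zone apex, which an ALB alias record supports. Since `alb_alias` and `external_alb_alias` then answer for the same FQDN from different zones, a comment such as `# Split-horizon: clients inside the VPC resolve to the internal ALB, everyone else to the public one` above the zone would make the intent explicit. As a point of style, the file mixes `module internal_load_balancer {` with `module "internal_security_group" {`; quoting all module labels would match the `resource` blocks in the same file.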