# note that this creates the alb, target group, and access logs
# the listeners are defined in lb-http.tf and lb-https.tf
# delete either of those files if your app doesn't need it,
# but you need at least one of them
# The amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused
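variable "deregistration_delay" {
  description = "Seconds Elastic Load Balancing waits before moving a deregistering target from draining to unused. AWS accepts 0-3600."
  type        = number
  default     = 30
}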
# The path to the health check for the load balancer to know if the container(s) are ready
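variable "health_check" {
  description = "HTTP path the load balancer requests to decide whether the container(s) are ready (for example \"/health\"). No default: every caller must set it."
  type        = string
}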
# How often to check the liveness of the container
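variable "health_check_interval" {
  description = "Seconds between health checks of each target. Must be larger than health_check_timeout."
  type        = number
  default     = 30
}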
# How long to wait for the response on the health check path
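variable "health_check_timeout" {
  description = "Seconds to wait for a response on the health-check path before the check counts as failed. Must be smaller than health_check_interval."
  type        = number
  default     = 10
}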
# What HTTP response code to listen for
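variable "health_check_matcher" {
  description = "HTTP status code(s) that count as healthy. A single code, a comma-separated list or a range (e.g. \"200-299\") is accepted."
  type        = string
  default     = "200"
}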
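variable "lb_access_logs_expiration_days" {
  description = "Days to keep ALB access logs in the module-managed bucket before the lifecycle rule expires them. Three days is short for incident investigation; raise it if these logs are part of your audit trail."
  type        = number
  default     = 3
}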
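variable "lb_internal" {
  description = "Create an internal (VPC-only) load balancer instead of an internet-facing one. The default of false creates an internet-facing ALB in the subnets given by var.lb_subnets."
  type        = bool
  default     = false
}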
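variable "lb_logs_bucket_policy_override" {
  description = "Optional IAM policy JSON merged over the generated access-log bucket policy (passed as override_json). Whatever this grants is applied to the log bucket, so treat it as privileged input."
  type        = string
  default     = ""
}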
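# Application load balancer fronting the service.  Listeners live in
# lb-http.tf / lb-https.tf; this block creates only the ALB itself.
resource "aws_alb" "main" {
  count = 1

  name     = "${var.app}-${var.environment}"
  internal = var.lb_internal

  # launch lbs in the public subnet; the subnet ids arrive as one
  # comma-separated string in var.lb_subnets
  subnets         = split(",", var.lb_subnets)
  security_groups = [aws_security_group.nsg_lb.id]
  tags            = var.tags

  # When true, header fields that are not valid HTTP are dropped instead of
  # being forwarded to the targets.
  drop_invalid_header_fields = var.lb_drop_invalid_header_fields

  # NOTE(review): enable_deletion_protection is not set, so `terraform destroy`
  # removes the ALB in one step; consider exposing it as a variable.

  # enable access logs in order to get support from aws; they are also the
  # request-level audit trail for this ALB.  Logs go to the module-managed
  # bucket (aws_s3_bucket.lb_access_logs, created only when no bucket name is
  # supplied) or to the caller-supplied var.alb_access_log_bucket.  Index [0]
  # matches how the bucket resources below reference the count-guarded bucket.
  access_logs {
    enabled = true
    bucket  = var.alb_access_log_bucket == null ? aws_s3_bucket.lb_access_logs[0].bucket : var.alb_access_log_bucket
  }
}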
# Target group the listeners forward to.  target_type "ip" registers targets by
# address rather than instance id, which is what awsvpc-networked tasks need.
resource "aws_alb_target_group" "main" {
  name        = "${var.app}-${var.environment}"
  vpc_id      = var.vpc
  target_type = "ip"
  port        = var.lb_port
  protocol    = var.lb_protocol
  tags        = var.tags

  # see var.deregistration_delay (draining -> unused wait)
  deregistration_delay = var.deregistration_delay

  # Health check against var.health_check.  No protocol is set here, so the
  # provider default applies rather than var.lb_protocol — confirm this is
  # intended when lb_protocol is HTTPS.  Thresholds are fixed at 5 consecutive
  # results in each direction.
  health_check {
    path                = var.health_check
    matcher             = var.health_check_matcher
    interval            = var.health_check_interval
    timeout             = var.health_check_timeout
    healthy_threshold   = 5
    unhealthy_threshold = 5
  }
}
# Regional AWS account that Elastic Load Balancing delivers access logs from;
# its ARN is the principal granted s3:PutObject in the bucket policy below.
data "aws_elb_service_account" "main" {
}
# bucket for storing ALB access logs
# bucket for storing ALB access logs; created only when the caller does not
# supply var.alb_access_log_bucket (count is 0 otherwise)
resource "aws_s3_bucket" "lb_access_logs" {
  count = var.alb_access_log_bucket == null ? 1 : 0

  bucket = "${var.app}-${var.environment}-lb-access-logs"
  tags   = var.tags
  acl    = "private"

  # force_destroy removes the logs together with the bucket on destroy, so the
  # ALB audit trail does not outlive the stack.  Use var.alb_access_log_bucket
  # to point at a longer-lived bucket when the logs must be retained.
  force_destroy = true

  # NOTE(review): no aws_s3_bucket_public_access_block is attached in this file;
  # confirm one exists elsewhere in the module or add one for this bucket.
  # NOTE(review): inline acl / lifecycle_rule / server_side_encryption_configuration
  # are deprecated in AWS provider 4.x in favour of separate resources — depends
  # on the provider version this module pins, which is not visible here.

  # ALB access-log delivery supports only SSE-S3 (AES256), not SSE-KMS, so keep
  # this algorithm.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Expire logs after var.lb_access_logs_expiration_days and drop aborted
  # multipart uploads after one day.  Empty prefix = whole bucket.
  lifecycle_rule {
    id      = "cleanup"
    enabled = true
    prefix  = ""

    abort_incomplete_multipart_upload_days = 1

    expiration {
      days = var.lb_access_logs_expiration_days
    }
  }
}
# give load balancing service access to the bucket
# give load balancing service access to the bucket: attaches the generated
# policy document.  Same count guard as the bucket, so it is absent when the
# caller supplies their own log bucket.
resource "aws_s3_bucket_policy" "lb_access_logs" {
  count = var.alb_access_log_bucket == null ? 1 : 0

  policy = data.aws_iam_policy_document.lb_access_logs[0].json
  bucket = aws_s3_bucket.lb_access_logs[0].id
}
# Bucket policy granting the regional ELB service account write access for
# access-log delivery.
data "aws_iam_policy_document" "lb_access_logs" {
  count = var.alb_access_log_bucket == null ? 1 : 0

  policy_id = "Policy"

  # Caller-supplied JSON merged over this document.  The statement below has no
  # sid, so per the provider's override semantics an override can add statements
  # but not replace this one — confirm against the pinned provider version.
  # Anything the override grants is applied to the log bucket.
  override_json = var.lb_logs_bucket_policy_override

  statement {
    effect  = "Allow"
    actions = ["s3:PutObject"]

    # PutObject is an object-level action, so the bare bucket ARN grants nothing
    # extra (harmless).  ALB writes under AWSLogs/<account-id>/ in the bucket,
    # so the object resource could be narrowed to that prefix if desired.
    resources = [
      aws_s3_bucket.lb_access_logs[0].arn,
      "${aws_s3_bucket.lb_access_logs[0].arn}/*",
    ]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}
# The load balancer DNS name
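output "lb_dns" {
  description = "DNS name of the ALB (aws_alb.main). Resolves to private addresses when var.lb_internal is true; point the app's CNAME/alias record at it."
  value       = aws_alb.main[0].dns_name
}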