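## Application Load Balancer placed in the public subnets.
## The HTTP listener below answers unmatched requests with a fixed 403 and a
## listener rule forwards matching paths to the target group; the HTTPS redirect
## and the HTTPS listener are commented out, so this ALB serves plain HTTP only.
## "aws_alb" is the legacy alias of "aws_lb"; it is kept so the state address
## does not change.
resource "aws_alb" "alb" {
  name            = "${local.app-name}-ALB"
  security_groups = [aws_security_group.alb.id]
  subnets         = aws_subnet.public.*.id

  # Remove request headers with invalid field names at the load balancer
  # instead of passing them through unchanged to the targets.
  drop_invalid_header_fields = true
}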
## Listener on port 80. Requests not matched by any listener rule receive a
## plain-text 403; the redirect-to-HTTPS variant of the default action is kept
## below, disabled, for when an HTTPS listener is enabled.
resource "aws_alb_listener" "alb_default_listener_http" {
  load_balancer_arn = aws_alb.alb.arn
  protocol          = "HTTP"
  port              = "80"

  default_action {
    type = "fixed-response"

    fixed_response {
      status_code  = "403"
      content_type = "text/plain"
      message_body = "Access denied"
    }
  }

  # Alternative default action (disabled): redirect every HTTP request to HTTPS.
  # default_action {
  #   type = "redirect"
  #   redirect {
  #     port        = "443"
  #     protocol    = "HTTPS"
  #     status_code = "HTTP_301"
  #   }
  # }
}
# resource "aws_lb_listener" "alb_default_listener_https" {
# load_balancer_arn = aws_alb.alb.arn
# port = "443"
# protocol = "HTTPS"
# # certificate_arn = aws_acm_certificate.alb_certificate.arn
# # ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
# default_action {
# type = "fixed-response"
# fixed_response {
# content_type = "text/plain"
# message_body = "Access denied"
# status_code = "403"
# }
# }
# # depends_on = [aws_acm_certificate.alb_certificate]
# }
## Listener rule: forward requests on the HTTP listener to the service target
## group. Only the catch-all path condition is active; the host-header and
## custom-header conditions are kept below, disabled.
resource "aws_lb_listener_rule" "http_listener_rule" {
  listener_arn = aws_alb_listener.alb_default_listener_http.arn

  # Catch-all path match; the listener's 403 default action only applies to
  # requests that no rule matches.
  condition {
    path_pattern {
      values = ["/*"]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.service_target_group.arn
  }

  # Disabled conditions kept for reference:
  # condition {
  #   host_header {
  #     values = ["${local.app-name}.${var.domain_name}"]
  #   }
  # }
  # condition {
  #   http_header {
  #     http_header_name = "X-Custom-Header"
  #     values           = [var.custom_origin_host_header]
  #   }
  # }
}
## Target group the listener rule forwards to; targets are reached over HTTP
## on port 8000 inside the default VPC.
resource "aws_alb_target_group" "service_target_group" {
  name     = "${local.app-name}-TargetGroup"
  vpc_id   = aws_vpc.default_vpc.id
  protocol = "HTTP"
  port     = "8000"

  # Drain time (seconds) before a deregistering target is treated as unused.
  deregistration_delay = 120

  # Health checks run over HTTP on the same port the traffic uses
  # ("traffic-port"). No path or matcher is set, so the provider defaults
  # apply; the variable-driven values stay commented out.
  health_check {
    protocol            = "HTTP"
    port                = "traffic-port"
    interval            = "60"
    timeout             = "30"
    healthy_threshold   = "2"
    unhealthy_threshold = "2"
    # path    = var.healthcheck_endpoint
    # matcher = var.healthcheck_matcher
  }

  # Make sure the load balancer exists before this group is created.
  depends_on = [aws_alb.alb]
}
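## Security group attached to the ALB. Inbound is limited to plain HTTP (80)
## from the admin and AWS CIDR ranges defined in locals; there is no HTTPS
## rule, matching the commented-out HTTPS listener. Outbound is unrestricted.
resource "aws_security_group" "alb" {
  name        = "${local.app-name}_ALB_SecurityGroup"
  description = "Security group for ALB"
  vpc_id      = aws_vpc.default_vpc.id

  # The rule is scoped to two specific CIDR ranges, not the whole Internet,
  # so the description states that scope.
  ingress {
    description = "Allow HTTP ingress only from the admin and AWS CIDR ranges"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [local.admin-cidr, local.aws-cidr]
  }

  # Outbound stays open so the ALB can reach its targets on 8000 and run
  # health checks; the target network is not known from this file, so it is
  # not narrowed here.
  egress {
    description = "Allow all egress traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${local.app-name}_ALB_SecurityGroup"
  }
}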
# data "aws_ec2_managed_prefix_list" "cloudfront" {
# name = "com.amazonaws.global.cloudfront.origin-facing"
# }
# ## We only allow incoming traffic on HTTP and HTTPS from known CloudFront CIDR blocks
# resource "aws_security_group_rule" "alb_cloudfront_https_ingress_only" {
# security_group_id = aws_security_group.alb.id
# description = "Allow HTTPS access only from CloudFront CIDR blocks"
# from_port = 443
# protocol = "tcp"
# prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
# to_port = 443
# type = "ingress"
# }