# Public Route53 hosted zone for var.root_domain. Its id is handed to the ACM
# module and used for the ALB alias record further down in this file.
data "aws_route53_zone" "hosted_zone" {
  private_zone = false
  name         = "${var.root_domain}"
}
# ACM certificate for the ALB hostname (plus optional SANs). Only created when
# create_acm_certificate is set; the HTTPS listener below keys on the same
# flag. The hosted zone id is passed through, presumably so the module can
# write DNS validation records — verify against the module's documentation.
#
# NOTE(review): "?ref=v0.3" pins a git tag, and tags are mutable; for a
# reproducible supply chain pin the module to a full commit SHA instead.
module "acm-cert" {
  source         = "github.com/lean-delivery/tf-module-aws-acm?ref=v0.3"
  module_enabled = "${var.create_acm_certificate}"

  zone_id = "${data.aws_route53_zone.hosted_zone.id}"
  domain  = "${var.alb_route53_record}"

  alternative_domains       = "${var.alternative_domains}"
  alternative_domains_count = "${var.alternative_domains_count}"
}
# Optional WAF in front of the ALB (enable_waf). The module receives the load
# balancer ARN and var.cidr_whitelist; what it builds from the whitelist is
# defined inside the module, not here.
#
# NOTE(review): "?ref=v0.1" is a mutable git tag; pin to a commit SHA for a
# reproducible supply chain.
module "alb-waf" {
  source         = "github.com/lean-delivery/tf-module-aws-lb-waf?ref=v0.1"
  module_enabled = "${var.enable_waf}"

  load_balancer_arn = "${aws_lb.alb.arn}"
  whitelist         = "${var.cidr_whitelist}"

  project     = "${var.project}"
  environment = "${var.environment}"
}
# Target group the listeners forward to: instance targets reached over plain
# HTTP on var.target_group_port (TLS, when present, terminates at the ALB).
# Health check is an HTTP request to /healthz; interval, thresholds and the
# expected status code are left at the provider defaults.
resource "aws_lb_target_group" "alb" {
  name        = "${var.project}-${var.environment}-alb"
  vpc_id      = "${var.vpc_id}"
  target_type = "instance"
  protocol    = "HTTP"
  port        = "${var.target_group_port}"

  health_check {
    path = "/healthz"
  }
}
# Security group attached to the ALB. Ingress is not declared inline; it is
# added per rule by aws_security_group_rule.this from var.alb_ingress_rules.
# Egress is unrestricted (all protocols, all destinations).
#
# NOTE(review): the ALB only needs to reach its targets (forwarding and health
# checks), so egress could be narrowed to var.target_group_port towards the
# worker node security group once the targets' group membership is confirmed.
# NOTE(review): the name contains a typo ("securiry"); it is kept verbatim
# because `name` forces replacement of the group and everything attached to it.
resource "aws_security_group" "alb-security-group" {
  vpc_id      = "${var.vpc_id}"
  name        = "${var.project}-${var.environment}-alb-securiry-group"
  description = "Allow inbound traffic"

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Project     = "${var.project}"
    Environment = "${var.environment}"
  }
}
# One ingress rule on the ALB security group per entry of var.alb_ingress_rules.
# Each entry is a map with from_port, to_port, protocol and cidr_blocks keys;
# the cidr_blocks value looks like a single CIDR string that is wrapped into a
# one-element list here (Terraform 0.11 maps cannot hold lists).
#
# NOTE(review): the rules are caller-supplied, so whether an 0.0.0.0/0 source
# is acceptable on 80/443 is the caller's policy decision; the optional WAF
# module is the only other place in this file that sees a CIDR whitelist.
resource "aws_security_group_rule" "this" {
  count             = "${length(var.alb_ingress_rules)}"
  security_group_id = "${aws_security_group.alb-security-group.id}"
  type              = "ingress"

  protocol    = "${lookup(var.alb_ingress_rules[count.index], "protocol")}"
  from_port   = "${lookup(var.alb_ingress_rules[count.index], "from_port")}"
  to_port     = "${lookup(var.alb_ingress_rules[count.index], "to_port")}"
  cidr_blocks = ["${lookup(var.alb_ingress_rules[count.index], "cidr_blocks")}"]
}
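# Internet-facing application load balancer in the public subnets.
#
# Only the dedicated ALB security group is attached. Reachability from the
# ALB to the EKS worker nodes is granted by an explicit ingress rule on the
# worker security group (aws_security_group_rule.worker_from_alb, below)
# instead of attaching the worker group to the load balancer itself. The
# previous attachment made the ALB's ENIs members of the worker group: every
# ingress rule written for the workers also applied to the public ALB, and any
# rule elsewhere that trusts the worker group as a source also trusted the
# ALB. Neither is needed for the ALB to do its job.
#
# NOTE(review): enable_deletion_protection is hard-coded to false and no
# access_logs block is configured; both are worth exposing as variables
# before this is used for a production environment.
resource "aws_lb" "alb" {
  name               = "${var.project}-${var.environment}-alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = ["${var.public_subnets}",]
  security_groups    = ["${aws_security_group.alb-security-group.id}"]

  enable_deletion_protection = false

  tags = {
    Environment = "${var.environment}"
    Project     = "${var.project}"
  }
}

# Least-privilege replacement for putting the worker security group on the
# load balancer: allow the ALB security group, and only it, to reach the
# worker nodes on the target group port. The target group's health check is
# not given its own port, so (with the provider default of the traffic port)
# this rule covers health checks as well.
# Assumes the registered instance targets carry module.eks.worker_security_group_id,
# as the original attachment implied — confirm against the node group definition.
resource "aws_security_group_rule" "worker_from_alb" {
  type                     = "ingress"
  description              = "ALB to worker nodes on the target group port"
  protocol                 = "tcp"
  from_port                = "${var.target_group_port}"
  to_port                  = "${var.target_group_port}"
  source_security_group_id = "${aws_security_group.alb-security-group.id}"
  security_group_id        = "${module.eks.worker_security_group_id}"
}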
# Alias A record var.alb_route53_record in the public hosted zone, pointing at
# the ALB. evaluate_target_health lets Route53 take the ALB's own health into
# account when answering.
resource "aws_route53_record" "alb-route53-record" {
  zone_id = "${data.aws_route53_zone.hosted_zone.id}"
  type    = "A"
  name    = "${var.alb_route53_record}"

  alias {
    evaluate_target_health = true
    zone_id                = "${aws_lb.alb.zone_id}"
    name                   = "${aws_lb.alb.dns_name}"
  }
}
# Port-80 listener that exists only alongside the HTTPS listener
# (create_acm_certificate): it answers every request with a permanent
# redirect to the same host and path on https://…:443 and forwards nothing
# over cleartext.
resource "aws_lb_listener" "redirect_to_https" {
  count             = "${var.create_acm_certificate}"
  load_balancer_arn = "${aws_lb.alb.arn}"
  protocol          = "HTTP"
  port              = "80"

  default_action {
    type = "redirect"

    redirect {
      protocol    = "HTTPS"
      port        = "443"
      status_code = "HTTP_301"
    }
  }
}
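# HTTPS listener: terminates TLS at the ALB with the ACM certificate and
# forwards to the target group. Created only when create_acm_certificate is
# set (count is the boolean coerced to 0/1, Terraform 0.11 style).
#
# The TLS policy is ELBSecurityPolicy-TLS-1-2-2017-01, which negotiates
# TLS 1.2 only. The previous ELBSecurityPolicy-2016-08 still accepts TLS 1.0
# and 1.1, both deprecated and disallowed by common baselines such as
# PCI DSS. If every client supports ECDHE, ELBSecurityPolicy-FS-1-2-Res-2019-08
# further restricts the suite list to forward-secret ciphers.
resource "aws_lb_listener" "https" {
  count             = "${var.create_acm_certificate}"
  load_balancer_arn = "${aws_lb.alb.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = "${module.acm-cert.certificate_arn}"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.alb.arn}"
  }
}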
# Plain-HTTP listener used only when no ACM certificate is created
# (create_acm_certificate false); otherwise redirect_to_https and https take
# its place. Requests on port 80 are forwarded to the target group as-is.
#
# NOTE(review): in this configuration the application is served over
# cleartext HTTP end to end; keep it for non-sensitive workloads or where
# TLS is terminated in front of this ALB.
resource "aws_lb_listener" "http" {
  count             = "${var.create_acm_certificate ? 0 : 1}"
  load_balancer_arn = "${aws_lb.alb.arn}"
  protocol          = "HTTP"
  port              = "80"

  default_action {
    target_group_arn = "${aws_lb_target_group.alb.arn}"
    type             = "forward"
  }
}