The module creates resources to run an HTTP service in an autoscaling group. It creates a load balancer that terminates SSL on TCP port 443. It also issues the SSL certificate in ACM.

Note: Starting from version 2.0 the module separates the main `aws` provider and a provider for Route53 resources. If you don't need to separate them, just pass the same provider for `aws` and `aws.dns`:

```hcl
providers = {
  aws     = aws
  aws.dns = aws
}
```
```hcl
module "website" {
  providers = {
    aws     = aws.aws-uw1
    aws.dns = aws.aws-uw1
  }
  source  = "infrahouse/website-pod/aws"
  version = "~> 3.0"

  environment         = var.environment
  ami                 = data.aws_ami.ubuntu_22.image_id
  backend_subnets     = module.website-vpc.subnet_private_ids
  zone_id             = "Z07662251LH3YRF2ERM3G"
  dns_a_records       = ["", "www"]
  internet_gateway_id = module.website-vpc.internet_gateway_id
  key_pair_name       = data.aws_key_pair.aleks.key_name
  subnets             = module.website-vpc.subnet_public_ids
  userdata            = module.webserver_userdata.userdata
  stickiness_enabled  = true
}
```
The module used default security groups up until version 2.5.0.

Starting from version 2.6.0 the behavior changes, though in a backward-compatible manner. The module creates two security groups: one for the load balancer and another for the backend instances.

The load balancer security group allows traffic to TCP port 443 and `var.alb_listener_port` (80 by default).

The backend security group allows user traffic and health checks coming from the load balancer. The security group also allows SSH from the VPC where the backend instances reside and from `var.ssh_cidr_block`. It is 0.0.0.0/0 by default, but the goal is to let the user restrict access to, say, nothing but the management VPC.

Both security groups allow incoming ICMP traffic.

Additionally, the user can specify extra security groups via `var.extra_security_groups_backend`. They will be attached to the backend instances alongside the created backend security group.

By default, the module launches on-demand instances only. However, if you specify `var.on_demand_base_capacity`, the ASG will fill its capacity with as many on-demand instances as `var.on_demand_base_capacity`, and the rest will be spot instances.
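The following caller puts the security-group and spot-capacity settings above together: it narrows SSH to a management CIDR and rejects the permissive 0.0.0.0/0 default at plan time, attaches one extra backend security group, and keeps an on-demand floor under a spot-backed ASG. This is an added example, not the module's own code; the `management_cidr` variable, the `monitoring` security group, the `module.website-vpc.vpc_id` output and the CIDR value are assumptions.

```hcl
variable "management_cidr" {
  description = "CIDR allowed to SSH into backend instances (assumed value)."
  type        = string
  default     = "10.20.0.0/16"

  # Reject the module's permissive default (0.0.0.0/0) at plan time.
  validation {
    condition     = var.management_cidr != "0.0.0.0/0" && can(cidrnetmask(var.management_cidr))
    error_message = "management_cidr must be a specific IPv4 CIDR, not 0.0.0.0/0."
  }
}

# Extra backend security group (assumed): node-exporter port from the management VPC only.
resource "aws_security_group" "monitoring" {
  name_prefix = "website-monitoring-"
  vpc_id      = module.website-vpc.vpc_id # assumed output of the VPC module

  ingress {
    from_port   = 9100
    to_port     = 9100
    protocol    = "tcp"
    cidr_blocks = [var.management_cidr]
  }
}

module "website" {
  providers = {
    aws     = aws.aws-uw1
    aws.dns = aws.aws-uw1
  }
  source  = "infrahouse/website-pod/aws"
  version = "~> 3.0"

  environment         = var.environment
  ami                 = data.aws_ami.ubuntu_22.image_id
  backend_subnets     = module.website-vpc.subnet_private_ids
  subnets             = module.website-vpc.subnet_public_ids
  internet_gateway_id = module.website-vpc.internet_gateway_id
  key_pair_name       = data.aws_key_pair.aleks.key_name
  userdata            = module.webserver_userdata.userdata
  zone_id             = "Z07662251LH3YRF2ERM3G"
  dns_a_records       = ["", "www"]

  ssh_cidr_block                = var.management_cidr                # SSH only from the management VPC
  extra_security_groups_backend = [aws_security_group.monitoring.id] # added next to the module's backend SG

  on_demand_base_capacity = 2 # two on-demand instances; capacity above that is spot
  asg_min_size            = 2
  asg_max_size            = 6
}
```

The validation fires on `terraform plan`, so a deployment that would leave TCP/22 open to the Internet fails before any security group is created.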
Name | Version |
---|---|
terraform | ~> 1.5 |
aws | ~> 5.11 |
random | ~> 3.6 |

Name | Version |
---|---|
aws | ~> 5.11 |
aws.dns | ~> 5.11 |
random | ~> 3.6 |

Name | Source | Version |
---|---|---|
instance_profile | registry.infrahouse.com/infrahouse/instance-profile/aws | 1.5.1 |

Name | Description | Type | Default | Required |
---|---|---|---|---|
alb_access_log_enabled | Whether to maintain the access log. | bool | false | no |
alb_access_log_force_destroy | Destroy the S3 bucket with access logs even if non-empty. | bool | false | no |
alb_healthcheck_enabled | Whether health checks are enabled. | bool | true | no |
alb_healthcheck_healthy_threshold | Number of times the host has to pass the check to be considered healthy. | number | 2 | no |
alb_healthcheck_interval | Number of seconds between checks. | number | 5 | no |
alb_healthcheck_path | Path on the webserver that the ELB will check to determine whether the instance is healthy or not. | string | "/index.html" | no |
alb_healthcheck_port | Port of the webserver that the ELB will check to determine whether the instance is healthy or not. | any | 80 | no |
alb_healthcheck_protocol | Protocol to use with the webserver that the ELB will check to determine whether the instance is healthy or not. | string | "HTTP" | no |
alb_healthcheck_response_code_matcher | Range of HTTP return codes that count as a match. | string | "200-299" | no |
alb_healthcheck_timeout | Number of seconds before a check times out. | number | 4 | no |
alb_healthcheck_uhealthy_threshold | Number of times the host has to fail the check to be considered unhealthy. | number | 2 | no |
alb_idle_timeout | The time in seconds that a connection is allowed to be idle. | number | 60 | no |
alb_listener_port | TCP port that the load balancer listens on to serve client HTTP requests. The load balancer redirects this port to 443 and HTTPS. | number | 80 | no |
alb_name_prefix | Name prefix for the load balancer. | string | "web" | no |
ami | Image for EC2 instances. | string | n/a | yes |
asg_lifecycle_hook_heartbeat_timeout | How much time in seconds to wait until the hook is completed before proceeding with the default action. | number | 3600 | no |
asg_lifecycle_hook_launching | Create a LAUNCHING lifecycle hook, if true. | bool | false | no |
asg_lifecycle_hook_terminating | Create a TERMINATING lifecycle hook, if true. | bool | false | no |
asg_max_healthy_percentage | Upper limit on the number of instances that are in the InService or Pending state with a healthy status during an instance replacement activity. | number | 200 | no |
asg_max_size | Maximum number of instances in the ASG. | number | 10 | no |
asg_min_elb_capacity | Terraform will wait until this many EC2 instances in the autoscaling group become healthy. By default, it's equal to var.asg_min_size. | number | null | no |
asg_min_healthy_percentage | Lower limit on the number of instances that must be in the InService state with a healthy status during an instance replacement activity. | number | 100 | no |
asg_min_size | Minimum number of instances in the ASG. | number | 2 | no |
asg_name | Autoscaling group name, if provided. | string | null | no |
asg_scale_in_protected_instances | Behavior when instances protected from scale-in are encountered. Available behaviors are Refresh, Ignore, and Wait. | string | "Ignore" | no |
assume_dns | If true, create the DNS records provided by var.dns_a_records. | bool | true | no |
attach_tagret_group_to_asg | By default we want to register all ASG instances in the target group. However, ECS registers targets itself. Disable it if using website-pod for ECS. | bool | true | no |
autoscaling_target_cpu_load | Target CPU load for autoscaling. | number | 60 | no |
backend_subnets | Subnet ids where EC2 instances should be present. | list(string) | n/a | yes |
dns_a_records | List of A records in the zone_id that will resolve to the ALB DNS name. | list(string) | [ | no |
enable_deletion_protection | Prevent the load balancer from being destroyed. | bool | false | no |
environment | Name of the environment. | string | "development" | no |
extra_security_groups_backend | A list of security group ids to assign to backend instances. | list(string) | [] | no |
health_check_grace_period | The ASG will wait up to this number of seconds for an instance to become healthy. | number | 600 | no |
health_check_type | Type of health check the ASG uses. Can be EC2 or ELB. | string | "ELB" | no |
instance_profile_permissions | A JSON permissions policy document. The policy will be attached to the instance profile. | string | null | no |
instance_role_name | If specified, the instance profile role will have this name. Otherwise, the role name will be generated. | string | null | no |
instance_type | EC2 instance type. | string | "t3.micro" | no |
internet_gateway_id | Not used, but an AWS Internet Gateway must be present. Ensure this by passing its id. | string | n/a | yes |
key_pair_name | SSH keypair name to be deployed to EC2 instances. | string | n/a | yes |
max_instance_lifetime_days | The maximum amount of time, in _days_, that an instance can be in service. Values must be either 0 or between 7 and 365 days. | number | 30 | no |
min_healthy_percentage | Amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group. | number | 100 | no |
on_demand_base_capacity | If specified, the ASG will request spot instances and this will be the minimal number of on-demand instances. | number | null | no |
protect_from_scale_in | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. | bool | false | no |
root_volume_size | Root volume size of the EC2 instance in gigabytes. | number | 30 | no |
service_name | Descriptive name of the service that will use this VPC. | string | "website" | no |
ssh_cidr_block | CIDR range that is allowed to SSH into the backend instances. Format is a.b.c.d/. | string | null | no |
stickiness_enabled | If true, enable stickiness on the target group, ensuring a client is forwarded to the same target. | bool | false | no |
subnets | Subnet ids where the load balancer should be present. | list(string) | n/a | yes |
tags | Tags to apply to instances in the autoscaling group. | map(string) | { | no |
target_group_port | TCP port that a target listens on to serve requests from the load balancer. | number | 80 | no |
target_group_type | Target group type: instance, ip, alb. Default is instance. | string | "instance" | no |
userdata | userdata for cloud-init to provision EC2 instances. | string | n/a | yes |
wait_for_capacity_timeout | How much time to wait until all instances are healthy. | string | "20m" | no |
zone_id | Domain name zone ID where the website will be available. | string | n/a | yes |

Name | Description |
---|---|
asg_arn | ARN of the created autoscaling group |
asg_name | Name of the created autoscaling group |
backend_security_group | Map with security group id and rules |
dns_name | DNS name of the load balancer. |
instance_profile_name | EC2 instance profile name. |
instance_role_policy_arn | Policy ARN attached to EC2 instance profile. |
instance_role_policy_attachment | Policy attachment id. |
instance_role_policy_name | Policy name attached to EC2 instance profile. |
load_balancer_arn | Load Balancer ARN |
load_balancer_dns_name | Load balancer DNS name. |
target_group_arn | Target group ARN that listens to the service port. |
zone_id | Zone id where A records are created for the service. |