generated from CDCgov/template
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathalb.tf
268 lines (242 loc) · 8.13 KB
/
alb.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
resource "aws_alb" "ecs" {
name = local.ecs_alb_name
internal = var.internal
load_balancer_type = "application"
subnets = var.internal == true ? flatten([var.private_subnet_ids]) : flatten([var.public_subnet_ids])
security_groups = [aws_security_group.alb.id]
drop_invalid_header_fields = true
enable_deletion_protection = false
tags = local.tags
}
resource "aws_alb_target_group" "this" {
for_each = {
for key, value in local.service_data : key => value
if local.service_data[key].public == true
}
name = "${local.ecs_alb_tg_name}-${each.value.short_name}"
port = each.value.container_port
protocol = "HTTP"
vpc_id = var.vpc_id
target_type = "ip"
health_check {
healthy_threshold = "3"
interval = "120"
protocol = "HTTP"
matcher = "200-499"
timeout = "3"
path = "/${each.key}"
unhealthy_threshold = "3"
}
tags = local.tags
}
resource "aws_vpc_endpoint" "endpoints" {
count = var.internal == true ? length(local.vpc_endpoints) : 0
vpc_id = var.vpc_id
vpc_endpoint_type = "Interface"
private_dns_enabled = true
service_name = local.vpc_endpoints[count.index]
security_group_ids = [aws_security_group.ecs.id]
subnet_ids = flatten([var.private_subnet_ids])
tags = local.tags
}
resource "aws_vpc_endpoint" "s3" {
count = var.internal == true ? 1 : 0
vpc_id = var.vpc_id
vpc_endpoint_type = "Gateway"
route_table_ids = [for rt in data.aws_route_table.this : rt.id]
service_name = local.s3_service_name
tags = local.tags
}
# The aws_alb_listener and aws_alb_listener_rule resources are not depended on by other resources so
# they can be implemented via a loop or hard coded depending ease of maintenance
# I've chosen the ways that reduce duplicated resource blocks: hard coded listener (i.e. http), looped listener rule (i.e. this)
# We may want to create this resource via a loop through our target groups but at the moment that seemed extra
# https://avd.aquasec.com/misconfig/aws/elb/avd-aws-0054/
# trivy:ignore:AVD-AWS-0054
resource "aws_alb_listener" "http" {
load_balancer_arn = aws_alb.ecs.arn
port = "80"
protocol = "HTTP"
default_action {
type = "fixed-response"
fixed_response {
content_type = "text/plain"
message_body = "I care intently about your request but I'm afraid I don't have anything for you right now."
status_code = "404"
}
}
tags = local.tags
}
# We may want to create this resource without the loop if the path_patterns ever break the pattern of being the name of the service
resource "aws_alb_listener_rule" "http" {
for_each = {
for key, value in aws_alb_target_group.this : key => value
if local.service_data[key].public == true
}
listener_arn = aws_alb_listener.http.arn
dynamic "action" {
for_each = var.certificate_arn != "" ? [] : [each.value]
content {
type = "forward"
target_group_arn = each.value.arn
# terraform will complain that we have a redirect action and a forward action but the issue disappears on a subsequent apply
}
}
dynamic "action" {
for_each = var.certificate_arn != "" ? [each.value] : []
content {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
condition {
path_pattern {
values = ["/${each.key}", "/${each.key}/*"]
}
}
lifecycle {
replace_triggered_by = [
null_resource.target_groups
]
}
tags = local.tags
}
resource "aws_alb_listener" "https" {
count = var.certificate_arn != "" ? 1 : 0
load_balancer_arn = aws_alb.ecs.arn
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016-08"
certificate_arn = var.certificate_arn
default_action {
type = "fixed-response"
fixed_response {
content_type = "text/plain"
message_body = "I care intently about your request but I'm afraid I don't have anything for you right now."
status_code = "404"
}
}
tags = local.tags
}
# We may want to create this resource without the loop if the path_patterns ever break the pattern of being the name of the service
resource "aws_alb_listener_rule" "https" {
for_each = {
for key, value in aws_alb_target_group.this : key => value
if local.service_data[key].public == true && var.certificate_arn != ""
}
listener_arn = aws_alb_listener.https[0].arn
action {
type = "forward"
target_group_arn = each.value.arn
}
condition {
path_pattern {
values = ["/${each.key}", "/${each.key}/*"]
}
}
lifecycle {
replace_triggered_by = [
null_resource.target_groups
]
}
tags = local.tags
}
resource "null_resource" "target_groups" {
for_each = aws_alb_target_group.this
triggers = {
target_group = each.value.id
}
}
resource "aws_security_group" "ecs" {
vpc_id = var.vpc_id
name = "${local.ecs_cluster_name}-ecs"
description = "Security group for ECS"
revoke_rules_on_delete = true
lifecycle {
create_before_destroy = true
}
tags = local.tags
}
# ECS Security Group Rules - INBOUND
resource "aws_security_group_rule" "ecs_alb_ingress" {
type = "ingress"
from_port = 0
to_port = 0
protocol = "-1"
description = "Allow inbound traffic from ALB"
security_group_id = aws_security_group.ecs.id
source_security_group_id = aws_security_group.alb.id
}
# ECS Security Group Rules - INBOUND
resource "aws_security_group_rule" "ecs_ecs_ingress" {
type = "ingress"
from_port = 0
to_port = 0
protocol = "-1"
description = "Allow inbound traffic from ECS"
security_group_id = aws_security_group.ecs.id
source_security_group_id = aws_security_group.ecs.id
}
# ECS Security Group Rules - OUTBOUND
# https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0104/
# trivy:ignore:AVD-AWS-0104
resource "aws_security_group_rule" "ecs_all_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
description = "Allow outbound traffic from ECS"
security_group_id = aws_security_group.ecs.id
cidr_blocks = ["0.0.0.0/0"]
}
# Security Group for alb
resource "aws_security_group" "alb" {
vpc_id = var.vpc_id
name = "${local.ecs_alb_name}-alb"
description = "Security group for ALB"
revoke_rules_on_delete = true
lifecycle {
create_before_destroy = true
}
tags = local.tags
}
# Alb Security Group Rules - INBOUND
# https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0107/
# trivy:ignore:AVD-AWS-0107
resource "aws_security_group_rule" "alb_http_ingress" {
type = "ingress"
from_port = 80
to_port = 80
protocol = "TCP"
description = "Allow http inbound traffic from internet"
security_group_id = aws_security_group.alb.id
cidr_blocks = ["0.0.0.0/0"]
}
# Alb Security Group Rules - INBOUND
# https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0107/
# trivy:ignore:AVD-AWS-0107
resource "aws_security_group_rule" "alb_https_ingress" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "TCP"
description = "Allow https inbound traffic from internet"
security_group_id = aws_security_group.alb.id
cidr_blocks = ["0.0.0.0/0"]
}
# Alb Security Group Rules - OUTBOUND
# https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0104/
# trivy:ignore:AVD-AWS-0104
resource "aws_security_group_rule" "alb_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
description = "Allow outbound traffic from alb"
security_group_id = aws_security_group.alb.id
cidr_blocks = ["0.0.0.0/0"]
}