/*
Module: ECS-Fargate-Appmesh
Version: 2.0.0
This file creates the following:
- network load balancer
- target group
- lb listeners for ports 80 and 443
*/
// Network load balancer that fronts the App Mesh virtual gateway.
#tfsec:ignore:aws-elb-alb-not-public
resource "aws_lb" "main" {
  // Provisioned only when a virtual gateway ARN is supplied.
  // The LB is deliberately internet-facing (it sits in the public subnets and
  // `internal` is left at its default of false) so the service can be reached
  // from outside the VPC; that is why the tfsec rule above is suppressed.
  count = var.virtual_gateway_arn == "none" ? 0 : 1

  name               = "${var.env}-${var.app_name}-lb"
  load_balancer_type = "network"
  subnets            = var.vpc.public_subnets

  // Provider default is false; exposed as a variable so callers can opt in.
  enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing

  // Exactly one access_logs block is always rendered (the for_each list has a
  // single element); logging is switched on only when a bucket name is given.
  dynamic "access_logs" {
    for_each = [var.lb_access_logs_s3_bucket]
    content {
      bucket  = var.lb_access_logs_s3_bucket
      prefix  = "logs-${var.env}-${var.app_name}-lb"
      enabled = var.lb_access_logs_s3_bucket != ""
    }
  }

  tags = var.tags
}
// Target group that the Fargate tasks register into; both listeners forward here.
resource "aws_lb_target_group" "main" {
  // Mirrors the LB's condition: nothing is created without a virtual gateway ARN.
  count = var.virtual_gateway_arn == "none" ? 0 : 1

  name   = "${var.prefix}-${var.env}-${var.app_name}-tg"
  vpc_id = var.vpc.vpc_id

  // Targets receive plain TCP on port 80 from the NLB.
  port     = 80
  protocol = "TCP"

  // Fargate tasks are registered by IP address, not by instance id.
  target_type = "ip"

  // NLB stickiness is keyed on the client's source IP.
  stickiness {
    type    = "source_ip"
    enabled = var.nlb_stickiness
  }

  tags = var.tags

  // Make sure the LB exists before this group is referenced by a listener.
  depends_on = [aws_lb.main]
}
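// Cleartext TCP listener on port 80, used only when no certificate is supplied.
resource "aws_lb_listener" "front_end_http_without_cert" {
  // Created only when the virtual gateway exists AND no certificate is
  // configured. This must be mutually exclusive with
  // aws_lb_listener.front_end_https: if the cleartext listener stayed open
  // next to the TLS one it would forward to the same target group and let
  // clients bypass TLS entirely.
  count = (var.virtual_gateway_arn != "none" && !var.certificate) ? 1 : 0

  load_balancer_arn = aws_lb.main[count.index].id
  port              = 80
  protocol          = "TCP"

  // Forward straight to the Fargate target group.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main[count.index].id
  }
}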
// TLS listener on port 443: terminates TLS with the supplied certificate and
// forwards the stream to the target group.
resource "aws_lb_listener" "front_end_https" {
  // Requires both a virtual gateway ARN and a certificate.
  count = (var.virtual_gateway_arn != "none" && var.certificate) ? 1 : 0

  load_balancer_arn = aws_lb.main[count.index].id
  port              = 443
  protocol          = "TLS"

  // Certificate comes from the caller's variable, it is not looked up here.
  certificate_arn = var.certificate_arn

  // Negotiation policy is hard-coded (a TLS 1.2-only policy) rather than
  // exposed as a variable; changing it means editing this file.
  ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"

  // Decrypted traffic is forwarded to the Fargate target group.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main[count.index].id
  }
}