Making codedeploy and test listener optional (#60)

* Making codedeploy and test listener optional; small fixes * terraform-docs: automated update action --------- Co-authored-by: adenot <[email protected]>
DNXLabs · Oct 16, 2024 · eaef6e3 · eaef6e3
1 parent de8c916
commit eaef6e3
Show file tree

Hide file tree

Showing 9 changed files with 55 additions and 39 deletions.
diff --git a/README.md b/README.md
@@ -77,9 +77,10 @@ module "ecs_apps" {
 | alb\_internal | Deploys a second internal ALB for private APIs. | `bool` | `false` | no |
 | alb\_internal\_ssl\_policy | The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. | `string` | `"ELBSecurityPolicy-TLS-1-2-Ext-2018-06"` | no |
 | alb\_only | Whether to deploy only an alb and no cloudFront or not with the cluster. | `bool` | `false` | no |
+| alb\_sg\_allow\_alb\_test\_listener | Whether to allow world access to the test listeners | `bool` | `true` | no |
 | alb\_sg\_allow\_egress\_https\_world | Whether to allow ALB to access HTTPS endpoints - needed when using OIDC authentication | `bool` | `true` | no |
-| alb\_sg\_allow\_test\_listener | Whether to allow world access to the test listeners | `bool` | `true` | no |
 | alb\_ssl\_policy | The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
+| alb\_test\_listener | Enables a second listener on ports 8080 and 8443 for a phased deploy/cutover (blue/green) | `bool` | `true` | no |
 | architecture | Architecture to select the AMI, x86\_64 or arm64 | `string` | `"x86_64"` | no |
 | asg\_capacity\_rebalance | Indicates whether capacity rebalance is enabled | `bool` | `false` | no |
 | asg\_max | Max number of instances for autoscaling group. | `number` | `4` | no |
@@ -91,6 +92,7 @@ module "ecs_apps" {
 | backup | Assing a backup tag to efs resource - Backup will be performed by AWS Backup. | `string` | `"true"` | no |
 | certificate\_arn | n/a | `any` | n/a | yes |
 | certificate\_internal\_arn | certificate arn for internal ALB. | `string` | `""` | no |
+| code\_deploy | Enables CodeDeploy role to be used for deployment | `bool` | `true` | no |
 | container\_insights | Enables CloudWatch Container Insights for a cluster. | `bool` | `false` | no |
 | create\_efs | Enables creation of EFS volume for cluster | `bool` | `true` | no |
 | create\_iam\_service\_linked\_role | Create iam\_service\_linked\_role for ECS or not. | `bool` | `false` | no |

diff --git a/_outputs.tf b/_outputs.tf
@@ -43,7 +43,7 @@ output "ecs_service_iam_role_arn" {
 }
 
 output "ecs_codedeploy_iam_role_arn" {
-  value = aws_iam_role.codedeploy_service.arn
+  value = try(aws_iam_role.codedeploy_service[0].arn, "")
 }
 
 output "ecs_service_iam_role_name" {
@@ -71,19 +71,19 @@ output "ecs_name" {
 }
 
 output "alb_listener_https_arn" {
-  value = aws_lb_listener.ecs_https.*.arn
+  value = try(aws_lb_listener.ecs_https[0].arn, "")
 }
 
 output "alb_listener_test_traffic_arn" {
-  value = aws_lb_listener.ecs_test_https.*.arn
+  value = try(aws_lb_listener.ecs_test_https[0].arn, "")
 }
 
 output "alb_internal_listener_https_arn" {
-  value = aws_lb_listener.ecs_https_internal.*.arn
+  value = try(aws_lb_listener.ecs_https_internal[0].arn, "")
 }
 
 output "alb_internal_listener_test_traffic_arn" {
-  value = aws_lb_listener.ecs_test_https_internal.*.arn
+  value = try(aws_lb_listener.ecs_test_https_internal.*.arn, "")
 }
 
 output "ecs_nodes_secgrp_id" {
@@ -100,4 +100,4 @@ output "efs_fs_id" {
 
 output "private_key_pem" {
   value = try(tls_private_key.algorithm[0].private_key_pem, "")
-}
+}
diff --git a/_variables.tf b/_variables.tf
@@ -90,7 +90,7 @@ variable "alb_http_listener" {
   description = "Whether to enable HTTP listeners"
 }
 
-variable "alb_sg_allow_test_listener" {
+variable "alb_sg_allow_alb_test_listener" {
   default     = true
   description = "Whether to allow world access to the test listeners"
 }
@@ -371,4 +371,16 @@ variable "container_insights" {
   type        = bool
   default     = false
   description = "Enables CloudWatch Container Insights for a cluster."
-}
+}
+
+variable "alb_test_listener" {
+  type        = bool
+  default     = true
+  description = "Enables a second listener on ports 8080 and 8443 for a phased deploy/cutover (blue/green)"
+}
+
+variable "code_deploy" {
+  type        = bool
+  default     = true
+  description = "Enables CodeDeploy role to be used for deployment"
+}
diff --git a/alb-internal.tf b/alb-internal.tf
@@ -28,7 +28,7 @@ resource "aws_lb" "ecs_internal" {
     var.tags,
     {
       "Terraform" = true,
-      Name = "ecs-${var.name}-internal"
+      Name        = "ecs-${var.name}-internal"
     },
   )
 }
@@ -47,7 +47,7 @@ resource "aws_lb_listener" "ecs_https_internal" {
     target_group_arn = aws_lb_target_group.ecs_default_https_internal[0].arn
   }
 
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -56,7 +56,7 @@ resource "aws_lb_listener" "ecs_https_internal" {
 }
 
 resource "aws_lb_listener" "ecs_test_https_internal" {
-  count = var.alb_internal ? 1 : 0
+  count = var.alb_internal && var.alb_test_listener ? 1 : 0
 
   load_balancer_arn = aws_lb.ecs_internal[0].arn
   port              = "8443"
@@ -69,7 +69,7 @@ resource "aws_lb_listener" "ecs_test_https_internal" {
     #target_group_arn = aws_lb_target_group.ecs_replacement_https[0].arn
     target_group_arn = aws_lb_target_group.ecs_default_https_internal[0].arn
   }
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -92,7 +92,7 @@ resource "aws_lb_target_group" "ecs_default_https_internal" {
   port     = 80
   protocol = "HTTP"
   vpc_id   = var.vpc_id
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true

diff --git a/alb.tf b/alb.tf
@@ -28,7 +28,7 @@ resource "aws_lb" "ecs" {
     var.tags,
     {
       "Terraform" = true,
-      "Name" = "ecs-${var.name}"
+      "Name"      = "ecs-${var.name}"
     },
   )
 }
@@ -47,7 +47,7 @@ resource "aws_lb_listener" "ecs_https" {
     target_group_arn = aws_lb_target_group.ecs_default_https[0].arn
   }
 
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -71,7 +71,7 @@ resource "aws_lb_listener" "ecs_http_redirect" {
       status_code = "HTTP_301"
     }
   }
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -80,7 +80,7 @@ resource "aws_lb_listener" "ecs_http_redirect" {
 }
 
 resource "aws_lb_listener" "ecs_test_https" {
-  count = var.alb ? 1 : 0
+  count = var.alb && var.alb_test_listener ? 1 : 0
 
   load_balancer_arn = aws_lb.ecs[0].arn
   port              = "8443"
@@ -93,7 +93,7 @@ resource "aws_lb_listener" "ecs_test_https" {
     #target_group_arn = aws_lb_target_group.ecs_replacement_https[0].arn
     target_group_arn = aws_lb_target_group.ecs_default_https[0].arn
   }
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -102,7 +102,7 @@ resource "aws_lb_listener" "ecs_test_https" {
 }
 
 resource "aws_lb_listener" "ecs_test_http_redirect" {
-  count = var.alb && var.alb_http_listener ? 1 : 0
+  count = var.alb && var.alb_http_listener && var.alb_test_listener ? 1 : 0
 
   load_balancer_arn = aws_lb.ecs[0].arn
   port              = "8080"
@@ -117,7 +117,7 @@ resource "aws_lb_listener" "ecs_test_http_redirect" {
       status_code = "HTTP_301"
     }
   }
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -140,7 +140,7 @@ resource "aws_lb_target_group" "ecs_default_http" {
   protocol = "HTTP"
   vpc_id   = var.vpc_id
 
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -160,7 +160,7 @@ resource "aws_lb_target_group" "ecs_default_https" {
   protocol = "HTTP"
   vpc_id   = var.vpc_id
 
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true

diff --git a/ec2-launch-template.tf b/ec2-launch-template.tf
@@ -23,7 +23,7 @@ resource "aws_launch_template" "ecs" {
 
   user_data = base64encode(templatefile("${path.module}/userdata.tpl", {
     tf_cluster_name = var.name
-    tf_efs_id       = aws_efs_file_system.ecs[0].id
+    tf_efs_id       = try(aws_efs_file_system.ecs[0].id, "")
     userdata_extra  = var.userdata
   }))
 
@@ -33,7 +33,7 @@ resource "aws_launch_template" "ecs" {
     create_before_destroy = true
   }
 
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
@@ -45,18 +45,18 @@ resource "tls_private_key" "algorithm" {
   count     = var.ec2_key_enabled ? 1 : 0
   algorithm = "RSA"
   rsa_bits  = 4096
-  
+
 }
 
 resource "aws_key_pair" "generated_key" {
   count      = var.ec2_key_enabled ? 1 : 0
   key_name   = "${var.name}-key"
   public_key = tls_private_key.algorithm[0].public_key_openssh
 
-    tags = merge(
+  tags = merge(
     var.tags,
     {
       "Terraform" = true
     },
   )
-}
+}
diff --git a/iam-codedeploy.tf b/iam-codedeploy.tf
@@ -1,5 +1,6 @@
 resource "aws_iam_role" "codedeploy_service" {
-  name = "codedeploy-service-${var.name}-${data.aws_region.current.name}"
+  count = var.code_deploy ? 1 : 0
+  name  = "codedeploy-service-${var.name}-${data.aws_region.current.name}"
   tags = merge(
     var.tags,
     {
@@ -24,6 +25,7 @@ EOF
 }
 
 resource "aws_iam_role_policy_attachment" "codedeploy_service" {
-  role       = aws_iam_role.codedeploy_service.name
+  count      = var.code_deploy ? 1 : 0
+  role       = aws_iam_role.codedeploy_service[0].name
   policy_arn = "arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS"
-}
+}
diff --git a/sg-alb-internal.tf b/sg-alb-internal.tf
@@ -5,11 +5,11 @@ resource "aws_security_group" "alb_internal" {
   description = "SG for ECS Internal ALB"
   vpc_id      = var.vpc_id
 
-   tags = merge(
+  tags = merge(
     var.tags,
     {
       terraform = "true"
-      Name = "ecs-${var.name}-lb"
+      Name      = "ecs-${var.name}-lb"
     },
   )
 }
@@ -26,8 +26,8 @@ resource "aws_security_group_rule" "https_from_world_to_alb_internal" {
   cidr_blocks       = data.aws_subnet.private_subnets[*].cidr_block
 }
 
-resource "aws_security_group_rule" "https_test_listener_from_world_to_alb_internal" {
-  count = var.alb_internal ? 1 : 0
+resource "aws_security_group_rule" "https_alb_test_listener_from_world_to_alb_internal" {
+  count = var.alb_internal && var.alb_test_listener ? 1 : 0
 
   description       = "HTTPS ECS Internal ALB Test Listener"
   type              = "ingress"

diff --git a/sg-alb.tf b/sg-alb.tf
@@ -5,11 +5,11 @@ resource "aws_security_group" "alb" {
   description = "SG for ECS ALB"
   vpc_id      = var.vpc_id
 
-   tags = merge(
+  tags = merge(
     var.tags,
     {
       terraform = "true"
-      Name = "ecs-${var.name}-lb"
+      Name      = "ecs-${var.name}-lb"
     },
   )
 }
@@ -38,8 +38,8 @@ resource "aws_security_group_rule" "https_from_world_to_alb" {
   cidr_blocks       = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "https_test_listener_from_world_to_alb" {
-  count = var.alb && var.alb_sg_allow_test_listener ? 1 : 0
+resource "aws_security_group_rule" "https_alb_test_listener_from_world_to_alb" {
+  count = var.alb && var.alb_sg_allow_alb_test_listener && var.alb_test_listener ? 1 : 0
 
   description       = "HTTPS ECS ALB Test Listener"
   type              = "ingress"