resource "aws_security_group" "lb" {
  # Security group attached to the application load balancer. It carries no
  # inline rules; ingress/egress are defined by the separate
  # aws_security_group_rule resources (lb_ingress, lb_egress).
  vpc_id      = var.vpc_id
  name        = "${var.resource_prefix}-lb-${terraform.workspace}"
  description = "LB for ${var.resource_prefix} - ${terraform.workspace}"

  tags = {
    Name = "${var.resource_prefix}-lb-${terraform.workspace}"
  }
}
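resource "aws_security_group_rule" "lb_ingress" {
  # Inbound to the ALB on the listener port only. The allowed source CIDRs come
  # from a variable; if that variable is 0.0.0.0/0 the listener is world-reachable,
  # so keep it as narrow as the consumers of this service permit.
  description       = "Listener port ${var.app_port} from allowed CIDRs"
  security_group_id = aws_security_group.lb.id
  type              = "ingress"
  protocol          = "TCP"
  from_port         = var.app_port
  to_port           = var.app_port
  cidr_blocks       = var.alb_allowed_ingress_cidr_blocks
}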
# Egress from the ALB is deliberately restricted to the ECS task security group on
# the app port; this rule does not "leave it open". If the listener later uses an
# authenticate-cognito action, the ALB also needs outbound HTTPS (tcp/443) to the
# Cognito endpoints — add that as a separate explicit rule rather than widening this one.
resource "aws_security_group_rule" "lb_egress" {
  # Outbound from the ALB: only to members of the ECS task security group, and
  # only on the app port. Because the source is a security group rather than a
  # CIDR, the rule follows task IPs as they change.
  type                     = "egress"
  security_group_id        = aws_security_group.lb.id
  source_security_group_id = aws_security_group.ecs_task.id
  protocol                 = "TCP"
  from_port                = var.app_port
  to_port                  = var.app_port
}
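resource "aws_lb" "main" {
  # ALB names are capped at 32 characters; trim a dangling "-" if the cut lands on one.
  name               = trim(substr("${var.resource_prefix}-${terraform.workspace}", 0, 32), "-")
  load_balancer_type = "application"
  internal           = var.alb_internal
  subnets            = local.alb_subnets
  security_groups    = [aws_security_group.lb.id]

  # Drop requests carrying header names that are not valid HTTP tokens instead
  # of forwarding them to the tasks. This is the AWS-recommended hardening for
  # ALBs and closes off a class of header-smuggling tricks against the backend.
  drop_invalid_header_fields = true

  # NOTE(review): neither access_logs {} nor enable_deletion_protection is set.
  # For an internet-facing ALB (var.alb_internal = false) access logs are the
  # main forensic record; consider enabling both here or in a wrapping module.

  # NOTE(review): depends_on on a variable is the pre-0.13 module-ordering idiom;
  # on Terraform >= 0.13 a module-level depends_on in the caller is cleaner.
  depends_on = [var.service_depends_on]
}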
resource "aws_lb_target_group" "app" {
  # Target group for the Fargate tasks. target_type "ip" is required for
  # awsvpc-networked tasks, which register by ENI address rather than instance.
  # Traffic ALB -> task is re-encrypted (HTTPS), so the container behind
  # var.app_port must terminate TLS itself.
  vpc_id      = var.vpc_id
  name        = trim(substr("${var.resource_prefix}-${terraform.workspace}", 0, 32), "-") # 32 character max-length
  target_type = "ip"
  protocol    = "HTTPS"
  port        = var.app_port

  # Ramp new targets in gradually (seconds; 0 disables) — value comes from the caller.
  slow_start = var.target_group_slow_start

  health_check {
    protocol = "HTTPS"
    path     = var.app_healthcheck_endpoint
    interval = 60
  }
}
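resource "aws_lb_listener" "front_end" {
  # Public HTTPS listener on the ALB. The default action is selected by
  # var.alb_listener_default_action: "forward" sends traffic to a target group,
  # "redirect" answers with an HTTP redirect built from the redirect variables.
  load_balancer_arn = aws_lb.main.id
  port              = var.app_port
  protocol          = "HTTPS"

  # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1. The TLS13-1-2
  # policy accepts TLS 1.2 and 1.3 only and drops the legacy cipher suites.
  # Clients that can only speak TLS 1.0/1.1 will fail the handshake — intended.
  ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn = data.aws_acm_certificate.main.arn

  # Exactly one of the two dynamic blocks below renders. If the variable holds
  # any other value, no default_action is emitted and the listener is invalid;
  # the caller should constrain alb_listener_default_action to those two values.

  dynamic "default_action" {
    for_each = var.alb_listener_default_action == "forward" ? [{}] : []
    content {
      type = "forward"
      # Empty string means "use the target group defined in this module".
      target_group_arn = var.alb_default_target_group_arn == "" ? aws_lb_target_group.app.id : var.alb_default_target_group_arn
    }
  }

  dynamic "default_action" {
    for_each = var.alb_listener_default_action == "redirect" ? [{}] : []
    content {
      type = "redirect"
      redirect {
        host        = var.alb_listener_default_redirect_host
        port        = var.alb_listener_default_redirect_port
        path        = var.alb_listener_default_redirect_path
        protocol    = var.alb_listener_default_redirect_protocol
        query       = var.alb_listener_default_redirect_query
        status_code = var.alb_listener_default_redirect_status_code
      }
    }
  }
}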
resource "aws_route53_record" "www" {
  # Alias A record pointing var.app_domain at the ALB. The "dualstack." prefix
  # makes the alias resolve for both IPv4 and IPv6 clients; alias records are
  # free and inherit the ALB's health via evaluate_target_health.
  type    = "A"
  name    = var.app_domain
  zone_id = var.route53_hosted_zone_id

  alias {
    zone_id                = aws_lb.main.zone_id
    name                   = "dualstack.${aws_lb.main.dns_name}"
    evaluate_target_health = true
  }
}
resource "aws_ecs_service" "main" {
  # Fargate service running the task definition supplied by the caller and
  # registered behind the "app" target group. Tasks are placed in the private
  # ALB subnets; assign_public_ip is left at its default (false), so tasks have
  # no public address and reach the internet only via whatever NAT those
  # subnets provide.
  cluster         = var.ecs_cluster_id
  name            = "${var.resource_prefix}-${terraform.workspace}"
  launch_type     = "FARGATE"
  task_definition = var.ecs_task_definition_arn
  desired_count   = var.task_count

  network_configuration {
    subnets         = var.alb_subnets_private
    security_groups = [aws_security_group.ecs_task.id]
  }

  # The container named "reverse_proxy" in the task definition is the one the
  # ALB talks to; its port must match the target group port.
  load_balancer {
    container_name   = "reverse_proxy"
    container_port   = var.app_port
    target_group_arn = aws_lb_target_group.app.id
  }

  # ECS rejects a service registration against a target group that has no
  # listener yet, hence the explicit ordering on the listener.
  depends_on = [
    aws_lb_listener.front_end,
  ]
}
resource "aws_security_group" "ecs_task" {
  # Security group for the Fargate task ENIs. Rules are attached separately
  # (ecs_task_ingress, ecs_task_egress) so the group itself stays rule-free.
  vpc_id      = var.vpc_id
  name        = "${var.resource_prefix}-${terraform.workspace}-common-ecstask"
  description = "${var.resource_prefix} ECS Tasks"

  tags = {
    Name = "${var.resource_prefix}-${terraform.workspace}-common-ecstask"
  }
}
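resource "aws_security_group_rule" "ecs_task_ingress" {
  # Tasks accept connections only from the ALB's security group, on the app
  # port. Nothing else in the VPC can reach the task port directly.
  description              = "App port ${var.app_port} from the load balancer"
  security_group_id        = aws_security_group.ecs_task.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = var.app_port
  to_port                  = var.app_port
  source_security_group_id = aws_security_group.lb.id
}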
# Unrestricted egress: tasks need outbound access to Cognito (authentication),
# the ECS control plane, and — not listed here but implied by Fargate — image
# pulls and log shipping. All of those are HTTPS; if the application itself needs
# no other outbound ports, this can be narrowed to tcp/443 (or to VPC endpoints).
resource "aws_security_group_rule" "ecs_task_egress" {
  # Allow-all outbound from the task ENIs: protocol -1 with ports 0-0 is the
  # AWS encoding for "all protocols, all ports" to any destination.
  # NOTE(review): this is the widest possible egress; narrowing it to the
  # destinations the tasks actually use (typically tcp/443) would limit what a
  # compromised container can reach — confirm the app's outbound needs first.
  type              = "egress"
  security_group_id = aws_security_group.ecs_task.id
  cidr_blocks       = ["0.0.0.0/0"]
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
}