Fixing issues

Author: jnonino

examples/test/main.tf

@@ -14,17 +14,6 @@ module "base-network" {
   private_subnets_cidrs_per_availability_zone = ["192.168.128.0/19", "192.168.160.0/19", "192.168.192.0/19", "192.168.224.0/19"]
 }
 
-module "load_balancer" {
-  source = "../../../terraform-aws-ecs-alb"
-
-  # source          = "cn-terraform/ecs-alb/aws"
-  # version         = "1.0.6"
-  name_prefix     = "test-alb"
-  vpc_id          = module.base-network.vpc_id
-  private_subnets = module.base-network.private_subnets_ids
-  public_subnets  = module.base-network.public_subnets_ids
-}
-
 module "td" {
   source          = "cn-terraform/ecs-fargate-task-definition/aws"
   version         = "1.0.16"
@@ -34,21 +23,13 @@ module "td" {
 }
 
 module "service" {
-  source                  = "../../"
-  name_prefix             = "test-service"
-  vpc_id                  = module.base-network.vpc_id
-  ecs_cluster_arn         = module.cluster.aws_ecs_cluster_cluster_arn
-  task_definition_arn     = module.td.aws_ecs_task_definition_td_arn
-  public_subnets          = module.base-network.public_subnets_ids
-  private_subnets         = module.base-network.private_subnets_ids
-  container_name          = "test"
-  ecs_cluster_name        = module.cluster.aws_ecs_cluster_cluster_name
-  lb_arn                  = module.load_balancer.aws_lb_lb_arn
-  lb_http_tgs_arns        = module.load_balancer.lb_http_tgs_arns
-  lb_https_tgs_arns       = module.load_balancer.lb_https_tgs_arns
-  lb_http_tgs_ports       = module.load_balancer.lb_http_tgs_ports
-  lb_https_tgs_ports      = module.load_balancer.lb_https_tgs_ports
-  lb_http_listeners_arns  = module.load_balancer.lb_http_listeners_arns
-  lb_https_listeners_arns = module.load_balancer.lb_https_listeners_arns
-  load_balancer_sg_id     = module.load_balancer.aws_security_group_lb_access_sg_id
+  source              = "../../"
+  name_prefix         = "test-service"
+  vpc_id              = module.base-network.vpc_id
+  ecs_cluster_arn     = module.cluster.aws_ecs_cluster_cluster_arn
+  task_definition_arn = module.td.aws_ecs_task_definition_td_arn
+  public_subnets      = module.base-network.public_subnets_ids
+  private_subnets     = module.base-network.private_subnets_ids
+  container_name      = "test"
+  ecs_cluster_name    = module.cluster.aws_ecs_cluster_cluster_name
 }

main.tf

@@ -1,14 +1,45 @@
 #------------------------------------------------------------------------------
 # AWS LOAD BALANCER
 #------------------------------------------------------------------------------
-data "aws_lb_target_group" "lb_http_target_groups" {
-  for_each = toset(var.lb_http_tgs_arns)
-  arn      = each.key
-}
+module "ecs-alb" {
+  source  = "cn-terraform/ecs-alb/aws"
+  version = "1.0.7"
+
+  name_prefix = "${var.name_prefix}"
+  vpc_id      = var.vpc_id
+
+  # Application Load Balancer
+  internal                         = var.lb_internal
+  security_groups                  = var.lb_security_groups
+  drop_invalid_header_fields       = var.lb_drop_invalid_header_fields
+  private_subnets                  = var.private_subnets
+  public_subnets                   = var.public_subnets
+  idle_timeout                     = var.lb_idle_timeout
+  enable_deletion_protection       = var.lb_enable_deletion_protection
+  enable_cross_zone_load_balancing = var.lb_enable_cross_zone_load_balancing
+  enable_http2                     = var.lb_enable_http2
+  ip_address_type                  = var.lb_ip_address_type
+
+  # Access Control to Application Load Balancer
+  http_ports                    = var.lb_http_ports
+  http_ingress_cidr_blocks      = var.lb_http_ingress_cidr_blocks
+  http_ingress_prefix_list_ids  = var.lb_http_ingress_prefix_list_ids
+  https_ports                   = var.lb_https_ports
+  https_ingress_cidr_blocks     = var.lb_https_ingress_cidr_blocks
+  https_ingress_prefix_list_ids = var.lb_https_ingress_prefix_list_ids
 
-data "aws_lb_target_group" "lb_https_target_groups" {
-  for_each = toset(var.lb_https_tgs_arns)
-  arn      = each.key
+  # Target Groups
+  deregistration_delay                          = var.lb_deregistration_delay
+  slow_start                                    = var.lb_slow_start
+  load_balancing_algorithm_type                 = var.lb_load_balancing_algorithm_type
+  stickiness                                    = var.lb_stickiness
+  target_group_health_check_enabled             = var.lb_target_group_health_check_enabled
+  target_group_health_check_interval            = var.lb_target_group_health_check_interval
+  target_group_health_check_path                = var.lb_target_group_health_check_path
+  target_group_health_check_timeout             = var.lb_target_group_health_check_timeout
+  target_group_health_check_healthy_threshold   = var.lb_target_group_health_check_healthy_threshold
+  target_group_health_check_unhealthy_threshold = var.lb_target_group_health_check_unhealthy_threshold
+  target_group_health_check_matcher             = var.lb_target_group_health_check_matcher
 }
 
 #------------------------------------------------------------------------------
@@ -25,20 +56,21 @@ resource "aws_ecs_service" "service" {
   health_check_grace_period_seconds  = var.health_check_grace_period_seconds
   launch_type                        = "FARGATE"
   force_new_deployment               = var.force_new_deployment
+
   dynamic "load_balancer" {
-    for_each = data.aws_lb_target_group.lb_http_target_groups
+    for_each = module.ecs-alb.lb_http_tgs_map_arn_port
     content {
-      target_group_arn = load_balancer.value.arn
+      target_group_arn = each.key
       container_name   = var.container_name
-      container_port   = load_balancer.value.port
+      container_port   = each.value
     }
   }
   dynamic "load_balancer" {
-    for_each = data.aws_lb_target_group.lb_https_target_groups
+    for_each = module.ecs-alb.lb_https_tgs_map_arn_port
     content {
-      target_group_arn = load_balancer.value.arn
+      target_group_arn = each.key
       container_name   = var.container_name
-      container_port   = load_balancer.value.port
+      container_port   = each.value
     }
   }
   network_configuration {
@@ -84,33 +116,37 @@ resource "aws_security_group" "ecs_tasks_sg" {
   name        = "${var.name_prefix}-ecs-tasks-sg"
   description = "Allow inbound access from the LB only"
   vpc_id      = var.vpc_id
-  egress {
-    protocol    = "-1"
-    from_port   = 0
-    to_port     = 0
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+
   tags = {
     Name = "${var.name_prefix}-ecs-tasks-sg"
   }
 }
 
+resource "aws_security_group_rule" "egress" {
+  security_group_id = aws_security_group.ecs_tasks_sg.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "ingress_through_http" {
-  for_each                 = var.lb_http_tgs_ports != null ? toset(var.lb_http_tgs_ports) : toset([])
+  for_each                 = toset(module.ecs-alb.lb_http_tgs_ports)
   security_group_id        = aws_security_group.ecs_tasks_sg.id
   type                     = "ingress"
   from_port                = each.key
   to_port                  = each.key
   protocol                 = "tcp"
-  source_security_group_id = var.load_balancer_sg_id
+  source_security_group_id = module.ecs-alb.aws_security_group_lb_access_sg_id
 }
 
 resource "aws_security_group_rule" "ingress_through_https" {
-  for_each                 = var.lb_https_tgs_ports != null ? toset(var.lb_https_tgs_ports) : toset([])
+  for_each                 = toset(module.ecs-alb.lb_https_tgs_ports)
   security_group_id        = aws_security_group.ecs_tasks_sg.id
   type                     = "ingress"
   from_port                = each.key
   to_port                  = each.key
   protocol                 = "tcp"
-  source_security_group_id = var.load_balancer_sg_id
+  source_security_group_id = module.ecs-alb.aws_security_group_lb_access_sg_id
 }

variables.tf

@@ -174,42 +174,179 @@ variable "scale_target_min_capacity" {
 #------------------------------------------------------------------------------
 # AWS LOAD BALANCER
 #------------------------------------------------------------------------------
-variable "lb_arn" {
-  description = "Load Balancer ARN"
-  type        = string
+#------------------------------------------------------------------------------
+# APPLICATION LOAD BALANCER
+#------------------------------------------------------------------------------
+variable "lb_internal" {
+  description = "(Optional) If true, the LB will be internal."
+  type        = bool
+  default     = false
 }
 
-variable "lb_http_tgs_arns" {
-  description = "List of HTTP LB Target Group ARNs"
+variable "lb_security_groups" {
+  description = "(Optional) A list of security group IDs to assign to the LB."
   type        = list(string)
+  default     = []
 }
 
-variable "lb_http_tgs_ports" {
-  description = "List of HTTP LB Target Group Ports"
-  type        = list(string)
+variable "lb_drop_invalid_header_fields" {
+  description = "(Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens."
+  type        = bool
+  default     = false
 }
 
-variable "lb_https_tgs_arns" {
-  description = "List of HTTPS LB Target Group ARNs"
+variable "lb_idle_timeout" {
+  description = "(Optional) The time in seconds that the connection is allowed to be idle. Default: 60."
+  type        = number
+  default     = 60
+}
+
+variable "lb_enable_deletion_protection" {
+  description = "(Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false."
+  type        = bool
+  default     = false
+}
+
+variable "lb_enable_cross_zone_load_balancing" {
+  description = "(Optional) If true, cross-zone load balancing of the load balancer will be enabled. Defaults to false."
+  type        = bool
+  default     = false
+}
+
+variable "lb_enable_http2" {
+  description = "(Optional) Indicates whether HTTP/2 is enabled in the load balancer. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "lb_ip_address_type" {
+  description = "(Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. Defaults to ipv4"
+  type        = string
+  default     = "ipv4"
+}
+
+#------------------------------------------------------------------------------
+# ACCESS CONTROL TO APPLICATION LOAD BALANCER
+#------------------------------------------------------------------------------
+variable "lb_http_ports" {
+  description = "Map containing objects with two fields, listener_port and the target_group_port to redirect HTTP requests"
+  type        = map
+  default = {
+    default_http = {
+      listener_port     = 80
+      target_group_port = 80
+    }
+  }
+}
+
+variable "lb_http_ingress_cidr_blocks" {
+  description = "List of CIDR blocks to allowed to access the Load Balancer through HTTP"
   type        = list(string)
+  default     = ["0.0.0.0/0"]
 }
 
-variable "lb_https_tgs_ports" {
-  description = "List of HTTPS LB Target Group Ports"
+variable "lb_http_ingress_prefix_list_ids" {
+  description = "List of prefix list IDs blocks to allowed to access the Load Balancer through HTTP"
   type        = list(string)
+  default     = []
+}
+
+variable "lb_https_ports" {
+  description = "Map containing objects with two fields, listener_port and the target_group_port to redirect HTTPS requests"
+  type        = map
+  default = {
+    default_http = {
+      listener_port     = 443
+      target_group_port = 443
+    }
+  }
 }
 
-variable "lb_http_listeners_arns" {
-  description = "List of HTTP LB Listeners ARNs"
+variable "lb_https_ingress_cidr_blocks" {
+  description = "List of CIDR blocks to allowed to access the Load Balancer through HTTPS"
   type        = list(string)
+  default     = ["0.0.0.0/0"]
 }
 
-variable "lb_https_listeners_arns" {
-  description = "List of HTTPS LB Listeners ARNs"
+variable "lb_https_ingress_prefix_list_ids" {
+  description = "List of prefix list IDs blocks to allowed to access the Load Balancer through HTTPS"
   type        = list(string)
+  default     = []
+}
+
+#------------------------------------------------------------------------------
+# AWS LOAD BALANCER - Target Groups
+#------------------------------------------------------------------------------
+variable "lb_deregistration_delay" {
+  description = "(Optional) The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds."
+  type        = number
+  default     = 300
+}
+
+variable "lb_slow_start" {
+  description = "(Optional) The amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds."
+  type        = number
+  default     = 0
+}
+
+variable "lb_load_balancing_algorithm_type" {
+  description = "(Optional) Determines how the load balancer selects targets when routing requests. The value is round_robin or least_outstanding_requests. The default is round_robin."
+  type        = string
+  default     = "round_robin"
+}
+
+variable "lb_stickiness" {
+  description = "(Optional) A Stickiness block. Provide three fields. type, the type of sticky sessions. The only current possible value is lb_cookie. cookie_duration, the time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). enabled, boolean to enable / disable stickiness. Default is true."
+  type = object({
+    type            = string
+    cookie_duration = string
+    enabled         = bool
+  })
+  default = {
+    type            = "lb_cookie"
+    cookie_duration = 86400
+    enabled         = true
+  }
+}
+
+variable "lb_target_group_health_check_enabled" {
+  description = "(Optional) Indicates whether health checks are enabled. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "lb_target_group_health_check_interval" {
+  description = "(Optional) The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. Default 30 seconds."
+  type        = number
+  default     = 30
+}
+
+variable "lb_target_group_health_check_path" {
+  description = "The destination for the health check request."
+  type        = string
+  default     = "/"
+}
+
+variable "lb_target_group_health_check_timeout" {
+  description = "(Optional) The amount of time, in seconds, during which no response means a failed health check. The range is 2 to 120 seconds, and the default is 5 seconds."
+  type        = number
+  default     = 5
+}
+
+variable "lb_target_group_health_check_healthy_threshold" {
+  description = "(Optional) The number of consecutive health checks successes required before considering an unhealthy target healthy. Defaults to 3."
+  type        = number
+  default     = 3
+}
+
+variable "lb_target_group_health_check_unhealthy_threshold" {
+  description = "(Optional) The number of consecutive health check failures required before considering the target unhealthy. Defaults to 3."
+  type        = number
+  default     = 3
 }
 
-variable "load_balancer_sg_id" {
-  description = "The ID of the security group of the Load Balancer. This is to allow traffic only from Load Balancer"
+variable "lb_target_group_health_check_matcher" {
+  description = "The HTTP codes to use when checking for a successful response from a target. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\"). Default is 200."
   type        = string
+  default     = "200"
 }