Merge pull request #5 from comet-ml/cleanup-ec2-alb

Cleanup ec2 alb

Author: burmek

comet-infrastructure/main.tf

@@ -36,7 +36,8 @@ module "comet_ec2" {
   comet_ec2_volume_size    = var.comet_ec2_volume_size
   comet_ec2_key            = var.comet_ec2_key
 
-  alb_enabled = var.enable_ec2_alb
+  alb_enabled      = var.enable_ec2_alb
+  comet_ec2_alb_sg = var.enable_ec2_alb ? module.comet_ec2_alb[0].comet_alb_sg : null
 
   s3_enabled              = var.enable_s3
   comet_ml_s3_bucket      = var.s3_bucket_name

comet-infrastructure/modules/comet_ec2/main.tf

@@ -173,7 +173,6 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_ssh" {
   from_port   = local.ssh_port
   to_port     = local.ssh_port
   ip_protocol = "tcp"
-  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -183,7 +182,6 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_http" {
   from_port   = local.http_port
   to_port     = local.http_port
   ip_protocol = "tcp"
-  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -193,20 +191,18 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_https" {
   from_port   = local.https_port
   to_port     = local.https_port
   ip_protocol = "tcp"
-  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
-/*
 resource "aws_vpc_security_group_ingress_rule" "comet_ec2_alb_http" {
+  count             = var.alb_enabled ? 1 : 0
   security_group_id = aws_security_group.comet_ec2_sg.id
 
-  from_port   = local.http_port
-  to_port     = local.http_port
-  ip_protocol    = "tcp"
-  security_groups = [var.comet_ec2_alb_sg.id]
+  from_port                    = local.http_port
+  to_port                      = local.http_port
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = var.comet_ec2_alb_sg
 }
-*/
 
 resource "aws_vpc_security_group_egress_rule" "comet_ec2_egress_any" {
   security_group_id = aws_security_group.comet_ec2_sg.id

comet-infrastructure/modules/comet_ec2/variables.tf

@@ -65,4 +65,9 @@ variable "comet_ml_s3_bucket" {
 variable "comet_ec2_s3_iam_policy" {
   description = "Policy granting access to Comet S3 bucket"
   type        = string
+}
+
+variable "comet_ec2_alb_sg" {
+  description = "ID of the security group attached to an associated application load balancer, for creating ingress EC2 SG rule"
+  type        = string
 }

comet-infrastructure/modules/comet_ec2_alb/outputs.tf

@@ -1,4 +1,9 @@
 output "alb_dns_name" {
   description = "DNS name of the ALB"
   value       = module.alb.lb_dns_name
+}
+
+output "comet_alb_sg" {
+  description = "ID of the security group created for the ALB"
+  value       = aws_security_group.comet_alb_sg.id
 }

comet-infrastructure/terraform.tfvars

@@ -15,12 +15,14 @@ availability_zones    = ["us-east-1a", "us-east-1b", "us-east-1c"]
 comet_public_subnets  = ["subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl"]
 comet_private_subnets = ["subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl"]
 
+# if provisioning comet_ec2_alb, specify the following for the HTTPS listener
+#ssl_certificate_arn = ""
+
 # if provisioning comet_elasticache for use with existing compute, set the variable below to specify an SG that connections will be allowed from
 elasticache_allow_from_sg = "sg-012345abcdefghijkl"
 
 # if provisioning comet_rds for use with existing compute, set the variable below to specify an SG that connections will be allowed from
 rds_allow_from_sg = "sg-012345abcdefghijkl"
 
 s3_bucket_name      = "comet-use2-bucket"
-rds_root_password   = "CHANGE-ME"
-ssl_certificate_arn = ""
+rds_root_password   = "CHANGE-ME"

comet-infrastructure/variables.tf

@@ -122,7 +122,7 @@ variable "comet_ec2_key" {
 variable "ssl_certificate_arn" {
   description = "ARN of the ACM certificate to use for the ALB"
   type        = string
-  default     = ""
+  default     = null
 }
 
 #comet_eks