terraform-aws-alb-web-containers's Introduction

Creates an ALB for serving an HTTPS web app.

Creates the following resources:

  • ALB with HTTP (redirect) and HTTPS listeners.
  • Target group for the HTTPS listener.
  • Security Groups for the ALB.

The HTTP listener redirects to HTTPS.

The HTTPS listener uses a certificate stored in ACM or IAM.

Usage

module "app_alb" {
  source = "trussworks/alb-web-containers/aws"

  name           = "app"
  environment    = "prod"
  logs_s3_bucket = "my-aws-logs"

  # Terraform >= 0.12 takes references directly; the legacy "${...}" wrapper is not needed.
  alb_vpc_id                  = module.vpc.vpc_id
  alb_subnet_ids              = module.vpc.public_subnets
  alb_default_certificate_arn = aws_acm_certificate.cert.arn

  # Port and path the target group will probe on the container.
  container_port    = "443"
  health_check_path = "/health"
}

Requirements

  • terraform >= 1.0
  • aws >= 3.0

Providers

  • aws >= 3.0

Modules

No modules.

Resources

  • aws_lb.main (resource)
  • aws_lb_listener.http (resource)
  • aws_lb_listener.https (resource)
  • aws_lb_listener_certificate.main (resource)
  • aws_lb_target_group.https (resource)
  • aws_security_group.alb_sg (resource)
  • aws_security_group_rule.app_alb_allow_http_from_world (resource)
  • aws_security_group_rule.app_alb_allow_https_from_world (resource)
  • aws_security_group_rule.app_alb_allow_outbound (resource)

Inputs

Each input is listed as name (type, default, required or optional): description.

  • alb_certificate_arns (list(string), default [], optional): The ARNs of the certificates to be attached to the ALB.
  • alb_default_certificate_arn (string, required): The ARN of the default certificate to be attached to the ALB.
  • alb_idle_timeout (number, default 60, optional): The time in seconds that the connection is allowed to be idle.
  • alb_internal (string, default false, optional): If true, the ALB will be internal. Defaults to false, in which case the ALB will be public.
  • alb_ssl_policy (string, default "ELBSecurityPolicy-2016-08", optional): The SSL policy (aka security policy) for the Application Load Balancer that specifies the TLS protocols and ciphers allowed. See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies.
  • alb_subnet_ids (list(string), required): Subnet IDs for the ALB. Use public subnets for a public ALB and private subnets for an internal ALB.
  • alb_vpc_id (string, required): VPC ID to be used by the ALB.
  • allow_public_http (string, default true, optional): Allow inbound access from the Internet to port 80.
  • allow_public_https (string, default true, optional): Allow inbound access from the Internet to port 443.
  • container_port (string, default 443, optional): The port on which the container will receive traffic.
  • container_protocol (string, default "HTTPS", optional): The protocol to use to connect with the container.
  • container_protocol_version (string, default "HTTP1", optional): The protocol version to use with the container.
  • deregistration_delay (string, default 90, optional): The amount of time for the LB to wait before changing the state of a deregistering target from draining to unused. Default is 90s.
  • desync_mitigation_mode (string, default "defensive", optional): Specifies how the load balancer handles security issues related to HTTP desync.
  • enable_deletion_protection (string, default false, optional): If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer.
  • environment (string, required): Environment tag, e.g. prod.
  • health_check_interval (string, default 30, optional): The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, maximum value 300 seconds. Default 30 seconds.
  • health_check_path (string, default "/", optional): The destination for the health check requests to the container.
  • health_check_success_codes (string, default "200", optional): The HTTP codes to use when checking for a successful response from the container. You can specify multiple values (for example, '200,202') or a range of values (for example, '200-299').
  • health_check_timeout (string, default 5, optional): The health check timeout. Minimum value 2 seconds, maximum value 60 seconds. Default 5 seconds.
  • healthy_threshold (string, default 3, optional): The number of consecutive health check successes required before considering an unhealthy target healthy. Defaults to 3.
  • load_balancing_algorithm_type (string, default "round_robin", optional): Determines how the load balancer selects targets when routing requests. Default is round_robin.
  • logs_s3_bucket (string, required): S3 bucket for storing access logs. Set to an empty string to disable logs.
  • logs_s3_prefix (string, default "", optional): Overrides the prefix for ALB logs.
  • logs_s3_prefix_enabled (bool, default true, optional): Toggle for the ALB logs S3 prefix.
  • name (string, required): The service name.
  • security_group (string, default "", optional): SG for the ALB.
  • security_group_tags (map(string), default {}, optional): A map of tags to add to the ALB's security group.
  • slow_start (number, default 0, optional): The amount of time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0.
  • target_group_name (string, default "", optional): Override the default name of the ALB's target group. Must be less than or equal to 32 characters. Default: ecs-[name]-[environment]-[protocol].
  • unhealthy_threshold (string, default 3, optional): The number of consecutive health check failures required before considering the target unhealthy. For Network Load Balancers, this value must be the same as the healthy_threshold. Defaults to 3.
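Several of the inputs above default to the permissive setting (a 2016 TLS policy that still allows TLS 1.0/1.1, "defensive" desync handling, no deletion protection, port 80 open). The invocation below is an added example, not part of the module's README, showing the same module call with those inputs set deliberately; the VPC module, the ACM resource and the bucket name are assumptions.

```hcl
module "app_alb" {
  source = "trussworks/alb-web-containers/aws"

  name           = "app"
  environment    = "prod"
  logs_s3_bucket = "my-aws-logs" # assumed bucket; "" would disable access logs entirely

  alb_vpc_id                  = module.vpc.vpc_id            # assumed VPC module
  alb_subnet_ids              = module.vpc.public_subnets
  alb_default_certificate_arn = aws_acm_certificate.cert.arn # assumed ACM resource

  # The default "ELBSecurityPolicy-2016-08" still negotiates TLS 1.0 and 1.1.
  # This AWS-managed policy accepts TLS 1.2 and 1.3 only.
  alb_ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # The default "defensive" blocks only requests classified as severe; "strictest"
  # rejects every request that is not RFC 7230 compliant, closing the request-smuggling
  # window at the cost of dropping some malformed-but-benign clients.
  desync_mitigation_mode = "strictest"

  # A production entry point should not be deletable by a stray apply or API call.
  enable_deletion_protection = true

  # Port 80 carries only the redirect listener; closing it at the security group removes
  # the plaintext hop. Leave it at the default (true) if you rely on the 80-to-443 redirect.
  allow_public_http = false

  # Re-encrypt to the target (the default, stated explicitly) and treat only 200 as healthy.
  container_port             = "443"
  container_protocol         = "HTTPS"
  health_check_path          = "/health"
  health_check_success_codes = "200"
}
```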

Outputs

  • alb_arn: The ARN of the ALB.
  • alb_arn_suffix: The ARN suffix of the ALB for use with CloudWatch Metrics.
  • alb_dns_name: DNS name of the ALB.
  • alb_id: The ID of the ALB.
  • alb_listener_arn: The ARN associated with the HTTPS listener on the ALB.
  • alb_security_group_id: Security Group ID assigned to the ALB.
  • alb_target_group_id: ID of the target group with the HTTPS listener.
  • alb_zone_id: Route53 hosted zone ID associated with the ALB.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks

terraform-aws-alb-web-containers's Issues

Permissions error accessing logs bucket.

I'm sure I messed something up somewhere, but haven't had any luck getting past this one.

module.alb.aws_lb.main: Still creating... [10s elapsed]
module.alb.aws_lb.main: Still creating... [20s elapsed]
module.alb.aws_lb.main: Still creating... [30s elapsed]

Error: Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: dev-example-alb-logs Please check S3bucket permission
	status code: 400, request id: 1379cdf9-8253-41cb-a844-9323808de4fe

  on .terraform/modules/alb/terraform-aws-alb-web-containers-3.0.2/main.tf line 91, in resource "aws_lb" "main":
  91: resource "aws_lb" "main" {


I have also tried with default_allow = true in module.logs

lb.tf

locals {
  zone_name          = "${var.env}.example.com"
  container_protocol = "HTTP"
  container_port     = "80"
  health_check_path  = "/"
  app_name           = "example"
  logs_bucket        = "${var.env}-${local.app_name}-alb-logs"
}

module "logs" {
  source         = "trussworks/logs/aws"
  s3_bucket_name = local.logs_bucket
  region         = var.region
  force_destroy  = true
  default_allow  = false
  allow_alb      = true
}

module "alb" {
  source  = "trussworks/alb-web-containers/aws"

  name           = "${local.app_name}-alb"
  environment    = local.environment
  logs_s3_bucket = local.logs_bucket

  alb_vpc_id                  = module.vpc.vpc_id
  alb_subnet_ids              = module.vpc.public_subnets
  alb_default_certificate_arn = module.acm.this_acm_certificate_arn

  container_port     = local.container_port
  container_protocol = local.container_protocol
  health_check_path  = local.health_check_path
}
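For comparison with whatever the logs module generated, here is an added example (not from the issue or from the trussworks modules) of the bucket policy an ALB needs before it can deliver access logs: the regional Elastic Load Balancing account must be allowed to put objects under the ALB's log path, and a bucket without that grant produces the "Access Denied for bucket" error quoted above. The bucket name is taken from the issue; the prefix and the region assumption are labelled in the comments.

```hcl
# Assumed names; adjust to the bucket and prefix the ALB module is pointed at.
locals {
  logs_bucket = "dev-example-alb-logs"
  logs_prefix = "alb" # must match the ALB's configured log prefix (logs_s3_prefix)
}
data "aws_caller_identity" "current" {}

# Resolves the AWS-owned Elastic Load Balancing account for the provider's region (regions
# opened after Aug 2022 use the logdelivery.elasticloadbalancing.amazonaws.com principal instead).
data "aws_elb_service_account" "main" {}

data "aws_iam_policy_document" "alb_logs" {
  # Grant the ELB account write access to this account's log path only, not the whole bucket.
  statement {
    sid     = "AllowALBLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
    resources = [
      "arn:aws:s3:::${local.logs_bucket}/${local.logs_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
  # Refuse any plaintext (non-TLS) access to the log bucket, for every principal.
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      "arn:aws:s3:::${local.logs_bucket}",
      "arn:aws:s3:::${local.logs_bucket}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = local.logs_bucket
  policy = data.aws_iam_policy_document.alb_logs.json
}
```

If the ALB is created with an empty prefix, the log path is bucket/AWSLogs/account-id/* and the first resource ARN must be shortened to match.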

swap name and environment?

It would be nice if we had the environment variable first rather than the name of the module because that way it would be easier to sort resources by environment when we have too many resources.

Yes, I am aware that there are tags, filters, etc.; but this change would make the list of resources look neat visually, not a huge jungle of names with seemingly no order.

attach more security groups to load balancer

Oftentimes, there might be some extra rules that one might want to add to the load balancers.

Since the security_groups argument for resource "aws_lb" accepts a list, we could accept another list and then merge that with what we currently have.

Use case: I want to run an application on a custom port (other than the default 80 and 443).

I am aware that it would be aesthetically better to run the load balancer on the default ports and then run the application on whatever different ports I want (using container_port). However, I have a hard requirement from a customer that the domain for the application use a different port than the default.

Route53 support?

I found that domain support was removed in commit 4bc0a3a, but since there was no context in the commit message, I was wondering if there was some reason for removing the support for domains for the web containers 🤔

I am assuming that the previous implementation had a specific format for the sub-domain

fqdn = "${var.name}.${var.environment}.${var.zone_name}"

which did not align with generalized use of the module.

But I think it would be useful if we included a provision to use a route53 domain for a web service. It is probably a missing part of a web service module. The implementation could be similar to how the module accepts variables for the ALB certificates.

If you are open to it, I could come up with a pull request for it.

Personal wish-list: I would prefer if

  1. we created the Amazon Certificate Manager (ACM) certificates for the domains as well, but I am okay with passing an Amazon Resource Name (ARN) too (because my use-case uses a wildcard certificate for the whole sub-domain 😄)
  2. we created basic CloudWatch metric alarms, HTTPCode_ELB_5xx_Count and HTTPCode_Target_5xx_Count; but I understand that different people might have their own metrics, conditions and thresholds.

PS: These are holding me back from using this module directly in my project and not having to redefine the whole module.

Dependabot can't parse your go.mod

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go: github.com/gruntwork-io/[email protected] requires
	github.com/google/[email protected] requires
	github.com/vdemeester/[email protected] requires
	k8s.io/[email protected] requires
	google.golang.org/[email protected]: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /opt/go/gopath/pkg/mod/cache/vcs/30a5dbaa452c7ca9354df264080379bbcf24496036c60968495fa0ec4a41888c: exit status 128:
	fatal: The remote end hung up unexpectedly
	fatal: early EOF
	fatal: index-pack failed

Inappropriate value for attribute "subnets" with Terraform version 0.12

Trying to use Terraform 0.12.3 with alb-web-containers/aws and ran into the errors below.
Any plans to make this module compatible with 0.12.*?

source  = "trussworks/alb-web-containers/aws"
version = "~> 2.4.0"

Error: Incorrect attribute value type

  on .terraform/modules/app_ellsworth.alb_web_containers/trussworks-terraform-aws-alb-web-containers-ac86ff1/main.tf line 90, in resource "aws_lb" "main":
  90:   subnets         = ["${var.alb_subnet_ids}"]

Inappropriate value for attribute "subnets": element 0: string required.
