Selleo · qbart · Jun 10, 2024 · Jun 10, 2024 · Jun 10, 2024
diff --git a/modules/lb/alb/README.md b/modules/lb/alb/README.md
@@ -0,0 +1,51 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_alb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb) | resource |
+| [aws_alb_listener.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_listener) | resource |
+| [aws_security_group.lb_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.allow_all_outbound_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_logs"></a> [access\_logs](#input\_access\_logs) | Access logs config for load balancer. | <pre>object({<br>    bucket  = string<br>    prefix  = string<br>    enabled = bool<br>  })</pre> | <pre>{<br>  "bucket": "",<br>  "enabled": false,<br>  "prefix": ""<br>}</pre> | no |
+| <a name="input_allow_all_outbound"></a> [allow\_all\_outbound](#input\_allow\_all\_outbound) | Create ingress rule for port 443. | `bool` | `true` | no |
+| <a name="input_allow_http"></a> [allow\_http](#input\_allow\_http) | Create ingress rule for port 80. | `bool` | `true` | no |
+| <a name="input_allow_https"></a> [allow\_https](#input\_allow\_https) | Create ingress rule for port 443. | `bool` | `true` | no |
+| <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | CIDR blocks used for ingress rules. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_context"></a> [context](#input\_context) | Project context. | <pre>object({<br>    namespace = string<br>    stage     = string<br>    name      = string<br>  })</pre> | n/a | yes |
+| <a name="input_force_https"></a> [force\_https](#input\_force\_https) | Creates redirection from HTTP to HTTPS. | `bool` | `true` | no |
+| <a name="input_ipv6_cidr_blocks"></a> [ipv6\_cidr\_blocks](#input\_ipv6\_cidr\_blocks) | CIDR IPv6 blocks used for ingress rules. | `list(string)` | <pre>[<br>  "::/0"<br>]</pre> | no |
+| <a name="input_name"></a> [name](#input\_name) | Load balancer name. | `string` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of AWS subent IDs for Autoscaling group. | `list(string)` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags attached to resources. | `map(string)` | `{}` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC id. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_dns_name"></a> [dns\_name](#output\_dns\_name) | The DNS name of the load balancer. |
+| <a name="output_id"></a> [id](#output\_id) | The ARN of the load balancer. |
+| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | Security Group attached to the load balancer. |
+| <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record). |
+<!-- END_TF_DOCS -->
diff --git a/modules/lb/alb/main.tf b/modules/lb/alb/main.tf
@@ -0,0 +1,85 @@
+locals {
+  tags = merge({
+    "context.namespace"   = var.context.namespace
+    "context.stage"       = var.context.stage
+    "context.name"        = var.context.name
+  }, var.tags)
+}
+
+resource "aws_alb" "this" {
+  name            = var.name
+  subnets         = var.subnet_ids
+  security_groups = [aws_security_group.lb_sg.id]
+  idle_timeout    = 1800
+
+  access_logs {
+    bucket  = var.access_logs.bucket
+    prefix  = var.access_logs.prefix
+    enabled = var.access_logs.enabled
+  }
+
+  tags = merge(local.tags, { "resource.group" = "network" })
+}
+
+resource "aws_alb_listener" "this" {
+  count = var.allow_http && var.force_https ? 1 : 0
+
+  load_balancer_arn = resource.aws_alb.this.id
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+      query       = "#{query}"
+    }
+  }
+}
+
+resource "aws_security_group" "lb_sg" {
+  description = "controls access to the application ELB"
+  vpc_id      = var.vpc_id
+  name        = "lb-${var.name}"
+
+  tags = merge(local.tags, { "resource.group" = "network" })
+}
+
+resource "aws_security_group_rule" "http" {
+  count = var.allow_http ? 1 : 0
+
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = var.cidr_blocks
+  ipv6_cidr_blocks  = var.ipv6_cidr_blocks
+  security_group_id = aws_security_group.lb_sg.id
+}
+
+resource "aws_security_group_rule" "https" {
+  count = var.allow_https ? 1 : 0
+
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = var.cidr_blocks
+  ipv6_cidr_blocks  = var.ipv6_cidr_blocks
+  security_group_id = aws_security_group.lb_sg.id
+}
+
+resource "aws_security_group_rule" "allow_all_outbound_lb" {
+  count = var.allow_all_outbound ? 1 : 0
+
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "all"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+  security_group_id = aws_security_group.lb_sg.id
+}
diff --git a/modules/lb/alb/outputs.tf b/modules/lb/alb/outputs.tf
@@ -0,0 +1,19 @@
+output "id" {
+  value       = aws_alb.this.id
+  description = "The ARN of the load balancer."
+}
+
+output "security_group_id" {
+  value       = aws_security_group.lb_sg.id
+  description = "Security Group attached to the load balancer."
+}
+
+output "dns_name" {
+  value       = aws_alb.this.dns_name
+  description = "The DNS name of the load balancer."
+}
+
+output "zone_id" {
+  value       = aws_alb.this.zone_id
+  description = "The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record)."
+}
diff --git a/modules/lb/alb/variables.tf b/modules/lb/alb/variables.tf
@@ -0,0 +1,86 @@
+# required
+
+variable "context" {
+  description = "Project context."
+
+  type = object({
+    namespace = string
+    stage     = string
+    name      = string
+  })
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "VPC id."
+}
+
+variable "name" {
+  type        = string
+  description = "Load balancer name."
+}
+
+variable "subnet_ids" {
+  type        = list(string)
+  description = "List of AWS subent IDs for Autoscaling group."
+}
+
+# optional
+
+variable "force_https" {
+  type        = bool
+  description = "Creates redirection from HTTP to HTTPS."
+  default     = true
+}
+
+variable "allow_http" {
+  type        = bool
+  description = "Create ingress rule for port 80."
+  default     = true
+}
+
+variable "allow_https" {
+  type        = bool
+  description = "Create ingress rule for port 443."
+  default     = true
+}
+
+variable "allow_all_outbound" {
+  type        = bool
+  description = "Create ingress rule for port 443."
+  default     = true
+}
+
+variable "cidr_blocks" {
+  type        = list(string)
+  description = "CIDR blocks used for ingress rules."
+  default     = ["0.0.0.0/0"]
+}
+
+variable "ipv6_cidr_blocks" {
+  type        = list(string)
+  description = "CIDR IPv6 blocks used for ingress rules."
+  default     = ["::/0"]
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Additional tags attached to resources."
+  default     = {}
+}
+
+variable "access_logs" {
+  description = "Access logs config for load balancer."
+
+  type = object({
+    bucket  = string
+    prefix  = string
+    enabled = bool
+  })
+
+  default = {
+    bucket  = ""
+    prefix  = ""
+    enabled = false
+  }
+}
diff --git a/modules/lb/alb/versions.tf b/modules/lb/alb/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+
diff --git a/modules/lb/https-listener/README.md b/modules/lb/https-listener/README.md
@@ -0,0 +1,29 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_alb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_listener) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | ACM certificate ARN | `string` | n/a | yes |
+| <a name="input_load_balancer_arn"></a> [load\_balancer\_arn](#input\_load\_balancer\_arn) | Load balancer ARN | `string` | n/a | yes |
+| <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | SSL policy.<br>[Available policies here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html) | `string` | `"ELBSecurityPolicy-TLS-1-2-Ext-2018-06"` | no |
+| <a name="input_target_group_arn"></a> [target\_group\_arn](#input\_target\_group\_arn) | Target group ARN from ECS service | `string` | n/a | yes |
+<!-- END_TF_DOCS -->
diff --git a/modules/lb/https-listener/main.tf b/modules/lb/https-listener/main.tf
@@ -0,0 +1,12 @@
+resource "aws_alb_listener" "https" {
+  load_balancer_arn = var.load_balancer_arn
+  port              = 443
+  protocol          = "HTTPS"
+  certificate_arn   = var.certificate_arn
+  ssl_policy        = var.ssl_policy
+
+  default_action {
+    target_group_arn = var.target_group_arn
+    type             = "forward"
+  }
+}
diff --git a/modules/lb/https-listener/variables.tf b/modules/lb/https-listener/variables.tf
@@ -0,0 +1,23 @@
+variable "load_balancer_arn" {
+  description = "Load balancer ARN"
+  type = string
+}
+
+variable "certificate_arn" {
+  description = "ACM certificate ARN"
+  type = string
+}
+
+variable "target_group_arn" {
+  description = "Target group ARN from ECS service"
+  type = string
+}
+
+variable "ssl_policy" {
+  description = <<-EOS
+  SSL policy.
+  [Available policies here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)
+  EOS
+  default = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
+  type = string
+}
diff --git a/modules/lb/https-listener/versions.tf b/modules/lb/https-listener/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}