###################################################################################################
# Traefik External Reverse Proxy
###################################################################################################
resource "aws_lb" "external" {
  # Load balancer that fronts the external Traefik instances. `internal` is
  # not set, so this is internet-facing by the provider default; the only
  # security group attached is the dedicated one defined in this file.
  name            = var.external_lb_name
  security_groups = [aws_security_group.external_lb.id]
  subnets         = var.lb_external_subnets

  # Access logging is opt-in via var.lb_external_access_log. When enabled the
  # logs land in the configured bucket/prefix, which is the audit trail for
  # requests arriving at this public entry point.
  access_logs {
    enabled = var.lb_external_access_log
    bucket  = var.lb_external_access_log_bucket
    prefix  = var.lb_external_access_log_prefix
  }

  # When true the ALB discards request headers whose names are not valid
  # instead of forwarding them to Traefik. The value comes from a variable,
  # so check its default before relying on it.
  drop_invalid_header_fields = var.external_drop_invalid_header_fields

  # NOTE(review): enable_deletion_protection is not set (provider default
  # applies); consider enabling it for a production entry point.
  tags = merge(var.tags, { Name = var.external_lb_name })
}
resource "aws_security_group" "external_lb" {
  # Dedicated security group for the external LB. It carries no inline
  # ingress/egress blocks; the rules are the aws_security_group_rule
  # resources below. NOTE(review): confirm no other rules are attached to
  # this group outside this file, since they would widen the policy.
  name        = "${var.external_lb_name}-lb"
  description = "Security group for external load balancer for Traefik"
  vpc_id      = var.vpc_id
  tags        = merge(var.tags, { Name = "${var.external_lb_name}-lb" })
}
##########################
# Security Group Rules for LB
##########################
# Allowed incoming CIDRs -> External LB (HTTP)
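resource "aws_security_group_rule" "external_lb_http_ingress" {
  # Only open port 80 when the HTTP redirect listener exists (same condition
  # as aws_lb_listener.http_external). Without this, the port stays reachable
  # from var.external_lb_incoming_cidr even though nothing answers on it.
  # Adding `count` makes the resource address indexed ([0]); an existing
  # deployment will plan a replace of this rule unless a `moved` block is
  # added for the old address.
  count = var.external_enable_http ? 1 : 0

  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = var.external_lb_incoming_cidr
  security_group_id = aws_security_group.external_lb.id
}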
# Allowed incoming CIDRs -> External LB (HTTPS)
resource "aws_security_group_rule" "external_lb_https_ingress" {
  # TLS entry point. The allowed source ranges are entirely controlled by
  # var.external_lb_incoming_cidr; review that variable's value, since this
  # is the rule that exposes the LB to the outside.
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.external_lb_incoming_cidr
  security_group_id = aws_security_group.external_lb.id
}
# External LB -> Traefik External endpoint
resource "aws_security_group_rule" "external_lb_http_egress" {
  # Egress from the LB is limited to port 80 on the Nomad client security
  # group, where the Traefik external endpoint listens. For an egress rule
  # the provider treats source_security_group_id as the destination group.
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = var.nomad_clients_external_security_group
  security_group_id        = aws_security_group.external_lb.id
}
# External LB -> Traefik health check
resource "aws_security_group_rule" "external_lb_health_check_egress" {
  # Allows the LB to reach the health-check port (8080) on the Nomad client
  # security group; this matches the health_check block of
  # aws_lb_target_group.external. For an egress rule
  # source_security_group_id is the destination group.
  type                     = "egress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = var.nomad_clients_external_security_group
  security_group_id        = aws_security_group.external_lb.id
}
##########################
# Security Group Rules for Nomad Clients
##########################
# External LB -> Traefik External Endpoint
resource "aws_security_group_rule" "nomad_external_http_ingress" {
  # Mirror of external_lb_http_egress on the Nomad client side: port 80 is
  # only reachable from the external LB security group, never from a CIDR,
  # so the LB is the sole path to the Traefik external endpoint.
  type                     = "ingress"
  security_group_id        = var.nomad_clients_external_security_group
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.external_lb.id
}
# External LB -> Traefik health check
resource "aws_security_group_rule" "nomad_external_health_check_ingress" {
  # Mirror of external_lb_health_check_egress on the Nomad client side:
  # the health-check port (8080) accepts connections only from the external
  # LB security group.
  type                     = "ingress"
  security_group_id        = var.nomad_clients_external_security_group
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.external_lb.id
}
#####################
# Listeners and target group
#####################
resource "aws_lb_listener" "http_external" {
  # Optional plain-HTTP listener, created only when var.external_enable_http
  # is true. Its sole action is a permanent redirect to HTTPS, so no
  # cleartext request is ever forwarded to Traefik.
  count             = var.external_enable_http ? 1 : 0
  load_balancer_arn = aws_lb.external.arn
  port              = "80"
  protocol          = "HTTP"

  # Redirect to HTTPS (301 keeps the original path/query per the redirect
  # block defaults; only protocol and port are overridden here).
  default_action {
    type = "redirect"

    redirect {
      protocol    = "HTTPS"
      port        = 443
      status_code = "HTTP_301"
    }
  }
}
resource "aws_lb_listener" "https_external" {
  # TLS listener that terminates HTTPS at the LB and forwards plain HTTP to
  # the Traefik target group. The cipher/protocol policy and certificate are
  # both supplied by variables.
  load_balancer_arn = aws_lb.external.arn
  port              = "443"
  protocol          = "HTTPS"
  # NOTE(review): confirm var.elb_ssl_policy's default excludes TLS 1.0/1.1;
  # this single value decides the minimum TLS version for every client.
  ssl_policy        = var.elb_ssl_policy
  certificate_arn   = var.external_certificate_arn

  default_action {
    target_group_arn = aws_lb_target_group.external.arn
    type             = "forward"
  }
}
resource "aws_lb_target_group" "external" {
  # Target group of Nomad clients running the external Traefik instance.
  # Traffic from the LB is plain HTTP on port 80 inside the VPC (TLS is
  # terminated at aws_lb_listener.https_external).
  name_prefix          = "tfk"
  port                 = "80"
  protocol             = "HTTP"
  vpc_id               = var.vpc_id
  deregistration_delay = var.deregistration_delay

  # Health check hits Traefik's /ping on port 8080 and requires an HTTP 200;
  # thresholds, interval and timeout come from variables. Port 8080 is the
  # reason for the *_health_check_* security group rules above.
  health_check {
    healthy_threshold   = var.healthy_threshold
    matcher             = "200"
    timeout             = var.timeout
    unhealthy_threshold = var.unhealthy_threshold
    interval            = var.interval
    path                = "/ping"
    port                = "8080"
  }

  # LB-generated cookie stickiness; cookie_duration is not set, so the
  # provider default applies.
  stickiness {
    enabled = true
    type    = "lb_cookie"
  }

  tags = merge(var.tags, { Name = "${var.external_lb_name}-traefik" })

  # name_prefix plus create_before_destroy lets a replacement target group be
  # created under a fresh name before the old one is removed, so the listener
  # is never left pointing at a deleted group.
  lifecycle {
    create_before_destroy = true
  }
}
resource "aws_autoscaling_attachment" "external" {
  # Registers the external Nomad client ASG with the Traefik target group so
  # instances join/leave the LB as the group scales.
  # NOTE(review): newer AWS provider releases deprecate alb_target_group_arn
  # in favour of lb_target_group_arn; switch once the provider constraint
  # allows it.
  autoscaling_group_name = var.external_nomad_clients_asg
  alb_target_group_arn   = aws_lb_target_group.external.arn
}
#############################
# Defines settings for Traefik Reverse Proxy
#############################
# DNS Record for the external Traefik listener domain.
# Everything else deployed should be an alias record (recommended) or a CNAME pointing at this domain.
resource "aws_route53_record" "external_dns_record" {
  # Alias A record for the external Traefik base domain, pointing at the LB.
  # The hosted zone comes from data.aws_route53_zone.default (defined
  # elsewhere in the module).
  zone_id = data.aws_route53_zone.default.zone_id
  name    = var.traefik_external_base_domain
  type    = "A"

  alias {
    name    = aws_lb.external.dns_name
    zone_id = aws_lb.external.zone_id
    # Route 53 does not consult the LB's health for this record; health-based
    # routing is left to the target group's own health check.
    evaluate_target_health = false
  }
}