feat(dash): SSL certificate 38/37938/3
authorpmikus <peter.mikus@protonmail.ch>
Tue, 17 Jan 2023 13:37:45 +0000 (13:37 +0000)
committerPeter Mikus <peter.mikus@protonmail.ch>
Wed, 18 Jan 2023 13:54:36 +0000 (13:54 +0000)
Signed-off-by: pmikus <peter.mikus@protonmail.ch>
Change-Id: Iccab2214a62d5d928d989e8e0dcb927b8ae3390f

fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/main.tf
fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/variables.tf
fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/versions.tf

index 2e6fb44..fa33b13 100644 (file)
@@ -1,8 +1,130 @@
 locals {
   tags = {
-    "Name"        = "${var.application_name}"
     "Environment" = "${var.application_name}"
   }
+
+  # Settings for all loadbalancer types
+  generic_elb_settings = [
+    {
+      namespace = "aws:elasticbeanstalk:environment"
+      name      = "LoadBalancerType"
+      value     = var.environment_loadbalancer_type
+    }
+  ]
+
+  classic_elb_settings = [
+    {
+      namespace = "aws:elb:loadbalancer"
+      name      = "CrossZone"
+      value     = var.environment_loadbalancer_crosszone
+    },
+    {
+      namespace = "aws:elb:loadbalancer"
+      name      = "SecurityGroups"
+      value     = join(",", sort(var.environment_loadbalancer_security_groups))
+    },
+    {
+      namespace = "aws:elb:loadbalancer"
+      name      = "ManagedSecurityGroup"
+      value     = var.environment_loadbalancer_managed_security_group
+    },
+    {
+      namespace = "aws:elb:listener"
+      name      = "ListenerProtocol"
+      value     = "HTTP"
+    },
+    {
+      namespace = "aws:elb:listener"
+      name      = "InstancePort"
+      value     = var.environment_process_default_port
+    },
+    {
+      namespace = "aws:elb:listener"
+      name      = "ListenerEnabled"
+      value     = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "ListenerProtocol"
+      value     = "HTTPS"
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "InstancePort"
+      value     = var.environment_process_default_port
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "SSLCertificateId"
+      value     = var.environment_loadbalancer_ssl_certificate_id
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "ListenerEnabled"
+      value     = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
+    },
+    {
+      namespace = "aws:elb:policies"
+      name      = "ConnectionSettingIdleTimeout"
+      value     = var.loadbalancer_connection_settings_idle_timeout
+    },
+    {
+      namespace = "aws:elb:policies"
+      name      = "ConnectionDrainingEnabled"
+      value     = "true"
+    }
+  ]
+
+  nlb_settings = [
+    {
+      namespace = "aws:elbv2:listener:default"
+      name      = "ListenerEnabled"
+      value     = var.default_listener_enabled
+    }
+  ]
+
+  beanstalk_elb_settings = [
+    {
+      namespace = "aws:ec2:vpc"
+      name      = "ELBSubnets"
+      value     = aws_subnet.subnet.id
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "Port"
+      value     = var.environment_process_default_port
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "Protocol"
+      value     = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
+    },
+    {
+      namespace = "aws:ec2:vpc"
+      name      = "ELBScheme"
+      value     = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "HealthCheckInterval"
+      value     = var.environment_process_default_healthcheck_interval
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "HealthyThresholdCount"
+      value     = var.environment_process_default_healthy_threshold_count
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "UnhealthyThresholdCount"
+      value     = var.environment_process_default_unhealthy_threshold_count
+    }
+  ]
+  elb_settings_nlb    = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
+  elb_setting_classic = var.environment_loadbalancer_type == "classic" ? concat(local.classic_elb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
+
+  # Full set of LoadBlanacer settings.
+  elb_settings = var.environment_tier == "WebServer" ? concat(local.elb_settings_nlb, local.elb_setting_classic) : []
 }
 
 # Create elastic beanstalk VPC
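Review bot: With a certificate configured, the port-80 `ListenerEnabled` expression in `classic_elb_settings` still evaluates to "true" whenever `default_listener_enabled` is true, so the environment serves plaintext HTTP next to HTTPS, and a classic ELB has no redirect rule to push clients onto 443; the dash env in this same commit sets `default_listener_enabled = true` together with the certificate, so that is the deployed state. If HTTPS-only is the intent, gate the HTTP listener on the certificate alone, `value = var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"`, or document that the variable deliberately keeps HTTP open. Both listeners forward to `InstancePort` with the default instance protocol, so TLS terminates at the ELB and traffic to the instances is plaintext inside the VPC, which is worth a comment above `classic_elb_settings`; the 443 listener also leaves the ELB's TLS negotiation policy at its default, and pinning it through the `aws:elb:policies:policy_name` namespace (`SSLReferencePolicy`) is worth considering — confirm the option names against the Beanstalk option reference. Minor: `elb_settings_nlb` and `elb_setting_classic` differ in plural/singular, and the comment reads `LoadBlanacer`.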
@@ -340,81 +462,18 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = aws_subnet.subnet.id
   }
 
-  setting {
-    namespace = "aws:ec2:vpc"
-    name      = "ELBSubnets"
-    value     = aws_subnet.subnet.id
-  }
-
-  setting {
-    namespace = "aws:ec2:vpc"
-    name      = "ELBScheme"
-    value     = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
-  }
-
   setting {
     namespace = "aws:ec2:vpc"
     name      = "AssociatePublicIpAddress"
     value     = var.associate_public_ip_address
   }
 
-  setting {
-    namespace = "aws:elasticbeanstalk:application"
-    name      = "Application Healthcheck URL"
-    value     = "/"
-  }
-
-  # aws:elbv2:listener:default
-  setting {
-    namespace = "aws:elbv2:listener:default"
-    name      = "ListenerEnabled"
-    value     = var.default_listener_enabled
-  }
-
-  # aws:elasticbeanstalk:environment
-  setting {
-    namespace = "aws:elasticbeanstalk:environment"
-    name      = "LoadBalancerType"
-    value     = var.environment_loadbalancer_type
-  }
-
   setting {
     namespace = "aws:elasticbeanstalk:environment"
     name      = "ServiceRole"
     value     = aws_iam_role.service.name
   }
 
-  # aws:elasticbeanstalk:environment:process:default
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "HealthCheckInterval"
-    value     = var.environment_process_default_healthcheck_interval
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "HealthyThresholdCount"
-    value     = var.environment_process_default_healthy_threshold_count
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "Port"
-    value     = var.environment_process_default_port
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "Protocol"
-    value     = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "UnhealthyThresholdCount"
-    value     = var.environment_process_default_unhealthy_threshold_count
-  }
-
   # aws:autoscaling:launchconfiguration
   setting {
     namespace = "aws:autoscaling:launchconfiguration"
@@ -428,6 +487,15 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = true
   }
 
+  dynamic "setting" {
+    for_each = local.elb_settings
+    content {
+      namespace = setting.value["namespace"]
+      name      = setting.value["name"]
+      value     = setting.value["value"]
+    }
+  }
+
   # aws:autoscaling:updatepolicy:rollingupdate
   setting {
     namespace = "aws:autoscaling:updatepolicy:rollingupdate"
@@ -447,6 +515,12 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = var.autoscaling_updatepolicy_min_instance_in_service
   }
 
+  setting {
+    namespace = "aws:elasticbeanstalk:application"
+    name      = "Application Healthcheck URL"
+    value     = var.application_healthcheck_url
+  }
+
   # aws:elasticbeanstalk:command
   setting {
     namespace = "aws:elasticbeanstalk:command"
@@ -494,6 +568,12 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = var.managedactions_platformupdate_instance_refresh_enabled
   }
 
+  setting {
+    namespace = "aws:elasticbeanstalk:command"
+    name      = "IgnoreHealthCheck"
+    value     = var.command_ignore_health_check
+  }
+
   # aws:autoscaling:asg
   setting {
     namespace = "aws:autoscaling:asg"
index b0c4189..b225472 100644 (file)
@@ -135,7 +135,37 @@ variable "default_listener_enabled" {
 variable "environment_loadbalancer_type" {
   description = "Load Balancer type, e.g. 'application' or 'classic'."
   type        = string
-  default     = "network"
+  default     = "classic"
+}
+
+variable "environment_loadbalancer_crosszone" {
+  description = "Configure the classic load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone."
+  type        = bool
+  default     = true
+}
+
+variable "environment_loadbalancer_security_groups" {
+  description = "Load balancer security groups"
+  type        = list(string)
+  default     = []
+}
+
+variable "environment_loadbalancer_managed_security_group" {
+  description = "Load balancer managed security group"
+  type        = string
+  default     = ""
+}
+
+variable "environment_loadbalancer_ssl_certificate_id" {
+  type        = string
+  default     = ""
+  description = "Load Balancer SSL certificate ARN. The certificate must be present in AWS Certificate Manager"
+}
+
+variable "loadbalancer_connection_settings_idle_timeout" {
+  description = "Classic load balancer only: Number of seconds that the load balancer waits for any data to be sent or received over the connection. If no data has been sent or received after this time period elapses, the load balancer closes the connection."
+  type        = number
+  default     = 60
 }
 
 # aws:elasticbeanstalk:environment:process:default
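Review bot: The description of `environment_loadbalancer_type` advertises `'application' or 'classic'`, but the new locals in main.tf only build settings for `"network"` and `"classic"`; any other value yields an empty `local.elb_settings`, so no `LoadBalancerType` or listener settings are emitted at all and the misconfiguration surfaces only at apply time. Correcting the description and adding a `validation` block turns that into a plan-time error. Separately, `environment_loadbalancer_security_groups` defaults to `[]`, which `join` turns into an empty `SecurityGroups` value — whether Beanstalk accepts that or silently falls back to a default group is worth confirming and noting in the description.

```hcl
variable "environment_loadbalancer_type" {
  description = "Load Balancer type: 'classic' or 'network'. Other values (e.g. 'application') produce no load balancer settings in local.elb_settings."
  type        = string
  default     = "classic"

  validation {
    condition     = contains(["classic", "network"], var.environment_loadbalancer_type)
    error_message = "environment_loadbalancer_type must be 'classic' or 'network'."
  }
}

# … unchanged: remaining variable blocks …
```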
@@ -182,6 +212,12 @@ variable "autoscaling_updatepolicy_min_instance_in_service" {
   default     = 1
 }
 
+variable "application_healthcheck_url" {
+  description = "The path where health check requests are sent to."
+  type        = string
+  default     = "HTTP:5000/"
+}
+
 # aws:elasticbeanstalk:command
 variable "command_deployment_policy" {
   description = "Use the DeploymentPolicy option to set the deployment type. The following values are supported: `AllAtOnce`, `Rolling`, `RollingWithAdditionalBatch`, `Immutable`, `TrafficSplitting`."
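Review bot: The default `"HTTP:5000/"` fixes the health-check port at 5000 independently of `environment_process_default_port`, so changing the process port without also changing this default leaves the load balancer probing a closed port and marking every instance unhealthy. Either state the coupling in the description, `description = "Health check target in HTTP:port/path form; the port must match environment_process_default_port."`, or derive the target from the process port where the setting is built in main.tf. Also confirm that the `HTTP:port/path` form is what the `Application Healthcheck URL` option expects for the network load balancer case, since the default applies to both types.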
@@ -229,6 +265,12 @@ variable "managedactions_platformupdate_instance_refresh_enabled" {
   default     = true
 }
 
+variable "command_ignore_health_check" {
+  description = "Do not cancel a deployment due to failed health checks"
+  type        = bool
+  default     = true
+}
+
 # aws:autoscaling:asg
 variable "autoscaling_asg_minsize" {
   description = "Minumum instances to launch"
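Review bot: Defaulting `command_ignore_health_check` to `true` makes every deployment proceed even when the new instances fail their health checks, which turns a broken build into an outage instead of a rolled-back deployment; the dash env module call in this commit does not override it, so this appears to be the deployed behaviour. A default of `false`, with an environment opting in explicitly when debugging a failing deployment, is the safer posture, and the description should name the consequence: `description = "Proceed with a deployment even if the new instances fail health checks. Leave false except when debugging a failing deployment."`. The setting that consumes this variable is added in the `aws:elasticbeanstalk:command` section of main.tf.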
index 62fed9d..0fad2d9 100644 (file)
@@ -34,7 +34,7 @@ module "elastic_beanstalk_environment" {
   environment_application            = module.elastic_beanstalk_application.application_name
   environment_description            = module.elastic_beanstalk_application.application_description
   environment_name                   = "fdio-csit-dash-env"
-  environment_solution_stack_name    = "64bit Amazon Linux 2 v3.4.2 running Python 3.8"
+  environment_solution_stack_name    = "64bit Amazon Linux 2 v3.4.3 running Python 3.8"
   environment_tier                   = "WebServer"
   environment_wait_for_ready_timeout = "25m"
   environment_version_label          = ""
@@ -50,7 +50,8 @@ module "elastic_beanstalk_environment" {
   default_listener_enabled = true
 
   # aws:elasticbeanstalk:environment
-  environment_loadbalancer_type = "network"
+  environment_loadbalancer_type               = "classic"
+  environment_loadbalancer_ssl_certificate_id = "arn:aws:acm:eu-central-1:407116685360:certificate/737ad419-36f1-460d-919a-9110b0aac26a"
 
   # aws:elasticbeanstalk:environment:process:default
   environment_process_default_healthcheck_interval      = 10
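Review bot: The ACM certificate ARN is hard-coded in the module call, which bakes an account-specific identifier into source and breaks silently if the certificate is ever re-imported or re-issued under a new ARN (ACM-managed renewal keeps the ARN; imported certificates do not). A `data "aws_acm_certificate"` lookup by domain name with `most_recent = true`, passing its `arn` here, keeps the reference stable and the account value out of the file — confirm the certificate is discoverable by domain in this account first. The `module` block started before this hunk.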
index a18b043..a107571 100644 (file)
@@ -7,7 +7,7 @@ variable "region" {
 variable "vault_provider_address" {
   description = "Vault cluster address."
   type        = string
-  default     = "http://10.30.51.24:8200"
+  default     = "http://vault.service.consul:8200"
 }
 
 variable "vault_provider_skip_tls_verify" {
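Review bot: The new default Vault address keeps the `http://` scheme, so the provider's token and every secret it reads cross the network unencrypted; switching from an IP to a Consul DNS name does not change that. If the Vault listener is TLS-enabled the default should be `https://vault.service.consul:8200`, and if plaintext is deliberate for this network the description should say so rather than leaving it implicit. The `vault_provider_skip_tls_verify` variable that begins on the last line continues outside the hunk.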
index 7143823..cce47fa 100644 (file)
@@ -1,6 +1,6 @@
 terraform {
   backend "consul" {
-    address = "consul.service.consul:8500"
+    address = "10.30.51.21:8500"
     scheme  = "http"
     path    = "terraform/dash"
   }
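Review bot: The state backend now points at a hard-coded IP over `scheme = "http"`, so Terraform state — which can carry sensitive resource attributes — travels in plaintext, and the addressing moves in the opposite direction from the Vault address in the same commit, which moves from an IP to a Consul DNS name. Prefer `scheme = "https"` if the Consul HTTP API is served with TLS, and if the IP is needed because `consul.service.consul` did not resolve on the runner, record that in a comment above `address` so the next maintainer does not revert it. The `terraform` block continues in the next hunk.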
@@ -10,8 +10,8 @@ terraform {
       version = ">= 4.3.0"
     }
     vault = {
-      version = ">= 3.2.1"
+      version = ">= 3.12.0"
     }
   }
-  required_version = ">= 1.1.4"
+  required_version = ">= 1.3.7"
 }