From a4ccb8a9e56e9e3b4db9dd13851f908196ee32a7 Mon Sep 17 00:00:00 2001
From: pmikus
Date: Tue, 24 Jan 2023 12:11:36 +0000
Subject: [PATCH] fix(dash): Migrate to alb
Signed-off-by: pmikus
Change-Id: I315d91e68ed3f626b399cf1bb237859f7cadc9ff
---
 .../main.tf | 158 +++++++++++----
 .../variables.tf | 56 +++++---
 .../terraform-aws-fdio-csit-dash-env/main.tf | 11 +-
 3 files changed, 128 insertions(+), 97 deletions(-)
diff --git a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
index fa33b13133..44373ed4de 100644
--- a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
+++ b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
@@ -1,5 +1,6 @@
 locals {
 tags = {
+ "Name" = "${var.application_name}"
 "Environment" = "${var.application_name}"
 }
@@ -12,119 +13,108 @@ locals {
 }
 ]
- classic_elb_settings = [
+ elb_settings = [
 {
- namespace = "aws:elb:loadbalancer"
- name = "CrossZone"
- value = var.environment_loadbalancer_crosszone
- },
- {
- namespace = "aws:elb:loadbalancer"
- name = "SecurityGroups"
- value = join(",", sort(var.environment_loadbalancer_security_groups))
- },
- {
- namespace = "aws:elb:loadbalancer"
- name = "ManagedSecurityGroup"
- value = var.environment_loadbalancer_managed_security_group
- },
- {
- namespace = "aws:elb:listener"
- name = "ListenerProtocol"
- value = "HTTP"
+ namespace = "aws:ec2:vpc"
+ name = "ELBSubnets"
+ value = join(",", [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id])
 },
 {
- namespace = "aws:elb:listener"
- name = "InstancePort"
+ namespace = "aws:elasticbeanstalk:environment:process:default"
+ name = "Port"
 value = var.environment_process_default_port
 },
 {
- namespace = "aws:elb:listener"
- name = "ListenerEnabled"
- value = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
- },
- {
- namespace = "aws:elb:listener:443"
- name = "ListenerProtocol"
- value = "HTTPS"
- },
- {
- namespace = "aws:elb:listener:443"
- name = "InstancePort"
- value = var.environment_process_default_port
+ namespace = "aws:elasticbeanstalk:environment:process:default"
+ name = "Protocol"
+ value = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
 },
 {
- namespace = "aws:elb:listener:443"
- name = "SSLCertificateId"
- value = var.environment_loadbalancer_ssl_certificate_id
+ namespace = "aws:ec2:vpc"
+ name = "ELBScheme"
+ value = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
 },
 {
- namespace = "aws:elb:listener:443"
- name = "ListenerEnabled"
- value = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
+ namespace = "aws:elasticbeanstalk:environment:process:default"
+ name = "HealthCheckInterval"
+ value = var.environment_process_default_healthcheck_interval
 },
 {
- namespace = "aws:elb:policies"
- name = "ConnectionSettingIdleTimeout"
- value = var.loadbalancer_connection_settings_idle_timeout
+ namespace = "aws:elasticbeanstalk:environment:process:default"
+ name = "HealthyThresholdCount"
+ value = var.environment_process_default_healthy_threshold_count
 },
 {
- namespace = "aws:elb:policies"
- name = "ConnectionDrainingEnabled"
- value = "true"
+ namespace = "aws:elasticbeanstalk:environment:process:default"
+ name = "UnhealthyThresholdCount"
+ value = var.environment_process_default_unhealthy_threshold_count
 }
 ]
- nlb_settings = [
+ generic_alb_settings = [
 {
- namespace = "aws:elbv2:listener:default"
- name = "ListenerEnabled"
- value = var.default_listener_enabled
+ namespace = "aws:elbv2:loadbalancer"
+ name = "SecurityGroups"
+ value = join(",", sort(var.environment_loadbalancer_security_groups))
 }
 ]
- beanstalk_elb_settings = [
+ alb_settings = [
 {
- namespace = "aws:ec2:vpc"
- name = "ELBSubnets"
- value = aws_subnet.subnet.id
+ namespace = "aws:elbv2:listener:default"
+ name = "ListenerEnabled"
+ value = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
 },
 {
- namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "Port"
- value = var.environment_process_default_port
+ namespace = "aws:elbv2:loadbalancer"
+ name = "ManagedSecurityGroup"
+ value = var.environment_loadbalancer_managed_security_group
 },
 {
- namespace = "aws:elasticbeanstalk:environment:process:default"
+ namespace = "aws:elbv2:listener:443"
+ name = "ListenerEnabled"
+ value = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
+ },
+ {
+ namespace = "aws:elbv2:listener:443"
 name = "Protocol"
- value = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
+ value = "HTTPS"
 },
 {
- namespace = "aws:ec2:vpc"
- name = "ELBScheme"
- value = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
+ namespace = "aws:elbv2:listener:443"
+ name = "SSLCertificateArns"
+ value = var.environment_loadbalancer_ssl_certificate_id
 },
 {
 namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "HealthCheckInterval"
- value = var.environment_process_default_healthcheck_interval
+ name = "HealthCheckPath"
+ value = var.application_healthcheck_url
 },
 {
 namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "HealthyThresholdCount"
- value = var.environment_process_default_healthy_threshold_count
+ name = "MatcherHTTPCode"
+ value = join(",", sort(var.default_matcher_http_code))
 },
 {
 namespace = "aws:elasticbeanstalk:environment:process:default"
- name = "UnhealthyThresholdCount"
- value = var.environment_process_default_unhealthy_threshold_count
+ name = "HealthCheckTimeout"
+ value = var.default_health_check_timeout
+ }
+ ]
+
+ nlb_settings = [
+ {
+ namespace = "aws:elbv2:listener:default"
+ name = "ListenerEnabled"
+ value = var.default_listener_enabled
 }
 ]
- elb_settings_nlb = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
- elb_setting_classic = var.environment_loadbalancer_type == "classic" ? concat(local.classic_elb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
+
+ settings_nlb = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.elb_settings) : []
+ settings_alb = var.environment_loadbalancer_type == "application" ? concat(local.generic_alb_settings, local.alb_settings, local.generic_elb_settings, local.elb_settings) : []
 # Full set of LoadBlanacer settings.
- elb_settings = var.environment_tier == "WebServer" ? concat(local.elb_settings_nlb, local.elb_setting_classic) : []
+ elb = var.environment_tier == "WebServer" ? concat(local.settings_nlb, local.settings_alb) : []
 }
 # Create elastic beanstalk VPC
@@ -138,19 +128,32 @@ resource "aws_vpc" "vpc" {
 }
 # Create elastic beanstalk Subnets
-resource "aws_subnet" "subnet" {
+resource "aws_subnet" "subnet_a" {
 depends_on = [
 aws_vpc.vpc
 ]
- availability_zone = var.subnet_availability_zone
+ availability_zone = var.subnet_a_availability_zone
 assign_ipv6_address_on_creation = true
- cidr_block = aws_vpc.vpc.cidr_block
+ cidr_block = var.subnet_a_cidr_block
 ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
 map_public_ip_on_launch = true
 vpc_id = aws_vpc.vpc.id
 tags = local.tags
 }
+resource "aws_subnet" "subnet_b" {
+ depends_on = [
+ aws_vpc.vpc
+ ]
+ availability_zone = var.subnet_b_availability_zone
+ assign_ipv6_address_on_creation = true
+ cidr_block = var.subnet_b_cidr_block
+ ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 2)
+ map_public_ip_on_launch = true
+ vpc_id = aws_vpc.vpc.id
+ tags = local.tags
+}
+
 resource "aws_internet_gateway" "internet_gateway" {
 depends_on = [
 aws_vpc.vpc
@@ -430,7 +433,8 @@ resource "aws_iam_role_policy" "default" {
 resource "aws_elastic_beanstalk_environment" "environment" {
 depends_on = [
 aws_vpc.vpc,
- aws_subnet.subnet,
+ aws_subnet.subnet_a,
+ aws_subnet.subnet_b,
 aws_ssm_activation.ec2
 ]
 application = var.environment_application
@@ -459,7 +463,7 @@ resource "aws_elastic_beanstalk_environment" "environment" {
 setting {
 namespace = "aws:ec2:vpc"
 name = "Subnets"
- value = aws_subnet.subnet.id
+ value = join(",", [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id])
 }
 setting {
@@ -488,7 +492,7 @@ resource "aws_elastic_beanstalk_environment" "environment" {
 }
 dynamic "setting" {
- for_each = local.elb_settings
+ for_each = local.elb
 content {
 namespace = setting.value["namespace"]
 name = setting.value["name"]
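Review bot: The HTTPS listener in `alb_settings` sets `SSLCertificateArns` but never sets `SSLPolicy`, so the new ALB negotiates TLS with whatever default security policy AWS applies, and the `environment_listener_ssl_policy` variable added in the variables.tf hunk (`@@ -215,7 +221,25 @@`) is not referenced anywhere in this patch. Add an entry next to the certificate one, `{ namespace = "aws:elbv2:listener:443", name = "SSLPolicy", value = var.environment_listener_ssl_policy }`, and give the variable a real policy name as its default (for example `ELBSecurityPolicy-TLS13-1-2-2021-06`) instead of `""`, since an empty option value is unlikely to be accepted at apply time. Note also that with `default_listener_enabled = true` the port-80 listener stays enabled alongside 443 and nothing in these settings redirects HTTP to HTTPS, so consumers that want TLS-only must set that input to false. The `locals` block this hunk edits starts above the hunk (`generic_elb_settings`, referenced here, is defined there).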
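Review bot: `cidr_block` for both new subnets comes from free-form inputs (`subnet_a_cidr_block`, `subnet_b_cidr_block`) with no check that they lie inside `vpc_cidr_block`, whereas the old code derived it from `aws_vpc.vpc.cidr_block` and the IPv6 blocks right below still do via `cidrsubnet`; a mismatch only surfaces as an AWS error at apply time. Deriving the IPv4 blocks the same way, `cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, 4, 0)` for `subnet_a` and `cidrsubnet(aws_vpc.vpc.cidr_block, 4, 1)` for `subnet_b`, yields exactly the 10.0.0.0/20 and 10.0.16.0/20 defaults from a 10.0.0.0/16 VPC and removes two inputs that can drift. The two resources are otherwise identical apart from AZ, CIDR and IPv6 index, so a single `aws_subnet` with `for_each` over an AZ-to-index map would avoid the duplication, at the cost of changing resource addresses.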
diff --git a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
index b225472aba..a442215a9e 100644
--- a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
+++ b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
@@ -2,7 +2,7 @@ variable "vpc_cidr_block" {
 description = "The CIDR block for the association."
 type = string
- default = "192.168.0.0/24"
+ default = "10.0.0.0/16"
 }
 variable "vpc_enable_dns_hostnames" {
@@ -24,12 +24,30 @@ variable "vpc_instance_tenancy" {
 }
 # Variables for elastic beanstalk Subnet
-variable "subnet_availability_zone" {
- description = "AWS availability zone"
+variable "subnet_a_availability_zone" {
+ description = "AZ for the subnet."
 type = string
 default = "us-east-1a"
 }
+variable "subnet_a_cidr_block" {
+ description = "The IPv4 CIDR block for the subnet."
+ type = string
+ default = "10.0.0.0/20"
+}
+
+variable "subnet_b_availability_zone" {
+ description = "AZ for the subnet."
+ type = string
+ default = "us-east-1b"
+}
+
+variable "subnet_b_cidr_block" {
+ description = "The IPv4 CIDR block for the subnet."
+ type = string
+ default = "10.0.16.0/20"
+}
+
 # Variables for elastic beanstalk Application
 variable "environment_application" {
 description = "The name of the application, must be unique within account."
@@ -138,12 +156,6 @@ variable "environment_loadbalancer_type" {
 default = "classic"
 }
-variable "environment_loadbalancer_crosszone" {
- description = "Configure the classic load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone."
- type = bool
- default = true
-}
-
 variable "environment_loadbalancer_security_groups" {
 description = "Load balancer security groups"
 type = list(string)
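Review bot: `environment_loadbalancer_type` keeps `default = "classic"` (first context line of the `@@ -138,12 +156,6 @@` hunk), but main.tf now only assembles settings for `"network"` and `"application"` (`settings_nlb` / `settings_alb`), so a consumer relying on the default silently gets an environment with no load balancer settings at all: no security groups, no 443 listener, no certificate, and whatever load balancer the Beanstalk platform falls back to. Change it to `default = "application"` and add a `validation` block to the variable whose condition is `contains(["application", "network"], var.environment_loadbalancer_type)`, so that the removed classic path fails at plan time rather than producing an unprotected environment. The variable's `description` and `type` lines sit above this hunk.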
@@ -162,12 +174,6 @@ variable "environment_loadbalancer_ssl_certificate_id" {
 description = "Load Balancer SSL certificate ARN. The certificate must be present in AWS Certificate Manager"
 }
-variable "loadbalancer_connection_settings_idle_timeout" {
- description = "Classic load balancer only: Number of seconds that the load balancer waits for any data to be sent or received over the connection. If no data has been sent or received after this time period elapses, the load balancer closes the connection."
- type = number
- default = 60
-}
-
 # aws:elasticbeanstalk:environment:process:default
 variable "environment_process_default_healthcheck_interval" {
 description = "The interval of time, in seconds, that Elastic Load Balancing checks the health of the Amazon EC2 instances of your application."
@@ -215,7 +221,25 @@ variable "autoscaling_updatepolicy_min_instance_in_service" {
 variable "application_healthcheck_url" {
 description = "The path where health check requests are sent to."
 type = string
- default = "HTTP:5000/"
+ default = "/"
+}
+
+variable "environment_listener_ssl_policy" {
+ description = "Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer."
+ type = string
+ default = ""
+}
+
+variable "default_matcher_http_code" {
+ description = "List of HTTP codes that indicate that an instance is healthy. Note that this option is only applicable to environments with a network or application load balancer."
+ type = list(string)
+ default = ["200"]
+}
+
+variable "default_health_check_timeout" {
+ description = "The amount of time, in seconds, to wait for a response during a health check. Note that this option is only applicable to environments with an application load balancer"
+ type = number
+ default = 5
 }
 # aws:elasticbeanstalk:command
diff --git a/fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/main.tf b/fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/main.tf
index 0fad2d99b0..7c4cc9dfe4 100644
--- a/fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/main.tf
+++ b/fdio.infra.terraform/terraform-aws-fdio-csit-dash-env/main.tf
@@ -22,13 +22,16 @@ module "elastic_beanstalk_environment" {
 source = "../terraform-aws-elastic-beanstalk-environment"
 # vpc
- vpc_cidr_block = "192.168.0.0/24"
+ vpc_cidr_block = "10.0.0.0/16"
 vpc_enable_dns_hostnames = true
 vpc_enable_dns_support = true
 vpc_instance_tenancy = "default"
 # subnet
- subnet_availability_zone = "eu-central-1a"
+ subnet_a_availability_zone = "eu-central-1a"
+ subnet_a_cidr_block = "10.0.0.0/20"
+ subnet_b_availability_zone = "eu-central-1b"
+ subnet_b_cidr_block = "10.0.16.0/20"
 # environment
 environment_application = module.elastic_beanstalk_application.application_name
@@ -40,7 +43,7 @@ module "elastic_beanstalk_environment" {
 environment_version_label = ""
 # aws:ec2:instances
- instances_instance_types = "t3a.large"
+ instances_instance_types = "t3a.2xlarge"
 # aws:ec2:vpc
 associate_public_ip_address = true
@@ -50,7 +53,7 @@ module "elastic_beanstalk_environment" {
 default_listener_enabled = true
 # aws:elasticbeanstalk:environment
- environment_loadbalancer_type = "classic"
+ environment_loadbalancer_type = "application"
 environment_loadbalancer_ssl_certificate_id = "arn:aws:acm:eu-central-1:407116685360:certificate/737ad419-36f1-460d-919a-9110b0aac26a"
 # aws:elasticbeanstalk:environment:process:default
-- 
2.16.6
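Review bot: With `default_listener_enabled = true` (context line at the top of the last hunk) and a certificate configured, switching to `environment_loadbalancer_type = "application"` enables both the port-80 and the port-443 ALB listeners in the module's `alb_settings`, and nothing redirects HTTP to HTTPS, so the dashboard stays reachable over plaintext after the migration; if that is not intended, set `default_listener_enabled = false` here so only the TLS listener is created. Separately, the `t3a.large` to `t3a.2xlarge` change in the second hunk is unrelated to the ALB migration and is not mentioned in the commit message; it roughly quadruples instance cost and deserves either its own commit or a sentence in the description.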