###################################################################################################
# Traefik Internal Reverse Proxy
###################################################################################################
resource "aws_lb" "internal" {
  # Internal (VPC-only) application load balancer in front of the Traefik
  # internal entrypoint. It is deliberately not internet-facing.
  internal = true
  name     = var.internal_lb_name
  subnets  = var.lb_internal_subnets

  # All ingress/egress for the LB is governed by the dedicated SG below.
  security_groups = [aws_security_group.internal_lb.id]

  # Drops request headers with invalid field names before forwarding to
  # Traefik; a hardening knob worth keeping on. The value is caller-supplied.
  drop_invalid_header_fields = var.internal_drop_invalid_header_fields

  # Optional S3 access logging for request auditing (bucket/prefix only
  # matter when enabled).
  access_logs {
    enabled = var.lb_internal_access_log
    bucket  = var.lb_internal_access_log_bucket
    prefix  = var.lb_internal_access_log_prefix
  }

  # Name is the later merge argument, so it wins over any Name in var.tags.
  tags = merge(var.tags, { Name = var.internal_lb_name })
}
resource "aws_security_group" "internal_lb" {
  # Empty security group attached to the internal LB; every ingress and
  # egress rule is declared as a separate aws_security_group_rule below so
  # the Nomad-client side can reference this SG without a dependency cycle.
  vpc_id      = var.vpc_id
  name        = "${var.internal_lb_name}-lb"
  description = "Security group for internal load balancer for Traefik"

  tags = merge(var.tags, { Name = "${var.internal_lb_name}-lb" })
}
##########################
# Security Group Rules for LB
##########################
# Clients in the VPC CIDR (plus var.internal_lb_incoming_cidr) -> Internal LB, HTTP
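resource "aws_security_group_rule" "internal_lb_http_incoming" {
  # Allows plain HTTP from the whole VPC CIDR plus any extra CIDRs the
  # caller passes in. The port-80 listener only exists when
  # var.internal_enable_http is true, but this rule is created
  # unconditionally, so port 80 stays open on the SG with no listener
  # attached when HTTP is disabled. Gating the rule on the same flag would
  # change its resource address (and recreate it), so it is only noted here.
  description       = "HTTP from VPC CIDR and allowed internal CIDRs to the internal Traefik LB"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = concat([data.aws_vpc.traefik.cidr_block], var.internal_lb_incoming_cidr)
  security_group_id = aws_security_group.internal_lb.id
}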
# Clients in the VPC CIDR (plus var.internal_lb_incoming_cidr) -> Internal LB, HTTPS
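resource "aws_security_group_rule" "internal_lb_https_incoming" {
  # Allows HTTPS from the whole VPC CIDR plus any extra CIDRs the caller
  # passes in. This is the primary path: TLS terminates on the LB (see the
  # internal_https listener) and traffic is forwarded to Traefik on 81.
  description       = "HTTPS from VPC CIDR and allowed internal CIDRs to the internal Traefik LB"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = concat([data.aws_vpc.traefik.cidr_block], var.internal_lb_incoming_cidr)
  security_group_id = aws_security_group.internal_lb.id
}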
# Internal LB -> Traefik Internal Endpoint
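resource "aws_security_group_rule" "internal_lb_http_egress" {
  # LB -> Nomad clients on the Traefik internal entrypoint (port 81).
  # On an egress rule the AWS provider reuses source_security_group_id to
  # name the *destination* SG, so this restricts the LB to only reach the
  # internal Nomad client SG rather than any address in the VPC.
  description              = "Internal Traefik LB to Nomad clients, Traefik internal entrypoint"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 81
  to_port                  = 81
  source_security_group_id = var.nomad_clients_internal_security_group
  security_group_id        = aws_security_group.internal_lb.id
}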
# Internal LB -> Traefik health check Endpoint
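resource "aws_security_group_rule" "internal_lb_health_check_egress" {
  # LB -> Nomad clients on the health-check port (8080) used by the target
  # group below. As with the port-81 egress rule, source_security_group_id
  # is the destination SG for an egress rule.
  description              = "Internal Traefik LB to Nomad clients, Traefik health check port"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 8080
  to_port                  = 8080
  source_security_group_id = var.nomad_clients_internal_security_group
  security_group_id        = aws_security_group.internal_lb.id
}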
##########################
# Security Group Rules for Nomad Client
##########################
# Internal LB -> Traefik Internal Endpoint
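resource "aws_security_group_rule" "nomad_client_internal_http" {
  # Mirror of internal_lb_http_egress on the Nomad-client side: only the
  # internal LB's SG may reach port 81 on the clients. Attached to the
  # caller-owned Nomad client SG, so this module adds a rule to an SG it
  # does not create.
  description              = "Traefik internal entrypoint from the internal Traefik LB"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 81
  to_port                  = 81
  source_security_group_id = aws_security_group.internal_lb.id
  security_group_id        = var.nomad_clients_internal_security_group
}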
# Internal LB -> Traefik health check
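resource "aws_security_group_rule" "nomad_client_internal_health_check" {
  # Mirror of internal_lb_health_check_egress on the Nomad-client side:
  # only the internal LB's SG may probe port 8080 on the clients.
  description              = "Traefik health check port from the internal Traefik LB"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 8080
  to_port                  = 8080
  source_security_group_id = aws_security_group.internal_lb.id
  security_group_id        = var.nomad_clients_internal_security_group
}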
#####################
# Listeners and target group
#####################
resource "aws_lb_target_group" "internal" {
  # Target group for the internal Nomad clients (registered via the ASG
  # attachment below). The LB terminates TLS on 443 and forwards plain HTTP
  # to Traefik on port 81, so the LB -> client hop is unencrypted inside
  # the VPC; that is only acceptable if the VPC is treated as trusted.
  name_prefix = "tfk-i"
  vpc_id      = var.vpc_id
  protocol    = "HTTP"
  port        = "81"

  deregistration_delay = var.deregistration_delay

  # Health probe uses a separate port (8080) and path /ping, expecting an
  # exact 200. This looks like Traefik's ping endpoint — confirm the Nomad
  # job actually exposes it on 8080, otherwise every target is unhealthy.
  health_check {
    path                = "/ping"
    port                = "8080"
    matcher             = "200"
    interval            = var.interval
    timeout             = var.timeout
    healthy_threshold   = var.healthy_threshold
    unhealthy_threshold = var.unhealthy_threshold
  }

  # LB-issued cookie pins a client to one Nomad client; cookie lifetime is
  # not set here, so the provider default applies.
  stickiness {
    type    = "lb_cookie"
    enabled = true
  }

  tags = merge(var.tags, { Name = "${var.internal_lb_name}-traefik-internal" })

  # name_prefix plus create_before_destroy lets a replacement group be
  # created and wired into the listener before the old one is dropped.
  lifecycle {
    create_before_destroy = true
  }
}
resource "aws_autoscaling_attachment" "internal" {
  # Registers every instance of the caller's internal Nomad client ASG in
  # the target group above.
  # NOTE(review): newer AWS provider majors renamed alb_target_group_arn to
  # lb_target_group_arn — confirm against the provider version pinned by
  # this module before upgrading.
  alb_target_group_arn   = aws_lb_target_group.internal.arn
  autoscaling_group_name = var.internal_nomad_clients_asg
}
resource "aws_lb_listener" "internal_http" {
  # Optional plaintext listener whose only action is a permanent redirect
  # to HTTPS on 443; no request is ever forwarded to a target over HTTP.
  count = var.internal_enable_http ? 1 : 0

  load_balancer_arn = aws_lb.internal.arn
  protocol          = "HTTP"
  port              = "80"

  default_action {
    type = "redirect"

    redirect {
      status_code = "HTTP_301"
      protocol    = "HTTPS"
      port        = 443
    }
  }
}
resource "aws_lb_listener" "internal_https" {
  # TLS terminates here with the caller-supplied certificate; requests are
  # then forwarded as plain HTTP to the Traefik target group on port 81.
  # The cipher/protocol policy is caller-controlled (var.elb_ssl_policy);
  # it should be a current TLS 1.2+ policy — the value is not visible here.
  load_balancer_arn = aws_lb.internal.arn
  protocol          = "HTTPS"
  port              = "443"
  certificate_arn   = var.internal_certificate_arn
  ssl_policy        = var.elb_ssl_policy

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.internal.arn
  }
}
#############################
# Defines settings for Traefik internal Reverse Proxy
#############################
# DNS Record for the internal Traefik listener domain.
# Everything else deployed should alias (recommended) or CNAME this domain
resource "aws_route53_record" "internal_dns_record" {
  # Alias A record mapping the internal base domain to the internal LB.
  # evaluate_target_health is off, so the name resolves regardless of the
  # LB's target health — no DNS-level failover is attempted.
  name    = var.traefik_internal_base_domain
  type    = "A"
  zone_id = data.aws_route53_zone.default.zone_id

  alias {
    evaluate_target_health = false
    zone_id                = aws_lb.internal.zone_id
    name                   = aws_lb.internal.dns_name
  }
}