Merge pull request #93 from pbs/CAT-23287-lb-private-service
CAT-23287 Various enhancements
ehirsch-3pg authored Nov 20, 2023
2 parents 9e9cdb4 + cf58f9e commit f963882
Showing 24 changed files with 92 additions and 67 deletions.
4 changes: 2 additions & 2 deletions README-HEADER.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ module "service" {
source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z"
# Required
primary_hosted_zone = "example.com"
hosted_zone = "example.com"
# Tagging Parameters
organization = var.organization
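Review bot: renaming the input under `# Required` from `primary_hosted_zone` to `hosted_zone` in this usage snippet is a breaking change for every caller of the module, and the README is also the migration guide; add a sentence stating that `primary_hosted_zone` and `private_hosted_zone` are replaced by `hosted_zone` together with `is_hosted_zone_private`, so callers learn the old names no longer resolve before their next plan fails.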
Expand All @@ -52,7 +52,7 @@ module "service" {
source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z"
# Required
primary_hosted_zone = "example.com"
hosted_zone = "example.com"
# Tagging Parameters
organization = var.organization
25 changes: 14 additions & 11 deletions README.md
Expand Up @@ -5,7 +5,7 @@
### Using the Repo Source

```hcl
github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2
github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z
```

### Alternative Installation Methods
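Review bot: replacing the pinned ref `4.2.2` with `x.y.z` at the `?ref=` in this install snippet leaves anyone who copies it with a ref that does not resolve. If this is intentional because a release step substitutes the real tag, fine; otherwise keep a concrete tag here so consumers pin to a specific reviewed version of the module instead of guessing one or dropping the ref and tracking the default branch.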
Expand All @@ -26,10 +26,10 @@ Integrate this module like so:

```hcl
module "service" {
source = "github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2"
source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z"
# Required
primary_hosted_zone = "example.com"
hosted_zone = "example.com"
# Tagging Parameters
organization = var.organization
Expand All @@ -49,10 +49,10 @@ This module will create an ECS cluster if one is not provided. If you would like

```hcl
module "service" {
source = "github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2"
source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z"
# Required
primary_hosted_zone = "example.com"
hosted_zone = "example.com"
# Tagging Parameters
organization = var.organization
Expand All @@ -73,7 +73,7 @@ module "service" {

If this repo is added as a subtree, then the version of the module should be close to the version shown here:

`4.2.2`
`x.y.z`

Note, however that subtrees can be altered as desired within repositories.

Expand Down Expand Up @@ -160,7 +160,7 @@ Below is automatically generated documentation on this Terraform module using [t
| <a name="input_repo"></a> [repo](#input\_repo) | Tag used to point to the repo using this module | `string` | n/a | yes |
| <a name="input_acm_arn"></a> [acm\_arn](#input\_acm\_arn) | ARN of the ACM certificate to use for the service. If null, one will be guessed based on the primary hosted zone of the service. | `string` | `null` | no |
| <a name="input_alb_ssl_policy"></a> [alb\_ssl\_policy](#input\_alb\_ssl\_policy) | SSL policy to use for an Application Load Balancer application. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
| <a name="input_aliases"></a> [aliases](#input\_aliases) | CNAME(s) that are allowed to be used for this service. Default is `product`.`primary_hosted_zone`. e.g. [product.example.com] --> [product.example.com] | `list(string)` | `null` | no |
| <a name="input_aliases"></a> [aliases](#input\_aliases) | CNAME(s) that are allowed to be used for this service. Default is `product`.`hosted_zone`. e.g. [product.example.com] --> [product.example.com] | `list(string)` | `null` | no |
| <a name="input_alpn_policy"></a> [alpn\_policy](#input\_alpn\_policy) | Name of the Application-Layer Protocol Negotiation (ALPN) policy. Can be set if protocol is TLS. Valid values are HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, and None. | `string` | `"HTTP2Preferred"` | no |
| <a name="input_assign_public_ip"></a> [assign\_public\_ip](#input\_assign\_public\_ip) | Assign public IP to the service | `bool` | `true` | no |
| <a name="input_awslogs_driver_mode"></a> [awslogs\_driver\_mode](#input\_awslogs\_driver\_mode) | (optional) awslogs driver mode. Set this to `blocking` if you would rather have an outage than lose logs. | `string` | `"non-blocking"` | no |
Expand All @@ -177,7 +177,7 @@ Below is automatically generated documentation on this Terraform module using [t
| <a name="input_cluster_protect_from_scale_in"></a> [cluster\_protect\_from\_scale\_in](#input\_cluster\_protect\_from\_scale\_in) | Allow ECS to protect instances running tasks from being terminated while tasks are running on them. Must be false when destroying cluster | `bool` | `true` | no |
| <a name="input_cluster_role_policy_json"></a> [cluster\_role\_policy\_json](#input\_cluster\_role\_policy\_json) | (optional) IAM policy to attach to role used for the instance profile of instances in this cluster | `string` | `null` | no |
| <a name="input_cluster_target_capacity"></a> [cluster\_target\_capacity](#input\_cluster\_target\_capacity) | Capacity provider target capacity | `number` | `75` | no |
| <a name="input_cnames"></a> [cnames](#input\_cnames) | CNAME(s) that are going to be created for this service in the primary\_hosted\_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is `product`. e.g. [product] --> [product.example.com] | `list(string)` | `null` | no |
| <a name="input_cnames"></a> [cnames](#input\_cnames) | CNAME(s) that are going to be created for this service in the hosted\_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is `product`. e.g. [product] --> [product.example.com] | `list(string)` | `null` | no |
| <a name="input_command"></a> [command](#input\_command) | (optional) command to run in the container as an array. e.g. ["sleep", "10"]. If null, does not set a command in the task definition. | `list(string)` | `null` | no |
| <a name="input_container_definitions"></a> [container\_definitions](#input\_container\_definitions) | (optional) JSON container definitions for task | `string` | `null` | no |
| <a name="input_container_name"></a> [container\_name](#input\_container\_name) | (optional) name for the container to have | `string` | `null` | no |
Expand All @@ -191,6 +191,7 @@ Below is automatically generated documentation on this Terraform module using [t
| <a name="input_efs_mounts"></a> [efs\_mounts](#input\_efs\_mounts) | (optional) efs mount set of objects. Components should include dns\_name, container\_mount\_point, efs\_mount\_point | <pre>set(object({<br> file_system_id = string<br> efs_path = string<br> container_path = string<br> }))</pre> | `[]` | no |
| <a name="input_enable_circuit_breaker"></a> [enable\_circuit\_breaker](#input\_enable\_circuit\_breaker) | Enables ECS circuit breaker | `bool` | `true` | no |
| <a name="input_enable_circuit_breaker_rollback"></a> [enable\_circuit\_breaker\_rollback](#input\_enable\_circuit\_breaker\_rollback) | Enables ECS circuit breaker rollback | `bool` | `true` | no |
| <a name="input_enable_cross_zone_load_balancing"></a> [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Enable cross-zone load balancing for NLBs. ALB have this enabled by default and cannot be disabled. | `string` | `true` | no |
| <a name="input_enable_execute_command"></a> [enable\_execute\_command](#input\_enable\_execute\_command) | Enables `ecs exec`. If null, will enable if not on prod | `bool` | `null` | no |
| <a name="input_entrypoint"></a> [entrypoint](#input\_entrypoint) | (optional) entrypoint to run in the container as an array. e.g. ["sleep", "10"]. If null, does not set an entrypoint in the task definition. | `list(string)` | `null` | no |
| <a name="input_env_vars"></a> [env\_vars](#input\_env\_vars) | (optional) environment variables to be passed to the container. By default, only passes SSM\_PATH | `set(map(any))` | `null` | no |
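Review bot: the new `enable_cross_zone_load_balancing` row declares type `string` with a default of `true`, but the description and the `aws_lb` argument it feeds are boolean; declare it as `bool` so that a value such as `"yes"` is rejected at plan time instead of being coerced. The description should also say that `true` is now the default for NLBs, since existing network load balancers created by this module will show a change on the next apply.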
Expand All @@ -202,10 +203,12 @@ Below is automatically generated documentation on this Terraform module using [t
| <a name="input_healthcheck_protocol"></a> [healthcheck\_protocol](#input\_healthcheck\_protocol) | The protocol to use to connect with the target | `string` | `null` | no |
| <a name="input_healthcheck_timeout"></a> [healthcheck\_timeout](#input\_healthcheck\_timeout) | The amount of time, in seconds, during which no response means a failed health check | `number` | `6` | no |
| <a name="input_healthcheck_unhealthy_threshold"></a> [healthcheck\_unhealthy\_threshold](#input\_healthcheck\_unhealthy\_threshold) | The number of consecutive health check failures required before considering the target unhealthy | `number` | `3` | no |
| <a name="input_hosted_zone"></a> [hosted\_zone](#input\_hosted\_zone) | Name of the hosted zone for DNS. e.g. hosted\_zone = example.org --> service.example.org. Based on the is\_hosted\_zone\_private, this is the primary or the private hosted zone. | `string` | `null` | no |
| <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | Idle timeout for the load balancer. If null, will use whatever the default is for the load balancer type. | `number` | `null` | no |
| <a name="input_image_repo"></a> [image\_repo](#input\_image\_repo) | (optional) image repo. e.g. image\_repo = nginx --> nginx:image\_tag | `string` | `"nginx"` | no |
| <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | (optional) tag of the image. e.g. image\_tag = latest --> image\_repo:latest | `string` | `"alpine"` | no |
| <a name="input_internal"></a> [internal](#input\_internal) | Use an internal load balancer. If null, will be internal when the service is private. | `bool` | `null` | no |
| <a name="input_is_hosted_zone_private"></a> [is\_hosted\_zone\_private](#input\_is\_hosted\_zone\_private) | Is the route53 zone private or not. | `bool` | `false` | no |
| <a name="input_launch_type"></a> [launch\_type](#input\_launch\_type) | The launch type on which to run your service | `string` | `"FARGATE"` | no |
| <a name="input_load_balancer_name"></a> [load\_balancer\_name](#input\_load\_balancer\_name) | Load balancer name. Will default to product if not defined. | `string` | `null` | no |
| <a name="input_load_balancer_sg_name"></a> [load\_balancer\_sg\_name](#input\_load\_balancer\_sg\_name) | Prefix for the name of the load balancer security group. If null, will use `${local.load_balancer_name}-sg-`. | `string` | `null` | no |
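Review bot: `hosted_zone` is documented here with default `null` and `no` under required, while the usage snippets list it under `# Required`; either make the variable required or state in the description what happens when it is null (no zone lookup, no CNAME, no certificate guess). Separately, `is_hosted_zone_private` defaults to `false`, so a caller who passes an internal zone name without setting the flag looks up a public zone of that name; the description should say the flag must be set together with a private zone.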
Expand All @@ -223,10 +226,10 @@ Below is automatically generated documentation on this Terraform module using [t
| <a name="input_nlb_protocol"></a> [nlb\_protocol](#input\_nlb\_protocol) | Protocol for the network load balancer used in this service. Ignored for application load balancers. | `string` | `"TLS"` | no |
| <a name="input_nlb_ssl_policy"></a> [nlb\_ssl\_policy](#input\_nlb\_ssl\_policy) | SSL policy to use for a Network Load Balancer application. | `string` | `"ELBSecurityPolicy-TLS13-1-2-2021-06"` | no |
| <a name="input_platform_version"></a> [platform\_version](#input\_platform\_version) | The platform version on which to run your service | `string` | `"LATEST"` | no |
| <a name="input_primary_hosted_zone"></a> [primary\_hosted\_zone](#input\_primary\_hosted\_zone) | Name of the primary hosted zone for DNS. e.g. primary\_hosted\_zone = example.org --> service.example.org. If null, it is assumed that a private hosted zone will be used. | `string` | `null` | no |
| <a name="input_private_hosted_zone"></a> [private\_hosted\_zone](#input\_private\_hosted\_zone) | Name of the private hosted zone for DNS. e.g. private\_hosted\_zone = example.org --> service.example.private. If null, it is assumed that a public hosted zone will be used. | `string` | `null` | no |
| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | Private subnets for the service. If null, private subnets will be looked up based on environment tag and will be selected based on public\_service. | `list(string)` | `null` | no |
| <a name="input_propagate_tags"></a> [propagate\_tags](#input\_propagate\_tags) | Specifies whether to propagate the tags from the task definition or the service to the tasks | `string` | `"SERVICE"` | no |
| <a name="input_public_service"></a> [public\_service](#input\_public\_service) | Service should be provisioned in public subnet. Ignored if subnets defined. | `bool` | `true` | no |
| <a name="input_public_service"></a> [public\_service](#input\_public\_service) | Service should be provisioned in public subnet. Ignored if subnets defined. | `bool` | `false` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public subnets for the service. If null, public subnets will be looked up based on environment tag and will be selected based on public\_service. | `list(string)` | `null` | no |
| <a name="input_requires_compatibilities"></a> [requires\_compatibilities](#input\_requires\_compatibilities) | (optional) capabilities that the task requires | `set(string)` | <pre>[<br> "FARGATE"<br>]</pre> | no |
| <a name="input_restricted_cidr_blocks"></a> [restricted\_cidr\_blocks](#input\_restricted\_cidr\_blocks) | CIDR blocks to receive restricted service access. If empty, no CIDRs will be allowed to connect. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_restricted_sg"></a> [restricted\_sg](#input\_restricted\_sg) | SG to receive restricted service access. If null, no sg will be configured to connect | `string` | `null` | no |
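Review bot: the default of `public_service` flips from `true` to `false` in this hunk, which moves existing callers' tasks into private subnets and, per the `internal` row above ("will be internal when the service is private"), turns their load balancer internal on the next apply. Private by default is the safer posture, but a silent default flip is a breaking change: call it out in the changelog and the usage snippets, and say that callers who want an internet-facing service must now set `public_service = true` explicitly. Note also that `restricted_cidr_blocks` still defaults to `0.0.0.0/0`, so the new default only restricts network placement, not the security group.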
10 changes: 5 additions & 5 deletions data.tf
@@ -1,7 +1,7 @@
data "aws_route53_zone" "hosted_zone" {
count = local.lookup_hosted_zone ? 1 : 0
name = "${local.hosted_zone}."
private_zone = !var.public_service
name = "${var.hosted_zone}."
private_zone = var.is_hosted_zone_private
}

data "aws_vpc" "vpc" {
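Review bot: `private_zone = var.is_hosted_zone_private` correctly decouples zone selection from subnet placement, which `!var.public_service` conflated. Two things to confirm outside this hunk: `local.lookup_hosted_zone` must be false whenever `var.hosted_zone` is null, otherwise `name = "${var.hosted_zone}."` evaluates to `"."` and the lookup fails; and when an account holds both a public and a private zone of the same name, this data source returns only the one matching `private_zone`, so a caller who forgets `is_hosted_zone_private = true` gets the public zone and publishes public DNS records for an internal service.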
Expand All @@ -12,7 +12,7 @@ data "aws_vpc" "vpc" {
}

data "aws_subnets" "public_subnets" {
count = var.subnets == null ? 1 : 0
count = var.public_subnets == null || var.subnets == null ? 1 : 0
filter {
name = "vpc-id"
values = [local.vpc_id]
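Review bot: the new count expression `var.public_subnets == null || var.subnets == null ? 1 : 0` looks inverted. With `||` the public subnet lookup runs whenever either variable is null, which includes the normal case of a caller passing `public_subnets` explicitly and leaving `subnets` unset. If the intent is "look up only when the caller supplied neither", it should be `var.public_subnets == null && var.subnets == null ? 1 : 0`; as written the data source is still evaluated, and can fail with no matching subnets, even when the caller has already provided the IDs.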
Expand All @@ -24,7 +24,7 @@ data "aws_subnets" "public_subnets" {
}

data "aws_subnets" "private_subnets" {
count = var.subnets == null ? 1 : 0
count = var.private_subnets == null || var.subnets == null ? 1 : 0
filter {
name = "vpc-id"
values = [local.vpc_id]
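Review bot: same issue as the `public_subnets` hunk: `var.private_subnets == null || var.subnets == null ? 1 : 0` evaluates the private subnet lookup even when `private_subnets` was supplied explicitly, so `||` should almost certainly be `&&` here as well.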
Expand All @@ -37,5 +37,5 @@ data "aws_subnets" "private_subnets" {

data "aws_acm_certificate" "primary_acm_wildcard_cert" {
count = local.lookup_primary_acm_wildcard_cert ? 1 : 0
domain = "*.${var.primary_hosted_zone}"
domain = "*.${var.hosted_zone}"
}
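Review bot: the wildcard certificate lookup now uses `*.${var.hosted_zone}`; when `is_hosted_zone_private = true` and the zone is an internal name, no public ACM certificate will normally exist for that wildcard and this data source errors out. `local.lookup_primary_acm_wildcard_cert` (not in this hunk) should therefore also be false for private zones, or the README should state that `acm_arn` must be supplied in that case. Consider adding `most_recent = true` to the data source as well, so that a renewed certificate coexisting with the old one does not produce a multiple-matches error.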
2 changes: 1 addition & 1 deletion examples/am/main.tf
Expand Up @@ -14,7 +14,7 @@ module "virtual_gateway" {

mesh_name = module.mesh.id

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

organization = var.organization
environment = var.environment
4 changes: 2 additions & 2 deletions examples/am/vars.tf
@@ -1,6 +1,6 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}

variable "v1_weight" {
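Review bot: the description on the renamed variable still reads "Primary hosted zone for this service" although the input is now `hosted_zone`; change it to "Hosted zone for this service" (the same stale wording is in the other examples' `vars.tf` files in this commit), so the examples do not suggest that a primary/private distinction still exists in the input name rather than in `is_hosted_zone_private`.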
2 changes: 1 addition & 1 deletion examples/arm/main.tf
@@ -1,7 +1,7 @@
module "service" {
source = "../.."

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

runtime_platform = {
cpu_architecture = "ARM64"
4 changes: 2 additions & 2 deletions examples/arm/vars.tf
@@ -1,4 +1,4 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
2 changes: 1 addition & 1 deletion examples/basic/main.tf
@@ -1,7 +1,7 @@
module "service" {
source = "../.."

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

organization = var.organization
environment = var.environment
4 changes: 2 additions & 2 deletions examples/basic/vars.tf
@@ -1,4 +1,4 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
2 changes: 1 addition & 1 deletion examples/efs/main.tf
Expand Up @@ -10,7 +10,7 @@ module "efs" {
module "service" {
source = "../.."

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

efs_mounts = [
{
4 changes: 2 additions & 2 deletions examples/efs/vars.tf
@@ -1,4 +1,4 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
2 changes: 1 addition & 1 deletion examples/image/main.tf
@@ -1,7 +1,7 @@
module "service" {
source = "../.."

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

image_repo = "nginx"
image_tag = "latest"
4 changes: 2 additions & 2 deletions examples/image/vars.tf
@@ -1,4 +1,4 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
2 changes: 1 addition & 1 deletion examples/nlb/main.tf
@@ -1,7 +1,7 @@
module "service" {
source = "../.."

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

load_balancer_type = "network"

4 changes: 2 additions & 2 deletions examples/nlb/vars.tf
@@ -1,4 +1,4 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
5 changes: 3 additions & 2 deletions examples/private/main.tf
@@ -1,8 +1,9 @@
module "service" {
source = "../.."

private_hosted_zone = var.private_hosted_zone
public_service = false
hosted_zone = var.hosted_zone
public_service = false
is_hosted_zone_private = true

organization = var.organization
environment = var.environment
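Review bot: keeping `public_service = false` explicit in the private example is the right call even though this commit makes `false` the module default, because the example documents intent; the re-alignment of that line is whitespace only. The pairing of `hosted_zone` with `is_hosted_zone_private = true` is what makes the zone lookup in `data.tf` select the private zone, so the example's `vars.tf` should say the value must name an existing private zone.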
4 changes: 2 additions & 2 deletions examples/private/vars.tf
@@ -1,4 +1,4 @@
variable "private_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Private hosted zone for this service. Populate `TF_VAR_private_hosted_zone` before running any tests to have this value populated."
description = "Private hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
2 changes: 1 addition & 1 deletion examples/sgs/main.tf
Expand Up @@ -90,7 +90,7 @@ resource "aws_security_group" "ingress_sg" {
module "service" {
source = "../.."

primary_hosted_zone = var.primary_hosted_zone
hosted_zone = var.hosted_zone

restricted_sg = aws_security_group.ingress_sg.id

4 changes: 2 additions & 2 deletions examples/sgs/vars.tf
@@ -1,4 +1,4 @@
variable "primary_hosted_zone" {
variable "hosted_zone" {
type = string
description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated."
description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated."
}
12 changes: 7 additions & 5 deletions lb.tf
@@ -1,9 +1,11 @@
resource "aws_lb" "lb" {
count = local.create_lb ? 1 : 0
name = local.load_balancer_name
subnets = local.subnets
security_groups = local.lb_security_groups
idle_timeout = var.idle_timeout
count = local.create_lb ? 1 : 0
name = local.load_balancer_name
subnets = local.subnets
security_groups = local.lb_security_groups
idle_timeout = var.idle_timeout
enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing


internal = local.internal


0 comments on commit f963882