From 98601ceee388ad55e2d86f247eb65916fb2b3be8 Mon Sep 17 00:00:00 2001 From: Eduard Hirsch Date: Wed, 15 Nov 2023 14:50:47 +0200 Subject: [PATCH 1/3] CAT-23287 Separated private and public subnets in lb and ecs service; Added enable_cross_zone_load_balancing; Other various tweaks --- README-HEADER.md | 4 ++-- README.md | 8 ++++---- data.tf | 10 +++++----- examples/am/main.tf | 2 +- examples/am/vars.tf | 4 ++-- examples/arm/main.tf | 2 +- examples/arm/vars.tf | 4 ++-- examples/basic/main.tf | 2 +- examples/basic/vars.tf | 4 ++-- examples/efs/main.tf | 2 +- examples/efs/vars.tf | 4 ++-- examples/image/main.tf | 2 +- examples/image/vars.tf | 4 ++-- examples/nlb/main.tf | 2 +- examples/nlb/vars.tf | 4 ++-- examples/private/main.tf | 5 +++-- examples/private/vars.tf | 4 ++-- examples/sgs/main.tf | 2 +- examples/sgs/vars.tf | 4 ++-- lb.tf | 12 +++++++----- locals.tf | 11 ++++++----- main.tf | 2 +- optional.tf | 36 +++++++++++++++++++++++++--------- tests/utilities_ecs_service.go | 8 ++++---- 24 files changed, 82 insertions(+), 60 deletions(-) diff --git a/README-HEADER.md b/README-HEADER.md index 863663b..62e6151 100644 --- a/README-HEADER.md +++ b/README-HEADER.md @@ -29,7 +29,7 @@ module "service" { source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z" # Required - primary_hosted_zone = "example.com" + hosted_zone = "example.com" # Tagging Parameters organization = var.organization @@ -52,7 +52,7 @@ module "service" { source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z" # Required - primary_hosted_zone = "example.com" + hosted_zone = "example.com" # Tagging Parameters organization = var.organization diff --git a/README.md b/README.md index 5f31fb2..b930c50 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ module "service" { source = "github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2" # Required - primary_hosted_zone = "example.com" + hosted_zone = "example.com" # Tagging Parameters organization = var.organization 
@@ -52,7 +52,7 @@ module "service" { source = "github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2" # Required - primary_hosted_zone = "example.com" + hosted_zone = "example.com" # Tagging Parameters organization = var.organization @@ -160,7 +160,7 @@ Below is automatically generated documentation on this Terraform module using [t | [repo](#input\_repo) | Tag used to point to the repo using this module | `string` | n/a | yes | | [acm\_arn](#input\_acm\_arn) | ARN of the ACM certificate to use for the service. If null, one will be guessed based on the primary hosted zone of the service. | `string` | `null` | no | | [alb\_ssl\_policy](#input\_alb\_ssl\_policy) | SSL policy to use for an Application Load Balancer application. | `string` | `"ELBSecurityPolicy-2016-08"` | no | -| [aliases](#input\_aliases) | CNAME(s) that are allowed to be used for this service. Default is `product`.`primary_hosted_zone`. e.g. [product.example.com] --> [product.example.com] | `list(string)` | `null` | no | +| [aliases](#input\_aliases) | CNAME(s) that are allowed to be used for this service. Default is `product`.`hosted_zone`. e.g. [product.example.com] --> [product.example.com] | `list(string)` | `null` | no | | [alpn\_policy](#input\_alpn\_policy) | Name of the Application-Layer Protocol Negotiation (ALPN) policy. Can be set if protocol is TLS. Valid values are HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, and None. | `string` | `"HTTP2Preferred"` | no | | [assign\_public\_ip](#input\_assign\_public\_ip) | Assign public IP to the service | `bool` | `true` | no | | [awslogs\_driver\_mode](#input\_awslogs\_driver\_mode) | (optional) awslogs driver mode. Set this to `blocking` if you would rather have an outage than lose logs. | `string` | `"non-blocking"` | no | 
@@ -223,7 +223,7 @@ Below is automatically generated documentation on this Terraform module using [t | [nlb\_protocol](#input\_nlb\_protocol) | Protocol for the network load balancer used in this service. Ignored for application load balancers. | `string` | `"TLS"` | no | | [nlb\_ssl\_policy](#input\_nlb\_ssl\_policy) | SSL policy to use for a Network Load Balancer application. | `string` | `"ELBSecurityPolicy-TLS13-1-2-2021-06"` | no | | [platform\_version](#input\_platform\_version) | The platform version on which to run your service | `string` | `"LATEST"` | no | -| [primary\_hosted\_zone](#input\_primary\_hosted\_zone) | Name of the primary hosted zone for DNS. e.g. primary\_hosted\_zone = example.org --> service.example.org. If null, it is assumed that a private hosted zone will be used. | `string` | `null` | no | +| [primary\_hosted\_zone](#input\_primary\_hosted\_zone) | Name of the primary hosted zone for DNS. e.g. primary\_hosted\_zone = example.org --> service.example.org. If null, it is assumed that a private hosted zone will be used. | `string` | `null` | no | | [private\_hosted\_zone](#input\_private\_hosted\_zone) | Name of the private hosted zone for DNS. e.g. private\_hosted\_zone = example.org --> service.example.private. If null, it is assumed that a public hosted zone will be used. | `string` | `null` | no | | [propagate\_tags](#input\_propagate\_tags) | Specifies whether to propagate the tags from the task definition or the service to the tasks | `string` | `"SERVICE"` | no | | [public\_service](#input\_public\_service) | Service should be provisioned in public subnet. Ignored if subnets defined. | `bool` | `true` | no | diff --git a/data.tf b/data.tf index d7f915e..6a7579a 100644 --- a/data.tf +++ b/data.tf 
@@ -1,7 +1,7 @@ data "aws_route53_zone" "hosted_zone" { count = local.lookup_hosted_zone ? 1 : 0 - name = "${local.hosted_zone}." - private_zone = !var.public_service + name = "${var.hosted_zone}." + private_zone = var.is_private } data "aws_vpc" "vpc" { @@ -12,7 +12,7 @@ data "aws_vpc" "vpc" { } data "aws_subnets" "public_subnets" { - count = var.subnets == null ? 1 : 0 + count = var.public_subnets == null || var.subnets == null ? 1 : 0 filter { name = "vpc-id" values = [local.vpc_id] @@ -24,7 +24,7 @@ data "aws_subnets" "public_subnets" { } data "aws_subnets" "private_subnets" { - count = var.subnets == null ? 1 : 0 + count = var.private_subnets == null || var.subnets == null ? 1 : 0 filter { name = "vpc-id" values = [local.vpc_id] @@ -37,5 +37,5 @@ data "aws_subnets" "private_subnets" { data "aws_acm_certificate" "primary_acm_wildcard_cert" { count = local.lookup_primary_acm_wildcard_cert ? 1 : 0 - domain = "*.${var.primary_hosted_zone}" + domain = "*.${var.hosted_zone}" } diff --git a/examples/am/main.tf b/examples/am/main.tf index d615662..ecd9b43 100644 --- a/examples/am/main.tf +++ b/examples/am/main.tf @@ -14,7 +14,7 @@ module "virtual_gateway" { mesh_name = module.mesh.id - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone organization = var.organization environment = var.environment diff --git a/examples/am/vars.tf b/examples/am/vars.tf index 9724dda..ef27ec9 100644 --- a/examples/am/vars.tf +++ b/examples/am/vars.tf @@ -1,6 +1,6 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } variable "v1_weight" { diff --git a/examples/arm/main.tf b/examples/arm/main.tf index d4eb9ba..67a3a12 100644 --- a/examples/arm/main.tf 
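Review bot: The `|| var.subnets == null` added to both `aws_subnets` counts in data.tf makes the tag-based lookup run whenever `subnets` is unset, even when the caller has passed `public_subnets` or `private_subnets` explicitly, so supplying the lists does not avoid the describe call. The locals in this commit fall back to `data.aws_subnets.public_subnets[0].ids` / `data.aws_subnets.private_subnets[0].ids` only when the matching variable is null, so the extra clause adds nothing; `count = var.public_subnets == null ? 1 : 0` and `count = var.private_subnets == null ? 1 : 0` express the real dependency. If the clause is kept, parenthesising the disjunction would make the `||`-before-`?:` precedence explicit to the next reader.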
+++ b/examples/arm/main.tf @@ -1,7 +1,7 @@ module "service" { source = "../.." - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone runtime_platform = { cpu_architecture = "ARM64" diff --git a/examples/arm/vars.tf b/examples/arm/vars.tf index 9364019..1b94bc9 100644 --- a/examples/arm/vars.tf +++ b/examples/arm/vars.tf @@ -1,4 +1,4 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 5c6565a..41ec362 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -1,7 +1,7 @@ module "service" { source = "../.." - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone organization = var.organization environment = var.environment diff --git a/examples/basic/vars.tf b/examples/basic/vars.tf index 9364019..1b94bc9 100644 --- a/examples/basic/vars.tf +++ b/examples/basic/vars.tf @@ -1,4 +1,4 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/examples/efs/main.tf b/examples/efs/main.tf index dc6976a..25db434 100644 --- a/examples/efs/main.tf +++ b/examples/efs/main.tf @@ -10,7 +10,7 @@ module "efs" { module "service" { source = "../.." - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone efs_mounts = [ { diff --git a/examples/efs/vars.tf b/examples/efs/vars.tf index 9364019..1b94bc9 100644 
--- a/examples/efs/vars.tf +++ b/examples/efs/vars.tf @@ -1,4 +1,4 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/examples/image/main.tf b/examples/image/main.tf index 0b579b9..b829b1e 100644 --- a/examples/image/main.tf +++ b/examples/image/main.tf @@ -1,7 +1,7 @@ module "service" { source = "../.." - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone image_repo = "nginx" image_tag = "latest" diff --git a/examples/image/vars.tf b/examples/image/vars.tf index 9364019..1b94bc9 100644 --- a/examples/image/vars.tf +++ b/examples/image/vars.tf @@ -1,4 +1,4 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/examples/nlb/main.tf b/examples/nlb/main.tf index c890a36..4bd1e9e 100644 --- a/examples/nlb/main.tf +++ b/examples/nlb/main.tf @@ -1,7 +1,7 @@ module "service" { source = "../.." - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone load_balancer_type = "network" diff --git a/examples/nlb/vars.tf b/examples/nlb/vars.tf index 9364019..1b94bc9 100644 --- a/examples/nlb/vars.tf +++ b/examples/nlb/vars.tf 
@@ -1,4 +1,4 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/examples/private/main.tf b/examples/private/main.tf index 3122050..fccebe3 100644 --- a/examples/private/main.tf +++ b/examples/private/main.tf @@ -1,8 +1,9 @@ module "service" { source = "../.." - private_hosted_zone = var.private_hosted_zone - public_service = false + hosted_zone = var.hosted_zone + public_service = false + is_private = true organization = var.organization environment = var.environment diff --git a/examples/private/vars.tf b/examples/private/vars.tf index 1f6c6fa..257f946 100644 --- a/examples/private/vars.tf +++ b/examples/private/vars.tf @@ -1,4 +1,4 @@ -variable "private_hosted_zone" { +variable "hosted_zone" { type = string - description = "Private hosted zone for this service. Populate `TF_VAR_private_hosted_zone` before running any tests to have this value populated." + description = "Private hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/examples/sgs/main.tf b/examples/sgs/main.tf index 41b882b..ffe5983 100644 --- a/examples/sgs/main.tf +++ b/examples/sgs/main.tf @@ -90,7 +90,7 @@ resource "aws_security_group" "ingress_sg" { module "service" { source = "../.." - primary_hosted_zone = var.primary_hosted_zone + hosted_zone = var.hosted_zone restricted_sg = aws_security_group.ingress_sg.id diff --git a/examples/sgs/vars.tf b/examples/sgs/vars.tf index 9364019..1b94bc9 100644 --- a/examples/sgs/vars.tf +++ b/examples/sgs/vars.tf 
@@ -1,4 +1,4 @@ -variable "primary_hosted_zone" { +variable "hosted_zone" { type = string - description = "Primary hosted zone for this service. Populate `TF_VAR_primary_hosted_zone` before running any tests to have this value populated." + description = "Primary hosted zone for this service. Populate `TF_VAR_hosted_zone` before running any tests to have this value populated." } diff --git a/lb.tf b/lb.tf index e49cc0b..6d35876 100644 --- a/lb.tf +++ b/lb.tf @@ -1,9 +1,11 @@ resource "aws_lb" "lb" { - count = local.create_lb ? 1 : 0 - name = local.load_balancer_name - subnets = local.subnets - security_groups = local.lb_security_groups - idle_timeout = var.idle_timeout + count = local.create_lb ? 1 : 0 + name = local.load_balancer_name + subnets = local.subnets + security_groups = local.lb_security_groups + idle_timeout = var.idle_timeout + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + internal = local.internal diff --git a/locals.tf b/locals.tf index 2d1a12f..6167118 100644 --- a/locals.tf +++ b/locals.tf 
@@ -13,21 +13,22 @@ locals { task_def_arn = var.task_def_arn != null ? var.task_def_arn : one(module.task[*].arn) vpc_id = var.vpc_id != null ? var.vpc_id : one(data.aws_vpc.vpc[*].id) public_service = !local.create_virtual_node && var.public_service - subnets = var.subnets != null ? var.subnets : var.public_service ? data.aws_subnets.public_subnets[0].ids : data.aws_subnets.private_subnets[0].ids + subnets = var.subnets != null ? var.subnets : local.internal == true ? local.private_subnets : local.public_subnets + private_subnets = var.private_subnets != null ? var.private_subnets : data.aws_subnets.private_subnets[0].ids + public_subnets = var.public_subnets != null ? var.public_subnets : data.aws_subnets.public_subnets[0].ids lookup_hosted_zone = !local.create_virtual_node && local.app_dns_record_count > 0 lookup_primary_acm_wildcard_cert = local.lookup_hosted_zone && local.public_service && var.acm_arn == null acm_arn = var.acm_arn != null ? var.acm_arn : local.lookup_primary_acm_wildcard_cert ? one(data.aws_acm_certificate.primary_acm_wildcard_cert[*].arn) : null - hosted_zone = var.public_service ? var.primary_hosted_zone : var.private_hosted_zone - null_safe_hosted_zone = local.hosted_zone == null ? "" : local.hosted_zone + null_safe_hosted_zone = var.hosted_zone == null ? "" : var.hosted_zone hosted_zone_id = local.lookup_hosted_zone ? one(data.aws_route53_zone.hosted_zone[*].zone_id) : null - internal = var.internal != null ? var.internal : !var.public_service + internal = var.internal != null ? var.internal : var.is_private cnames = local.create_virtual_node ? [] : var.cnames != null ? var.cnames : [local.name] aliases = local.create_virtual_node ? [] : var.aliases != null ? var.aliases : ["${local.name}.${local.null_safe_hosted_zone}"] app_dns_record_count = local.create_lb ? length(local.cnames) : 0 domain_name = !local.create_lb ? null : local.app_dns_record_count == 0 ? 
one(aws_lb.lb[*].dns_name) : one(aws_route53_record.app[*].fqdn) create_lb_sg = local.create_lb && var.load_balancer_type == "application" create_http_listeners = local.create_lb && var.load_balancer_type == "application" - create_https_listeners = local.create_lb && var.load_balancer_type == "application" && var.public_service + create_https_listeners = local.create_lb && var.load_balancer_type == "application" only_create_http_listener = local.create_http_listeners && !local.create_https_listeners create_nlb_listeners = local.create_lb && !local.create_http_listeners http_application_rule_count = local.only_create_http_listener ? length(local.aliases) : 0 diff --git a/main.tf b/main.tf index 0acb41f..2050a18 100644 --- a/main.tf +++ b/main.tf @@ -28,7 +28,7 @@ resource "aws_ecs_service" "service" { } network_configuration { - subnets = local.subnets + subnets = local.public_service == true ? local.public_subnets : local.private_subnets security_groups = [aws_security_group.service_sg.id] assign_public_ip = var.assign_public_ip } diff --git a/optional.tf b/optional.tf index df7b623..4dfd873 100644 --- a/optional.tf +++ b/optional.tf 
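Review bot: The new default `internal = var.internal != null ? var.internal : var.is_private` ties the load balancer scheme to the hosted-zone flag rather than to the service, while the `internal` variable is still documented as "If null, will be internal when the service is private" (see the README table in patch 3), so a caller who sets `public_service = false` and leaves `internal` null now gets an internet-facing load balancer unless they also set `is_private`. Either update that description to say the default follows the zone flag, or keep deriving it from `!local.public_service` and leave the zone flag to DNS only. Separately, `local.internal == true` here and `local.public_service == true` in main.tf compare a bool to `true`; `local.internal ? local.private_subnets : local.public_subnets` reads the same without the redundant comparison. The locals block starts and ends outside the hunk.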
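Review bot: `subnets = local.public_service == true ? local.public_subnets : local.private_subnets` in the ECS `network_configuration` no longer consults `var.subnets`, so a caller that passes an explicit `subnets` list has it silently dropped for the tasks, while `aws_lb` in lb.tf still honours it through `local.subnets`. Task placement can therefore diverge from what the caller configured, and with `assign_public_ip` still defaulting to `true` the tasks land wherever the environment-tag lookup points. Keep the override first: `subnets = var.subnets != null ? var.subnets : local.public_service ? local.public_subnets : local.private_subnets`. The `aws_ecs_service` resource starts and ends outside the hunk.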
@@ -236,13 +236,13 @@ variable "load_balancer_name" { } variable "aliases" { - description = "CNAME(s) that are allowed to be used for this service. Default is `product`.`primary_hosted_zone`. e.g. [product.example.com] --> [product.example.com]" + description = "CNAME(s) that are allowed to be used for this service. Default is `product`.`hosted_zone`. e.g. [product.example.com] --> [product.example.com]" default = null type = list(string) } variable "cnames" { - description = "CNAME(s) that are going to be created for this service in the primary_hosted_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is `product`. e.g. [product] --> [product.example.com]" + description = "CNAME(s) that are going to be created for this service in the hosted_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is `product`. e.g. [product] --> [product.example.com]" default = null type = list(string) } @@ -259,9 +259,21 @@ variable "subnets" { type = list(string) } +variable "private_subnets" { + description = "Private subnets for the service. If null, private subnets will be looked up based on environment tag and will be selected based on public_service." + default = null + type = list(string) +} + +variable "public_subnets" { + description = "Public subnets for the service. If null, public subnets will be looked up based on environment tag and will be selected based on public_service." + default = null + type = list(string) +} + variable "public_service" { description = "Service should be provisioned in public subnet. Ignored if subnets defined." - default = true + default = false type = bool } 
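Review bot: The descriptions added for `private_subnets` and `public_subnets` say the lookup result "will be selected based on public_service", but in this commit lb.tf selects by `local.internal` and only main.tf selects by `local.public_service`, and `public_service`'s own text "Ignored if subnets defined" stops being true once main.tf ignores `var.subnets` for the tasks. Flipping the `public_service` default from `true` to `false` also moves every existing caller's tasks into private subnets on upgrade, a behaviour change worth stating in the README or changelog rather than only in the generated table. Suggested wording: `description = "Private subnets for the service. If null, they are looked up by environment tag. Used for the tasks when public_service is false and for the load balancer when it is internal."`, with the mirror text for `public_subnets`.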
@@ -277,16 +289,16 @@ variable "vpc_id" { type = string } -variable "primary_hosted_zone" { - description = "Name of the primary hosted zone for DNS. e.g. primary_hosted_zone = example.org --> service.example.org. If null, it is assumed that a private hosted zone will be used." +variable "hosted_zone" { + description = "Name of the hosted zone for DNS. e.g. hosted_zone = example.org --> service.example.org. Based on the is_private, this is the primary or the private hosted zone." default = null type = string } -variable "private_hosted_zone" { - description = "Name of the private hosted zone for DNS. e.g. private_hosted_zone = example.org --> service.example.private. If null, it is assumed that a public hosted zone will be used." - default = null - type = string +variable "is_private" { + description = "Is the route53 zone private or not." + default = false + type = bool } variable "load_balancer_type" { @@ -407,3 +419,9 @@ variable "service_sg_name" { default = null type = string } + +variable "enable_cross_zone_load_balancing" { + description = "Enable cross-zone load balancing for NLBs. ALB have this enabled by default and cannot be disabled." + default = true + type = string +} diff --git a/tests/utilities_ecs_service.go b/tests/utilities_ecs_service.go index ae90a04..a0fca72 100644 --- a/tests/utilities_ecs_service.go +++ b/tests/utilities_ecs_service.go 
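Review bot: `enable_cross_zone_load_balancing` is declared with `type = string` although its default is `true` and lb.tf passes it straight to `aws_lb.enable_cross_zone_load_balancing`, which takes a boolean; the generated README in patch 3 repeats `string`. Terraform will coerce "true"/"false", but any other string only fails at plan time with an error pointing at the resource rather than the variable, and the declared type advertises the wrong contract. Declare it as `type = bool` and regenerate the docs. The `is_private` description "Is the route53 zone private or not." would also benefit from noting that locals.tf uses it as the default for `internal`.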
@@ -22,19 +22,19 @@ func testECSService(t *testing.T, variant string) { switch variant { case "private": - privateHostedZone = os.Getenv("TF_VAR_private_hosted_zone") + privateHostedZone = os.Getenv("TF_VAR_hosted_zone") if privateHostedZone == "" { - t.Fatal("TF_VAR_private_hosted_zone must be set to run tests. e.g. 'export TF_VAR_private_hosted_zone=example.private'") + t.Fatal("TF_VAR_hosted_zone must be set to run tests. e.g. 'export TF_VAR_hosted_zone=example.private'") } expectedDomainName = fmt.Sprintf("%s.%s", expectedName, privateHostedZone) case "no-lb": default: - primaryHostedZone = os.Getenv("TF_VAR_primary_hosted_zone") + primaryHostedZone = os.Getenv("TF_VAR_hosted_zone") if primaryHostedZone == "" { - t.Fatal("TF_VAR_primary_hosted_zone must be set to run tests. e.g. 'export TF_VAR_primary_hosted_zone=example.org'") + t.Fatal("TF_VAR_hosted_zone must be set to run tests. e.g. 'export TF_VAR_hosted_zone=example.org'") } expectedDomainName = fmt.Sprintf("%s.%s", expectedName, primaryHostedZone) From c9c1e64e359bcd2973c5e632b4ef3d6af5339d7f Mon Sep 17 00:00:00 2001 From: Eduard Hirsch Date: Mon, 20 Nov 2023 14:31:52 +0200 Subject: [PATCH 2/3] CAT-23287 Updated MR according to reviews --- data.tf | 2 +- examples/private/main.tf | 6 +++--- locals.tf | 4 ++-- optional.tf | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/data.tf b/data.tf index 6a7579a..4ed3edd 100644 --- a/data.tf +++ b/data.tf @@ -1,7 +1,7 @@ data "aws_route53_zone" "hosted_zone" { count = local.lookup_hosted_zone ? 1 : 0 name = "${var.hosted_zone}." - private_zone = var.is_private + private_zone = var.is_hosted_zone_private } data "aws_vpc" "vpc" { diff --git a/examples/private/main.tf b/examples/private/main.tf index fccebe3..6adc066 100644 --- a/examples/private/main.tf +++ b/examples/private/main.tf 
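Review bot: Both `switch` branches in testECSService now read the same `TF_VAR_hosted_zone` variable, so the `private` and default variants can no longer point at different zones in one environment, yet the two `t.Fatal` messages still suggest different example values (`example.private` vs `example.org`) for what is now a single setting. If one variable is intended, hoist `hostedZone := os.Getenv("TF_VAR_hosted_zone")` and its empty check above the switch and keep only the `expectedDomainName` assignment per branch; if the private test genuinely needs its own zone, give it a distinct variable name again. The function starts outside the hunk.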
@@ -1,9 +1,9 @@ module "service" { source = "../.." - hosted_zone = var.hosted_zone - public_service = false - is_private = true + hosted_zone = var.hosted_zone + public_service = false + is_hosted_zone_private = true organization = var.organization environment = var.environment diff --git a/locals.tf b/locals.tf index 6167118..1e8c9fe 100644 --- a/locals.tf +++ b/locals.tf @@ -21,14 +21,14 @@ locals { acm_arn = var.acm_arn != null ? var.acm_arn : local.lookup_primary_acm_wildcard_cert ? one(data.aws_acm_certificate.primary_acm_wildcard_cert[*].arn) : null null_safe_hosted_zone = var.hosted_zone == null ? "" : var.hosted_zone hosted_zone_id = local.lookup_hosted_zone ? one(data.aws_route53_zone.hosted_zone[*].zone_id) : null - internal = var.internal != null ? var.internal : var.is_private + internal = var.internal != null ? var.internal : var.is_hosted_zone_private cnames = local.create_virtual_node ? [] : var.cnames != null ? var.cnames : [local.name] aliases = local.create_virtual_node ? [] : var.aliases != null ? var.aliases : ["${local.name}.${local.null_safe_hosted_zone}"] app_dns_record_count = local.create_lb ? length(local.cnames) : 0 domain_name = !local.create_lb ? null : local.app_dns_record_count == 0 ? one(aws_lb.lb[*].dns_name) : one(aws_route53_record.app[*].fqdn) create_lb_sg = local.create_lb && var.load_balancer_type == "application" create_http_listeners = local.create_lb && var.load_balancer_type == "application" - create_https_listeners = local.create_lb && var.load_balancer_type == "application" + create_https_listeners = local.create_lb && var.load_balancer_type == "application" && !var.is_hosted_zone_private only_create_http_listener = local.create_http_listeners && !local.create_https_listeners create_nlb_listeners = local.create_lb && !local.create_http_listeners http_application_rule_count = local.only_create_http_listener ? length(local.aliases) : 0 diff --git a/optional.tf b/optional.tf index 4dfd873..5042155 100644 --- a/optional.tf 
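Review bot: `create_https_listeners` is now gated on `!var.is_hosted_zone_private`, but the certificate lookup in the same locals block (`lookup_primary_acm_wildcard_cert = local.lookup_hosted_zone && local.public_service && var.acm_arn == null`, visible as context in patch 1) is still gated on `local.public_service`, whose variable now defaults to `false`. A caller with an application load balancer, a public zone and no `acm_arn` therefore gets HTTPS listeners while `local.acm_arn` resolves to null; assuming the listener resource consumes `local.acm_arn`, that fails at plan time or yields a listener without a certificate. Gate both on the same condition, e.g. `lookup_primary_acm_wildcard_cert = local.lookup_hosted_zone && !var.is_hosted_zone_private && var.acm_arn == null`, or fall back to HTTP-only when no certificate can be resolved. The locals block starts and ends outside the hunk.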
+++ b/optional.tf @@ -290,12 +290,12 @@ variable "vpc_id" { } variable "hosted_zone" { - description = "Name of the hosted zone for DNS. e.g. hosted_zone = example.org --> service.example.org. Based on the is_private, this is the primary or the private hosted zone." + description = "Name of the hosted zone for DNS. e.g. hosted_zone = example.org --> service.example.org. Based on the is_hosted_zone_private, this is the primary or the private hosted zone." default = null type = string } -variable "is_private" { +variable "is_hosted_zone_private" { description = "Is the route53 zone private or not." default = false type = bool From cf58f9e022bf84c815083ea8aa6845c569e7de70 Mon Sep 17 00:00:00 2001 From: ehirsch-3pg Date: Mon, 20 Nov 2023 12:36:44 +0000 Subject: [PATCH 3/3] Running document script --- README.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b930c50..95fbfd2 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ ### Using the Repo Source ```hcl -github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2 +github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z ``` ### Alternative Installation Methods @@ -26,7 +26,7 @@ Integrate this module like so: ```hcl module "service" { - source = "github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2" + source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z" # Required hosted_zone = "example.com" @@ -49,7 +49,7 @@ This module will create an ECS cluster if one is not provided. If you would like ```hcl module "service" { - source = "github.com/pbs/terraform-aws-ecs-service-module?ref=4.2.2" + source = "github.com/pbs/terraform-aws-ecs-service-module?ref=x.y.z" # Required hosted_zone = "example.com" @@ -73,7 +73,7 @@ module "service" { If this repo is added as a subtree, then the version of the module should be close to the version shown here: -`4.2.2` +`x.y.z` Note, however that subtrees can be altered as desired within repositories. 
@@ -177,7 +177,7 @@ Below is automatically generated documentation on this Terraform module using [t | [cluster\_protect\_from\_scale\_in](#input\_cluster\_protect\_from\_scale\_in) | Allow ECS to protect instances running tasks from being terminated while tasks are running on them. Must be false when destroying cluster | `bool` | `true` | no | | [cluster\_role\_policy\_json](#input\_cluster\_role\_policy\_json) | (optional) IAM policy to attach to role used for the instance profile of instances in this cluster | `string` | `null` | no | | [cluster\_target\_capacity](#input\_cluster\_target\_capacity) | Capacity provider target capacity | `number` | `75` | no | -| [cnames](#input\_cnames) | CNAME(s) that are going to be created for this service in the primary\_hosted\_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is `product`. e.g. [product] --> [product.example.com] | `list(string)` | `null` | no | +| [cnames](#input\_cnames) | CNAME(s) that are going to be created for this service in the hosted\_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is `product`. e.g. [product] --> [product.example.com] | `list(string)` | `null` | no | | [command](#input\_command) | (optional) command to run in the container as an array. e.g. ["sleep", "10"]. If null, does not set a command in the task definition. | `list(string)` | `null` | no | | [container\_definitions](#input\_container\_definitions) | (optional) JSON container definitions for task | `string` | `null` | no | | [container\_name](#input\_container\_name) | (optional) name for the container to have | `string` | `null` | no | @@ -191,6 +191,7 @@ Below is automatically generated documentation on this Terraform module using [t | [efs\_mounts](#input\_efs\_mounts) | (optional) efs mount set of objects. Components should include dns\_name, container\_mount\_point, efs\_mount\_point |
set(object({
file_system_id = string
efs_path = string
container_path = string
}))
| `[]` | no | | [enable\_circuit\_breaker](#input\_enable\_circuit\_breaker) | Enables ECS circuit breaker | `bool` | `true` | no | | [enable\_circuit\_breaker\_rollback](#input\_enable\_circuit\_breaker\_rollback) | Enables ECS circuit breaker rollback | `bool` | `true` | no | +| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Enable cross-zone load balancing for NLBs. ALB have this enabled by default and cannot be disabled. | `string` | `true` | no | | [enable\_execute\_command](#input\_enable\_execute\_command) | Enables `ecs exec`. If null, will enable if not on prod | `bool` | `null` | no | | [entrypoint](#input\_entrypoint) | (optional) entrypoint to run in the container as an array. e.g. ["sleep", "10"]. If null, does not set an entrypoint in the task definition. | `list(string)` | `null` | no | | [env\_vars](#input\_env\_vars) | (optional) environment variables to be passed to the container. By default, only passes SSM\_PATH | `set(map(any))` | `null` | no | 
@@ -202,10 +203,12 @@ Below is automatically generated documentation on this Terraform module using [t | [healthcheck\_protocol](#input\_healthcheck\_protocol) | The protocol to use to connect with the target | `string` | `null` | no | | [healthcheck\_timeout](#input\_healthcheck\_timeout) | The amount of time, in seconds, during which no response means a failed health check | `number` | `6` | no | | [healthcheck\_unhealthy\_threshold](#input\_healthcheck\_unhealthy\_threshold) | The number of consecutive health check failures required before considering the target unhealthy | `number` | `3` | no | +| [hosted\_zone](#input\_hosted\_zone) | Name of the hosted zone for DNS. e.g. hosted\_zone = example.org --> service.example.org. Based on the is\_hosted\_zone\_private, this is the primary or the private hosted zone. | `string` | `null` | no | | [idle\_timeout](#input\_idle\_timeout) | Idle timeout for the load balancer. If null, will use whatever the default is for the load balancer type. | `number` | `null` | no | | [image\_repo](#input\_image\_repo) | (optional) image repo. e.g. image\_repo = nginx --> nginx:image\_tag | `string` | `"nginx"` | no | | [image\_tag](#input\_image\_tag) | (optional) tag of the image. e.g. image\_tag = latest --> image\_repo:latest | `string` | `"alpine"` | no | | [internal](#input\_internal) | Use an internal load balancer. If null, will be internal when the service is private. | `bool` | `null` | no | +| [is\_hosted\_zone\_private](#input\_is\_hosted\_zone\_private) | Is the route53 zone private or not. | `bool` | `false` | no | | [launch\_type](#input\_launch\_type) | The launch type on which to run your service | `string` | `"FARGATE"` | no | | [load\_balancer\_name](#input\_load\_balancer\_name) | Load balancer name. Will default to product if not defined. | `string` | `null` | no | | [load\_balancer\_sg\_name](#input\_load\_balancer\_sg\_name) | Prefix for the name of the load balancer security group. 
If null, will use `${local.load_balancer_name}-sg-`. | `string` | `null` | no | 
@@ -223,10 +226,10 @@ Below is automatically generated documentation on this Terraform module using [t | [nlb\_protocol](#input\_nlb\_protocol) | Protocol for the network load balancer used in this service. Ignored for application load balancers. | `string` | `"TLS"` | no | | [nlb\_ssl\_policy](#input\_nlb\_ssl\_policy) | SSL policy to use for a Network Load Balancer application. | `string` | `"ELBSecurityPolicy-TLS13-1-2-2021-06"` | no | | [platform\_version](#input\_platform\_version) | The platform version on which to run your service | `string` | `"LATEST"` | no | -| [primary\_hosted\_zone](#input\_primary\_hosted\_zone) | Name of the primary hosted zone for DNS. e.g. primary\_hosted\_zone = example.org --> service.example.org. If null, it is assumed that a private hosted zone will be used. | `string` | `null` | no | -| [private\_hosted\_zone](#input\_private\_hosted\_zone) | Name of the private hosted zone for DNS. e.g. private\_hosted\_zone = example.org --> service.example.private. If null, it is assumed that a public hosted zone will be used. | `string` | `null` | no | +| [private\_subnets](#input\_private\_subnets) | Private subnets for the service. If null, private subnets will be looked up based on environment tag and will be selected based on public\_service. | `list(string)` | `null` | no | | [propagate\_tags](#input\_propagate\_tags) | Specifies whether to propagate the tags from the task definition or the service to the tasks | `string` | `"SERVICE"` | no | -| [public\_service](#input\_public\_service) | Service should be provisioned in public subnet. Ignored if subnets defined. | `bool` | `true` | no | +| [public\_service](#input\_public\_service) | Service should be provisioned in public subnet. Ignored if subnets defined. | `bool` | `false` | no | +| [public\_subnets](#input\_public\_subnets) | Public subnets for the service. If null, public subnets will be looked up based on environment tag and will be selected based on public\_service. 
| `list(string)` | `null` | no | | [requires\_compatibilities](#input\_requires\_compatibilities) | (optional) capabilities that the task requires | `set(string)` |
[
"FARGATE"
]
| no | | [restricted\_cidr\_blocks](#input\_restricted\_cidr\_blocks) | CIDR blocks to receive restricted service access. If empty, no CIDRs will be allowed to connect. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [restricted\_sg](#input\_restricted\_sg) | SG to receive restricted service access. If null, no sg will be configured to connect | `string` | `null` | no |