SRE-3022-make-alb-creation-optional-in-terraform-aws-ecs-service-modu…

…le (#44)

* Optional alb

* Create target group in module itself

alb.tf

@@ -1,5 +1,5 @@
 resource "aws_alb" "service" {
-  count           = var.alb_enable_https || var.alb_enable_http ? 1 : 0
+  count           = var.create_alb && (var.alb_enable_https || var.alb_enable_http) ? 1 : 0
   name            = "${var.service_identifier}-${var.task_identifier}"
   internal        = var.alb_internal
   security_groups = [aws_security_group.alb[0].id]
@@ -15,7 +15,7 @@ resource "aws_alb" "service" {
 }
 
 resource "aws_alb_listener" "service_https" {
-  count             = var.alb_enable_https ? 1 : 0
+  count             = var.create_alb && var.alb_enable_https ? 1 : 0
   load_balancer_arn = aws_alb.service[0].arn
   port              = "443"
   protocol          = "HTTPS"
@@ -29,7 +29,7 @@ resource "aws_alb_listener" "service_https" {
 }
 
 resource "aws_alb_listener" "service_http" {
-  count             = var.alb_enable_http ? 1 : 0
+  count             = var.create_alb && var.alb_enable_http ? 1 : 0
   load_balancer_arn = aws_alb.service[0].arn
   port              = "80"
   protocol          = "HTTP"
@@ -69,7 +69,7 @@ resource "aws_alb_target_group" "service" {
 }
 
 resource "aws_security_group" "alb" {
-  count       = var.alb_enable_https || var.alb_enable_http ? 1 : 0
+  count       = var.create_alb ? 1 : 0
   name_prefix = "alb-${var.service_identifier}-${var.task_identifier}-"
   description = "Security group for ${var.service_identifier}-${var.task_identifier} ALB"
   vpc_id      = data.aws_vpc.vpc.id
@@ -78,7 +78,7 @@ resource "aws_security_group" "alb" {
 }
 
 resource "aws_security_group_rule" "alb_ingress_https" {
-  count             = var.alb_enable_https ? 1 : 0
+  count             = var.create_alb && var.alb_enable_https ? 1 : 0
   type              = "ingress"
   from_port         = 443
   to_port           = 443
@@ -88,7 +88,7 @@ resource "aws_security_group_rule" "alb_ingress_https" {
 }
 
 resource "aws_security_group_rule" "alb_ingress_http" {
-  count             = var.alb_enable_http ? 1 : 0
+  count             = var.create_alb && var.alb_enable_http ? 1 : 0
   type              = "ingress"
   from_port         = 80
   to_port           = 80
@@ -98,7 +98,7 @@ resource "aws_security_group_rule" "alb_ingress_http" {
 }
 
 resource "aws_security_group_rule" "alb_egress" {
-  count             = var.alb_enable_https || var.alb_enable_http ? 1 : 0
+  count             = var.create_alb ? 1 : 0
   type              = "egress"
   from_port         = 0
   to_port           = 65535

ecs.tf

@@ -87,7 +87,7 @@ resource "aws_ecs_service" "service" {
   }
 
   load_balancer {
-    target_group_arn = aws_alb_target_group.service.arn
+    target_group_arn = aws_alb_target_group.service.arn 
     container_name   = "${var.service_identifier}-${var.task_identifier}"
     container_port   = var.app_port
   }

outputs.tf

@@ -15,7 +15,7 @@ output "alb_zone_id" {
 
 output "alb_https_listener_arn" {
   description = "ARN of the HTTPS Listener (if present)"
-  value       = var.alb_enable_https ? aws_alb_listener.service_https[0].arn : "not created"
+  value       = var.create_alb && var.alb_enable_https ? aws_alb_listener.service_https[0].arn : "not created"
 }
 
 output "target_group_arn" {
@@ -55,5 +55,5 @@ output "log_group_arn" {
 
 output "alb_sg_id" {
   description = "Load balancer security group id"
-  value       = aws_security_group.alb.0.id
+  value       = var.create_alb ? aws_security_group.alb.0.id : "not created by module"
 }

variables.tf

@@ -337,3 +337,9 @@ variable "ssm_param_arns" {
   type        = list(string)
   default     = []
 }
+
+variable "create_alb" {
+  description = "Whether to create ALB and related resources"
+  type        = bool
+  default     = true
+}