From 79357364685e12bfd8bab79b3d80eb4af254e878 Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Tue, 14 Mar 2023 21:26:06 +0000
Subject: [PATCH 01/10] Allow terminating SSL on internal sombra
---
 main.tf | 1 +
 modules/sombra_load_balancers/single_alb.tf | 17 +++++++++++++++--
 modules/sombra_load_balancers/variables.tf | 11 +++++++++++
 variables.tf | 11 +++++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index d85db95..f8498b5 100644
--- a/main.tf
+++ b/main.tf
@@ -33,6 +33,7 @@ module "load_balancer" {
 zone_id = var.zone_id
 certificate_arn = var.certificate_arn
 use_private_load_balancer = var.use_private_load_balancer
+ use_network_load_balancer = var.use_network_load_balancer
 tags = var.tags
 }
diff --git a/modules/sombra_load_balancers/single_alb.tf b/modules/sombra_load_balancers/single_alb.tf
index 07cdce1..5d58c55 100644
--- a/modules/sombra_load_balancers/single_alb.tf
+++ b/modules/sombra_load_balancers/single_alb.tf
@@ -24,8 +24,10 @@ module "load_balancer" {
 vpc_id = var.vpc_id
 security_groups = [module.single_security_group.this_security_group_id]
- # Listeners
- https_listeners = [
+ load_balancer_type = var.use_network_load_balancer ? "network" : "application"
+
+ # Listeners for ALB
+ https_listeners = var.use_network_load_balancer ? [] : [
 # Internal Listener
 {
 certificate_arn = var.certificate_arn
@@ -42,6 +44,17 @@ module "load_balancer" {
 },
 ]
+ # Listeners for NLB
+ http_tcp_listeners = var.use_network_load_balancer ? [{
+ port = var.internal_port
+ protocol = "TCP"
+ target_group_index = 0
+ },{
+ port = var.external_port
+ protocol = "TCP"
+ target_group_index = 1
+ }] : []
+
 # Target groups
 target_groups = [
 # Internal group
diff --git a/modules/sombra_load_balancers/variables.tf b/modules/sombra_load_balancers/variables.tf
index 981788c..a56f473 100644
--- a/modules/sombra_load_balancers/variables.tf
+++ b/modules/sombra_load_balancers/variables.tf
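Review bot: The `# Listeners for NLB` comment on the `http_tcp_listeners` block should state what the subject line implies but the file does not: these are plain `TCP` listeners, so the NLB passes the byte stream through without terminating TLS, `var.certificate_arn` is not applied in this mode, and sombra itself has to present the certificate on `var.internal_port` and `var.external_port`. Suggest `# Listeners for NLB: plain TCP pass-through, TLS is terminated by sombra itself; var.certificate_arn is unused in this mode`. The target groups' `health_check` settings are outside the hunk, so whether the health check still assumes an HTTP(S) probe in NLB mode cannot be confirmed from here.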
@@ -9,6 +9,17 @@ variable use_private_load_balancer {
 EOF
 }
+variable use_network_load_balancer {
+ type = bool
+ description = < Date: Tue, 14 Mar 2023 23:29:29 +0000
Subject: [PATCH 02/10] use null instead of []
---
 modules/sombra_load_balancers/single_alb.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/sombra_load_balancers/single_alb.tf b/modules/sombra_load_balancers/single_alb.tf
index 5d58c55..44895e3 100644
--- a/modules/sombra_load_balancers/single_alb.tf
+++ b/modules/sombra_load_balancers/single_alb.tf
@@ -27,7 +27,7 @@ module "load_balancer" {
 load_balancer_type = var.use_network_load_balancer ? "network" : "application"
 # Listeners for ALB
- https_listeners = var.use_network_load_balancer ? [] : [
+ https_listeners = var.use_network_load_balancer ? null : [
 # Internal Listener
 {
 certificate_arn = var.certificate_arn
@@ -53,7 +53,7 @@ module "load_balancer" {
 port = var.external_port
 protocol = "TCP"
 target_group_index = 1
- }] : []
+ }] : null
 # Target groups
 target_groups = [
From 49e37303e09bd5c489790679be1ad5505b90c1e0 Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Tue, 14 Mar 2023 23:33:19 +0000
Subject: [PATCH 03/10] revert
---
 modules/sombra_load_balancers/single_alb.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/sombra_load_balancers/single_alb.tf b/modules/sombra_load_balancers/single_alb.tf
index 44895e3..bcbc8f9 100644
--- a/modules/sombra_load_balancers/single_alb.tf
+++ b/modules/sombra_load_balancers/single_alb.tf
@@ -27,7 +27,7 @@ module "load_balancer" {
 load_balancer_type = var.use_network_load_balancer ? "network" : "application"
 # Listeners for ALB
- https_listeners = var.use_network_load_balancer ? null : [
+ https_listeners = var.use_network_load_balancer ? [] : [
 # Internal Listener
 {
 certificate_arn = var.certificate_arn
From 377e590c1f2276f0c04a684669bd335d7ee44236 Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Tue, 14 Mar 2023 23:38:24 +0000
Subject: [PATCH 04/10] update outputs
---
 modules/sombra_load_balancers/outputs.tf | 4 ++--
 modules/sombra_load_balancers/single_alb.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/sombra_load_balancers/outputs.tf b/modules/sombra_load_balancers/outputs.tf
index a59568c..391a840 100644
--- a/modules/sombra_load_balancers/outputs.tf
+++ b/modules/sombra_load_balancers/outputs.tf
@@ -19,12 +19,12 @@ output private_zone_id {
 }
 output internal_listener_arn {
- value = var.use_private_load_balancer ? module.internal_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[0]
+ value = var.use_network_load_balancer ? var.load_balancer.http_tcp_listener_arns[0] : var.use_private_load_balancer ? module.internal_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[0]
 description = "ARN of the internal sombra load balancer listener"
 }
 output external_listener_arn {
- value = var.use_private_load_balancer ? module.external_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[1]
+ value = var.use_network_load_balancer ? var.load_balancer.http_tcp_listener_arns[0] : var.use_private_load_balancer ? module.external_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[1]
 description = "ARN of the external sombra load balancer listener"
 }
diff --git a/modules/sombra_load_balancers/single_alb.tf b/modules/sombra_load_balancers/single_alb.tf
index bcbc8f9..5d58c55 100644
--- a/modules/sombra_load_balancers/single_alb.tf
+++ b/modules/sombra_load_balancers/single_alb.tf
@@ -53,7 +53,7 @@ module "load_balancer" {
 port = var.external_port
 protocol = "TCP"
 target_group_index = 1
- }] : null
+ }] : []
 # Target groups
 target_groups = [
From ce0d2c1a324da4d3cab7882b542d7ed6e92c3fbf Mon Sep 17 00:00:00 2001
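Review bot: In the outputs.tf hunk, `external_listener_arn` reads `http_tcp_listener_arns[0]` in the NLB branch, but the `http_tcp_listeners` list in single_alb.tf puts `var.internal_port` at index 0 and `var.external_port` at index 1, so in NLB mode both outputs return the internal listener and anything wired to the external ARN ends up pointing at the internal port. The external branch should be `value = var.use_network_load_balancer ? module.load_balancer.http_tcp_listener_arns[1] : var.use_private_load_balancer ? module.external_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[1]`. Patch 05/10 corrects the `var.load_balancer` reference in the same two outputs but keeps index 0 in both, so the same fix applies there.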
From: David Mattia
Date: Tue, 14 Mar 2023 23:39:42 +0000
Subject: [PATCH 05/10] fix output
---
 modules/sombra_load_balancers/outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/sombra_load_balancers/outputs.tf b/modules/sombra_load_balancers/outputs.tf
index 391a840..e836d63 100644
--- a/modules/sombra_load_balancers/outputs.tf
+++ b/modules/sombra_load_balancers/outputs.tf
@@ -19,12 +19,12 @@ output private_zone_id {
 }
 output internal_listener_arn {
- value = var.use_network_load_balancer ? var.load_balancer.http_tcp_listener_arns[0] : var.use_private_load_balancer ? module.internal_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[0]
+ value = var.use_network_load_balancer ? module.load_balancer.http_tcp_listener_arns[0] : var.use_private_load_balancer ? module.internal_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[0]
 description = "ARN of the internal sombra load balancer listener"
 }
 output external_listener_arn {
- value = var.use_network_load_balancer ? var.load_balancer.http_tcp_listener_arns[0] : var.use_private_load_balancer ? module.external_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[1]
+ value = var.use_network_load_balancer ? module.load_balancer.http_tcp_listener_arns[0] : var.use_private_load_balancer ? module.external_load_balancer.https_listener_arns[0] : module.load_balancer.https_listener_arns[1]
 description = "ARN of the external sombra load balancer listener"
 }
From 715ef51d97f8417e242f10a0a1929771369c4790 Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Tue, 14 Mar 2023 23:47:09 +0000
Subject: [PATCH 06/10] no sgs on nlb
---
 modules/sombra_load_balancers/single_alb.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/sombra_load_balancers/single_alb.tf b/modules/sombra_load_balancers/single_alb.tf
index 5d58c55..08896f4 100644
--- a/modules/sombra_load_balancers/single_alb.tf
+++ b/modules/sombra_load_balancers/single_alb.tf
@@ -22,7 +22,7 @@ module "load_balancer" {
 # VPC Settings
 subnets = var.public_subnet_ids
 vpc_id = var.vpc_id
- security_groups = [module.single_security_group.this_security_group_id]
+ security_groups = var.use_network_load_balancer ? [] : [module.single_security_group.this_security_group_id]
 load_balancer_type = var.use_network_load_balancer ? "network" : "application"
@@ -94,7 +94,7 @@ module "single_security_group" {
 source = "terraform-aws-modules/security-group/aws"
 version = "3.17.0"
- create = !var.use_private_load_balancer
+ create = !var.use_private_load_balancer && !var.use_network_load_balancer
 name = "${var.project_id}-sombra-alb"
 description = "Security group for sombra alb"
From d846f4223d4db12767937ee6fe81c8662caa7e7e Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Wed, 15 Mar 2023 00:01:42 +0000
Subject: [PATCH 07/10] update listener backend protocol
---
 modules/sombra_load_balancers/outputs.tf | 2 +-
 modules/sombra_load_balancers/single_alb.tf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/sombra_load_balancers/outputs.tf b/modules/sombra_load_balancers/outputs.tf
index e836d63..963c876 100644
--- a/modules/sombra_load_balancers/outputs.tf
+++ b/modules/sombra_load_balancers/outputs.tf
@@ -9,7 +9,7 @@ output external_target_group_arn {
 }
 output security_group_ids {
- value = var.use_private_load_balancer ? [module.internal_security_group.this_security_group_id, module.external_security_group.this_security_group_id] : [module.single_security_group.this_security_group_id]
+ value = var.use_network_load_balancer ? [] : var.use_private_load_balancer ? [module.internal_security_group.this_security_group_id, module.external_security_group.this_security_group_id] : [module.single_security_group.this_security_group_id]
 description = "The ids of all security groups set on the ALB. We require that the tasks can only talk to the ALB"
 }
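Review bot: In the patch 06/10 hunk, `security_groups = var.use_network_load_balancer ? [] : [...]` leaves the load balancer with no security group at all in NLB mode, so the task security group becomes the only network filter in front of sombra; the line deserves a comment saying so, e.g. `# NLBs carry no security groups; with use_network_load_balancer the task security group is the only ingress filter`. The new `create` condition on `single_security_group` covers only the single-LB path, and nothing visible here prevents `use_private_load_balancer` and `use_network_load_balancer` from both being true; if the internal/external load balancers are built in other files of this module, that combination would presumably build the ALB pair while the outputs already prefer the NLB branch. A documented exclusion, or a `precondition` on the module if the project's Terraform version supports it, would make that interaction explicit.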
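Review bot: In the patch 07/10 outputs.tf hunk, the `description` of `security_group_ids` still states "We require that the tasks can only talk to the ALB", which is no longer true when the new branch returns `[]` for an NLB and the tasks are reachable by CIDR instead. Suggest `description = "Security group ids set on the load balancer; empty when use_network_load_balancer is set, because NLBs carry no security groups and task ingress is then CIDR-based"`. The CIDR-based ingress is wired in the root main.tf rather than in this module, so that half of the wording is inferred from the later patches in this series.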
diff --git a/modules/sombra_load_balancers/single_alb.tf b/modules/sombra_load_balancers/single_alb.tf
index 08896f4..8fd8304 100644
--- a/modules/sombra_load_balancers/single_alb.tf
+++ b/modules/sombra_load_balancers/single_alb.tf
@@ -60,7 +60,7 @@ module "load_balancer" {
 # Internal group
 {
 name = "${var.deploy_env}-${var.project_id}-internal"
- backend_protocol = var.health_check_protocol
+ backend_protocol = var.use_network_load_balancer ? "TCP" : var.health_check_protocol
 target_type = "ip"
 backend_port = var.internal_port
 health_check = {
@@ -74,7 +74,7 @@ module "load_balancer" {
 # External group
 {
 name = "${var.deploy_env}-${var.project_id}-external"
- backend_protocol = var.health_check_protocol
+ backend_protocol = var.use_network_load_balancer ? "TCP" : var.health_check_protocol
 target_type = "ip"
 backend_port = var.external_port
 health_check = {
From d3a1dededb001a02feebdac11b7cd77c33e185bc Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Wed, 15 Mar 2023 20:14:38 +0000
Subject: [PATCH 08/10] Open up ECS tasks to have ingress with NLBs
---
 main.tf | 9 ++++++---
 variables.tf | 6 ++++++
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index f8498b5..bc8790c 100644
--- a/main.tf
+++ b/main.tf
@@ -137,8 +137,10 @@ locals {
 }
 module "service" {
- source = "transcend-io/fargate-service/aws"
- version = "0.6.2"
+ # DO NOT SUBMIT
+ # source = "transcend-io/fargate-service/aws"
+ # version = "0.6.2"
+ source = "github.com/transcend-io/fargate-service?ref=dmattia/ingress_cidr"
 name = "${var.deploy_env}-${var.project_id}-sombra-service"
 cpu = var.cpu
@@ -148,7 +150,8 @@ module "service" {
 vpc_id = var.vpc_id
 subnet_ids = var.private_subnet_ids
- alb_security_group_ids = module.load_balancer.security_group_ids
+ alb_security_group_ids = var.use_network_load_balancer ? null : module.load_balancer.security_group_ids
+ ingress_cidr_blocks = var.use_network_load_balancer ? var.network_load_balancer_ingress_cidr_blocks : null
 container_definitions = format(
 "[%s]",
 join(",", distinct(concat(
diff --git a/variables.tf b/variables.tf
index aeada07..3bdbff3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -408,6 +408,12 @@ variable use_network_load_balancer {
 default = false
 }
+variable network_load_balancer_ingress_cidr_blocks {
+ type = list(string)
+ description = "CIDR blocks that can talk to sombra when using an NLB"
+ default = ["0.0.0.0/0"]
+}
+
 variable "tags" {
 type = map(string)
 description = "Tags to apply to all resources that support them"
From 48f03268cd378bec9b79fa578326319426a79243 Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Wed, 15 Mar 2023 20:24:00 +0000
Subject: [PATCH 09/10] fix source formatting
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index bc8790c..919f430 100644
--- a/main.tf
+++ b/main.tf
@@ -140,7 +140,7 @@ module "service" {
 # DO NOT SUBMIT
 # source = "transcend-io/fargate-service/aws"
 # version = "0.6.2"
- source = "github.com/transcend-io/fargate-service?ref=dmattia/ingress_cidr"
+ source = "git::https://github.com/transcend-io/terraform-aws-fargate-service?ref=dmattia/ingress_cidr"
 name = "${var.deploy_env}-${var.project_id}-sombra-service"
 cpu = var.cpu
From a1e6d70f30578c0b3d0c024c936d94b611a1cb7b Mon Sep 17 00:00:00 2001
From: David Mattia
Date: Wed, 15 Mar 2023 21:26:56 +0000
Subject: [PATCH 10/10] remove DO NOT SUBMIT
---
 main.tf | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 919f430..c974249 100644
--- a/main.tf
+++ b/main.tf
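Review bot: In the variables.tf hunk of patch 08/10, `default = ["0.0.0.0/0"]` means that whenever `use_network_load_balancer` is true the task security group admits the sombra ports from any source, and since this series removes every security group from the load balancer path for NLBs, that default is the only network filter left between the internet-facing listener and the tasks. The tasks are placed in `var.private_subnet_ids`, which limits what can actually route to them, but a module default should still be the narrowest value that works: either drop the default so callers have to name their allowed sources, or default to the VPC CIDR, and say what the value controls, e.g. `description = "CIDR blocks allowed to reach the sombra task ports directly when using an NLB; the NLB does not filter traffic, so this is the only ingress control"`. The `ingress_cidr_blocks` line in the main.tf hunk above would benefit from a one-line comment pointing at this variable for the same reason.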
@@ -137,10 +137,8 @@ locals {
 }
 module "service" {
- # DO NOT SUBMIT
- # source = "transcend-io/fargate-service/aws"
- # version = "0.6.2"
- source = "git::https://github.com/transcend-io/terraform-aws-fargate-service?ref=dmattia/ingress_cidr"
+ source = "transcend-io/fargate-service/aws"
+ version = "0.7.0"
 name = "${var.deploy_env}-${var.project_id}-sombra-service"
 cpu = var.cpu