implementation of Application Load Balancer that can be extended to include SSL from AWS ACM

dcassanego · dcassanego · commit 7a4076c876dd · 2021-05-28T00:33:13.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,4 @@
 .terraform/
+.terraform.lock.hcl
+.terraform.tfstate.lock.info
 terraform.tfstate.backup
diff --git a/api_ssl_endpoint.tf b/api_ssl_endpoint.tf
@@ -0,0 +1,74 @@
+/**
+ * This file sets up all resources necessary to accept inbound
+ * HTTPS requests to the DLE API and direct them to the DLE
+ * instance itself.
+ *
+ * It uses an AWS Application Load Balancer to terminate SSL
+ * requests and then forward HTTP traffic to the DLE instance.
+ */
+
+# Create the Load Balancer for only the main DLE API
+resource "aws_lb" "dle_api_lb" {
+  name               = "dle-api-lb"
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.dle_api_sg.id]
+
+  subnets            = data.aws_subnet_ids.dle_vpc_subnets.ids
+  tags               = "${local.common_tags}"
+}
+
+# Setup an HTTPS listener that will terminate SSL
+resource "aws_lb_listener" "dle_api_ssl_listener" {
+  load_balancer_arn = aws_lb.dle_api_lb.arn
+
+  port              = 80
+  protocol          = "HTTP"
+
+  # FIXME -- Need to have Domain and Certificate in ACM
+  # port              = 443
+  # protocol          = "HTTPS"
+  # ssl_policy        = "ELBSecurityPolicy-2016-08"
+  # certificate_arn   = aws_acm_certificate.this.arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.api_target_group.arn
+  }
+
+  tags = "${local.common_tags}"
+}
+
+# The target group defines how the Load Balancer should
+# forward incoming requests and also sets up a health
+# check on the target instance.
+resource "aws_lb_target_group" "api_target_group" {
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = aws_default_vpc.dle_vpc.id
+
+  health_check {
+    path                = "/healthz"
+    healthy_threshold   = 2
+    interval            = 30
+    protocol            = "HTTP"
+    unhealthy_threshold = 2
+  }
+
+  depends_on = [
+    aws_lb.dle_api_lb
+  ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = "${local.common_tags}"
+}
+
+# This makes the connection between the Target Group and the
+# actual DLE EC2 Instance itself.
+resource "aws_lb_target_group_attachment" "dle_instance_attachment" {
+  target_group_arn = aws_lb_target_group.api_target_group.arn
+  target_id        = aws_instance.aws_ec2.id
+  port             = 80
+}
diff --git a/instance.tf b/instance.tf
@@ -1,7 +1,7 @@
 resource "aws_instance" "aws_ec2" {
   ami             = "${data.aws_ami.ami.id}"
   instance_type   = "${var.instance_type}"
-  security_groups = ["${aws_security_group.sg.name}"]
+  security_groups = ["${aws_security_group.dle_instance_sg.name}"]
   key_name = "${var.keypair}"
   tags = "${local.common_tags}"
 }
diff --git a/main.tf b/main.tf
@@ -11,6 +11,7 @@ terraform {
 provider "aws" {
   region = "${var.aws_region}"
 }
+
 locals {
   common_tags = {
     Name = "${var.tag_name}"
diff --git a/security.tf b/security.tf
@@ -1,4 +1,4 @@
-resource "aws_security_group" "sg" {
+resource "aws_security_group" "dle_instance_sg" {
   ingress {
     cidr_blocks = "${var.allow_ssh_from_cidrs}"
 
@@ -16,3 +16,22 @@ resource "aws_security_group" "sg" {
 
   tags = "${local.common_tags}"
 }
+
+resource "aws_security_group" "dle_api_sg" {
+  ingress {
+    cidr_blocks = "${var.allow_api_from_cidrs}"
+
+    from_port = 443
+    to_port   = 443
+    protocol  = "tcp"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${local.common_tags}"
+}
diff --git a/terraform.tfstate b/terraform.tfstate
@@ -1,7 +1,7 @@
 {
   "version": 4,
-  "terraform_version": "0.13.2",
-  "serial": 14,
+  "terraform_version": "0.15.3",
+  "serial": 49,
   "lineage": "60a04a52-2c24-ec3b-9ab1-dd2c08731279",
   "outputs": {},
   "resources": []
diff --git a/variables.tf b/variables.tf
@@ -27,6 +27,11 @@ variable "allow_ssh_from_cidrs" {
     default = ["0.0.0.0/0"]
 }
 
+variable "allow_api_from_cidrs" {
+    description = "List of CIDRs allowed to connect to API"
+    default = ["0.0.0.0/0"]
+}
+
 variable "tag_name" {
     description = "Value of the tags Name to apply to all resources"
     default = "DBLABserver"
diff --git a/vpc.tf b/vpc.tf
@@ -0,0 +1,18 @@
+/**
+ * Establish & Configure the AWS VPC that the DLE
+ * and other Postgres.ai products will reside within
+ */
+
+# Note that for now, we are simply adopting the default
+# VPC. Future work should establish independent and dedicated
+# VPC for Database Lab Engine.
+
+resource "aws_default_vpc" "dle_vpc" {
+  tags = {
+    Name = "Default VPC"
+  }
+}
+
+data "aws_subnet_ids" "dle_vpc_subnets" {
+  vpc_id = aws_default_vpc.dle_vpc.id
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`resource "aws_instance" "aws_ec2" {`
`2`	`2`	`ami = "${data.aws_ami.ami.id}"`
`3`	`3`	`instance_type = "${var.instance_type}"`
`4`		`- security_groups = ["${aws_security_group.sg.name}"]`
	`4`	`+ security_groups = ["${aws_security_group.dle_instance_sg.name}"]`
`5`	`5`	`key_name = "${var.keypair}"`
`6`	`6`	`tags = "${local.common_tags}"`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ terraform {`
`11`	`11`	`provider "aws" {`
`12`	`12`	`region = "${var.aws_region}"`
`13`	`13`	`}`
	`14`	`+`
`14`	`15`	`locals {`
`15`	`16`	`common_tags = {`
`16`	`17`	`Name = "${var.tag_name}"`