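#tfsec:ignore:AWS005 tfsec:ignore:AWS083 tfsec:ignore:AWS004
# Application Load Balancer in front of the service, built from the community
# ALB module.
#
# tfsec suppressions: AWS005 (load balancer may be internet-facing; controlled
# by var.alb_internal) and AWS004 (a plaintext HTTP listener exists, but it
# only issues a 301 redirect to HTTPS). AWS083 is suppressed too even though
# drop_invalid_header_fields is set below, so that suppression looks
# redundant — NOTE(review): confirm against the tfsec version in use.
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "6.6.1"

  # ALB names are limited to 32 characters and may only contain alphanumerics
  # and hyphens, so the caller-supplied name is normalised: underscores become
  # hyphens, the result is lower-cased and truncated to 32 characters.
  # (Truncation can leave a trailing hyphen, which AWS rejects — TODO confirm
  # whether var.name is validated upstream.)
  name = format("%.32s", lower(replace(var.name, "_", "-")))

  internal = var.alb_internal
  vpc_id   = local.vpc_id

  # Fall back to the public subnets of the VPC created by module.vpc when the
  # caller did not pin the ALB subnets explicitly.
  subnets = length(var.vpc_alb_subnets) == 0 ? module.vpc[0].public_subnets : var.vpc_alb_subnets

  # The ALB's own security group (its rules are declared further down in this
  # file) plus any extra groups supplied by the caller.
  security_groups = flatten([
    aws_security_group.alb.id,
    var.alb_additional_sgs,
  ])

  access_logs = {
    enabled = var.alb_logging_enabled
    bucket  = var.alb_log_bucket_name
    prefix  = var.alb_log_location_prefix
  }

  # Strip HTTP headers with invalid field names instead of forwarding them to
  # the targets.
  drop_invalid_header_fields = true

  # Restricted, forward-secrecy, TLS 1.2-only policy for the HTTPS listener.
  listener_ssl_policy_default = "ELBSecurityPolicy-FS-1-2-Res-2020-10"

  # Port 80 exists only to send clients permanently to HTTPS; no plaintext
  # traffic is forwarded to a target.
  http_tcp_listeners = [
    {
      port        = 80
      protocol    = "HTTP"
      action_type = "redirect"
      redirect = {
        port        = 443
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    },
  ]

  https_listeners = [
    {
      port            = 443
      protocol        = "HTTPS"
      certificate_arn = local.certificate_arn
    },
  ]

  target_groups = [
    {
      # Target group names follow the same AWS rules as ALB names (max 32
      # characters, alphanumerics and hyphens only). Previously var.name was
      # used verbatim, so a name with underscores or more than 32 characters
      # passed for the ALB but failed for the target group. Apply the same
      # replacement and truncation here; case is deliberately kept so that
      # every name that already works is left unchanged.
      name                 = format("%.32s", replace(var.name, "_", "-"))
      backend_protocol     = "HTTP"
      backend_port         = 8080
      target_type          = "ip"
      # Drain window in seconds before a deregistered target is dropped.
      deregistration_delay = 10
    },
  ]

  tags = local.tags
}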
# Security group attached to the ALB. No inline ingress/egress blocks are
# declared here on purpose: the rules live in the standalone
# aws_security_group_rule resources below, and mixing the two styles on one
# group makes Terraform fight over the rule set.
resource "aws_security_group" "alb" {
  name        = format("%s-alb", var.name)
  description = "ALB SG for ${var.name}"
  vpc_id      = local.vpc_id

  # Caller tags plus a Name tag matching the group name.
  tags = merge(var.tags, { "Name" = format("%s-alb", var.name) })
}
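# Public HTTP ingress to the ALB (the port-80 listener only redirects to
# HTTPS). Wide-open source CIDR is intentional for a public listener, hence
# the tfsec AWS006 suppression.
resource "aws_security_group_rule" "alb_in_80" {
  security_group_id = aws_security_group.alb.id
  description       = "Allow the ALB to receive HTTP traffic from everywhere"
  type              = "ingress"
  # from_port/to_port describe a range: the previous "0".."80" admitted every
  # TCP port up to 80, not just HTTP. The ALB only listens on 80 and 443 so
  # the extra range was mostly dormant, but least privilege says expose only
  # the listener port.
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}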
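# Public HTTPS ingress to the ALB. Wide-open source CIDR is intentional for a
# public listener, hence the tfsec AWS006 suppression.
resource "aws_security_group_rule" "alb_in_443" {
  security_group_id = aws_security_group.alb.id
  description       = "Allow the ALB to receive HTTPS traffic from everywhere"
  type              = "ingress"
  # from_port/to_port describe a range: the previous "0".."443" admitted every
  # TCP port up to 443 (and overlapped the port-80 rule). Only the HTTPS
  # listener port is exposed now.
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}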
# Outbound traffic from the ALB: any TCP port to any destination (tfsec AWS007
# suppressed). The only traffic the ALB itself originates is towards the
# target group (backend port 8080 in module.alb) and its health checks, so
# this could be narrowed to that port and the VPC CIDR once the CIDR is
# available in this file — NOTE(review): confirm no other target ports are in
# use before tightening.
resource "aws_security_group_rule" "alb_out" {
  type              = "egress"
  security_group_id = aws_security_group.alb.id
  description       = "Allow the ALB to send traffic to everywhere"
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:AWS007
}