Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add support for creating a security group along with the load balancer #273

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.77.0
rev: v1.77.1
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
Expand Down
10 changes: 10 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -320,13 +320,16 @@ No modules.
| [aws_lb_listener_rule.https_listener_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
| [aws_lb_target_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_logs"></a> [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no |
| <a name="input_create_lb"></a> [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no |
| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
| <a name="input_desync_mitigation_mode"></a> [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. | `string` | `"defensive"` | no |
| <a name="input_drop_invalid_header_fields"></a> [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no |
| <a name="input_enable_cross_zone_load_balancing"></a> [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no |
Expand Down Expand Up @@ -355,6 +358,11 @@ No modules.
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. Cannot be longer than 6 characters | `string` | `null` | no |
| <a name="input_preserve_host_header"></a> [preserve\_host\_header](#input\_preserve\_host\_header) | Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false. | `bool` | `false` | no |
| <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
| <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | Security group rules to add to the security group created | `any` | `{}` | no |
| <a name="input_security_group_tags"></a> [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
| <a name="input_security_group_use_name_prefix"></a> [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no |
| <a name="input_subnet_mapping"></a> [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. ['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no |
Expand All @@ -376,6 +384,8 @@ No modules.
| <a name="output_lb_dns_name"></a> [lb\_dns\_name](#output\_lb\_dns\_name) | The DNS name of the load balancer |
| <a name="output_lb_id"></a> [lb\_id](#output\_lb\_id) | The ID and ARN of the load balancer we created |
| <a name="output_lb_zone_id"></a> [lb\_zone\_id](#output\_lb\_zone\_id) | The zone\_id of the load balancer to assist with creating DNS records |
| <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
| <a name="output_target_group_arn_suffixes"></a> [target\_group\_arn\_suffixes](#output\_target\_group\_arn\_suffixes) | ARN suffixes of our target groups - can be used with CloudWatch |
| <a name="output_target_group_arns"></a> [target\_group\_arns](#output\_target\_group\_arns) | ARNs of the target groups. Useful for passing to your Auto Scaling group |
| <a name="output_target_group_attachments"></a> [target\_group\_attachments](#output\_target\_group\_attachments) | ARNs of the target group attachment IDs |
Expand Down
10 changes: 4 additions & 6 deletions examples/complete-alb/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,15 +22,13 @@ Note that this example may create resources which cost money. Run `terraform des
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.27 |
| <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

## Modules

Expand All @@ -41,7 +39,7 @@ Note that this example may create resources which cost money. Run `terraform des
| <a name="module_lambda_with_allowed_triggers"></a> [lambda\_with\_allowed\_triggers](#module\_lambda\_with\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 |
| <a name="module_lambda_without_allowed_triggers"></a> [lambda\_without\_allowed\_triggers](#module\_lambda\_without\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 |
| <a name="module_lb_disabled"></a> [lb\_disabled](#module\_lb\_disabled) | ../../ | n/a |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
| <a name="module_wildcard_cert"></a> [wildcard\_cert](#module\_wildcard\_cert) | terraform-aws-modules/acm/aws | ~> 3.0 |

## Resources
Expand All @@ -53,11 +51,9 @@ Note that this example may create resources which cost money. Run `terraform des
| [aws_cognito_user_pool_domain.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_domain) | resource |
| [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
| [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |

## Inputs

Expand All @@ -76,6 +72,8 @@ No inputs.
| <a name="output_lb_dns_name"></a> [lb\_dns\_name](#output\_lb\_dns\_name) | The DNS name of the load balancer. |
| <a name="output_lb_id"></a> [lb\_id](#output\_lb\_id) | The ID and ARN of the load balancer we created. |
| <a name="output_lb_zone_id"></a> [lb\_zone\_id](#output\_lb\_zone\_id) | The zone\_id of the load balancer to assist with creating DNS records. |
| <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
| <a name="output_target_group_arn_suffixes"></a> [target\_group\_arn\_suffixes](#output\_target\_group\_arn\_suffixes) | ARN suffixes of our target groups - can be used with CloudWatch. |
| <a name="output_target_group_arns"></a> [target\_group\_arns](#output\_target\_group\_arns) | ARNs of the target groups. Useful for passing to your Auto Scaling group. |
| <a name="output_target_group_attachments"></a> [target\_group\_attachments](#output\_target\_group\_attachments) | ARNs of the target group attachment IDs. |
Expand Down
206 changes: 116 additions & 90 deletions examples/complete-alb/main.tf
Original file line number Diff line number Diff line change
@@ -1,107 +1,66 @@
provider "aws" {
region = "eu-west-1"
}

locals {
domain_name = "terraform-aws-modules.modules.tf"
}

##################################################################
# Data sources to get VPC and subnets
##################################################################
data "aws_vpc" "default" {
default = true
}

data "aws_subnets" "all" {
filter {
name = "vpc-id"
values = [data.aws_vpc.default.id]
}
}

resource "random_pet" "this" {
length = 2
}

data "aws_route53_zone" "this" {
name = local.domain_name
region = local.region
}

module "security_group" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 4.0"

name = "alb-sg-${random_pet.this.id}"
description = "Security group for example usage with ALB"
vpc_id = data.aws_vpc.default.id

ingress_cidr_blocks = ["0.0.0.0/0"]
ingress_rules = ["http-80-tcp", "all-icmp"]
egress_rules = ["all-all"]
}
data "aws_availability_zones" "available" {}

#module "log_bucket" {
# source = "terraform-aws-modules/s3-bucket/aws"
# version = "~> 3.0"
#
# bucket = "logs-${random_pet.this.id}"
# acl = "log-delivery-write"
# force_destroy = true
# attach_elb_log_delivery_policy = true
#}

module "acm" {
source = "terraform-aws-modules/acm/aws"
version = "~> 3.0"

domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".")
zone_id = data.aws_route53_zone.this.id
}
locals {
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"

module "wildcard_cert" {
source = "terraform-aws-modules/acm/aws"
version = "~> 3.0"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)

domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".")
zone_id = data.aws_route53_zone.this.id
}

##################################################################
# AWS Cognito User Pool
##################################################################
resource "aws_cognito_user_pool" "this" {
name = "user-pool-${random_pet.this.id}"
}

resource "aws_cognito_user_pool_client" "this" {
name = "user-pool-client-${random_pet.this.id}"
user_pool_id = aws_cognito_user_pool.this.id
generate_secret = true
allowed_oauth_flows = ["code", "implicit"]
callback_urls = ["https://${local.domain_name}/callback"]
allowed_oauth_scopes = ["email", "openid"]
allowed_oauth_flows_user_pool_client = true
}
domain_name = "terraform-aws-modules.modules.tf"

resource "aws_cognito_user_pool_domain" "this" {
domain = random_pet.this.id
user_pool_id = aws_cognito_user_pool.this.id
tags = {
Example = local.name
GithubRepo = "terraform-aws-alb"
GithubOrg = "terraform-aws-modules"
}
}

##################################################################
# Application Load Balancer
##################################################################

module "alb" {
source = "../../"

name = "complete-alb-${random_pet.this.id}"
name = local.name

load_balancer_type = "application"

vpc_id = data.aws_vpc.default.id
security_groups = [module.security_group.security_group_id]
subnets = data.aws_subnets.all.ids
vpc_id = module.vpc.vpc_id
subnets = module.vpc.public_subnets
# Attach security groups
security_groups = [module.vpc.default_security_group_id]
# Attach rules to the created security group
security_group_rules = {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add back the line and the call to security-group module as an example:

security_groups = [module.security_group.security_group_id]

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re-added in 0ad1649

ingress_all_http = {
type = "ingress"
from_port = 80
to_port = 80
protocol = "http"
description = "HTTP web traffic"
cidr_blocks = ["0.0.0.0/0"]
}
ingress_all_icmp = {
type = "ingress"
from_port = -1
to_port = -1
protocol = "icmp"
description = "ICMP"
cidr_blocks = ["0.0.0.0/0"]
}
egress_all = {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

# # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987)
# access_logs = {
Expand Down Expand Up @@ -158,7 +117,7 @@ module "alb" {
prompt = "login"
}
on_unauthenticated_request = "authenticate"
session_cookie_name = "session-${random_pet.this.id}"
session_cookie_name = "session-${local.name}"
session_timeout = 3600
user_pool_arn = aws_cognito_user_pool.this.arn
user_pool_client_id = aws_cognito_user_pool_client.this.id
Expand Down Expand Up @@ -202,7 +161,7 @@ module "alb" {
type = "authenticate-cognito"

on_unauthenticated_request = "authenticate"
session_cookie_name = "session-${random_pet.this.id}"
session_cookie_name = "session-${local.name}"
session_timeout = 3600
user_pool_arn = aws_cognito_user_pool.this.arn
user_pool_client_id = aws_cognito_user_pool_client.this.id
Expand Down Expand Up @@ -465,6 +424,7 @@ module "alb" {
#########################
# LB will not be created
#########################

module "lb_disabled" {
source = "../../"

Expand All @@ -474,6 +434,7 @@ module "lb_disabled" {
##################
# Extra resources
##################

data "aws_ami" "amazon_linux" {
most_recent = true

Expand Down Expand Up @@ -524,7 +485,7 @@ module "lambda_with_allowed_triggers" {
source = "terraform-aws-modules/lambda/aws"
version = "~> 3.0"

function_name = "${random_pet.this.id}-with-allowed-triggers"
function_name = "${local.name}-with-allowed-triggers"
description = "My awesome lambda function (with allowed triggers)"
handler = "index.lambda_handler"
runtime = "python3.8"
Expand All @@ -548,7 +509,7 @@ module "lambda_without_allowed_triggers" {
source = "terraform-aws-modules/lambda/aws"
version = "~> 3.0"

function_name = "${random_pet.this.id}-without-allowed-triggers"
function_name = "${local.name}-without-allowed-triggers"
description = "My awesome lambda function (without allowed triggers)"
handler = "index.lambda_handler"
runtime = "python3.8"
Expand All @@ -563,3 +524,68 @@ module "lambda_without_allowed_triggers" {

depends_on = [null_resource.download_package]
}

##################################################################
# Data sources to get VPC and subnets
##################################################################

module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"

name = local.name
cidr = local.vpc_cidr

azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]

enable_nat_gateway = true
single_nat_gateway = true
enable_dns_hostnames = true

tags = local.tags
}

data "aws_route53_zone" "this" {
name = local.domain_name
}

module "acm" {
source = "terraform-aws-modules/acm/aws"
version = "~> 3.0"

domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".")
zone_id = data.aws_route53_zone.this.id
}

module "wildcard_cert" {
source = "terraform-aws-modules/acm/aws"
version = "~> 3.0"

domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".")
zone_id = data.aws_route53_zone.this.id
}

##################################################################
# AWS Cognito User Pool
##################################################################

resource "aws_cognito_user_pool" "this" {
name = "user-pool-${local.name}"
}

resource "aws_cognito_user_pool_client" "this" {
name = "user-pool-client-${local.name}"
user_pool_id = aws_cognito_user_pool.this.id
generate_secret = true
allowed_oauth_flows = ["code", "implicit"]
callback_urls = ["https://${local.domain_name}/callback"]
allowed_oauth_scopes = ["email", "openid"]
allowed_oauth_flows_user_pool_client = true
}

resource "aws_cognito_user_pool_domain" "this" {
domain = local.name
user_pool_id = aws_cognito_user_pool.this.id
}
14 changes: 14 additions & 0 deletions examples/complete-alb/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -62,3 +62,17 @@ output "target_group_attachments" {
description = "ARNs of the target group attachment IDs."
value = module.alb.target_group_attachments
}

################################################################################
# Security Group
################################################################################

output "security_group_arn" {
description = "Amazon Resource Name (ARN) of the security group"
value = module.alb.security_group_arn
}

output "security_group_id" {
description = "ID of the security group"
value = module.alb.security_group_id
}
4 changes: 0 additions & 4 deletions examples/complete-alb/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,6 @@ terraform {
source = "hashicorp/aws"
version = ">= 4.27"
}
random = {
source = "hashicorp/random"
version = ">= 2.0"
}
null = {
source = "hashicorp/null"
version = ">= 2.0"
Expand Down
Loading