From db7e7bf804b106b1de59a3c881665929a9b3011e Mon Sep 17 00:00:00 2001 From: mamrajyadav Date: Mon, 28 Aug 2023 21:29:44 +0530 Subject: [PATCH] fix: update main.tf, version.tf and github action and add locals in example --- .editorconfig | 30 ++ .github/CODEOWNERS | 2 +- .github/workflows/auto_assignee.yml | 4 +- .github/workflows/readme.yml | 2 +- .github/workflows/tflint.yml | 4 +- .github/workflows/tfsec.yml | 2 +- README.yaml | 3 + _example/alb/{main.tf => example.tf} | 126 +++--- _example/alb/outputs.tf | 12 +- _example/alb/versions.tf | 4 +- _example/clb/{main.tf => example.tf} | 95 ++--- _example/clb/outputs.tf | 19 +- _example/clb/versions.tf | 6 +- _example/nlb/{main.tf => exampe.tf} | 133 +++--- _example/nlb/outputs.tf | 20 + _example/nlb/versions.tf | 6 +- main.tf | 597 +++++++++++++++++++++++++-- outputs.tf | 12 +- variables.tf | 185 ++++++++- versions.tf | 6 +- 20 files changed, 1003 insertions(+), 265 deletions(-) create mode 100644 .editorconfig rename _example/alb/{main.tf => example.tf} (67%) rename _example/clb/{main.tf => example.tf} (62%) rename _example/nlb/{main.tf => exampe.tf} (60%) diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..88cb251 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,30 @@ +# EditorConfig is awesome: http://EditorConfig.org +# Uses editorconfig to maintain consistent coding styles + +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +charset = utf-8 +end_of_line = lf +indent_size = 2 +indent_style = space +insert_final_newline = true +max_line_length = 80 +trim_trailing_whitespace = true + +[*.{tf,tfvars}] +indent_size = 2 +indent_style = space + +[*.md] +max_line_length = 0 +trim_trailing_whitespace = false + +[Makefile] +tab_width = 2 +indent_style = tab + +[COMMIT_EDITMSG] +max_line_length = 0 diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 231c9a6..57bdcfa 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -1,2 +1,2 @@ # These owners will be the default owners for everything in the repo. -* @anmolnagpal @clouddrove/approvers @clouddrove-ci +* @anmolnagpal @clouddrove/approvers @clouddrove-ci diff --git a/.github/workflows/auto_assignee.yml b/.github/workflows/auto_assignee.yml index 77d5fdf..a07d2fa 100644 --- a/.github/workflows/auto_assignee.yml +++ b/.github/workflows/auto_assignee.yml @@ -1,9 +1,7 @@ name: Auto Assign PRs - on: pull_request: types: [opened, reopened] - workflow_dispatch: jobs: assignee: @@ -11,4 +9,4 @@ jobs: secrets: GITHUB: ${{ secrets.GITHUB }} with: - assignees: 'clouddrove-ci' \ No newline at end of file + assignees: 'clouddrove-ci' diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml index 620e712..2ff513e 100644 --- a/.github/workflows/readme.yml +++ b/.github/workflows/readme.yml @@ -3,7 +3,6 @@ on: push: branches: - master - jobs: readme: name: 'readme-create' @@ -25,6 +24,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: 'pre-commit check errors' uses: pre-commit/action@v3.0.0 continue-on-error: true diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml index d1b5a64..ee98182 100644 --- a/.github/workflows/tflint.yml +++ b/.github/workflows/tflint.yml @@ -5,7 +5,7 @@ on: pull_request: workflow_dispatch: jobs: - tflint: - uses: clouddrove/test-tfsec/.github/workflows/tflint.yaml@master + tf-lint: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@master secrets: GITHUB: ${{ secrets.GITHUB }} \ No newline at end of file diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 9aaf588..c203751 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -8,4 +8,4 @@ jobs: uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master secrets: inherit with: - working_directory: '.' \ No newline at end of file + working_directory: '.' diff --git a/README.yaml b/README.yaml index e582f59..784812d 100644 
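Review bot: The new reusable-workflow reference in tflint.yml, `uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@master`, points at a mutable branch, so whatever lands on that branch later runs on every pull request with this repository's `secrets.GITHUB`; the unchanged `@master` reference in tfsec.yml, which uses `secrets: inherit`, has the same exposure. Pinning both to a release tag or a full commit SHA keeps the CI supply chain reviewable and lets upgrades go through a diff. The tflint hunk also still ends with `\ No newline at end of file`, which the sibling auto_assignee and tfsec hunks fix for their files.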
--- a/README.yaml +++ b/README.yaml @@ -25,6 +25,9 @@ badges: image: "https://img.shields.io/badge/License-APACHE-blue.svg" url: "LICENSE.md" +prerequesties: + - name: Terraform 1.5.3 + url: https://learn.hashicorp.com/terraform/getting-started/install.html # description of this project description: |- This terraform module is used to create ALB on AWS. diff --git a/_example/alb/main.tf b/_example/alb/example.tf similarity index 67% rename from _example/alb/main.tf rename to _example/alb/example.tf index b42c10d..7c7ec0c 100644 --- a/_example/alb/main.tf +++ b/_example/alb/example.tf @@ -1,10 +1,12 @@ -##--------------------------------------------------------------------------------------------------------------------------- -## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS. -##-------------------------------------------------------------------------------------------------------------------------- provider "aws" { region = "eu-west-1" } +locals { + name = "alb" + environment = "test" +} + ##--------------------------------------------------------------------------------------------------------------------------- ## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center. ##-------------------------------------------------------------------------------------------------------------------------- @@ -12,11 +14,9 @@ module "vpc" { source = "clouddrove/vpc/aws" version = "2.0.0" - name = "vpc" - environment = "test" - label_order = ["name", "environment"] - - cidr_block = "172.16.0.0/16" + name = local.name + environment = local.environment + cidr_block = "172.16.0.0/16" } ##----------------------------------------------------- 
@@ -26,10 +26,8 @@ module "public_subnets" { source = "clouddrove/subnet/aws" version = "2.0.0" - name = "public-subnet" - environment = "test" - label_order = ["name", "environment"] - + name = local.name + environment = local.environment availability_zones = ["eu-west-1b", "eu-west-1c"] type = "public" vpc_id = module.vpc.vpc_id 
@@ -38,47 +36,14 @@ module "public_subnets" { ipv6_cidr_block = module.vpc.ipv6_cidr_block } -##----------------------------------------------------- -## An AWS security group acts as a virtual firewall for incoming and outgoing traffic with http-https. -##----------------------------------------------------- -module "http_https" { - source = "clouddrove/security-group/aws" - version = "2.0.0" - - name = "http-https" - environment = "test" - label_order = ["name", "environment"] - - vpc_id = module.vpc.vpc_id - allowed_ip = ["0.0.0.0/0"] - allowed_ports = [80, 443] -} - -##----------------------------------------------------- -## An AWS security group acts as a virtual firewall for incoming and outgoing traffic with ssh. -##----------------------------------------------------- -module "ssh" { - source = "clouddrove/security-group/aws" - version = "2.0.0" - - name = "ssh" - environment = "test" - label_order = ["name", "environment"] - vpc_id = module.vpc.vpc_id - allowed_ip = [module.vpc.vpc_cidr_block] - allowed_ports = [22] -} - ##----------------------------------------------------- ## When your trusted identities assume IAM roles, they are granted only the permissions scoped by those IAM roles. ##----------------------------------------------------- module "iam-role" { - source = "clouddrove/iam-role/aws" - version = "1.3.0" - name = "iam-role" - environment = "test" - label_order = ["name", "environment"] - + source = "clouddrove/iam-role/aws" + version = "1.3.0" + name = local.name + environment = local.environment assume_role_policy = data.aws_iam_policy_document.default.json policy_enabled = true policy = data.aws_iam_policy_document.iam-policy.json 
@@ -112,19 +77,19 @@ data "aws_iam_policy_document" "iam-policy" { ## Amazon EC2 provides cloud hosted virtual machines, called "instances", to run applications. ##----------------------------------------------------- module "ec2" { - source = "clouddrove/ec2/aws" - version = "1.3.0" - - name = "ec2-instance" - environment = "test" - label_order = ["name", "environment"] - + source = "git::https://github.com/clouddrove/terraform-aws-ec2.git?ref=master" + + name = local.name + environment = local.environment + vpc_id = module.vpc.vpc_id + ssh_allowed_ip = ["0.0.0.0/0"] + ssh_allowed_ports = [22] + public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmPuPTJ58AMvweGBuAqKX+tkb0ylYq5k6gPQnl6+ivQ8i/jsUJ+juI7q/7vSoTpd0k9Gv7DkjGWg1527I+LJeropVSaRqwDcrnuM1IfUCu0QdRoU8e0sW7kQGnwObJhnRcxiGPa1inwnneq9zdXK8BGgV2E4POKdwbEBlmjZmW8j4JMnCsLvZ4hxBjZB/3fnvHhn7UCqd2C6FhOz9k+aK2kxXHxdDdO9BzKqtvm5dSAxHhw6nDHSU+cHupjiiY/SvmFH0QpR5Fn1kyZH7DxV4D8R9wvP9jKZe/RRTEkB2HY7FpVNz/EqO/z5bv7japQ5LZY1fFOK47S5KVo20y12XwkBcHeL5Bc8MuKt552JSRH7KKxvr2KD9QN5lCc0sOnQnlOK0INGHeIY4WnUSBvlVd4aOAJa4xE2PP0/kbDMAZfO6ET5OIlZF+X7n5VCYyxNJLWbx4opFIcpWgINz4m/GkArB4p4KeF+pc84rX5GkM4fn5SsMMpJTZmhhJYA2YW/E= mamraj@mamraj" instance_count = 2 ami = "ami-08d658f84a6d84a80" instance_type = "t2.nano" monitoring = true tenancy = "default" - vpc_security_group_ids_list = [module.ssh.security_group_ids, module.http_https.security_group_ids] subnet_ids = tolist(module.public_subnets.public_subnet_id) iam_instance_profile = module.iam-role.name assign_eip_address = true @@ -139,9 +104,8 @@ module "ec2" { module "acm" { source = "clouddrove/acm/aws" version = "1.3.0" - name = "certificate" - environment = "test" - label_order = ["name", "environment"] + name = local.name + environment = local.environment enable_aws_certificate = true domain_name = "clouddrove.ca" 
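Review bot: `ssh_allowed_ip = ["0.0.0.0/0"]` together with `ssh_allowed_ports = [22]` in the ec2 module call opens SSH to the whole internet, whereas the `ssh` security-group module removed earlier in this file was restricted to `module.vpc.vpc_cidr_block`; `ssh_allowed_ip = [module.vpc.vpc_cidr_block]` keeps that scope. The module source also moves from the pinned registry release `version = "1.3.0"` to `git::https://github.com/clouddrove/terraform-aws-ec2.git?ref=master`, so the example floats with that branch; a tag or commit in `ref=` keeps it reproducible. The inline `public_key` is one person's key (comment `mamraj@mamraj`), and loading it from a variable or `file()` would avoid shipping that key in a published example. The same three points apply to the ec2 hunks in `_example/clb/example.tf` and `_example/nlb/exampe.tf`.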
@@ -156,15 +120,16 @@ module "acm" { module "alb" { source = "./../../" - name = "alb" + name = local.name enable = true internal = true load_balancer_type = "application" instance_count = module.ec2.instance_count - security_groups = [module.ssh.security_group_ids, module.http_https.security_group_ids] subnets = module.public_subnets.public_subnet_id target_id = module.ec2.instance_id vpc_id = module.vpc.vpc_id + allowed_ip = [module.vpc.vpc_cidr_block] + allowed_ports = [3306] listener_certificate_arn = module.acm.arn enable_deletion_protection = false with_target_group = true @@ -173,6 +138,34 @@ module "alb" { https_port = 443 listener_type = "forward" target_group_port = 80 + + http_tcp_listeners = [ + { + port = 80 + protocol = "TCP" + target_group_index = 0 + }, + { + port = 81 + protocol = "TCP" + target_group_index = 0 + }, + ] + https_listeners = [ + { + port = 443 + protocol = "TLS" + target_group_index = 0 + certificate_arn = module.acm.arn + }, + { + port = 84 + protocol = "TLS" + target_group_index = 0 + certificate_arn = module.acm.arn + }, + ] + target_groups = [ { backend_protocol = "HTTP" @@ -192,4 +185,11 @@ module "alb" { } } ] -} \ No newline at end of file + + extra_ssl_certs = [ + { + https_listener_index = 0 + certificate_arn = module.acm.arn + } + ] +} diff --git a/_example/alb/outputs.tf b/_example/alb/outputs.tf index 50b38aa..651e7c2 100644 --- a/_example/alb/outputs.tf +++ b/_example/alb/outputs.tf @@ -11,4 +11,14 @@ output "tags" { output "main_target_group_arn" { value = module.alb[*].main_target_group_arn description = "The ARN target of the ALB" -} \ No newline at end of file +} + +output "dns_name" { + value = module.alb.dns_name + description = "The DNS name of the load balancer." +} + +output "zone_id" { + value = module.alb.zone_id + description = "The zone_id of the load balancer to assist with creating DNS records." +} diff --git a/_example/alb/versions.tf b/_example/alb/versions.tf index 5a227cd..5b25067 100644 
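Review bot: `allowed_ports = [3306]` with `allowed_ip = [module.vpc.vpc_cidr_block]` is the only ingress the module-managed security group receives, yet the listeners configured in this file sit on ports 80, 81, 443 and 84, so none of them is reachable through that group; the replaced `http_https` module allowed 80 and 443, so `allowed_ports = [80, 443]` is presumably what was meant. The added `http_tcp_listeners` entries use `protocol = "TCP"` and the `https_listeners` entries `protocol = "TLS"` on a `load_balancer_type = "application"` balancer, which only accepts HTTP and HTTPS listeners — these look copied from the nlb example and will fail at apply. The `module "alb"` block starts outside the hunk.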
--- a/_example/alb/versions.tf +++ b/_example/alb/versions.tf @@ -1,11 +1,11 @@ # Terraform version terraform { - required_version = ">= 1.5.0" + required_version = ">= 1.5.5" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.9.0" + version = ">= 5.13.1" } } } \ No newline at end of file diff --git a/_example/clb/main.tf b/_example/clb/example.tf similarity index 62% rename from _example/clb/main.tf rename to _example/clb/example.tf index 0e483f1..034e29a 100644 --- a/_example/clb/main.tf +++ b/_example/clb/example.tf 
@@ -1,35 +1,31 @@ -##--------------------------------------------------------------------------------------------------------------------------- -## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS. -##-------------------------------------------------------------------------------------------------------------------------- provider "aws" { region = "eu-west-1" } +locals { + name = "clb" + environment = "test" +} + ##--------------------------------------------------------------------------------------------------------------------------- ## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center. ##-------------------------------------------------------------------------------------------------------------------------- module "vpc" { - source = "clouddrove/vpc/aws" - version = "2.0.0" - - name = "vpc" - environment = "test" - label_order = ["name", "environment"] - - cidr_block = "172.16.0.0/16" + source = "clouddrove/vpc/aws" + version = "2.0.0" + name = local.name + environment = local.environment + cidr_block = "172.16.0.0/16" } ##----------------------------------------------------- ## A subnet is a range of IP addresses in your VPC. ##----------------------------------------------------- module "public_subnets" { - source = "clouddrove/subnet/aws" - version = "2.0.0" - - name = "public-subnet" - environment = "test" - label_order = ["name", "environment"] - + source = "clouddrove/subnet/aws" + version = "2.0.0" + name = local.name + environment = local.environment availability_zones = ["eu-west-1b", "eu-west-1c"] type = "public" vpc_id = module.vpc.vpc_id 
@@ -38,50 +34,15 @@ module "public_subnets" { ipv6_cidr_block = module.vpc.ipv6_cidr_block } -##----------------------------------------------------- -## An AWS security group acts as a virtual firewall for incoming and outgoing traffic with http-https. -##----------------------------------------------------- -module "http_https" { - source = "clouddrove/security-group/aws" - version = "2.0.0" - - - name = "http-https" - environment = "test" - label_order = ["name", "environment"] - - vpc_id = module.vpc.vpc_id - allowed_ip = ["0.0.0.0/0"] - allowed_ports = [80, 443] -} - -##----------------------------------------------------- -## An AWS security group acts as a virtual firewall for incoming and outgoing traffic with ssh. -##----------------------------------------------------- -module "ssh" { - source = "clouddrove/security-group/aws" - version = "2.0.0" - - name = "ssh" - environment = "test" - label_order = ["name", "environment"] - - vpc_id = module.vpc.vpc_id - allowed_ip = [module.vpc.vpc_cidr_block] - allowed_ports = [22] -} ##----------------------------------------------------- ## When your trusted identities assume IAM roles, they are granted only the permissions scoped by those IAM roles. ##----------------------------------------------------- module "iam-role" { - source = "clouddrove/iam-role/aws" - version = "1.3.0" - - name = "iam-role" - environment = "test" - label_order = ["name", "environment"] - + source = "clouddrove/iam-role/aws" + version = "1.3.0" + name = local.name + environment = local.environment assume_role_policy = data.aws_iam_policy_document.default.json policy_enabled = true policy = data.aws_iam_policy_document.iam-policy.json 
@@ -115,19 +76,19 @@ data "aws_iam_policy_document" "iam-policy" { ## Amazon EC2 provides cloud hosted virtual machines, called "instances", to run applications. ##----------------------------------------------------- module "ec2" { - source = "clouddrove/ec2/aws" - version = "1.3.0" - - name = "ec2-instance" - environment = "test" - label_order = ["name", "environment"] + source = "git::https://github.com/clouddrove/terraform-aws-ec2.git?ref=master" + name = local.name + environment = local.environment + vpc_id = module.vpc.vpc_id + ssh_allowed_ip = ["0.0.0.0/0"] + ssh_allowed_ports = [22] instance_count = 2 ami = "ami-08d658f84a6d84a80" instance_type = "t2.nano" monitoring = false tenancy = "default" - vpc_security_group_ids_list = [module.ssh.security_group_ids, module.http_https.security_group_ids] + public_key = "ssh-rsa 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 mamraj@mamraj" subnet_ids = tolist(module.public_subnets.public_subnet_id) iam_instance_profile = module.iam-role.name assign_eip_address = true @@ -146,12 +107,12 @@ module "ec2" { module "clb" { source = "./../../" - name = "clb" + name = local.name load_balancer_type = "classic" clb_enable = true internal = true + vpc_id = module.vpc.vpc_id target_id = module.ec2.instance_id - security_groups = [module.ssh.security_group_ids, module.http_https.security_group_ids] subnets = module.public_subnets.public_subnet_id with_target_group = true listeners = [ @@ -175,4 +136,4 @@ module "clb" { health_check_interval = 30 health_check_unhealthy_threshold = 5 health_check_healthy_threshold = 5 -} \ No newline at end of file +} diff --git a/_example/clb/outputs.tf b/_example/clb/outputs.tf index e7adcec..b31032a 100644 --- a/_example/clb/outputs.tf +++ b/_example/clb/outputs.tf 
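Review bot: The `module "clb"` call drops `security_groups` and adds `vpc_id = module.vpc.vpc_id` but passes no `allowed_ip` or `allowed_ports`, so the security group that `main.tf` now creates for the balancer gets only whatever ingress the `variables.tf` defaults provide — those defaults are outside this view, and if they are empty the classic load balancer's listeners are unreachable. Passing `allowed_ip` and `allowed_ports` explicitly, as the alb example does, makes the example self-contained. The `module "clb"` block continues past the hunk.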
@@ -1,9 +1,24 @@ output "arn" { - value = module.clb[*].clb_arn + value = module.clb[*].arn description = "The ARN suffix of the ALB" } output "tags" { value = module.clb.tags description = "A mapping of tags to assign to the alb." -} \ No newline at end of file +} + +output "main_target_group_arn" { + value = module.clb[*].main_target_group_arn + description = "The ARN target of the ALB" +} + +output "dns_name" { + value = module.clb.dns_name + description = "The DNS name of the load balancer." +} + +output "zone_id" { + value = module.clb.zone_id + description = "The zone_id of the load balancer to assist with creating DNS records." +} diff --git a/_example/clb/versions.tf b/_example/clb/versions.tf index 5a227cd..c95376a 100644 --- a/_example/clb/versions.tf +++ b/_example/clb/versions.tf @@ -1,11 +1,11 @@ # Terraform version terraform { - required_version = ">= 1.5.0" + required_version = ">= 1.5.5" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.9.0" + version = ">= 5.13.1" } } -} \ No newline at end of file +} diff --git a/_example/nlb/main.tf b/_example/nlb/exampe.tf similarity index 60% rename from _example/nlb/main.tf rename to _example/nlb/exampe.tf index 0ddb8a5..2e97de4 100644 --- a/_example/nlb/main.tf +++ b/_example/nlb/exampe.tf 
@@ -1,35 +1,31 @@ -##--------------------------------------------------------------------------------------------------------------------------- -## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS. -##-------------------------------------------------------------------------------------------------------------------------- provider "aws" { region = "eu-west-1" } +locals { + name = "nlb" + environment = "test" +} + ##--------------------------------------------------------------------------------------------------------------------------- ## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center. ##-------------------------------------------------------------------------------------------------------------------------- module "vpc" { - source = "clouddrove/vpc/aws" - version = "2.0.0" - - name = "vpc" - environment = "test" - label_order = ["name", "environment"] - - cidr_block = "172.16.0.0/16" + source = "clouddrove/vpc/aws" + version = "2.0.0" + name = local.name + environment = local.environment + cidr_block = "172.16.0.0/16" } ##----------------------------------------------------- ## A subnet is a range of IP addresses in your VPC. ##----------------------------------------------------- module "public_subnets" { - source = "clouddrove/subnet/aws" - version = "2.0.0" - - name = "public-subnet" - environment = "test" - label_order = ["name", "environment"] - + source = "clouddrove/subnet/aws" + version = "2.0.0" + name = local.name + environment = local.environment availability_zones = ["eu-west-1b", "eu-west-1c"] type = "public" vpc_id = module.vpc.vpc_id 
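Review bot: The nlb example is renamed to `_example/nlb/exampe.tf` (see `rename to _example/nlb/exampe.tf` in the file header) while the alb and clb examples become `example.tf`, so the three examples no longer share a layout. Renaming it to `_example/nlb/example.tf` in this commit avoids a follow-up rename and keeps any tooling that globs the examples consistent.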
@@ -38,49 +34,14 @@ module "public_subnets" { ipv6_cidr_block = module.vpc.ipv6_cidr_block } -##----------------------------------------------------- -## An AWS security group acts as a virtual firewall for incoming and outgoing traffic with http-https. -##----------------------------------------------------- -module "http-https" { - source = "clouddrove/security-group/aws" - version = "2.0.0" - - name = "http-https" - environment = "test" - label_order = ["name", "environment"] - - vpc_id = module.vpc.vpc_id - allowed_ip = ["0.0.0.0/0"] - allowed_ports = [80, 443] -} - -##----------------------------------------------------- -## An AWS security group acts as a virtual firewall for incoming and outgoing traffic with ssh. -##----------------------------------------------------- -module "ssh" { - source = "clouddrove/security-group/aws" - version = "2.0.0" - - name = "ssh" - environment = "test" - label_order = ["name", "environment"] - - vpc_id = module.vpc.vpc_id - allowed_ip = [module.vpc.vpc_cidr_block] - allowed_ports = [22] -} - ##----------------------------------------------------- ## When your trusted identities assume IAM roles, they are granted only the permissions scoped by those IAM roles. ##----------------------------------------------------- module "iam-role" { - source = "clouddrove/iam-role/aws" - version = "1.3.0" - - name = "iam-role" - environment = "test" - label_order = ["name", "environment"] - + source = "clouddrove/iam-role/aws" + version = "1.3.0" + name = local.name + environment = local.environment assume_role_policy = data.aws_iam_policy_document.default.json policy_enabled = true 
@@ -115,19 +76,19 @@ data "aws_iam_policy_document" "iam-policy" { ## Amazon EC2 provides cloud hosted virtual machines, called "instances", to run applications. ##----------------------------------------------------- module "ec2" { - source = "clouddrove/ec2/aws" - version = "1.3.0" - - name = "ec2-instance" - environment = "test" - label_order = ["name", "environment"] + source = "git::https://github.com/clouddrove/terraform-aws-ec2.git?ref=master" + name = local.name + environment = local.environment instance_count = 1 ami = "ami-08d658f84a6d84a80" instance_type = "t2.nano" monitoring = false + vpc_id = module.vpc.vpc_id + ssh_allowed_ip = ["0.0.0.0/0"] + ssh_allowed_ports = [22] tenancy = "default" - vpc_security_group_ids_list = [module.ssh.security_group_ids, module.http-https.security_group_ids] + public_key = "ssh-rsa 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 mamraj@mamraj" subnet_ids = tolist(module.public_subnets.public_subnet_id) iam_instance_profile = module.iam-role.name assign_eip_address = true @@ -139,15 +100,29 @@ module "ec2" { ebs_volume_size = 30 } +module "acm" { + source = "clouddrove/acm/aws" + version = "1.3.0" + name = local.name + environment = local.environment + + enable_aws_certificate = true + domain_name = "clouddrove.ca" + subject_alternative_names = ["*.clouddrove.ca"] + validation_method = "DNS" + enable_dns_validation = false +} + + ##----------------------------------------------------------------------------- ## nlb module call. ##----------------------------------------------------------------------------- module "nlb" { source = "./../../" - name = "nlb" + name = local.name enable = true - internal = true + internal = false load_balancer_type = "network" instance_count = module.ec2.instance_count subnets = module.public_subnets.public_subnet_id @@ -161,6 +136,11 @@ module "nlb" { protocol = "TCP" target_group_index = 0 }, + { + port = 81 + protocol = "TCP" + target_group_index = 0 + }, ] target_groups = [ { 
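Review bot: `internal = true` becomes `internal = false`, making the example NLB internet-facing, and the instances behind it get `ssh_allowed_ip = ["0.0.0.0/0"]` in the same file; if a public example is intended, a comment above `internal = false` saying so would make the exposure deliberate rather than incidental. The added `module "acm"` sets `validation_method = "DNS"` with `enable_dns_validation = false`, so the certificate stays pending unless it is validated outside Terraform, and the `https_listeners` that reference `module.acm.arn` are then likely to fail to create on a fresh account; `enable_dns_validation = true` with a hosted zone, or a note describing the manual validation step, is needed. The `module "nlb"` block continues past the hunk.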
@@ -169,9 +149,24 @@ module "nlb" { target_type = "instance" }, { - backend_protocol = "TLS" - backend_port = 443 + backend_protocol = "TCP" + backend_port = 81 target_type = "instance" }, ] -} \ No newline at end of file + + https_listeners = [ + { + port = 443 + protocol = "TLS" + target_group_index = 0 + certificate_arn = module.acm.arn + }, + { + port = 84 + protocol = "TLS" + target_group_index = 0 + certificate_arn = module.acm.arn + }, + ] +} diff --git a/_example/nlb/outputs.tf b/_example/nlb/outputs.tf index 1fdb23a..c9e8805 100644 --- a/_example/nlb/outputs.tf +++ b/_example/nlb/outputs.tf @@ -7,3 +7,23 @@ output "tags" { value = module.nlb.tags description = "A mapping of tags to assign to the alb." } + +output "dns_name" { + value = module.nlb.dns_name + description = "The DNS name of the load balancer." +} + +output "zone_id" { + value = module.nlb.zone_id + description = "The zone_id of the load balancer to assist with creating DNS records." +} + +output "http_listener_arns" { + value = module.nlb.http_listener_arn + description = "The ARN of the TCP and HTTP load balancer listeners created." +} + +output "https_listener_arns" { + value = module.nlb.https_listener_arn + description = "The ARNs of the HTTPS load balancer listeners created." +} diff --git a/_example/nlb/versions.tf b/_example/nlb/versions.tf index 5a227cd..c95376a 100644 --- a/_example/nlb/versions.tf +++ b/_example/nlb/versions.tf @@ -1,11 +1,11 @@ # Terraform version terraform { - required_version = ">= 1.5.0" + required_version = ">= 1.5.5" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.9.0" + version = ">= 5.13.1" } } -} \ No newline at end of file +} diff --git a/main.tf b/main.tf index 4ef49dc..8e71389 100644 --- a/main.tf +++ b/main.tf 
@@ -2,9 +2,8 @@ ## Labels module callled that will be used for naming and tags. ##----------------------------------------------------------------------------- module "labels" { - source = "clouddrove/labels/aws" - version = "1.3.0" - + source = "clouddrove/labels/aws" + version = "1.3.0" name = var.name repository = var.repository environment = var.environment 
@@ -12,34 +11,101 @@ module "labels" { label_order = var.label_order } +##------------------------------------------------------------------------------ +## Below resources will create SECURITY-GROUP and its components. +##------------------------------------------------------------------------------ +resource "aws_security_group" "default" { + count = var.enable_security_group && length(var.sg_ids) < 1 ? 1 : 0 + + name = format("%s-sg", module.labels.id) + vpc_id = var.vpc_id + description = var.sg_description + tags = module.labels.tags + lifecycle { + create_before_destroy = true + } +} + +##------------------------------------------------------------------------------ +## Below resources will create SECURITY-GROUP-RULE and its components. +##------------------------------------------------------------------------------ +#tfsec:ignore:aws-ec2-no-public-egress-sgr +resource "aws_security_group_rule" "egress" { + count = (var.enable_security_group == true && length(var.sg_ids) < 1 && var.is_external == false && var.egress_rule == true) ? 1 : 0 + + description = var.sg_egress_description + type = "egress" + from_port = var.from_port + to_port = var.to_port + protocol = var.egress_protocol + cidr_blocks = var.cidr_blocks + security_group_id = join("", aws_security_group.default[*].id) +} +#tfsec:ignore:aws-ec2-no-public-egress-sgr +resource "aws_security_group_rule" "egress_ipv6" { + count = (var.enable_security_group == true && length(var.sg_ids) < 1 && var.is_external == false) && var.egress_rule == true ? 1 : 0 + + description = var.sg_egress_ipv6_description + type = "egress" + from_port = var.from_port + to_port = var.to_port + protocol = var.egress_protocol + ipv6_cidr_blocks = var.ipv6_cidr_blocks + security_group_id = join("", aws_security_group.default[*].id) +} + +resource "aws_security_group_rule" "ingress" { + count = length(var.allowed_ip) > 0 == true && length(var.sg_ids) < 1 ? 
length(compact(var.allowed_ports)) : 0 + + description = var.sg_ingress_description + type = "ingress" + from_port = element(var.allowed_ports, count.index) + to_port = element(var.allowed_ports, count.index) + protocol = var.protocol + cidr_blocks = var.allowed_ip + security_group_id = join("", aws_security_group.default[*].id) +} + ##----------------------------------------------------------------------------- ## A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets. ##----------------------------------------------------------------------------- resource "aws_lb" "main" { - count = var.enable ? 1 : 0 - name = module.labels.id - internal = var.internal - load_balancer_type = var.load_balancer_type - security_groups = var.security_groups - subnets = var.subnets - enable_deletion_protection = var.enable_deletion_protection - idle_timeout = var.idle_timeout - enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing - enable_http2 = var.enable_http2 - ip_address_type = var.ip_address_type - tags = module.labels.tags - drop_invalid_header_fields = true + count = var.enable ? 1 : 0 + name = module.labels.id + internal = var.internal + load_balancer_type = var.load_balancer_type + security_groups = length(var.sg_ids) < 1 ? 
aws_security_group.default[*].id : var.sg_ids + subnets = var.subnets + enable_deletion_protection = var.enable_deletion_protection + idle_timeout = var.idle_timeout + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + enable_http2 = var.enable_http2 + enable_tls_version_and_cipher_suite_headers = var.enable_tls_version_and_cipher_suite_headers + enable_xff_client_port = var.enable_xff_client_port + preserve_host_header = var.preserve_host_header + enable_waf_fail_open = var.enable_waf_fail_open + desync_mitigation_mode = var.desync_mitigation_mode + xff_header_processing_mode = var.xff_header_processing_mode + ip_address_type = var.ip_address_type + tags = module.labels.tags + drop_invalid_header_fields = true timeouts { create = var.load_balancer_create_timeout delete = var.load_balancer_delete_timeout update = var.load_balancer_update_timeout } - access_logs { - enabled = var.access_logs - bucket = var.log_bucket_name - prefix = module.labels.id + + dynamic "access_logs" { + for_each = length(var.access_logs) > 0 ? [var.access_logs] : [] + + content { + enabled = try(access_logs.value.enabled, try(access_logs.value.bucket, null) != null) + bucket = try(access_logs.value.bucket, null) + prefix = try(access_logs.value.prefix, null) + } } + dynamic "subnet_mapping" { for_each = var.subnet_mapping 
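Review bot: The `aws_security_group_rule.ingress` count, `length(var.allowed_ip) > 0 == true && length(var.sg_ids) < 1 ? length(compact(var.allowed_ports)) : 0`, does not consult `var.enable_security_group`, unlike `aws_security_group.default` and the two egress rules; with `enable_security_group = false`, an empty `sg_ids` and a non-empty `allowed_ip` the rule is still planned and its `security_group_id = join("", aws_security_group.default[*].id)` evaluates to `""`. Suggest `count = var.enable_security_group && length(var.sg_ids) < 1 && length(var.allowed_ip) > 0 ? length(compact(var.allowed_ports)) : 0` (the `> 0 == true` can go). In the same situation `aws_lb.main` receives an empty `security_groups` list and ends up with whatever AWS assigns by default rather than an explicit group; the `aws_elb.main` hunk repeats the same ternary, so a single `local.security_group_ids` plus a `validation` that one of `enable_security_group` or `sg_ids` is set would cover both balancers. Both egress rules carry `#tfsec:ignore:aws-ec2-no-public-egress-sgr` while the defaults for `var.cidr_blocks` and `var.ipv6_cidr_blocks` live in the `variables.tf` hunk outside this view; a one-line comment above each ignore stating why open egress is acceptable for the balancer keeps the suppression reviewable. The `aws_lb.main` block continues past the hunk.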
@@ -62,14 +128,42 @@ resource "aws_lb_listener" "https" { load_balancer_arn = element(aws_lb.main[*].arn, count.index) port = var.https_port protocol = var.listener_protocol - ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" + ssl_policy = var.ssl_policy certificate_arn = var.listener_certificate_arn default_action { target_group_arn = join("", aws_lb_target_group.main[*].arn) type = var.listener_type + dynamic "redirect" { + for_each = var.listener_https_fixed_response != null ? [var.listener_https_fixed_response] : [] + + content { + path = lookup(redirect.value, "path", null) + host = lookup(redirect.value, "host", null) + port = lookup(redirect.value, "port", null) + protocol = lookup(redirect.value, "protocol", null) + query = lookup(redirect.value, "query", null) + status_code = redirect.value["status_code"] + } + } + + dynamic "forward" { + for_each = var.listener_https_fixed_response != null ? [var.listener_https_fixed_response] : [] + + content { + dynamic "target_group" { + for_each = forward.value["target_groups"] + + content { + arn = aws_lb_target_group.main[target_group.value["target_group_index"]].id + weight = lookup(target_group.value, "weight", null) + } + } + } + } dynamic "fixed_response" { for_each = var.listener_https_fixed_response != null ? [var.listener_https_fixed_response] : [] + content { content_type = fixed_response.value["content_type"] message_body = fixed_response.value["message_body"] @@ -111,7 +205,7 @@ resource "aws_lb_listener" "nhttps" { port = var.https_listeners[count.index]["port"] protocol = lookup(var.https_listeners[count.index], "protocol", "HTTPS") certificate_arn = var.https_listeners[count.index]["certificate_arn"] - ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" + ssl_policy = var.ssl_policy default_action { target_group_arn = aws_lb_target_group.main[lookup(var.https_listeners[count.index], "target_group_index", count.index)].id type = "forward" 
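Review bot: The new `dynamic "redirect"` and `dynamic "forward"` blocks in `aws_lb_listener.https` are keyed on `var.listener_https_fixed_response != null`, the same condition as the existing `fixed_response` block, so any caller that sets a fixed response instantiates all three action blocks and the plan fails on `redirect.value["status_code"]` and `forward.value["target_groups"]` (a `default_action` can carry only one of them anyway). Each block needs its own input, e.g. `for_each = var.listener_https_redirect != null ? [var.listener_https_redirect] : []` with a corresponding forward variable (names illustrative), or one action object switched on `type`. `ssl_policy = var.ssl_policy` here and in the `aws_lb_listener.nhttps` hunk replaces the hard-coded `ELBSecurityPolicy-TLS-1-2-2017-01`; the variable's default sits in the `variables.tf` hunk outside this view and should be at least that strict so the change does not quietly relax the listeners. `aws_lb_listener.https` starts and ends outside the hunk.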
@@ -150,6 +244,10 @@ resource "aws_lb_target_group" "main" { lambda_multi_value_headers_enabled = lookup(var.target_groups[count.index], "lambda_multi_value_headers_enabled", null) preserve_client_ip = lookup(var.target_groups[count.index], "preserve_client_ip", null) load_balancing_algorithm_type = lookup(var.target_groups[count.index], "load_balancing_algorithm_type", null) + connection_termination = lookup(var.target_groups[count.index], "connection_termination", null) + ip_address_type = lookup(var.target_groups[count.index], "ip_address_type", null) + load_balancing_cross_zone_enabled = lookup(var.target_groups[count.index], "load_balancing_cross_zone_enabled", null) + dynamic "health_check" { for_each = length(keys(lookup(var.target_groups[count.index], "health_check", {}))) == 0 ? [] : [lookup(var.target_groups[count.index], "health_check", {})] @@ -180,7 +278,8 @@ resource "aws_lb_target_group" "main" { ## For attaching resources with Elastic Load Balancer (ELB), see the aws_elb_attachment resource. ##----------------------------------------------------------------------------- resource "aws_lb_target_group_attachment" "attachment" { - count = var.enable && var.with_target_group && var.load_balancer_type == "application" && var.target_type == "" ? var.instance_count : 0 +# count = var.enable && var.with_target_group && var.load_balancer_type == "application" && var.target_type == "" ? var.instance_count : 0 + count = var.enable && var.with_target_group && var.load_balancer_type == "application" ? length(var.https_listeners) : 0 target_group_arn = element(aws_lb_target_group.main[*].arn, count.index) target_id = element(var.target_id, count.index) 
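Review bot: The new `count` for `aws_lb_target_group_attachment.attachment` is `length(var.https_listeners)`, but each instance still registers `element(var.target_id, count.index)` into `element(aws_lb_target_group.main[*].arn, count.index)`, so the number of attachments is now driven by how many HTTPS listeners exist rather than by how many targets were supplied; with more listeners than targets `element()` wraps and the same target is registered again, and with no HTTPS listeners nothing is attached at all. `length(var.target_id)` (or the previous `var.instance_count`) is the quantity that matches those lookups. The `var.target_type == ""` guard was also dropped without explanation and the old expression left behind as `# count = …`; delete the commented-out line and state in the resource comment whether attachments are now intended for non-instance target types too. The resource may continue past the end of the hunk.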
@@ -208,7 +307,7 @@ resource "aws_elb" "main" { idle_timeout = var.idle_timeout connection_draining = var.connection_draining connection_draining_timeout = var.connection_draining_timeout - security_groups = var.security_groups + security_groups = length(var.sg_ids) < 1 ? aws_security_group.default[*].id : var.sg_ids subnets = var.subnets dynamic "listener" { for_each = var.listeners 
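Review bot: `security_groups = length(var.sg_ids) < 1 ? aws_security_group.default[*].id : var.sg_ids` evaluates to an empty list when `sg_ids` is empty and the module-managed group is disabled (`enable_security_group = false` is introduced by this change), which silently leaves the classic ELB with whatever group AWS assigns by default rather than failing the plan. A precondition makes the contract explicit: `lifecycle { precondition { condition = var.enable_security_group || length(var.sg_ids) > 0; error_message = "Provide sg_ids or enable the module security group." } }`. The `aws_security_group.default` resource itself is not in this patch, so confirm its `count` really tracks `enable_security_group`.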
@@ -229,4 +328,452 @@ resource "aws_elb" "main" { healthy_threshold = var.health_check_healthy_threshold } tags = module.labels.tags -} \ No newline at end of file +} + +##----------------------------------------------------------------------------- +## aws_lb_listener_rule. Provides a Load Balancer Listener Rule resource. +##----------------------------------------------------------------------------- +resource "aws_lb_listener_rule" "http_tcp_listener_rule" { + count = var.enable ? length(var.http_tcp_listener_rules) : 0 + + listener_arn = aws_lb_listener.nhttp[lookup(var.http_tcp_listener_rules[count.index], "http_tcp_listener_index", count.index)].arn + priority = lookup(var.http_tcp_listener_rules[count.index], "priority", null) + + # redirect actions + dynamic "action" { + for_each = [ + for action_rule in var.http_tcp_listener_rules[count.index].actions : + action_rule + if action_rule.type == "redirect" + ] + + content { + type = action.value["type"] + redirect { + host = lookup(action.value, "host", null) + path = lookup(action.value, "path", null) + port = lookup(action.value, "port", null) + protocol = lookup(action.value, "protocol", null) + query = lookup(action.value, "query", null) + status_code = action.value["status_code"] + } + } + } + + # fixed-response actions + dynamic "action" { + for_each = [ + for action_rule in var.http_tcp_listener_rules[count.index].actions : + action_rule + if action_rule.type == "fixed-response" + ] + + content { + type = action.value["type"] + fixed_response { + message_body = lookup(action.value, "message_body", null) + status_code = lookup(action.value, "status_code", null) + content_type = action.value["content_type"] + } + } + } + + # forward actions + dynamic "action" { + for_each = [ + for action_rule in var.http_tcp_listener_rules[count.index].actions : + action_rule + if action_rule.type == "forward" + ] + + content { + type = action.value["type"] + target_group_arn = 
aws_lb_target_group.main[lookup(action.value, "target_group_index", count.index)].id + } + } + + # weighted forward actions + dynamic "action" { + for_each = [ + for action_rule in var.http_tcp_listener_rules[count.index].actions : + action_rule + if action_rule.type == "weighted-forward" + ] + + content { + type = "forward" + forward { + dynamic "target_group" { + for_each = action.value["target_groups"] + + content { + arn = aws_lb_target_group.main[target_group.value["target_group_index"]].id + weight = target_group.value["weight"] + } + } + dynamic "stickiness" { + for_each = [lookup(action.value, "stickiness", {})] + + content { + enabled = try(stickiness.value["enabled"], false) + duration = try(stickiness.value["duration"], 1) + } + } + } + } + } + + # Path Pattern condition + dynamic "condition" { + for_each = [ + for condition_rule in var.http_tcp_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "path_patterns", [])) > 0 + ] + + content { + path_pattern { + values = condition.value["path_patterns"] + } + } + } + + # Host header condition + dynamic "condition" { + for_each = [ + for condition_rule in var.http_tcp_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "host_headers", [])) > 0 + ] + + content { + host_header { + values = condition.value["host_headers"] + } + } + } + + # Http header condition + dynamic "condition" { + for_each = [ + for condition_rule in var.http_tcp_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "http_headers", [])) > 0 + ] + + content { + dynamic "http_header" { + for_each = condition.value["http_headers"] + + content { + http_header_name = http_header.value["http_header_name"] + values = http_header.value["values"] + } + } + } + } + + # Http request method condition + dynamic "condition" { + for_each = [ + for condition_rule in var.http_tcp_listener_rules[count.index].conditions : + condition_rule 
+ if length(lookup(condition_rule, "http_request_methods", [])) > 0 + ] + + content { + http_request_method { + values = condition.value["http_request_methods"] + } + } + } + + # Query string condition + dynamic "condition" { + for_each = [ + for condition_rule in var.http_tcp_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "query_strings", [])) > 0 + ] + + content { + dynamic "query_string" { + for_each = condition.value["query_strings"] + + content { + key = lookup(query_string.value, "key", null) + value = query_string.value["value"] + } + } + } + } + + # Source IP address condition + dynamic "condition" { + for_each = [ + for condition_rule in var.http_tcp_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "source_ips", [])) > 0 + ] + + content { + source_ip { + values = condition.value["source_ips"] + } + } + } + + tags = module.labels.tags +} + +resource "aws_lb_listener_rule" "https_listener_rule" { + count = var.enable ? 
length(var.https_listener_rules) : 0 + + listener_arn = aws_lb_listener.nhttps[lookup(var.https_listener_rules[count.index], "https_listener_index", count.index)].arn + priority = lookup(var.https_listener_rules[count.index], "priority", null) + + # authenticate-cognito actions + dynamic "action" { + for_each = [ + for action_rule in var.https_listener_rules[count.index].actions : + action_rule + if action_rule.type == "authenticate-cognito" + ] + + content { + type = action.value["type"] + authenticate_cognito { + authentication_request_extra_params = lookup(action.value, "authentication_request_extra_params", null) + on_unauthenticated_request = lookup(action.value, "on_authenticated_request", null) + scope = lookup(action.value, "scope", null) + session_cookie_name = lookup(action.value, "session_cookie_name", null) + session_timeout = lookup(action.value, "session_timeout", null) + user_pool_arn = action.value["user_pool_arn"] + user_pool_client_id = action.value["user_pool_client_id"] + user_pool_domain = action.value["user_pool_domain"] + } + } + } + + # authenticate-oidc actions + dynamic "action" { + for_each = [ + for action_rule in var.https_listener_rules[count.index].actions : + action_rule + if action_rule.type == "authenticate-oidc" + ] + + content { + type = action.value["type"] + authenticate_oidc { + # Max 10 extra params + authentication_request_extra_params = lookup(action.value, "authentication_request_extra_params", null) + authorization_endpoint = action.value["authorization_endpoint"] + client_id = action.value["client_id"] + client_secret = action.value["client_secret"] + issuer = action.value["issuer"] + on_unauthenticated_request = lookup(action.value, "on_unauthenticated_request", null) + scope = lookup(action.value, "scope", null) + session_cookie_name = lookup(action.value, "session_cookie_name", null) + session_timeout = lookup(action.value, "session_timeout", null) + token_endpoint = action.value["token_endpoint"] + user_info_endpoint 
= action.value["user_info_endpoint"] + } + } + } + + # redirect actions + dynamic "action" { + for_each = [ + for action_rule in var.https_listener_rules[count.index].actions : + action_rule + if action_rule.type == "redirect" + ] + + content { + type = action.value["type"] + redirect { + host = lookup(action.value, "host", null) + path = lookup(action.value, "path", null) + port = lookup(action.value, "port", null) + protocol = lookup(action.value, "protocol", null) + query = lookup(action.value, "query", null) + status_code = action.value["status_code"] + } + } + } + + # fixed-response actions + dynamic "action" { + for_each = [ + for action_rule in var.https_listener_rules[count.index].actions : + action_rule + if action_rule.type == "fixed-response" + ] + + content { + type = action.value["type"] + fixed_response { + message_body = lookup(action.value, "message_body", null) + status_code = lookup(action.value, "status_code", null) + content_type = action.value["content_type"] + } + } + } + + # forward actions + dynamic "action" { + for_each = [ + for action_rule in var.https_listener_rules[count.index].actions : + action_rule + if action_rule.type == "forward" + ] + + content { + type = action.value["type"] + target_group_arn = aws_lb_target_group.main[lookup(action.value, "target_group_index", count.index)].id + } + } + + # weighted forward actions + dynamic "action" { + for_each = [ + for action_rule in var.https_listener_rules[count.index].actions : + action_rule + if action_rule.type == "weighted-forward" + ] + + content { + type = "forward" + forward { + dynamic "target_group" { + for_each = action.value["target_groups"] + + content { + arn = aws_lb_target_group.main[target_group.value["target_group_index"]].id + weight = target_group.value["weight"] + } + } + dynamic "stickiness" { + for_each = [lookup(action.value, "stickiness", {})] + + content { + enabled = try(stickiness.value["enabled"], false) + duration = try(stickiness.value["duration"], 1) + } + 
} + } + } + } + + # Path Pattern condition + dynamic "condition" { + for_each = [ + for condition_rule in var.https_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "path_patterns", [])) > 0 + ] + + content { + path_pattern { + values = condition.value["path_patterns"] + } + } + } + + # Host header condition + dynamic "condition" { + for_each = [ + for condition_rule in var.https_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "host_headers", [])) > 0 + ] + + content { + host_header { + values = condition.value["host_headers"] + } + } + } + + # Http header condition + dynamic "condition" { + for_each = [ + for condition_rule in var.https_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "http_headers", [])) > 0 + ] + + content { + dynamic "http_header" { + for_each = condition.value["http_headers"] + + content { + http_header_name = http_header.value["http_header_name"] + values = http_header.value["values"] + } + } + } + } + + # Http request method condition + dynamic "condition" { + for_each = [ + for condition_rule in var.https_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "http_request_methods", [])) > 0 + ] + + content { + http_request_method { + values = condition.value["http_request_methods"] + } + } + } + + # Query string condition + dynamic "condition" { + for_each = [ + for condition_rule in var.https_listener_rules[count.index].conditions : + condition_rule + if length(lookup(condition_rule, "query_strings", [])) > 0 + ] + + content { + dynamic "query_string" { + for_each = condition.value["query_strings"] + + content { + key = lookup(query_string.value, "key", null) + value = query_string.value["value"] + } + } + } + } + + # Source IP address condition + dynamic "condition" { + for_each = [ + for condition_rule in var.https_listener_rules[count.index].conditions : + 
condition_rule + if length(lookup(condition_rule, "source_ips", [])) > 0 + ] + + content { + source_ip { + values = condition.value["source_ips"] + } + } + } + + tags = module.labels.tags +} + +##----------------------------------------------------------------------------- +## Terraform comes with aws_lb_listener_certificate that allows you to attach a certificate to any aws_lb_listerner. +##----------------------------------------------------------------------------- +resource "aws_lb_listener_certificate" "https_listener" { + count = var.enable ? length(var.extra_ssl_certs) : 0 + listener_arn = aws_lb_listener.https[var.extra_ssl_certs[count.index]["https_listener_index"]].arn + certificate_arn = var.extra_ssl_certs[count.index]["certificate_arn"] +} diff --git a/outputs.tf b/outputs.tf index 21e0bce..7108d0e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -60,4 +60,14 @@ output "listener_arns" { output "tags" { value = module.labels.tags description = "A mapping of tags to assign to the resource." -} \ No newline at end of file +} + +output "security_group_arn" { + description = "Amazon Resource Name (ARN) of the security group" + value = try(aws_security_group.default[0].arn, null) +} + +output "security_group_id" { + description = "ID of the security group" + value = try(aws_security_group.default[0].id, null) +} diff --git a/variables.tf b/variables.tf index f22d801..1de68ac 100644 --- a/variables.tf +++ b/variables.tf 
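Review bot: In `aws_lb_listener_rule.https_listener_rule` the authenticate-cognito action populates `on_unauthenticated_request` from `lookup(action.value, "on_authenticated_request", null)`; the key is misspelled, so a caller setting `on_unauthenticated_request = "deny"` is silently ignored and the provider default applies — change it to `on_unauthenticated_request = lookup(action.value, "on_unauthenticated_request", null)` as the authenticate-oidc block below already does. That OIDC block also passes `client_secret = action.value["client_secret"]` straight from `var.https_listener_rules`, which is `type = any` without `sensitive = true`, so the secret is printed in plan output and diffs; either mark the variable sensitive or take the secret through a separate sensitive input. `aws_lb_listener_certificate.https_listener` indexes `aws_lb_listener.https[...]` (the single listener built from `var.https_port`) with `https_listener_index`, while the variable's description says the index refers to `https_listeners`, which is what `aws_lb_listener.nhttps` is built from; one of the two needs to change, most likely `listener_arn = aws_lb_listener.nhttps[var.extra_ssl_certs[count.index]["https_listener_index"]].arn`.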
@@ -73,10 +73,9 @@ variable "https_listeners" { } variable "http_tcp_listeners" { - description = "A list of maps describing the HTTP listeners for this ALB. Required key/values: port, protocol. Optional key/values: target_group_index (defaults to 0)" - type = list(map(string)) + type = any default = [] - sensitive = true + description = "A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. Optional key/values: target_group_index (defaults to http_tcp_listeners[count.index])" } variable "target_groups" { @@ -86,12 +85,6 @@ variable "target_groups" { default = [] } -variable "security_groups" { - type = list(any) - default = [] - description = "A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application." -} - variable "subnets" { type = list(any) default = [] @@ -196,12 +189,6 @@ variable "ip_address_type" { description = "The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack." } -variable "log_bucket_name" { - type = string - default = "" - description = "S3 bucket (externally created) for storing load balancer access logs. Required if logging_enabled is true." -} - variable "load_balancer_create_timeout" { type = string default = "10m" @@ -305,10 +292,16 @@ variable "target_type" { description = "The type of target that you must specify when registering targets with this target group." } +#variable "access_logs" { +# type = bool +# default = false +# description = "Access logs Enable or Disable." +#} + variable "access_logs" { - type = bool - default = false - description = "Access logs Enable or Disable." + type = map(string) + default = {} + description = "Map containing access logging configuration for load balancer." } variable "listener_https_fixed_response" { 
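Review bot: The `access_logs` hunk keeps the old `bool` variable as a commented-out block (`#variable "access_logs" { … }`) directly above its replacement; delete the dead block rather than carrying both definitions. The new `type = map(string)` description says only "Map containing access logging configuration", but the keys are fixed by the `dynamic "access_logs"` block in main.tf, where `enabled` defaults to whether `bucket` is set; spell that out, e.g. `description = "Access logging for the load balancer. Keys: bucket (required to enable), prefix (optional), enabled (optional, defaults to true when bucket is set)."`. Since `log_bucket_name` and `security_groups` are removed in the neighbouring hunks, this is a breaking change for existing callers and deserves a README/CHANGELOG note mapping the old inputs to `access_logs.bucket` and `sg_ids`.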
@@ -326,3 +319,159 @@ variable "with_target_group" { default = true description = "Create LoadBlancer without target group" } + +variable "enable_security_group" { + type = bool + default = true + description = "Enable default Security Group with only Egress traffic allowed." +} + +variable "sg_ids" { + type = list(any) + default = [] + description = "of the security group id." +} + +variable "sg_description" { + type = string + default = "Instance default security group (only egress access is allowed)." + description = "The security group description." +} + +variable "is_external" { + type = bool + default = false + description = "enable to udated existing security Group" +} + +variable "egress_rule" { + type = bool + default = true + description = "Enable to create egress rule" +} + +variable "sg_egress_description" { + type = string + default = "Description of the rule." + description = "Description of the egress and ingress rule" +} + +variable "sg_egress_ipv6_description" { + type = string + default = "Description of the rule." + description = "Description of the egress_ipv6 rule" +} + +variable "allowed_ip" { + type = list(any) + default = [] + description = "List of allowed ip." +} + +variable "allowed_ports" { + type = list(any) + default = [] + description = "List of allowed ingress ports" +} + +variable "sg_ingress_description" { + type = string + default = "Description of the ingress rule use elasticache." + description = "Description of the ingress rule" +} + +variable "protocol" { + type = string + default = "tcp" + description = "The protocol. If not icmp, tcp, udp, or all use the." +} + +variable "enable_tls_version_and_cipher_suite_headers" { + type = bool + default = false + description = "Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target." 
+} + +variable "enable_xff_client_port" { + type = bool + default = true + description = "Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in application load balancers." +} + +variable "preserve_host_header" { + type = bool + default = false + description = "Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false." +} + +variable "enable_waf_fail_open" { + type = bool + default = false + description = "Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF" +} + +variable "desync_mitigation_mode" { + type = string + default = "defensive" + description = "Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync." +} + +variable "xff_header_processing_mode" { + type = string + default = "append" + description = "Determines how the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target." +} + +variable "http_tcp_listener_rules" { + type = any + default = [] + description = "A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, http_tcp_listener_index (default to http_tcp_listeners[count.index])" +} + +variable "https_listener_rules" { + type = any + default = [] + description = "A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https_listener_index (default to https_listeners[count.index])" +} + +variable "ssl_policy" { + type = string + default = "ELBSecurityPolicy-TLS-1-2-2017-01" + description = "Name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS." +} + +variable "extra_ssl_certs" { + description = "A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. 
Required key/values: certificate_arn, https_listener_index (the index of the listener within https_listeners which the cert applies toward)." + type = list(map(string)) + default = [] +} + +variable "from_port" { + type = number + default = 0 + description = " (Required) Start port (or ICMP type number if protocol is icmp or icmpv6)." +} + +variable "to_port" { + type = number + default = 65535 + description = "equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference" +} + +variable "egress_protocol" { + type = number + default = -1 + description = "equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference" +} + +variable "cidr_blocks" { + type = list(string) + default = ["0.0.0.0/0"] + description = "equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference" +} + +variable "ipv6_cidr_blocks" { + type = list(string) + default = ["::/0"] + description = "Enable to create egress rule" +} diff --git a/versions.tf b/versions.tf index 5a227cd..c95376a 100644 --- a/versions.tf +++ b/versions.tf @@ -1,11 +1,11 @@ # Terraform version terraform { - required_version = ">= 1.5.0" + required_version = ">= 1.5.5" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.9.0" + version = ">= 5.13.1" } } -} \ No newline at end of file +}
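Review bot: The descriptions on `from_port`, `to_port`, `egress_protocol`, `cidr_blocks` and `ipv6_cidr_blocks` are copy-pasted fragments ("equal to 0. The supported values are defined in the IpProtocol argument…", "Enable to create egress rule") that do not describe the variable they sit on, and `sg_ids` ("of the security group id."), `is_external` ("enable to udated existing security Group") and `sg_ingress_description` (mentions elasticache) are garbled too; each needs a one-line description of its own, e.g. `description = "Destination IPv4 CIDR blocks for the module security group's egress rule."` on `cidr_blocks`. Together the defaults `from_port = 0`, `to_port = 65535`, `cidr_blocks = ["0.0.0.0/0"]`, `ipv6_cidr_blocks = ["::/0"]` describe an any-port/any-destination rule; the `aws_security_group` resource they feed is not in this patch, so confirm they are only used for egress and that `allowed_ip`/`allowed_ports` (both default `[]`) are the sole inputs to ingress. `egress_protocol` is typed `number`, which rules out `tcp`/`udp`; `type = string` with `default = "-1"` keeps the current default while allowing the other values. `ssl_policy` now exposes the previously hard-coded `ELBSecurityPolicy-TLS-1-2-2017-01` as a default; with it configurable, consider a TLS 1.3-capable policy such as `ELBSecurityPolicy-TLS13-1-2-2021-06` and say in the description which policy callers get when they do not set one.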