Issue when I try to share the same target group with an ALB load balancer that supports HTTP and HTTPS #23

Closed
jonathandemoor opened this issue Dec 23, 2020 · 10 comments
Labels
bug Something isn't working enhancement New feature or request

Comments

@jonathandemoor

jonathandemoor commented Dec 23, 2020

Hi,

The current situation when using the terraform-aws-ecs-fargate-service module:

  • 1 ALB with 2 listeners: one for HTTP (80) and one for HTTPS (443)
  • 2 Target groups: one is used in HTTP listener and one is used for the HTTPS listener
  • 1 Fargate service that links to an ECS Cluster and Task Definition

Is it possible to point both ALB listeners (HTTP and HTTPS) to the same HTTP Target Group?
The app (Node.js) that is running in the ECS Task Definition only supports HTTP, that's why I would like to point both ALB listeners to the same Target Group.


At this moment, when you define lb_http_ports and lb_https_ports, the module automatically creates 2 separate target groups.

Another question, what is the main reason why you moved the ALB module into the terraform-aws-ecs-fargate-service module? It would give us more flexibility when the ALB module was defined outside the Fargate Service module or could be optional.

Thanks in advance,
Jonathan

@amontalban
Contributor

@jonathandemoor I would recommend using a redirect rule for HTTP -> HTTPS.

I submitted a PR that will give that possibility.

Check cn-terraform/terraform-aws-ecs-alb#6

@jonathandemoor
Author

Wouldn't it be easier to make the Load Balancer part optional in the terraform-aws-ecs-fargate-service module? Because you will probably never cover all edge cases for everyone?

In the case I described we just want to use the same target group (with HTTP protocol) for both HTTP and HTTPS listeners, that's it 😉

@mo-hit

mo-hit commented Mar 5, 2021

any update on this? TLS termination seems like a pretty standard thing to do with ALB no? I can take a look at this in a bit

@aco711

aco711 commented Jun 3, 2021

> In the case I described we just want to use the same target group (with HTTP protocol) for both HTTP and HTTPS listeners, that's it

I also have this use case. The redirect is helpful for HTTP -> HTTPS, however, with the current setup both health checks and the target group use HTTPS, however my task definition only supports HTTP

jnonino added the bug (Something isn't working) and enhancement (New feature or request) labels Jun 11, 2021

@MartinPaulEve

OK, I hit exactly this problem.

Basically I wanted

HTTP ALB -> HTTP TARGET GROUP
HTTPS ALB -> HTTP TARGET GROUP

But you can't do this at present, AFAICS.

The workaround/"fix" (although a real fix will need to distinguish that this is desired behavior) is:

In ecs-fargate-service.ecs-alb/main.tf, in the section under resource "aws_lb_listener" "lb_https_listeners", change:

target_group_arn = aws_lb_target_group.lb_http_tgs[each.key].arn

to

target_group_arn = aws_lb_target_group.lb_http_tgs[each.key].arn

on line 335.

@MartinPaulEve

Further: the tweaked versions that I made are in this repo https://github.com/MartinPaulEve/django-fargate

@jnonino
Member

jnonino commented May 19, 2022

Hi @MartinPaulEve, thanks for your comments. If it's not too much to ask, will you be able to create a PR to fix the issue in this module? Any contribution you'd like to make to any module is more than welcome!
If you can't, I'll pick this up when I'm available, again, thanks for your comments.
Regards

@MartinPaulEve

Hi @jnonino - thanks for this.

I think the challenge is that what I have done, in my slightly hacky solution, is to remove the HTTPS target group entirely, which may or may not be what the user wants. Some users will want the HTTPS LB listener to go to an HTTPS target group, while others will want HTTPS LB listener to go to the HTTP target group.

I'm afraid my terraform isn't good enough to work out quite how to give that kind of optionality. I just encountered a challenge, myself, in getting the HTTPS->HTTP bit working and so removed the HTTPS target group.

@Atry
Contributor

Atry commented Jun 15, 2022

The following settings work for HTTPS only services

module "ecs-fargate" {
  ...
  lb_http_ports = {}
  lb_https_ports = {
    forward_https_to_http = {
      listener_port         = 443
      target_group_port     = 80
      target_group_protocol = "HTTP"
    }
  }
}

Atry added a commit to Atry/terraform-aws-ecs-fargate-service that referenced this issue Jun 15, 2022
@jnonino
Member

jnonino commented Jun 15, 2022

@Atry's PR is now merged and released in version 2.0.30
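
The layout discussed in this thread (TLS terminated at the ALB, a single HTTP target group, and port 80 redirected rather than forwarded), written with plain AWS provider resources as an added example; it is not part of the thread or of the module's code. The variable names, resource names and the health check path are assumptions.

```hcl
# Added example: assumed inputs (hypothetical names, not the module's variables).
variable "vpc_id" { type = string }
variable "alb_arn" { type = string }
variable "certificate_arn" { type = string } # ACM certificate for the HTTPS listener

# One HTTP target group: the container only speaks plain HTTP on port 80.
resource "aws_lb_target_group" "app_http" {
  name        = "app-http"
  port        = 80
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks use awsvpc networking
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTP" # must match what the task serves, or targets never go healthy
    path     = "/"    # assumed path
    matcher  = "200-399"
  }
}

# Port 443: TLS ends at the ALB, requests are forwarded to the HTTP target group.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app_http.arn
  }
}

# Port 80: redirect to HTTPS instead of forwarding cleartext requests to the app.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = var.alb_arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

With this layout the hop from the ALB to the task is unencrypted inside the VPC, so the task's security group should accept port 80 only from the ALB's security group.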
