feat(dash): SSL certificate

Signed-off-by: pmikus <peter.mikus@protonmail.ch> Change-Id: Iccab2214a62d5d928d989e8e0dcb927b8ae3390f
author: pmikus <peter.mikus@protonmail.ch> 2023-01-17 13:37:45 +0000
committer: Peter Mikus <peter.mikus@protonmail.ch> 2023-01-18 13:54:36 +0000
commit: e31069553a47428fa4ec1920fe6519bba8a876d2 (patch)
tree: c133db37a13cbc7aea29c3b7393e20eb39c44fa4 /fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment
parent: e0eb07f2ec67405abf621bcbe845598de92a0803 (diff)
2 files changed, 187 insertions, 65 deletions
diff --git a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
index 2e6fb44e36..fa33b13133 100644
--- a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
+++ b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/main.tf
@@ -1,8 +1,130 @@
 locals {
   tags = {
-    "Name"        = "${var.application_name}"
     "Environment" = "${var.application_name}"
   }
+
+  # Settings for all loadbalancer types
+  generic_elb_settings = [
+    {
+      namespace = "aws:elasticbeanstalk:environment"
+      name      = "LoadBalancerType"
+      value     = var.environment_loadbalancer_type
+    }
+  ]
+
+  classic_elb_settings = [
+    {
+      namespace = "aws:elb:loadbalancer"
+      name      = "CrossZone"
+      value     = var.environment_loadbalancer_crosszone
+    },
+    {
+      namespace = "aws:elb:loadbalancer"
+      name      = "SecurityGroups"
+      value     = join(",", sort(var.environment_loadbalancer_security_groups))
+    },
+    {
+      namespace = "aws:elb:loadbalancer"
+      name      = "ManagedSecurityGroup"
+      value     = var.environment_loadbalancer_managed_security_group
+    },
+    {
+      namespace = "aws:elb:listener"
+      name      = "ListenerProtocol"
+      value     = "HTTP"
+    },
+    {
+      namespace = "aws:elb:listener"
+      name      = "InstancePort"
+      value     = var.environment_process_default_port
+    },
+    {
+      namespace = "aws:elb:listener"
+      name      = "ListenerEnabled"
+      value     = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "ListenerProtocol"
+      value     = "HTTPS"
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "InstancePort"
+      value     = var.environment_process_default_port
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "SSLCertificateId"
+      value     = var.environment_loadbalancer_ssl_certificate_id
+    },
+    {
+      namespace = "aws:elb:listener:443"
+      name      = "ListenerEnabled"
+      value     = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
+    },
+    {
+      namespace = "aws:elb:policies"
+      name      = "ConnectionSettingIdleTimeout"
+      value     = var.loadbalancer_connection_settings_idle_timeout
+    },
+    {
+      namespace = "aws:elb:policies"
+      name      = "ConnectionDrainingEnabled"
+      value     = "true"
+    }
+  ]
+
+  nlb_settings = [
+    {
+      namespace = "aws:elbv2:listener:default"
+      name      = "ListenerEnabled"
+      value     = var.default_listener_enabled
+    }
+  ]
+
+  beanstalk_elb_settings = [
+    {
+      namespace = "aws:ec2:vpc"
+      name      = "ELBSubnets"
+      value     = aws_subnet.subnet.id
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "Port"
+      value     = var.environment_process_default_port
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "Protocol"
+      value     = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
+    },
+    {
+      namespace = "aws:ec2:vpc"
+      name      = "ELBScheme"
+      value     = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "HealthCheckInterval"
+      value     = var.environment_process_default_healthcheck_interval
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "HealthyThresholdCount"
+      value     = var.environment_process_default_healthy_threshold_count
+    },
+    {
+      namespace = "aws:elasticbeanstalk:environment:process:default"
+      name      = "UnhealthyThresholdCount"
+      value     = var.environment_process_default_unhealthy_threshold_count
+    }
+  ]
+  elb_settings_nlb    = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
+  elb_setting_classic = var.environment_loadbalancer_type == "classic" ? concat(local.classic_elb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
+
+  # Full set of LoadBlanacer settings.
+  elb_settings = var.environment_tier == "WebServer" ? concat(local.elb_settings_nlb, local.elb_setting_classic) : []
 }
 
 # Create elastic beanstalk VPC
@@ -342,79 +464,16 @@ resource "aws_elastic_beanstalk_environment" "environment" {
 
   setting {
     namespace = "aws:ec2:vpc"
-    name      = "ELBSubnets"
-    value     = aws_subnet.subnet.id
-  }
-
-  setting {
-    namespace = "aws:ec2:vpc"
-    name      = "ELBScheme"
-    value     = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
-  }
-
-  setting {
-    namespace = "aws:ec2:vpc"
     name      = "AssociatePublicIpAddress"
     value     = var.associate_public_ip_address
   }
 
   setting {
-    namespace = "aws:elasticbeanstalk:application"
-    name      = "Application Healthcheck URL"
-    value     = "/"
-  }
-
-  # aws:elbv2:listener:default
-  setting {
-    namespace = "aws:elbv2:listener:default"
-    name      = "ListenerEnabled"
-    value     = var.default_listener_enabled
-  }
-
-  # aws:elasticbeanstalk:environment
-  setting {
-    namespace = "aws:elasticbeanstalk:environment"
-    name      = "LoadBalancerType"
-    value     = var.environment_loadbalancer_type
-  }
-
-  setting {
     namespace = "aws:elasticbeanstalk:environment"
     name      = "ServiceRole"
     value     = aws_iam_role.service.name
   }
 
-  # aws:elasticbeanstalk:environment:process:default
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "HealthCheckInterval"
-    value     = var.environment_process_default_healthcheck_interval
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "HealthyThresholdCount"
-    value     = var.environment_process_default_healthy_threshold_count
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "Port"
-    value     = var.environment_process_default_port
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "Protocol"
-    value     = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
-  }
-
-  setting {
-    namespace = "aws:elasticbeanstalk:environment:process:default"
-    name      = "UnhealthyThresholdCount"
-    value     = var.environment_process_default_unhealthy_threshold_count
-  }
-
   # aws:autoscaling:launchconfiguration
   setting {
     namespace = "aws:autoscaling:launchconfiguration"
@@ -428,6 +487,15 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = true
   }
 
+  dynamic "setting" {
+    for_each = local.elb_settings
+    content {
+      namespace = setting.value["namespace"]
+      name      = setting.value["name"]
+      value     = setting.value["value"]
+    }
+  }
+
   # aws:autoscaling:updatepolicy:rollingupdate
   setting {
     namespace = "aws:autoscaling:updatepolicy:rollingupdate"
@@ -447,6 +515,12 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = var.autoscaling_updatepolicy_min_instance_in_service
   }
 
+  setting {
+    namespace = "aws:elasticbeanstalk:application"
+    name      = "Application Healthcheck URL"
+    value     = var.application_healthcheck_url
+  }
+
   # aws:elasticbeanstalk:command
   setting {
     namespace = "aws:elasticbeanstalk:command"
@@ -494,6 +568,12 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = var.managedactions_platformupdate_instance_refresh_enabled
   }
 
+  setting {
+    namespace = "aws:elasticbeanstalk:command"
+    name      = "IgnoreHealthCheck"
+    value     = var.command_ignore_health_check
+  }
+
   # aws:autoscaling:asg
   setting {
     namespace = "aws:autoscaling:asg"
diff --git a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
index b0c41899b7..b225472aba 100644
--- a/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
+++ b/fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment/variables.tf
@@ -135,7 +135,37 @@ variable "default_listener_enabled" {
 variable "environment_loadbalancer_type" {
   description = "Load Balancer type, e.g. 'application' or 'classic'."
   type        = string
-  default     = "network"
+  default     = "classic"
+}
+
+variable "environment_loadbalancer_crosszone" {
+  description = "Configure the classic load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone."
+  type        = bool
+  default     = true
+}
+
+variable "environment_loadbalancer_security_groups" {
+  description = "Load balancer security groups"
+  type        = list(string)
+  default     = []
+}
+
+variable "environment_loadbalancer_managed_security_group" {
+  description = "Load balancer managed security group"
+  type        = string
+  default     = ""
+}
+
+variable "environment_loadbalancer_ssl_certificate_id" {
+  type        = string
+  default     = ""
+  description = "Load Balancer SSL certificate ARN. The certificate must be present in AWS Certificate Manager"
+}
+
+variable "loadbalancer_connection_settings_idle_timeout" {
+  description = "Classic load balancer only: Number of seconds that the load balancer waits for any data to be sent or received over the connection. If no data has been sent or received after this time period elapses, the load balancer closes the connection."
+  type        = number
+  default     = 60
 }
 
 # aws:elasticbeanstalk:environment:process:default
@@ -182,6 +212,12 @@ variable "autoscaling_updatepolicy_min_instance_in_service" {
   default     = 1
 }
 
+variable "application_healthcheck_url" {
+  description = "The path where health check requests are sent to."
+  type        = string
+  default     = "HTTP:5000/"
+}
+
 # aws:elasticbeanstalk:command
 variable "command_deployment_policy" {
   description = "Use the DeploymentPolicy option to set the deployment type. The following values are supported: `AllAtOnce`, `Rolling`, `RollingWithAdditionalBatch`, `Immutable`, `TrafficSplitting`."
@@ -229,6 +265,12 @@ variable "managedactions_platformupdate_instance_refresh_enabled" {
   default     = true
 }
 
+variable "command_ignore_health_check" {
+  description = "Do not cancel a deployment due to failed health checks"
+  type        = bool
+  default     = true
+}
+
 # aws:autoscaling:asg
 variable "autoscaling_asg_minsize" {
   description = "Minumum instances to launch"
author	pmikus <peter.mikus@protonmail.ch>	2023-01-17 13:37:45 +0000
committer	Peter Mikus <peter.mikus@protonmail.ch>	2023-01-18 13:54:36 +0000
commit	e31069553a47428fa4ec1920fe6519bba8a876d2 (patch)
tree	c133db37a13cbc7aea29c3b7393e20eb39c44fa4 /fdio.infra.terraform/terraform-aws-elastic-beanstalk-environment
parent	e0eb07f2ec67405abf621bcbe845598de92a0803 (diff)