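// Wire an internal ALB in front of the VPC endpoint and publish it under a
// private DNS name:
//   internal ALB (isolated subnets, HTTPS :443)
//     -> IP target group made of the endpoint's ENI private addresses
//     -> private hosted zone A-alias for props.customDomainName
// Everything below runs inside the enclosing construct; `this.vpcEndpoint`
// and `props` are provided by the surrounding class.

// Internal-only application load balancer: isolated subnets, never internet
// facing, HTTP/2 disabled on the front side.
this.stockLoadBalancer = new elbv2.ApplicationLoadBalancer(
  this,
  "stock-internal-elb",
  {
    vpc,
    http2Enabled: false,
    loadBalancerName: "stock-internal-elb",
    vpcSubnets: vpc.selectSubnets({
      subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
    }),
    internetFacing: false,
  }
);

// Restrict the endpoint's security group so that only the load balancer's
// security group may open TCP/443 towards it.
this.vpcEndpoint.connections.allowFrom(
  this.stockLoadBalancer,
  ec2.Port.tcp(443)
);

// IP-based target group: the targets are the endpoint ENIs' private IPs
// resolved below, so TargetType.IP is required. The protocol is spelled out
// instead of relying on the implicit "port 443 => HTTPS" default.
const targetGroup: elbv2.ApplicationTargetGroup =
  new elbv2.ApplicationTargetGroup(this, "TargetGroup", {
    vpc: vpc,
    targetType: elbv2.TargetType.IP,
    port: 443,
    protocol: elbv2.ApplicationProtocol.HTTPS,
  });

// Look up the private IP of each endpoint ENI with one custom resource per
// AZ index and register it as a target.
// NOTE(review): this relies on DescribeNetworkInterfaces returning at least
// vpc.availabilityZones.length interfaces in a stable order — confirm for
// the endpoint type in use.
for (let index = 0; index < vpc.availabilityZones.length; index++) {
  // Response path used both as the physical id and as the target address.
  const ipField = `NetworkInterfaces.${index}.PrivateIpAddress`;

  const getEndpointIp: customResources.AwsCustomResource =
    new customResources.AwsCustomResource(this, `GetEndpointIp${index}`, {
      // Only onUpdate is defined; CDK reuses it for create when onCreate is
      // omitted, so a single call definition covers both lifecycle events.
      onUpdate: {
        service: "EC2",
        action: "describeNetworkInterfaces",
        // Keying the physical id on the IP makes a changed ENI address show
        // up as a resource replacement, which in turn refreshes the target.
        physicalResourceId:
          customResources.PhysicalResourceId.fromResponse(ipField),
        parameters: {
          NetworkInterfaceIds:
            this.vpcEndpoint.vpcEndpointNetworkInterfaceIds,
        },
      },
      // ec2:Describe* actions do not support resource-level permissions, so
      // ANY_RESOURCE ("*") is unavoidable here. fromSdkCalls still scopes the
      // policy to this single read-only action, so the blast radius is small.
      policy: customResources.AwsCustomResourcePolicy.fromSdkCalls({
        resources: customResources.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });

  targetGroup.addTarget(
    new elbTargets.IpTarget(
      cdk.Token.asString(getEndpointIp.getResponseField(ipField))
    )
  );
}

// HTTPS listener with the caller-supplied certificate.
// - `certificates` replaces the deprecated `certificateArns` option.
// - `sslPolicy` is pinned to a TLS 1.2-only policy so the listener does not
//   fall back to the ELB default, which historically still accepted TLS 1.0/1.1.
// NOTE(review): `open` is left at its default, which adds a 0.0.0.0/0 ingress
// rule on port 443 to the ALB's security group. For an internal ALB that
// means any host that can route into the VPC (peering, TGW, VPN) can reach
// the API; if the consumers are known, pass `open: false` and call
// `this.stockLoadBalancer.connections.allowFrom(...)` for each of them.
this.stockLoadBalancer.addListener("Listener", {
  certificates: [elbv2.ListenerCertificate.fromArn(props.certificateArn)],
  port: 443,
  sslPolicy: elbv2.SslPolicy.TLS12,
  defaultTargetGroups: [targetGroup],
});

// Health check: a bare GET / against the endpoint is expected to answer 403
// (presumably an execute-api endpoint rejecting a request with no mapped
// host), so 403 — not 200 — is the signal that the ENI is reachable and
// TLS terminates correctly.
targetGroup.configureHealthCheck({
  healthyHttpCodes: "403",
  healthyThresholdCount: 2,
  unhealthyThresholdCount: 2,
  interval: cdk.Duration.seconds(30),
  timeout: cdk.Duration.seconds(5),
  path: "/",
  protocol: elbv2.Protocol.HTTPS,
});

// Private hosted zone for the custom domain; only resolvable from this VPC.
const zone: route53.PrivateHostedZone = new route53.PrivateHostedZone(
  this,
  "stock-private-hosted-zone",
  {
    zoneName: props.customDomainName,
    vpc,
    comment: "private hosted zone for stock internally",
  }
);

// Apex A alias pointing the custom domain at the internal ALB. The ttl is
// ignored for alias records (Route 53 uses the target's TTL) and is only
// kept for parity with the previous definition.
new route53.RecordSet(this, "stock-record-set", {
  recordType: route53.RecordType.A,
  zone: zone,
  target: route53.RecordTarget.fromAlias(
    new targets.LoadBalancerTarget(this.stockLoadBalancer)
  ),
  comment: "stock internal api",
  recordName: props.customDomainName,
  ttl: cdk.Duration.minutes(0),
});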