vanrysss · October 30, 2019 00:19
diff --git a/terraform.tf b/terraform.tf
 ## NLB FOR FRONTEND
 resource "aws_lb" "cistern-frontend" {
  name               = "${local.name_prefix}-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = flatten([module.vpc.public_subnets])
  enable_cross_zone_load_balancing = true

  tags = {
    Environment = "${var.environment}"
    Application        = "${local.name_prefix}"
  }
 }

 resource "aws_lb_target_group" "cistern-frontend" {
  name        = "${local.name_prefix}-frontend-target"
  port        = 80
  protocol    = "TCP"
  vpc_id      = "${module.vpc.vpc_id}"
  target_type = "ip"

  stickiness {
    enabled = false
    type = "lb_cookie"
  }

  health_check {
    healthy_threshold   = 3
    interval            = 30
    protocol            = "HTTP"
    matcher             = "200-399"
    path                = "/healthcheck"
    unhealthy_threshold = 3
  }
 }

 # Redirect all traffic from the NLB to the target group
 resource "aws_lb_listener" "cistern-frontend" {
  load_balancer_arn = "${aws_lb.cistern-frontend.id}"
  port              = 80
  protocol          = "TCP"

  default_action {
    target_group_arn = "${aws_lb_target_group.cistern-frontend.id}"
    type             = "forward"
  }
 }

 module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "${local.name_prefix}-vpc"

  cidr = "10.0.0.0/16"

  azs                 = ["us-west-2a", "us-west-2b", "us-west-2c"]
  private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets      = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24","10.0.33.0/24"]

  enable_dns_hostnames   = true
  enable_dns_support     = true
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true

  tags = {
    Environment = "${var.environment}"
    Application        = "${local.name_prefix}"
  }
 }

 # NLB Security group
 resource "aws_security_group" "frontend-lb" {
  name        = "${local.name_prefix}-fronten-lb-security-group"
  description = "controls access to the cistern frontend lb"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

    ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
 }

 # Traffic to the frontend should only come from the NLB
 resource "aws_security_group" "frontend-tasks" {
  name        = "${local.name_prefix}-frontend-tasks-security-group"
  description = "allow inbound access from the NLB only"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress {
    protocol        = "tcp"
    from_port       = 80
    to_port         = 80
    security_groups = ["${aws_security_group.frontend-lb.id}"]
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
 }
	## NLB FOR FRONTEND
	resource "aws_lb" "cistern-frontend" {
	name = "${local.name_prefix}-nlb"
	internal = true
	load_balancer_type = "network"
	subnets = flatten([module.vpc.public_subnets])
	enable_cross_zone_load_balancing = true

	tags = {
	Environment = "${var.environment}"
	Application = "${local.name_prefix}"
	}
	}

	resource "aws_lb_target_group" "cistern-frontend" {
	name = "${local.name_prefix}-frontend-target"
	port = 80
	protocol = "TCP"
	vpc_id = "${module.vpc.vpc_id}"
	target_type = "ip"

	stickiness {
	enabled = false
	type = "lb_cookie"
	}

	health_check {
	healthy_threshold = 3
	interval = 30
	protocol = "HTTP"
	matcher = "200-399"
	path = "/healthcheck"
	unhealthy_threshold = 3
	}
	}

	# Redirect all traffic from the NLB to the target group
	resource "aws_lb_listener" "cistern-frontend" {
	load_balancer_arn = "${aws_lb.cistern-frontend.id}"
	port = 80
	protocol = "TCP"

	default_action {
	target_group_arn = "${aws_lb_target_group.cistern-frontend.id}"
	type = "forward"
	}
	}

	module "vpc" {
	source = "terraform-aws-modules/vpc/aws"

	name = "${local.name_prefix}-vpc"

	cidr = "10.0.0.0/16"

	azs = ["us-west-2a", "us-west-2b", "us-west-2c"]
	private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
	public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
	elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24","10.0.33.0/24"]

	enable_dns_hostnames = true
	enable_dns_support = true
	enable_nat_gateway = true
	single_nat_gateway = false
	one_nat_gateway_per_az = true

	tags = {
	Environment = "${var.environment}"
	Application = "${local.name_prefix}"
	}
	}

	# NLB Security group
	resource "aws_security_group" "frontend-lb" {
	name = "${local.name_prefix}-fronten-lb-security-group"
	description = "controls access to the cistern frontend lb"
	vpc_id = "${module.vpc.vpc_id}"

	ingress {
	protocol = "tcp"
	from_port = 80
	to_port = 80
	cidr_blocks = ["0.0.0.0/0"]
	}

	ingress {
	protocol = "tcp"
	from_port = 443
	to_port = 443
	cidr_blocks = ["0.0.0.0/0"]
	}

	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]
	}
	}

	# Traffic to the frontend should only come from the NLB
	resource "aws_security_group" "frontend-tasks" {
	name = "${local.name_prefix}-frontend-tasks-security-group"
	description = "allow inbound access from the NLB only"
	vpc_id = "${module.vpc.vpc_id}"

	ingress {
	protocol = "tcp"
	from_port = 80
	to_port = 80
	security_groups = ["${aws_security_group.frontend-lb.id}"]
	}

	egress {
	protocol = "-1"
	from_port = 0
	to_port = 0
	cidr_blocks = ["0.0.0.0/0"]
	}
	}