From 923cdad8c365db53b4c72415fd1b1db9d672e636 Mon Sep 17 00:00:00 2001
From: Vladimir Andrijevikj
Date: Fri, 11 May 2018 19:02:27 +0200
Subject: [PATCH 1/3] Support access logs in application_load_balancer module

---
 .../__examples__/.planshots.txt | 825 +++++++++++-------
 .../__examples__/with_access_logs.tf | 14 +
 .../load_balancer/main.tf | 87 ++
 .../load_balancer/outputs.tf | 11 +
 .../load_balancer/variables.tf | 24 +
 aws/application_load_balancer/main.tf | 19 +-
 aws/application_load_balancer/outputs.tf | 4 +-
 aws/application_load_balancer/variables.tf | 5 +
 8 files changed, 673 insertions(+), 316 deletions(-)
 create mode 100644 aws/application_load_balancer/__examples__/with_access_logs.tf
 create mode 100644 aws/application_load_balancer/load_balancer/main.tf
 create mode 100644 aws/application_load_balancer/load_balancer/outputs.tf
 create mode 100644 aws/application_load_balancer/load_balancer/variables.tf

diff --git a/aws/application_load_balancer/__examples__/.planshots.txt b/aws/application_load_balancer/__examples__/.planshots.txt
index 3984f87..a572b9f 100644
--- a/aws/application_load_balancer/__examples__/.planshots.txt
+++ b/aws/application_load_balancer/__examples__/.planshots.txt
@@ -6,354 +6,565 @@ Resource actions are indicated with the following symbols: Terraform will perform the following actions: -+ module.acme_staging_load_balancer.aws_alb.load_balancer -id: -access_logs.#: -arn: -arn_suffix: -dns_name: -enable_deletion_protection: "false" -enable_http2: "true" -idle_timeout: "60" -internal: "false" -ip_address_type: -load_balancer_type: "application" -name: "acme-staging" -security_groups.#: -subnet_mapping.#: -subnets.#: "2" -subnets.2108278916: "subnet-9ce530b1" -subnets.2228813381: "subnet-6fbdeeb3" -vpc_id: -zone_id: - + module.acme_staging_load_balancer.aws_alb_listener.http_listener -id: -arn: -default_action.#: "1" -default_action.0.target_group_arn: "${aws_alb_target_group.http_target_group.arn}" -default_action.0.type: "forward" -load_balancer_arn: "${aws_alb.load_balancer.arn}" -port: "80" -protocol: "HTTP" -ssl_policy: +id: +arn: +default_action.#: "1" +default_action.0.target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +default_action.0.type: "forward" +load_balancer_arn: "${module.load_balancer.arn}" +port: "80" +protocol: "HTTP" +ssl_policy: + module.acme_staging_load_balancer.aws_alb_listener.https_listener -id: -arn: -certificate_arn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" -default_action.#: "1" -default_action.0.target_group_arn: "${aws_alb_target_group.https_target_group.arn}" -default_action.0.type: "forward" -load_balancer_arn: "${aws_alb.load_balancer.arn}" -port: "443" -protocol: "HTTPS" -ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01" +id: +arn: +certificate_arn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" +default_action.#: "1" +default_action.0.target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +default_action.0.type: "forward" +load_balancer_arn: "${module.load_balancer.arn}" +port: "443" +protocol: "HTTPS" +ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01" + 
module.acme_staging_load_balancer.aws_alb_target_group.http_target_group -id: -arn: -arn_suffix: -deregistration_delay: "30" -health_check.#: "1" -health_check.0.healthy_threshold: "3" -health_check.0.interval: "30" -health_check.0.matcher: "200,301" -health_check.0.path: "/healthz" -health_check.0.port: "80" -health_check.0.protocol: "HTTP" -health_check.0.timeout: "5" -health_check.0.unhealthy_threshold: "3" -name: "acme-staging-http" -port: "80" -protocol: "HTTP" -stickiness.#: -target_type: "instance" -vpc_id: "vpc-eed63643" +id: +arn: +arn_suffix: +deregistration_delay: "30" +health_check.#: "1" +health_check.0.healthy_threshold: "3" +health_check.0.interval: "30" +health_check.0.matcher: "200,301" +health_check.0.path: "/healthz" +health_check.0.port: "80" +health_check.0.protocol: "HTTP" +health_check.0.timeout: "5" +health_check.0.unhealthy_threshold: "3" +name: "acme-staging-http" +port: "80" +protocol: "HTTP" +proxy_protocol_v2: "false" +stickiness.#: +target_type: "instance" +vpc_id: "vpc-eed63643" + module.acme_staging_load_balancer.aws_alb_target_group.https_target_group -id: -arn: -arn_suffix: -deregistration_delay: "30" -health_check.#: "1" -health_check.0.healthy_threshold: "3" -health_check.0.interval: "30" -health_check.0.matcher: "200" -health_check.0.path: "/healthz" -health_check.0.port: "443" -health_check.0.protocol: "HTTPS" -health_check.0.timeout: "5" -health_check.0.unhealthy_threshold: "3" -name: "acme-staging-https" -port: "443" -protocol: "HTTPS" -stickiness.#: -target_type: "instance" -vpc_id: "vpc-eed63643" +id: +arn: +arn_suffix: +deregistration_delay: "30" +health_check.#: "1" +health_check.0.healthy_threshold: "3" +health_check.0.interval: "30" +health_check.0.matcher: "200" +health_check.0.path: "/healthz" +health_check.0.port: "443" +health_check.0.protocol: "HTTPS" +health_check.0.timeout: "5" +health_check.0.unhealthy_threshold: "3" +name: "acme-staging-https" +port: "443" +protocol: "HTTPS" +proxy_protocol_v2: "false" 
+stickiness.#: +target_type: "instance" +vpc_id: "vpc-eed63643" + module.acme_staging_load_balancer.aws_alb_target_group_attachment.http_target_group_attachments[0] -id: -target_group_arn: "${aws_alb_target_group.http_target_group.arn}" -target_id: "i-09731747ba5296355" +id: +target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +target_id: "i-09731747ba5296355" + module.acme_staging_load_balancer.aws_alb_target_group_attachment.http_target_group_attachments[1] -id: -target_group_arn: "${aws_alb_target_group.http_target_group.arn}" -target_id: "i-0354a7616ba0dc1af" +id: +target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +target_id: "i-0354a7616ba0dc1af" + module.acme_staging_load_balancer.aws_alb_target_group_attachment.https_target_group_attachments[0] -id: -target_group_arn: "${aws_alb_target_group.https_target_group.arn}" -target_id: "i-09731747ba5296355" +id: +target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +target_id: "i-09731747ba5296355" + module.acme_staging_load_balancer.aws_alb_target_group_attachment.https_target_group_attachments[1] -id: -target_group_arn: "${aws_alb_target_group.https_target_group.arn}" -target_id: "i-0354a7616ba0dc1af" +id: +target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +target_id: "i-0354a7616ba0dc1af" + module.acme_staging_load_balancer.aws_security_group.security_group_on_load_balancer -id: -arn: -description: "Managed by Terraform" -egress.#: "2" -egress.1749941629.cidr_blocks.#: "0" -egress.1749941629.description: "" -egress.1749941629.from_port: "80" -egress.1749941629.ipv6_cidr_blocks.#: "0" -egress.1749941629.prefix_list_ids.#: "0" -egress.1749941629.protocol: "tcp" -egress.1749941629.security_groups.#: "1" -egress.1749941629.security_groups.686130460: "sg-c94a8777" -egress.1749941629.self: "false" -egress.1749941629.to_port: "80" -egress.2219625915.cidr_blocks.#: "0" -egress.2219625915.description: "" -egress.2219625915.from_port: "443" 
-egress.2219625915.ipv6_cidr_blocks.#: "0" -egress.2219625915.prefix_list_ids.#: "0" -egress.2219625915.protocol: "tcp" -egress.2219625915.security_groups.#: "1" -egress.2219625915.security_groups.686130460: "sg-c94a8777" -egress.2219625915.self: "false" -egress.2219625915.to_port: "443" -ingress.#: "2" -ingress.2214680975.cidr_blocks.#: "1" -ingress.2214680975.cidr_blocks.0: "0.0.0.0/0" -ingress.2214680975.description: "" -ingress.2214680975.from_port: "80" -ingress.2214680975.ipv6_cidr_blocks.#: "0" -ingress.2214680975.protocol: "tcp" -ingress.2214680975.security_groups.#: "0" -ingress.2214680975.self: "false" -ingress.2214680975.to_port: "80" -ingress.2617001939.cidr_blocks.#: "1" -ingress.2617001939.cidr_blocks.0: "0.0.0.0/0" -ingress.2617001939.description: "" -ingress.2617001939.from_port: "443" -ingress.2617001939.ipv6_cidr_blocks.#: "0" -ingress.2617001939.protocol: "tcp" -ingress.2617001939.security_groups.#: "0" -ingress.2617001939.self: "false" -ingress.2617001939.to_port: "443" -name: "acme-staging-alb" -owner_id: -revoke_rules_on_delete: "false" -vpc_id: "vpc-eed63643" +id: +arn: +description: "Managed by Terraform" +egress.#: "2" +egress.1749941629.cidr_blocks.#: "0" +egress.1749941629.description: "" +egress.1749941629.from_port: "80" +egress.1749941629.ipv6_cidr_blocks.#: "0" +egress.1749941629.prefix_list_ids.#: "0" +egress.1749941629.protocol: "tcp" +egress.1749941629.security_groups.#: "1" +egress.1749941629.security_groups.686130460: "sg-c94a8777" +egress.1749941629.self: "false" +egress.1749941629.to_port: "80" +egress.2219625915.cidr_blocks.#: "0" +egress.2219625915.description: "" +egress.2219625915.from_port: "443" +egress.2219625915.ipv6_cidr_blocks.#: "0" +egress.2219625915.prefix_list_ids.#: "0" +egress.2219625915.protocol: "tcp" +egress.2219625915.security_groups.#: "1" +egress.2219625915.security_groups.686130460: "sg-c94a8777" +egress.2219625915.self: "false" +egress.2219625915.to_port: "443" +ingress.#: "2" 
+ingress.2214680975.cidr_blocks.#: "1" +ingress.2214680975.cidr_blocks.0: "0.0.0.0/0" +ingress.2214680975.description: "" +ingress.2214680975.from_port: "80" +ingress.2214680975.ipv6_cidr_blocks.#: "0" +ingress.2214680975.protocol: "tcp" +ingress.2214680975.security_groups.#: "0" +ingress.2214680975.self: "false" +ingress.2214680975.to_port: "80" +ingress.2617001939.cidr_blocks.#: "1" +ingress.2617001939.cidr_blocks.0: "0.0.0.0/0" +ingress.2617001939.description: "" +ingress.2617001939.from_port: "443" +ingress.2617001939.ipv6_cidr_blocks.#: "0" +ingress.2617001939.protocol: "tcp" +ingress.2617001939.security_groups.#: "0" +ingress.2617001939.self: "false" +ingress.2617001939.to_port: "443" +name: "acme-staging-alb" +owner_id: +revoke_rules_on_delete: "false" +vpc_id: "vpc-eed63643" + module.acme_staging_load_balancer.aws_security_group_rule.http_ingress_on_instances_from_load_balancer -id: -from_port: "80" -protocol: "tcp" -security_group_id: "sg-c94a8777" -self: "false" -source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" -to_port: "80" -type: "ingress" +id: +from_port: "80" +protocol: "tcp" +security_group_id: "sg-c94a8777" +self: "false" +source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" +to_port: "80" +type: "ingress" + module.acme_staging_load_balancer.aws_security_group_rule.https_ingress_on_instances_from_load_balancer -id: -from_port: "443" -protocol: "tcp" -security_group_id: "sg-c94a8777" -self: "false" -source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" -to_port: "443" -type: "ingress" - -+ module.globex_production_load_balancer.aws_alb.load_balancer -id: -access_logs.#: -arn: -arn_suffix: -dns_name: -enable_deletion_protection: "false" -enable_http2: "true" -idle_timeout: "60" -internal: "true" -ip_address_type: -load_balancer_type: "application" -name: "globex-production" -security_groups.#: -subnet_mapping.#: -subnets.#: "2" -subnets.1357166935: 
"subnet-e3f4a330" -subnets.881182305: "subnet-9b6635ea" -vpc_id: -zone_id: +id: +from_port: "443" +protocol: "tcp" +security_group_id: "sg-c94a8777" +self: "false" +source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" +to_port: "443" +type: "ingress" + module.globex_production_load_balancer.aws_alb_listener.http_listener -id: -arn: -default_action.#: "1" -default_action.0.target_group_arn: "${aws_alb_target_group.http_target_group.arn}" -default_action.0.type: "forward" -load_balancer_arn: "${aws_alb.load_balancer.arn}" -port: "80" -protocol: "HTTP" -ssl_policy: +id: +arn: +default_action.#: "1" +default_action.0.target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +default_action.0.type: "forward" +load_balancer_arn: "${module.load_balancer.arn}" +port: "80" +protocol: "HTTP" +ssl_policy: + module.globex_production_load_balancer.aws_alb_listener.https_listener -id: -arn: -certificate_arn: "arn:aws:acm:us-east-1:210987654321:certificate/87654321-4321-4321-4321-210987654321" -default_action.#: "1" -default_action.0.target_group_arn: "${aws_alb_target_group.https_target_group.arn}" -default_action.0.type: "forward" -load_balancer_arn: "${aws_alb.load_balancer.arn}" -port: "443" -protocol: "HTTPS" -ssl_policy: "ELBSecurityPolicy-TLS-1-0-2015-04" +id: +arn: +certificate_arn: "arn:aws:acm:us-east-1:210987654321:certificate/87654321-4321-4321-4321-210987654321" +default_action.#: "1" +default_action.0.target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +default_action.0.type: "forward" +load_balancer_arn: "${module.load_balancer.arn}" +port: "443" +protocol: "HTTPS" +ssl_policy: "ELBSecurityPolicy-TLS-1-0-2015-04" + module.globex_production_load_balancer.aws_alb_target_group.http_target_group -id: -arn: -arn_suffix: -deregistration_delay: "30" -health_check.#: "1" -health_check.0.healthy_threshold: "3" -health_check.0.interval: "30" -health_check.0.matcher: "200,301" -health_check.0.path: "/health_check" 
-health_check.0.port: "80" -health_check.0.protocol: "HTTP" -health_check.0.timeout: "5" -health_check.0.unhealthy_threshold: "3" -name: "globex-production-http" -port: "80" -protocol: "HTTP" -stickiness.#: -target_type: "instance" -vpc_id: "vpc-e365d769" +id: +arn: +arn_suffix: +deregistration_delay: "30" +health_check.#: "1" +health_check.0.healthy_threshold: "3" +health_check.0.interval: "30" +health_check.0.matcher: "200,301" +health_check.0.path: "/health_check" +health_check.0.port: "80" +health_check.0.protocol: "HTTP" +health_check.0.timeout: "5" +health_check.0.unhealthy_threshold: "3" +name: "globex-production-http" +port: "80" +protocol: "HTTP" +proxy_protocol_v2: "false" +stickiness.#: +target_type: "instance" +vpc_id: "vpc-e365d769" + module.globex_production_load_balancer.aws_alb_target_group.https_target_group -id: -arn: -arn_suffix: -deregistration_delay: "30" -health_check.#: "1" -health_check.0.healthy_threshold: "3" -health_check.0.interval: "30" -health_check.0.matcher: "200" -health_check.0.path: "/health_check" -health_check.0.port: "443" -health_check.0.protocol: "HTTPS" -health_check.0.timeout: "5" -health_check.0.unhealthy_threshold: "3" -name: "globex-production-https" -port: "443" -protocol: "HTTPS" -stickiness.#: -target_type: "instance" -vpc_id: "vpc-e365d769" +id: +arn: +arn_suffix: +deregistration_delay: "30" +health_check.#: "1" +health_check.0.healthy_threshold: "3" +health_check.0.interval: "30" +health_check.0.matcher: "200" +health_check.0.path: "/health_check" +health_check.0.port: "443" +health_check.0.protocol: "HTTPS" +health_check.0.timeout: "5" +health_check.0.unhealthy_threshold: "3" +name: "globex-production-https" +port: "443" +protocol: "HTTPS" +proxy_protocol_v2: "false" +stickiness.#: +target_type: "instance" +vpc_id: "vpc-e365d769" + module.globex_production_load_balancer.aws_alb_target_group_attachment.http_target_group_attachments[0] -id: -target_group_arn: "${aws_alb_target_group.http_target_group.arn}" 
-target_id: "i-088348c7b2bd8ebfd" +id: +target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +target_id: "i-088348c7b2bd8ebfd" + module.globex_production_load_balancer.aws_alb_target_group_attachment.http_target_group_attachments[1] -id: -target_group_arn: "${aws_alb_target_group.http_target_group.arn}" -target_id: "i-04711668341adedf1" +id: +target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +target_id: "i-04711668341adedf1" + module.globex_production_load_balancer.aws_alb_target_group_attachment.https_target_group_attachments[0] -id: -target_group_arn: "${aws_alb_target_group.https_target_group.arn}" -target_id: "i-088348c7b2bd8ebfd" +id: +target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +target_id: "i-088348c7b2bd8ebfd" + module.globex_production_load_balancer.aws_alb_target_group_attachment.https_target_group_attachments[1] -id: -target_group_arn: "${aws_alb_target_group.https_target_group.arn}" -target_id: "i-04711668341adedf1" +id: +target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +target_id: "i-04711668341adedf1" + module.globex_production_load_balancer.aws_security_group.security_group_on_load_balancer -id: -arn: -description: "Managed by Terraform" -egress.#: "2" -egress.337077692.cidr_blocks.#: "0" -egress.337077692.description: "" -egress.337077692.from_port: "443" -egress.337077692.ipv6_cidr_blocks.#: "0" -egress.337077692.prefix_list_ids.#: "0" -egress.337077692.protocol: "tcp" -egress.337077692.security_groups.#: "1" -egress.337077692.security_groups.3427799827: "sg-264269ad" -egress.337077692.self: "false" -egress.337077692.to_port: "443" -egress.4162213242.cidr_blocks.#: "0" -egress.4162213242.description: "" -egress.4162213242.from_port: "80" -egress.4162213242.ipv6_cidr_blocks.#: "0" -egress.4162213242.prefix_list_ids.#: "0" -egress.4162213242.protocol: "tcp" -egress.4162213242.security_groups.#: "1" -egress.4162213242.security_groups.3427799827: "sg-264269ad" -egress.4162213242.self: 
"false" -egress.4162213242.to_port: "80" -ingress.#: "2" -ingress.2214680975.cidr_blocks.#: "1" -ingress.2214680975.cidr_blocks.0: "0.0.0.0/0" -ingress.2214680975.description: "" -ingress.2214680975.from_port: "80" -ingress.2214680975.ipv6_cidr_blocks.#: "0" -ingress.2214680975.protocol: "tcp" -ingress.2214680975.security_groups.#: "0" -ingress.2214680975.self: "false" -ingress.2214680975.to_port: "80" -ingress.2617001939.cidr_blocks.#: "1" -ingress.2617001939.cidr_blocks.0: "0.0.0.0/0" -ingress.2617001939.description: "" -ingress.2617001939.from_port: "443" -ingress.2617001939.ipv6_cidr_blocks.#: "0" -ingress.2617001939.protocol: "tcp" -ingress.2617001939.security_groups.#: "0" -ingress.2617001939.self: "false" -ingress.2617001939.to_port: "443" -name: "globex-production-alb" -owner_id: -revoke_rules_on_delete: "false" -vpc_id: "vpc-e365d769" +id: +arn: +description: "Managed by Terraform" +egress.#: "2" +egress.337077692.cidr_blocks.#: "0" +egress.337077692.description: "" +egress.337077692.from_port: "443" +egress.337077692.ipv6_cidr_blocks.#: "0" +egress.337077692.prefix_list_ids.#: "0" +egress.337077692.protocol: "tcp" +egress.337077692.security_groups.#: "1" +egress.337077692.security_groups.3427799827: "sg-264269ad" +egress.337077692.self: "false" +egress.337077692.to_port: "443" +egress.4162213242.cidr_blocks.#: "0" +egress.4162213242.description: "" +egress.4162213242.from_port: "80" +egress.4162213242.ipv6_cidr_blocks.#: "0" +egress.4162213242.prefix_list_ids.#: "0" +egress.4162213242.protocol: "tcp" +egress.4162213242.security_groups.#: "1" +egress.4162213242.security_groups.3427799827: "sg-264269ad" +egress.4162213242.self: "false" +egress.4162213242.to_port: "80" +ingress.#: "2" +ingress.2214680975.cidr_blocks.#: "1" +ingress.2214680975.cidr_blocks.0: "0.0.0.0/0" +ingress.2214680975.description: "" +ingress.2214680975.from_port: "80" +ingress.2214680975.ipv6_cidr_blocks.#: "0" +ingress.2214680975.protocol: "tcp" +ingress.2214680975.security_groups.#: 
"0" +ingress.2214680975.self: "false" +ingress.2214680975.to_port: "80" +ingress.2617001939.cidr_blocks.#: "1" +ingress.2617001939.cidr_blocks.0: "0.0.0.0/0" +ingress.2617001939.description: "" +ingress.2617001939.from_port: "443" +ingress.2617001939.ipv6_cidr_blocks.#: "0" +ingress.2617001939.protocol: "tcp" +ingress.2617001939.security_groups.#: "0" +ingress.2617001939.self: "false" +ingress.2617001939.to_port: "443" +name: "globex-production-alb" +owner_id: +revoke_rules_on_delete: "false" +vpc_id: "vpc-e365d769" + module.globex_production_load_balancer.aws_security_group_rule.http_ingress_on_instances_from_load_balancer -id: -from_port: "80" -protocol: "tcp" -security_group_id: "sg-264269ad" -self: "false" -source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" -to_port: "80" -type: "ingress" +id: +from_port: "80" +protocol: "tcp" +security_group_id: "sg-264269ad" +self: "false" +source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" +to_port: "80" +type: "ingress" + module.globex_production_load_balancer.aws_security_group_rule.https_ingress_on_instances_from_load_balancer -id: -from_port: "443" -protocol: "tcp" -security_group_id: "sg-264269ad" -self: "false" -source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" -to_port: "443" -type: "ingress" -Plan: 24 to add, 0 to change, 0 to destroy. 
+id: +from_port: "443" +protocol: "tcp" +security_group_id: "sg-264269ad" +self: "false" +source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" +to_port: "443" +type: "ingress" + ++ module.initech_production_load_balancer.aws_alb_listener.http_listener +id: +arn: +default_action.#: "1" +default_action.0.target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +default_action.0.type: "forward" +load_balancer_arn: "${module.load_balancer.arn}" +port: "80" +protocol: "HTTP" +ssl_policy: + ++ module.initech_production_load_balancer.aws_alb_listener.https_listener +id: +arn: +certificate_arn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" +default_action.#: "1" +default_action.0.target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +default_action.0.type: "forward" +load_balancer_arn: "${module.load_balancer.arn}" +port: "443" +protocol: "HTTPS" +ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01" + ++ module.initech_production_load_balancer.aws_alb_target_group.http_target_group +id: +arn: +arn_suffix: +deregistration_delay: "30" +health_check.#: "1" +health_check.0.healthy_threshold: "3" +health_check.0.interval: "30" +health_check.0.matcher: "200,301" +health_check.0.path: "/healthz" +health_check.0.port: "80" +health_check.0.protocol: "HTTP" +health_check.0.timeout: "5" +health_check.0.unhealthy_threshold: "3" +name: "initech-production-http" +port: "80" +protocol: "HTTP" +proxy_protocol_v2: "false" +stickiness.#: +target_type: "instance" +vpc_id: "vpc-eed63643" + ++ module.initech_production_load_balancer.aws_alb_target_group.https_target_group +id: +arn: +arn_suffix: +deregistration_delay: "30" +health_check.#: "1" +health_check.0.healthy_threshold: "3" +health_check.0.interval: "30" +health_check.0.matcher: "200" +health_check.0.path: "/healthz" +health_check.0.port: "443" +health_check.0.protocol: "HTTPS" +health_check.0.timeout: "5" +health_check.0.unhealthy_threshold: "3" 
+name: "initech-production-https" +port: "443" +protocol: "HTTPS" +proxy_protocol_v2: "false" +stickiness.#: +target_type: "instance" +vpc_id: "vpc-eed63643" + ++ module.initech_production_load_balancer.aws_alb_target_group_attachment.http_target_group_attachments[0] +id: +target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +target_id: "i-09731747ba5296355" + ++ module.initech_production_load_balancer.aws_alb_target_group_attachment.http_target_group_attachments[1] +id: +target_group_arn: "${aws_alb_target_group.http_target_group.arn}" +target_id: "i-0354a7616ba0dc1af" + ++ module.initech_production_load_balancer.aws_alb_target_group_attachment.https_target_group_attachments[0] +id: +target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +target_id: "i-09731747ba5296355" + ++ module.initech_production_load_balancer.aws_alb_target_group_attachment.https_target_group_attachments[1] +id: +target_group_arn: "${aws_alb_target_group.https_target_group.arn}" +target_id: "i-0354a7616ba0dc1af" + ++ module.initech_production_load_balancer.aws_security_group.security_group_on_load_balancer +id: +arn: +description: "Managed by Terraform" +egress.#: "2" +egress.1749941629.cidr_blocks.#: "0" +egress.1749941629.description: "" +egress.1749941629.from_port: "80" +egress.1749941629.ipv6_cidr_blocks.#: "0" +egress.1749941629.prefix_list_ids.#: "0" +egress.1749941629.protocol: "tcp" +egress.1749941629.security_groups.#: "1" +egress.1749941629.security_groups.686130460: "sg-c94a8777" +egress.1749941629.self: "false" +egress.1749941629.to_port: "80" +egress.2219625915.cidr_blocks.#: "0" +egress.2219625915.description: "" +egress.2219625915.from_port: "443" +egress.2219625915.ipv6_cidr_blocks.#: "0" +egress.2219625915.prefix_list_ids.#: "0" +egress.2219625915.protocol: "tcp" +egress.2219625915.security_groups.#: "1" +egress.2219625915.security_groups.686130460: "sg-c94a8777" +egress.2219625915.self: "false" +egress.2219625915.to_port: "443" +ingress.#: "2" 
+ingress.2214680975.cidr_blocks.#: "1" +ingress.2214680975.cidr_blocks.0: "0.0.0.0/0" +ingress.2214680975.description: "" +ingress.2214680975.from_port: "80" +ingress.2214680975.ipv6_cidr_blocks.#: "0" +ingress.2214680975.protocol: "tcp" +ingress.2214680975.security_groups.#: "0" +ingress.2214680975.self: "false" +ingress.2214680975.to_port: "80" +ingress.2617001939.cidr_blocks.#: "1" +ingress.2617001939.cidr_blocks.0: "0.0.0.0/0" +ingress.2617001939.description: "" +ingress.2617001939.from_port: "443" +ingress.2617001939.ipv6_cidr_blocks.#: "0" +ingress.2617001939.protocol: "tcp" +ingress.2617001939.security_groups.#: "0" +ingress.2617001939.self: "false" +ingress.2617001939.to_port: "443" +name: "initech-production-alb" +owner_id: +revoke_rules_on_delete: "false" +vpc_id: "vpc-eed63643" + ++ module.initech_production_load_balancer.aws_security_group_rule.http_ingress_on_instances_from_load_balancer +id: +from_port: "80" +protocol: "tcp" +security_group_id: "sg-c94a8777" +self: "false" +source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" +to_port: "80" +type: "ingress" + ++ module.initech_production_load_balancer.aws_security_group_rule.https_ingress_on_instances_from_load_balancer +id: +from_port: "443" +protocol: "tcp" +security_group_id: "sg-c94a8777" +self: "false" +source_security_group_id: "${aws_security_group.security_group_on_load_balancer.id}" +to_port: "443" +type: "ingress" + ++ module.acme_staging_load_balancer.module.load_balancer.aws_alb.load_balancer +id: +access_logs.#: +arn: +arn_suffix: +dns_name: +enable_deletion_protection: "false" +enable_http2: "true" +idle_timeout: "60" +internal: "false" +ip_address_type: +load_balancer_type: "application" +name: "acme-staging" +security_groups.#: +subnet_mapping.#: +subnets.#: "2" +subnets.2108278916: "subnet-9ce530b1" +subnets.2228813381: "subnet-6fbdeeb3" +vpc_id: +zone_id: + ++ module.globex_production_load_balancer.module.load_balancer.aws_alb.load_balancer +id: 
+access_logs.#: +arn: +arn_suffix: +dns_name: +enable_deletion_protection: "false" +enable_http2: "true" +idle_timeout: "60" +internal: "true" +ip_address_type: +load_balancer_type: "application" +name: "globex-production" +security_groups.#: +subnet_mapping.#: +subnets.#: "2" +subnets.1357166935: "subnet-e3f4a330" +subnets.881182305: "subnet-9b6635ea" +vpc_id: +zone_id: + ++ module.initech_production_load_balancer.module.load_balancer.aws_alb.load_balancer_with_access_logs +id: +access_logs.#: "1" +access_logs.0.bucket: "${aws_s3_bucket.load_balancer_access_logs.id}" +access_logs.0.enabled: "true" +access_logs.0.prefix: +arn: +arn_suffix: +dns_name: +enable_deletion_protection: "false" +enable_http2: "true" +idle_timeout: "60" +internal: "false" +ip_address_type: +load_balancer_type: "application" +name: "initech-production" +security_groups.#: +subnet_mapping.#: +subnets.#: "2" +subnets.2108278916: "subnet-9ce530b1" +subnets.2228813381: "subnet-6fbdeeb3" +vpc_id: +zone_id: + ++ module.initech_production_load_balancer.module.load_balancer.aws_s3_bucket.load_balancer_access_logs +id: +acceleration_status: +acl: "private" +arn: +bucket: "initech-production-logs" +bucket_domain_name: +force_destroy: "false" +hosted_zone_id: +lifecycle_rule.#: "1" +lifecycle_rule.0.enabled: "true" +lifecycle_rule.0.id: +lifecycle_rule.0.transition.#: "1" +lifecycle_rule.0.transition.2207330492.date: "" +lifecycle_rule.0.transition.2207330492.days: "365" +lifecycle_rule.0.transition.2207330492.storage_class: "GLACIER" +region: +request_payer: +versioning.#: +website_domain: +website_endpoint: + ++ module.initech_production_load_balancer.module.load_balancer.aws_s3_bucket_policy.load_balancer_access_logs +id: +bucket: "${aws_s3_bucket.load_balancer_access_logs.id}" +policy: "{\n \"Version\": \"2018-05-11\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": 
\"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}\"\n ]\n }\n }\n ]\n}\n" +Plan: 38 to add, 0 to change, 0 to destroy.
diff --git a/aws/application_load_balancer/__examples__/with_access_logs.tf b/aws/application_load_balancer/__examples__/with_access_logs.tf
new file mode 100644
index 0000000..a710b5c
--- /dev/null
+++ b/aws/application_load_balancer/__examples__/with_access_logs.tf
@@ -0,0 +1,14 @@
+module "initech_production_load_balancer" {
+ source = "../"
+
+ environment = "production"
+ name = "initech"
+
+ access_logs_enabled = true
+ certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+ instances = ["i-09731747ba5296355", "i-0354a7616ba0dc1af"]
+ instances_count = 2
+ security_group_for_instances = "sg-c94a8777"
+ subnets = ["subnet-6fbdeeb3", "subnet-9ce530b1"]
+ vpc_id = "vpc-eed63643"
+}
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
new file mode 100644
index 0000000..5d69d4a
--- /dev/null
+++ b/aws/application_load_balancer/load_balancer/main.tf
@@ -0,0 +1,87 @@
+locals {
+ # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
+ elastic_load_balancing_account_ids = {
+ ap-northeast-1 = "582318560864"
+ ap-northeast-2 = "600734575887"
+ ap-northeast-3 = "383597477331"
+ ap-south-1 = "718504428378"
+ ap-southeast-1 = "114774131450"
+ ap-southeast-2 = "783225319266"
+ ca-central-1 = "985666609251"
+ eu-central-1 = "054676820928"
+ eu-west-1 = "156460612806"
+ eu-west-2 = "652711504416"
+ eu-west-3 = "009996457667"
+ sa-east-1 = "507241528517"
+ us-east-1 = "127311923021"
+ us-east-2 = "033677994240"
+ us-west-1 = "027434742980"
+ us-west-2 = "797873946194"
+ }
+
+ access_logs_glacier_transition_days = 365
+}
+
+resource "aws_alb" "load_balancer" {
+ count = "${var.access_logs_enabled ? 0 : 1}"
+ name = "${var.name}"
+ internal = "${var.internal}"
+ security_groups = ["${var.security_groups}"]
+ subnets = ["${var.subnets}"]
+}
+
+resource "aws_alb" "load_balancer_with_access_logs" {
+ count = "${var.access_logs_enabled ? 1 : 0}"
+ name = "${var.name}"
+ internal = "${var.internal}"
+ security_groups = ["${var.security_groups}"]
+ subnets = ["${var.subnets}"]
+
+ access_logs {
+ bucket = "${aws_s3_bucket.load_balancer_access_logs.id}"
+ enabled = true
+ }
+}
+
+data "aws_caller_identity" "aws_account" {
+ count = "${var.access_logs_enabled ? 1 : 0}"
+}
+
+resource "aws_s3_bucket" "load_balancer_access_logs" {
+ bucket = "${var.name}-logs"
+ count = "${var.access_logs_enabled ? 1 : 0}"
+
+ lifecycle_rule {
+ enabled = true
+
+ transition {
+ days = "${local.access_logs_glacier_transition_days}"
+ storage_class = "GLACIER"
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
+ bucket = "${aws_s3_bucket.load_balancer_access_logs.id}"
+ count = "${var.access_logs_enabled ? 1 : 0}"
+
+ policy = <<-JSON
+ {
+ "Version": "2018-05-11",
+ "Statement": [
+ {
+ "Action": [
+ "s3:PutObject"
+ ],
+ "Effect": "Allow",
+ "Resource": "${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*",
+ "Principal": {
+ "AWS": [
+ "${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}"
+ ]
+ }
+ }
+ ]
+ }
+ JSON
+}
diff --git a/aws/application_load_balancer/load_balancer/outputs.tf b/aws/application_load_balancer/load_balancer/outputs.tf
new file mode 100644
index 0000000..a04a754
--- /dev/null
+++ b/aws/application_load_balancer/load_balancer/outputs.tf
@@ -0,0 +1,11 @@
+output "arn" {
+ value = "${element(coalescelist(aws_alb.load_balancer.*.arn, aws_alb.load_balancer_with_access_logs.*.arn), 0)}"
+}
+
+output "dns_name" {
+ value = "${element(coalescelist(aws_alb.load_balancer.*.dns_name, aws_alb.load_balancer_with_access_logs.*.dns_name), 0)}"
+}
+
+output "zone_id" {
+ value = "${element(coalescelist(aws_alb.load_balancer.*.zone_id, aws_alb.load_balancer_with_access_logs.*.zone_id), 0)}"
+}
diff --git a/aws/application_load_balancer/load_balancer/variables.tf b/aws/application_load_balancer/load_balancer/variables.tf
new file mode 100644
index 0000000..d335ce2
--- /dev/null
+++ b/aws/application_load_balancer/load_balancer/variables.tf
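Review bot: `aws_s3_bucket.load_balancer_access_logs` is created without default encryption, so the delivered log objects (which record client IPs and request URLs) rest unencrypted; ALB access logging supports only SSE-S3, so a `server_side_encryption_configuration` block using `AES256` is the correct default, shown below. The lifecycle rule transitions objects to GLACIER after `local.access_logs_glacier_transition_days` but never expires them, so retention is unbounded — add an `expiration` block or a comment stating that indefinite retention is intended. Because the two `aws_alb` resources are selected by `count`, toggling `access_logs_enabled` on an existing stack destroys and recreates the load balancer (new ARN and DNS name); that deserves a comment above the first `aws_alb`, e.g. `# Toggling access_logs_enabled replaces the load balancer; check the plan before applying to a live stack.` The bucket policy is scoped correctly (PutObject only, on `AWSLogs/<caller account>/*`, for the regional ELB principal), but `lookup(local.elastic_load_balancing_account_ids, …)` has no default and will fail at plan time for a region absent from the table, which is fail-closed but worth stating in the comment above the map.
```hcl
resource "aws_s3_bucket" "load_balancer_access_logs" {
  bucket = "${var.name}-logs"
  count  = "${var.access_logs_enabled ? 1 : 0}"

  # ALB access logging only supports SSE-S3; encrypt every delivered object by default.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # … unchanged: lifecycle_rule …
}
```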
@@ -0,0 +1,24 @@
+variable "name" {
+ description = "(Required) The name of this load balancer."
+ type = "string"
+}
+
+variable "security_groups" {
+ description = "(Required) A list of security group IDs to attach to the load balancer."
+ type = "list"
+}
+
+variable "subnets" {
+ description = "(Required) A list of subnet IDs to attach to the load balancer."
+ type = "list"
+}
+
+variable "access_logs_enabled" {
+ description = "(Optional) Boolean to enable / disable access_logs. Defaults to false."
+ default = false
+}
+
+variable "internal" {
+ description = "(Optional) If true, the LB will be internal. Default false."
+ default = false
+}
diff --git a/aws/application_load_balancer/main.tf b/aws/application_load_balancer/main.tf
index 3811127..52d7477 100644
--- a/aws/application_load_balancer/main.tf
+++ b/aws/application_load_balancer/main.tf
@@ -1,4 +1,6 @@
 locals {
+ access_logs_glacier_transition_days = 365
+
 http_deregistration_delay = 30
 http_health_check_matcher = "200,301"
 http_health_check_timeout = 5
@@ -14,11 +16,14 @@ locals {
 name_prefix = "${var.name}-${var.environment}"
 }
-resource "aws_alb" "load_balancer" {
- name = "${local.name_prefix}"
- internal = "${var.internal}"
- security_groups = ["${aws_security_group.security_group_on_load_balancer.id}"]
- subnets = ["${var.subnets}"]
+module "load_balancer" {
+ source = "./load_balancer"
+
+ access_logs_enabled = "${var.access_logs_enabled}"
+ name = "${local.name_prefix}"
+ internal = "${var.internal}"
+ security_groups = ["${aws_security_group.security_group_on_load_balancer.id}"]
+ subnets = ["${var.subnets}"]
 }
 resource "aws_security_group" "security_group_on_load_balancer" {
@@ -55,7 +60,7 @@ resource "aws_security_group" "security_group_on_load_balancer" {
 }
 resource "aws_alb_listener" "http_listener" {
- load_balancer_arn = "${aws_alb.load_balancer.arn}"
+ load_balancer_arn = "${module.load_balancer.arn}"
 port = "${local.http_port_for_listener}"
 protocol = "HTTP"
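Review bot: The description of `access_logs_enabled` should say that changing it after the first apply replaces the load balancer: the submodule's main.tf creates either `aws_alb.load_balancer` or `aws_alb.load_balancer_with_access_logs` depending on the flag, with complementary `count`s, so toggling it destroys one ALB and creates the other, and the DNS name changes. Suggested text: `description = "(Optional) Boolean to enable / disable access_logs. Defaults to false. Changing this on an existing deployment replaces the load balancer (new DNS name)."`. The same wording applies to the `access_logs_enabled` variable added to `aws/application_load_balancer/variables.tf` later in this patch, which is where callers will read it.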
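Review bot: `access_logs_glacier_transition_days = 365` added to the top-level `locals` in `aws/application_load_balancer/main.tf` is not referenced in any hunk of this file; the S3 lifecycle that uses it lives in the new `load_balancer` submodule, which declares its own copy of the same local. Unless a use exists outside the hunks, the top-level line is dead and the two copies can drift apart; either drop it here, or make the submodule take it as a variable and pass it from the `module "load_balancer"` block so the value is defined once. The rest of the `locals` block is outside the hunk.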
@@ -98,7 +103,7 @@ resource "aws_security_group_rule" "http_ingress_on_instances_from_load_balancer
 resource "aws_alb_listener" "https_listener" {
 certificate_arn = "${var.certificate_arn}"
- load_balancer_arn = "${aws_alb.load_balancer.arn}"
+ load_balancer_arn = "${module.load_balancer.arn}"
 port = "${local.https_port_for_listener}"
 protocol = "HTTPS"
 ssl_policy = "${var.ssl_policy}"
diff --git a/aws/application_load_balancer/outputs.tf b/aws/application_load_balancer/outputs.tf
index 45eb634..fa1716a 100644
--- a/aws/application_load_balancer/outputs.tf
+++ b/aws/application_load_balancer/outputs.tf
@@ -1,7 +1,7 @@
 output "dns_name" {
- value = "${aws_alb.load_balancer.dns_name}"
+ value = "${module.load_balancer.dns_name}"
 }
 output "zone_id" {
- value = "${aws_alb.load_balancer.zone_id}"
+ value = "${module.load_balancer.zone_id}"
 }
diff --git a/aws/application_load_balancer/variables.tf b/aws/application_load_balancer/variables.tf
index 11d49e8..328bda2 100644
--- a/aws/application_load_balancer/variables.tf
+++ b/aws/application_load_balancer/variables.tf
@@ -38,6 +38,11 @@ variable "vpc_id" {
 type = "string"
 }
+variable "access_logs_enabled" {
+ description = "(Optional) Boolean to enable / disable access_logs. Defaults to false."
+ default = false
+}
+
 variable "health_check_path" {
 description = "(Optional) The destination for the health check request. Default /healthz."
 default = "/healthz"
From 2afc8ded1cd7cd0a6ddee9c95f67a6a2efed2a11 Mon Sep 17 00:00:00 2001
From: Vladimir Andrijevikj
Date: Tue, 15 May 2018 16:35:45 +0200
Subject: [PATCH 2/3] Use Version "2012-10-17" for S3 policy
---
 aws/application_load_balancer/__examples__/.planshots.txt | 2 +-
 aws/application_load_balancer/load_balancer/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws/application_load_balancer/__examples__/.planshots.txt b/aws/application_load_balancer/__examples__/.planshots.txt
index a572b9f..7cfa395 100644
--- a/aws/application_load_balancer/__examples__/.planshots.txt
+++ b/aws/application_load_balancer/__examples__/.planshots.txt
@@ -565,6 +565,6 @@ website_endpoint:
 + module.initech_production_load_balancer.module.load_balancer.aws_s3_bucket_policy.load_balancer_access_logs
 id:
 bucket: "${aws_s3_bucket.load_balancer_access_logs.id}"
-policy: "{\n \"Version\": \"2018-05-11\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}\"\n ]\n }\n }\n ]\n}\n"
+policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}\"\n ]\n }\n }\n ]\n}\n"
 Plan: 38 to add, 0 to change, 0 to destroy.
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
index 5d69d4a..2a59571 100644
--- a/aws/application_load_balancer/load_balancer/main.tf
+++ b/aws/application_load_balancer/load_balancer/main.tf
@@ -67,7 +67,7 @@ resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
 policy = <<-JSON
 {
- "Version": "2018-05-11",
+ "Version": "2012-10-17",
 "Statement": [
 {
 "Action": [
From 1b68eee213beef442d100734a15b3d8c4c086917 Mon Sep 17 00:00:00 2001
From: Vladimir Andrijevikj
Date: Wed, 16 May 2018 12:39:48 +0200
Subject: [PATCH 3/3] =?UTF-8?q?Use=20ARN=20instead=20of=20account=20ID=20i?=
 =?UTF-8?q?n=20S3=20policy=E2=80=99s=20Principal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Due to a Terraform bug (https://github.com/hashicorp/terraform/issues/4948), if Principal is set to an account id, Terraform always reports the resource as if it needs changing (because the AWS API accepts the value, but turns it into an ARN).
---
 aws/application_load_balancer/__examples__/.planshots.txt | 2 +-
 aws/application_load_balancer/load_balancer/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws/application_load_balancer/__examples__/.planshots.txt b/aws/application_load_balancer/__examples__/.planshots.txt
index 7cfa395..47ea069 100644
--- a/aws/application_load_balancer/__examples__/.planshots.txt
+++ b/aws/application_load_balancer/__examples__/.planshots.txt
@@ -565,6 +565,6 @@ website_endpoint:
 + module.initech_production_load_balancer.module.load_balancer.aws_s3_bucket_policy.load_balancer_access_logs
 id:
 bucket: "${aws_s3_bucket.load_balancer_access_logs.id}"
-policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}\"\n ]\n }\n }\n ]\n}\n"
+policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root\"\n ]\n }\n }\n ]\n}\n"
 Plan: 38 to add, 0 to change, 0 to destroy.
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
index 2a59571..9bddd1f 100644
--- a/aws/application_load_balancer/load_balancer/main.tf
+++ b/aws/application_load_balancer/load_balancer/main.tf
@@ -77,7 +77,7 @@ resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
 "Resource": "${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*",
 "Principal": {
 "AWS": [
- "${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}"
+ "arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root"
 ]
 }
 }