Adding optional internal ALB

Author: adenot

_outputs.tf

@@ -14,6 +14,22 @@ output "alb_zone_id" {
   value = aws_lb.ecs.*.zone_id
 }
 
+output "alb_internal_id" {
+  value = aws_lb.ecs_internal.*.id
+}
+
+output "alb_internal_arn" {
+  value = aws_lb.ecs_internal.*.arn
+}
+
+output "alb_internal_dns_name" {
+  value = aws_lb.ecs_internal.*.dns_name
+}
+
+output "alb_internal_zone_id" {
+  value = aws_lb.ecs_internal.*.zone_id
+}
+
 output "ecs_iam_role_arn" {
   value = aws_iam_role.ecs.arn
 }
@@ -54,10 +70,18 @@ output "alb_listener_https_arn" {
   value = aws_lb_listener.ecs_https.*.arn
 }
 
-output "test_traffic_route_listener_arn" {
+output "alb_listener_test_traffic_arn" {
   value = aws_lb_listener.ecs_test_https.*.arn
 }
 
+output "alb_internal_listener_https_arn" {
+  value = aws_lb_listener.ecs_https_internal.*.arn
+}
+
+output "alb_internal_listener_test_traffic_arn" {
+  value = aws_lb_listener.ecs_test_https_internal.*.arn
+}
+
 output "ecs_nodes_secgrp_id" {
   value = aws_security_group.ecs_nodes.id
 }

_variables.tf

@@ -32,7 +32,7 @@ variable "vpc_id" {
 
 variable "private_subnet_ids" {
   type        = list(string)
-  description = "List of private subnet IDs for ECS instances"
+  description = "List of private subnet IDs for ECS instances and Internal ALB when enabled"
 }
 
 variable "public_subnet_ids" {
@@ -70,6 +70,11 @@ variable "alb_only" {
   description = "Whether to deploy only an alb and no cloudFront or not with the cluster"
 }
 
+variable "alb_internal" {
+  default     = false
+  description = "Deploys a second internal ALB for private APIs"
+}
+
 variable "asg_min" {
   default     = 1
   description = "Min number of instances for autoscaling group"

alb-internal.tf

@@ -0,0 +1,83 @@
+resource "aws_lb" "ecs_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  load_balancer_type = "application"
+  internal           = true
+  name               = "ecs-${var.name}-internal"
+  subnets            = var.private_subnet_ids
+
+  security_groups = [
+    aws_security_group.alb_internal[0].id,
+  ]
+
+  idle_timeout = 400
+
+  dynamic "access_logs" {
+    for_each = compact([var.lb_access_logs_bucket])
+
+    content {
+      bucket  = var.lb_access_logs_bucket
+      prefix  = var.lb_access_logs_prefix
+      enabled = true
+    }
+  }
+
+  tags = {
+    Name = "ecs-${var.name}-internal"
+  }
+}
+
+resource "aws_lb_listener" "ecs_https_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  load_balancer_arn = aws_lb.ecs_internal[0].arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ecs_default_https_internal[0].arn
+  }
+}
+
+resource "aws_lb_listener" "ecs_test_https_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  load_balancer_arn = aws_lb.ecs_internal[0].arn
+  port              = "8443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type = "forward"
+    #target_group_arn = aws_lb_target_group.ecs_replacement_https[0].arn
+    target_group_arn = aws_lb_target_group.ecs_default_https_internal[0].arn
+  }
+}
+
+# Generate a random string to add it to the name of the Target Group
+resource "random_string" "alb_internal_prefix" {
+  count   = var.alb_internal ? 1 : 0
+  length  = 4
+  upper   = false
+  special = false
+}
+
+resource "aws_lb_target_group" "ecs_default_https_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  name     = substr("ecs-${var.name}-int-default-https-${random_string.alb_internal_prefix[0].result}", 0, 32)
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+
+

sg-alb-internal.tf

@@ -0,0 +1,48 @@
+resource "aws_security_group" "alb_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  name        = "ecs-${var.name}-lb-internal"
+  description = "SG for ECS Internal ALB"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "ecs-${var.name}-lb"
+  }
+}
+
+resource "aws_security_group_rule" "https_from_world_to_alb_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  description       = "HTTPS ECS Internal ALB"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.alb_internal[0].id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "https_test_listener_from_world_to_alb_internal" {
+  count = var.alb_internal ? 1 : 0
+
+  description       = "HTTPS ECS Internal ALB Test Listener"
+  type              = "ingress"
+  from_port         = 8443
+  to_port           = 8443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.alb_internal[0].id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+
+resource "aws_security_group_rule" "from_alb_internal_to_ecs_nodes" {
+  count = var.alb_internal ? 1 : 0
+
+  description              = "Traffic to ECS Nodes"
+  type                     = "egress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.alb_internal[0].id
+  source_security_group_id = aws_security_group.ecs_nodes.id
+}