VA-411 add hakija load balancer

Opetushallitus · May 31, 2024 · d3579f6 · d3579f6
1 parent 1b8a092
commit d3579f6
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 11 deletions.
diff --git a/cdk/lib/security-group-stack.ts b/cdk/lib/security-group-stack.ts
@@ -1,7 +1,7 @@
 import * as cdk from 'aws-cdk-lib'
 import { Environment } from './va-env-stage'
 import { Peer, Port, SecurityGroup, IVpc } from 'aws-cdk-lib/aws-ec2'
-import { VIRKAILIJA_PORT } from './va-service-stack'
+import { HAKIJA_PORT, VIRKAILIJA_PORT } from './va-service-stack'
 
 export interface VaSecurityGroups {
   vaServiceSecurityGroup: SecurityGroup
@@ -64,12 +64,23 @@ export class SecurityGroupStack extends cdk.Stack {
     this.securityGroups.albSecurityGroup.addEgressRule(
       this.securityGroups.vaServiceSecurityGroup,
       Port.tcp(VIRKAILIJA_PORT),
-      'Allow egress to VA service'
+      'Allow egress to VA virkailija service'
     )
     this.securityGroups.vaServiceSecurityGroup.addIngressRule(
       this.securityGroups.albSecurityGroup,
       Port.tcp(VIRKAILIJA_PORT),
-      'Allow access from ALB'
+      'Allow access to virkailija from ALB'
+    )
+
+    this.securityGroups.albSecurityGroup.addEgressRule(
+      this.securityGroups.vaServiceSecurityGroup,
+      Port.tcp(HAKIJA_PORT),
+      'Allow egress to VA hakija service'
+    )
+    this.securityGroups.vaServiceSecurityGroup.addIngressRule(
+      this.securityGroups.albSecurityGroup,
+      Port.tcp(HAKIJA_PORT),
+      'Allow access to hakija from ALB'
     )
   }
 }
diff --git a/cdk/lib/va-service-stack.ts b/cdk/lib/va-service-stack.ts
@@ -103,7 +103,7 @@ export class VaServiceStack extends cdk.Stack {
       }),
       portMappings: [
         {
-          name: 'http',
+          name: 'virkailija',
           containerPort: VIRKAILIJA_PORT,
           hostPort: VIRKAILIJA_PORT,
           appProtocol: AppProtocol.http,
@@ -139,9 +139,9 @@ export class VaServiceStack extends cdk.Stack {
       healthCheckGracePeriod: Duration.minutes(10),
     })
 
-    /* ---------- LOAD BALANCER ---------- */
+    /* ---------- VIRKAILIJA LOAD BALANCER ---------- */
 
-    const virkailijaTargetGroup = new ApplicationTargetGroup(this, 'va-service-target-group', {
+    const virkailijaTargetGroup = new ApplicationTargetGroup(this, 'va-virkailija-target-group', {
       vpc: vpc,
       targets: [vaService],
       protocol: ApplicationProtocol.HTTP,
@@ -154,7 +154,29 @@ export class VaServiceStack extends cdk.Stack {
       },
     })
 
-    const hakijaTargetGroup = new ApplicationTargetGroup(this, 'hakija-target-group', {
+    const virkailijaLoadBalancer = new ApplicationLoadBalancer(
+      this,
+      'va-virkailija-load-balancer',
+      {
+        loadBalancerName: 'va-virkailija-service',
+        securityGroup: albSecurityGroup,
+        xffHeaderProcessingMode: XffHeaderProcessingMode.APPEND,
+        internetFacing: true,
+        vpc: vpc,
+        preserveHostHeader: true,
+      }
+    )
+
+    const virkailijaListener = virkailijaLoadBalancer.addListener('lb-http', {
+      protocol: ApplicationProtocol.HTTP,
+      port: 80,
+      defaultTargetGroups: [virkailijaTargetGroup],
+      open: false, // Allow only Reaktor office for now, app is not configured properly yet
+    })
+
+    /* ---------- HAKIJA LOAD BALANCER ---------- */
+
+    const hakijaTargetGroup = new ApplicationTargetGroup(this, 'va-hakija-target-group', {
       vpc: vpc,
       targets: [vaService],
       protocol: ApplicationProtocol.HTTP,
@@ -167,19 +189,19 @@ export class VaServiceStack extends cdk.Stack {
       },
     })
 
-    const lb = new ApplicationLoadBalancer(this, 'va-service-load-balancer', {
-      loadBalancerName: 'valtionavustukset-service',
+    const hakijaLoadBalancer = new ApplicationLoadBalancer(this, 'va-hakija-load-balancer', {
+      loadBalancerName: 'va-hakija-service',
       securityGroup: albSecurityGroup,
       xffHeaderProcessingMode: XffHeaderProcessingMode.APPEND,
       internetFacing: true,
       vpc: vpc,
       preserveHostHeader: true,
     })
 
-    const httpListener = lb.addListener('lb-http', {
+    const hakijaListener = hakijaLoadBalancer.addListener('lb-http', {
       protocol: ApplicationProtocol.HTTP,
       port: 80,
-      defaultTargetGroups: [virkailijaTargetGroup, hakijaTargetGroup],
+      defaultTargetGroups: [hakijaTargetGroup],
       open: false, // Allow only Reaktor office for now, app is not configured properly yet
     })
   }