The module creates resources to run an HTTP service in an autoscaling group. It creates a load balancer that terminates SSL on the TCP port 443. It also issues the SSL certificate in ACM.
Note: Starting from version 2.0 the module separates the main aws provider and a provider for Route53 resources. If you don't need to separate them, just pass the same provider for
awsandaws.dnsproviders = { aws = aws aws.dns = aws }
module "website" {
providers = {
aws = aws.aws-uw1
aws.dns = aws.aws-uw1
}
source = "infrahouse/website-pod/aws"
version = "~> 2.6"
environment = var.environment
ami = data.aws_ami.ubuntu_22.image_id
backend_subnets = module.website-vpc.subnet_private_ids
zone_id = "Z07662251LH3YRF2ERM3G"
dns_a_records = ["", "www"]
internet_gateway_id = module.website-vpc.internet_gateway_id
key_pair_name = data.aws_key_pair.aleks.key_name
subnets = module.website-vpc.subnet_public_ids
userdata = module.webserver_userdata.userdata
webserver_permissions = data.aws_iam_policy_document.webserver_permissions.json
stickiness_enabled = true
}
### Security groups
The module used default security groups up until version 2.5.0.
Starting from the version 2.6.0 the behavior changes, however in a backward-compatible manner.
The module creates two security groups. One for the load balancer, another - for the backend instances.
The load balancer security group allows traffic to TCP ports 443 and `var.alb_listener_port` (80 by default).
The backend security group allows user traffic and health checks coming from the load balancer.
Also, the security group allows SSH from the VPC wehere the backend instances reside and from `var.ssh_cidr_block`.
It is 0.0.0.0/0 by default, but the goal is allow user restrict access let's say to anyone but the management VPC.
Both security groups allow incoming ICMP traffic.
Additionally, the user can specify additional security groups via `var.extra_security_groups_backend`.
They will be added to the backend instance alongside with the created backend security group.
| Name | Version |
|---|---|
| terraform | ~> 1.5 |
| aws | ~> 5.11 |
| Name | Version |
|---|---|
| aws | ~> 5.11 |
| aws.dns | ~> 5.11 |
| Name | Source | Version |
|---|---|---|
| webserver_profile | registry.infrahouse.com/infrahouse/instance-profile/aws | 1.3.3 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alb_access_log_enabled | Whether to maintain the access log. | bool |
false |
no |
| alb_healthcheck_enabled | Whether health checks are enabled. | bool |
true |
no |
| alb_healthcheck_healthy_threshold | Number of times the host have to pass the test to be considered healthy | number |
2 |
no |
| alb_healthcheck_interval | Number of seconds between checks | number |
5 |
no |
| alb_healthcheck_path | Path on the webserver that the elb will check to determine whether the instance is healthy or not | string |
"/index.html" |
no |
| alb_healthcheck_port | Port of the webserver that the elb will check to determine whether the instance is healthy or not | any |
80 |
no |
| alb_healthcheck_protocol | Protocol to use with the webserver that the elb will check to determine whether the instance is healthy or not | string |
"HTTP" |
no |
| alb_healthcheck_response_code_matcher | Range of http return codes that can match | string |
"200-299" |
no |
| alb_healthcheck_timeout | Number of seconds to timeout a check | number |
4 |
no |
| alb_healthcheck_uhealthy_threshold | Number of times the host have to pass the test to be considered UNhealthy | number |
2 |
no |
| alb_idle_timeout | The time in seconds that the connection is allowed to be idle. | number |
60 |
no |
| alb_internal | If true, the LB will be internal. | bool |
false |
no |
| alb_listener_port | TCP port that a load balancer listens to to serve client HTTP requests. The load balancer redirects this port to 443 and HTTPS. | number |
80 |
no |
| alb_name_prefix | Name prefix for the load balancer | string |
"web" |
no |
| ami | Image for EC2 instances | string |
n/a | yes |
| asg_max_size | Maximum number of instances in ASG | number |
10 |
no |
| asg_min_elb_capacity | Terraform will wait until this many EC2 instances in the autoscaling group become healthy. By default, it's equal to var.asg_min_size. | number |
null |
no |
| asg_min_size | Minimum number of instances in ASG | number |
2 |
no |
| asg_name | Autoscaling group name, if provided. | string |
null |
no |
| asg_scale_in_protected_instances | Behavior when encountering instances protected from scale in are found. Available behaviors are Refresh, Ignore, and Wait. | string |
"Ignore" |
no |
| attach_tagret_group_to_asg | By default we want to register all ASG instances in the target group. However ECS registers targets itself. Disable it if using website-pod for ECS. | bool |
true |
no |
| autoscaling_target_cpu_load | Target CPU load for autoscaling | number |
60 |
no |
| backend_subnets | Subnet ids where EC2 instances should be present | list(string) |
n/a | yes |
| dns_a_records | List of A records in the zone_id that will resolve to the ALB dns name. | list(string) |
[ |
no |
| enable_deletion_protection | Prevent load balancer from destroying | bool |
false |
no |
| environment | Name of environment | string |
"development" |
no |
| extra_security_groups_backend | A list of security group ids to assign to backend instances | list(string) |
[] |
no |
| health_check_grace_period | ASG will wait up to this number of seconds for instance to become healthy | number |
300 |
no |
| health_check_type | Type of healthcheck the ASG uses. Can be EC2 or ELB. | string |
"ELB" |
no |
| instance_profile | IAM profile name to be created for the webserver instances. | string |
"webserver" |
no |
| instance_type | EC2 instances type | string |
"t3.micro" |
no |
| internet_gateway_id | Not used, but AWS Internet Gateway must be present. Ensure by passing its id. | string |
n/a | yes |
| key_pair_name | SSH keypair name to be deployed in EC2 instances | string |
n/a | yes |
| max_instance_lifetime_days | The maximum amount of time, in _days_, that an instance can be in service, values must be either equal to 0 or between 7 and 365 days. | number |
30 |
no |
| min_healthy_percentage | Amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group. | number |
100 |
no |
| protect_from_scale_in | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. | bool |
false |
no |
| root_volume_size | Root volume size in EC2 instance in Gigabytes | number |
30 |
no |
| service_name | Descriptive name of a service that will use this VPC | string |
"website" |
no |
| ssh_cidr_block | CIDR range that is allowed to SSH into the backend instances | string |
"0.0.0.0/0" |
no |
| stickiness_enabled | If true, enable stickiness on the target group ensuring a clients is forwarded to the same target. | bool |
false |
no |
| subnets | Subnet ids where load balancer should be present | list(string) |
n/a | yes |
| tags | Tags to apply to instances in the autoscaling group. | map(string) |
{ |
no |
| target_group_port | TCP port that a target listens to to serve requests from the load balancer. | number |
80 |
no |
| userdata | userdata for cloud-init to provision EC2 instances | string |
n/a | yes |
| wait_for_capacity_timeout | How much time to wait until all instances are healthy | string |
"20m" |
no |
| webserver_permissions | A JSON with a permissions policy document. The policy will be attached to the webserver instance profile. | string |
n/a | yes |
| zone_id | Domain name zone ID where the website will be available | string |
n/a | yes |
| Name | Description |
|---|---|
| asg_arn | ARN of the created autoscaling group |
| asg_name | Name of the created autoscaling group |
| dns_name | DNA namae of the load balancer. |
| target_group_arn | Target group ARN that listens to the service port. |
| zone_id | Zone id where A records are created for the service. |