Merge pull request #6766 from ministryofjustice/ifs-lb-with-logging

use lb with logging module
ministryofjustice · Jun 27, 2024 · 14f90f9 · 14f90f9
2 parents 6fa268b + 89a44dd
commit 14f90f9
Show file tree

Hide file tree

Showing 4 changed files with 165 additions and 8 deletions.
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
@@ -1,6 +1,9 @@
-data "aws_ecs_task_definition" "task_definition" {
+data "aws_ecs_task_definition" "task_definitions" {
   task_definition = aws_ecs_task_definition.ifs_task_definition.family
-  depends_on      = [aws_ecs_task_definition.ifs_task_definition]
+}
+
+data "aws_ecs_task_definition" "latest_task_definition" {
+  task_definition = "${aws_ecs_task_definition.ifs_task_definition.family}:${data.aws_ecs_task_definition.task_definitions.revision}"
 }
 
 resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
@@ -356,17 +359,21 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" {
 }
 
 resource "aws_ecs_service" "ecs_service" {
-  depends_on                        = [aws_lb_listener.https_listener]
   name                              = var.networking[0].application
   cluster                           = aws_ecs_cluster.ecs_cluster.id
-  task_definition                   = aws_ecs_task_definition.ifs_task_definition.arn
+  task_definition                   = data.aws_ecs_task_definition.latest_task_definition.arn
   desired_count                     = local.application_data.accounts[local.environment].app_count
   health_check_grace_period_seconds = 60
   capacity_provider_strategy {
     capacity_provider = aws_ecs_capacity_provider.ifs.name
     weight            = 1
   }
 
+  depends_on = [
+    aws_lb_listener.https_listener,
+    aws_ecs_task_definition.ifs_task_definition
+  ]
+
   ordered_placement_strategy {
     field = "attribute:ecs.availability-zone"
     type  = "spread"

diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf
@@ -41,11 +41,18 @@ resource "aws_lb_target_group" "ifs_target_group" {
   }
 
   health_check {
-    healthy_threshold   = "2"
-    interval            = "30"
-    unhealthy_threshold = "3"
+    # healthy_threshold   = "2"
+    # interval            = "30"
+    # unhealthy_threshold = "3"
+    # matcher             = "200-499"
+    # timeout             = "20"
+    # path                = "/health"
+    healthy_threshold   = "5"
+    interval            = "60"
+    protocol            = "HTTP"
+    unhealthy_threshold = "2"
     matcher             = "200-499"
-    timeout             = "20"
+    timeout             = "15"
     path                = "/health"
   }
 }
@@ -64,3 +71,120 @@ resource "aws_lb_listener" "https_listener" {
     type             = "forward"
   }
 }
+
+#=================================================================
+
+
+# module "lb_access_logs_enabled" {
+#   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee"
+#   providers = {
+#     aws.bucket-replication = aws
+#   }
+#   vpc_all                    = "${local.vpc_name}-${local.environment}"
+#   force_destroy_bucket       = true
+#   application_name           = local.application_name
+#   public_subnets             = data.aws_subnets.shared-public.ids
+#   loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
+#   loadbalancer_egress_rules  = local.loadbalancer_egress_rules
+#   account_number             = local.environment_management.account_ids[terraform.workspace]
+#   region                     = "eu-west-2"
+#   enable_deletion_protection = false
+#   idle_timeout               = 60
+#   tags                       = { Name = "lb_module" }
+
+# }
+
+# resource "random_string" "ifs_target_group_name" {
+#   length  = 8
+#   special = false
+# }
+
+# resource "aws_lb_target_group" "ifs_target_group" {
+#   name                 = "ifs-target-group"
+#   port                 = 80
+#   protocol             = "HTTP"
+#   vpc_id               = data.aws_vpc.shared.id
+#   target_type          = "ip"
+#   deregistration_delay = 30
+
+#   stickiness {
+#     type = "lb_cookie"
+#   }
+
+#   health_check {
+#     healthy_threshold   = "5"
+#     interval            = "60"
+#     protocol            = "HTTP"
+#     unhealthy_threshold = "2"
+#     matcher             = "200-499"
+#     timeout             = "15"
+#     path                = "/health"
+#   }
+
+#   lifecycle {
+#     create_before_destroy = true
+#     ignore_changes        = [name]
+#   }
+
+#   tags = {
+#     Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
+#   }
+# }
+
+# resource "aws_security_group" "ifs_lb_sc" {
+#   name        = "load balancer security group"
+#   description = "control access to the load balancer"
+#   vpc_id      = data.aws_vpc.shared.id
+
+#   ingress {
+#     description = "allow access on HTTPS"
+#     from_port   = 443
+#     to_port     = 443
+#     protocol    = "tcp"
+#     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
+#   }
+
+#   egress {
+#     description = "Open all outbound ports"
+#     from_port   = 0
+#     to_port     = 0
+#     protocol    = "-1"
+#     cidr_blocks = ["0.0.0.0/0"]
+#   }
+# }
+
+# resource "aws_security_group" "ifs_target_sc" {
+#   name        = "target security group"
+#   description = "allow health check traffic from load balancer"
+#   vpc_id      = data.aws_vpc.shared.id
+
+#   ingress {
+#     description     = "allow traffic from load balancer"
+#     from_port       = 80
+#     to_port         = 80
+#     protocol        = "tcp"
+#     security_groups = [module.lb_access_logs_enabled.security_group.id]
+#   }
+
+#   egress {
+#     description = "Open all outbound ports"
+#     from_port   = 0
+#     to_port     = 0
+#     protocol    = "-1"
+#     cidr_blocks = ["0.0.0.0/0"]
+#   }
+# }
+
+# resource "aws_lb_listener" "https_listener" {
+#   #checkov:skip=CKV_AWS_103
+#   depends_on        = [aws_acm_certificate_validation.external]
+#   load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn
+#   port              = 443
+#   protocol          = "HTTPS"
+#   certificate_arn   = aws_acm_certificate.external.arn
+
+#   default_action {
+#     target_group_arn = aws_lb_target_group.ifs_target_group.id
+#     type             = "forward"
+#   }
+# }
diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf
@@ -20,4 +20,26 @@ locals {
     cluster_name = "${local.application_name}-ecs-cluster"
   }))
 
+  # loadbalancer_ingress_rules = {
+  #     "cluster_ec2_lb_ingress" = {
+  #       description     = "allow access on HTTPS"
+  #       from_port       = 443
+  #       to_port         = 443
+  #       protocol        = "tcp"
+  #       cidr_blocks     = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
+  #       security_groups = []
+  #     }
+  #   }
+
+  # loadbalancer_egress_rules = {
+  #   "cluster_ec2_lb_egress" = {
+  #     description     = "Open all outbound ports"
+  #     from_port       = 0
+  #     to_port         = 0
+  #     protocol        = "-1"
+  #     cidr_blocks     = ["0.0.0.0/0"]
+  #     security_groups = []
+  #   }
+  # }
+
 }
diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf
@@ -54,6 +54,8 @@ resource "aws_route53_record" "external" {
   alias {
     name                   = aws_lb.ifs_lb.dns_name
     zone_id                = aws_lb.ifs_lb.zone_id
+    # name                   = module.lb_access_logs_enabled.load_balancer.dns_name
+    # zone_id                = module.lb_access_logs_enabled.load_balancer.zone_id
     evaluate_target_health = true
   }
 }
@@ -108,6 +110,8 @@ resource "aws_route53_record" "external_prod" {
   alias {
     name                   = aws_lb.ifs_lb.dns_name
     zone_id                = aws_lb.ifs_lb.zone_id
+    # name                   = module.lb_access_logs_enabled.load_balancer.dns_name
+    # zone_id                = module.lb_access_logs_enabled.load_balancer.zone_id
     evaluate_target_health = true
   }
 }