From aa858827d1040e56ea147411e7bb28afa488b810 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 27 Jun 2024 11:17:44 +0100 Subject: [PATCH 01/13] use lb with logging module --- terraform/environments/cdpt-ifs/ecs.tf | 13 ++++++++++--- terraform/environments/cdpt-ifs/locals.tf | 22 ++++++++++++++++++++++ terraform/environments/cdpt-ifs/route53.tf | 12 ++++++++---- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index d2f4bc1d90c..5dd357e384f 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -1,6 +1,9 @@ -data "aws_ecs_task_definition" "task_definition" { +data "aws_ecs_task_definition" "task_definitions" { task_definition = aws_ecs_task_definition.ifs_task_definition.family - depends_on = [aws_ecs_task_definition.ifs_task_definition] +} + +data "aws_ecs_task_definition" "latest_task_definition" { + task_definition = "${aws_ecs_task_definition.ifs_task_definition.family}:${data.aws_ecs_task_definition.task_definitions.revision}" } resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards @@ -356,7 +359,6 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" { } resource "aws_ecs_service" "ecs_service" { - depends_on = [aws_lb_listener.https_listener] name = var.networking[0].application cluster = aws_ecs_cluster.ecs_cluster.id task_definition = aws_ecs_task_definition.ifs_task_definition.arn @@ -367,6 +369,11 @@ resource "aws_ecs_service" "ecs_service" { weight = 1 } + depends_on = [ + aws_lb_listener.https_listener, + aws_ecs_task_definition.ifs_task_definition + ] + ordered_placement_strategy { field = "attribute:ecs.availability-zone" type = "spread" diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index d50c701409c..eed297a9185 100644 --- a/terraform/environments/cdpt-ifs/locals.tf 
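Review bot: Dropping `depends_on = [aws_ecs_task_definition.ifs_task_definition]` from the `task_definitions` data source lets Terraform read it at plan time, because `.family` is a statically configured argument and already known, so a plan that registers a new revision of `ifs_task_definition` still resolves the revision that was ACTIVE before the apply and anything built on `data.aws_ecs_task_definition.latest_task_definition.arn` can lag one revision behind. Keep the explicit dependency on the data source, `depends_on = [aws_ecs_task_definition.ifs_task_definition]`, so the read is deferred until the resource has been applied. The new `latest_task_definition` lookup also appears redundant: the provider resolves a bare family to its latest ACTIVE revision, so `data.aws_ecs_task_definition.task_definitions.arn` should already be the same ARN — worth confirming before keeping two lookups of the same thing.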
+++ b/terraform/environments/cdpt-ifs/locals.tf @@ -20,4 +20,26 @@ locals { cluster_name = "${local.application_name}-ecs-cluster" })) + loadbalancer_ingress_rules = { + "cluster_ec2_lb_ingress" = { + description = "allow access on HTTPS" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] + security_groups = [] + } + } + + loadbalancer_egress_rules = { + "cluster_ec2_lb_egress" = { + description = "Open all outbound ports" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + security_groups = [] + } + } + } \ No newline at end of file diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf index 6e184a2eca2..40b7b8f0d81 100644 --- a/terraform/environments/cdpt-ifs/route53.tf +++ b/terraform/environments/cdpt-ifs/route53.tf @@ -52,8 +52,10 @@ resource "aws_route53_record" "external" { type = "A" alias { - name = aws_lb.ifs_lb.dns_name - zone_id = aws_lb.ifs_lb.zone_id + #name = aws_lb.ifs_lb.dns_name + #zone_id = aws_lb.ifs_lb.zone_id + name = module.lb_access_logs_enabled.load_balancer.dns_name + zone_id = module.lb_access_logs_enabled.load_balancer.zone_id evaluate_target_health = true } } 
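Review bot: The HTTPS allowlist in `loadbalancer_ingress_rules` contains `192.168.5.101/32`, an RFC 1918 address that cannot be the source of traffic reaching an internet-facing ALB (the module is handed `public_subnets`), so the entry is either dead or records an expectation that is not met — remove it or add a comment naming the path it is meant to cover. None of the roughly 38 CIDRs is annotated; a `# owner / purpose` comment per entry, or a `local.allowed_cidrs` map keyed by owner, is what a later reviewer needs to prune the list safely. `loadbalancer_egress_rules` opens all outbound (`protocol = "-1"`, `cidr_blocks = ["0.0.0.0/0"]`) although an ALB only needs to reach its targets; `from_port = 80`, `to_port = 80`, `protocol = "tcp"` against the target security group (the rule already carries a `security_groups` field) is sufficient if the module accepts it. The same list is still hard-coded in `aws_security_group.ifs_lb_sc` in loadbalancer.tf, so keep one copy and reference it from both places.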
@@ -106,8 +108,10 @@ resource "aws_route53_record" "external_prod" { type = "A" alias { - name = aws_lb.ifs_lb.dns_name - zone_id = aws_lb.ifs_lb.zone_id + #name = aws_lb.ifs_lb.dns_name + #zone_id = aws_lb.ifs_lb.zone_id + name = module.lb_access_logs_enabled.load_balancer.dns_name + zone_id = module.lb_access_logs_enabled.load_balancer.zone_id evaluate_target_health = true } } From 90b2cd307efc85492f078f778082881b0e141285 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 27 Jun 2024 11:19:45 +0100 Subject: [PATCH 02/13] add lb changes --- .../environments/cdpt-ifs/loadbalancer.tf | 171 +++++++++++++++--- 1 file changed, 144 insertions(+), 27 deletions(-) diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf index 041f75ef892..ccf668a1c39 100644 --- a/terraform/environments/cdpt-ifs/loadbalancer.tf +++ b/terraform/environments/cdpt-ifs/loadbalancer.tf 
@@ -1,3 +1,129 @@ +# resource "aws_security_group" "ifs_lb_sc" { +# name = "load balancer security group" +# description = "control access to the load balancer" +# vpc_id = data.aws_vpc.shared.id + +# ingress { +# description = "allow access on HTTPS" +# from_port = 443 +# to_port = 443 +# protocol = "tcp" +# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] +# } + +# egress { +# description = "Open all outbound ports" +# from_port = 0 +# to_port = 0 +# protocol = "-1" +# cidr_blocks = ["0.0.0.0/0"] +# } +# } + +# resource "aws_lb" "ifs_lb" { +# name = "ifs-load-balancer" +# load_balancer_type = "application" +# security_groups = [aws_security_group.ifs_lb_sc.id] +# subnets = data.aws_subnets.shared-public.ids +# drop_invalid_header_fields = false +# } + +# resource "aws_lb_target_group" "ifs_target_group" { +# name = "ifs-target-group" +# port = 80 +# protocol = "HTTP" +# vpc_id = data.aws_vpc.shared.id +# target_type = "ip" +# deregistration_delay = 30 + +# stickiness { +# type = "lb_cookie" +# } + +# health_check { +# healthy_threshold = "2" +# interval = "30" +# unhealthy_threshold = "3" +# matcher = "200-499" +# timeout = "20" +# path = "/health" +# } +# } + +# resource "aws_lb_listener" "https_listener" { +# #checkov:skip=CKV_AWS_103 +# depends_on = 
[aws_acm_certificate_validation.external] + +# load_balancer_arn = aws_lb.ifs_lb.arn +# port = 443 +# protocol = "HTTPS" +# certificate_arn = aws_acm_certificate.external.arn + +# default_action { +# target_group_arn = aws_lb_target_group.ifs_target_group.id +# type = "forward" +# } +# } + +#================================================================= + + +module "lb_access_logs_enabled" { + source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee" + providers = { + aws.bucket-replication = aws + } + vpc_all = "${local.vpc_name}-${local.environment}" + force_destroy_bucket = true + application_name = local.application_name + public_subnets = data.aws_subnets.shared-public.ids + loadbalancer_ingress_rules = local.loadbalancer_ingress_rules + loadbalancer_egress_rules = local.loadbalancer_egress_rules + account_number = local.environment_management.account_ids[terraform.workspace] + region = "eu-west-2" + enable_deletion_protection = false + idle_timeout = 60 + tags = { Name = "lb_module" } + +} + +resource "random_string" "ifs_target_group_name" { + length = 8 + special = false +} + +resource "aws_lb_target_group" "ifs_target_group" { + name = "ifs-target-group" + port = 80 + protocol = "HTTP" + vpc_id = data.aws_vpc.shared.id + target_type = "ip" + deregistration_delay = 30 + + stickiness { + type = "lb_cookie" + } + + health_check { + healthy_threshold = "5" + interval = "60" + protocol = "HTTP" + unhealthy_threshold = "2" + matcher = "200-499" + timeout = "15" + path = "/health" + } + + lifecycle { + create_before_destroy = true + ignore_changes = [name] + } + + tags = { + Name = "ifs-target-group-${random_string.ifs_target_group_name.result}" + } +} + resource "aws_security_group" "ifs_lb_sc" { name = "load balancer security group" description = "control access to the load balancer" 
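Review bot: `force_destroy_bucket = true` together with `enable_deletion_protection = false` on `module "lb_access_logs_enabled"` means a `terraform destroy`, or a change that forces replacement, deletes the ALB access-log bucket with its contents, which defeats keeping the logs for incident review; set `force_destroy_bucket = false` outside non-production, e.g. `force_destroy_bucket = local.environment != "production"` if `local.environment` carries the environment name as its use in `vpc_all` suggests. The new `aws_lb_target_group.ifs_target_group` sets `create_before_destroy = true` but a fixed `name = "ifs-target-group"`, so a replacement fails on the name collision; `random_string.ifs_target_group_name` is only used in the tag, and `name = "ifs-tg-${random_string.ifs_target_group_name.result}"` alongside the existing `ignore_changes = [name]` is presumably what was intended. `matcher = "200-499"` reports a target healthy on any 4xx from `/health`, including 401/403/404 from a misrouted or misconfigured container; `matcher = "200"` is the safer default unless the endpoint is known to return something else on purpose. `providers = { aws.bucket-replication = aws }` points log replication at the same account and provider; confirm that is intentional rather than a placeholder.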
@@ -20,41 +146,32 @@ resource "aws_security_group" "ifs_lb_sc" { } } -resource "aws_lb" "ifs_lb" { - name = "ifs-load-balancer" - load_balancer_type = "application" - security_groups = [aws_security_group.ifs_lb_sc.id] - subnets = data.aws_subnets.shared-public.ids - drop_invalid_header_fields = false -} - -resource "aws_lb_target_group" "ifs_target_group" { - name = "ifs-target-group" - port = 80 - protocol = "HTTP" - vpc_id = data.aws_vpc.shared.id - target_type = "ip" - deregistration_delay = 30 +resource "aws_security_group" "ifs_target_sc" { + name = "target security group" + description = "allow health check traffic from load balancer" + vpc_id = data.aws_vpc.shared.id - stickiness { - type = "lb_cookie" + ingress { + description = "allow traffic from load balancer" + from_port = 80 + to_port = 80 + protocol = "tcp" + security_groups = [module.lb_access_logs_enabled.security_group.id] } - health_check { - healthy_threshold = "2" - interval = "30" - unhealthy_threshold = "3" - matcher = "200-499" - timeout = "20" - path = "/health" + egress { + description = "Open all outbound ports" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } } resource "aws_lb_listener" "https_listener" { #checkov:skip=CKV_AWS_103 - depends_on = [aws_acm_certificate_validation.external] - - load_balancer_arn = aws_lb.ifs_lb.arn + depends_on = [aws_acm_certificate_validation.external] + load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn port = 443 protocol = "HTTPS" certificate_arn = aws_acm_certificate.external.arn From 856d17ef172593f5041c3addeb43895c769225c1 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 27 Jun 2024 11:46:36 +0100 Subject: [PATCH 03/13] use latest task def --- terraform/environments/cdpt-ifs/ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 5dd357e384f..d25f074fdce 100644 
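Review bot: `aws_lb_listener.https_listener` is re-pointed at the module's ALB but still sets no `ssl_policy`, so it negotiates with the provider's default policy while the `#checkov:skip=CKV_AWS_103` on the context line above keeps the TLS-version check silenced; add `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` and drop the skip. `aws_security_group.ifs_target_sc` correctly limits port 80 to `module.lb_access_logs_enabled.security_group.id`, but nothing in this hunk attaches it to the ECS service or its instances; if the service's network configuration (outside this diff) still uses another group, this one is inert — worth confirming. The old `aws_security_group.ifs_lb_sc` at the top of the hunk is referenced by nothing once `aws_lb.ifs_lb` is removed, yet it keeps a second copy of the HTTPS allowlist; delete it or have the module consume it. The listener's `default_action` continues outside the hunk.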
--- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -361,7 +361,7 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" { resource "aws_ecs_service" "ecs_service" { name = var.networking[0].application cluster = aws_ecs_cluster.ecs_cluster.id - task_definition = aws_ecs_task_definition.ifs_task_definition.arn + task_definition = aws_ecs_task_definition.latest_task_definition.arn desired_count = local.application_data.accounts[local.environment].app_count health_check_grace_period_seconds = 60 capacity_provider_strategy { From 9d010157c8b4fae84c0386ede4e24b167a7d6b9b Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 27 Jun 2024 11:49:16 +0100 Subject: [PATCH 04/13] fix typo --- terraform/environments/cdpt-ifs/ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index d25f074fdce..b0d4f64e27a 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -361,7 +361,7 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" { resource "aws_ecs_service" "ecs_service" { name = var.networking[0].application cluster = aws_ecs_cluster.ecs_cluster.id - task_definition = aws_ecs_task_definition.latest_task_definition.arn + task_definition = data.aws_ecs_task_definition.latest_task_definition.arn desired_count = local.application_data.accounts[local.environment].app_count health_check_grace_period_seconds = 60 capacity_provider_strategy { From c404882d61c6e5c972eae0bb22e08eccdbeedf64 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 27 Jun 2024 12:10:15 +0100 Subject: [PATCH 05/13] revert lb logging, keep latest TD --- .../environments/cdpt-ifs/loadbalancer.tf | 288 +++++++++--------- terraform/environments/cdpt-ifs/locals.tf | 40 +-- terraform/environments/cdpt-ifs/route53.tf | 16 +- 3 files changed, 172 insertions(+), 172 deletions(-) 
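Review bot: Pointing `aws_ecs_service.ecs_service` at `data.aws_ecs_task_definition.latest_task_definition.arn` makes the deployed revision whatever is ACTIVE in the account when Terraform plans, not the revision this configuration describes; any principal with `ecs:RegisterTaskDefinition` on the family (a CI role, or an attacker holding one) can then change the running image or environment and Terraform adopts the change on the next apply instead of reverting it. If coexisting with out-of-band registrations is the intent, say so in a comment and constrain who may register revisions in that family; otherwise keep `task_definition = aws_ecs_task_definition.ifs_task_definition.arn` so Terraform remains the source of truth. Because the data source's input is derived from the static `family`, it is read at plan time, so in the same apply that registers a new revision the service may still receive the previous one — TODO confirm by planning with a changed container definition. The enclosing resource continues outside the hunk (`capacity_provider_strategy`).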
diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf
index ccf668a1c39..7f027723067 100644
--- a/terraform/environments/cdpt-ifs/loadbalancer.tf
+++ b/terraform/environments/cdpt-ifs/loadbalancer.tf
@@ -1,129 +1,3 @@ -# resource "aws_security_group" "ifs_lb_sc" { -# name = "load balancer security group" -# description = "control access to the load balancer" -# vpc_id = data.aws_vpc.shared.id - -# ingress { -# description = "allow access on HTTPS" -# from_port = 443 -# to_port = 443 -# protocol = "tcp" -# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] -# } - -# egress { -# description = "Open all outbound ports" -# from_port = 0 -# to_port = 0 -# protocol = "-1" -# cidr_blocks = ["0.0.0.0/0"] -# } -# } - -# resource "aws_lb" "ifs_lb" { -# name = "ifs-load-balancer" -# load_balancer_type = "application" -# security_groups = [aws_security_group.ifs_lb_sc.id] -# subnets = data.aws_subnets.shared-public.ids -# drop_invalid_header_fields = false -# } - -# resource "aws_lb_target_group" "ifs_target_group" { -# name = "ifs-target-group" -# port = 80 -# protocol = "HTTP" -# vpc_id = data.aws_vpc.shared.id -# target_type = "ip" -# deregistration_delay = 30 - -# stickiness { -# type = "lb_cookie" -# } - -# health_check { -# healthy_threshold = "2" -# interval = "30" -# unhealthy_threshold = "3" -# matcher = "200-499" -# timeout = "20" -# path = "/health" -# } -# } - -# resource "aws_lb_listener" "https_listener" { -# #checkov:skip=CKV_AWS_103 -# depends_on = 
[aws_acm_certificate_validation.external] - -# load_balancer_arn = aws_lb.ifs_lb.arn -# port = 443 -# protocol = "HTTPS" -# certificate_arn = aws_acm_certificate.external.arn - -# default_action { -# target_group_arn = aws_lb_target_group.ifs_target_group.id -# type = "forward" -# } -# } - -#================================================================= - - -module "lb_access_logs_enabled" { - source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee" - providers = { - aws.bucket-replication = aws - } - vpc_all = "${local.vpc_name}-${local.environment}" - force_destroy_bucket = true - application_name = local.application_name - public_subnets = data.aws_subnets.shared-public.ids - loadbalancer_ingress_rules = local.loadbalancer_ingress_rules - loadbalancer_egress_rules = local.loadbalancer_egress_rules - account_number = local.environment_management.account_ids[terraform.workspace] - region = "eu-west-2" - enable_deletion_protection = false - idle_timeout = 60 - tags = { Name = "lb_module" } - -} - -resource "random_string" "ifs_target_group_name" { - length = 8 - special = false -} - -resource "aws_lb_target_group" "ifs_target_group" { - name = "ifs-target-group" - port = 80 - protocol = "HTTP" - vpc_id = data.aws_vpc.shared.id - target_type = "ip" - deregistration_delay = 30 - - stickiness { - type = "lb_cookie" - } - - health_check { - healthy_threshold = "5" - interval = "60" - protocol = "HTTP" - unhealthy_threshold = "2" - matcher = "200-499" - timeout = "15" - path = "/health" - } - - lifecycle { - create_before_destroy = true - ignore_changes = [name] - } - - tags = { - Name = "ifs-target-group-${random_string.ifs_target_group_name.result}" - } -} - resource "aws_security_group" "ifs_lb_sc" { name = "load balancer security group" description = "control access to the load balancer" 
@@ -146,32 +20,41 @@ resource "aws_security_group" "ifs_lb_sc" { } } -resource "aws_security_group" "ifs_target_sc" { - name = "target security group" - description = "allow health check traffic from load balancer" - vpc_id = data.aws_vpc.shared.id +resource "aws_lb" "ifs_lb" { + name = "ifs-load-balancer" + load_balancer_type = "application" + security_groups = [aws_security_group.ifs_lb_sc.id] + subnets = data.aws_subnets.shared-public.ids + drop_invalid_header_fields = false +} - ingress { - description = "allow traffic from load balancer" - from_port = 80 - to_port = 80 - protocol = "tcp" - security_groups = [module.lb_access_logs_enabled.security_group.id] +resource "aws_lb_target_group" "ifs_target_group" { + name = "ifs-target-group" + port = 80 + protocol = "HTTP" + vpc_id = data.aws_vpc.shared.id + target_type = "ip" + deregistration_delay = 30 + + stickiness { + type = "lb_cookie" } - egress { - description = "Open all outbound ports" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + health_check { + healthy_threshold = "2" + interval = "30" + unhealthy_threshold = "3" + matcher = "200-499" + timeout = "20" + path = "/health" } } resource "aws_lb_listener" "https_listener" { #checkov:skip=CKV_AWS_103 - depends_on = [aws_acm_certificate_validation.external] - load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn + depends_on = [aws_acm_certificate_validation.external] + + load_balancer_arn = aws_lb.ifs_lb.arn port = 443 protocol = "HTTPS" certificate_arn = aws_acm_certificate.external.arn 
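Review bot: The restored `aws_lb.ifs_lb` keeps `drop_invalid_header_fields = false`, so the ALB forwards requests whose header names are not valid HTTP tokens on to the container instead of dropping them; the hardened value is `drop_invalid_header_fields = true`, and nothing visible depends on the permissive setting. This ALB also has no `access_logs` block, so while the logging module stays reverted the environment runs without load balancer logs — if the revert is temporary, a `# TODO` naming the blocker belongs next to the resource. The re-added `https_listener` still has no `ssl_policy` despite the `#checkov:skip=CKV_AWS_103`; `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` would let the skip be removed. The listener's `default_action` is outside the hunk.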
@@ -181,3 +64,120 @@ resource "aws_lb_listener" "https_listener" { type = "forward" } } + +#================================================================= + + +# module "lb_access_logs_enabled" { +# source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee" +# providers = { +# aws.bucket-replication = aws +# } +# vpc_all = "${local.vpc_name}-${local.environment}" +# force_destroy_bucket = true +# application_name = local.application_name +# public_subnets = data.aws_subnets.shared-public.ids +# loadbalancer_ingress_rules = local.loadbalancer_ingress_rules +# loadbalancer_egress_rules = local.loadbalancer_egress_rules +# account_number = local.environment_management.account_ids[terraform.workspace] +# region = "eu-west-2" +# enable_deletion_protection = false +# idle_timeout = 60 +# tags = { Name = "lb_module" } + +# } + +# resource "random_string" "ifs_target_group_name" { +# length = 8 +# special = false +# } + +# resource "aws_lb_target_group" "ifs_target_group" { +# name = "ifs-target-group" +# port = 80 +# protocol = "HTTP" +# vpc_id = data.aws_vpc.shared.id +# target_type = "ip" +# deregistration_delay = 30 + +# stickiness { +# type = "lb_cookie" +# } + +# health_check { +# healthy_threshold = "5" +# interval = "60" +# protocol = "HTTP" +# unhealthy_threshold = "2" +# matcher = "200-499" +# timeout = "15" +# path = "/health" +# } + +# lifecycle { +# create_before_destroy = true +# ignore_changes = [name] +# } + +# tags = { +# Name = "ifs-target-group-${random_string.ifs_target_group_name.result}" +# } +# } + +# resource "aws_security_group" "ifs_lb_sc" { +# name = "load balancer security group" +# description = "control access to the load balancer" +# vpc_id = data.aws_vpc.shared.id + +# ingress { +# description = "allow access on HTTPS" +# from_port = 443 +# to_port = 443 +# protocol = "tcp" +# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", 
"79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] +# } + +# egress { +# description = "Open all outbound ports" +# from_port = 0 +# to_port = 0 +# protocol = "-1" +# cidr_blocks = ["0.0.0.0/0"] +# } +# } + +# resource "aws_security_group" "ifs_target_sc" { +# name = "target security group" +# description = "allow health check traffic from load balancer" +# vpc_id = data.aws_vpc.shared.id + +# ingress { +# description = "allow traffic from load balancer" +# from_port = 80 +# to_port = 80 +# protocol = "tcp" +# security_groups = [module.lb_access_logs_enabled.security_group.id] +# } + +# egress { +# description = "Open all outbound ports" +# from_port = 0 +# to_port = 0 +# protocol = "-1" +# cidr_blocks = ["0.0.0.0/0"] +# } +# } + +# resource "aws_lb_listener" "https_listener" { +# #checkov:skip=CKV_AWS_103 +# depends_on = [aws_acm_certificate_validation.external] +# load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn +# port = 443 +# protocol = "HTTPS" +# certificate_arn = aws_acm_certificate.external.arn + +# default_action { +# target_group_arn = aws_lb_target_group.ifs_target_group.id +# type = "forward" +# } +# } diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index eed297a9185..16f5c4c86af 100644 --- a/terraform/environments/cdpt-ifs/locals.tf 
+++ b/terraform/environments/cdpt-ifs/locals.tf 
@@ -20,26 +20,26 @@ locals { cluster_name = "${local.application_name}-ecs-cluster" })) - loadbalancer_ingress_rules = { - "cluster_ec2_lb_ingress" = { - description = "allow access on HTTPS" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] - security_groups = [] - } - } + # loadbalancer_ingress_rules = { + # "cluster_ec2_lb_ingress" = { + # description = "allow access on HTTPS" + # from_port = 443 + # to_port = 443 + # protocol = "tcp" + # cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] + # 
security_groups = [] + # } + # } - loadbalancer_egress_rules = { - "cluster_ec2_lb_egress" = { - description = "Open all outbound ports" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - security_groups = [] - } - } + # loadbalancer_egress_rules = { + # "cluster_ec2_lb_egress" = { + # description = "Open all outbound ports" + # from_port = 0 + # to_port = 0 + # protocol = "-1" + # cidr_blocks = ["0.0.0.0/0"] + # security_groups = [] + # } + # } } \ No newline at end of file diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf index 40b7b8f0d81..ef72fe09aab 100644 --- a/terraform/environments/cdpt-ifs/route53.tf +++ b/terraform/environments/cdpt-ifs/route53.tf @@ -52,10 +52,10 @@ resource "aws_route53_record" "external" { type = "A" alias { - #name = aws_lb.ifs_lb.dns_name - #zone_id = aws_lb.ifs_lb.zone_id - name = module.lb_access_logs_enabled.load_balancer.dns_name - zone_id = module.lb_access_logs_enabled.load_balancer.zone_id + name = aws_lb.ifs_lb.dns_name + zone_id = aws_lb.ifs_lb.zone_id + # name = module.lb_access_logs_enabled.load_balancer.dns_name + # zone_id = module.lb_access_logs_enabled.load_balancer.zone_id evaluate_target_health = true } } @@ -108,10 +108,10 @@ resource "aws_route53_record" "external_prod" { type = "A" alias { - #name = aws_lb.ifs_lb.dns_name - #zone_id = aws_lb.ifs_lb.zone_id - name = module.lb_access_logs_enabled.load_balancer.dns_name - zone_id = module.lb_access_logs_enabled.load_balancer.zone_id + name = aws_lb.ifs_lb.dns_name + zone_id = aws_lb.ifs_lb.zone_id + # name = module.lb_access_logs_enabled.load_balancer.dns_name + # zone_id = module.lb_access_logs_enabled.load_balancer.zone_id evaluate_target_health = true } } From 2ed3f9f6f8220b815a5fa076caa7345cba3b9590 Mon Sep 17 00:00:00 2001 
From: Alistair Curtis Date: Thu, 27 Jun 2024 12:25:13 +0100 Subject: [PATCH 06/13] working deployment, change healthcheck params --- terraform/environments/cdpt-ifs/loadbalancer.tf | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf index 7f027723067..75b4e4dbde1 100644 --- a/terraform/environments/cdpt-ifs/loadbalancer.tf +++ b/terraform/environments/cdpt-ifs/loadbalancer.tf @@ -41,11 +41,18 @@ resource "aws_lb_target_group" "ifs_target_group" { } health_check { - healthy_threshold = "2" - interval = "30" - unhealthy_threshold = "3" + # healthy_threshold = "2" + # interval = "30" + # unhealthy_threshold = "3" + # matcher = "200-499" + # timeout = "20" + # path = "/health" + healthy_threshold = "5" + interval = "60" + protocol = "HTTP" + unhealthy_threshold = "2" matcher = "200-499" - timeout = "20" + timeout = "15" path = "/health" } } From ff0e950887ba0a7d83088674af0cd02baac110b9 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 27 Jun 2024 12:38:41 +0100 Subject: [PATCH 07/13] use lb logging, increase CPU --- terraform/environments/cdpt-ifs/ecs.tf | 2 +- terraform/environments/cdpt-ifs/locals.tf | 40 +++++++++++----------- terraform/environments/cdpt-ifs/route53.tf | 16 ++++----- 3 files changed, 29 insertions(+), 29 deletions(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index b0d4f64e27a..f300671bf71 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -94,7 +94,7 @@ resource "aws_ecs_task_definition" "ifs_task_definition" { { name = "${local.application_name}-container" image = "${local.ecr_url}:${local.application_data.accounts[local.environment].environment_name}" - cpu = 2048 + cpu = 4096 memory = 2048 essential = true portMappings = [ 
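Review bot: The new health check keeps `matcher = "200-499"`, so a `/health` response of 401, 403, 404 or 429 counts as healthy and a container that has lost its routing or auth configuration stays in service; hold the endpoint to `matcher = "200"` unless it is known to return something else on purpose. With `interval = "60"` and `unhealthy_threshold = "2"` a failing target now takes two minutes to leave rotation versus ninety seconds before; that is a deliberate trade-off worth stating in a comment, e.g. `# slower check than default: <reason> — see health_check_grace_period_seconds on the service`. The previous values are left in as comments — drop them, git keeps the history. The enclosing `aws_lb_target_group.ifs_target_group` starts outside the hunk.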
diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf
index 16f5c4c86af..eed297a9185 100644
--- a/terraform/environments/cdpt-ifs/locals.tf
+++ b/terraform/environments/cdpt-ifs/locals.tf
@@ -20,26 +20,26 @@ locals { cluster_name = "${local.application_name}-ecs-cluster" })) - # loadbalancer_ingress_rules = { - # "cluster_ec2_lb_ingress" = { - # description = "allow access on HTTPS" - # from_port = 443 - # to_port = 443 - # protocol = "tcp" - # cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] - # security_groups = [] - # } - # } + loadbalancer_ingress_rules = { + "cluster_ec2_lb_ingress" = { + description = "allow access on HTTPS" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] + 
security_groups = [] + } + } - # loadbalancer_egress_rules = { - # "cluster_ec2_lb_egress" = { - # description = "Open all outbound ports" - # from_port = 0 - # to_port = 0 - # protocol = "-1" - # cidr_blocks = ["0.0.0.0/0"] - # security_groups = [] - # } - # } + loadbalancer_egress_rules = { + "cluster_ec2_lb_egress" = { + description = "Open all outbound ports" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + security_groups = [] + } + } } \ No newline at end of file diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf index ef72fe09aab..81581b60ca5 100644 --- a/terraform/environments/cdpt-ifs/route53.tf +++ b/terraform/environments/cdpt-ifs/route53.tf @@ -52,10 +52,10 @@ resource "aws_route53_record" "external" { type = "A" alias { - name = aws_lb.ifs_lb.dns_name - zone_id = aws_lb.ifs_lb.zone_id - # name = module.lb_access_logs_enabled.load_balancer.dns_name - # zone_id = module.lb_access_logs_enabled.load_balancer.zone_id + # name = aws_lb.ifs_lb.dns_name + # zone_id = aws_lb.ifs_lb.zone_id + name = module.lb_access_logs_enabled.load_balancer.dns_name + zone_id = module.lb_access_logs_enabled.load_balancer.zone_id evaluate_target_health = true } } @@ -108,10 +108,10 @@ resource "aws_route53_record" "external_prod" { type = "A" alias { - name = aws_lb.ifs_lb.dns_name - zone_id = aws_lb.ifs_lb.zone_id - # name = module.lb_access_logs_enabled.load_balancer.dns_name - # zone_id = module.lb_access_logs_enabled.load_balancer.zone_id + # name = aws_lb.ifs_lb.dns_name + # zone_id = aws_lb.ifs_lb.zone_id + name = module.lb_access_logs_enabled.load_balancer.dns_name + zone_id = module.lb_access_logs_enabled.load_balancer.zone_id evaluate_target_health = true } } From ce80181c4244d85f715840e864630d6fbbf69383 Mon Sep 17 00:00:00 2001 
From: Alistair Curtis Date: Thu, 27 Jun 2024 12:41:48 +0100 Subject: [PATCH 08/13] add files --- .../environments/cdpt-ifs/loadbalancer.tf | 298 +++++++++--------- 1 file changed, 149 insertions(+), 149 deletions(-) diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf index 75b4e4dbde1..8fe06aa62fc 100644 --- a/terraform/environments/cdpt-ifs/loadbalancer.tf +++ b/terraform/environments/cdpt-ifs/loadbalancer.tf 
@@ -1,102 +1,31 @@
-resource "aws_security_group" "ifs_lb_sc" {
- name = "load balancer security group"
- description = "control access to the load balancer"
- vpc_id = data.aws_vpc.shared.id
-
- ingress {
- description = "allow access on HTTPS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
- }
-
- egress {
- description = "Open all outbound ports"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_lb" "ifs_lb" {
- name = "ifs-load-balancer"
- load_balancer_type = "application"
- security_groups = [aws_security_group.ifs_lb_sc.id]
- subnets = data.aws_subnets.shared-public.ids
- drop_invalid_header_fields = false
-}
-
-resource "aws_lb_target_group" "ifs_target_group" {
- name = "ifs-target-group"
- port = 80
- protocol = "HTTP"
- vpc_id = data.aws_vpc.shared.id
- target_type = "ip"
- deregistration_delay = 30
-
- stickiness {
- type = "lb_cookie"
- }
-
- health_check {
- # healthy_threshold = "2"
- # interval = "30"
- # unhealthy_threshold = "3"
- # matcher = "200-499"
- # timeout = "20"
- # path = "/health"
- healthy_threshold = "5"
- interval = "60"
- protocol = "HTTP"
- unhealthy_threshold = "2"
- matcher = "200-499"
- timeout = "15"
- path = "/health"
- }
-}
-
-resource "aws_lb_listener" "https_listener" {
- #checkov:skip=CKV_AWS_103
- depends_on = [aws_acm_certificate_validation.external]
-
- load_balancer_arn = aws_lb.ifs_lb.arn
- port = 443
- protocol = "HTTPS"
- certificate_arn = aws_acm_certificate.external.arn
-
- default_action {
- target_group_arn = aws_lb_target_group.ifs_target_group.id
- type = "forward"
- }
-}
-
-#=================================================================
-
+# resource "aws_security_group" "ifs_lb_sc" {
+# name = "load balancer security group"
+# description = "control access to the load balancer"
+# vpc_id = data.aws_vpc.shared.id
-# module "lb_access_logs_enabled" {
-# source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee"
-# providers = {
-# aws.bucket-replication = aws
+# ingress {
+# description = "allow access on HTTPS"
+# from_port = 443
+# to_port = 443
+# protocol = "tcp"
+# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 # }
-# vpc_all = "${local.vpc_name}-${local.environment}"
-# force_destroy_bucket = true
-# application_name = local.application_name
-# public_subnets = data.aws_subnets.shared-public.ids
-# loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
-# loadbalancer_egress_rules = local.loadbalancer_egress_rules
-# account_number = local.environment_management.account_ids[terraform.workspace]
-# region = "eu-west-2"
-# enable_deletion_protection = false
-# idle_timeout = 60
-# tags = { Name = "lb_module" }
+# egress {
+# description = "Open all outbound ports"
+# from_port = 0
+# to_port = 0
+# protocol = "-1"
+# cidr_blocks = ["0.0.0.0/0"]
+# }
 # }
-# resource "random_string" "ifs_target_group_name" {
-# length = 8
-# special = false
+# resource "aws_lb" "ifs_lb" {
+# name = "ifs-load-balancer"
+# load_balancer_type = "application"
+# security_groups = [aws_security_group.ifs_lb_sc.id]
+# subnets = data.aws_subnets.shared-public.ids
+# drop_invalid_header_fields = false
 # }
 # resource "aws_lb_target_group" "ifs_target_group" {
@@ -112,6 +41,12 @@ resource "aws_lb_listener" "https_listener" {
 # }
 # health_check {
+# # healthy_threshold = "2"
+# # interval = "30"
+# # unhealthy_threshold = "3"
+# # matcher = "200-499"
+# # timeout = "20"
+# # path = "/health"
 # healthy_threshold = "5"
 # interval = "60"
 # protocol = "HTTP"
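Review bot: The new side of this hunk keeps the replaced `aws_security_group.ifs_lb_sc`, `aws_lb.ifs_lb`, target group and listener as `#`-commented copies instead of deleting them, and the same toggling-by-comment continues in the `@@ -120,65 +55,13 @@` hunk below, in patch 11's loadbalancer.tf and locals.tf hunks that invert it, and in the route53.tf alias blocks. Commented-out Terraform is not parsed by `terraform validate`, tfsec or checkov, so the CIDR allow-list and open egress rule inside it silently drift from the live copy while still looking authoritative to the next reader; git history already preserves the old layout. Delete the commented blocks, and if the two load-balancer layouts genuinely need to be switchable, select between them with a variable and `count` rather than comments. The `# resource "aws_lb_target_group" "ifs_target_group" {` context line at the end of this hunk opens a block that continues outside it.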
@@ -120,65 +55,13 @@ resource "aws_lb_listener" "https_listener" {
 # timeout = "15"
 # path = "/health"
 # }
-
-# lifecycle {
-# create_before_destroy = true
-# ignore_changes = [name]
-# }
-
-# tags = {
-# Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
-# }
-# }
-
-# resource "aws_security_group" "ifs_lb_sc" {
-# name = "load balancer security group"
-# description = "control access to the load balancer"
-# vpc_id = data.aws_vpc.shared.id
-
-# ingress {
-# description = "allow access on HTTPS"
-# from_port = 443
-# to_port = 443
-# protocol = "tcp"
-# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
-# }
-
-# egress {
-# description = "Open all outbound ports"
-# from_port = 0
-# to_port = 0
-# protocol = "-1"
-# cidr_blocks = ["0.0.0.0/0"]
-# }
-# }
-
-# resource "aws_security_group" "ifs_target_sc" {
-# name = "target security group"
-# description = "allow health check traffic from load balancer"
-# vpc_id = data.aws_vpc.shared.id
-
-# ingress {
-# description = "allow traffic from load balancer"
-# from_port = 80
-# to_port = 80
-# protocol = "tcp"
-# security_groups = [module.lb_access_logs_enabled.security_group.id]
-# }
-
-# egress {
-# description = "Open all outbound ports"
-# from_port = 0
-# to_port = 0
-# protocol = "-1"
-# cidr_blocks = ["0.0.0.0/0"]
-# }
 # }
 # resource "aws_lb_listener" "https_listener" {
 # #checkov:skip=CKV_AWS_103
-# depends_on = [aws_acm_certificate_validation.external]
-# load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn
+# depends_on = [aws_acm_certificate_validation.external]
+
+# load_balancer_arn = aws_lb.ifs_lb.arn
 # port = 443
 # protocol = "HTTPS"
 # certificate_arn = aws_acm_certificate.external.arn
@@ -188,3 +71,120 @@ resource "aws_lb_listener" "https_listener" {
 # type = "forward"
 # }
 # }
+
+#=================================================================
+
+
+module "lb_access_logs_enabled" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee"
+ providers = {
+ aws.bucket-replication = aws
+ }
+ vpc_all = "${local.vpc_name}-${local.environment}"
+ force_destroy_bucket = true
+ application_name = local.application_name
+ public_subnets = data.aws_subnets.shared-public.ids
+ loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
+ loadbalancer_egress_rules = local.loadbalancer_egress_rules
+ account_number = local.environment_management.account_ids[terraform.workspace]
+ region = "eu-west-2"
+ enable_deletion_protection = false
+ idle_timeout = 60
+ tags = { Name = "lb_module" }
+
+}
+
+resource "random_string" "ifs_target_group_name" {
+ length = 8
+ special = false
+}
+
+resource "aws_lb_target_group" "ifs_target_group" {
+ name = "ifs-target-group"
+ port = 80
+ protocol = "HTTP"
+ vpc_id = data.aws_vpc.shared.id
+ target_type = "ip"
+ deregistration_delay = 30
+
+ stickiness {
+ type = "lb_cookie"
+ }
+
+ health_check {
+ healthy_threshold = "5"
+ interval = "60"
+ protocol = "HTTP"
+ unhealthy_threshold = "2"
+ matcher = "200-499"
+ timeout = "15"
+ path = "/health"
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ ignore_changes = [name]
+ }
+
+ tags = {
+ Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
+ }
+}
+
+resource "aws_security_group" "ifs_lb_sc" {
+ name = "load balancer security group"
+ description = "control access to the load balancer"
+ vpc_id = data.aws_vpc.shared.id
+
+ ingress {
+ description = "allow access on HTTPS"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
+ }
+
+ egress {
+ description = "Open all outbound ports"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_security_group" "ifs_target_sc" {
+ name = "target security group"
+ description = "allow health check traffic from load balancer"
+ vpc_id = data.aws_vpc.shared.id
+
+ ingress {
+ description = "allow traffic from load balancer"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ security_groups = [module.lb_access_logs_enabled.security_group.id]
+ }
+
+ egress {
+ description = "Open all outbound ports"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_lb_listener" "https_listener" {
+ #checkov:skip=CKV_AWS_103
+ depends_on = [aws_acm_certificate_validation.external]
+ load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn
+ port = 443
+ protocol = "HTTPS"
+ certificate_arn = aws_acm_certificate.external.arn
+
+ default_action {
+ target_group_arn = aws_lb_target_group.ifs_target_group.id
+ type = "forward"
+ }
+}
From 8cb2c9e1af95008656c4aad4e9281ff623cab9fb Mon Sep 17 00:00:00 2001
From: Alistair Curtis
Date: Thu, 27 Jun 2024 13:01:54 +0100
Subject: [PATCH 09/13] increase ec2
---
 terraform/environments/cdpt-ifs/application_variables.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
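Review bot: `force_destroy_bucket = true` on `module "lb_access_logs_enabled"` lets a `terraform destroy` or a module replacement delete the access-log bucket together with its contents, which undoes the logging this series is introducing; set it to `false` for anything other than a throwaway environment, and reconsider `enable_deletion_protection = false` for the same reason. The target group's `matcher = "200-499"` treats any 4xx from `/health` as healthy, so an auth or routing misconfiguration on the target will never take it out of service; `matcher = "200"` (or the narrow range the application documents) is the safer choice. `aws_security_group.ifs_lb_sc` is re-declared here with the full CIDR allow-list, but with `aws_lb.ifs_lb` commented out in the first hunk nothing visible references it, so it is an orphaned second copy of `local.loadbalancer_ingress_rules` that will drift. The HTTPS listener carries `#checkov:skip=CKV_AWS_103` and sets no `ssl_policy`, so whatever policy the API defaults to is used instead of an explicitly pinned TLS 1.2+ policy; setting `ssl_policy` (for example `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`) would remove the need for the skip, and the same applies to the listener in patch 11's `@@ -120,65 +55,13 @@` loadbalancer.tf hunk.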
diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json
index be9635976a2..5058d0bb41f 100644
--- a/terraform/environments/cdpt-ifs/application_variables.json
+++ b/terraform/environments/cdpt-ifs/application_variables.json
@@ -7,8 +7,8 @@
 "ami_image_id": "ami-0e2606e2f0acb32c4",
 "instance_type": "t3.xlarge",
 "app_count": 1,
- "ec2_desired_capacity": 1,
- "ec2_max_size": 3,
+ "ec2_desired_capacity": 2,
+ "ec2_max_size": 5,
 "ec2_min_size": 1,
 "db_instance_class": "db.t3.small",
 "db_user": "dbadmin",
From 1df2f092108129c73a3e9263149b990cf208d242 Mon Sep 17 00:00:00 2001
From: Alistair Curtis
Date: Thu, 27 Jun 2024 13:27:09 +0100
Subject: [PATCH 10/13] specify task and container resources
---
 terraform/environments/cdpt-ifs/ecs.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index f300671bf71..a4f81441d34 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -90,11 +90,13 @@ resource "aws_ecs_task_definition" "ifs_task_definition" {
 network_mode = "awsvpc"
 execution_role_arn = aws_iam_role.app_execution.arn
 task_role_arn = aws_iam_role.app_task.arn
+ cpu = "2048"
+ memory = "2048"
 container_definitions = jsonencode([
 {
 name = "${local.application_name}-container"
 image = "${local.ecr_url}:${local.application_data.accounts[local.environment].environment_name}"
- cpu = 4096
+ cpu = 2048
 memory = 2048
 essential = true
 portMappings = [
From 65abdb26317ce00a825dd76d9c4d325dfa7a2d75 Mon Sep 17 00:00:00 2001
From: Alistair Curtis
Date: Thu, 27 Jun 2024 13:39:33 +0100
Subject: [PATCH 11/13] revert old lb
---
 terraform/environments/cdpt-ifs/ecs.tf | 2 -
 .../environments/cdpt-ifs/loadbalancer.tf | 298 +++++++++---------
 terraform/environments/cdpt-ifs/locals.tf | 40 +--
 terraform/environments/cdpt-ifs/route53.tf | 16 +-
 4 files changed, 177 insertions(+), 179 deletions(-)
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index a4f81441d34..b0d4f64e27a 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -90,8 +90,6 @@ resource "aws_ecs_task_definition" "ifs_task_definition" {
 network_mode = "awsvpc"
 execution_role_arn = aws_iam_role.app_execution.arn
 task_role_arn = aws_iam_role.app_task.arn
- cpu = "2048"
- memory = "2048"
 container_definitions = jsonencode([
 {
 name = "${local.application_name}-container"
diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf
index 8fe06aa62fc..75b4e4dbde1 100644
--- a/terraform/environments/cdpt-ifs/loadbalancer.tf
+++ b/terraform/environments/cdpt-ifs/loadbalancer.tf
@@ -1,102 +1,31 @@
-# resource "aws_security_group" "ifs_lb_sc" {
-# name = "load balancer security group"
-# description = "control access to the load balancer"
-# vpc_id = data.aws_vpc.shared.id
-
-# ingress {
-# description = "allow access on HTTPS"
-# from_port = 443
-# to_port = 443
-# protocol = "tcp"
-# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
-# }
-
-# egress {
-# description = "Open all outbound ports"
-# from_port = 0
-# to_port = 0
-# protocol = "-1"
-# cidr_blocks = ["0.0.0.0/0"]
-# }
-# }
-
-# resource "aws_lb" "ifs_lb" {
-# name = "ifs-load-balancer"
-# load_balancer_type = "application"
-# security_groups = [aws_security_group.ifs_lb_sc.id]
-# subnets = data.aws_subnets.shared-public.ids
-# drop_invalid_header_fields = false
-# }
-
-# resource "aws_lb_target_group" "ifs_target_group" {
-# name = "ifs-target-group"
-# port = 80
-# protocol = "HTTP"
-# vpc_id = data.aws_vpc.shared.id
-# target_type = "ip"
-# deregistration_delay = 30
-
-# stickiness {
-# type = "lb_cookie"
-# }
-
-# health_check {
-# # healthy_threshold = "2"
-# # interval = "30"
-# # unhealthy_threshold = "3"
-# # matcher = "200-499"
-# # timeout = "20"
-# # path = "/health"
-# healthy_threshold = "5"
-# interval = "60"
-# protocol = "HTTP"
-# unhealthy_threshold = "2"
-# matcher = "200-499"
-# timeout = "15"
-# path = "/health"
-# }
-# }
-
-# resource "aws_lb_listener" "https_listener" {
-# #checkov:skip=CKV_AWS_103
-# depends_on = [aws_acm_certificate_validation.external]
-
-# load_balancer_arn = aws_lb.ifs_lb.arn
-# port = 443
-# protocol = "HTTPS"
-# certificate_arn = aws_acm_certificate.external.arn
-
-# default_action {
-# target_group_arn = aws_lb_target_group.ifs_target_group.id
-# type = "forward"
-# }
-# }
-
-#=================================================================
-
+resource "aws_security_group" "ifs_lb_sc" {
+ name = "load balancer security group"
+ description = "control access to the load balancer"
+ vpc_id = data.aws_vpc.shared.id
-module "lb_access_logs_enabled" {
- source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee"
- providers = {
- aws.bucket-replication = aws
+ ingress {
+ description = "allow access on HTTPS"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 }
- vpc_all = "${local.vpc_name}-${local.environment}"
- force_destroy_bucket = true
- application_name = local.application_name
- public_subnets = data.aws_subnets.shared-public.ids
- loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
- loadbalancer_egress_rules = local.loadbalancer_egress_rules
- account_number = local.environment_management.account_ids[terraform.workspace]
- region = "eu-west-2"
- enable_deletion_protection = false
- idle_timeout = 60
- tags = { Name = "lb_module" }
+ egress {
+ description = "Open all outbound ports"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
 }
-resource "random_string" "ifs_target_group_name" {
- length = 8
- special = false
+resource "aws_lb" "ifs_lb" {
+ name = "ifs-load-balancer"
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.ifs_lb_sc.id]
+ subnets = data.aws_subnets.shared-public.ids
+ drop_invalid_header_fields = false
 }
 resource "aws_lb_target_group" "ifs_target_group" {
@@ -112,6 +41,12 @@ resource "aws_lb_target_group" "ifs_target_group" {
 }
 health_check {
+ # healthy_threshold = "2"
+ # interval = "30"
+ # unhealthy_threshold = "3"
+ # matcher = "200-499"
+ # timeout = "20"
+ # path = "/health"
 healthy_threshold = "5"
 interval = "60"
 protocol = "HTTP"
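Review bot: The restored `aws_lb.ifs_lb` sets `drop_invalid_header_fields = false` and shows no `access_logs` block in this hunk, so the revert both lets malformed request headers through to the target and drops the access logging that the module in patch 08 provided, unless logging is configured on the resource outside the visible lines. `drop_invalid_header_fields = true` is the hardening setting for an internet-facing ALB, and an `access_logs { bucket = "<LOG_BUCKET_PLACEHOLDER>" enabled = true }` block would keep the audit trail while the module is parked. The restored `ifs_lb_sc` egress rule opens every protocol to `0.0.0.0/0`; an ALB only needs to reach its targets, so restricting it to port 80 toward the target security group would match the allow-list discipline on the ingress side. The `resource "aws_lb_target_group" "ifs_target_group" {` context line at the end of the first hunk opens a block that continues outside it.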
@@ -120,65 +55,13 @@ resource "aws_lb_target_group" "ifs_target_group" {
 timeout = "15"
 path = "/health"
 }
-
- lifecycle {
- create_before_destroy = true
- ignore_changes = [name]
- }
-
- tags = {
- Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
- }
-}
-
-resource "aws_security_group" "ifs_lb_sc" {
- name = "load balancer security group"
- description = "control access to the load balancer"
- vpc_id = data.aws_vpc.shared.id
-
- ingress {
- description = "allow access on HTTPS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
- }
-
- egress {
- description = "Open all outbound ports"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_security_group" "ifs_target_sc" {
- name = "target security group"
- description = "allow health check traffic from load balancer"
- vpc_id = data.aws_vpc.shared.id
-
- ingress {
- description = "allow traffic from load balancer"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- security_groups = [module.lb_access_logs_enabled.security_group.id]
- }
-
- egress {
- description = "Open all outbound ports"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
 }
 resource "aws_lb_listener" "https_listener" {
 #checkov:skip=CKV_AWS_103
- depends_on = [aws_acm_certificate_validation.external]
- load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn
+ depends_on = [aws_acm_certificate_validation.external]
+
+ load_balancer_arn = aws_lb.ifs_lb.arn
 port = 443
 protocol = "HTTPS"
 certificate_arn = aws_acm_certificate.external.arn
@@ -188,3 +71,120 @@ resource "aws_lb_listener" "https_listener" {
 type = "forward"
 }
 }
+
+#=================================================================
+
+
+# module "lb_access_logs_enabled" {
+# source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee"
+# providers = {
+# aws.bucket-replication = aws
+# }
+# vpc_all = "${local.vpc_name}-${local.environment}"
+# force_destroy_bucket = true
+# application_name = local.application_name
+# public_subnets = data.aws_subnets.shared-public.ids
+# loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
+# loadbalancer_egress_rules = local.loadbalancer_egress_rules
+# account_number = local.environment_management.account_ids[terraform.workspace]
+# region = "eu-west-2"
+# enable_deletion_protection = false
+# idle_timeout = 60
+# tags = { Name = "lb_module" }
+
+# }
+
+# resource "random_string" "ifs_target_group_name" {
+# length = 8
+# special = false
+# }
+
+# resource "aws_lb_target_group" "ifs_target_group" {
+# name = "ifs-target-group"
+# port = 80
+# protocol = "HTTP"
+# vpc_id = data.aws_vpc.shared.id
+# target_type = "ip"
+# deregistration_delay = 30
+
+# stickiness {
+# type = "lb_cookie"
+# }
+
+# health_check {
+# healthy_threshold = "5"
+# interval = "60"
+# protocol = "HTTP"
+# unhealthy_threshold = "2"
+# matcher = "200-499"
+# timeout = "15"
+# path = "/health"
+# }
+
+# lifecycle {
+# create_before_destroy = true
+# ignore_changes = [name]
+# }
+
+# tags = {
+# Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
+# }
+# }
+
+# resource "aws_security_group" "ifs_lb_sc" {
+# name = "load balancer security group"
+# description = "control access to the load balancer"
+# vpc_id = data.aws_vpc.shared.id
+
+# ingress {
+# description = "allow access on HTTPS"
+# from_port = 443
+# to_port = 443
+# protocol = "tcp"
+# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
+# }
+
+# egress {
+# description = "Open all outbound ports"
+# from_port = 0
+# to_port = 0
+# protocol = "-1"
+# cidr_blocks = ["0.0.0.0/0"]
+# }
+# }
+
+# resource "aws_security_group" "ifs_target_sc" {
+# name = "target security group"
+# description = "allow health check traffic from load balancer"
+# vpc_id = data.aws_vpc.shared.id
+
+# ingress {
+# description = "allow traffic from load balancer"
+# from_port = 80
+# to_port = 80
+# protocol = "tcp"
+# security_groups = [module.lb_access_logs_enabled.security_group.id]
+# }
+
+# egress {
+# description = "Open all outbound ports"
+# from_port = 0
+# to_port = 0
+# protocol = "-1"
+# cidr_blocks = ["0.0.0.0/0"]
+# }
+# }
+
+# resource "aws_lb_listener" "https_listener" {
+# #checkov:skip=CKV_AWS_103
+# depends_on = [aws_acm_certificate_validation.external]
+# load_balancer_arn = module.lb_access_logs_enabled.load_balancer.arn
+# port = 443
+# protocol = "HTTPS"
+# certificate_arn = aws_acm_certificate.external.arn
+
+# default_action {
+# target_group_arn = aws_lb_target_group.ifs_target_group.id
+# type = "forward"
+# }
+# }
diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf
index eed297a9185..16f5c4c86af 100644
--- a/terraform/environments/cdpt-ifs/locals.tf
+++ b/terraform/environments/cdpt-ifs/locals.tf 
@@ -20,26 +20,26 @@ locals {
 cluster_name = "${local.application_name}-ecs-cluster"
 }))
- loadbalancer_ingress_rules = {
- "cluster_ec2_lb_ingress" = {
- description = "allow access on HTTPS"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
- security_groups = []
- }
- }
+ # loadbalancer_ingress_rules = {
+ # "cluster_ec2_lb_ingress" = {
+ # description = "allow access on HTTPS"
+ # from_port = 443
+ # to_port = 443
+ # protocol = "tcp"
+ # cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
+ # security_groups = []
+ # }
+ # }
- loadbalancer_egress_rules = {
- "cluster_ec2_lb_egress" = {
- description = "Open all outbound ports"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- security_groups = []
- }
- }
+ # loadbalancer_egress_rules = {
+ # "cluster_ec2_lb_egress" = {
+ # description = "Open all outbound ports"
+ # from_port = 0
+ # to_port = 0
+ # protocol = "-1"
+ # cidr_blocks = ["0.0.0.0/0"]
+ # security_groups = []
+ # }
+ # }
 }
\ No newline at end of file
diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf
index 81581b60ca5..ef72fe09aab 100644
--- a/terraform/environments/cdpt-ifs/route53.tf
+++ b/terraform/environments/cdpt-ifs/route53.tf
@@ -52,10 +52,10 @@ resource "aws_route53_record" "external" {
 type = "A"
 alias {
- # name = aws_lb.ifs_lb.dns_name
- # zone_id = aws_lb.ifs_lb.zone_id
- name = module.lb_access_logs_enabled.load_balancer.dns_name
- zone_id = module.lb_access_logs_enabled.load_balancer.zone_id
+ name = aws_lb.ifs_lb.dns_name
+ zone_id = aws_lb.ifs_lb.zone_id
+ # name = module.lb_access_logs_enabled.load_balancer.dns_name
+ # zone_id = module.lb_access_logs_enabled.load_balancer.zone_id
 evaluate_target_health = true
 }
 }
@@ -108,10 +108,10 @@ resource "aws_route53_record" "external_prod" {
 type = "A"
 alias {
- # name = aws_lb.ifs_lb.dns_name
- # zone_id = aws_lb.ifs_lb.zone_id
- name = module.lb_access_logs_enabled.load_balancer.dns_name
- zone_id = module.lb_access_logs_enabled.load_balancer.zone_id
+ name = aws_lb.ifs_lb.dns_name
+ zone_id = aws_lb.ifs_lb.zone_id
+ # name = module.lb_access_logs_enabled.load_balancer.dns_name
+ # zone_id = module.lb_access_logs_enabled.load_balancer.zone_id
 evaluate_target_health = true
 }
 }
From 2786d493d8337b581742bff523294a29d6306a9d Mon Sep 17 00:00:00 2001
From: Alistair Curtis
Date: Thu, 27 Jun 2024 14:53:30 +0100
Subject: [PATCH 12/13] revert to 1 instance
---
 terraform/environments/cdpt-ifs/application_variables.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json
index 5058d0bb41f..69af4119274 100644
--- a/terraform/environments/cdpt-ifs/application_variables.json
+++ b/terraform/environments/cdpt-ifs/application_variables.json
@@ -7,7 +7,7 @@
 "ami_image_id": "ami-0e2606e2f0acb32c4",
 "instance_type": "t3.xlarge",
 "app_count": 1,
- "ec2_desired_capacity": 2,
+ "ec2_desired_capacity": 1,
 "ec2_max_size": 5,
 "ec2_min_size": 1,
 "db_instance_class": "db.t3.small",
From 89a44dd25bc325228b9afb58c68755738854636e Mon Sep 17 00:00:00 2001
From: Alistair Curtis
Date: Thu, 27 Jun 2024 15:04:57 +0100
Subject: [PATCH 13/13] reduce max size
---
 terraform/environments/cdpt-ifs/application_variables.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json
index 69af4119274..be9635976a2 100644
--- a/terraform/environments/cdpt-ifs/application_variables.json
+++ b/terraform/environments/cdpt-ifs/application_variables.json
@@ -8,7 +8,7 @@
 "instance_type": "t3.xlarge",
 "app_count": 1,
 "ec2_desired_capacity": 1,
- "ec2_max_size": 5,
+ "ec2_max_size": 3,
 "ec2_min_size": 1,
 "db_instance_class": "db.t3.small",
 "db_user": "dbadmin",