feat(terraform): add target group and listener rules (#104)

* feat(terraform): add target group and listener rules * feat(terraform): add `CDN_URL` to environment variables * fix(terraform): fix linting * fix(terraform): add a host to the listener rules
dvsa · May 7, 2024 · 248de3d · 248de3d
1 parent 09eabd1
commit 248de3d
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 16 deletions.
diff --git a/infra/terraform/environments/dev/main.tf b/infra/terraform/environments/dev/main.tf
@@ -39,6 +39,28 @@ data "aws_cognito_user_pools" "this" {
   name = "DVSA-DEVAPPDEV-COGNITO-USERS"
 }
 
+data "aws_lb" "this" {
+  for_each = toset(local.legacy_service_names)
+
+  name = "DEVAPPDEV-OLCS-PRI-${(each.key == "API" ? "SVCS" : each.key)}-ALB"
+}
+
+data "aws_lb_listener" "this" {
+  for_each = toset(local.legacy_service_names)
+
+  load_balancer_arn = data.aws_lb.this[each.key].arn
+  port              = each.key == "API" ? 80 : 443
+}
+
+data "aws_vpc" "this" {
+  filter {
+    name = "tag:Name"
+    values = [
+      "DEV/APP-VPC"
+    ]
+  }
+}
+
 module "service" {
   source = "../../modules/service"
 
@@ -52,7 +74,8 @@ module "service" {
       cpu    = 1024
       memory = 4096
 
-      image = "${data.aws_ecr_repository.this["api"].repository_url}:${var.api_image_tag}"
+      version    = var.api_image_tag
+      repository = data.aws_ecr_repository.this["api"].repository_url
 
       task_iam_role_statements = [
         {
@@ -124,13 +147,21 @@ module "service" {
       security_group_ids = [
         data.aws_security_group.this["API"].id
       ]
+
+      lb_listener_arn           = data.aws_lb_listener.this["API"].arn
+      listener_rule_host_header = "api.*"
+
+      vpc_id = data.aws_vpc.this.id
     }
 
     "internal" = {
       cpu    = 1024
       memory = 4096
 
-      image = "${data.aws_ecr_repository.this["internal"].repository_url}:${var.internal_image_tag}"
+      version    = var.internal_image_tag
+      repository = data.aws_ecr_repository.this["internal"].repository_url
+
+      add_cdn_url_to_env = true
 
       task_iam_role_statements = [
         {
@@ -158,13 +189,21 @@ module "service" {
       security_group_ids = [
         data.aws_security_group.this["IUWEB"].id
       ]
+
+      lb_listener_arn           = data.aws_lb_listener.this["IUWEB"].arn
+      listener_rule_host_header = "iuweb.*"
+
+      vpc_id = data.aws_vpc.this.id
     }
 
     "selfserve" = {
       cpu    = 1024
       memory = 4096
 
-      image = "${data.aws_ecr_repository.this["selfserve"].repository_url}:${var.selfserve_image_tag}"
+      version    = var.selfserve_image_tag
+      repository = data.aws_ecr_repository.this["selfserve"].repository_url
+
+      add_cdn_url_to_env = true
 
       task_iam_role_statements = [
         {
@@ -192,6 +231,11 @@ module "service" {
       security_group_ids = [
         data.aws_security_group.this["SSWEB"].id
       ]
+
+      lb_listener_arn           = data.aws_lb_listener.this["SSWEB"].arn
+      listener_rule_host_header = "ssweb.*"
+
+      vpc_id = data.aws_vpc.this.id
     }
   }
 }
diff --git a/infra/terraform/modules/service/README.md b/infra/terraform/modules/service/README.md
@@ -28,6 +28,8 @@
 
 | Name | Type |
 |------|------|
+| [aws_lb_listener_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
+| [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
 | [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
@@ -42,7 +44,7 @@
 | <a name="input_assets_version"></a> [assets\_version](#input\_assets\_version) | The version of the assets | `string` | n/a | yes |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for the environment | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment to deploy to | `string` | n/a | yes |
-| <a name="input_services"></a> [services](#input\_services) | The services to deploy | <pre>map(object({<br>    image              = string<br>    cpu                = number<br>    memory             = number<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>    task_iam_role_statements = list(object({<br>      effect    = string<br>      actions   = list(string)<br>      resources = list(string)<br>    }))<br>  }))</pre> | `{}` | no |
+| <a name="input_services"></a> [services](#input\_services) | The services to deploy | <pre>map(object({<br>    version    = string<br>    repository = string<br>    cpu        = number<br>    memory     = number<br>    task_iam_role_statements = list(object({<br>      effect    = string<br>      actions   = list(string)<br>      resources = list(string)<br>    }))<br>    add_cdn_url_to_env        = optional(bool, false)<br>    lb_listener_arn           = string<br>    listener_rule_priority    = optional(number, 10)<br>    listener_rule_host_header = optional(string, "*")<br>    security_group_ids        = list(string)<br>    subnet_ids                = list(string)<br>    vpc_id                    = string<br>  }))</pre> | `{}` | no |
 
 ## Outputs
 

diff --git a/infra/terraform/modules/service/ecs.tf b/infra/terraform/modules/service/ecs.tf
@@ -1,3 +1,42 @@
+resource "aws_lb_target_group" "this" {
+  for_each = var.services
+
+  name        = "vol-app-${var.environment}-${each.key}-tg"
+  port        = 8080
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = each.value.vpc_id
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    interval            = 300
+    timeout             = 60
+    protocol            = "HTTP"
+    port                = 8080
+    path                = "/healthcheck"
+    matcher             = "200-499"
+  }
+}
+
+resource "aws_lb_listener_rule" "this" {
+  for_each = var.services
+
+  listener_arn = each.value.lb_listener_arn
+  priority     = each.value.listener_rule_priority
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this[each.key].arn
+  }
+
+  condition {
+    host_header {
+      values = [each.value.listener_rule_host_header]
+    }
+  }
+}
+
 module "ecs_cluster" {
   for_each = var.services
 
@@ -44,7 +83,7 @@ module "ecs_service" {
       cpu       = try(var.services[each.key].task_cpu_limit, var.services[each.key].cpu / 2)
       memory    = try(var.services[each.key].task_memory_limit, var.services[each.key].memory / 4)
       essential = true
-      image     = var.services[each.key].image
+      image     = "${var.services[each.key].repository}:${var.services[each.key].version}"
       port_mappings = [
         {
           name          = "http"
@@ -57,19 +96,39 @@ module "ecs_service" {
       # Have to explicitly set the user to null to avoid the default user being set to root.
       user = null
 
-      environment = [
-        {
-          name  = "ENVIRONMENT_NAME"
-          value = var.environment
-        }
-      ]
+      environment = concat(
+        [
+          {
+            name  = "ENVIRONMENT_NAME"
+            value = var.environment
+          },
+          {
+            name  = "APP_VERSION"
+            value = var.services[each.key].version
+          },
+        ],
+        each.value.add_cdn_url_to_env ? [
+          {
+            name  = "CDN_URL"
+            value = module.cloudfront.cloudfront_distribution_domain_name
+          }
+        ] : []
+      )
 
       readonly_root_filesystem = false
 
       memory_reservation = 100
     }
   }
 
+  load_balancer = {
+    service = {
+      target_group_arn = aws_lb_target_group.this[each.key].arn
+      container_name   = each.key
+      container_port   = 8080
+    }
+  }
+
   create_security_group = false
   security_group_ids    = var.services[each.key].security_group_ids
   subnet_ids            = var.services[each.key].subnet_ids

diff --git a/infra/terraform/modules/service/variables.tf b/infra/terraform/modules/service/variables.tf
@@ -15,16 +15,22 @@ variable "assets_version" {
 
 variable "services" {
   type = map(object({
-    image              = string
-    cpu                = number
-    memory             = number
-    security_group_ids = list(string)
-    subnet_ids         = list(string)
+    version    = string
+    repository = string
+    cpu        = number
+    memory     = number
     task_iam_role_statements = list(object({
       effect    = string
       actions   = list(string)
       resources = list(string)
     }))
+    add_cdn_url_to_env        = optional(bool, false)
+    lb_listener_arn           = string
+    listener_rule_priority    = optional(number, 10)
+    listener_rule_host_header = optional(string, "*")
+    security_group_ids        = list(string)
+    subnet_ids                = list(string)
+    vpc_id                    = string
   }))
   description = "The services to deploy"
   default     = {}