From be2b38f2acc4b28419f64fc94f0c3efc9ea32e22 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Wed, 2 Nov 2022 11:46:52 +0100
Subject: [PATCH] terraform: use HTTPS health check for AWS
---
 cli/internal/terraform/terraform/aws/main.tf | 91 +++++++++++--------
 .../aws/modules/load_balancer_target/main.tf | 8 +-
 .../modules/load_balancer_target/variables.tf | 12 +++
 3 files changed, 71 insertions(+), 40 deletions(-)
diff --git a/cli/internal/terraform/terraform/aws/main.tf b/cli/internal/terraform/terraform/aws/main.tf
index 51cf3c3f0..4a8f6b3ca 100644
--- a/cli/internal/terraform/terraform/aws/main.tf
+++ b/cli/internal/terraform/terraform/aws/main.tf
@@ -125,6 +125,14 @@ resource "aws_security_group" "security_group" {
 description = "konnectivity" } + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [aws_vpc.vpc.cidr_block] + description = "allow all internal" + } + dynamic "ingress" { for_each = var.debug ? [1] : [] content {
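Review bot: The new `ingress` rule opens every port and protocol (`protocol = "-1"`, `from_port`/`to_port` 0) to the whole VPC CIDR, which is far broader than a load-balancer health check needs. Presumably it is there so the load balancer's probes, which come from its private addresses inside the VPC, can reach the targets; if so, the rule can be narrowed to `protocol = "tcp"` and the `local.ports_*` ranges the target groups actually expose, so that any other workload placed in the VPC does not get unrestricted access to every listener on the nodes. At minimum the rule should state its purpose, e.g. `description = "VPC-internal traffic, needed for load balancer health checks"`, so a later reviewer does not mistake it for an intentional flat network. The enclosing `aws_security_group` resource starts and ends outside the hunk.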
@@ -144,60 +152,67 @@ resource "aws_cloudwatch_log_group" "log_group" { } module "load_balancer_target_bootstrapper" { - source = "./modules/load_balancer_target" - name = "${local.name}-bootstrapper" - vpc_id = aws_vpc.vpc.id - lb_arn = aws_lb.front_end.arn - port = local.ports_bootstrapper - tags = local.tags + source = "./modules/load_balancer_target" + name = "${local.name}-bootstrapper" + vpc_id = aws_vpc.vpc.id + lb_arn = aws_lb.front_end.arn + port = local.ports_bootstrapper + tags = local.tags + healthcheck_protocol = "TCP" } module "load_balancer_target_kubernetes" { - source = "./modules/load_balancer_target" - name = "${local.name}-kubernetes" - vpc_id = aws_vpc.vpc.id - lb_arn = aws_lb.front_end.arn - port = local.ports_kubernetes - tags = local.tags + source = "./modules/load_balancer_target" + name = "${local.name}-kubernetes" + vpc_id = aws_vpc.vpc.id + lb_arn = aws_lb.front_end.arn + port = local.ports_kubernetes + tags = local.tags + healthcheck_protocol = "HTTPS" + healthcheck_path = "/readyz" } module "load_balancer_target_verify" { - source = "./modules/load_balancer_target" - name = "${local.name}-verify" - vpc_id = aws_vpc.vpc.id - lb_arn = aws_lb.front_end.arn - port = local.ports_verify - tags = local.tags + source = "./modules/load_balancer_target" + name = "${local.name}-verify" + vpc_id = aws_vpc.vpc.id + lb_arn = aws_lb.front_end.arn + port = local.ports_verify + tags = local.tags + healthcheck_protocol = "TCP" } module "load_balancer_target_debugd" { - count = var.debug ? 1 : 0 // only deploy debugd in debug mode - source = "./modules/load_balancer_target" - name = "${local.name}-debugd" - vpc_id = aws_vpc.vpc.id - lb_arn = aws_lb.front_end.arn - port = local.ports_debugd - tags = local.tags + count = var.debug ? 
1 : 0 // only deploy debugd in debug mode + source = "./modules/load_balancer_target" + name = "${local.name}-debugd" + vpc_id = aws_vpc.vpc.id + lb_arn = aws_lb.front_end.arn + port = local.ports_debugd + tags = local.tags + healthcheck_protocol = "TCP" } module "load_balancer_target_konnectivity" { - source = "./modules/load_balancer_target" - name = "${local.name}-konnectivity" - vpc_id = aws_vpc.vpc.id - lb_arn = aws_lb.front_end.arn - port = local.ports_konnectivity - tags = local.tags + source = "./modules/load_balancer_target" + name = "${local.name}-konnectivity" + vpc_id = aws_vpc.vpc.id + lb_arn = aws_lb.front_end.arn + port = local.ports_konnectivity + tags = local.tags + healthcheck_protocol = "TCP" } # TODO: Remove when development is more advanced module "load_balancer_target_ssh" { - count = var.debug ? 1 : 0 // only deploy SSH in debug mode - source = "./modules/load_balancer_target" - name = "${local.name}-ssh" - vpc_id = aws_vpc.vpc.id - lb_arn = aws_lb.front_end.arn - port = local.ports_ssh - tags = local.tags + count = var.debug ? 1 : 0 // only deploy SSH in debug mode + source = "./modules/load_balancer_target" + name = "${local.name}-ssh" + vpc_id = aws_vpc.vpc.id + lb_arn = aws_lb.front_end.arn + port = local.ports_ssh + tags = local.tags + healthcheck_protocol = "TCP" } module "instance_group_control_plane" { diff --git a/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf b/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf index 4ca55acc7..a0d091e26 100644 --- a/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf +++ b/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf 
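Review bot: `module "load_balancer_target_kubernetes"` now probes `/readyz` over HTTPS, which only works because the API server answers `/readyz` to callers that present no credentials (the load balancer sends no client certificate); if anonymous authentication is disabled or the default RBAC binding for that endpoint is removed as part of a later hardening step, the target flips to unhealthy and the control plane silently drops out of the load balancer. A one-line comment on that module block would make the dependency visible, e.g. `# /readyz must stay reachable without client auth: the load balancer health check is unauthenticated`. The other targets keep `healthcheck_protocol = "TCP"`, which only verifies that the port accepts connections; that matches the previous behaviour, so nothing more is needed there. `module "instance_group_control_plane"` at the end of the hunk continues outside it.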
@@ -15,8 +15,12 @@ resource "aws_lb_target_group" "front_end" {
 tags = var.tags health_check { - port = var.port - protocol = "TCP" + port = var.port + protocol = var.healthcheck_protocol + path = var.healthcheck_protocol == "HTTPS" ? var.healthcheck_path : null + interval = 10 + healthy_threshold = 2 + unhealthy_threshold = 2 } lifecycle {
diff --git a/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf b/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf
index 4ca55acc7..a0d091e26 100644
--- a/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf
+++ b/cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf
@@ -18,6 +18,18 @@ variable "lb_arn" {
 description = "ARN of the load balancer." } +variable "healthcheck_protocol" { + type = string + default = "TCP" + description = "Type of the load balancer target." +} + +variable "healthcheck_path" { + type = string + default = "" + description = "Path for health check." +} + variable "tags" { type = map(string) description = "The tags to add to the loadbalancer."
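Review bot: The `path` expression in the `health_check` block only treats the literal `"HTTPS"` as path-bearing, so a caller passing `"HTTP"` or `"https"` has its path silently dropped (the API default `/` is then probed) and any other unexpected string reaches the AWS API unchecked. Accept both HTTP protocols explicitly, `path = contains(["HTTP", "HTTPS"], var.healthcheck_protocol) ? var.healthcheck_path : null`, and constrain the variable itself in variables.tf (see the note on that hunk). Since the check is now configurable, a short comment on the block stating that a TCP check only proves the port is listening while an HTTP(S) check confirms the service reports ready would help whoever adds the next target. The `aws_lb_target_group` resource starts and ends outside the hunk.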
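Review bot: The description of `healthcheck_protocol` is wrong — it says `Type of the load balancer target.` although the variable selects the target group health-check protocol — and neither new variable constrains its value, so a typo such as `"https"` is only noticed at apply time, if at all. main.tf already uses module-level `count`, so `validation` blocks are available; restrict the protocol to the values the module's `path` expression handles (extend the list if HTTP support is added), and give `healthcheck_path` a usable default of `/` instead of `""`, which is what an HTTPS caller that forgets the path currently sends. Suggested rewrite of the two variable blocks:
```terraform
variable "healthcheck_protocol" {
  type        = string
  default     = "TCP"
  description = "Protocol of the target group health check: TCP or HTTPS."

  validation {
    condition     = contains(["TCP", "HTTPS"], var.healthcheck_protocol)
    error_message = "The healthcheck_protocol must be either TCP or HTTPS."
  }
}

variable "healthcheck_path" {
  type        = string
  default     = "/"
  description = "Path probed by an HTTPS health check; ignored for TCP checks."
}
```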