terraform: use HTTPS health check for AWS

cli/internal/terraform/terraform/aws/main.tf

@@ -125,6 +125,14 @@ resource "aws_security_group" "security_group" {
     description = "konnectivity"
   }
 
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [aws_vpc.vpc.cidr_block]
+    description = "allow all internal"
+  }
+
   dynamic "ingress" {
     for_each = var.debug ? [1] : []
     content {
@@ -144,60 +152,67 @@ resource "aws_cloudwatch_log_group" "log_group" {
 }
 
 module "load_balancer_target_bootstrapper" {
-  source = "./modules/load_balancer_target"
+  source               = "./modules/load_balancer_target"
-  name   = "${local.name}-bootstrapper"
+  name                 = "${local.name}-bootstrapper"
-  vpc_id = aws_vpc.vpc.id
+  vpc_id               = aws_vpc.vpc.id
-  lb_arn = aws_lb.front_end.arn
+  lb_arn               = aws_lb.front_end.arn
-  port   = local.ports_bootstrapper
+  port                 = local.ports_bootstrapper
-  tags   = local.tags
+  tags                 = local.tags
+  healthcheck_protocol = "TCP"
 }
 
 module "load_balancer_target_kubernetes" {
-  source = "./modules/load_balancer_target"
+  source               = "./modules/load_balancer_target"
-  name   = "${local.name}-kubernetes"
+  name                 = "${local.name}-kubernetes"
-  vpc_id = aws_vpc.vpc.id
+  vpc_id               = aws_vpc.vpc.id
-  lb_arn = aws_lb.front_end.arn
+  lb_arn               = aws_lb.front_end.arn
-  port   = local.ports_kubernetes
+  port                 = local.ports_kubernetes
-  tags   = local.tags
+  tags                 = local.tags
+  healthcheck_protocol = "HTTPS"
+  healthcheck_path     = "/readyz"
 }
 
 module "load_balancer_target_verify" {
-  source = "./modules/load_balancer_target"
+  source               = "./modules/load_balancer_target"
-  name   = "${local.name}-verify"
+  name                 = "${local.name}-verify"
-  vpc_id = aws_vpc.vpc.id
+  vpc_id               = aws_vpc.vpc.id
-  lb_arn = aws_lb.front_end.arn
+  lb_arn               = aws_lb.front_end.arn
-  port   = local.ports_verify
+  port                 = local.ports_verify
-  tags   = local.tags
+  tags                 = local.tags
+  healthcheck_protocol = "TCP"
 }
 
 module "load_balancer_target_debugd" {
-  count  = var.debug ? 1 : 0 // only deploy debugd in debug mode
+  count                = var.debug ? 1 : 0 // only deploy debugd in debug mode
-  source = "./modules/load_balancer_target"
+  source               = "./modules/load_balancer_target"
-  name   = "${local.name}-debugd"
+  name                 = "${local.name}-debugd"
-  vpc_id = aws_vpc.vpc.id
+  vpc_id               = aws_vpc.vpc.id
-  lb_arn = aws_lb.front_end.arn
+  lb_arn               = aws_lb.front_end.arn
-  port   = local.ports_debugd
+  port                 = local.ports_debugd
-  tags   = local.tags
+  tags                 = local.tags
+  healthcheck_protocol = "TCP"
 }
 
 module "load_balancer_target_konnectivity" {
-  source = "./modules/load_balancer_target"
+  source               = "./modules/load_balancer_target"
-  name   = "${local.name}-konnectivity"
+  name                 = "${local.name}-konnectivity"
-  vpc_id = aws_vpc.vpc.id
+  vpc_id               = aws_vpc.vpc.id
-  lb_arn = aws_lb.front_end.arn
+  lb_arn               = aws_lb.front_end.arn
-  port   = local.ports_konnectivity
+  port                 = local.ports_konnectivity
-  tags   = local.tags
+  tags                 = local.tags
+  healthcheck_protocol = "TCP"
 }
 
 # TODO: Remove when development is more advanced
 module "load_balancer_target_ssh" {
-  count  = var.debug ? 1 : 0 // only deploy SSH in debug mode
+  count                = var.debug ? 1 : 0 // only deploy SSH in debug mode
-  source = "./modules/load_balancer_target"
+  source               = "./modules/load_balancer_target"
-  name   = "${local.name}-ssh"
+  name                 = "${local.name}-ssh"
-  vpc_id = aws_vpc.vpc.id
+  vpc_id               = aws_vpc.vpc.id
-  lb_arn = aws_lb.front_end.arn
+  lb_arn               = aws_lb.front_end.arn
-  port   = local.ports_ssh
+  port                 = local.ports_ssh
-  tags   = local.tags
+  tags                 = local.tags
+  healthcheck_protocol = "TCP"
 }
 
 module "instance_group_control_plane" {

cli/internal/terraform/terraform/aws/modules/load_balancer_target/main.tf

@@ -15,8 +15,12 @@ resource "aws_lb_target_group" "front_end" {
   tags     = var.tags
 
   health_check {
-    port     = var.port
+    port                = var.port
-    protocol = "TCP"
+    protocol            = var.healthcheck_protocol
+    path                = var.healthcheck_protocol == "HTTPS" ? var.healthcheck_path : null
+    interval            = 10
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
   }
 
   lifecycle {

cli/internal/terraform/terraform/aws/modules/load_balancer_target/variables.tf

@@ -18,6 +18,18 @@ variable "lb_arn" {
   description = "ARN of the load balancer."
 }
 
+variable "healthcheck_protocol" {
+  type        = string
+  default     = "TCP"
+  description = "Type of the load balancer target."
+}
+
+variable "healthcheck_path" {
+  type        = string
+  default     = ""
+  description = "Path for health check."
+}
+
 variable "tags" {
   type        = map(string)
   description = "The tags to add to the loadbalancer."