From 840204773db6735f1b6f26ecd7290105f467f005 Mon Sep 17 00:00:00 2001
From: Ismayil Mirzali
Date: Mon, 5 May 2025 11:38:18 +0300
Subject: [PATCH 1/2] feat: Add AWS NLB load balancer type

* Adds NLB variants of existing classic load balancers
* Adds dualstack support on the NLBs
* CF TCP LB is now limited to 50 ports, instead of 100

Signed-off-by: Ismayil Mirzali
---
 terraform/aws/template_generator.go | 14 +-
 terraform/aws/templates/cf_dns.tf | 6 +-
 terraform/aws/templates/cf_lb.tf | 243 -----------------------
 terraform/aws/templates/cf_lb_common.tf | 247 ++++++++++++++++++++++++
 terraform/aws/templates/cf_nlb.tf | 202 +++++++++++++++++++
 terraform/aws/templates/iso_segments.tf | 92 ++++++++-
 6 files changed, 551 insertions(+), 253 deletions(-)
 create mode 100644 terraform/aws/templates/cf_lb_common.tf
 create mode 100644 terraform/aws/templates/cf_nlb.tf

diff --git a/terraform/aws/template_generator.go b/terraform/aws/template_generator.go
index ca38c9634..9108ac9b9 100644
--- a/terraform/aws/template_generator.go
+++ b/terraform/aws/template_generator.go
@@ -13,8 +13,10 @@ type templates struct {
 iam string
 lbSubnet string
 cfLB string
+ cfNLB string
 cfDNS string
 concourseLB string
+ cfCommon string
 sslCertificate string
 isoSeg string
 vpc string
@@ -43,7 +45,13 @@ func (tg TemplateGenerator) Generate(state storage.State) string {
 case "concourse":
 template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.concourseLB}, "\n")
 case "cf":
- template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.cfLB, tmpls.sslCertificate, tmpls.isoSeg}, "\n")
+ template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.cfLB, tmpls.cfCommon, tmpls.sslCertificate, tmpls.isoSeg}, "\n")
+
+ if state.LB.Domain != "" {
+ template = strings.Join([]string{template, tmpls.cfDNS}, "\n")
+ }
+ case "nlb":
+ template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.cfNLB, tmpls.cfCommon, tmpls.sslCertificate, tmpls.isoSeg}, "\n")
 
 if state.LB.Domain != "" {
 template = strings.Join([]string{template, tmpls.cfDNS}, "\n")
@@ -60,6 +68,8 @@ func (t TemplateGenerator) readTemplates() templates {
 "lb_subnet.tf": "",
 "cf_lb.tf": "",
 "cf_dns.tf": "",
+ "cf_lb_common.tf": "",
+ "cf_nlb.tf": "",
 "concourse_lb.tf": "",
 "ssl_certificate.tf": "",
 "iso_segments.tf": "",
@@ -94,8 +104,10 @@ func (t TemplateGenerator) readTemplates() templates {
 base: listings["base.tf"],
 iam: listings["iam.tf"],
 lbSubnet: listings["lb_subnet.tf"],
+ cfCommon: listings["cf_lb_common.tf"],
 cfLB: listings["cf_lb.tf"],
 cfDNS: listings["cf_dns.tf"],
+ cfNLB: listings["cf_nlb.tf"],
 concourseLB: listings["concourse_lb.tf"],
 sslCertificate: listings["ssl_certificate.tf"],
 isoSeg: listings["iso_segments.tf"],
diff --git a/terraform/aws/templates/cf_dns.tf b/terraform/aws/templates/cf_dns.tf
index f2b37b8cb..15a882506 100644
--- a/terraform/aws/templates/cf_dns.tf
+++ b/terraform/aws/templates/cf_dns.tf
@@ -39,7 +39,7 @@ resource "aws_route53_record" "wildcard_dns" {
 type = "CNAME"
 ttl = 300
- records = ["${aws_elb.cf_router_lb.dns_name}"]
+ records = var.dualstack ? [aws_lb.cf_router_lb.dns_name] : ["${aws_elb.cf_router_lb.dns_name}"]
 }
 
 resource "aws_route53_record" "ssh" {
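Review bot: The new `case "nlb":` body is the `"cf"` body with `tmpls.cfNLB` swapped in, and the `if state.LB.Domain != ""` block now exists twice because the original copy after `case "cf"` was left in place below the new case, so every future change to the shared template list or to the DNS condition has to be made in two places. Folding both labels into one case that only selects the LB template keeps the shared list in one spot. The switch expression and the rest of Generate are outside the hunk, so I am assuming the switch is on `state.LB.Type`; it is also worth confirming that `"nlb"` is accepted wherever the LB type is validated on input, since an unrecognised value presumably falls through to this switch's default.

```go
// … unchanged: "concourse" case …
case "cf", "nlb":
	lbTmpl := tmpls.cfLB
	if state.LB.Type == "nlb" {
		lbTmpl = tmpls.cfNLB
	}
	template = strings.Join([]string{template, tmpls.lbSubnet, lbTmpl, tmpls.cfCommon, tmpls.sslCertificate, tmpls.isoSeg}, "\n")

	if state.LB.Domain != "" {
		template = strings.Join([]string{template, tmpls.cfDNS}, "\n")
	}
```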
@@ -48,7 +48,7 @@ resource "aws_route53_record" "ssh" {
 type = "CNAME"
 ttl = 300
- records = ["${aws_elb.cf_ssh_lb.dns_name}"]
+ records = var.dualstack ? [aws_lb.cf_ssh_lb.dns_name] : ["${aws_elb.cf_ssh_lb.dns_name}"]
 }
 
 resource "aws_route53_record" "bosh" {
@@ -66,7 +66,7 @@ resource "aws_route53_record" "tcp" {
 type = "CNAME"
 ttl = 300
- records = ["${aws_elb.cf_tcp_lb.dns_name}"]
+ records = var.dualstack ? [aws_lb.cf_tcp_lb.dns_name] : ["${aws_elb.cf_tcp_lb.dns_name}"]
 }
 
 resource "aws_route53_record" "iso" {
diff --git a/terraform/aws/templates/cf_lb.tf b/terraform/aws/templates/cf_lb.tf
index 8521f8cb2..1c9a51303 100644
--- a/terraform/aws/templates/cf_lb.tf
+++ b/terraform/aws/templates/cf_lb.tf
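Review bot: Each of the three new `records = var.dualstack ? [aws_lb.X.dns_name] : ["${aws_elb.X.dns_name}"]` lines (wildcard_dns, ssh, tcp) references both `aws_lb.X` and `aws_elb.X`, but only one of them exists in any generated template: cf_lb.tf declares the `aws_elb` resources and cf_nlb.tf the `aws_lb` ones. Terraform resolves resource references in both branches of a conditional before it evaluates the condition, so I expect validate/plan to fail with a "Reference to undeclared resource" error for every cf or nlb environment that sets a domain. The branch is also keyed on `var.dualstack` while the generator picks the LB template from `state.LB.Type`, so the two knobs can disagree. A fix that avoids both problems is to let each LB template export the name it owns, e.g. `locals { cf_router_lb_dns_name = aws_elb.cf_router_lb.dns_name }` in cf_lb.tf and the `aws_lb` equivalent in cf_nlb.tf, and to reference `records = [local.cf_router_lb_dns_name]` here (likewise for ssh and tcp).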
@@ -1,75 +1,3 @@ -variable "elb_idle_timeout" { - type = number - default = 60 -} - -resource "aws_security_group" "cf_ssh_lb_security_group" { - name = "${var.env_id}-cf-ssh-lb-security-group" - description = "CF SSH" - vpc_id = local.vpc_id - - ingress { - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - protocol = "tcp" - from_port = 2222 - to_port = 2222 - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - } - - tags = { - Name = "${var.env_id}-cf-ssh-lb-security-group" - } - - lifecycle { - ignore_changes = [name] - } -} - -output "cf_ssh_lb_security_group" { - value = aws_security_group.cf_ssh_lb_security_group.id -} - -resource "aws_security_group" "cf_ssh_lb_internal_security_group" { - name = "${var.env_id}-cf-ssh-lb-internal-security-group" - description = "CF SSH Internal" - vpc_id = local.vpc_id - - ingress { - security_groups = ["${aws_security_group.cf_ssh_lb_security_group.id}"] - protocol = "tcp" - from_port = 2222 - to_port = 2222 - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - } - - tags = { - Name = "${var.env_id}-cf-ssh-lb-internal-security-group" - } - - lifecycle { - ignore_changes = [name] - } -} - -output "cf_ssh_lb_internal_security_group" { - value = aws_security_group.cf_ssh_lb_internal_security_group.id -} - resource "aws_elb" "cf_ssh_lb" { name = "${var.short_env_id}-cf-ssh-lb" cross_zone_load_balancing = true 
@@ -107,88 +35,6 @@ output "cf_ssh_lb_url" { value = aws_elb.cf_ssh_lb.dns_name } -resource "aws_security_group" "cf_router_lb_security_group" { - name = "${var.env_id}-cf-router-lb-security-group" - description = "CF Router" - vpc_id = local.vpc_id - - ingress { - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - protocol = "tcp" - from_port = 80 - to_port = 80 - } - - ingress { - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - protocol = "tcp" - from_port = 443 - to_port = 443 - } - - ingress { - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - protocol = "tcp" - from_port = 4443 - to_port = 4443 - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - } - - tags = { - Name = "${var.env_id}-cf-router-lb-security-group" - } - - lifecycle { - ignore_changes = [name] - } -} - -output "cf_router_lb_security_group" { - value = aws_security_group.cf_router_lb_security_group.id -} - -resource "aws_security_group" "cf_router_lb_internal_security_group" { - name = "${var.env_id}-cf-router-lb-internal-security-group" - description = "CF Router Internal" - vpc_id = local.vpc_id - - ingress { - security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"] - protocol = "tcp" - from_port = 80 - to_port = 80 - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - } - - tags = { - Name = "${var.env_id}-cf-router-lb-internal-security-group" - } - - lifecycle { - ignore_changes = [name] - } -} - -output "cf_router_lb_internal_security_group" { - value = aws_security_group.cf_router_lb_internal_security_group.id -} resource "aws_elb" "cf_router_lb" { name = "${var.short_env_id}-cf-router-lb" 
@@ -235,21 +81,6 @@ resource "aws_elb" "cf_router_lb" { } } -resource "aws_lb_target_group" "cf_router_4443" { - name = "${var.short_env_id}-routertg-4443" - port = 4443 - protocol = "TCP" - vpc_id = local.vpc_id - - health_check { - protocol = "TCP" - } - - tags = { - Name = "${var.env_id}" - } -} - output "cf_router_lb_name" { value = aws_elb.cf_router_lb.name } 
@@ -258,80 +89,6 @@ output "cf_router_lb_url" { value = aws_elb.cf_router_lb.dns_name } -resource "aws_security_group" "cf_tcp_lb_security_group" { - name = "${var.env_id}-cf-tcp-lb-security-group" - description = "CF TCP" - vpc_id = local.vpc_id - - ingress { - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - protocol = "tcp" - from_port = 1024 - to_port = 1123 - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - } - - tags = { - Name = "${var.env_id}-cf-tcp-lb-security-group" - } - - lifecycle { - ignore_changes = [name] - } -} - -output "cf_tcp_lb_security_group" { - value = aws_security_group.cf_tcp_lb_security_group.id -} - -resource "aws_security_group" "cf_tcp_lb_internal_security_group" { - name = "${var.env_id}-cf-tcp-lb-internal-security-group" - description = "CF TCP Internal" - vpc_id = local.vpc_id - - ingress { - security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"] - protocol = "tcp" - from_port = 1024 - to_port = 1123 - } - - ingress { - security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"] - protocol = "tcp" - from_port = 80 - to_port = 80 - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null - } - - tags = { - Name = "${var.env_id}-cf-tcp-lb-security-group" - } - - lifecycle { - ignore_changes = [name] - } -} - -output "cf_tcp_lb_internal_security_group" { - value = aws_security_group.cf_tcp_lb_internal_security_group.id -} - resource "aws_elb" "cf_tcp_lb" { name = "${var.short_env_id}-cf-tcp-lb" cross_zone_load_balancing = true diff --git a/terraform/aws/templates/cf_lb_common.tf b/terraform/aws/templates/cf_lb_common.tf new file mode 100644 index 000000000..46e3dcdfb --- /dev/null +++ b/terraform/aws/templates/cf_lb_common.tf 
@@ -0,0 +1,247 @@ +variable "elb_idle_timeout" { + type = number + default = 60 +} + +resource "aws_lb_target_group" "cf_router_4443" { + name = "${var.short_env_id}-routertg-4443" + port = 4443 + protocol = "TCP" + vpc_id = local.vpc_id + + health_check { + protocol = "TCP" + } + + tags = { + Name = "${var.env_id}" + } +} + +resource "aws_security_group" "cf_ssh_lb_security_group" { + name = "${var.env_id}-cf-ssh-lb-security-group" + description = "CF SSH" + vpc_id = local.vpc_id + + ingress { + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 2222 + to_port = 2222 + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + } + + tags = { + Name = "${var.env_id}-cf-ssh-lb-security-group" + } + + lifecycle { + ignore_changes = [name] + } +} + +resource "aws_security_group" "cf_ssh_lb_internal_security_group" { + name = "${var.env_id}-cf-ssh-lb-internal-security-group" + description = "CF SSH Internal" + vpc_id = local.vpc_id + + ingress { + security_groups = ["${aws_security_group.cf_ssh_lb_security_group.id}"] + protocol = "tcp" + from_port = 2222 + to_port = 2222 + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + } + + tags = { + Name = "${var.env_id}-cf-ssh-lb-internal-security-group" + } + + lifecycle { + ignore_changes = [name] + } +} + +resource "aws_security_group" "cf_router_lb_security_group" { + name = "${var.env_id}-cf-router-lb-security-group" + description = "CF Router" + vpc_id = local.vpc_id + + ingress { + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 80 + to_port = 80 + } + + ingress { + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? 
["::/0"] : null + protocol = "tcp" + from_port = 443 + to_port = 443 + } + + ingress { + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 4443 + to_port = 4443 + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + } + + tags = { + Name = "${var.env_id}-cf-router-lb-security-group" + } + + lifecycle { + ignore_changes = [name] + } +} + +resource "aws_security_group" "cf_router_lb_internal_security_group" { + name = "${var.env_id}-cf-router-lb-internal-security-group" + description = "CF Router Internal" + vpc_id = local.vpc_id + + ingress { + security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"] + protocol = "tcp" + from_port = 80 + to_port = 80 + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + } + + tags = { + Name = "${var.env_id}-cf-router-lb-internal-security-group" + } + + lifecycle { + ignore_changes = [name] + } +} + + +resource "aws_security_group" "cf_tcp_lb_security_group" { + name = "${var.env_id}-cf-tcp-lb-security-group" + description = "CF TCP" + vpc_id = local.vpc_id + + ingress { + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 1024 + to_port = 1123 + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? 
["::/0"] : null + } + + tags = { + Name = "${var.env_id}-cf-tcp-lb-security-group" + } + + lifecycle { + ignore_changes = [name] + } +} + + +resource "aws_security_group" "cf_tcp_lb_internal_security_group" { + name = "${var.env_id}-cf-tcp-lb-internal-security-group" + description = "CF TCP Internal" + vpc_id = local.vpc_id + + ingress { + security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"] + protocol = "tcp" + from_port = 1024 + to_port = 1123 + } + + ingress { + security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"] + protocol = "tcp" + from_port = 80 + to_port = 80 + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + } + + tags = { + Name = "${var.env_id}-cf-tcp-lb-security-group" + } + + lifecycle { + ignore_changes = [name] + } +} + +output "cf_tcp_lb_security_group" { + value = aws_security_group.cf_tcp_lb_security_group.id +} + +output "cf_tcp_lb_internal_security_group" { + value = aws_security_group.cf_tcp_lb_internal_security_group.id +} + +output "cf_router_lb_internal_security_group" { + value = aws_security_group.cf_router_lb_internal_security_group.id +} + +output "cf_router_lb_security_group" { + value = aws_security_group.cf_router_lb_security_group.id +} + +output "cf_ssh_lb_internal_security_group" { + value = aws_security_group.cf_ssh_lb_internal_security_group.id +} + + +output "cf_ssh_lb_security_group" { + value = aws_security_group.cf_ssh_lb_security_group.id +} + diff --git a/terraform/aws/templates/cf_nlb.tf b/terraform/aws/templates/cf_nlb.tf new file mode 100644 index 000000000..611628188 --- /dev/null +++ b/terraform/aws/templates/cf_nlb.tf 
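Review bot: `cf_tcp_lb_security_group` and `cf_tcp_lb_internal_security_group` still allow `from_port = 1024` to `to_port = 1123` (100 ports) from `0.0.0.0/0` and `::/0`, while the NLB in cf_nlb.tf only creates listeners for `range(1024, 1074)`; the upper 50 ports are open at the security-group layer with nothing behind them, and if the classic ELB path was reduced to 50 ports as the commit message says, both rules should end at `to_port = 1073`. Deriving the port range from one shared value (for example a `locals` entry used by both these rules and the listener `for_each`) would stop the two from drifting again. Two things carried over by the move are worth fixing while the file is new: the internal TCP security group's `Name` tag is `"${var.env_id}-cf-tcp-lb-security-group"`, identical to the external group's, and presumably should be `"${var.env_id}-cf-tcp-lb-internal-security-group"` like its ssh and router siblings; and `aws_lb_target_group.cf_router_4443` now lives in the shared file but nothing in cf_nlb.tf forwards to it (the 4443 listener there targets `cf_router_nlb`), so confirm a consumer outside this diff still needs it.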
@@ -0,0 +1,202 @@ +resource "aws_lb" "cf_ssh_lb" { + name = "${var.short_env_id}-cf-ssh-lb" + internal = false + load_balancer_type = "network" + security_groups = [aws_security_group.cf_ssh_lb_security_group.id] + subnets = [for subnet in aws_subnet.lb_subnets : subnet.id] + + enable_deletion_protection = false + enable_cross_zone_load_balancing = true + + # idle_timeout = var.elb_idle_timeout + ip_address_type = "dualstack" + + tags = { + Name = var.env_id + } +} + +resource "aws_lb" "cf_router_lb" { + name = "${var.short_env_id}-cf-router-lb" + internal = false + load_balancer_type = "network" + security_groups = [aws_security_group.cf_router_lb_security_group.id] + subnets = [for subnet in aws_subnet.lb_subnets : subnet.id] + + enable_deletion_protection = false + enable_cross_zone_load_balancing = true + + # idle_timeout = var.elb_idle_timeout + ip_address_type = "dualstack" + + tags = { + Name = var.env_id + } +} + +resource "aws_lb" "cf_tcp_lb" { + name = "${var.short_env_id}-cf-tcp-lb" + internal = false + load_balancer_type = "network" + security_groups = [aws_security_group.cf_tcp_lb_security_group.id] + subnets = [for subnet in aws_subnet.lb_subnets : subnet.id] + + enable_deletion_protection = false + enable_cross_zone_load_balancing = true + + # idle_timeout = var.elb_idle_timeout + ip_address_type = "dualstack" + + tags = { + Name = var.env_id + } +} + +resource "aws_lb_listener" "cf_tcp_lb" { + for_each = toset([for x in range(1024, 1074, 1) : tostring(x)]) + + load_balancer_arn = aws_lb.cf_tcp_lb.arn + port = each.value + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.cf_tcp_nlb[each.value].arn + } + + depends_on = [ + aws_lb_target_group.cf_tcp_nlb + ] +} + +resource "aws_lb_target_group" "cf_tcp_nlb" { + for_each = toset([for x in range(1024, 1074, 1) : tostring(x)]) + + name = "${var.short_env_id}-cf-tcp-nlb-${each.value}" + port = each.value + protocol = "TCP" + vpc_id = local.vpc_id + + 
health_check { + healthy_threshold = 6 + unhealthy_threshold = 3 + interval = 15 + protocol = "TCP" + port = 80 + } + + tags = { + Name = "${var.env_id}-${each.value}" + } +} + +resource "aws_lb_target_group" "cf_ssh_nlb" { + name = "${var.short_env_id}-cf-ssh-nlb" + port = 2222 + protocol = "TCP" + vpc_id = local.vpc_id + + health_check { + healthy_threshold = 5 + unhealthy_threshold = 2 + interval = 12 + protocol = "TCP" + port = 2222 + } + + tags = { + Name = "${var.env_id}" + } +} + + +resource "aws_lb_target_group" "cf_router_nlb" { + name = "${var.short_env_id}-cf-router-nlb" + port = 80 + protocol = "TCP" + vpc_id = local.vpc_id + + health_check { + healthy_threshold = 5 + unhealthy_threshold = 2 + interval = 15 + protocol = "TCP" + port = 80 + } + + tags = { + Name = "${var.env_id}" + } +} + +resource "aws_lb_listener" "cf_ssh" { + load_balancer_arn = aws_lb.cf_ssh_lb.arn + port = "2222" + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.cf_ssh_nlb.arn + } +} + +resource "aws_lb_listener" "cf_router_http" { + load_balancer_arn = aws_lb.cf_router_lb.arn + port = "80" + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.cf_router_nlb.arn + } +} + +resource "aws_lb_listener" "cf_router_https" { + load_balancer_arn = aws_lb.cf_router_lb.arn + port = "443" + protocol = "TLS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = aws_iam_server_certificate.lb_cert.arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.cf_router_nlb.arn + } +} + +resource "aws_lb_listener" "cf_router_4443" { + load_balancer_arn = aws_lb.cf_router_lb.arn + port = "4443" + protocol = "TLS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = aws_iam_server_certificate.lb_cert.arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.cf_router_nlb.arn + } +} + +output "cf_ssh_lb_name" { + value = 
aws_lb.cf_ssh_lb.name +} + +output "cf_ssh_lb_url" { + value = aws_lb.cf_ssh_lb.dns_name +} + +output "cf_router_lb_name" { + value = aws_lb.cf_router_lb.name +} + +output "cf_router_lb_url" { + value = aws_lb.cf_router_lb.dns_name +} + +output "cf_tcp_lb_name" { + value = aws_lb.cf_tcp_lb.name +} + +output "cf_tcp_lb_url" { + value = aws_lb.cf_tcp_lb.dns_name +} diff --git a/terraform/aws/templates/iso_segments.tf b/terraform/aws/templates/iso_segments.tf index fc9945dfa..c06a429a4 100644 --- a/terraform/aws/templates/iso_segments.tf +++ b/terraform/aws/templates/iso_segments.tf @@ -5,17 +5,17 @@ variable "isolation_segments" { } variable "iso_to_bosh_ports" { - type = list(any) + type = list(number) default = [22, 6868, 2555, 4222, 25250] } variable "iso_to_shared_tcp_ports" { - type = list(any) + type = list(number) default = [9090, 9091, 8082, 8300, 8301, 8889, 8443, 3000, 4443, 8080, 3457, 9023, 9022, 4222] } variable "iso_to_shared_udp_ports" { - type = list(any) + type = list(number) default = [8301, 8302, 8600] } @@ -39,12 +39,13 @@ resource "aws_subnet" "iso_subnets" { resource "aws_route_table_association" "route_iso_subnets" { count = local.iso_az_count - subnet_id = element(aws_subnet.iso_subnets.*.id, count.index) + subnet_id = aws_subnet.iso_subnets[count.index].id route_table_id = aws_route_table.nated_route_table.id } + resource "aws_elb" "iso_router_lb" { - count = var.isolation_segments + count = var.isolation_segments == "1" && var.dualstack == false ? 1 : 0 name = "${var.short_env_id}-iso-router-lb" cross_zone_load_balancing = true 
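Review bot: The TLS listeners `cf_router_https` and `cf_router_4443` use `ssl_policy = "ELBSecurityPolicy-2016-08"`, which still negotiates TLS 1.0 and 1.1 with the older cipher suites; for a newly created listener a TLS 1.2-minimum policy such as `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` is the expected baseline, and the same applies to `iso_router_nlb_https` and `iso_router_nlb_4443` in iso_segments.tf. Both listeners also forward the terminated traffic to `cf_router_nlb` on port 80, so the router receives plain HTTP with no signal that the client used TLS (an NLB is layer 4 and adds no `X-Forwarded-Proto`, unlike the classic ELB HTTPS listener this replaces); confirm the gorouter behind this is configured for that, otherwise scheme-dependent redirects and any trust placed in a client-supplied `X-Forwarded-Proto` will be wrong. Minor: `depends_on = [aws_lb_target_group.cf_tcp_nlb]` on `cf_tcp_lb` is redundant with the `target_group_arn` reference in the same block, and `ip_address_type = "dualstack"` is hard-coded on all three `aws_lb` resources even though cf_dns.tf and iso_segments.tf switch on `var.dualstack`, so an nlb environment with `dualstack = false` gets a dualstack NLB but the non-dualstack branch everywhere else.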
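Review bot: `count = var.isolation_segments == "1" && var.dualstack == false ? 1 : 0` compares the variable against the string `"1"`; Terraform's `==` yields false whenever the operand types differ, so if `isolation_segments` is declared as a number (the replaced `count = var.isolation_segments` suggests it is at least accepted as one) this expression is always false and the classic isolation-segment ELB is never created. The variable declaration sits just above the first hunk and is not visible here, so confirm its type; `count = tonumber(var.isolation_segments) == 1 && !var.dualstack ? 1 : 0` is correct for either declaration. The same expression is repeated on every resource in the next hunk, so a single `locals` entry for the NLB count (and one for the ELB count) would keep the two mutually exclusive by construction. Note also that the old `count` accepted any number of segments, while the new condition only creates the LB for exactly one; if that narrowing is intended it deserves a comment on the line.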
@@ -88,6 +89,85 @@ resource "aws_elb" "iso_router_lb" { } } +resource "aws_lb" "iso_router_nlb" { + count = var.isolation_segments == "1" && var.dualstack ? 1 : 0 + name = "${var.short_env_id}-iso-router-lb" + internal = false + load_balancer_type = "network" + security_groups = [aws_security_group.cf_router_lb_security_group.id] + subnets = [for subnet in aws_subnet.lb_subnets : subnet.id] + + enable_deletion_protection = false + enable_cross_zone_load_balancing = true + + # idle_timeout = var.elb_idle_timeout + ip_address_type = "dualstack" + + tags = { + Name = var.env_id + } +} + +resource "aws_lb_target_group" "iso_router_nlb_http" { + count = var.isolation_segments == "1" && var.dualstack ? 1 : 0 + name = "${var.short_env_id}-iso-router-nlb-http" + port = 80 + protocol = "HTTP" + vpc_id = local.vpc_id + + health_check { + healthy_threshold = 5 + unhealthy_threshold = 2 + interval = 15 + protocol = "TCP" + port = 80 + } + + tags = { + Name = "${var.env_id}" + } +} + +resource "aws_lb_listener" "iso_router_nlb_http" { + count = var.isolation_segments == "1" && var.dualstack ? 1 : 0 + load_balancer_arn = aws_lb.iso_router_nlb[0].arn + port = "80" + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.iso_router_nlb_http[0].arn + } +} + +resource "aws_lb_listener" "iso_router_nlb_https" { + count = var.isolation_segments == "1" && var.dualstack ? 1 : 0 + load_balancer_arn = aws_lb.iso_router_nlb[0].arn + port = "443" + protocol = "TLS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = aws_iam_server_certificate.lb_cert.arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.iso_router_nlb_http[0].arn + } +} + +resource "aws_lb_listener" "iso_router_nlb_4443" { + count = var.isolation_segments == "1" && var.dualstack ? 
1 : 0 + load_balancer_arn = aws_lb.iso_router_nlb[0].arn + port = "4443" + protocol = "TLS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = aws_iam_server_certificate.lb_cert.arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.iso_router_nlb_http[0].arn + } +} + resource "aws_lb_target_group" "iso_router_lb_4443" { count = var.isolation_segments name = "${var.short_env_id}-isotg-4443" @@ -211,7 +291,7 @@ resource "aws_security_group_rule" "nat_to_isolated_cells_rule" { } output "cf_iso_router_lb_name" { - value = one(aws_elb.iso_router_lb[*].name) + value = var.dualstack ? one(aws_lb.iso_router_nlb[*].name) : one(aws_elb.iso_router_lb[*].name) } output "iso_security_group_id" { From c2e49a72ede813411093cea77b392a3d9040e291 Mon Sep 17 00:00:00 2001 From: Ismayil Mirzali Date: Wed, 7 May 2025 13:53:22 +0300 Subject: [PATCH 2/2] fix: update aws tests to include common lb manifest Signed-off-by: Ismayil Mirzali --- terraform/aws/template_generator_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/aws/template_generator_test.go b/terraform/aws/template_generator_test.go index e9285d1f0..a1cd60f6a 100644 --- a/terraform/aws/template_generator_test.go +++ b/terraform/aws/template_generator_test.go @@ -52,7 +52,7 @@ var _ = Describe("TemplateGenerator", func() { Context("when a CF lb type is provided with no system domain", func() { BeforeEach(func() { - expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "ssl_certificate", "iso_segments") + expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "cf_lb_common", "ssl_certificate", "iso_segments") lb = storage.LB{ Type: "cf", } 
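Review bot: `aws_lb_target_group.iso_router_nlb_http` is declared with `protocol = "HTTP"` but is the forward target of TCP and TLS listeners on a `load_balancer_type = "network"` balancer; NLB target groups only accept TCP, TLS, UDP and TCP_UDP, so AWS should reject `iso_router_nlb_http`/`_https`/`_4443` at apply time. The matching router target group in cf_nlb.tf uses `protocol = "TCP"` and this one should as well, `protocol = "TCP"`. Everything raised on cf_nlb.tf applies to this copy too: the `ELBSecurityPolicy-2016-08` policy on the two TLS listeners, TLS terminated onto plain port 80, and `count = var.isolation_segments == "1" && var.dualstack ? 1 : 0` repeated five times where one local would do.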
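Review bot: The test file still exercises only `Type: "cf"`; the new `"nlb"` branch in Generate has no case pinning which templates it emits, so a wrong or missing entry in its template list (the kind of change this patch makes for `cf` by adding `"cf_lb_common"`) would pass unnoticed. Add a sibling `Context("when an NLB lb type is provided with no system domain", ...)` that sets `lb = storage.LB{Type: "nlb"}` and expects `expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_nlb", "cf_lb_common", "ssl_certificate", "iso_segments")`, plus the with-domain variant whose expected list ends in `"cf_dns"`. The enclosing Describe block starts and ends outside the hunk.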
@@ -65,7 +65,7 @@ var _ = Describe("TemplateGenerator", func() {
 Context("when a CF lb type is provided with a system domain", func() {
 BeforeEach(func() {
- expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "ssl_certificate", "iso_segments", "cf_dns")
+ expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "cf_lb_common", "ssl_certificate", "iso_segments", "cf_dns")
 lb = storage.LB{
 Type: "cf",
 Domain: "some-domain",