cloudfoundry · Volatus · May 5, 2025 · May 7, 2025
diff --git a/terraform/aws/template_generator.go b/terraform/aws/template_generator.go
@@ -13,8 +13,10 @@ type templates struct {
 	iam            string
 	lbSubnet       string
 	cfLB           string
+	cfNLB          string
 	cfDNS          string
 	concourseLB    string
+	cfCommon       string
 	sslCertificate string
 	isoSeg         string
 	vpc            string
@@ -43,7 +45,13 @@ func (tg TemplateGenerator) Generate(state storage.State) string {
 	case "concourse":
 		template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.concourseLB}, "\n")
 	case "cf":
-		template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.cfLB, tmpls.sslCertificate, tmpls.isoSeg}, "\n")
+		template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.cfLB, tmpls.cfCommon, tmpls.sslCertificate, tmpls.isoSeg}, "\n")
+
+		if state.LB.Domain != "" {
+			template = strings.Join([]string{template, tmpls.cfDNS}, "\n")
+		}
+	case "nlb":
+		template = strings.Join([]string{template, tmpls.lbSubnet, tmpls.cfNLB, tmpls.cfCommon, tmpls.sslCertificate, tmpls.isoSeg}, "\n")
 
 		if state.LB.Domain != "" {
 			template = strings.Join([]string{template, tmpls.cfDNS}, "\n")
@@ -60,6 +68,8 @@ func (t TemplateGenerator) readTemplates() templates {
 		"lb_subnet.tf":       "",
 		"cf_lb.tf":           "",
 		"cf_dns.tf":          "",
+		"cf_lb_common.tf":    "",
+		"cf_nlb.tf":          "",
 		"concourse_lb.tf":    "",
 		"ssl_certificate.tf": "",
 		"iso_segments.tf":    "",
@@ -94,8 +104,10 @@ func (t TemplateGenerator) readTemplates() templates {
 		base:           listings["base.tf"],
 		iam:            listings["iam.tf"],
 		lbSubnet:       listings["lb_subnet.tf"],
+		cfCommon:       listings["cf_lb_common.tf"],
 		cfLB:           listings["cf_lb.tf"],
 		cfDNS:          listings["cf_dns.tf"],
+		cfNLB:          listings["cf_nlb.tf"],
 		concourseLB:    listings["concourse_lb.tf"],
 		sslCertificate: listings["ssl_certificate.tf"],
 		isoSeg:         listings["iso_segments.tf"],

diff --git a/terraform/aws/template_generator_test.go b/terraform/aws/template_generator_test.go
@@ -52,7 +52,7 @@ var _ = Describe("TemplateGenerator", func() {
 
 		Context("when a CF lb type is provided with no system domain", func() {
 			BeforeEach(func() {
-				expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "ssl_certificate", "iso_segments")
+				expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "cf_lb_common", "ssl_certificate", "iso_segments")
 				lb = storage.LB{
 					Type: "cf",
 				}
@@ -65,7 +65,7 @@ var _ = Describe("TemplateGenerator", func() {
 
 		Context("when a CF lb type is provided with a system domain", func() {
 			BeforeEach(func() {
-				expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "ssl_certificate", "iso_segments", "cf_dns")
+				expectedTemplate = expectTemplate("base", "iam", "vpc", "lb_subnet", "cf_lb", "cf_lb_common", "ssl_certificate", "iso_segments", "cf_dns")
 				lb = storage.LB{
 					Type:   "cf",
 					Domain: "some-domain",

diff --git a/terraform/aws/templates/cf_dns.tf b/terraform/aws/templates/cf_dns.tf
@@ -39,7 +39,7 @@ resource "aws_route53_record" "wildcard_dns" {
   type    = "CNAME"
   ttl     = 300
 
-  records = ["${aws_elb.cf_router_lb.dns_name}"]
+  records = var.dualstack ? [aws_lb.cf_router_lb.dns_name] : ["${aws_elb.cf_router_lb.dns_name}"]
 }
 
 resource "aws_route53_record" "ssh" {
@@ -48,7 +48,7 @@ resource "aws_route53_record" "ssh" {
   type    = "CNAME"
   ttl     = 300
 
-  records = ["${aws_elb.cf_ssh_lb.dns_name}"]
+  records = var.dualstack ? [aws_lb.cf_ssh_lb.dns_name] : ["${aws_elb.cf_ssh_lb.dns_name}"]
 }
 
 resource "aws_route53_record" "bosh" {
@@ -66,7 +66,7 @@ resource "aws_route53_record" "tcp" {
   type    = "CNAME"
   ttl     = 300
 
-  records = ["${aws_elb.cf_tcp_lb.dns_name}"]
+  records = var.dualstack ? [aws_lb.cf_tcp_lb.dns_name] : ["${aws_elb.cf_tcp_lb.dns_name}"]
 }
 
 resource "aws_route53_record" "iso" {

diff --git a/terraform/aws/templates/cf_lb.tf b/terraform/aws/templates/cf_lb.tf
@@ -1,75 +1,3 @@
-variable "elb_idle_timeout" {
-  type    = number
-  default = 60
-}
-
-resource "aws_security_group" "cf_ssh_lb_security_group" {
-  name        = "${var.env_id}-cf-ssh-lb-security-group"
-  description = "CF SSH"
-  vpc_id      = local.vpc_id
-
-  ingress {
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-    protocol         = "tcp"
-    from_port        = 2222
-    to_port          = 2222
-  }
-
-  egress {
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-  }
-
-  tags = {
-    Name = "${var.env_id}-cf-ssh-lb-security-group"
-  }
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-}
-
-output "cf_ssh_lb_security_group" {
-  value = aws_security_group.cf_ssh_lb_security_group.id
-}
-
-resource "aws_security_group" "cf_ssh_lb_internal_security_group" {
-  name        = "${var.env_id}-cf-ssh-lb-internal-security-group"
-  description = "CF SSH Internal"
-  vpc_id      = local.vpc_id
-
-  ingress {
-    security_groups = ["${aws_security_group.cf_ssh_lb_security_group.id}"]
-    protocol        = "tcp"
-    from_port       = 2222
-    to_port         = 2222
-  }
-
-  egress {
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-  }
-
-  tags = {
-    Name = "${var.env_id}-cf-ssh-lb-internal-security-group"
-  }
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-}
-
-output "cf_ssh_lb_internal_security_group" {
-  value = aws_security_group.cf_ssh_lb_internal_security_group.id
-}
-
 resource "aws_elb" "cf_ssh_lb" {
   name                      = "${var.short_env_id}-cf-ssh-lb"
   cross_zone_load_balancing = true
@@ -107,88 +35,6 @@ output "cf_ssh_lb_url" {
   value = aws_elb.cf_ssh_lb.dns_name
 }
 
-resource "aws_security_group" "cf_router_lb_security_group" {
-  name        = "${var.env_id}-cf-router-lb-security-group"
-  description = "CF Router"
-  vpc_id      = local.vpc_id
-
-  ingress {
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-    protocol         = "tcp"
-    from_port        = 80
-    to_port          = 80
-  }
-
-  ingress {
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-    protocol         = "tcp"
-    from_port        = 443
-    to_port          = 443
-  }
-
-  ingress {
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-    protocol         = "tcp"
-    from_port        = 4443
-    to_port          = 4443
-  }
-
-  egress {
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-  }
-
-  tags = {
-    Name = "${var.env_id}-cf-router-lb-security-group"
-  }
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-}
-
-output "cf_router_lb_security_group" {
-  value = aws_security_group.cf_router_lb_security_group.id
-}
-
-resource "aws_security_group" "cf_router_lb_internal_security_group" {
-  name        = "${var.env_id}-cf-router-lb-internal-security-group"
-  description = "CF Router Internal"
-  vpc_id      = local.vpc_id
-
-  ingress {
-    security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"]
-    protocol        = "tcp"
-    from_port       = 80
-    to_port         = 80
-  }
-
-  egress {
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-  }
-
-  tags = {
-    Name = "${var.env_id}-cf-router-lb-internal-security-group"
-  }
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-}
-
-output "cf_router_lb_internal_security_group" {
-  value = aws_security_group.cf_router_lb_internal_security_group.id
-}
 
 resource "aws_elb" "cf_router_lb" {
   name                      = "${var.short_env_id}-cf-router-lb"
@@ -235,21 +81,6 @@ resource "aws_elb" "cf_router_lb" {
   }
 }
 
-resource "aws_lb_target_group" "cf_router_4443" {
-  name     = "${var.short_env_id}-routertg-4443"
-  port     = 4443
-  protocol = "TCP"
-  vpc_id   = local.vpc_id
-
-  health_check {
-    protocol = "TCP"
-  }
-
-  tags = {
-    Name = "${var.env_id}"
-  }
-}
-
 output "cf_router_lb_name" {
   value = aws_elb.cf_router_lb.name
 }
@@ -258,80 +89,6 @@ output "cf_router_lb_url" {
   value = aws_elb.cf_router_lb.dns_name
 }
 
-resource "aws_security_group" "cf_tcp_lb_security_group" {
-  name        = "${var.env_id}-cf-tcp-lb-security-group"
-  description = "CF TCP"
-  vpc_id      = local.vpc_id
-
-  ingress {
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-    protocol         = "tcp"
-    from_port        = 1024
-    to_port          = 1123
-  }
-
-  egress {
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-  }
-
-  tags = {
-    Name = "${var.env_id}-cf-tcp-lb-security-group"
-  }
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-}
-
-output "cf_tcp_lb_security_group" {
-  value = aws_security_group.cf_tcp_lb_security_group.id
-}
-
-resource "aws_security_group" "cf_tcp_lb_internal_security_group" {
-  name        = "${var.env_id}-cf-tcp-lb-internal-security-group"
-  description = "CF TCP Internal"
-  vpc_id      = local.vpc_id
-
-  ingress {
-    security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"]
-    protocol        = "tcp"
-    from_port       = 1024
-    to_port         = 1123
-  }
-
-  ingress {
-    security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"]
-    protocol        = "tcp"
-    from_port       = 80
-    to_port         = 80
-  }
-
-  egress {
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    cidr_blocks      = ["0.0.0.0/0"]
-    ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
-  }
-
-  tags = {
-    Name = "${var.env_id}-cf-tcp-lb-security-group"
-  }
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-}
-
-output "cf_tcp_lb_internal_security_group" {
-  value = aws_security_group.cf_tcp_lb_internal_security_group.id
-}
-
 resource "aws_elb" "cf_tcp_lb" {
   name                      = "${var.short_env_id}-cf-tcp-lb"
   cross_zone_load_balancing = true