diff --git a/services/terraform/self-host/aws_lb.tf b/services/terraform/self-host/aws_lb.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/aws_lb.tf
@@ -0,0 +1,82 @@
+resource "aws_security_group" "lb_sg" {
+ name = "lb-sg"
+ description = "Security group for keyserver load balancer"
+ vpc_id = local.vpc_id
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_lb_target_group" "keyserver_service" {
+ name = "keyserver-service-ecs-tg"
+ port = 3000
+ protocol = "HTTP"
+ vpc_id = local.vpc_id
+
+ # "awsvpc" network mode requires target type set to ip
+ target_type = "ip"
+
+ stickiness {
+ type = "lb_cookie"
+ cookie_duration = 86500
+ enabled = true
+ }
+
+ health_check {
+ enabled = true
+ healthy_threshold = 2
+ unhealthy_threshold = 3
+
+ protocol = "HTTP"
+ path = "/health"
+ matcher = "200-299"
+ }
+}
+
+resource "aws_lb" "keyserver_service" {
+ load_balancer_type = "application"
+ name = "keyserver-service-lb"
+ security_groups = [aws_security_group.lb_sg.id]
+
+ internal = false
+ subnets = local.vpc_subnets
+}
+
+resource "aws_lb_listener" "keyserver_service" {
+ load_balancer_arn = aws_lb.keyserver_service.arn
+ port = "443"
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_arn = data.aws_acm_certificate.keyserver_service.arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.keyserver_service.arn
+ }
+
+ lifecycle {
+ ignore_changes = [default_action[0].forward[0].stickiness[0].duration]
+ replace_triggered_by = [aws_lb_target_group.keyserver_service]
+ }
+}
+
+
+data "aws_acm_certificate" "keyserver_service" {
+ domain = var.domain_name
+ statuses = ["ISSUED"]
+}
+
+output "keyserver_service_load_balancer_dns_name" {
+ value = aws_lb.keyserver_service.dns_name
+}
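Review bot: The listener pins `ssl_policy = "ELBSecurityPolicy-2016-08"`, a policy that still negotiates TLS 1.0 and 1.1; for a new public endpoint `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` limits clients to TLS 1.2 and 1.3 and is the policy family AWS currently points new deployments at. The `aws_lb` resource also leaves `drop_invalid_header_fields` at its default of false; adding `drop_invalid_header_fields = true` makes the ALB discard malformed request headers instead of forwarding them to the keyserver, which is the ALB hardening check most benchmarks look for. Separately, `cookie_duration = 86500` reads like a typo for 86400 (one day); if the extra 100 seconds is deliberate, a comment on that line should say why.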
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -35,16 +35,16 @@
 {
 name = "keyserver-port"
 containerPort = 3000
+ hostPort = 3000,
 protocol = "tcp"
 },
- {
- name = "http-port"
- containerPort = 80
- protocol = "tcp"
- appProtocol = "http"
- },
+
 ]
 environment = [
+ {
+ name = "COMM_LISTEN_ADDR"
+ value = "0.0.0.0"
+ },
 {
 name = "COMM_DATABASE_HOST"
 value = "${aws_db_instance.mariadb.address}"
@@ -79,6 +79,16 @@
 "domain" : "https://web.comm.app"
 })
 },
+ {
+ name = "COMM_JSONCONFIG_facts_keyserver_url"
+ value = jsonencode({
+ "baseDomain" : "https://${var.domain_name}",
+ "basePath" : "/",
+ "baseRoutePath" : "/",
+ "https" : false,
+ "proxy" : "none"
+ })
+ },
 {
 name = "COMM_JSONCONFIG_secrets_identity_service_config",
 value = jsonencode({
@@ -125,6 +135,12 @@
 assign_public_ip = true
 }
+ load_balancer {
+ target_group_arn = aws_lb_target_group.keyserver_service.arn
+ container_name = local.keyserver_service_container_name
+ container_port = 3000
+ }
+
 deployment_circuit_breaker {
 enable = true
 rollback = true
@@ -135,14 +151,22 @@
 name = "keyserver-service-ecs-sg"
 vpc_id = local.vpc_id
- # Allow all inbound traffic. This is temporary until load balancer is configured
+ # Allow all inbound traffic on port 3000
 ingress {
- from_port = 0
- to_port = 65535
+ from_port = 3000
+ to_port = 3000
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
+ ingress {
+ description = "Allow inbound traffic from any IPv6 address"
+ from_port = 3000
+ to_port = 3000
+ protocol = "tcp"
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
 # Allow all outbound traffic
 egress {
 from_port = 0
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
--- a/services/terraform/self-host/variables.tf
+++ b/services/terraform/self-host/variables.tf
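Review bot: `hostPort = 3000,` carries a trailing comma that its sibling attributes in the same port-mapping object (`containerPort = 3000`, `protocol = "tcp"`) do not; HCL accepts either separator inside an object literal, but the rest of this list relies on newlines only, so `hostPort = 3000` keeps the block consistent. Since the value merely repeats `containerPort`, a one-line comment such as `# awsvpc network mode requires hostPort to equal containerPort` would explain the duplication (the target group in aws_lb.tf already documents the awsvpc constraint on its side). The enclosing container-definition list starts before this hunk.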
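Review bot: The new `COMM_JSONCONFIG_facts_keyserver_url` entry advertises `"baseDomain" : "https://${var.domain_name}"` while setting `"https" : false` and `"proxy" : "none"`, and nothing in the hunk explains how those three interact now that an ALB terminates TLS in front of the container. If `https` and `proxy` describe the container's own listener rather than the public URL, a comment like `# TLS terminates at the ALB; the container itself serves plain HTTP, hence https=false` would keep the next reader from treating this as a contradiction; if they instead govern how the server treats forwarded-header and scheme information from a reverse proxy, the values look wrong for an ALB deployment and should be confirmed against the keyserver's config documentation before merge. The surrounding `environment` list begins and ends outside the hunk.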
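Review bot: The new `load_balancer` block references only `aws_lb_target_group.keyserver_service.arn`, so Terraform orders the service after the target group but not after `aws_lb_listener.keyserver_service`, and ECS rejects a service whose target group is not yet attached to a load balancer; on a fresh apply the two can race. Adding `depends_on = [aws_lb_listener.keyserver_service]` to the service resource makes the ordering explicit. The enclosing service resource begins and ends outside the hunk, so the `depends_on` line has to go at its top level rather than inside this block.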
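Review bot: The rewritten ingress rule keeps `cidr_blocks = ["0.0.0.0/0"]` and the added second rule opens `ipv6_cidr_blocks = ["::/0"]`, so with `assign_public_ip = true` (visible as context in the previous hunk) the keyserver's plain-HTTP port 3000 remains reachable from the whole internet directly, bypassing the ALB and the HTTPS listener this commit introduces; the old comment at least called the open rule temporary, and the replacement `# Allow all inbound traffic on port 3000` drops that caveat. Now that the balancer's security group exists in aws_lb.tf, the rule should admit only it: replace the cidr line with `security_groups = [aws_security_group.lb_sg.id]` and delete the IPv6 rule, since a source-security-group rule already covers both address families. The `COMM_LISTEN_ADDR = "0.0.0.0"` binding added in the first hunk is fine once the group is scoped this way. The enclosing `aws_security_group` block begins outside the hunk.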
@@ -1,3 +1,8 @@
+variable "domain_name" {
+ description = "Domain name for your keyserver"
+ type = string
+}
+
 variable "mariadb_username" {
 description = "MariaDB username"
 type = string
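Review bot: `domain_name` is consumed by `data "aws_acm_certificate"` in aws_lb.tf with `statuses = ["ISSUED"]` and interpolated into `https://${var.domain_name}`, so the plan fails (or produces a wrong URL) unless the value is a bare hostname with an issued ACM certificate in the deployment region; the description should state that, e.g. `description = "Domain name for your keyserver (bare hostname, no scheme); an ISSUED ACM certificate for it must exist in the deployment region"`. A `validation` block rejecting an empty string or a leading `http://`/`https://` would surface the mistake at plan time instead of at apply time.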