diff --git a/services/terraform/remote/service_backup.tf b/services/terraform/remote/service_backup.tf index 4e4ea829e..9fb83cc50 100644 --- a/services/terraform/remote/service_backup.tf +++ b/services/terraform/remote/service_backup.tf @@ -1,174 +1,174 @@ locals { backup_service_image_tag = local.is_staging ? "0.4-staging" : "0.3" backup_service_container_name = "backup-service-server" backup_service_server_image = "commapp/backup-server:${local.backup_service_image_tag}" backup_service_container_http_port = 50052 backup_service_domain_name = "backup.${local.root_domain}" } resource "aws_ecs_task_definition" "backup_service" { family = "backup-service-task-def" container_definitions = jsonencode([ { name = local.backup_service_container_name image = local.backup_service_server_image essential = true portMappings = [ { containerPort = local.backup_service_container_http_port protocol = "tcp" appProtocol = "http" }, ] environment = [ { name = "RUST_LOG" - value = "info" + value = local.is_staging ? "info,backup=debug,comm_lib=debug" : "info" }, { name = "BLOB_SERVICE_URL", value = local.blob_local_url # If this ever fails, we can fallback to blob public URL: # "https://${local.blob_service_domain_name}" }, ] logConfiguration = { "logDriver" = "awslogs" "options" = { "awslogs-create-group" = "true" "awslogs-group" = "/ecs/backup-service-task-def" "awslogs-region" = "us-east-2" "awslogs-stream-prefix" = "ecs" } } } ]) task_role_arn = aws_iam_role.backup_service.arn execution_role_arn = aws_iam_role.ecs_task_execution.arn network_mode = "bridge" cpu = "256" memory = "256" requires_compatibilities = ["EC2"] # Set this to true if you want to keep old revisions # when this definition is changed skip_destroy = false } resource "aws_ecs_service" "backup_service" { name = "backup-service" cluster = aws_ecs_cluster.comm_services.id launch_type = "EC2" task_definition = aws_ecs_task_definition.backup_service.arn force_new_deployment = true desired_count = 1 lifecycle { ignore_changes = [desired_count] } service_connect_configuration { # to be able to reach Blob service by DNS name enabled = true } # HTTP load_balancer { target_group_arn = aws_lb_target_group.backup_service_http.arn container_name = local.backup_service_container_name container_port = local.backup_service_container_http_port } deployment_circuit_breaker { enable = true rollback = true } enable_execute_command = true enable_ecs_managed_tags = true } # Security group to configure access to the service resource "aws_security_group" "backup_service" { name = "backup-service-ecs-sg" vpc_id = aws_vpc.default.id ingress { from_port = local.backup_service_container_http_port to_port = local.backup_service_container_http_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "HTTP port" } # Allow all outbound traffic egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } lifecycle { create_before_destroy = true } } resource "aws_lb_target_group" "backup_service_http" { name = "backup-service-ecs-http-tg" port = local.backup_service_container_http_port protocol = "HTTP" vpc_id = aws_vpc.default.id target_type = "instance" health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 protocol = "HTTP" path = "/health" matcher = "200-204" } } # Load Balancer resource "aws_lb" "backup_service" { load_balancer_type = "application" name = "backup-service-lb" internal = false subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } resource "aws_lb_listener" "backup_service_https" { load_balancer_arn = aws_lb.backup_service.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" certificate_arn = data.aws_acm_certificate.backup_service.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.backup_service_http.arn } lifecycle { # Target group cannot be destroyed if it is used replace_triggered_by = [aws_lb_target_group.backup_service_http] # Required to avoid no-op plan differences ignore_changes = [default_action[0].forward[0].stickiness[0].duration] } } # SSL Certificate data "aws_acm_certificate" "backup_service" { domain = local.backup_service_domain_name statuses = ["ISSUED"] } diff --git a/services/terraform/remote/service_blob.tf b/services/terraform/remote/service_blob.tf index 1f1ac9a21..432b6d4b3 100644 --- a/services/terraform/remote/service_blob.tf +++ b/services/terraform/remote/service_blob.tf @@ -1,198 +1,198 @@ locals { blob_service_image_tag = local.is_staging ? "latest" : "1.1.0" blob_service_container_name = "blob-service-server" blob_service_server_image = "commapp/blob-server:${local.blob_service_image_tag}" # HTTP port & configuration for ECS Service Connect blob_service_container_http_port = 50053 blob_sc_port_name = "blob-service-ecs-http" blob_sc_dns_name = "blob-service" # URL accessible by other services in the same Service Connect namespace # This renders to 'http://blob-service:50053' blob_local_url = "http://${local.blob_sc_dns_name}:${local.blob_service_container_http_port}" blob_service_container_grpc_port = 50051 blob_service_grpc_public_port = 50053 blob_service_domain_name = "blob.${local.root_domain}" blob_service_s3_bucket = "commapp-blob${local.s3_bucket_name_suffix}" } resource "aws_ecs_task_definition" "blob_service" { family = "blob-service-task-def" container_definitions = jsonencode([ { name = local.blob_service_container_name image = local.blob_service_server_image essential = true portMappings = [ { name = local.blob_sc_port_name containerPort = local.blob_service_container_http_port protocol = "tcp" appProtocol = "http" } ] environment = [ { name = "RUST_LOG" - value = "info" + value = local.is_staging ? "info,blob=debug,comm_lib=debug" : "info" }, { name = "BLOB_S3_BUCKET_NAME", value = local.blob_service_s3_bucket } ] logConfiguration = { "logDriver" = "awslogs" "options" = { "awslogs-create-group" = "true" "awslogs-group" = "/ecs/blob-service-task-def" "awslogs-region" = "us-east-2" "awslogs-stream-prefix" = "ecs" } } } ]) task_role_arn = aws_iam_role.services_ddb_full_access.arn execution_role_arn = aws_iam_role.ecs_task_execution.arn network_mode = "bridge" cpu = "512" memory = "512" requires_compatibilities = ["EC2"] # Set this to true if you want to keep old revisions # when this definition is changed skip_destroy = false } resource "aws_ecs_service" "blob_service" { name = "blob-service" cluster = aws_ecs_cluster.comm_services.id launch_type = "EC2" task_definition = aws_ecs_task_definition.blob_service.arn force_new_deployment = true desired_count = 1 lifecycle { ignore_changes = [desired_count] } # Expose Blob service to other services in the cluster service_connect_configuration { enabled = true service { discovery_name = local.blob_sc_dns_name port_name = local.blob_sc_port_name client_alias { port = local.blob_service_container_http_port dns_name = local.blob_sc_dns_name } } } # HTTP load_balancer { target_group_arn = aws_lb_target_group.blob_service_http.arn container_name = local.blob_service_container_name container_port = local.blob_service_container_http_port } deployment_circuit_breaker { enable = true rollback = true } } # Security group to configure access to the service resource "aws_security_group" "blob_service" { name = "blob-service-ecs-sg" vpc_id = aws_vpc.default.id ingress { from_port = local.blob_service_container_http_port to_port = local.blob_service_container_http_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "HTTP port" } # Allow all outbound traffic egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } lifecycle { create_before_destroy = true } } resource "aws_lb_target_group" "blob_service_http" { name = "blob-service-ecs-http-tg" port = local.blob_service_container_http_port protocol = "HTTP" vpc_id = aws_vpc.default.id # ECS Fargate requires target type set to IP target_type = "instance" health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 protocol = "HTTP" path = "/health" matcher = "200-499" } } # Load Balancer resource "aws_lb" "blob_service" { load_balancer_type = "application" name = "blob-service-lb" internal = false #security_groups = [aws_security_group.blob_service.id] subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } resource "aws_lb_listener" "blob_service_https" { load_balancer_arn = aws_lb.blob_service.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" certificate_arn = data.aws_acm_certificate.blob_service.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.blob_service_http.arn } lifecycle { # Required only for existing resources to avoid plan difference ignore_changes = [default_action[0].forward[0].stickiness[0].duration] # Target group cannot be destroyed if it is used replace_triggered_by = [aws_lb_target_group.blob_service_http] } } # SSL Certificate data "aws_acm_certificate" "blob_service" { domain = local.blob_service_domain_name statuses = ["ISSUED"] } # Required for Route53 DNS record output "blob_service_load_balancer_dns_name" { value = aws_lb.blob_service.dns_name } diff --git a/services/terraform/remote/service_feature_flags.tf b/services/terraform/remote/service_feature_flags.tf index 1d7d5113e..bd41bfd9c 100644 --- a/services/terraform/remote/service_feature_flags.tf +++ b/services/terraform/remote/service_feature_flags.tf @@ -1,186 +1,186 @@ locals { feature_flags_image_tag = local.is_staging ? "latest" : "0.1.1" feature_flags_container_name = "feature-flags-server" feature_flags_container_port = 50055 feature_flags_server_image = "commapp/feature-flags:${local.feature_flags_image_tag}" feature_flags_domain_name = "feature-flags.${local.root_domain}" } # Task definition - defines container resources, ports, # environment variables, docker image etc. resource "aws_ecs_task_definition" "feature_flags" { family = "feature-flags-service-task-def" container_definitions = jsonencode([ { name = local.feature_flags_container_name image = local.feature_flags_server_image essential = true portMappings = [ { name = "feature-flags-http" containerPort = local.feature_flags_container_port protocol = "tcp" appProtocol = "http" } ] environment = [ { name = "RUST_LOG" - value = "info" + value = local.is_staging ? "info,feature_flags=debug,comm_lib=debug" : "info" } ] logConfiguration = { "logDriver" = "awslogs" "options" = { "awslogs-create-group" = "true" "awslogs-group" = "/ecs/feature-flags-task-def" "awslogs-region" = "us-east-2" "awslogs-stream-prefix" = "ecs" } } } ]) task_role_arn = aws_iam_role.feature_flags_service.arn execution_role_arn = aws_iam_role.ecs_task_execution.arn network_mode = "awsvpc" cpu = "256" memory = "512" requires_compatibilities = ["EC2", "FARGATE"] # Set this to true if you want to keep old revisions # when this definition is changed skip_destroy = true } # ECS Service - defines task scaling, load balancer connection, # network configuration etc. resource "aws_ecs_service" "feature_flags" { name = "feature-flags-service" cluster = aws_ecs_cluster.comm_services.id launch_type = "FARGATE" task_definition = aws_ecs_task_definition.feature_flags.arn force_new_deployment = true desired_count = 1 # Allow external changes without Terraform plan difference # We can freely specify replica count in AWS Console lifecycle { ignore_changes = [desired_count] } load_balancer { target_group_arn = aws_lb_target_group.feature_flags_ecs.arn container_name = local.feature_flags_container_name container_port = local.feature_flags_container_port } network_configuration { assign_public_ip = true security_groups = [ aws_security_group.feature_flags.id, ] subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } deployment_circuit_breaker { enable = true rollback = true } } # Running service instances are registered here # to be accessed by the load balancer resource "aws_lb_target_group" "feature_flags_ecs" { name = "feature-flags-ecs-tg" port = local.feature_flags_container_port protocol = "HTTP" vpc_id = aws_vpc.default.id # ECS Fargate requires target type set to IP target_type = "ip" health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 protocol = "HTTP" # The features endpoint should return HTTP 400 # if no platform, staff, code version is specified path = "/features" matcher = "200-499" } } # Security group to configure access to the service resource "aws_security_group" "feature_flags" { name = "feature-flags-service-sg" vpc_id = aws_vpc.default.id ingress { from_port = local.feature_flags_container_port to_port = local.feature_flags_container_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "HTTP port" } # Allow all outbound traffic egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } lifecycle { create_before_destroy = true } } # Load Balancer resource "aws_lb" "feature_flags" { load_balancer_type = "application" name = "feature-flags-service-lb" internal = false #security_groups = [aws_security_group.feature_flags.id] subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } resource "aws_lb_listener" "feature_flags_https" { load_balancer_arn = aws_lb.feature_flags.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" certificate_arn = data.aws_acm_certificate.feature_flags.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.feature_flags_ecs.arn } lifecycle { ignore_changes = [default_action[0].forward[0].stickiness[0].duration] replace_triggered_by = [aws_lb_target_group.feature_flags_ecs] } } # SSL Certificate data "aws_acm_certificate" "feature_flags" { domain = local.feature_flags_domain_name statuses = ["ISSUED"] } # Required for Route53 DNS record output "feature_flags_load_balancer_dns_name" { value = aws_lb.feature_flags.dns_name } diff --git a/services/terraform/remote/service_reports.tf b/services/terraform/remote/service_reports.tf index 8c8fb5731..76bc8a371 100644 --- a/services/terraform/remote/service_reports.tf +++ b/services/terraform/remote/service_reports.tf @@ -1,209 +1,209 @@ locals { reports_service_image_tag = local.is_staging ? "latest" : "0.1.1" reports_service_container_name = "reports-service-server" reports_service_server_image = "commapp/reports-server:${local.reports_service_image_tag}" reports_service_container_http_port = 50056 reports_service_domain_name = "reports.${local.root_domain}" } resource "aws_secretsmanager_secret" "email_config" { name_prefix = "email_config" description = "E-mail configuration for the reports service" } resource "aws_secretsmanager_secret_version" "email_config" { secret_id = aws_secretsmanager_secret.email_config.id secret_string = jsonencode(local.secrets["emailConfig"]) } resource "aws_ecs_task_definition" "reports_service" { family = "reports-service-task-def" container_definitions = jsonencode([ { name = local.reports_service_container_name image = local.reports_service_server_image essential = true portMappings = [ { containerPort = local.reports_service_container_http_port protocol = "tcp" appProtocol = "http" }, ] environment = [ { name = "RUST_LOG" - value = "info" + value = local.is_staging ? "info,reports=debug,comm_lib=debug" : "info" }, { name = "MAX_REPORT_SIZE" value = "314572800" # 300MB }, { name = "PUBLIC_URL", value = "https://${local.reports_service_domain_name}" }, { name = "BLOB_SERVICE_URL", value = local.blob_local_url # If this ever fails, we can fallback to blob public URL: # "https://${local.blob_service_domain_name}" }, ] # Don't enable e-mails on staging. secrets = local.is_staging ? [] : [ { # This is exposed as an environment variable in the container name = "EMAIL_CONFIG" valueFrom = aws_secretsmanager_secret.email_config.arn } ] logConfiguration = { "logDriver" = "awslogs" "options" = { "awslogs-create-group" = "true" "awslogs-group" = "/ecs/reports-service-task-def" "awslogs-region" = "us-east-2" "awslogs-stream-prefix" = "ecs" } } } ]) task_role_arn = aws_iam_role.reports_service.arn execution_role_arn = aws_iam_role.ecs_task_execution.arn network_mode = "awsvpc" cpu = "1024" memory = "8192" requires_compatibilities = ["EC2", "FARGATE"] # Set this to true if you want to keep old revisions # when this definition is changed skip_destroy = false } resource "aws_ecs_service" "reports_service" { name = "reports-service" cluster = aws_ecs_cluster.comm_services.id launch_type = "FARGATE" task_definition = aws_ecs_task_definition.reports_service.arn force_new_deployment = true desired_count = 1 lifecycle { ignore_changes = [desired_count] } service_connect_configuration { # to be able to reach Blob service by DNS name enabled = true } # HTTP load_balancer { target_group_arn = aws_lb_target_group.reports_service_http.arn container_name = local.reports_service_container_name container_port = local.reports_service_container_http_port } network_configuration { assign_public_ip = true security_groups = [ aws_security_group.reports_service.id, ] subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } deployment_circuit_breaker { enable = true rollback = true } enable_execute_command = true enable_ecs_managed_tags = true } # Security group to configure access to the service resource "aws_security_group" "reports_service" { name = "reports-service-ecs-sg" vpc_id = aws_vpc.default.id ingress { from_port = local.reports_service_container_http_port to_port = local.reports_service_container_http_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "HTTP port" } # Allow all outbound traffic egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } lifecycle { create_before_destroy = true } } resource "aws_lb_target_group" "reports_service_http" { name = "reports-service-ecs-http-tg" port = local.reports_service_container_http_port protocol = "HTTP" vpc_id = aws_vpc.default.id # ECS Fargate requires target type set to IP target_type = "ip" health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 protocol = "HTTP" path = "/health" matcher = "200-204" } } # Load Balancer resource "aws_lb" "reports_service" { load_balancer_type = "application" name = "reports-service-lb" internal = false subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } resource "aws_lb_listener" "reports_service_https" { load_balancer_arn = aws_lb.reports_service.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" certificate_arn = data.aws_acm_certificate.reports_service.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.reports_service_http.arn } lifecycle { # Required to avoid no-op plan differences ignore_changes = [default_action[0].forward[0].stickiness[0].duration] } } # SSL Certificate data "aws_acm_certificate" "reports_service" { domain = local.reports_service_domain_name statuses = ["ISSUED"] } diff --git a/services/terraform/remote/service_tunnelbroker.tf b/services/terraform/remote/service_tunnelbroker.tf index 48f10e00a..4651e10b5 100644 --- a/services/terraform/remote/service_tunnelbroker.tf +++ b/services/terraform/remote/service_tunnelbroker.tf @@ -1,290 +1,290 @@ locals { tunnelbroker_config = { docker_image = "commapp/tunnelbroker" docker_tag = local.is_staging ? "latest" : "0.7" grpc_port = 50051 websocket_port = 51001 container_name = "tunnelbroker-server" domain_name = "tunnelbroker.${local.root_domain}" local_dns_name = "tunnelbroker" grpc_port_name = "tunnelbroker_grpc" } # Used for other services to connect to Tunnelbroker gRPC endpoint tunnelbroker_local_grpc_url = "http://${local.tunnelbroker_config.local_dns_name}:${local.tunnelbroker_config.grpc_port}" # utility locals tunnelbroker_docker_image = "${local.tunnelbroker_config.docker_image}:${local.tunnelbroker_config.docker_tag}" rabbitmq_password = local.secrets.amqpPassword[local.environment] } # RabbitMQ resource "aws_mq_broker" "tunnelbroker_rabbitmq" { broker_name = "tunnelbroker-rabbitmq" # Keep RabbitMQ version in sync with docker-compose.yml engine_type = "RabbitMQ" engine_version = "3.11.16" host_instance_type = local.is_staging ? "mq.t3.micro" : "mq.m5.large" apply_immediately = local.is_staging deployment_mode = "SINGLE_INSTANCE" # Access from outside VPC - this allows to access the RabbitMQ console from browser publicly_accessible = true user { username = "comm" password = local.rabbitmq_password } } locals { amqp_endpoint = aws_mq_broker.tunnelbroker_rabbitmq.instances[0].endpoints[0] } # Task definition - defines container resources, ports, # environment variables, docker image etc. resource "aws_ecs_task_definition" "tunnelbroker" { family = "tunnelbroker-task-def" container_definitions = jsonencode([ { name = local.tunnelbroker_config.container_name image = local.tunnelbroker_docker_image essential = true portMappings = [ { name = "tunnelbroker_ws" containerPort = local.tunnelbroker_config.websocket_port protocol = "tcp" appProtocol = "http" }, { name = local.tunnelbroker_config.grpc_port_name containerPort = local.tunnelbroker_config.grpc_port protocol = "tcp" appProtocol = "grpc" } ] environment = [ { name = "RUST_LOG" - value = "info" + value = local.is_staging ? "info,tunnelbroker=debug,comm_lib=debug" : "info" }, { name = "AMQP_URI", value = local.amqp_endpoint }, { name = "AMQP_USERNAME" value = "comm" }, { name = "AMQP_PASSWORD" value = nonsensitive(local.rabbitmq_password) }, { name = "COMM_TUNNELBROKER_IDENTITY_ENDPOINT", value = local.identity_local_url } ] logConfiguration = { "logDriver" = "awslogs" "options" = { "awslogs-create-group" = "true" "awslogs-group" = "/ecs/tunnelbroker-task-def" "awslogs-region" = "us-east-2" "awslogs-stream-prefix" = "ecs" } } } ]) task_role_arn = aws_iam_role.services_ddb_full_access.arn execution_role_arn = aws_iam_role.ecs_task_execution.arn network_mode = "bridge" cpu = "256" memory = "256" requires_compatibilities = ["EC2"] # Set this to true if you want to keep old revisions # when this definition is changed skip_destroy = true } # ECS Service - defines task scaling, load balancer connection, # network configuration etc. resource "aws_ecs_service" "tunnelbroker" { name = "tunnelbroker" cluster = aws_ecs_cluster.comm_services.id launch_type = "EC2" task_definition = aws_ecs_task_definition.tunnelbroker.arn force_new_deployment = true desired_count = 1 # Allow external changes without Terraform plan difference # We can freely specify replica count in AWS Console lifecycle { ignore_changes = [desired_count] } service_connect_configuration { enabled = true service { discovery_name = local.tunnelbroker_config.local_dns_name port_name = local.tunnelbroker_config.grpc_port_name client_alias { port = local.tunnelbroker_config.grpc_port dns_name = local.tunnelbroker_config.local_dns_name } } } # Websocket load_balancer { target_group_arn = aws_lb_target_group.tunnelbroker_ws.arn container_name = local.tunnelbroker_config.container_name container_port = local.tunnelbroker_config.websocket_port } # gRPC load_balancer { target_group_arn = aws_lb_target_group.tunnelbroker_grpc.arn container_name = local.tunnelbroker_config.container_name container_port = local.tunnelbroker_config.grpc_port } deployment_circuit_breaker { enable = true rollback = true } } # Security group to configure access to the service resource "aws_security_group" "tunnelbroker" { name = "tunnelbroker-sg" vpc_id = aws_vpc.default.id # Websocket ingress { from_port = local.tunnelbroker_config.websocket_port to_port = local.tunnelbroker_config.websocket_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "Websocket port" } # gRPC ingress { from_port = local.tunnelbroker_config.grpc_port to_port = local.tunnelbroker_config.grpc_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "gRPC port" } # Allow all outbound traffic egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } lifecycle { create_before_destroy = true } } # Running service instances are registered here # to be accessed by the load balancer resource "aws_lb_target_group" "tunnelbroker_ws" { name = "tunnelbroker-ws-tg" port = local.tunnelbroker_config.websocket_port protocol = "HTTP" protocol_version = "HTTP1" vpc_id = aws_vpc.default.id target_type = "instance" health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 protocol = "HTTP" path = "/health" matcher = "200" } } resource "aws_lb_target_group" "tunnelbroker_grpc" { name = "tunnelbroker-grpc-tg" port = local.tunnelbroker_config.grpc_port protocol = "HTTP" protocol_version = "GRPC" vpc_id = aws_vpc.default.id target_type = "instance" health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 } } # Load Balancer resource "aws_lb" "tunnelbroker" { load_balancer_type = "application" name = "tunnelbroker-lb" internal = false subnets = [ aws_subnet.public_a.id, aws_subnet.public_b.id, aws_subnet.public_c.id, ] } resource "aws_lb_listener" "tunnelbroker_ws" { load_balancer_arn = aws_lb.tunnelbroker.arn port = local.tunnelbroker_config.websocket_port protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" certificate_arn = data.aws_acm_certificate.tunnelbroker.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.tunnelbroker_ws.arn } lifecycle { ignore_changes = [default_action[0].forward[0].stickiness[0].duration] replace_triggered_by = [aws_lb_target_group.tunnelbroker_ws] } } resource "aws_lb_listener" "tunnelbroker_grpc" { load_balancer_arn = aws_lb.tunnelbroker.arn port = local.tunnelbroker_config.grpc_port protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" certificate_arn = data.aws_acm_certificate.tunnelbroker.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.tunnelbroker_grpc.arn } lifecycle { ignore_changes = [default_action[0].forward[0].stickiness[0].duration] replace_triggered_by = [aws_lb_target_group.tunnelbroker_grpc] } } # SSL Certificate data "aws_acm_certificate" "tunnelbroker" { domain = local.tunnelbroker_config.domain_name statuses = ["ISSUED"] } output "rabbitmq_console_url" { value = aws_mq_broker.tunnelbroker_rabbitmq.instances[0].console_url }