Using ELB instead of ALB per Rancher docs

nextrevision · Feb 21, 2017 · 0f322a6 · 0f322a6
1 parent 754e3d7
commit 0f322a6
Show file tree

Hide file tree

Showing 10 changed files with 164 additions and 127 deletions.
diff --git a/README.md b/README.md
@@ -57,6 +57,7 @@ terraform destroy
 * **vpc_cidr**: subnet in CIDR format to assign to the VPC (default: `192.168.199.0/24`)
 * **subnet_cidrs**: list of subnet ranges (3 required) (default: `["192.168.199.0/26", "192.168.199.64/26", "192.168.199.128/26"`)
 * **availability_zones**: AZs for placing instances and subnets (may change based on your account's availability) (default: `["us-east-1a", "us-east-1b", "us-east-1d"]`)
+* **internal_elb**: Make ELB internal to VPC vs externally accessible (default: `false`)
 
 > Note: if you use an AMI other than RancherOS, the automatic launching of the Rancher server container will not work. You will need to update the user-data template according to the needs of your AMI.
 

diff --git a/alb.tf b/alb.tf
diff --git a/alb_http.tf b/alb_http.tf
diff --git a/alb_https.tf b/alb_https.tf
diff --git a/elb_common.tf b/elb_common.tf
@@ -0,0 +1,35 @@
+#------------------------------------------#
+# Elastic Load Balancer Common Configuration
+#------------------------------------------#
+resource "aws_security_group" "rancher_ha_elb" {
+    name        = "${var.name_prefix}-elb-default"
+    description = "Rancher HA ELB Common Traffic"
+    vpc_id      = "${aws_vpc.rancher_ha.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_self" {
+    type              = "ingress"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    self              = true
+    security_group_id = "${aws_security_group.rancher_ha_elb.id}"
+}
+
+resource "aws_security_group_rule" "allow_icmp" {
+    type              = "ingress"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "icmp"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = "${aws_security_group.rancher_ha_elb.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_out" {
+    type              = "egress"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = "${aws_security_group.rancher_ha_elb.id}"
+}
diff --git a/elb_http.tf b/elb_http.tf
@@ -0,0 +1,52 @@
+#------------------------------------------#
+# Elastic Load Balancer Configuration
+#------------------------------------------#
+resource "aws_elb" "rancher_ha_http" {
+    count    = "${1 - var.enable_https}"
+    name     = "${var.name_prefix}-elb-http"
+    internal = "${var.internal_elb}"
+
+    listener {
+        instance_port     = 8080
+        instance_protocol = "tcp"
+        lb_port           = 80
+        lb_protocol       = "tcp"
+    }
+
+    health_check {
+        healthy_threshold   = 2
+        unhealthy_threshold = 2
+        timeout             = 3
+        target              = "HTTP:8080/ping"
+        interval            = 30
+    }
+
+    subnets         = ["${aws_subnet.rancher_ha.*.id}"]
+    security_groups = ["${aws_security_group.rancher_ha_elb.id}"]
+    instances       = ["${aws_instance.rancher_ha.*.id}"]
+
+    idle_timeout                = 400
+    cross_zone_load_balancing   = true
+    connection_draining         = true
+    connection_draining_timeout = 400
+
+    tags {
+        Name = "${var.name_prefix}-elb-http"
+    }
+}
+
+resource "aws_proxy_protocol_policy" "rancher_ha_http_proxy_policy" {
+    count          = "${1 - var.enable_https}"
+    load_balancer  = "${aws_elb.rancher_ha_https.name}"
+    instance_ports = ["80", "81", "8080"]
+}
+
+resource "aws_security_group_rule" "allow_http" {
+    count             = "${1 - var.enable_https}"
+    type              = "ingress"
+    from_port         = 80
+    to_port           = 80
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = "${aws_security_group.rancher_ha_elb.id}"
+}
diff --git a/elb_https.tf b/elb_https.tf
@@ -0,0 +1,61 @@
+#------------------------------------------#
+# Elastic Load Balancer Configuration
+#------------------------------------------#
+resource "aws_elb" "rancher_ha_https" {
+    count    = "${var.enable_https}"
+    name     = "${var.name_prefix}-elb-https"
+    internal = "${var.internal_elb}"
+
+    listener {
+        instance_port      = 8080
+        instance_protocol  = "tcp"
+        lb_port            = 443
+        lb_protocol        = "ssl"
+        ssl_certificate_id = "${aws_iam_server_certificate.rancher_ha.arn}"
+    }
+
+    health_check {
+        healthy_threshold   = 2
+        unhealthy_threshold = 2
+        timeout             = 3
+        target              = "HTTP:8080/ping"
+        interval            = 30
+    }
+
+    subnets         = ["${aws_subnet.rancher_ha.*.id}"]
+    security_groups = ["${aws_security_group.rancher_ha_elb.id}"]
+    instances       = ["${aws_instance.rancher_ha.*.id}"]
+
+    idle_timeout                = 400
+    cross_zone_load_balancing   = true
+    connection_draining         = true
+    connection_draining_timeout = 400
+
+    tags {
+        Name = "${var.name_prefix}-elb-https"
+    }
+}
+
+resource "aws_iam_server_certificate" "rancher_ha" {
+    count             = "${var.enable_https}"
+    name              = "${var.name_prefix}-certificate"
+    certificate_body  = "${file("${var.cert_body}")}"
+    private_key       = "${file("${var.cert_private_key}")}"
+    certificate_chain = "${file("${var.cert_chain}")}"
+}
+
+resource "aws_proxy_protocol_policy" "rancher_ha_https_proxy_policy" {
+    count          = "${var.enable_https}"
+    load_balancer  = "${aws_elb.rancher_ha_https.name}"
+    instance_ports = ["81", "443", "8080"]
+}
+
+resource "aws_security_group_rule" "allow_https" {
+    count             = "${var.enable_https}"
+    type              = "ingress"
+    from_port         = 443
+    to_port           = 443
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = "${aws_security_group.rancher_ha_elb.id}"
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,6 +1,10 @@
 #------------------------------------------#
 # AWS Outputs
 #------------------------------------------#
-output "alb_dns" {
-    value = "${aws_alb.rancher_ha.dns_name}"
+output "elb_http_dns" {
+    value = "${aws_elb.rancher_ha_http.dns_name}"
+}
+
+output "elb_https_dns" {
+    value = "${aws_elb.rancher_ha_https.dns_name}"
 }
diff --git a/terraform.tfvars b/terraform.tfvars
@@ -5,7 +5,7 @@ key_name = "rancher-example"
 db_pass = "rancherdbpass"
 
 # To enable SSL termination on the ELBs, uncomment the lines below.
-#enable_https = true
-#cert_body = "certs/cert1.pem"              # Signed Certificate
-#cert_private_key = "certs/privkey1.pem"    # Certificate Private Key
-#cert_chain = "certs/chain1.pem"            # CA chain
+# enable_https = true
+# cert_body = "certs/cert1.pem"              # Signed Certificate
+# cert_private_key = "certs/privkey1.pem"    # Certificate Private Key
+# cert_chain = "certs/chain1.pem"            # CA chain
diff --git a/variables.tf b/variables.tf
@@ -50,6 +50,11 @@ variable "availability_zones" {
     description = "Availability zones to place subnets"
 }
 
+variable "internal_elb" {
+    default     = "false"
+    description = "Force the ELB to be internal only"
+}
+
 #------------------------------------------#
 # Database Variables
 #------------------------------------------#