Merge pull request #14 from zoitech/upgrade_and_improvements

Upgrade and improvements
zoitech · Dec 1, 2019 · 9b90f4a · 9b90f4a
2 parents 1e57c52 + 1640c5f
commit 9b90f4a
Show file tree

Hide file tree

Showing 20 changed files with 496 additions and 534 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,35 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+#terraform.tfstate
+#*.tfstate.backup
+#*.backup
+*.lock.info
+**/*.tfplan
+**/.terraform/
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+*.tf.xxx
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+*tfplan*
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,23 @@
-## Release Version: 0.0.2
+## 1.0.0
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* Terraform version 0.12.x
+* List variables "http_target_group_names", "http_target_group_ports" and "http_host_headers" replaced with list of objects variable "http_target_group_parameters" ([#11](https://github.com/zoitech/terraform-aws-saml/issues/11))
+* List variables "https_target_group_names", "https_target_group_ports" and "https_host_headers" replaced with list of objects variable "https_target_group_parameters" ([#11](httpss://github.com/zoitech/terraform-aws-saml/issues/11))
+* Changed variable name of "lb_http_listener" to "create_lb_http_listener" ([#12](https://github.com/zoitech/terraform-aws-saml/issues/12))
+Changed variable name of "lb_https_listener" to "create_lb_https_listener" ([#12](httpss://github.com/zoitech/terraform-aws-saml/issues/12))
+* Changed variable name of "lb_internal" to "create_internal_lb" ([#12](httpss://github.com/zoitech/terraform-aws-saml/issues/12))
+* Changed variabble name of "lb_https_offloading" to "enable_lb_https_offloading" ([#12](httpss://github.com/zoitech/terraform-aws-saml/issues/12))
+* Variables "lb_private_subnet_ids" and "lb_public_subnet_ids" replaced with "lb_subnet_ids"
+
+ENHANCEMENTS:
+
+* Upgraded module to terraform 0.12.x ([#10](https://github.com/zoitech/terraform-aws-saml/issues/10))
+* Reduced security group complexity ([#13](https://github.com/zoitech/terraform-aws-saml/issues/13))
+* Enabled access logs ([#7](https://github.com/zoitech/terraform-aws-saml/issues/7))
+
+## 0.0.2
 
 BACKWARDS INCOMPATIBILITIES / NOTES:
 

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License (MIT)
 
-Copyright (c) 2018 Zoi TechCon GmbH
+Copyright (c) 2019 Zoi TechCon GmbH
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

diff --git a/README.md b/README.md
@@ -1,6 +1,5 @@
 # AWS Application Load Balancer Module
-Terraform module which sets up an application load balancer with either a HTTP listener, a HTTPS listener or both, and one or more target groups as required.
-The idea behind this module is to support webservers hosting multiple sites for example a windows server running IIS.
+Terraform module which sets up an application load balancer with either a HTTP listener, a HTTPS listener or both, and one or more target groups as needed. Terraform version required is 0.12.x .
 
 The following resources are created:
 * Application load balancer (internal or external)
@@ -13,234 +12,145 @@ lb = load balancer
 sg = security group  
 tg = target group  
 
-
 ## Usage
-### Specify this Module as Source
+
 ```hcl
 module "alb" {
-  source = "git::https://github.com/zoitech/terraform-aws-alb.git"
-
-  # Or to specifiy a particular module version:
-  source = "git::https://github.com/zoitech/terraform-aws-alb.git?ref=v0.0.1"
-```
-### Target Group Arguments
-The position of the values in each list corresponds to the value in the same position of the other list. E.g. a https request to "serv9.mysite.com" will be sent to the target group with name "Serv9-int-ssl" on port "10503".
+  source             = "git::https://github.com/zoitech/terraform-aws-alb.git"
+  aws_region         = "eu-central-1"
+  vpc_id             = "vpc-1234567b"
+  prefix             = "p-dept.123-"
+  suffix             = "-abc"
+  lb_name            = "my-load-balancer"
+  create_internal_lb = true
+  lb_security_group_ids   = ["sg-1524364d", "172625db"]
+  lb_subnet_ids           = ["subnet-fd42536a", "subnet-98781bac"]
+  create_lb_http_listener = true
+  lb_http_listener_port   = 80
+  http_target_group_parameters = [
+    {
+      target_group = "application-1-http"
+      host_headers = ["application-1.com"]
+      port         = 80
+    },
+    {
+      target_group = "application-2-http"
+      host_headers = ["application-2.com"]
+      port         = 10002
+    },
+  ]
+
+  create_lb_https_listener = true
+  lb_https_listener_port   = 443
+  https_target_group_parameters = [
+    {
+      target_group = "application-1-https"
+      host_headers = ["application-1.com"]
+      port         = 443
+    },
+    {
+      target_group = "application-2-https"
+      host_headers = ["application-2.com"]
+      port         = 10002
+    },
+  ]
+  enable_lb_https_offloading = false
+  certificate_arn = "arn:aws:acm:eu-central-1:xxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+```
+
+### Health Checks
+
+Health checks for all target groups can be set.
+
+HTTP:
 
-Each of the three HTTP lists must contain an equal number of values, as is the case for when using HTTPS.
 ```hcl
-# HTTP required arguments (if "lb_http_listener = true" ):
-
-http_target_group_names = ["Serv1-int", "Serv2-int", "Serv3-int"]
-http_target_group_ports = ["10500", "10501", "80"]
-http_host_headers = ["serv1.mysite.com", "serv2.mysite.com", "serv3.mysite.com"]
 http_health_check_interval = 15 #default = 30
 http_health_check_path = "/status/load-balancer" #default = "/"
 http_health_check_port = 1500 #default = "traffic-port"
 http_health_check_timeout = 10 #default = 5
 http_health_check_healthy_threshold = 2 #default = 3
 http_health_check_unhealthy_threshold = 2 #default = 3
 http_health_check_matcher = "200-299" #default = 200 (Success codes)
+```
 
-# HTTP optional arguments (if "lb_http_listener = true" ):
-
-http_target_group_deregistration_delay = 30 #default = 300 (seconds)
-http_target_group_stickiness_enabled = true #default set to false
-http_target_group_stickiness_cookie_duration = 8640 #default 8640 seconds (1 day)
-
-# HTTPS required arguments (if "lb_https_listener = true" ):
-
-https_target_group_names = ["Serv1-int-ssl", "Serv2-int-ssl", "Serv9-int-ssl"]
-https_target_group_ports = ["443", "8080", "10503"]
-https_host_headers = ["serv1.mysite.com", "serv2.mysite.com", "serv9.mysite.com"]
+HTTPS:
+```hcl
 https_health_check_interval = 15 #default = 30
 https_health_check_path = "/status/load-balancer" #default = "/"
 https_health_check_port = 1500 #default = "traffic-port"
 https_health_check_timeout = 10 #default = 5
 https_health_check_healthy_threshold = 2 #default = 3
 https_health_check_unhealthy_threshold = 2 #default = 3
 https_health_check_matcher = "200-299" #default = 200 (Success codes)
-
-
-# HTTPS optional arguments (if "lb_https_listener = true" ):
-
-https_target_group_deregistration_delay = 30 #default = 300 (seconds)
-https_target_group_stickiness_enabled = true #default set to false
-https_target_group_stickiness_cookie_duration = 8640 #default 8640 seconds (1 day)
-```
-
-### VPC ID and Target Instance
-Are valid for both target groups and need only be set once. Multiple targets should be specified in a comma separated string without spaces. A maximum of 8 targets are currently supported in this module:
-```hcl
-vpc_id = "vpc-a01234bc"
-target_id = "i-00123456789123aaa,i-00123456789123bbb,i-00123456789123ccc"
 ```
 
+### Target Instance
 
-### Load Balancer Required Arguments
-#### Internal or External
-To configure the load balancer for internal or external (public) use:
-
-```hcl
-  lb_internal = false #default = true
-```
-#### Load Balancer Listener Protocols
-The following determines what kind of listener(s) will be applied to the load balancer:
-* HTTP
-* HTTPS
-* or both
-
-```hcl
-  lb_http_listener = true #default = true
-  *lb_https_listener = true #default = false
-```
-#### * HTTPS Offloading
-To enable offloading from HTTPS to HTTP set the following parameter "lb_https_offloading" to "true":
-
+Are valid for both target groups and need only be set once. Multiple targets should be specified in a comma separated string without spaces. A maximum of 8 targets are currently supported in this module:
 
 ```hcl
-  lb_https_listener   = true #default = false
-  lb_https_offloading = true #default = false
+target_id = "i-00123456789123aaa,i-00123456789123bbb,i-00123456789123ccc"
 ```
-The following parameters need to be set:
-* http_target_group_names
-* http_target_group_ports
-* https_host_headers
-
-The following parameters need **not** be set as the HTTP counterparts are used instead:
-* https_target_group_names
-* https_target_group_ports
-
 
+#### HTTPS Offloading
+If HTTPS offloading is enabled ("enable_lb_https_offloading = true") the variable "https_target_group_parameters" is not required, as the "http_target_group_parameters" variable will be used.
 
-#### Load Balancer Listener Ports
-HTTP/HTTPS listener port of the load balancer depending on what kind of listener(s) are selected:
-```hcl
-  lb_http_listener_port = 8080 #default = 80
-  lb_https_listener_port = 443 #default = 443
-```
+### HTTP optional arguments (if "create_lb_http_listener = true" )
 
-#### SSL Certificate
-If a HTTPS listener is being used, set the SSL certificate:
 ```hcl
-  certificate_arn = "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+http_target_group_deregistration_delay = 30 #default = 300 (seconds)
+http_target_group_stickiness_enabled = true #default set to false
+http_target_group_stickiness_cookie_duration = 8640 #default 8640 seconds (1 day)
 ```
 
-#### Load Balancer Name
+### HTTPS optional arguments (if "create_lb_https_listener = true" )
 
-Set the load balancer name:
 ```hcl
-  lb_name = "Internal Services"
+https_target_group_deregistration_delay = 30 #default = 300 (seconds)
+https_target_group_stickiness_enabled = true #default set to false
+https_target_group_stickiness_cookie_duration = 8640 #default 8640 seconds (1 day)
 ```
 
-
-#### Subnets
-
-Specifying the subnets for the load balancer:
-
-```hcl
-  # If the load balancer is internal, configure lb_private_subnet_ids:
-
-  lb_private_subnet_ids = ["subnet-12345678", "subnet-abc87654"]
-
-  # If the load balancer is external, configure lb_public_subnet_ids:
-
-  lb_public_subnet_ids = ["subnet-98765432", "subnet-98765cba"]
-```
 #### Security Groups
-Four security groups are created by default.
-
-An empty security group is created and attached to the load balancer, which can be used later as the security group source in other security groups to allow traffic into the instance:
 
-* "Group-ALB-${var.lb_name}"
+The following security groups are created (depending on whether a HTTP listener, HTTPS listener or both are in use).
 
-The following security group permits all traffic outbound from the load balancer by default:
-
-* "Rule-all-out-all"
-
-A HTTP listener traffic in security group is created to allow HTTP traffic in only from specific sources. The name of the security group is configured as follows:
-
-* "Rule-allow-${var.lb_source_traffic_name}-in-HTTP"
-
-The variable "lb_source_traffic_name" should be set to a location or department where the source traffic is coming from:
-
-```hcl
-  lb_source_traffic_name = "Human-Resources"
-```
-
-Alternatively the variable "var.lb_sg_http_name" can be set to fully customize the name of the security group. If this variable is set, "var.lb_source_traffic_name" is no longer required:
-
-```hcl
-  lb_sg_http_name = "My-http-security-group-name"
-```
-The same applies for the HTTPS security group name:
+An empty security group is created and attached to the load balancer, which can be used later as the security group source in other security groups to allow traffic into the instance:
 
-```hcl
-  lb_sg_https_name = "My-https-security-group-name"
-```
+* Group-ALB-${var.lb_name}
 
-By default **all IP addresses are permitted** for both the HTTP and HTTPS security group. To specify specific IP ranges (or CIDR blocks) set the following variables:
+The HTTP and HTTPs security groups uses the previously mentioned security group as the source, and is attached to the target instances to allow traffic in:
 
-```hcl
-    rule_allow_lb_http_listener_traffic_in_cidr_blocks = ["172.16.0.0/16", "192.168.0.0/24"]
-    rule_allow_lb_https_listener_traffic_in_cidr_blocks = ["172.16.0.0/16", "192.168.0.0/24"]
-```
+* group_loadbalancer_in_http
+* group_loadbalancer_in_https
 
 ### Load Balancer Optional Arguments
-#### Adding Already Existing Security Groups
-
-Additional security groups can be added to the load balancer:
 
-```hcl
-  lb_security_group_ids = ["sg-12345678", "sg-abc87654"]
-```
 Idle timeout (default = 60) for the load balancer, defining if http2 is enabled (default = true) and enabling deletion protection (default = false) can also be set as follows:
+
 ```hcl
   lb_idle_timeout = 60
   lb_enable_http2 = true
   lb_enable_deletion_protection = false
-
-```
-##### Prefixes and Suffixes (not Latin words ;-))
-Can be set when there is a standard naming convention in use. They are applied to the name of the load balancer and target group resources (default = null/empty)
-```hcl
-  prefix = "P-"
-  suffix = "-HR"
 ```
+
 #### Outputs
-The following outputs are possible:
+The following outputs are available:
+
 * lb_name  (The name of the LB)
 * lb_arn (The ARN of the load balancer)
 * lb_arn_suffix (The ARN suffix for use with CloudWatch Metrics)
 * lb_dns_name (The DNS name of the load balancer)
 * lb_zone_id (The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record))
 
-Example usage:
+## Referencing a Tagged Version
+
 ```hcl
-#The name of the LB
-output "lb_name" {
-  value = "${module.alb.lb_name}"
-}
-#The ARN of the load balancer
-output "lb_arn" {
-  value = "${module.alb.lb_arn}"
-}
-#The ARN suffix for use with CloudWatch Metrics
-output "lb_arn_suffix" {
-  value = "${module.alb.lb_arn_suffix}"
-}
-#The DNS name of the load balancer
-output "lb_dns_name" {
-  value = "${module.alb.lb_dns_name}"
-}
-#The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record)
-output "lb_zone_id" {
-  value = "${module.alb.lb_zone_id}"
-}
+module "alb" {
+  source = "git::https://github.com/zoitech/terraform-aws-alb.git?ref=v1.0.0"
 ```
 
-
-
-
 ## Authors
 Module managed by [Zoi](https://github.com/zoitech).