trackit · jgchoppe · Oct 23, 2020 · Oct 23, 2020 · Oct 23, 2020 · Oct 23, 2020
diff --git a/envs/qa.tfvars b/envs/qa.tfvars
@@ -1,6 +1,8 @@
 // -- ACM
-acm_domain_name = "acm.trackit.boilerplate.internal"
+acm_domain_name = "terraform-boilerplate-qa.trackit.io"
 // -- ALB
+alb_name = "tf-boilerplate-alb"
+hosted_zone_name = "trackit.io"
 // -- AutoScalling
 // -- Backup
 backup_name = "tf-boilerplate-qa"

diff --git a/tf/2-variables.tf b/tf/2-variables.tf
@@ -27,14 +27,30 @@ variable "tags" {
 variable "acm_domain_name" {
   type        = string
   description = "A domain name for which the certificate should be issued"
-  default     = "acm.trackit.boilerplate.internal"
+  default     = "terraform-boilerplate-qa.trackit.io"
 }
 
 /*
 // ALB variables
 */
 
+variable "alb_name" {
+  type        = string
+  description = "The resource name and Name tag of the load balancer."
+  default     = "alb"
+}
 
+variable "alb_load_balancer_type" {
+  type        = string
+  description = "The type of load balancer to create. Possible values are application or network."
+  default     = "application"
+}
+
+variable "hosted_zone_name" {
+  type        = string
+  description = "The name of the hosted zone"
+  default     = "trackit.io"
+}
 
 /*
 // AutoScalling variables

diff --git a/tf/4-outputs.tf b/tf/4-outputs.tf
@@ -4,22 +4,28 @@
 
 output "acm" {
   value = {
-    arn         = aws_acm_certificate.cert.arn
-    domain_name = aws_acm_certificate.cert.domain_name
-  }
-}
-
-output "acmpa_ca_authority" {
-  value = {
-    arn = aws_acmpca_certificate_authority.ca_authority.arn
+    arn         = aws_acm_certificate.public_cert.arn
+    domain_name = aws_acm_certificate.public_cert.domain_name
   }
 }
 
 /*
 // ALB outputs
 */
 
-
+output "alb" {
+  value = {
+    alb = {
+      arn = module.alb.this_lb_arn
+      id  = module.alb.this_lb_id
+    },
+    acm_cert = {
+      arn                       = aws_acm_certificate.public_cert.arn
+      domain_validation_options = aws_acm_certificate.public_cert.domain_validation_options
+      record_fqdns              = aws_acm_certificate_validation.acm_validation.validation_record_fqdns
+    }
+  }
+}
 
 /*
 // AutoScalling outputs

diff --git a/tf/acm.tf b/tf/acm.tf
@@ -1,27 +1,10 @@
-resource "aws_acmpca_certificate_authority" "ca_authority" {
-  certificate_authority_configuration {
-    key_algorithm     = "RSA_4096"
-    signing_algorithm = "SHA512WITHRSA"
+resource "aws_acm_certificate" "public_cert" {
 
-    subject {
-      common_name = "trackit.boilerplate.internal"
-    }
-  }
-
-  permanent_deletion_time_in_days = 7
-
-  tags = local.tags
-}
-
-resource "aws_acm_certificate" "cert" {
-
-  # Only used for private certificate
-  certificate_authority_arn = aws_acmpca_certificate_authority.ca_authority.arn
 
   # Only used for ACM cert with route53 public hosted zone
-  # validation_method = "DNS"
+  validation_method = "DNS"
 
-  domain_name = "trackit.boilerplate.internal"
+  domain_name = var.acm_domain_name
 
   tags = local.tags
 }
diff --git a/tf/alb.tf b/tf/alb.tf
@@ -0,0 +1,114 @@
+# https://registry.terraform.io/modules/terraform-aws-modules/alb/aws/5.9.0
+
+resource "aws_security_group" "alb_security_group" {
+  name        = "alb-security-group"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = local.tags
+}
+
+module "alb" {
+  source  = "terraform-aws-modules/alb/aws"
+  version = "~> 5.9.0"
+
+  name = var.alb_name
+
+  load_balancer_type = var.alb_load_balancer_type
+
+  vpc_id          = module.vpc.vpc_id
+  subnets         = module.vpc.private_subnets
+  security_groups = [aws_security_group.alb_security_group.id]
+
+  #access_logs = {
+  #  bucket = "my-alb-logs"
+  #}
+
+  # A list of maps containing key/value pairs that define the target groups to be created.
+  # Order of these maps is important and the index of these are to be referenced in listener definitions.
+  # Required key/values: name, backend_protocol, backend_port
+  target_groups = [
+    {
+      name_prefix      = "pref-"
+      backend_protocol = "HTTP"
+      backend_port     = 80
+      target_type      = "instance"
+    }
+  ]
+
+  # A list of maps describing the HTTPS listeners for this ALB.
+  # Required key/values: port, certificate_arn.
+  # Optional key/values: ssl_policy (defaults to ELBSecurityPolicy-2016-08),
+  # target_group_index (defaults to https_listeners[count.index])
+  https_listeners = [
+    {
+      port               = 443
+      protocol           = "HTTPS"
+      certificate_arn    = aws_acm_certificate_validation.acm_validation.certificate_arn
+      target_group_index = 0
+    }
+  ]
+
+  # A list of maps describing the HTTP listeners or TCP ports for this ALB.
+  # Required key/values: port, protocol.
+  # Optional key/values: target_group_index (defaults to http_tcp_listeners[count.index])
+  http_tcp_listeners = [
+    {
+      port               = 80
+      protocol           = "HTTP"
+      target_group_index = 0
+    }
+  ]
+
+  tags = local.tags
+}
+
+data "aws_route53_zone" "selected" {
+  name         = var.hosted_zone_name
+  private_zone = false
+}
+
+resource "aws_route53_record" "acm_record" {
+  for_each = {
+    for dvo in aws_acm_certificate.public_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.selected.zone_id
+}
+
+resource "aws_acm_certificate_validation" "acm_validation" {
+  certificate_arn         = aws_acm_certificate.public_cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.acm_record : record.fqdn]
+}