aashish-fiftyfive
/
infra-assessment
forknuté z LiveLike/infra-assessment


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208
							## Security Group for ALB
resource "aws_security_group" "alb_sg" {
  name        = "alb-security-group"
  description = "ALB security group to allow HTTP and HTTPS traffic"
  vpc_id      = var.vpc_id

  tags = var.tags
}

## Ingress Security Group Rule for ALB Security Group
resource "aws_security_group_rule" "ingress_alb_sg_rule" {
  for_each = var.ingress_alb_sg_rule

  type                     = "ingress"
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  protocol                 = each.value.protocol
  cidr_blocks              = try(each.value.cidr_blocks, null)
  source_security_group_id = try(each.value.source_security_group_id, null)
  security_group_id        = aws_security_group.alb_sg.id
}

## Egress Security Group Rule for ALB Security Group
resource "aws_security_group_rule" "egress_alb_sg_rule" {
  for_each = var.egress_alb_sg_rule

  type                     = "egress"
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  protocol                 = each.value.protocol
  cidr_blocks              = try(each.value.cidr_blocks, null)
  source_security_group_id = lookup(each.value, "cidr_blocks", null) == null ? try(each.value.source_security_group_id, aws_security_group.ec2_sg.id, null) : null
  security_group_id        = aws_security_group.alb_sg.id
}

## Security Group for EC2
resource "aws_security_group" "ec2_sg" {
  name        = "ec2-security-group"
  description = "EC2 security group to allow traffic only from ALB"
  vpc_id      = var.vpc_id

  tags = var.tags
}

## Ingress Security Group Rule for EC2 Security Group
resource "aws_security_group_rule" "ingress_ec2_sg_rule" {
  for_each = var.ingress_ec2_sg_rule

  type                     = "ingress"
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  protocol                 = each.value.protocol
  cidr_blocks              = try(each.value.cidr_blocks, null)
  source_security_group_id = lookup(each.value, "cidr_blocks", null) == null ? try(each.value.source_security_group_id, aws_security_group.alb_sg.id, null) : null
  security_group_id        = aws_security_group.ec2_sg.id
}

## Egress Security Group Rule for EC2 Security Group
resource "aws_security_group_rule" "egress_ec2_sg_rule" {
  for_each = var.egress_ec2_sg_rule

  type                     = "egress"
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  protocol                 = each.value.protocol
  cidr_blocks              = try(each.value.cidr_blocks, null)
  source_security_group_id = try(each.value.source_security_group_id, null)
  security_group_id        = aws_security_group.ec2_sg.id
}

## Fetch Ubuntu Family AMI Id

data "aws_ami" "ec2_ami" {
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  most_recent = true

  owners = ["amazon"]
}

## Target Group
resource "aws_lb_target_group" "ec2_alb_target_group" {
  name                 = var.ec2_alb_target_group.name
  port                 = var.ec2_alb_target_group.port
  protocol             = var.ec2_alb_target_group.protocol
  vpc_id               = var.vpc_id
  deregistration_delay = var.ec2_alb_target_group.deregistration_delay

  tags = var.tags
}

## ALB
resource "aws_lb" "alb_ec2" {
  name                       = var.alb_ec2.name
  enable_deletion_protection = var.alb_ec2.enable_deletion_protection
  internal                   = var.alb_ec2.internal
  load_balancer_type         = var.alb_ec2.load_balancer_type
  security_groups            = [aws_security_group.alb_sg.id]
  subnets                    = var.alb_subnet_ids

  tags = var.tags

  depends_on = [
    aws_lb_target_group.ec2_alb_target_group
  ]
}

## ALB Listener
resource "aws_lb_listener" "alb_listener" {
  for_each = var.alb_listener

  load_balancer_arn = aws_lb.alb_ec2.arn
  port              = each.value.port
  protocol          = each.value.protocol
  certificate_arn   = each.value.protocol == "HTTPS" ? try(each.value.certificate_arn, null) : null
  ssl_policy        = each.value.protocol == "HTTPS" ? try(each.value.ssl_policy, null) : null

  default_action {
    type             = each.value.action_type
    target_group_arn = each.value.action_type == "forward" ? aws_lb_target_group.ec2_alb_target_group.arn : null

    dynamic "redirect" {
      for_each = each.value.action_type == "redirect" ? [each.value.redirect] : []

      content {
        status_code = redirect.value.status_code
        port        = redirect.value.port
        protocol    = redirect.value.protocol
      }
    }
  }

  tags = var.tags

  depends_on = [
    aws_lb.alb_ec2
  ]
}

## Launch Template
resource "aws_launch_template" "ec2_launch_template" {
  name = var.ec2_launch_template.name

  block_device_mappings {
    device_name = var.ec2_launch_template.device_name

    ebs {
      volume_size           = var.ec2_launch_template.ebs_volume_size
      delete_on_termination = true
      volume_type           = var.ec2_launch_template.ebs_volume_type
    }
  }

  ebs_optimized          = var.ec2_launch_template.ebs_optimized
  image_id               = data.aws_ami.ec2_ami.id
  instance_type          = var.ec2_launch_template.instance_type
  key_name               = var.ec2_launch_template.key_name
  vpc_security_group_ids = [aws_security_group.ec2_sg.id]
  update_default_version = true

  user_data = filebase64("${path.module}/userdata.sh")

  tag_specifications {
    resource_type = "instance"

    tags = var.tags
  }
}

## AutoScaling Group
resource "aws_autoscaling_group" "ec2_autoscaling_group" {
  name = var.ec2_autoscaling_group.name

  min_size                  = var.ec2_autoscaling_group.min_size
  max_size                  = var.ec2_autoscaling_group.max_size
  desired_capacity          = var.ec2_autoscaling_group.desired_capacity
  vpc_zone_identifier       = [var.ec2_subnet_id]
  default_cooldown          = var.ec2_autoscaling_group.default_cooldown
  health_check_grace_period = var.ec2_autoscaling_group.health_check_grace_period

  launch_template {
    id      = aws_launch_template.ec2_launch_template.id
    version = "$Latest"
  }

  target_group_arns = [aws_lb_target_group.ec2_alb_target_group.arn]

  dynamic "tag" {
    for_each = var.tags
    content {
      key                 = tag.key
      value               = tag.value
      propagate_at_launch = true
    }
  }

  depends_on = [
    aws_lb.alb_ec2
  ]
}