Hands-on lab: AWS Network load balancer
Goal : to setup a completely self-contained terraform lab making use of official module in order to quickly setup and tinker with on web console without worrying about costs.
The starting point of this lab (branch: v1) i was already able to bring up the most of the essential components which may not necessarily be explicitly defined in the tf manifest; Some components would be “naturally” bring in order to make sense of the options your provided. An example would be defining a public subnet in VPC means you need an Internet Gateway right ? right … ? I guess depends on how familiar you are with AWS, for me this is actually good. If we run `terraform state list` we get the following:
data.aws_availability_zones.available
aws_iam_server_certificate.test_cert
aws_lb_listener.testing
module.alb.data.aws_partition.current
module.alb.aws_lb.this[0]
module.ec2_a["admin"].data.aws_partition.current
module.ec2_a["admin"].aws_instance.this[0]
module.ec2_a["web_a"].data.aws_partition.current
module.ec2_a["web_a"].aws_instance.this[0]
module.ec2_b.aws_instance.this[0]
module.vpc.aws_default_network_acl.this[0]
module.vpc.aws_default_route_table.default[0]
module.vpc.aws_default_security_group.this[0]
module.vpc.aws_internet_gateway.this[0]
module.vpc.aws_route.public_internet_gateway[0]
module.vpc.aws_route_table.public[0]
module.vpc.aws_route_table_association.public[0]
module.vpc.aws_route_table_association.public[1]
module.vpc.aws_subnet.public[0]
module.vpc.aws_subnet.public[1]
module.vpc.aws_vpc.this[0]
while the resources and modules i have defined are:
source = "terraform-aws-modules/alb/aws"
source = "terraform-aws-modules/vpc/aws"
source = "terraform-aws-modules/ec2-instance/aws"
resource "aws_lb_listener"
resource "aws_iam_server_certificate"
Tried to test it out using the url for the load balancer and it seems it is not reachable. Check on webconsole and AWS will actually warns you about the endpoint not reachable. We can update it on the console and run terraform refresh and get the state of the default security group. We will see this which we will add to our VPC module using `default_security_group_ingress` directive for our later version.
ingress = [
{
cidr_blocks = [
"0.0.0.0/0",
]
description = "test"
from_port = 443
ipv6_cidr_blocks = []
prefix_list_ids = []
protocol = "tcp"
security_groups = []
self = false
to_port = 443
},
]In branch v2, we will make use of aws_vpc_security_group_ingress_rule to define a HTTPS ingress rules (allowing any host to connect to 443, which might not be recommended for some use cases. We do this for the sake of this lab)
Added the rule and found that it wasn’t in effect at the first try. when i did terraform apply it was then tried to create. i suspect it might have something to do with the order in main.tf
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_vpc_security_group_ingress_rule.https_in will be created
+ resource "aws_vpc_security_group_ingress_rule" "https_in" {
+ arn = (known after apply)
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 443
+ id = (known after apply)
+ ip_protocol = "tcp"
+ security_group_id = "sg-03451b9ddd616204d"
+ security_group_rule_id = (known after apply)
+ tags_all = {}
+ to_port = 443
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
After adding this, we will be access our “Hello world” response using the alb DNS name (then you will see why i said try to use the key store on AWS rather than like me using self-signed cert, browswer will complain)
In my main.tf, i have used a alb listener with fixed response default action, the reason is that it’s not apparent to me which of these options i should be using for default_action. According to the Doc valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc.
We will head to web console and add the listener there instead and do terraform state refresh to see how it is defined programmatically