Creates an ingress stack powered by AWS Application Load Balancer targeting Istio ingress in Flightdeck clusters. A target group will be created for each cluster running in the configured network.
```hcl
module "ingress" {
  providers = {
    # You can use different provider instances when using multiple accounts.
    aws.cluster = aws
    aws.route53 = aws
  }

  source = "github.com/thoughtbot/flightdeck//aws/ingress?ref=v0.4.0"

  # Unique name for the Application Load Balancer
  name = "example-production-ingress"

  # Names of clusters to target from this load balancer.
  # Clusters should be added here before they're created.
  cluster_names = ["example-production-v1"]

  # Name of a Route 53 hosted zone to which records should be added.
  # You can leave this out if you're managing DNS and certificates separately.
  # If provided, DNS aliases and ACM certificate validation are automatic.
  hosted_zone_name = "example.com"

  # Primary domain name for the ACM certificate.
  primary_domain_name = "example.com"

  # Any other domains which should be routed to this load balancer.
  # These domains will have DNS aliases and will be listed on the certificate.
  alternative_domain_names = ["www.example.com"]

  # Any extra tags you want to apply to all created resources.
  tags = { Module = "ingress/production" }
}
```
If you're migrating to a new Flightdeck cluster (or migrating to Flightdeck from a non-Flightdeck deployment) you can use multiple target groups to slowly shift traffic from the old deployment to the new cluster.
First add a new target group for the new cluster with a weight of zero:
```hcl
module "ingress" {
  # Other arguments unchanged from the full example above.
  cluster_names = ["example-production-v1", "example-production-v2"]

  target_group_weights = {
    example-production-v1 = 100
    example-production-v2 = 0
  }
}
```
Once applications are deployed to the new cluster, add a small weight:
```hcl
module "ingress" {
  cluster_names = ["example-production-v1", "example-production-v2"]

  target_group_weights = {
    example-production-v1 = 95
    example-production-v2 = 5
  }
}
```
You can gradually increase the weight and reapply until all traffic targets the new cluster. Then, de-provision the old cluster and remove its target group:
```hcl
module "ingress" {
  cluster_names = ["example-production-v2"]

  target_group_weights = {
    example-production-v2 = 100
  }
}
```
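The migration steps above rely on one detail from the inputs table: a cluster listed in `cluster_names` but absent from `target_group_weights` gets the default weight of 100, and the ALB splits traffic in proportion to each target group's weight over the sum of all weights. The following pre-apply check is an added example (not part of the Flightdeck module) that computes the effective split for a planned `cluster_names`/`target_group_weights` pair and flags a new cluster that would receive traffic before its applications are deployed; the 0..999 per-target-group weight range is the ALB limit, assumed here rather than stated on the page.

```python
"""Pre-apply check for Flightdeck ingress traffic shifting (added example)."""
from typing import Dict, List

DEFAULT_WEIGHT = 100   # documented default for target_group_weights
MAX_WEIGHT = 999       # ALB weighted forwarding allows 0..999 per target group (assumption)


def effective_split(cluster_names: List[str],
                    target_group_weights: Dict[str, int]) -> Dict[str, float]:
    """Return the fraction of traffic each cluster would receive after apply."""
    unknown = set(target_group_weights) - set(cluster_names)
    if unknown:
        # A weight for a cluster that has no target group is a typo or a stale entry.
        raise ValueError(f"weights for clusters not in cluster_names: {sorted(unknown)}")

    # Missing entries default to 100, exactly as the module documents.
    weights = {c: target_group_weights.get(c, DEFAULT_WEIGHT) for c in cluster_names}
    for cluster, weight in weights.items():
        if not 0 <= weight <= MAX_WEIGHT:
            raise ValueError(f"weight {weight} for {cluster} outside 0..{MAX_WEIGHT}")

    total = sum(weights.values())
    if total == 0:
        raise ValueError("all weights are 0: the listener would forward nothing")
    return {c: w / total for c, w in weights.items()}


def migration_warnings(cluster_names: List[str],
                       target_group_weights: Dict[str, int],
                       new_cluster: str) -> List[str]:
    """Warn when a newly added cluster would take live traffic immediately."""
    split = effective_split(cluster_names, target_group_weights)
    warnings = []
    if new_cluster not in target_group_weights:
        warnings.append(f"{new_cluster} has no explicit weight and defaults to {DEFAULT_WEIGHT}")
    if split.get(new_cluster, 0.0) > 0:
        warnings.append(f"{new_cluster} would receive {split[new_cluster]:.0%} of traffic")
    return warnings


if __name__ == "__main__":
    # Constructed plan: v2 added to cluster_names but its weight was forgotten.
    for line in migration_warnings(["example-production-v1", "example-production-v2"],
                                   {"example-production-v1": 100},
                                   "example-production-v2"):
        print("WARNING:", line)
```

Run it against the planned values before `terraform apply`; a forgotten weight shows up as a 50% share rather than the intended 0%.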
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14.8 |
| aws | ~> 5.0 |
## Modules

| Name | Source | Version |
|---|---|---|
| alb | github.com/thoughtbot/terraform-alb-ingress | v0.5.2 |
| cluster_name | ../cluster-name | n/a |
| network | ../network-data | n/a |
| waf | ../waf | n/a |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alarm_actions | SNS topics or other actions to invoke for alarms | list(object({ arn = string })) | [] | no |
| alarm_evaluation_minutes | Number of minutes of alarm state until triggering an alarm | number | 2 | no |
| alternative_domain_names | Alternative domain names for the ALB | list(string) | [] | no |
| certificate_domain_name | Override the domain name for the ACM certificate (defaults to primary domain) | string | null | no |
| cluster_names | List of clusters that this ingress stack will forward to | list(string) | n/a | yes |
| create_aliases | Set to false to disable creation of Route 53 aliases | bool | true | no |
| enable_waf | Enable AWS WAF for this ingress resource | bool | false | no |
| failure_threshold | Percentage of failed requests considered an anomaly | number | 5 | no |
| hosted_zone_name | Hosted zone for AWS Route53 | string | null | no |
| issue_certificates | Set to false to disable creation of ACM certificates | bool | true | no |
| legacy_target_group_names | Names of legacy target groups which should be included | list(string) | [] | no |
| name | Name of the AWS network in which ingress should be provided | string | n/a | yes |
| namespace | Prefix to apply to created resources | list(string) | [] | no |
| network_tags | Tags for finding the AWS VPC and subnets | map(string) | {} | no |
| primary_domain_name | Primary domain name for the ALB | string | n/a | yes |
| slow_response_threshold | Response time considered extremely slow | number | 10 | no |
| tags | Tags to apply to created resources | map(string) | {} | no |
| target_group_weights | Weight for each target group (defaults to 100) | map(number) | {} | no |
| validate_certificates | Set to false to disable validation via Route 53 | bool | true | no |
| waf_allowed_ip_list | Applicable if WAF is enabled. List of allowed IP addresses; these addresses are exempted from any configured rules | list(string) | [] | no |
| waf_aws_managed_rule_groups | Applicable if WAF is enabled. Rule statement values used to run the rules that are defined in a managed rule group. You may review the available AWS managed rule groups at https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | map(object({ | { | no |
| waf_block_ip_list | Applicable if WAF is enabled. List of IP addresses to be blocked and denied access to the ingress / CloudFront. | list(string) | [] | no |
| waf_rate_limit | Applicable if WAF is enabled. Rule statement to track and rate-limit requests when they arrive at too fast a rate. For more details, visit https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | map(object({ | { | no |
## Outputs

| Name | Description |
|---|---|
| alb | The load balancer |
| http_listener | The HTTP listener |
| https_listener | The HTTPS listener |
| security_group | Security group for the load balancer |