ALB as internal/internet facing 🥅

terraform/implementation/ecs/README.md

@@ -31,6 +31,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_alb_internal"></a> [alb\_internal](#input\_alb\_internal) | Whether the ALB is public or private | `bool` | `true` | no |
 | <a name="input_appmesh_name"></a> [appmesh\_name](#input\_appmesh\_name) | The name of the App Mesh | `string` | `"appmesh"` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
 | <a name="input_cloudmap_namespace_name"></a> [cloudmap\_namespace\_name](#input\_cloudmap\_namespace\_name) | The name of the CloudMap namespace | `string` | `"cloudmap-service-connect"` | no |

terraform/implementation/ecs/_variable.tf

@@ -1,3 +1,9 @@
+variable "alb_internal" {
+  description = "Whether the ALB is public or private"
+  type        = bool
+  default     = true
+}
+
 variable "appmesh_name" {
   description = "The name of the App Mesh"
   type        = string

terraform/implementation/ecs/main.tf

@@ -38,6 +38,7 @@ module "ecs" {
   private_subnet_ids = flatten(module.vpc.private_subnets)
   vpc_id             = module.vpc.vpc_id
 
+  alb_internal         = var.alb_internal
   cw_retention_in_days = var.cw_retention_in_days
   region               = var.region
 }

terraform/implementation/setup/README.md

@@ -22,7 +22,6 @@ No modules.
 | [aws_dynamodb_table.tfstate_lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_iam_policy.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
@@ -31,6 +30,15 @@ No modules.
 | [local_file.setup_env](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.setup](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.amazon_dynamodb_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.amazon_ec2_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.amazon_route53_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.amazon_vpc_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.aws_appmesh_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.aws_iam_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.aws_logs_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.aws_s3_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.elastic_load_balancing_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.github_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 

terraform/implementation/setup/iam.tf

@@ -67,39 +67,39 @@ data "aws_iam_policy_document" "github_assume_role" {
 # trivy:ignore:AVD-AWS-0057
 data "aws_iam_policy_document" "github" {
   statement {
-  actions = [
-    "ecr:GetAuthorizationToken",
-    "ecr:BatchGetImage",
-    "ecr:BatchCheckLayerAvailability",
-    "ecr:CreateRepository",
-    "ecr:DescribeRepositories",
-    "ecr:DescribeImages",
-    "ecr:GetDownloadUrlForLayer",
-    "ecr:InitiateLayerUpload",
-    "ecr:ListTagsForResource",
-    "ecr:ListImages",
-    "ecr:PutImage",
-    "ecr:UploadLayerPart",
-    "ecr:CompleteLayerUpload",
-    "ecr:TagResource",
-    "ecs:CreateCluster",
-    "ecs:DescribeClusters",
-    "ecs:DescribeTaskDefinition",
-    "ecs:DescribeServices",
-    "ecs:UpdateService",
-    "ecs:TagResource",
-    "ecs:CreateService",
-    "ecs:RegisterTaskDefinition",
-    "servicediscovery:GetNamespace",
-    "servicediscovery:ListTagsForResource",
-    "servicediscovery:GetService",
-    "servicediscovery:CreatePrivateDnsNamespace",
-    "servicediscovery:TagResource",
-    "servicediscovery:GetOperation",
-  ]
-  resources = [
-    "*"
-  ]
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:CreateRepository",
+      "ecr:DescribeRepositories",
+      "ecr:DescribeImages",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:InitiateLayerUpload",
+      "ecr:ListTagsForResource",
+      "ecr:ListImages",
+      "ecr:PutImage",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:TagResource",
+      "ecs:CreateCluster",
+      "ecs:DescribeClusters",
+      "ecs:DescribeTaskDefinition",
+      "ecs:DescribeServices",
+      "ecs:UpdateService",
+      "ecs:TagResource",
+      "ecs:CreateService",
+      "ecs:RegisterTaskDefinition",
+      "servicediscovery:GetNamespace",
+      "servicediscovery:ListTagsForResource",
+      "servicediscovery:GetService",
+      "servicediscovery:CreatePrivateDnsNamespace",
+      "servicediscovery:TagResource",
+      "servicediscovery:GetOperation",
+    ]
+    resources = [
+      "*"
+    ]
   }
 }
 
@@ -109,7 +109,7 @@ resource "aws_iam_policy" "github" {
 }
 
 resource "aws_iam_role" "github" {
-  name               = "${var.project}-github-role-${var.owner}-${random_string.setup.result}"
+  name = "${var.project}-github-role-${var.owner}-${random_string.setup.result}"
   managed_policy_arns = [
     aws_iam_policy.github.arn,
     data.aws_iam_policy.amazon_vpc_full_access.arn,

terraform/implementation/setup/main.tf

@@ -65,21 +65,21 @@ resource "aws_dynamodb_table" "tfstate_lock" {
 
 resource "local_file" "setup_env" {
   content  = <<-EOT
-    WORKSPACE=${terraform.workspace}
-    BUCKET=${aws_s3_bucket.tfstate.bucket}
-    DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id}
-    REGION=${var.region}
-    TERRAFORM_ROLE=${aws_iam_role.github.arn}
+    WORKSPACE="${terraform.workspace}"
+    BUCKET="${aws_s3_bucket.tfstate.bucket}"
+    DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}"
+    REGION="${var.region}"
+    TERRAFORM_ROLE="${aws_iam_role.github.arn}"
   EOT
   filename = ".env"
 }
 
 resource "local_file" "ecs_env" {
   content  = <<-EOT
-    BUCKET=${aws_s3_bucket.tfstate.bucket}
-    DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id}
-    REGION=${var.region}
-    TERRAFORM_ROLE=${aws_iam_role.github.arn}
+    BUCKET="${aws_s3_bucket.tfstate.bucket}"
+    DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}"
+    REGION="${var.region}"
+    TERRAFORM_ROLE="${aws_iam_role.github.arn}"
   EOT
   filename = "../ecs/.env"
 }

terraform/modules/ecs/README.md

@@ -56,6 +56,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_alb_internal"></a> [alb\_internal](#input\_alb\_internal) | Flag to determine if the ALB is public | `bool` | `true` | no |
 | <a name="input_appmesh_name"></a> [appmesh\_name](#input\_appmesh\_name) | Name of the AWS App Mesh | `string` | n/a | yes |
 | <a name="input_cloudmap_namespace_name"></a> [cloudmap\_namespace\_name](#input\_cloudmap\_namespace\_name) | Name of the AWS Cloud Map namespace | `string` | n/a | yes |
 | <a name="input_cloudmap_service_name"></a> [cloudmap\_service\_name](#input\_cloudmap\_service\_name) | Name of the AWS Cloud Map service | `string` | n/a | yes |

terraform/modules/ecs/_variable.tf

@@ -1,3 +1,8 @@
+variable "alb_internal" {
+  type        = bool
+  description = "Flag to determine if the ALB is public"
+  default     = true
+}
 variable "appmesh_name" {
   type        = string
   description = "Name of the AWS App Mesh"

terraform/modules/ecs/alb.tf

@@ -2,7 +2,7 @@
 # trivy:ignore:AVD-AWS-0053
 resource "aws_alb" "ecs" {
   name                       = var.ecs_alb_name
-  internal                   = false
+  internal                   = var.alb_internal
   load_balancer_type         = "application"
   subnets                    = flatten([var.public_subnet_ids])
   security_groups            = [aws_security_group.alb.id]