Simplify lb_config variable structure to remove invariant properties

CMSgov · Feb 13, 2025 · b26bc00 · b26bc00
1 parent 4d7d163
commit b26bc00
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 147 deletions.
diff --git a/ops/terraform/services/server/main.tf b/ops/terraform/services/server/main.tf
@@ -221,57 +221,18 @@ module "fhir_asg" {
 
   lb_config = {
     name                       = "bfd-${local.env}-${local.legacy_service}-nlb"
-    internal                   = !local.lb_is_public
-    load_balancer_type         = "network"
-    ip_address_type            = "ipv4"
+    is_public                  = local.lb_is_public
     enable_deletion_protection = !local.is_ephemeral_env
-    load_balancer_security_group_config = {
-      egress = {
-        description = "To VPC instances"
-        cidr_blocks = [data.aws_vpc.main.cidr_block]
-      }
-      ingress = local.lb_is_public ? {
-        description     = "Public Internet access"
-        cidr_blocks     = ["0.0.0.0/0"]
-        prefix_list_ids = []
-        } : {
-        description     = "From VPN, VPC peerings, the MGMT VPC, and self"
-        cidr_blocks     = concat(data.aws_vpc_peering_connection.peers[*].peer_cidr_block, [data.aws_vpc.mgmt.cidr_block, data.aws_vpc.main.cidr_block])
-        prefix_list_ids = [data.aws_ec2_managed_prefix_list.vpn.id, data.aws_ec2_managed_prefix_list.jenkins.id]
-      }
+    ingress = {
+      blue_port       = local.lb_blue_ingress_port
+      green_port      = local.lb_green_ingress_port
+      cidr_blocks     = !local.lb_is_public ? concat(data.aws_vpc_peering_connection.peers[*].peer_cidr_block, [data.aws_vpc.mgmt.cidr_block, data.aws_vpc.main.cidr_block]) : ["0.0.0.0/0"]
+      prefix_list_ids = !local.lb_is_public ? [data.aws_ec2_managed_prefix_list.vpn.id, data.aws_ec2_managed_prefix_list.jenkins.id] : []
     }
-    load_balancer_listener_config = [
-      {
-        id                  = local.green_state
-        port                = local.lb_green_ingress_port
-        protocol            = "TCP"
-        default_action_type = "forward"
-      },
-      {
-        id                  = local.blue_state
-        port                = local.lb_blue_ingress_port
-        protocol            = "TCP"
-        default_action_type = "forward"
-      }
-    ]
-    target_group_config = [
-      {
-        id                            = local.green_state
-        name                          = "${local.lb_name}-tg-${local.green_state}"
-        port                          = local.service_port
-        deregisteration_delay_seconds = 60
-        protocol                      = "TCP"
-        health_check_config           = local.tg_health_check_config
-      },
-      {
-        id                            = local.blue_state
-        name                          = "${local.lb_name}-tg-${local.blue_state}"
-        port                          = local.service_port
-        deregisteration_delay_seconds = 60
-        protocol                      = "TCP"
-        health_check_config           = local.tg_health_check_config
-      }
-    ]
+    egress = {
+      cidr_blocks = [data.aws_vpc.main.cidr_block]
+    }
+    server_listen_port = local.service_port
   }
 }
 

diff --git a/ops/terraform/services/server/modules/bfd_server_asg/main.tf b/ops/terraform/services/server/modules/bfd_server_asg/main.tf
@@ -22,6 +22,15 @@ locals {
     }
   }
 
+  lb_targets = {
+    blue = {
+      ingress_port = var.lb_config.ingress.blue_port
+    }
+    green = {
+      ingress_port = var.lb_config.ingress.green_port
+    }
+  }
+
   env      = terraform.workspace
   seed_env = var.seed_env
 
@@ -155,37 +164,37 @@ resource "aws_security_group" "base" {
 
 # app server
 resource "aws_security_group" "app" {
-  count       = var.lb_config == null ? 0 : 1
+  lifecycle {
+    create_before_destroy = true
+  }
+
   name        = "bfd-${local.env}-${var.role}-app"
   description = "Allow access to app servers"
   vpc_id      = var.env_config.vpc_id
   tags        = merge({ Name = "bfd-${local.env}-${var.role}-app" }, local.additional_tags)
 
-  dynamic "ingress" {
-    for_each = var.lb_config.target_group_config
-    content {
-      from_port       = ingress.value.port
-      to_port         = ingress.value.port
-      protocol        = ingress.value.protocol
-      security_groups = concat([aws_security_group.lb.id], var.legacy_sg_id != null ? [var.legacy_sg_id] : [])
-      # TODO: Replace above "security_groups" definition with below commented code in BFD-3878
-      # security_groups = [aws_security_group.lb.id]
-      # TODO: Replace above "security_groups" definition with above commented code in BFD-3878
-    }
+  ingress {
+    from_port       = var.lb_config.server_listen_port
+    to_port         = var.lb_config.server_listen_port
+    protocol        = "TCP"
+    security_groups = concat([aws_security_group.lb.id], var.legacy_sg_id != null ? [var.legacy_sg_id] : [])
+    # TODO: Replace above "security_groups" definition with below commented code in BFD-3878
+    # security_groups = [aws_security_group.lb.id]server_listen_port
+    # TODO: Replace above "security_groups" definition with above commented code in BFD-3878
   }
 }
 
 # database
 resource "aws_security_group_rule" "allow_db_access" {
-  for_each    = var.db_config != null ? toset(var.db_config.db_sg) : []
+  for_each    = toset(var.db_config.db_sg)
   type        = "ingress"
   from_port   = 5432
   to_port     = 5432
   protocol    = "tcp"
   description = "Allows access to the ${var.db_config.role} db"
 
-  security_group_id        = each.value                   # The SG associated with each replica
-  source_security_group_id = aws_security_group.app[0].id # Every instance in the ASG
+  security_group_id        = each.value                # The SG associated with each replica
+  source_security_group_id = aws_security_group.app.id # Every instance in the ASG
 }
 
 ## Launch Template
@@ -549,31 +558,30 @@ EOF
 
 ### Load Balancer Components ###
 resource "aws_lb" "main" {
-  name                             = var.lb_config.name
-  internal                         = coalesce(var.lb_config.internal, true)
-  load_balancer_type               = var.lb_config.load_balancer_type
+  name                             = "bfd-${local.env}-${var.role}-nlb"
+  internal                         = !var.lb_config.is_public
+  load_balancer_type               = "network"
   security_groups                  = [aws_security_group.lb.id]
   subnets                          = data.aws_subnet.app_subnets[*].id # Gives AZs and VPC association
-  enable_deletion_protection       = coalesce(var.lb_config.enable_deletion_protection, false)
-  client_keep_alive                = coalesce(var.lb_config.client_keep_alive_seconds, 3600)
-  idle_timeout                     = coalesce(var.lb_config.idle_timeout_seconds, 60)
-  ip_address_type                  = coalesce(var.lb_config.ip_address_type, "ipv4")
-  enable_http2                     = coalesce(var.lb_config.enable_http2, "false")
-  desync_mitigation_mode           = coalesce(var.lb_config.desync_mitigation_mode, "strictest")
-  enable_cross_zone_load_balancing = coalesce(var.lb_config.enable_cross_zone_load_balancing, "true")
+  enable_deletion_protection       = var.lb_config.enable_deletion_protection
+  idle_timeout                     = 60
+  ip_address_type                  = "ipv4"
+  enable_http2                     = false
+  desync_mitigation_mode           = "strictest"
+  enable_cross_zone_load_balancing = true
 
   tags = local.additional_tags
 }
 
 resource "aws_lb_listener" "main" {
-  for_each = { for config in var.lb_config.load_balancer_listener_config : config.id => config }
+  for_each = local.lb_targets
 
   load_balancer_arn = aws_lb.main.arn
-  port              = each.value.port
-  protocol          = each.value.protocol
+  port              = each.value.ingress_port
+  protocol          = "TCP"
 
   default_action {
-    type             = each.value.default_action_type
+    type             = "forward"
     target_group_arn = aws_lb_target_group.main[each.key].arn
   }
 }
@@ -591,37 +599,31 @@ resource "aws_security_group" "lb" {
 
   # Dynamic, per-listener CIDR Block ingress rules
   dynamic "ingress" {
-    for_each = var.lb_config.load_balancer_listener_config
+    for_each = local.lb_targets
     content {
-      from_port   = ingress.value.port
-      to_port     = ingress.value.port
-      protocol    = ingress.value.protocol
-      cidr_blocks = var.lb_config.load_balancer_security_group_config.ingress.cidr_blocks
-      description = var.lb_config.load_balancer_security_group_config.ingress.description
+      from_port   = ingress.value.ingress_port
+      to_port     = ingress.value.ingress_port
+      protocol    = "TCP"
+      cidr_blocks = var.lb_config.ingress.cidr_blocks
     }
   }
 
   # Dynamic, per-listener prefix list ingress rules if prefix list IDs are specified
   dynamic "ingress" {
-    for_each = length(var.lb_config.load_balancer_security_group_config.ingress.prefix_list_ids) > 0 ? var.lb_config.load_balancer_listener_config : []
+    for_each = length(var.lb_config.ingress.prefix_list_ids) > 0 ? local.lb_targets : {}
     content {
-      from_port       = ingress.value.port
-      to_port         = ingress.value.port
-      protocol        = ingress.value.protocol
-      prefix_list_ids = var.lb_config.load_balancer_security_group_config.ingress.prefix_list_ids
-      description     = var.lb_config.load_balancer_security_group_config.ingress.description
+      from_port       = ingress.value.ingress_port
+      to_port         = ingress.value.ingress_port
+      protocol        = "TCP"
+      prefix_list_ids = var.lb_config.ingress.prefix_list_ids
     }
   }
 
-  dynamic "egress" {
-    for_each = var.lb_config.target_group_config
-    content {
-      from_port   = egress.value.port
-      to_port     = egress.value.port
-      protocol    = egress.value.protocol
-      cidr_blocks = var.lb_config.load_balancer_security_group_config.egress.cidr_blocks
-      description = var.lb_config.load_balancer_security_group_config.egress.description
-    }
+  egress {
+    from_port   = var.lb_config.server_listen_port
+    to_port     = var.lb_config.server_listen_port
+    protocol    = "TCP"
+    cidr_blocks = var.lb_config.egress.cidr_blocks
   }
 }
 
@@ -630,19 +632,19 @@ resource "aws_lb_target_group" "main" {
     create_before_destroy = true
   }
 
-  for_each = { for config in var.lb_config.target_group_config : config.id => config }
+  for_each = local.lb_targets
 
-  name                   = each.value.name
-  port                   = each.value.port
-  protocol               = each.value.protocol
+  name                   = "${aws_lb.main.name}-tg-${each.key}"
+  port                   = var.lb_config.server_listen_port
+  protocol               = "TCP"
   vpc_id                 = var.env_config.vpc_id
-  deregistration_delay   = each.value.deregisteration_delay_seconds
+  deregistration_delay   = 60
   connection_termination = true
   health_check {
-    healthy_threshold   = each.value.health_check_config.healthy_threshold
-    interval            = each.value.health_check_config.health_check_interval_seconds
-    timeout             = each.value.health_check_config.health_check_timeout_seconds
-    unhealthy_threshold = each.value.health_check_config.unhealthy_threshold
+    healthy_threshold   = 3
+    interval            = 10
+    timeout             = 8
+    unhealthy_threshold = 2
     port                = 7443
     protocol            = "TCP"
   }

diff --git a/ops/terraform/services/server/modules/bfd_server_asg/variables.tf b/ops/terraform/services/server/modules/bfd_server_asg/variables.tf
@@ -36,46 +36,19 @@ variable "db_config" {
 variable "lb_config" {
   description = "Load balancer information"
   type = object({
-    name                             = string
-    internal                         = optional(bool)
-    load_balancer_type               = string
-    enable_deletion_protection       = optional(bool)
-    client_keep_alive_seconds        = optional(number)
-    idle_timeout_seconds             = optional(number)
-    ip_address_type                  = string
-    enable_http2                     = optional(bool)
-    desync_mitigation_mode           = optional(string)
-    enable_cross_zone_load_balancing = optional(bool)
-    load_balancer_security_group_config = object({
-      ingress = object({
-        description     = string
-        cidr_blocks     = list(string)
-        prefix_list_ids = list(string)
-      })
-      egress = object({
-        description = string
-        cidr_blocks = list(string)
-      })
+    name                       = string
+    is_public                  = bool
+    enable_deletion_protection = bool
+    ingress = object({
+      green_port      = number
+      blue_port       = number
+      cidr_blocks     = list(string)
+      prefix_list_ids = list(string)
     })
-    load_balancer_listener_config = list(object({
-      id                  = string
-      port                = string
-      protocol            = string
-      default_action_type = string
-    }))
-    target_group_config = list(object({
-      id                            = string
-      name                          = string
-      port                          = number
-      protocol                      = string
-      deregisteration_delay_seconds = number
-      health_check_config = object({
-        healthy_threshold             = number
-        health_check_interval_seconds = number
-        health_check_timeout_seconds  = number
-        unhealthy_threshold           = number
-      })
-    }))
+    egress = object({
+      cidr_blocks = list(string)
+    })
+    server_listen_port = string
   })
   default = null
 }