From fc5be7040541a011897a396e417cd6fc104f9b18 Mon Sep 17 00:00:00 2001 From: Andrew Cravenho Date: Thu, 16 Aug 2018 09:47:24 -0400 Subject: [PATCH] Switch to an Application Load Balancer and remove Classic Load Balancer --- README.md | 4 +- modules/stack/deploy.tf | 4 +- modules/stack/hosts.tf | 2 +- modules/stack/outputs.tf | 2 +- modules/stack/routing.tf | 83 +++++++++++++++++++++------------------ modules/stack/security.tf | 8 ++-- modules/stack/subnets.tf | 15 +++++++ 7 files changed, 70 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index 7a7968a..0cf8a6f 100644 --- a/README.md +++ b/README.md @@ -68,9 +68,9 @@ The infra created, at a high level, is as follows: - A VPC containing all of the resources provisioned - A public subnet for the app servers, and a private subnet for the database (and Redis for now) - An internet gateway to provide internet access for the VPC -- An ELB which exposes the app server HTTP endpoints to the world +- An ALB which exposes the app server HTTP endpoints to the world - A security group to lock down ingress to the app servers to 80/443 + SSH -- A security group to allow the ELB to talk to the app servers +- A security group to allow the ALB to talk to the app servers - A security group to allow the app servers access to the database - An internal DNS zone - A DNS record for the database diff --git a/modules/stack/deploy.tf b/modules/stack/deploy.tf index dc9cc74..d09721f 100644 --- a/modules/stack/deploy.tf +++ b/modules/stack/deploy.tf @@ -24,8 +24,8 @@ resource "aws_codedeploy_deployment_group" "explorer" { } load_balancer_info { - elb_info { - name = "${var.prefix}-explorer-${element(keys(var.chains),count.index)}-elb" + target_group_info { + name = "${aws_lb_target_group.explorer.*.name[count.index]}" } } diff --git a/modules/stack/hosts.tf b/modules/stack/hosts.tf index 699b38e..345d337 100644 --- a/modules/stack/hosts.tf +++ b/modules/stack/hosts.tf 
@@ -51,7 +51,7 @@ resource "aws_autoscaling_group" "explorer" { launch_configuration = "${aws_launch_configuration.explorer.name}" vpc_zone_identifier = ["${aws_subnet.default.id}"] availability_zones = ["${data.aws_availability_zones.available.names}"] - load_balancers = ["${aws_elb.explorer.*.name[count.index]}"] + target_group_arns = ["${aws_lb_target_group.explorer.*.arn[count.index]}"] # Health checks are performed by CodeDeploy hooks health_check_type = "EC2" diff --git a/modules/stack/outputs.tf b/modules/stack/outputs.tf index 595dbc1..98690cb 100644 --- a/modules/stack/outputs.tf +++ b/modules/stack/outputs.tf @@ -20,7 +20,7 @@ output "codedeploy_bucket_path" { output "explorer_urls" { description = "A map of each chain to the DNS name of its corresponding Explorer instance" - value = "${zipmap(keys(var.chains), aws_elb.explorer.*.dns_name)}" + value = "${zipmap(keys(var.chains), aws_lb.explorer.*.dns_name)}" } output "db_instance_address" { diff --git a/modules/stack/routing.tf b/modules/stack/routing.tf index ba07c01..6760afd 100644 --- a/modules/stack/routing.tf +++ b/modules/stack/routing.tf 
@@ -15,39 +15,16 @@ resource "aws_route" "internet_access" { gateway_id = "${aws_internet_gateway.default.id}" } -# The ELB for the app server -resource "aws_elb" "explorer" { - count = "${length(var.chains)}" - name = "${var.prefix}-explorer-${element(keys(var.chains),count.index)}-elb" +# The ALB for the app server +resource "aws_lb" "explorer" { + count = "${length(var.chains)}" + name = "${var.prefix}-explorer-${element(keys(var.chains),count.index)}-alb" + internal = false + load_balancer_type = "application" + security_groups = ["${aws_security_group.alb.id}"] + subnets = ["${aws_subnet.default.id}", "${aws_subnet.alb.id}"] - subnets = ["${aws_subnet.default.id}"] - security_groups = ["${aws_security_group.elb.id}"] - cross_zone_load_balancing = true - connection_draining = true - connection_draining_timeout = 400 - - health_check { - healthy_threshold = 2 - unhealthy_threshold = 2 - timeout = 15 - interval = 30 - target = "HTTP:4000/en/blocks" - } - - listener { - instance_port = 4000 - instance_protocol = "http" - lb_port = 80 - lb_protocol = "http" - } - - #listener { - # instance_port = 443 - # instance_protocol = "http" - # lb_port = 443 - # lb_protocol = "https" - # ssl_certificate_id = "arn:aws:iam::ID:server-certificate/NAME" - #} + enable_deletion_protection = false tags { prefix = "${var.prefix}" 
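Review bot: `enable_deletion_protection = false` is set on a load balancer that is explicitly internet-facing (`internal = false`) and is the public entrypoint for every chain's explorer; that should be `enable_deletion_protection = true` for production stacks, or at least be a variable so it is not silently off everywhere. The `subnets` list pairs `aws_subnet.default` with the new `aws_subnet.alb`; an application load balancer needs subnets in at least two distinct availability zones, and since `aws_subnet.alb` is pinned to `names[1]` the apply fails if `aws_subnet.default` does not sit in a different zone (its `availability_zone` is outside this hunk). The commented-out 443 listener that is removed here has no ALB counterpart in this commit, so a comment on the resource such as `# HTTP only; an HTTPS listener with an ACM certificate is still to be added` would keep the gap visible rather than letting it disappear with the old block. The resource's `tags` block continues past the end of the hunk.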
@@ -55,10 +32,40 @@ resource "aws_elb" "explorer" { } } -resource "aws_lb_cookie_stickiness_policy" "explorer" { - count = "${length(var.chains)}" - name = "${var.prefix}-explorer-${element(keys(var.chains),count.index)}-stickiness-policy" - load_balancer = "${aws_elb.explorer.*.id[count.index]}" - lb_port = 80 - cookie_expiration_period = 600 +# The Target Group for the ALB +resource "aws_lb_target_group" "explorer" { + count = "${length(var.chains)}" + name = "${var.prefix}-explorer-${element(keys(var.chains),count.index)}-alb-target" + port = 4000 + protocol = "HTTP" + vpc_id = "${aws_vpc.vpc.id}" + tags { + prefix = "${var.prefix}" + origin = "terraform" + } + stickiness { + type = "lb_cookie" + cookie_duration = 600 + enabled = true + } + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 15 + interval = 30 + path = "/en/blocks" + port = 4000 + } +} + +# The Listener for the ALB +resource "aws_alb_listener" "alb_listener" { + load_balancer_arn = "${aws_lb.explorer.arn}" + port = 80 + protocol = "HTTP" + + default_action { + target_group_arn = "${aws_lb_target_group.explorer.arn}" + type = "forward" + } } diff --git a/modules/stack/security.tf b/modules/stack/security.tf index 7c995ad..a461061 100644 --- a/modules/stack/security.tf +++ b/modules/stack/security.tf @@ -139,10 +139,10 @@ resource "aws_iam_role" "deployer" { assume_role_policy = "${data.aws_iam_policy_document.deployer-assume-role-policy.json}" } -# A security group for the ELB so it is accessible via the web -resource "aws_security_group" "elb" { - name = "${var.prefix}-poa-elb" - description = "A security group for the app server ELB, so it is accessible via the web" +# A security group for the ALB so it is accessible via the web +resource "aws_security_group" "alb" { + name = "${var.prefix}-poa-alb" + description = "A security group for the app server ALB, so it is accessible via the web" vpc_id = "${aws_vpc.vpc.id}" # HTTP from anywhere 
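Review bot: `aws_alb_listener.alb_listener` has no `count`, yet it references `aws_lb.explorer.arn` and `aws_lb_target_group.explorer.arn`, both of which are created with `count = length(var.chains)`; with more than one chain Terraform rejects the un-indexed reference, and even with a single chain only one listener exists. It should be created per chain with `count = "${length(var.chains)}"`, `load_balancer_arn = "${aws_lb.explorer.*.arn[count.index]}"` and `target_group_arn = "${aws_lb_target_group.explorer.*.arn[count.index]}"`, the same indexing deploy.tf and hosts.tf use for the target group. The only listener is plain HTTP on port 80 and the target group forwards to port 4000 over HTTP, so the explorer is still served without TLS end to end; this carries over from the old ELB, but the comment above the listener should say so explicitly so it is not read as an intentional final state. Naming is also mixed: the listener uses the `aws_alb_listener` alias while the load balancer and target group use `aws_lb_*`; `aws_lb_listener` keeps the file consistent.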
diff --git a/modules/stack/subnets.tf b/modules/stack/subnets.tf index 476d9e8..ec521ca 100644 --- a/modules/stack/subnets.tf +++ b/modules/stack/subnets.tf @@ -13,6 +13,21 @@ resource "aws_subnet" "default" { } } +## ALB subnet +resource "aws_subnet" "alb" { + vpc_id = "${aws_vpc.vpc.id}" + cidr_block = "${var.public_subnet_cidr}" + cidr_block = "${cidrsubnet(var.db_subnet_cidr, 5, 1)}" + availability_zone = "${data.aws_availability_zones.available.names[1]}" + map_public_ip_on_launch = true + + tags { + name = "${var.prefix}-default-subnet" + prefix = "${var.prefix}" + origin = "terraform" + } +} + ## Database subnet resource "aws_subnet" "database" { count = "${length(data.aws_availability_zones.available.names)}"
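Review bot: `cidr_block` is assigned twice in the new `aws_subnet.alb`, once as `${var.public_subnet_cidr}` and once as `${cidrsubnet(var.db_subnet_cidr, 5, 1)}`; only one assignment can take effect, and neither looks right: the first is presumably the same range `aws_subnet.default` uses (not visible here) and would collide with it, while the second carves a public subnet (`map_public_ip_on_launch = true`) out of the database range that the README describes as private and may overlap the per-AZ database subnets computed just below this hunk. Drop the duplicate and give the ALB its own dedicated public range via a new input variable (for example `cidr_block = "${var.alb_subnet_cidr}"`, a constructed name, declared next to `public_subnet_cidr`). The `name` tag is copied from the default subnet (`${var.prefix}-default-subnet`) and should read `${var.prefix}-alb-subnet` so the two subnets can be told apart in the console. `names[1]` hard-codes a second availability zone, so the module fails in a region exposing only one; the `aws_subnet.database` resource that starts at the end of the hunk continues outside it.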