9. Load Balancer & Auto Scaling Group

Finally, let's create a webserver cluster that will consist of:

• an Application Load Balancer that will forward traffic to

• a Target Group (collection of EC2 instances, built from custom AMI) managed by

• an Auto Scaling Group

terraform/webserver-cluster/variables.tf

variable "server_port" {
  description = "The port the server will use for HTTP requests"
  type        = number
  default     = 8080
}

variable "cluster_min_size" {
  description = "Minimum number of EC2 instances in Auto Scaling Group"
  type        = number
  default     = 3
}

variable "cluster_max_size" {
  description = "Maximum number of EC2 instances in Auto Scaling Group"
  type        = number
  default     = 6
}

terraform/webserver-cluster/main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.62.0"
    }
  }

  required_version = ">= 1.0.8"
}

provider "aws" {
  region = "eu-central-1"
}

data "terraform_remote_state" "network" {
  backend = "local"

  config = {
    "path" = "../network/terraform.tfstate"
  }
}

data "terraform_remote_state" "iam" {
  backend = "local"

  config = {
    "path" = "../iam/terraform.tfstate"
  }
}

data "terraform_remote_state" "secrets" {
  backend = "local"

  config = {
    "path" = "../secrets/terraform.tfstate"
  }
}

data "terraform_remote_state" "database" {
  backend = "local"

  config = {
    "path" = "../database/terraform.tfstate"
  }
}

data "aws_ami" "node_app" {
  filter {
    name   = "name"
    values = ["node-app-*"]
  }

  owners      = ["self"]
  most_recent = true
}

locals {
  vpc_id               = data.terraform_remote_state.network.outputs.vpc_id
  iam_instance_profile = data.terraform_remote_state.iam.outputs.ec2_instance_profile_name
}

resource "aws_security_group" "public" {
  vpc_id = local.vpc_id

  ingress {
    description = "Allow HTTP from everywhere"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "Allow outbound traffic on all ports"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "private" {
  vpc_id = local.vpc_id

  ingress {
    protocol        = "tcp"
    from_port       = var.server_port
    to_port         = var.server_port
    security_groups = [aws_security_group.public.id]
  }

  egress {
    description = "Allow outbound traffic on all ports"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_launch_configuration" "webserver" {
  image_id             = data.aws_ami.node_app.id
  instance_type        = "t2.micro"
  iam_instance_profile = local.iam_instance_profile
  security_groups      = [aws_security_group.private.id]
  user_data = templatefile(
    "./user_data.sh",
    {
      port          = var.server_port,
      db_secert_arn = data.terraform_remote_state.secrets.outputs.db_secert_arn,
      db_endpoint   = data.terraform_remote_state.database.outputs.endpoint
    }
  )

  lifecycle {
    # reference used in ASG launch configuration will be updated after creating a new resource and destroying this one
    create_before_destroy = true
  }
}

resource "aws_lb_target_group" "asg" {
  name     = "webserver-cluster"
  port     = var.server_port
  protocol = "HTTP"
  vpc_id   = local.vpc_id

  health_check {
    path                = "/"
    protocol            = "HTTP"
    matcher             = "200"
    interval            = 15
    timeout             = 3
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

resource "aws_autoscaling_group" "asg" {
  # Explicitly depend on the launch configuration's name so each time it's replaced, this ASG is also replaced 
  name = aws_launch_configuration.webserver.name

  launch_configuration = aws_launch_configuration.webserver.name
  vpc_zone_identifier  = data.terraform_remote_state.network.outputs.private_subnet_ids

  target_group_arns = [aws_lb_target_group.asg.arn]
  health_check_type = "ELB"

  min_size = var.cluster_min_size
  max_size = var.cluster_max_size

  # Wait for at least this many instances to pass health checks before considering the ASG deployment complete
  min_elb_capacity = var.cluster_min_size

  # When replacing this ASG, create the replacement first, and only delete the original after 
  lifecycle {
    create_before_destroy = true
  }

  tag {
    key                 = "Name"
    value               = "TerraformWorkshopsWebserver"
    propagate_at_launch = true
  }
}

resource "aws_lb" "alb" {
  name               = "alb"
  load_balancer_type = "application"
  subnets            = data.terraform_remote_state.network.outputs.public_subnet_ids
  security_groups    = [aws_security_group.public.id]
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.alb.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: page not found"
      status_code  = 404
    }
  }
}

resource "aws_lb_listener_rule" "asg" {
  listener_arn = aws_lb_listener.http.arn
  priority     = 100

  condition {
    path_pattern {
      values = ["*"]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.asg.arn
  }
}

terraform/webserver-cluster/user_data.sh

#!/bin/bash
su ubuntu -c 'export PORT=${port} SECRET_ID=${db_secert_arn} DB_ENDPOINT=${db_endpoint} && nohup ~/.nvm/versions/node/v16.3.0/bin/node ~/app/index.js &'

terraform/webserver-cluster/outputs.tf

@@ -1,7 +1,4 @@
-output "public_ip_address" {
-  value = aws_instance.public.public_ip
-}
-
-output "private_ip_address" {
-  value = aws_instance.private.private_ip
+output "alb_dns_name" {
+  value       = aws_lb.alb.dns_name
+  description = "The domain name of the load balander"
 }

Apply.