add-alb-and-waf-to-ec2

Author: LeoDiazL

action.yaml

@@ -280,6 +280,44 @@ inputs:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
 
+  # AWS ALB
+  aws_alb_create:
+    description: "Global toggle for ALB creation"
+    required: false
+  aws_alb_security_group_name:
+    description: "Name of the security group to use for ALB"
+    required: false
+  aws_alb_app_port:
+    description: "Comma-separated list of application ports for ALB target group"
+    required: false
+  aws_alb_app_protocol:
+    description: "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)"
+    required: false
+  aws_alb_listen_port:
+    description: "Comma-separated list of listener ports for ALB"
+    required: false
+  aws_alb_listen_protocol:
+    description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)"
+    required: false
+  aws_alb_healthcheck_path:
+    description: "Health check path for ALB target group"
+    required: false
+  aws_alb_healthcheck_protocol:
+    description: "Health check protocol for ALB target group"
+    required: false
+  aws_alb_ssl_policy:
+    description: "SSL policy for HTTPS listeners"
+    required: false
+  aws_alb_access_log_enabled:
+    description: "Enable ALB access logs"
+    required: false
+  aws_alb_access_log_bucket_name:
+    description: "S3 bucket name to store the ALB access logs"
+    required: false
+  aws_alb_access_log_expire:
+    description: "Delete the access logs after this amount of days"
+    required: false
+
   # AWS WAF
   aws_waf_enable:
     description: 'Enable WAF for load balancer.'
@@ -1307,6 +1345,20 @@ runs:
         AWS_ELB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_elb_access_log_expire }}
         AWS_ELB_ADDITIONAL_TAGS: ${{ inputs.aws_elb_additional_tags }}
 
+        # AWS ALB
+        AWS_ALB_CREATE: ${{ inputs.aws_alb_create }}
+        AWS_ALB_SECURITY_GROUP_NAME: ${{ inputs.aws_alb_security_group_name }}
+        AWS_ALB_APP_PORT: ${{ inputs.aws_alb_app_port }}
+        AWS_ALB_APP_PROTOCOL: ${{ inputs.aws_alb_app_protocol }}
+        AWS_ALB_LISTEN_PORT: ${{ inputs.aws_alb_listen_port }}
+        AWS_ALB_LISTEN_PROTOCOL: ${{ inputs.aws_alb_listen_protocol }}
+        AWS_ALB_HEALTHCHECK_PATH: ${{ inputs.aws_alb_healthcheck_path }}
+        AWS_ALB_HEALTHCHECK_PROTOCOL: ${{ inputs.aws_alb_healthcheck_protocol }}
+        AWS_ALB_SSL_POLICY: ${{ inputs.aws_alb_ssl_policy }}
+        AWS_ALB_ACCESS_LOG_ENABLED: ${{ inputs.aws_alb_access_log_enabled }}
+        AWS_ALB_ACCESS_LOG_BUCKET_NAME: ${{ inputs.aws_alb_access_log_bucket_name }}
+        AWS_ALB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_alb_access_log_expire }}
+
         # AWS WAF
         AWS_WAF_ENABLE: ${{ inputs.aws_waf_enable }}
         AWS_WAF_LOGGING_ENABLE: ${{ inputs.aws_waf_logging_enable }}

operations/_scripts/generate/generate_vars_terraform.sh

@@ -132,6 +132,22 @@ if [[ $(alpha_only "$AWS_ELB_CREATE") == true ]]; then
   aws_elb_additional_tags=$(generate_var aws_elb_additional_tags $AWS_ELB_ADDITIONAL_TAGS)
 fi
 
+#-- AWS ALB --#
+if [[ $(alpha_only "$AWS_ALB_CREATE") == true ]]; then
+  aws_alb_create=$(generate_var aws_alb_create $AWS_ALB_CREATE)
+  aws_alb_security_group_name=$(generate_var aws_alb_security_group_name $AWS_ALB_SECURITY_GROUP_NAME)
+  aws_alb_app_port=$(generate_var aws_alb_app_port $AWS_ALB_APP_PORT)
+  aws_alb_app_protocol=$(generate_var aws_alb_app_protocol $AWS_ALB_APP_PROTOCOL)
+  aws_alb_listen_port=$(generate_var aws_alb_listen_port $AWS_ALB_LISTEN_PORT)
+  aws_alb_listen_protocol=$(generate_var aws_alb_listen_protocol $AWS_ALB_LISTEN_PROTOCOL)
+  aws_alb_healthcheck_path=$(generate_var aws_alb_healthcheck_path $AWS_ALB_HEALTHCHECK_PATH)
+  aws_alb_healthcheck_protocol=$(generate_var aws_alb_healthcheck_protocol $AWS_ALB_HEALTHCHECK_PROTOCOL)
+  aws_alb_ssl_policy=$(generate_var aws_alb_ssl_policy $AWS_ALB_SSL_POLICY)
+  aws_alb_access_log_enabled=$(generate_var aws_alb_access_log_enabled $AWS_ALB_ACCESS_LOG_ENABLED)
+  aws_alb_access_log_bucket_name=$(generate_var aws_alb_access_log_bucket_name $AWS_ALB_ACCESS_LOG_BUCKET_NAME)
+  aws_alb_access_log_expire=$(generate_var aws_alb_access_log_expire $AWS_ALB_ACCESS_LOG_EXPIRE)
+fi
+
 #-- AWS WAF --#
 if [[ $(alpha_only "$AWS_WAF_ENABLE") == true ]]; then
   aws_waf_enable=$(generate_var aws_waf_enable $AWS_WAF_ENABLE)
@@ -509,6 +525,20 @@ $aws_elb_access_log_expire
 $aws_elb_access_log_bucket_name
 $aws_elb_additional_tags
 
+#-- ALB --#
+$aws_alb_create
+$aws_alb_security_group_name
+$aws_alb_app_port
+$aws_alb_app_protocol
+$aws_alb_listen_port
+$aws_alb_listen_protocol
+$aws_alb_healthcheck_path
+$aws_alb_healthcheck_protocol
+$aws_alb_ssl_policy
+$aws_alb_access_log_enabled
+$aws_alb_access_log_bucket_name
+$aws_alb_access_log_expire
+
 #-- WAF --#
 $aws_waf_enable
 $aws_waf_logging_enable

operations/deployment/terraform/aws/aws_variables.tf

@@ -327,7 +327,79 @@ variable "aws_elb_additional_tags" {
   default     = "{}"
 }
 
-# AWS LB
+# AWS ALB
+variable "aws_alb_create" {
+  type        = bool
+  description = "Global toggle for ALB creation"
+  default     = false
+}
+
+variable "aws_alb_security_group_name" {
+  type        = string
+  description = "Name of the security group to use for ALB"
+  default     = ""
+}
+
+variable "aws_alb_app_port" {
+  type        = string
+  description = "Comma-separated list of application ports for ALB target group"
+  default     = ""
+}
+
+variable "aws_alb_app_protocol" {
+  type        = string
+  description = "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)"
+  default     = ""
+}
+
+variable "aws_alb_listen_port" {
+  type        = string
+  description = "Comma-separated list of listener ports for ALB"
+  default     = ""
+}
+
+variable "aws_alb_listen_protocol" {
+  type        = string
+  description = "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)"
+  default     = ""
+}
+
+# Healthcheck
+variable "aws_alb_healthcheck_path" {
+  type        = string
+  description = "Health check path for ALB target group"
+  default     = "/"
+}
+
+variable "aws_alb_healthcheck_protocol" {
+  type        = string
+  description = "Health check protocol for ALB target group"
+  default     = "HTTP"
+}
+
+variable "aws_alb_ssl_policy" {
+  type        = string
+  description = "SSL policy for HTTPS listeners"
+  default     = null
+}
+# Logging
+variable "aws_alb_access_log_enabled" {
+  type        = bool
+  description = "Enable ALB access logs"
+  default     = false
+}
+
+variable "aws_alb_access_log_bucket_name" {
+  type        = string
+  description = "S3 bucket name to store the ALB access logs"
+  default     = ""
+}
+
+variable "aws_alb_access_log_expire" {
+  type        = string
+  description = "Delete the access logs after this amount of days"
+  default     = "90"
+}
 
 # AWS WAF
 variable "aws_waf_enable" {

operations/deployment/terraform/aws/bitovi_main.tf

@@ -130,6 +130,70 @@ module "aws_elb" {
   }
 }
 
+module "aws_lb" {
+  source = "../modules/aws/lb"
+  count  = var.aws_ec2_instance_create && var.aws_alb_create ? 1 : 0
+  # ALB Values
+  aws_alb_security_group_name  = var.aws_alb_security_group_name
+  aws_alb_app_port             = var.aws_alb_app_port
+  aws_alb_app_protocol         = var.aws_alb_app_protocol
+  aws_alb_listen_port          = var.aws_alb_listen_port
+  aws_alb_listen_protocol      = var.aws_alb_listen_protocol
+  aws_alb_healthcheck_path     = var.aws_alb_healthcheck_path
+  aws_alb_healthcheck_protocol = var.aws_alb_healthcheck_protocol
+  aws_alb_ssl_policy           = var.aws_alb_ssl_policy
+  # Logging
+  aws_alb_access_log_enabled     = var.aws_alb_access_log_enabled
+  aws_alb_access_log_bucket_name = var.aws_alb_access_log_bucket_name
+  aws_alb_access_log_expire      = var.aws_alb_access_log_expire
+  # EC2
+  aws_vpc_selected_id     = module.vpc.aws_selected_vpc_id
+  aws_vpc_subnet_selected = module.vpc.aws_vpc_subnet_selected
+  aws_instance_server_id  = module.ec2[0].aws_instance_server_id
+  aws_alb_target_sg_id    = module.ec2[0].aws_security_group_ec2_sg_id
+  # Certs
+  aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
+  # Others
+  aws_resource_identifier            = var.aws_resource_identifier
+  aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
+  # Module dependencies
+  depends_on = [module.vpc, module.ec2]
+
+  providers = {
+    aws = aws.lb
+  }
+}
+
+module "aws_waf_ec2_alb" {
+  source                     = "../modules/aws/waf"
+  count                      = var.aws_waf_enable && var.aws_ec2_instance_create && var.aws_alb_create ? 1 : 0
+  aws_waf_enable             = var.aws_waf_enable
+  aws_waf_logging_enable     = var.aws_waf_logging_enable
+  aws_waf_log_retention_days = var.aws_waf_log_retention_days
+  aws_resource_identifier    = var.aws_resource_identifier
+  # Rules
+  aws_waf_rule_rate_limit               = var.aws_waf_rule_rate_limit
+  aws_waf_rule_managed_rules            = var.aws_waf_rule_managed_rules
+  aws_waf_rule_managed_bad_inputs       = var.aws_waf_rule_managed_bad_inputs
+  aws_waf_rule_ip_reputation            = var.aws_waf_rule_ip_reputation
+  aws_waf_rule_anonymous_ip             = var.aws_waf_rule_anonymous_ip
+  aws_waf_rule_bot_control              = var.aws_waf_rule_bot_control
+  aws_waf_rule_geo_block_countries      = var.aws_waf_rule_geo_block_countries
+  aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
+  aws_waf_rule_user_arn                 = var.aws_waf_rule_user_arn
+  aws_waf_rule_sqli                     = var.aws_waf_rule_sqli
+  aws_waf_rule_linux                    = var.aws_waf_rule_linux
+  aws_waf_rule_unix                     = var.aws_waf_rule_unix
+  aws_waf_rule_admin_protection         = var.aws_waf_rule_admin_protection
+  # Incoming
+  aws_lb_resource_arn = module.aws_lb[0].aws_lb_resource_arn
+  # Others
+  depends_on = [module.aws_lb]
+  providers = {
+    aws = aws.waf
+  }
+}
+
 module "efs" {
   source = "../modules/aws/efs"
   count  = var.aws_efs_enable ? 1 : 0