Right now I'm learning how to setup a website served by a GCP bucket using Pulumi however, I've stuck at the last step exposing an IP address and attaching it to the LB. Everything looks good except This load balancer has no frontend configured
I think the ForwardingRule is what I need but it doesn't except the BucketBackend (see code and output below).
Any suggestions on how to move forward?
####### WEBSITE ##########
web_bucket = gcp.storage.Bucket('web',
project="myproj",
cors=[gcp.storage.BucketCorArgs(
max_age_seconds=3600,
methods=[
"GET",
],
origins=["https://myproj.com", "https://sandbox.myproj.com"],
response_headers=["*"],
)],
force_destroy=True,
location="US",
uniform_bucket_level_access=True,
website=gcp.storage.BucketWebsiteArgs(
main_page_suffix="index.html",
not_found_page="404.html",
),
)
pulumi.export('web bucket', web_bucket.url)
ssl_certificate = gcp.compute.SSLCertificate("SSLCertificate",
project="myproj",
name_prefix="certificate-",
private_key=(lambda path: open(path).read())("ssl/private.key"),
certificate=(lambda path: open(path).read())("ssl/certificate.crt"))
http_health_check = gcp.compute.HttpHealthCheck("httphealthcheck",
project="myproj",
request_path="/",
check_interval_sec=1,
timeout_sec=1
)
# Backend Bucket Service
web_backend = gcp.compute.BackendBucket("web-backend",
project="myproj",
description="Serves website",
bucket_name=web_bucket.name,
enable_cdn=True
)
# LB Backend hostpath and rules
url_map = gcp.compute.URLMap("urlmap",
project="myproj",
description="URL mapping",
default_service=web_backend.id,
host_rules=[gcp.compute.URLMapHostRuleArgs(
hosts=["myproj.io"],
path_matcher="allpaths",
)],
path_matchers=[gcp.compute.URLMapPathMatcherArgs(
name="allpaths",
default_service=web_backend.id,
path_rules=[gcp.compute.URLMapPathMatcherPathRuleArgs(
paths=["/*"],
service=web_backend.id,
)],
)]
)
# Route to backed (bucket backend)
target_https_proxy = gcp.compute.TargetHttpsProxy("targethttpsproxy",
project="myproj",
url_map=url_map.id,
ssl_certificates=[ssl_certificate.id])
# Forwarding rule for External Network Load Balancing using Backend Services
web_forward = gcp.compute.ForwardingRule("webforward",
project="myproj",
region="us-central1",
port_range="80",
backend_service=web_backend.id # this doesn't work
)
Diagnostics:
gcp:compute:ForwardingRule (default):
error: 1 error occurred:
* Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.backendService': 'https://compute.googleapis.com/compute/beta/projects/myproj/global/backendBuckets/web-backend-576fa1b'. Unexpected resource collection 'backendBuckets'., invalid
I was using the wrong fowarding rule class. Because of the LB setup regional forwarding was wrong.
# Forwarding rule for External Network Load Balancing using Backend Services
web_forward = gcp.compute.GlobalForwardingRule("webforward",
project="myproj",
port_range="443",
target=nbprod_target_https_proxy.self_link
)
I am new to powershell and the AWS CLI and have look and looked for someone else who has posted this...
What I'm trying to do is get the code right to create a report of each AWS Security Group that shows the inbound rules.
Something like this I would image the output would be.
SecurityGroupName GroupID, Type, Protcol, PortRange, Source, Description
SSH & HTTP gs-1111 SSH TCP 22 0.0.0.0/0 Inbound SSH & HTTP
SSH & HTTP gs-1111 HTTP TCP 80 1.2.34 Inbound SSH & HTTP
HTTPS gs-2222 HTTPS TCP 443 0.0.0.0/0
'
But I can't figure it out.
I can use $GroupID=Get-EC2SecurityGroup -Region us-east-1 |Select-Object -ExpandProperty GroupID
ForEach ($item in $GroupID) {
(Get-EC2SecurityGroup -Region us-east-1 -GroupId $item).IpPermissions | Select-Object IPProtocol,IpRange, FromPort,ToPort}
to get the basic rule but can't seem to combine all the properties you need. This is where my lack of powershell really hurts. Any help would be great!
First, you need to create a new Powershell array that will hold all the objects.
Later, run over all the security groups in the specific region and add relevant data to the hash-table object.
Then, just add the object to the array we created earlier.
Code snippet:
$region = 'YOUR_REGION'
$allSG = #()
Get-EC2SecurityGroup -Region $region | % {
$obj = #{
Description = $_.IpPermission.Ipv4Ranges.Description
GroupId = $_.GroupId
SecurityGroupName = $_.GroupName
Source = $_.IpPermission.Ipv4Ranges.CidrIp
FromPort = $_.IpPermission.FromPort
ToPort = $_.IpPermission.ToPort
Protocol = $_.IpPermission.IpProtocol
}
$object = new-object psobject -Property $obj
$allSG += $object
}
Output:
Insights:
Some Descriptions might be missing.
The From/To Port represent the Type (e.g - 80 = HTTP, 443 = HTTPS)
More about Get-EC2SecurityGroup.
I have an ENI created, and I need to attach it as a secondary ENI to my EC2 instance dynamically using cloud formation. As I am using red hat AMI, I have to go ahead and manually configure RHEL which includes steps as mentioned in below post.
Manually Configuring secondary Elastic network interface on Red hat ami- 7.5
Can someone please tell me how to automate all of this using cloud formation. Is there a way to do all of it using user data in a cloud formation template? Also, I need to make sure that the configurations remain even if I reboot my ec2 instance (currently the configurations get deleted after reboot.)
Though it's not complete automation but you can do below to make sure that the ENI comes up after every reboot of your ec2 instance (only for RHEL instances). If anyone has any better suggestion, kindly share.
vi /etc/systemd/system/create.service
Add below content
[Unit]
Description=XYZ
After=network.target
[Service]
ExecStart=/usr/local/bin/my.sh
[Install]
WantedBy=multi-user.target
Change permissions and enable the service
chmod a+x /etc/systemd/system/create.service
systemctl enable /etc/systemd/system/create.service
Below shell script does the configuration on rhel for ENI
vi /usr/local/bin/my.sh
add below content
#!/bin/bash
my_eth1=`curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/0e:3f:96:77:bb:f8/local-ipv4s/`
echo "this is the value--" $my_eth1 "hoo"
GATEWAY=`ip route | awk '/default/ { print $3 }'`
printf "NETWORKING=yes\nNOZEROCONF=yes\nGATEWAYDEV=eth0\n" >/etc/sysconfig/network
printf "\nBOOTPROTO=dhcp\nDEVICE=eth1\nONBOOT=yes\nTYPE=Ethernet\nUSERCTL=no\n" >/etc/sysconfig/network-scripts/ifcfg-eth1
ifup eth1
ip route add default via $GATEWAY dev eth1 tab 2
ip rule add from $my_eth1/32 tab 2 priority 600
Start the service
systemctl start create.service
You can check if the script ran fine or not by --
journalctl -u create.service -b
Still need to figure out the joining of the secondary ENI from Linux, but this was the Python script I wrote to have the instance find the corresponding ENI and attach it to itself. Basically the script works by taking a predefined naming tag for both the ENI and Instance, then joins the two together.
Pre-reqs for setting this up are:
IAM role on the instance to allow access to S3 bucket where script is stored
Install pip and the AWS CLI in the user data section
curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install awscli --upgrade
aws configure set default.region YOUR_REGION_HERE
pip install boto3
sleep 180
Note on sleep 180 command: I have my ENI swap out on instance in an autoscaling group. This allows an extra 3 min for the other instance to shut down and drop the ENI, so the new one can pick it up. May or may not be necessary for your use case.
AWS CLI command in user data to download the file onto the instance (example below)
aws s3api get-object --bucket YOURBUCKETNAME --key NAMEOFOBJECT.py /home/ec2-user/NAMEOFOBJECT.py
# coding: utf-8
import boto3
import sys
import time
client = boto3.client('ec2')
# Get the ENI ID
eni = client.describe_network_interfaces(
Filters=[
{
'Name': 'tag:Name',
'Values': ['Put the name of your ENI tag here']
},
]
)
eni_id = eni['NetworkInterfaces'][0]['NetworkInterfaceId']
# Get ENI status
eni_status = eni['NetworkInterfaces'][0]['Status']
print('Current Status: {}\n'.format(eni_status))
# Detach if in use
if eni_status == 'in-use':
eni_attach_id = eni['NetworkInterfaces'][0]['Attachment']['AttachmentId']
eni_detach = client.detach_network_interface(
AttachmentId=eni_attach_id,
DryRun=False,
Force=False
)
print(eni_detach)
# Wait until ENI is available
print('start\n-----')
while eni_status != 'available':
print('checking...')
eni_state = client.describe_network_interfaces(
Filters=[
{
'Name': 'tag:Name',
'Values': ['Put the name of your ENI tag here']
},
]
)
eni_status = eni_state['NetworkInterfaces'][0]['Status']
print('ENI is currently: ' + eni_status + '\n')
if eni_status != 'available':
time.sleep(10)
print('end')
# Get the instance ID
instance = client.describe_instances(
Filters=[
{
'Name': 'tag:Name',
'Values': ['Put the tag name of your instance here']
},
{
'Name': 'instance-state-name',
'Values': ['running']
}
]
)
instance_id = instance['Reservations'][0]['Instances'][0]['InstanceId']
# Attach the ENI
response = client.attach_network_interface(
DeviceIndex=1,
DryRun=False,
InstanceId=instance_id,
NetworkInterfaceId=eni_id
)
I'm using AWS Powershell Tools and AWS CLI.
I am able to add inbound rules to a security group using code like the following:
$IpRange = New-Object -TypeName Amazon.EC2.Model.IpRange
$IpRange.CidrIp = "102.196.30.33/32"
$IpRange.Description = "RDP"
$IpPermission = New-Object Amazon.EC2.Model.IpPermission
$IpPermission.IpProtocol = "tcp"
$IpPermission.FromPort = 2089
$IpPermission.ToPort = 2089
$IpPermission.Ipv4Ranges = $IpRange
Grant-EC2SecurityGroupIngress -GroupId sg-9773d0bb -IpPermission $IpPermission
# Verify inbound rule has been correctly added
aws ec2 describe-security-groups --group-ids sg-9773d0bb
However, if I try to add a second call to Grant-EC2SecurityGroupIngress and specify a port range, then the second call doesn't work:
$IpRange.Description = "FTP PASV"
$IpPermission.FromPort = 2025
$IpPermission.ToPort = 2030
Grant-EC2SecurityGroupIngress -GroupId sg-9773d0bb -IpPermission $IpPermission
# Verify inbound rule has been correctly added
aws ec2 describe-security-groups --group-ids sg-9773d0bb
No error is returned, however the rule is not added. Why not?
UPDATE
Some people have suggested using the AWS CLI authorize-security-group-ingress rule instead, however that returns an "Invalid JSON" error message if I add a description to the rule:
Usually something like this would indicate trouble with incorrect escaping of quotes, but I don't think it is. Here it is with double quotes around the string, and the internal double quotes escaped either using back-ticks, or double-double quotes:
Answer in two parts:
PART 1: Grant-EC2SecurityGroupIngress.
Internally this command is modifying $IpPermission. If you try to change the $IpRange.CidrIp to a different address then you will see the error:
Grant-EC2SecurityGroupIngress : Cannot set values for both Ipv4Ranges and IpRanges properties on
the IpPermission type which is part of the request. Consider using only Ipv4Ranges as IpRanges has
been marked obsolete.
The solution is to reallocate $IpPermission.
$IpRange.CidrIp = "102.196.30.33/32"
$IpRange.Description = "FTP PASV"
$IpPermission = New-Object Amazon.EC2.Model.IpPermission
$IpPermission.IpProtocol = "tcp"
$IpPermission.FromPort = 2025
$IpPermission.ToPort = 2030
$IpPermission.Ipv4Ranges = $IpRange
Grant-EC2SecurityGroupIngress -GroupId $sg -IpPermission $IpPermission
PART 2: For PowerShell (Windows) AWS CLI: you need to escape the double-quotes and surround the string with double-quotes.
Here is a working example:
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 2025, \"ToPort\": 2030, \"IpRanges\": [{\"CidrIp\": \"102.196.30.33/32\", \"Description\": \"FTP PASV\"}]}]"
If you're happy sticking with the AWS Command-Line Interface (CLI), this worked for me:
aws ec2 authorize-security-group-ingress --group-id sg-xxx --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 2025, "ToPort": 2030, "IpRanges": [{"CidrIp": "102.196.30.33/32", "Description": "FTP PASV"}]}]'
Given the Datomic Cloudformation template (described here and here), I can deploy a Datomic instance in AWS. I can also use Terraform to automate this.
Using Terraform, how do we put a load balancer in front of the instance in that instance in the Cloudformation template?
Using Terraform, how do we put a Route53 domain name in front of the Datomic instance (or load balancer) in the Cloudformation template?
The Datomic Cloudformation template looks like this:
cf.json
{"Resources":
{"LaunchGroup":
{"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":
{"MinSize":{"Ref":"GroupSize"},
"Tags":
[{"Key":"Name",
"Value":{"Ref":"AWS::StackName"},
"PropagateAtLaunch":"true"}],
"MaxSize":{"Ref":"GroupSize"},
"AvailabilityZones":{"Fn::GetAZs":""},
"LaunchConfigurationName":{"Ref":"LaunchConfig"}}},
"LaunchConfig":
{"Type":"AWS::AutoScaling::LaunchConfiguration",
"Properties":
{"ImageId":
{"Fn::FindInMap":
["AWSRegionArch2AMI", {"Ref":"AWS::Region"},
{"Fn::FindInMap":
["AWSInstanceType2Arch", {"Ref":"InstanceType"}, "Arch"]}]},
"UserData":
{"Fn::Base64":
{"Fn::Join":
["\n",
["exec > >(tee \/var\/log\/user-data.log|logger -t user-data -s 2>\/dev\/console) 2>&1",
{"Fn::Join":["=", ["export XMX", {"Ref":"Xmx"}]]},
{"Fn::Join":["=", ["export JAVA_OPTS", {"Ref":"JavaOpts"}]]},
{"Fn::Join":
["=",
["export DATOMIC_DEPLOY_BUCKET",
{"Ref":"DatomicDeployBucket"}]]},
{"Fn::Join":
["=", ["export DATOMIC_VERSION", {"Ref":"DatomicVersion"}]]},
"cd \/datomic", "cat <<EOF >aws.properties",
"host=`curl http:\/\/169.254.169.254\/latest\/meta-data\/local-ipv4`",
"alt-host=`curl http:\/\/169.254.169.254\/latest\/meta-data\/public-ipv4`",
"aws-dynamodb-region=us-east-1\naws-transactor-role=datomic-aws-transactor-10\naws-peer-role=datomic-aws-peer-10\nprotocol=ddb\nmemory-index-max=256m\nport=4334\nmemory-index-threshold=32m\nobject-cache-max=128m\nlicense-key=\naws-dynamodb-table=your-system-name",
"EOF", "chmod 744 aws.properties",
"AWS_ACCESS_KEY_ID=\"${DATOMIC_READ_DEPLOY_ACCESS_KEY_ID}\" AWS_SECRET_ACCESS_KEY=\"${DATOMIC_READ_DEPLOY_AWS_SECRET_KEY}\" aws s3 cp \"s3:\/\/${DATOMIC_DEPLOY_BUCKET}\/${DATOMIC_VERSION}\/startup.sh\" startup.sh",
"chmod 500 startup.sh", ".\/startup.sh"]]}},
"InstanceType":{"Ref":"InstanceType"},
"InstanceMonitoring":{"Ref":"InstanceMonitoring"},
"SecurityGroups":{"Ref":"SecurityGroups"},
"IamInstanceProfile":{"Ref":"InstanceProfile"},
"BlockDeviceMappings":
[{"DeviceName":"\/dev\/sdb", "VirtualName":"ephemeral0"}]}}},
"Mappings":
{"AWSInstanceType2Arch":
{"m3.large":{"Arch":"64h"},
"c4.8xlarge":{"Arch":"64h"},
"t2.2xlarge":{"Arch":"64h"},
"c3.large":{"Arch":"64h"},
"hs1.8xlarge":{"Arch":"64h"},
"i2.xlarge":{"Arch":"64h"},
"r4.4xlarge":{"Arch":"64h"},
"m1.small":{"Arch":"64p"},
"m4.large":{"Arch":"64h"},
"m4.xlarge":{"Arch":"64h"},
"c3.8xlarge":{"Arch":"64h"},
"m1.xlarge":{"Arch":"64p"},
"cr1.8xlarge":{"Arch":"64h"},
"m4.10xlarge":{"Arch":"64h"},
"i3.8xlarge":{"Arch":"64h"},
"m3.2xlarge":{"Arch":"64h"},
"r4.large":{"Arch":"64h"},
"c4.xlarge":{"Arch":"64h"},
"t2.medium":{"Arch":"64h"},
"t2.xlarge":{"Arch":"64h"},
"c4.large":{"Arch":"64h"},
"c3.2xlarge":{"Arch":"64h"},
"m4.2xlarge":{"Arch":"64h"},
"i3.2xlarge":{"Arch":"64h"},
"m2.2xlarge":{"Arch":"64p"},
"c4.2xlarge":{"Arch":"64h"},
"cc2.8xlarge":{"Arch":"64h"},
"hi1.4xlarge":{"Arch":"64p"},
"m4.4xlarge":{"Arch":"64h"},
"i3.16xlarge":{"Arch":"64h"},
"r3.4xlarge":{"Arch":"64h"},
"m1.large":{"Arch":"64p"},
"m2.4xlarge":{"Arch":"64p"},
"c3.4xlarge":{"Arch":"64h"},
"r3.large":{"Arch":"64h"},
"c4.4xlarge":{"Arch":"64h"},
"r3.xlarge":{"Arch":"64h"},
"m2.xlarge":{"Arch":"64p"},
"r4.16xlarge":{"Arch":"64h"},
"t2.large":{"Arch":"64h"},
"m3.xlarge":{"Arch":"64h"},
"i2.4xlarge":{"Arch":"64h"},
"r4.8xlarge":{"Arch":"64h"},
"i3.large":{"Arch":"64h"},
"r3.8xlarge":{"Arch":"64h"},
"c1.medium":{"Arch":"64p"},
"r4.2xlarge":{"Arch":"64h"},
"i2.8xlarge":{"Arch":"64h"},
"m3.medium":{"Arch":"64h"},
"r3.2xlarge":{"Arch":"64h"},
"m1.medium":{"Arch":"64p"},
"i3.4xlarge":{"Arch":"64h"},
"m4.16xlarge":{"Arch":"64h"},
"i3.xlarge":{"Arch":"64h"},
"r4.xlarge":{"Arch":"64h"},
"c1.xlarge":{"Arch":"64p"},
"t1.micro":{"Arch":"64p"},
"c3.xlarge":{"Arch":"64h"},
"i2.2xlarge":{"Arch":"64h"},
"t2.small":{"Arch":"64h"}},
"AWSRegionArch2AMI":
{"ap-northeast-1":{"64p":"ami-eb494d8c", "64h":"ami-81f7cde6"},
"ap-northeast-2":{"64p":"ami-6eb66a00", "64h":"ami-f594489b"},
"ca-central-1":{"64p":"ami-204bf744", "64h":"ami-5e5be73a"},
"us-east-2":{"64p":"ami-5b42643e", "64h":"ami-896c4aec"},
"eu-west-2":{"64p":"ami-e52d3a81", "64h":"ami-55091e31"},
"us-west-1":{"64p":"ami-97cbebf7", "64h":"ami-442a0a24"},
"ap-southeast-1":{"64p":"ami-db1492b8", "64h":"ami-3e90165d"},
"us-west-2":{"64p":"ami-daa5c6ba", "64h":"ami-cb5030ab"},
"eu-central-1":{"64p":"ami-f3f02b9c", "64h":"ami-d564bcba"},
"us-east-1":{"64p":"ami-7f5f1e69", "64h":"ami-da5110cc"},
"eu-west-1":{"64p":"ami-66001700", "64h":"ami-77465211"},
"ap-southeast-2":{"64p":"ami-32cbdf51", "64h":"ami-66647005"},
"ap-south-1":{"64p":"ami-82126eed", "64h":"ami-723c401d"},
"sa-east-1":{"64p":"ami-afd7b9c3", "64h":"ami-ab9af4c7"}}},
"Parameters":
{"InstanceType":
{"Description":"Type of EC2 instance to launch",
"Type":"String",
"Default":"c3.large"},
"InstanceProfile":
{"Description":"Preexisting IAM role \/ instance profile",
"Type":"String",
"Default":"datomic-aws-transactor-10"},
"Xmx":
{"Description":"Xmx setting for the JVM",
"Type":"String",
"AllowedPattern":"\\d+[GgMm]",
"Default":"2625m"},
"GroupSize":
{"Description":"Size of machine group",
"Type":"String",
"Default":"1"},
"InstanceMonitoring":
{"Description":"Detailed monitoring for store instances?",
"Type":"String",
"Default":"true"},
"JavaOpts":
{"Description":"Options passed to Java launcher",
"Type":"String",
"Default":""},
"SecurityGroups":
{"Description":"Preexisting security groups.",
"Type":"CommaDelimitedList",
"Default":"datomic"},
"DatomicDeployBucket":
{"Type":"String",
"Default":"deploy-a0dbc565-faf2-4760-9b7e-29a8e45f428e"},
"DatomicVersion":{"Type":"String", "Default":"0.9.5561.50"}},
"Description":"Datomic Transactor Template"}
samples/cf-template.properties
#################################################################
# AWS instance and group settings
#################################################################
# required
# AWS instance type. See http://aws.amazon.com/ec2/instance-types/ for
# a list of legal instance types.
aws-instance-type=c3.large
# required, see http://docs.amazonwebservices.com/general/latest/gr/rande.html#ddb_region
aws-region=us-east-1
# required
# Enable detailed monitoring of AWS instances.
aws-instance-monitoring=true
# required
# Set group size >1 to create a standby pool for High Availability.
aws-autoscaling-group-size=1
# required, default = 70% of AWS instance RAM
# Passed to java launcher via -Xmx
java-xmx=
#################################################################
# Java VM options
#
# If you set the java-opts property, it will entirely replace the
# value used by bin/transactor, which you should consult as a
# starting point if you are configuring GC.
#
# Note that the single-quoting is necessary due to the whitespace
# between options.
#################################################################
# java-opts='-XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+CMSParallelRemarkEnabled -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly'
#################################################################
# security settings
#
# You must specify at least one of aws-ingress-grops or
# aws-ingress-cidrs to allows peers to connect!
#################################################################
# required
# The transactor needs to run in a security group that opens the
# transactor port to legal peers. If you specify a security group,
# `bin/transactor ensure-cf ...` will ensure that security group
# allows ingress on the transactor port.
aws-security-group=datomic
# Comma-delimited list of security groups. Security group syntax:
# group-name or aws-account-id:group-name
aws-ingress-groups=datomic
# Comma-delimited list of CIDRS.
# aws-ingress-cidrs=0.0.0.0/0
#################################################################
# datomic deployment settings
#################################################################
# required, default = VERSION number of Datomic you deploy from
# Which Datomic version to run.
datomic-version=
# required
# download Datomic from this bucket on startup. You typically will not change this.
datomic-deploy-s3-bucket=some-value
Unless you can't easily avoid it, I wouldn't recommend mixing Cloudformation with Terraform because it's going to make it a pain to do a lot of things. Normally I'd only recommend it for things such as the rare occurrences that Cloudformation covers a resource but not Terraform.
If you do need to do this you should be in luck because your Cloudformation template adds a tag to the autoscaling group with your instance(s) in that you can use to then link a load balancer to the autoscaling group and have the instances attach themselves to the load balancer as they are created (and detach when they are being deleted).
Unfortunately the Cloudformation template doesn't simply output the autoscaling group name so you'll probably need to do this in two separate terraform apply actions (probably keeping the configuration in separate folders).
Assuming something like this for your Cloudformation stack:
resource "aws_cloudformation_stack" "datomic" {
name = "datomic-stack"
...
}
Then a minimal example looks something like this:
data "aws_autoscaling_groups" "datomic" {
filter {
name = "key"
values = ["AWS::StackName"]
}
filter {
name = "value"
values = ["datomic-stack"]
}
}
resource "aws_lb_target_group" "datomic" {
name = "datomic-lb-tg"
port = 80
protocol = "HTTP"
vpc_id = "${var.vpc_id}"
}
resource "aws_lb" "datomic" {
name = "datomic-lb"
internal = false
security_groups = ["${var.security_group_id}"]
subnets = ["${var.subnet_id"]
}
resource "aws_autoscaling_attachment" "asg_attachment" {
autoscaling_group_name = "${data.aws_autoscaling_groups.datomic.names[0]}"
alb_target_group_arn = "${aws_alb_target_group.datomic.arn}"
}
resource "aws_lb_listener" "datomic" {
load_balancer_arn = "${aws_lb.datomic.arn}"
port = "80"
protocol = "HTTP"
default_action {
target_group_arn = "${aws_lb_target_group.datomic.arn}"
type = "forward"
}
}
The above config will find the autoscaling group created by the Cloudformation template and then attach it to an application load balancer that listens for HTTP traffic and forwards HTTP traffic to the Datomic instances.
It's trivial from here to add a Route53 record to the load balancer but because your instances are in an autoscaling group you can't easily add Route53 records for these instances (and probably shouldn't need to).