Code Snip: This site's Load Balancer Terraform

Friday, Jan 30, 2026

Code Snip: The Terraform configuration for the Frontend Distributions

Part of the Terraform for this site, This Website.


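# Internet-facing application load balancer in front of the ECS web tier.
# It only exposes HTTPS (443) plus an HTTP->HTTPS redirect (80); both
# listeners are declared further down in this file.
resource "aws_lb" "ECSWebServerLB" {
  name               = "ECSWebServerLB"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.ecs_lb_sg.id]
  # The for-expression works whether public_subnets is created with count
  # or for_each, and it already makes this resource depend on the subnets,
  # so no explicit depends_on is needed.
  subnets            = [for subnet in aws_subnet.public_subnets : subnet.id]

  # Left off so `terraform destroy` can tear the stack down; turn it on once
  # this LB must not be removable by an accidental apply/destroy.
  enable_deletion_protection = false

  # NOTE(review): consider `drop_invalid_header_fields = true` so headers with
  # invalid names are dropped at the edge instead of forwarded to the tasks,
  # and an `access_logs` block if request-level logging is wanted.

  tags = {
    Name = "ECSWebServerLB"
  }
}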

# Target group behind the catch-all WebServerRule below. Health checks
# request "/" over HTTP on each target's traffic port.
resource "aws_lb_target_group" "ECSWebServerTG" {
  name     = "ECSWebServerTG"
  vpc_id   = aws_vpc.ecs_vpc.id
  protocol = "HTTP"
  port     = 80
  # No target_type is set, so the provider default ("instance") applies,
  # whereas the per-app "TG" group below uses "ip".
  # NOTE(review): confirm which target type the registered tasks need.

  health_check {
    enabled             = true
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = "/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
    # No matcher: only an HTTP 200 counts as healthy (provider default).
  }
}

# Catch-all rule: forward to ECSWebServerTG when the request carries the
# shared-secret header that the CloudFront distribution injects. There is
# no host_header condition here, so any hostname with a valid header
# reaches this target group.
resource "aws_lb_listener_rule" "WebServerRule" {
  listener_arn = aws_lb_listener.ECSWebServerListener.arn
  # Fixed priority on a listener shared with thisDomainRule, whose priorities
  # come from var.frontend_apps. NOTE(review): ALB priorities must be unique
  # per listener, so make sure no app uses lb_priority = 100.
  priority     = 100

  condition {
    http_header {
      http_header_name = "X-Auth-Header"
      # ALB http_header values are compared case-insensitively, treat "*" and
      # "?" as wildcards and are limited to 128 characters. The generated
      # secret should therefore exclude "*" and "?" (override_special on the
      # random_password resource) and stay within that length.
      values = [random_password.backend_auth_key_code.result]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ECSWebServerTG.arn
  }
}

# HTTPS listener for the ALB. Requests that match no listener rule (i.e.
# arrive without the CloudFront-provided X-Auth-Header) get a plain 403.
resource "aws_lb_listener" "ECSWebServerListener" {
  load_balancer_arn = aws_lb.ECSWebServerLB.arn
  protocol          = "HTTPS"
  port              = "443"
  # TLS 1.2/1.3-only policy. local.ssl_cert_arn is the default certificate;
  # per-app certificates are attached by thisDomainCert below.
  certificate_arn   = local.ssl_cert_arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type = "fixed-response"

    fixed_response {
      status_code  = "403"
      content_type = "text/plain"
      message_body = "You need to access through the Cloudfront Distro."
    }
  }
}

# Plain-HTTP listener whose only job is to bounce clients to HTTPS with a
# permanent redirect; no request is ever forwarded over port 80.
resource "aws_lb_listener" "ECSHttpListener" {
  load_balancer_arn = aws_lb.ECSWebServerLB.arn
  protocol          = "HTTP"
  port              = "80"

  default_action {
    type = "redirect"

    redirect {
      status_code = "HTTP_301"
      protocol    = "HTTPS"
      port        = "443"
    }
  }
}

# One IP-mode target group per frontend app, keyed like var.frontend_apps.
# The group listens on the external port of the backend task the app maps to.
resource "aws_lb_target_group" "TG" {
  for_each = var.frontend_apps

  # Underscores are stripped because target group names only allow
  # alphanumerics and hyphens. NOTE(review): names are limited to 32
  # characters and must be unique per region, so long app keys will fail.
  name        = "${replace(each.key, "_", "")}TG"
  vpc_id      = aws_vpc.ecs_vpc.id
  target_type = "ip"
  protocol    = "HTTP"
  port        = var.backend_tasks[each.value.backend_key].external_port

  health_check {
    enabled             = true
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = "/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
    # Redirect responses from "/" are treated as healthy too.
    matcher             = "200,301,302"
  }

  # NOTE(review): create_before_destroy combined with a fixed `name` means a
  # change that forces replacement (port, vpc_id, target_type) is likely to
  # fail, since the replacement cannot be created while the old group of
  # the same name still exists; `name_prefix` avoids that collision.
  lifecycle {
    create_before_destroy = true
  }
}

# Per-app routing rule on the HTTPS listener: a request must both carry the
# CloudFront shared-secret header and match one of the app's domain names
# before it is forwarded to that app's target group.
resource "aws_lb_listener_rule" "thisDomainRule" {
  for_each = var.frontend_apps

  listener_arn = aws_lb_listener.ECSWebServerListener.arn
  # NOTE(review): priorities must be unique per listener across all apps
  # and must not collide with WebServerRule's fixed 100.
  priority     = each.value.lb_priority

  action {
    type             = "forward"
    # The reference below already orders this rule after its target group,
    # so no depends_on is required.
    target_group_arn = aws_lb_target_group.TG[each.key].arn
  }

  # Both conditions must hold (ALB ANDs separate condition blocks).
  condition {
    host_header {
      values = each.value.domain_names
    }
  }

  condition {
    http_header {
      http_header_name = "X-Auth-Header"
      # Same shared secret as WebServerRule; see the caveats on wildcards,
      # case-insensitive matching and length there.
      values = [random_password.backend_auth_key_code.result]
    }
  }

  # NOTE(review): if this rule is ever replaced rather than updated in
  # place, create_before_destroy with a fixed priority may fail because the
  # priority is still in use by the old rule.
  lifecycle {
    create_before_destroy = true
  }
}

# Attach each frontend app's certificate to the HTTPS listener so SNI can
# serve the app's domain_names alongside the listener's default certificate.
resource "aws_lb_listener_certificate" "thisDomainCert" {
  for_each = var.frontend_apps

  certificate_arn = each.value.certificate_arn
  listener_arn    = aws_lb_listener.ECSWebServerListener.arn
}