Make ECS ALB be optional - dynamic creation (#98)

LeoDiazL · web-flow · commit 853658719842 · 2025-09-29T15:25:11.000-03:00
* Adding conditional to create lb and fixing vars
* Fixing lb output conditionals
* Fixing case where ignore is true
* Ignoring R53 creation if no ALB is created
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -512,7 +512,7 @@ module "aws_ecs" {
 
 module "aws_route53_ecs" {
   source = "../modules/aws/route53"
-  count  = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0
+  count  = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" && module.aws_ecs[0].load_balancer_arn != "" ? 1 : 0
   # R53 values
   aws_r53_domain_name           = var.aws_r53_domain_name
   aws_r53_sub_domain_name       = var.aws_r53_sub_domain_name
@@ -533,7 +533,7 @@ module "aws_route53_ecs" {
 
 module "aws_waf_ecs" {
   source = "../modules/aws/waf"
-  count  = var.aws_waf_enable && var.aws_ecs_enable ? 1 : 0
+  count  = var.aws_waf_enable && var.aws_ecs_enable && module.aws_ecs[0].load_balancer_arn != "" ? 1 : 0
   aws_waf_enable             = var.aws_waf_enable
   aws_waf_logging_enable     = var.aws_waf_logging_enable
   aws_waf_log_retention_days = var.aws_waf_log_retention_days
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
@@ -49,15 +49,15 @@ resource "aws_ecs_task_definition" "ecs_task" {
           "memory": local.aws_ecs_container_mem[count.index],
           "essential": true,
           "networkMode": "awsvpc",
-          "portMappings": [
+          "portMappings": length(local.aws_ecs_container_port) > 0 ? [
             {
               "name": "port-${local.aws_ecs_container_port[count.index]}",
               "containerPort": tonumber(local.aws_ecs_container_port[count.index]),
               "hostPort": tonumber(local.aws_ecs_container_port[count.index]),
               "protocol": "tcp",
               "appProtocol": "http"
             }
-          ],
+          ] : []
           "environment": local.env_repo_vars,
           "logConfiguration": var.aws_ecs_cloudwatch_enable ? {
             "logDriver": "awslogs",
@@ -78,9 +78,9 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" {
   count                    = var.aws_ecs_task_ignore_definition ? 0 : length(local.aws_ecs_task_json_definition_file)
   family                   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index + length(local.aws_ecs_app_image)] : "${local.aws_ecs_task_name[count.index + length(local.aws_ecs_app_image)]}${count.index+length(local.aws_ecs_app_image)}"
   network_mode             = local.aws_ecs_task_network_mode[count.index + length(local.aws_ecs_app_image)]
-  requires_compatibilities = ["${local.aws_ecs_task_type[count.index +length(local.aws_ecs_app_image)]}"]
-  cpu                      = local.aws_ecs_task_cpu[count.index+length(local.aws_ecs_app_image)]
-  memory                   = local.aws_ecs_task_mem[count.index+length(local.aws_ecs_app_image)]
+  requires_compatibilities = [local.aws_ecs_task_type[count.index + length(local.aws_ecs_app_image)]]
+  cpu                      = local.aws_ecs_task_cpu[count.index + length(local.aws_ecs_app_image)]
+  memory                   = local.aws_ecs_task_mem[count.index + length(local.aws_ecs_app_image)]
   execution_role_arn       = local.ecsTaskExecutionRole
   container_definitions    = sensitive(file("../../ansible/clone_repo/app/${var.app_repo_name}/${local.aws_ecs_task_json_definition_file[count.index]}"))
 }
@@ -115,7 +115,7 @@ resource "aws_ecs_service" "ecs_service" {
   count            = var.aws_ecs_task_ignore_definition ? 0 : local.tasks_count
   name             = var.aws_ecs_service_name != "" ? "${var.aws_ecs_service_name}${count.index}" : "${var.aws_resource_identifier}-${count.index}-service"
   cluster          = aws_ecs_cluster.cluster.id
-  task_definition = local.tasks_arns[count.index]
+  task_definition  = local.tasks_arns[count.index]
 
   desired_count    = local.aws_ecs_node_count[count.index]
   launch_type      = var.aws_ecs_service_launch_type
@@ -126,11 +126,16 @@ resource "aws_ecs_service" "ecs_service" {
     assign_public_ip = var.aws_ecs_assign_public_ip
   }
 
-  load_balancer {
-    target_group_arn = aws_alb_target_group.lb_targets[count.index].id
-    container_name   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"
-    container_port   = local.aws_ecs_container_port[count.index]
+  dynamic "load_balancer" {
+    for_each = length(local.aws_ecs_container_port) > 0 ? [1] : []
+    content {
+      target_group_arn = aws_alb_target_group.lb_targets[count.index].id
+      container_name   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"
+      container_port   = local.aws_ecs_container_port[count.index]
+    }
   }
+
+  depends_on = [aws_alb_listener.lb_listener, aws_alb_listener.lb_listener_ssl]
 }
 
 resource "aws_ecs_service" "ecs_service_ignore_definition" {
@@ -148,19 +153,23 @@ resource "aws_ecs_service" "ecs_service_ignore_definition" {
     assign_public_ip = var.aws_ecs_assign_public_ip
   }
 
-  load_balancer {
-    target_group_arn = aws_alb_target_group.lb_targets[count.index].id
-    container_name   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"
-    container_port   = local.aws_ecs_container_port[count.index]
+  dynamic "load_balancer" {
+    for_each = length(local.aws_ecs_container_port) > 0 ? [1] : []
+    content {
+      target_group_arn = aws_alb_target_group.lb_targets[count.index].id
+      container_name   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"
+      container_port   = local.aws_ecs_container_port[count.index]
+    }
   }
 
   lifecycle {
     ignore_changes = [task_definition]
   }
+
+  depends_on = [aws_alb_listener.lb_listener, aws_alb_listener.lb_listener_ssl]
 }
 
 # Cloudwatch config
-
 resource "aws_cloudwatch_log_group" "ecs_cw_log_group" {
   count             = var.aws_ecs_cloudwatch_enable ? 1 : 0
   name              = var.aws_ecs_cloudwatch_lg_name
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf
@@ -1,5 +1,5 @@
 locals {
-  aws_ecs_container_port      = [for n in split(",", var.aws_ecs_container_port) : tonumber(n)]
+  aws_ecs_container_port      = var.aws_ecs_container_port != "" ? [for n in split(",", var.aws_ecs_container_port) : tonumber(n)] : var.aws_ecs_task_ignore_definition ? [80] : []
   aws_ecs_sg_container_port   = distinct(local.aws_ecs_container_port)
   aws_ecs_lb_port             = var.aws_ecs_lb_port != "" ?  [for n in split(",", var.aws_ecs_lb_port) : tonumber(n)] : local.aws_ecs_container_port
   aws_ecs_sg_lb_port          = distinct(local.aws_ecs_lb_port)
@@ -36,6 +36,7 @@ resource "aws_security_group_rule" "incoming_alb" {
 ### ALB --- Make this optional -- Using ALB name intentionally. (To make clear is an A LB)
 
 resource "aws_alb" "ecs_lb" {
+  count           = length(local.aws_ecs_sg_container_port) > 1 ? 1 : 0
   name            = var.aws_resource_identifier_supershort
   subnets         = var.aws_selected_subnets
   security_groups = [aws_security_group.ecs_lb_sg.id]
@@ -46,8 +47,9 @@ resource "aws_alb" "ecs_lb" {
 }
 
 data "aws_alb" "selected_lb" {
-  name = var.aws_resource_identifier_supershort
-  depends_on = [ aws_alb.ecs_lb ]
+  count      = length(local.aws_ecs_sg_container_port)
+  name       = var.aws_resource_identifier_supershort
+  depends_on = [aws_alb.ecs_lb]
 }
 
 resource "aws_alb_target_group" "lb_targets" {
@@ -74,7 +76,7 @@ resource "null_resource" "http_redirect_dep" {
 
 resource "aws_alb_listener" "lb_listener_ssl" {
   count             = var.aws_certificate_enabled ? length(local.aws_ecs_lb_port) : 0
-  load_balancer_arn = aws_alb.ecs_lb.id
+  load_balancer_arn = aws_alb.ecs_lb[0].id
   port              = local.aws_ecs_lb_port[count.index]
   # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
   ssl_policy        = var.aws_ecs_lb_ssl_policy
@@ -92,7 +94,7 @@ resource "aws_alb_listener" "lb_listener_ssl" {
 
 resource "aws_alb_listener" "lb_listener" {
   count             = var.aws_certificate_enabled ? 0 : length(local.aws_ecs_lb_port)
-  load_balancer_arn = aws_alb.ecs_lb.id
+  load_balancer_arn = aws_alb.ecs_lb[0].id
   port              = local.aws_ecs_lb_port[count.index]
   protocol          = "HTTP"
   default_action {
@@ -123,7 +125,7 @@ resource "aws_alb_listener_rule" "redirect_based_on_path" {
 
 resource "aws_alb_listener" "http_redirect" {
   count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) ? 1 : 0
-  load_balancer_arn = aws_alb.ecs_lb.id
+  load_balancer_arn = aws_alb.ecs_lb[0].id
   port              = "80"
   protocol          = "HTTP"
 
@@ -161,7 +163,7 @@ resource "aws_alb_listener" "https_redirect" {
   count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,443) && var.aws_certificate_enabled ? 1 : 0
   #count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,443) ? var.aws_certificates_selected_arn != "" ? 1 : 0 : 0
   #count             = var.aws_ecs_lb_redirect_enable && var.aws_certificates_selected_arn != "" && !contains(local.aws_ecs_lb_port,443) ? 1 : 0
-  load_balancer_arn = "${aws_alb.ecs_lb.id}"
+  load_balancer_arn = "${aws_alb.ecs_lb[0].id}"
   port              = "443"
   protocol          = "HTTPS"
   certificate_arn   = var.aws_certificates_selected_arn
@@ -226,30 +228,30 @@ resource "aws_security_group_rule" "incoming_ecs_lb_ports" {
 }
 
 output "load_balancer_dns" {
-  value = aws_alb.ecs_lb.dns_name
+  value = length(local.aws_ecs_sg_container_port) > 1 ? aws_alb.ecs_lb[0].dns_name : ""
 }
 
 output "load_balancer_port" {
-  value = var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].port : aws_alb_listener.lb_listener[0].port
+  value = length(local.aws_ecs_sg_container_port) > 1 ? (var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].port : aws_alb_listener.lb_listener[0].port) : ""
 }
 
 output "load_balancer_protocol" {
-  value = var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].protocol : aws_alb_listener.lb_listener[0].protocol
+  value = length(local.aws_ecs_sg_container_port) > 1 ? (var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].protocol : aws_alb_listener.lb_listener[0].protocol) : ""
 }
 
 output "load_balancer_zone_id" {
-  #value = aws_alb.ecs_lb.zone_id
-  value = data.aws_alb.selected_lb.zone_id
+  #value = aws_alb.ecs_lb[0].zone_id
+  value = length(local.aws_ecs_sg_container_port) > 1 ? data.aws_alb.selected_lb[0].zone_id : ""
 }
 
 output "load_balancer_arn" {
-  value = aws_alb.ecs_lb.arn
+  value = length(local.aws_ecs_sg_container_port) > 1 ? aws_alb.ecs_lb[0].arn : ""
 }
 
 output "ecs_sg_id" {
   value = aws_security_group.ecs_sg.id
 }
 
 output "ecs_lb_sg_id" {
-  value = aws_security_group.ecs_lb_sg.id
+  value = length(local.aws_ecs_sg_container_port) > 1 ? aws_security_group.ecs_lb_sg.id : ""
 }
