From 00610237313d417cfbc538796a075b40ac3da762 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Thu, 8 Feb 2024 16:01:33 +0100 Subject: [PATCH] Update AWS ALB plan-patches * this set of patch files works with the recent bbl version 9.0.17 * note that there is still an ELB being created because you can't remove tf resources in _override files * the Route 53 DNS record points to the new ALB --- plan-patches/alb-aws/cloud-config/lb-ops.yml | 5 +- plan-patches/alb-aws/terraform/cf-alb.tf | 150 ++++++++++++++++++ .../alb-aws/terraform/cf-elb_override.tf | 9 ++ .../alb-aws/terraform/cf-lb_override.tf | 146 ----------------- 4 files changed, 162 insertions(+), 148 deletions(-) create mode 100644 plan-patches/alb-aws/terraform/cf-alb.tf create mode 100644 plan-patches/alb-aws/terraform/cf-elb_override.tf delete mode 100644 plan-patches/alb-aws/terraform/cf-lb_override.tf
diff --git a/plan-patches/alb-aws/cloud-config/lb-ops.yml b/plan-patches/alb-aws/cloud-config/lb-ops.yml
index 045ba8f40..0927f4d09 100644
--- a/plan-patches/alb-aws/cloud-config/lb-ops.yml
+++ b/plan-patches/alb-aws/cloud-config/lb-ops.yml
@@ -1,7 +1,8 @@
 - type: replace
 path: /vm_extensions/name=cf-router-network-properties/cloud_properties?
 value:
- lb_target_groups: ((cf_router_target_group_names))
+ lb_target_groups:
+ - ((cf_router_alb_target_group))
 security_groups:
- - ((cf_router_lb_internal_security_group))
+ - ((cf_router_alb_internal_security_group))
 - ((internal_security_group))
diff --git a/plan-patches/alb-aws/terraform/cf-alb.tf b/plan-patches/alb-aws/terraform/cf-alb.tf
new file mode 100644
index 000000000..a476518fc
--- /dev/null
+++ b/plan-patches/alb-aws/terraform/cf-alb.tf
@@ -0,0 +1,150 @@
+resource "aws_lb" "cf_router_alb" {
+ name = "${var.short_env_id}-cf-router-lb"
+ load_balancer_type = "application"
+
+ security_groups = ["${aws_security_group.cf_router_alb_security_group.id}"]
+ subnets = flatten(["${aws_subnet.lb_subnets.*.id}"])
+}
+
+resource "aws_lb_listener" "cf_router_alb_443" {
+ load_balancer_arn = "${aws_lb.cf_router_alb.arn}"
+ port = "443"
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+ certificate_arn = "${aws_iam_server_certificate.lb_cert.arn}"
+
+ default_action {
+ target_group_arn = "${aws_lb_target_group.cf_router_alb_80.arn}"
+ type = "forward"
+ }
+}
+
+resource "aws_lb_listener" "cf_router_alb_4443" {
+ load_balancer_arn = "${aws_lb.cf_router_alb.arn}"
+ port = "4443"
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+ certificate_arn = "${aws_iam_server_certificate.lb_cert.arn}"
+
+ default_action {
+ target_group_arn = "${aws_lb_target_group.cf_router_alb_80.arn}"
+ type = "forward"
+ }
+}
+
+resource "aws_lb_listener" "cf_router_alb_80" {
+ load_balancer_arn = "${aws_lb.cf_router_alb.arn}"
+ port = "80"
+ protocol = "HTTP"
+
+ default_action {
+ target_group_arn = "${aws_lb_target_group.cf_router_alb_80.arn}"
+ type = "forward"
+ }
+}
+
+resource "aws_lb_target_group" "cf_router_alb_80" {
+ name = "${var.short_env_id}-routertg-80"
+ port = 80
+ protocol = "HTTP"
+ vpc_id = "${local.vpc_id}"
+
+ health_check {
+ path = "/health"
+ port = 8080
+ }
+}
+
+resource "aws_security_group" "cf_router_alb_security_group" {
+ name = "${var.env_id}-cf-router-alb-security-group"
+ description = "CF Router"
+ vpc_id = "${local.vpc_id}"
+
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ }
+
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ }
+
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ protocol = "tcp"
+ from_port = 4443
+ to_port = 4443
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${var.env_id}-cf-router-alb-security-group"
+ }
+
+ lifecycle {
+ ignore_changes = ["name"]
+ }
+}
+
+resource "aws_security_group" "cf_router_alb_internal_security_group" {
+ name = "${var.env_id}-cf-router-alb-internal-security-group"
+ description = "CF Router Internal"
+ vpc_id = "${local.vpc_id}"
+
+ ingress {
+ security_groups = ["${aws_security_group.cf_router_alb_security_group.id}"]
+ protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ }
+
+ # Enable gorouter healthcheck
+ ingress {
+ security_groups = ["${aws_security_group.cf_router_alb_security_group.id}"]
+ protocol = "tcp"
+ from_port = 8080
+ to_port = 8080
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${var.env_id}-cf-router-alb-internal-security-group"
+ }
+
+ lifecycle {
+ ignore_changes = [name]
+ }
+}
+
+output "cf_router_alb_internal_security_group" {
+ value = "${aws_security_group.cf_router_alb_internal_security_group.id}"
+}
+
+output "cf_router_alb_target_group" {
+ value = "${aws_lb_target_group.cf_router_alb_80.name}"
+}
+
+output "cf_router_alb_name" {
+ value = "${aws_lb.cf_router_alb.name}"
+}
+
+output "cf_router_alb_url" {
+ value = "${aws_lb.cf_router_alb.dns_name}"
+}
diff --git a/plan-patches/alb-aws/terraform/cf-elb_override.tf b/plan-patches/alb-aws/terraform/cf-elb_override.tf
new file mode 100644
index 000000000..03a26db21
--- /dev/null
+++ b/plan-patches/alb-aws/terraform/cf-elb_override.tf
@@ -0,0 +1,9 @@
+# remap CNAME record from ELB to ALB DNS name
+resource "aws_route53_record" "wildcard_dns" {
+ zone_id = "${aws_route53_zone.env_dns_zone[0].id}"
+ name = "*.${var.system_domain}"
+ type = "CNAME"
+ ttl = 300
+
+ records = ["${aws_lb.cf_router_alb.dns_name}"]
+}
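Review bot: TLS now ends at the ALB with a plaintext hop to the routers: the 443 and 4443 listeners both forward to `aws_lb_target_group.cf_router_alb_80` (protocol HTTP, port 80), whereas the deleted cf-lb_override.tf forwarded them to HTTPS target groups on 443 and 4443 and its internal security group admitted those ports from the LB group. If the unencrypted in-VPC leg is intended, state it where the target group is declared, e.g. `# TLS terminates at the ALB; 443/4443 are forwarded to the router over plain HTTP on port 80`; if it is not, the HTTPS listeners need HTTPS target groups plus matching ingress rules in cf_router_alb_internal_security_group, which currently admits only 80 and 8080. The two lifecycle blocks also disagree, `ignore_changes = ["name"]` in cf_router_alb_security_group versus `ignore_changes = [name]` in the internal group; the quoted form is legacy syntax, so use `ignore_changes = [name]` in both. Since the ALB is internet-facing on 80/443/4443, consider `drop_invalid_header_fields = true` on the aws_lb resource so malformed headers are rejected at the edge rather than passed to gorouter.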
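Review bot: The override only repoints `wildcard_dns`; as the commit message says, the classic ELB from the base plan is still created, so it stays reachable under its own AWS-assigned DNS name with whatever listeners and security group the base plan gives it, and the comment should record that rather than only "remap CNAME record". Suggest `# remap CNAME record from ELB to ALB DNS name; the base-plan ELB is still provisioned (override files cannot delete resources) and remains reachable by its own DNS name until it is removed upstream`. The `env_dns_zone[0]` index presumes the base plan declares the zone with `count`; if a different bbl base declares it without `count`, this override will fail to plan, so it is worth noting the bbl version it was written against (the message names 9.0.17).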
diff --git a/plan-patches/alb-aws/terraform/cf-lb_override.tf b/plan-patches/alb-aws/terraform/cf-lb_override.tf
deleted file mode 100644
index c3a88bbf1..000000000
--- a/plan-patches/alb-aws/terraform/cf-lb_override.tf
+++ /dev/null
@@ -1,146 +0,0 @@
-resource "aws_lb" "cf_router" {
- name = "${var.short_env_id}-cf-router-lb"
- load_balancer_type = "application"
-
- security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"]
- subnets = ["${aws_subnet.lb_subnets.*.id}"]
-}
-
-resource "aws_lb_listener" "cf_router_443" {
- load_balancer_arn = "${aws_lb.cf_router.arn}"
- port = "443"
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-2015-05"
- certificate_arn = "${aws_iam_server_certificate.lb_cert.arn}"
-
- default_action {
- target_group_arn = "${aws_lb_target_group.cf_router_443.arn}"
- type = "forward"
- }
-}
-
-resource "aws_lb_target_group" "cf_router_443" {
- name = "${var.short_env_id}-routertg-443"
- port = 443
- protocol = "HTTPS"
- vpc_id = "${local.vpc_id}"
-
- health_check {
- path = "/health"
- port = 8080
- }
-}
-
-resource "aws_lb_listener" "cf_router_4443" {
- load_balancer_arn = "${aws_lb.cf_router.arn}"
- port = "4443"
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-2015-05"
- certificate_arn = "${aws_iam_server_certificate.lb_cert.arn}"
-
- default_action {
- target_group_arn = "${aws_lb_target_group.cf_router_4443.arn}"
- type = "forward"
- }
-}
-
-resource "aws_lb_target_group" "cf_router_4443" {
- name = "${var.short_env_id}-routertg-4443"
- port = 4443
- protocol = "HTTPS"
- vpc_id = "${local.vpc_id}"
-
- health_check {
- path = "/health"
- port = 8080
- }
-}
-
-resource "aws_lb_listener" "cf_router_80" {
- load_balancer_arn = "${aws_lb.cf_router.arn}"
- port = "80"
- protocol = "HTTP"
-
- default_action {
- target_group_arn = "${aws_lb_target_group.cf_router_80.arn}"
- type = "forward"
- }
-}
-
-resource "aws_lb_target_group" "cf_router_80" {
- name = "${var.short_env_id}-routertg-80"
- port = 80
- protocol = "HTTP"
- vpc_id = "${local.vpc_id}"
-
- health_check {
- path = "/health"
- port = 8080
- }
-}
-
-resource "aws_security_group" "cf_router_lb_internal_security_group" {
- name = "${var.env_id}-cf-router-lb-internal-security-group"
- description = "CF Router Internal"
- vpc_id = "${local.vpc_id}"
-
- ingress {
- security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"]
- protocol = "tcp"
- from_port = 80
- to_port = 80
- }
-
- ingress {
- security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"]
- protocol = "tcp"
- from_port = 8080
- to_port = 8080
- }
-
- ingress {
- security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"]
- protocol = "tcp"
- from_port = 443
- to_port = 443
- }
-
- ingress {
- security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"]
- protocol = "tcp"
- from_port = 4443
- to_port = 4443
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- tags {
- Name = "${var.env_id}-cf-router-lb-internal-security-group"
- }
-
- lifecycle {
- ignore_changes = ["name"]
- }
-}
-
-output "cf_router_lb_name" {
- value = "${aws_lb.cf_router.name}"
-}
-
-output "cf_router_lb_url" {
- value = "${aws_lb.cf_router.dns_name}"
-}
-
-resource "aws_route53_record" "wildcard_dns" {
- zone_id = "${aws_route53_zone.env_dns_zone.id}"
- name = "*.${var.system_domain}"
- type = "CNAME"
- ttl = 300
-
- records = ["${aws_lb.cf_router.dns_name}"]
-}