Switch Ingress ELB to a network load balancer

* Require terraform-provider-aws 1.7 or higher

aws/container-linux/kubernetes/ingress.tf

@@ -1,32 +1,80 @@
-# Ingress Network Load Balancer
+# Network Load Balancer for Ingress
-resource "aws_elb" "ingress" {
+resource "aws_lb" "ingress" {
   name               = "${var.cluster_name}-ingress"
+  load_balancer_type = "network"
+  internal           = false
+
   subnets = ["${aws_subnet.public.*.id}"]
-  security_groups = ["${aws_security_group.worker.id}"]
-
-  listener {
-    lb_port           = 80
-    lb_protocol       = "tcp"
-    instance_port     = 80
-    instance_protocol = "tcp"
 }
 
-  listener {
+# Forward HTTP traffic to instances
-    lb_port           = 443
+resource "aws_lb_listener" "ingress-http" {
-    lb_protocol       = "tcp"
+  load_balancer_arn = "${aws_lb.ingress.arn}"
-    instance_port     = 443
+  protocol          = "TCP"
-    instance_protocol = "tcp"
+  port              = 80
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.workers-http.arn}"
   }
+}
+
+# Forward HTTPS traffic to instances
+resource "aws_lb_listener" "ingress-https" {
+  load_balancer_arn = "${aws_lb.ingress.arn}"
+  protocol          = "TCP"
+  port              = 443
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.workers-https.arn}"
+  }
+}
+
+# Network Load Balancer target groups of instances
+
+resource "aws_lb_target_group" "workers-http" {
+  name        = "${var.cluster_name}-workers-http"
+  vpc_id      = "${aws_vpc.network.id}"
+  target_type = "instance"
+
+  protocol = "TCP"
+  port     = 80
 
   # Ingress Controller HTTP health check
   health_check {
-    target              = "HTTP:10254/healthz"
+    protocol = "HTTP"
-    healthy_threshold   = 2
+    port     = 10254
-    unhealthy_threshold = 4
+    path     = "/healthz"
-    timeout             = 5
+
-    interval            = 6
+    # NLBs required to use same healthy and unhealthy thresholds
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+
+    # Interval between health checks required to be 10 or 30
+    interval = 10
+  }
 }
 
-  connection_draining         = true
+resource "aws_lb_target_group" "workers-https" {
-  connection_draining_timeout = 300
+  name        = "${var.cluster_name}-workers-https"
+  vpc_id      = "${aws_vpc.network.id}"
+  target_type = "instance"
+
+  protocol = "TCP"
+  port     = 443
+
+  # Ingress Controller HTTP health check
+  health_check {
+    protocol = "HTTP"
+    port     = 10254
+    path     = "/healthz"
+
+    # NLBs required to use same healthy and unhealthy thresholds
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+
+    # Interval between health checks required to be 10 or 30
+    interval = 10
+  }
 }

aws/container-linux/kubernetes/outputs.tf

@@ -1,4 +1,4 @@
 output "ingress_dns_name" {
-  value       = "${aws_elb.ingress.dns_name}"
+  value       = "${aws_lb.ingress.dns_name}"
-  description = "DNS name of the ELB for distributing traffic to Ingress controllers"
+  description = "DNS name of the network load balancer for distributing traffic to Ingress controllers"
 }

aws/container-linux/kubernetes/require.tf

@@ -5,7 +5,7 @@ terraform {
 }
 
 provider "aws" {
-  version = "~> 1.0"
+  version = "~> 1.7"
 }
 
 provider "local" {

aws/container-linux/kubernetes/workers.tf

@@ -1,7 +1,6 @@
 # Workers AutoScaling Group
 resource "aws_autoscaling_group" "workers" {
   name = "${var.cluster_name}-worker ${aws_launch_configuration.worker.name}"
-  load_balancers = ["${aws_elb.ingress.id}"]
 
   # count
   desired_capacity          = "${var.worker_count}"
@@ -16,6 +15,12 @@ resource "aws_autoscaling_group" "workers" {
   # template
   launch_configuration = "${aws_launch_configuration.worker.name}"
 
+  # target groups to which instances should be added
+  target_group_arns = [
+    "${aws_lb_target_group.workers-http.id}",
+    "${aws_lb_target_group.workers-https.id}",
+  ]
+
   lifecycle {
     # override the default destroy and replace update behavior
     create_before_destroy = true
@@ -153,6 +158,16 @@ resource "aws_security_group_rule" "worker-node-exporter" {
   self      = true
 }
 
+resource "aws_security_group_rule" "ingress-health" {
+  security_group_id = "${aws_security_group.worker.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 10254
+  to_port     = 10254
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "worker-kubelet" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -193,16 +208,6 @@ resource "aws_security_group_rule" "worker-kubelet-read-self" {
   self      = true
 }
 
-resource "aws_security_group_rule" "ingress-health-self" {
-  security_group_id = "${aws_security_group.worker.id}"
-
-  type      = "ingress"
-  protocol  = "tcp"
-  from_port = 10254
-  to_port   = 10254
-  self      = true
-}
-
 resource "aws_security_group_rule" "worker-bgp" {
   security_group_id = "${aws_security_group.worker.id}"