Ebs root volume and other fixes

README.md

@@ -45,6 +45,7 @@ In addition, you have the option to create:
 | ebs\_encrypted | Encrypts EBS volume | `bool` | `true` | no |
 | ebs\_kms\_key\_id | Encrypts EBS volume with custom KMS key (requires ebs\_encrypted=true) | `string` | `""` | no |
 | ebs\_mount\_dir | Custom EBS mount point - e.g /home | `string` | `"/mnt/ebs"` | no |
+| ebs\_root\_size | Size of EBS root volume in GB | `number` | `40` | no |
 | ebs\_size | Size of EBS volumes in GB | `number` | `40` | no |
 | ebs\_type | EBS volume type | `string` | `"gp2"` | no |
 | efs\_mount\_dir | Custom EFS mount point - e.g /home | `string` | `"/mnt/efs"` | no |

_variables.tf

@@ -70,6 +70,11 @@ variable "efs_mount_dir" {
   description = "Custom EFS mount point - e.g /home"
 }
 
+variable "ebs_root_size" {
+  default     = 40
+  description = "Size of EBS root volume in GB"
+}
+
 variable "ebs_size" {
   default     = 40
   description = "Size of EBS volumes in GB"

alb.tf

@@ -46,8 +46,8 @@ resource "aws_lb_listener" "alb_https_listener" {
   load_balancer_arn = aws_lb.alb[0].arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-2016-08"
-  certificate_arn   = var.certificate_arn
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+  certificate_arn   = var.certificate_arn == "" ? null : var.certificate_arn
 
   default_action {
     type             = "forward"
@@ -60,4 +60,4 @@ resource "aws_autoscaling_attachment" "alb_asg_attachment" {
   autoscaling_group_name = aws_autoscaling_group.asg[count.index].name
   lb_target_group_arn    = aws_lb_target_group.alb_tg[0].arn
   depends_on             = [aws_lb_target_group.alb_tg]
-}
+}

launch-template.tf

@@ -46,15 +46,17 @@ resource "aws_launch_template" "default" {
     arn = aws_iam_instance_profile.default.arn
   }
 
+  dynamic "block_device_mappings" {
+    for_each = var.ebs_root_size > 0 ? [1] : []
+    content {
+      device_name = "/dev/sda1"
 
-  block_device_mappings {
-    device_name = "/dev/sda1"
-
-    ebs {
-      volume_size           = var.ebs_size
-      delete_on_termination = true
-      volume_type           = "gp2"
-      encrypted             = false
+      ebs {
+        volume_size           = var.ebs_root_size
+        delete_on_termination = true
+        volume_type           = "gp2"
+        encrypted             = false
+      }
     }
   }
 

userdata-cwlogs.tpl

@@ -2,7 +2,7 @@
 echo "### SETUP CLOUDWATCH LOGS AGENT"
 
 yum update -y
-yum install -y awslogs
+yum install -y awslogs amazon-cloudwatch-agent
 
 # UNTESTED CODE BELOW
 cat <<EOF >> /tmp/cwlogs-config.json

userdata-ebs.tpl

@@ -31,4 +31,4 @@ mkdir -p $${EBS_DIR}
 mount $${VOLUME} $${EBS_DIR}
 
 # Persist the volume in /etc/fstab so it gets mounted again
-echo '$${VOLUME} $${EBS_DIR} ext4 defaults,nofail 0 2' >> /etc/fstab
+echo "$${VOLUME} $${EBS_DIR} ext4 defaults,nofail 0 2" >> /etc/fstab