feat: Add http/https nlb resources (#32)

* feat: Add http/https nlb resources

* docs: update terraform docs

* chore: Update resource name leggth exceeding 32 characters

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: rebelopsio

clickhouse/README.md

@@ -95,8 +95,11 @@ At this stage the data should be present on all nodes of the cluster given that
 | [aws_kms_alias.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/kms_alias) | resource |
 | [aws_kms_key.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/kms_key) | resource |
 | [aws_lb.nlb](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb) | resource |
+| [aws_lb_listener.clickhouse_http_nlb_listener](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb_listener) | resource |
 | [aws_lb_listener.clickhouse_nlb_listener](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb_listener) | resource |
+| [aws_lb_target_group.clickhouse_http_nlb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb_target_group) | resource |
 | [aws_lb_target_group.clickhouse_nlb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb_target_group) | resource |
+| [aws_lb_target_group_attachment.clickhouse_http_nlb_target_group_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb_target_group_attachment) | resource |
 | [aws_lb_target_group_attachment.clickhouse_nlb_target_group_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/lb_target_group_attachment) | resource |
 | [aws_route53_record.clickhouse_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/route53_record) | resource |
 | [aws_route53_record.clickhouse_keeper](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/route53_record) | resource |
@@ -140,6 +143,7 @@ At this stage the data should be present on all nodes of the cluster given that
 | [aws_security_group_rule.keeper_outbound](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.keeper_raft](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.keeper_ssh](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.nlb_http_inbound](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.nlb_inbound](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.nlb_to_clickhouse](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/security_group_rule) | resource |
 | [aws_volume_attachment.clickhouse](https://registry.terraform.io/providers/hashicorp/aws/5.82.2/docs/resources/volume_attachment) | resource |

clickhouse/nlb.tf

@@ -28,6 +28,25 @@ resource "aws_lb_listener" "clickhouse_nlb_listener" {
   }
 }
 
+resource "aws_lb_listener" "clickhouse_http_nlb_listener" {
+  count             = var.enable_nlb ? 1 : 0
+  load_balancer_arn = aws_lb.nlb[0].arn
+  port              = var.enable_nlb_tls || var.enable_encryption ? var.https_port : var.http_port
+  protocol          = var.enable_nlb_tls ? "TLS" : "TCP"
+
+  # Use provided certificate ARN or generated certificate for HTTPS
+  certificate_arn = var.enable_nlb_tls ? (
+    var.use_generated_cert ? aws_acm_certificate.nlb[0].arn : var.tls_certificate_arn
+  ) : null
+
+  ssl_policy = var.enable_nlb_tls ? "ELBSecurityPolicy-TLS13-1-2-2021-06" : null
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.clickhouse_http_nlb_target_group[0].arn
+  }
+}
+
 resource "aws_lb_target_group" "clickhouse_nlb_target_group" {
   count       = var.enable_nlb ? 1 : 0
   name        = "${var.cluster_name}-nlb-tg"
@@ -48,9 +67,36 @@ resource "aws_lb_target_group" "clickhouse_nlb_target_group" {
   }
 }
 
+resource "aws_lb_target_group" "clickhouse_http_nlb_target_group" {
+  count       = var.enable_nlb ? 1 : 0
+  name        = "${substr(var.cluster_name, 0, 20)}-ch-http-tg"
+  port        = var.enable_encryption ? var.https_port : var.http_port
+  protocol    = "TCP"
+  vpc_id      = module.vpc.vpc_id
+  target_type = "ip"
+
+  health_check {
+    enabled             = true
+    port                = var.enable_encryption ? var.https_port : var.http_port
+    protocol            = "HTTP"
+    path                = "/ping"
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+    interval            = 30
+    timeout             = 10
+  }
+}
+
 resource "aws_lb_target_group_attachment" "clickhouse_nlb_target_group_attachment" {
   for_each         = var.enable_nlb ? module.clickhouse_cluster : {}
   target_group_arn = aws_lb_target_group.clickhouse_nlb_target_group[0].arn
   target_id        = module.clickhouse_cluster[each.key].id
   port             = var.enable_encryption ? var.tcp_port_secure : var.tcp_port
 }
+
+resource "aws_lb_target_group_attachment" "clickhouse_http_nlb_target_group_attachment" {
+  for_each         = var.enable_nlb ? module.clickhouse_cluster : {}
+  target_group_arn = aws_lb_target_group.clickhouse_http_nlb_target_group[0].arn
+  target_id        = module.clickhouse_cluster[each.key].id
+  port             = var.enable_encryption ? var.https_port : var.http_port
+}

clickhouse/sg.tf

@@ -33,6 +33,17 @@ resource "aws_security_group_rule" "nlb_inbound" {
   description       = "Allow inbound traffic to NLB"
 }
 
+resource "aws_security_group_rule" "nlb_http_inbound" {
+  count             = var.enable_nlb ? 1 : 0
+  security_group_id = aws_security_group.nlb[0].id
+  type              = "ingress"
+  from_port         = var.enable_encryption ? var.https_port : var.http_port
+  to_port           = var.enable_encryption ? var.https_port : var.http_port
+  protocol          = "tcp"
+  cidr_blocks       = var.nlb_type == "external" ? ["0.0.0.0/0"] : [local.vpc_cidr]
+  description       = "Allow inbound HTTP traffic to ClickHouse NLB"
+}
+
 resource "aws_security_group_rule" "nlb_to_clickhouse" {
   count                    = var.enable_nlb ? 1 : 0
   security_group_id        = aws_security_group.nlb[0].id