
Merge pull request #136 from mdr-engineering/feature/ftd_MSOCI-1625_MigrateMooseToGC

Updates legacy_hec module to better handle iratemoses aliases
Frederick Damstra 4 年之前
父節點
當前提交
2e6a86d031

+ 33 - 2
base/splunk_servers/legacy_hec/README.md

@@ -1,5 +1,36 @@
-This module creates two HEC load balancers for legacy compatibility. It should not be added to new accounts.
+# Summary
 
-Without this, the existing customer AWS data and other things submitting ot the HEC could get lost during the migration.
+This module creates HEC load balancers using the previous domain name for
+for legacy compatibility. It should not be added to new accounts.
+
+Without this, the existing customer AWS data and other things submitting to the
+HEC could get lost during the migration.
 
 But if activity is low/zero, destroy it!
+
+## iratemoses Aliases
+
+Additionally, for MOOSE only, it creates 'iratemoses' aliases.
+
+## List of HECs
+
+### Permanent:
+
+These are the HECs created by the indexer cluster module, which will stick around:
+
+moose-hec.xdrtest.accenturefederalcyber.com - Non-ack external HEC
+moose-hec-ack.xdrtest.accenturefederalcyber.com - ACK external HEC
+moose-hec.pvt.xdrtest.accenturefederalcyber.com - non-ack internal HEC
+moose-hec-ack.pvt.xdrtest.accenturefederalcyber.com - ACK internal HEC
+
+These are the HECs that are created by the legacy_hec module, which should not be used for any new purposes:
+
+moose-hec.mdr-test.defpoint.com
+moose-hec-ack.mdr-test.defpoint.com
+iratemoses.msoc.defpoint.local (moose only)
+iratemoses.mdr-test.defpoint.com (moose only)
+
+Notably, the following intentionally do not exist:
+
+moose-hec.msoc.defpoint.local
+moose-hec-ack.msoc.defpoint.local

+ 19 - 0
base/splunk_servers/legacy_hec/elb-with-acks.tf

@@ -14,6 +14,25 @@ resource "aws_route53_record" "hec-ack" {
   provider = aws.legacy
 }
 
+resource "aws_route53_record" "hec-ack-internal" {
+  # the 'private' copy of the msoc.defpoint.com domain
+  name = "${var.prefix}-hec-ack"
+  type = "CNAME"
+  zone_id = var.dns_info["legacy_public_internal"]["zone_id"]
+  ttl = "600"
+  records = [ aws_elb.hec_classiclb.dns_name ]
+
+  provider = aws.legacy
+}
+
+output hec-with-acks-fqdn {
+  value = aws_route53_record.hec-ack.fqdn
+}
+
+output hec-with-acks-records {
+  value = aws_elb.hec_classiclb.dns_name
+}
+
 #########################
 # Certificate
 resource "aws_acm_certificate" "hec_classiclb_cert" {
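Review bot: The comment on the new `hec-ack-internal` record says it is the private copy of the `msoc.defpoint.com` domain, but the zone it writes into is keyed `legacy_public_internal`, and the README updated in this same commit lists the legacy ack alias only as `moose-hec-ack.mdr-test.defpoint.com` while stating that `moose-hec-ack.msoc.defpoint.local` intentionally does not exist; one of the two appears stale, so the comment should name whatever zone `legacy_public_internal` actually holds, e.g. `# private-hosted-zone copy of the legacy public zone (README: moose-hec-ack.<legacy zone>)`. The two outputs only surface the existing `hec-ack` record and the ELB name, so the alias this hunk adds is not exposed anywhere; consider `output hec-with-acks-internal-fqdn { value = aws_route53_record.hec-ack-internal.fqdn }` next to them. As a point of style, the output labels are unquoted (`output hec-with-acks-fqdn {`) while every resource label in the hunk is quoted; `terraform fmt` would rewrite them to `output "hec-with-acks-fqdn" {`, so quoting them now avoids later churn.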

+ 35 - 12
base/splunk_servers/legacy_hec/elb-without-ack-internal.tf

@@ -1,19 +1,39 @@
 #------------------------------------------------------------------------------
-# An external ALB for the indexers for HEC
+# An internal ALB without ACKs for moose only
 #------------------------------------------------------------------------------
 
 #########################
 # DNS Entry
 resource "aws_route53_record" "hec_internal" {
+  count = local.is_moose ? 1 : 0
   name = "iratemoses"
   type = "CNAME"
   zone_id = var.dns_info["legacy_private"]["zone_id"]
   ttl = "600"
-  records = [ aws_lb.hec_internal.dns_name ]
+  records = [ aws_lb.hec_internal[count.index].dns_name ]
 
   provider = aws.legacy
 }
 
+resource "aws_route53_record" "hec_internal_accenturefederalcyber" {
+  count = local.is_moose ? 1 : 0
+  name = "iratemoses"
+  type = "CNAME"
+  zone_id = var.dns_info["private"]["zone_id"]
+  ttl = "600"
+  records = [ aws_lb.hec_internal[count.index].dns_name ]
+
+  provider = aws.c2
+}
+
+output hec-without-acks-internal-fqdn {
+  value = local.is_moose ? aws_route53_record.hec_internal[0].fqdn : "<not created for non-moose>"
+}
+
+output hec-without-acks-internal-records {
+  value = local.is_moose ? aws_lb.hec_internal[0].dns_name : "<not created for non-moose>"
+}
+
 #########################
 # Certificate
 
@@ -22,6 +42,7 @@ resource "aws_route53_record" "hec_internal" {
 #########################
 # ELB
 resource "aws_lb" "hec_internal" {
+  count              = local.is_moose ? 1 : 0
   tags               = merge(var.standard_tags, var.tags)
   name               = "iratemoses"
   load_balancer_type = "application"
@@ -32,31 +53,33 @@ resource "aws_lb" "hec_internal" {
 
 resource "aws_lb_listener" "hec_internal_443" {
   count             = local.is_moose ? 1 : 0
-  load_balancer_arn = aws_lb.hec.arn
+  load_balancer_arn = aws_lb.hec_internal[count.index].arn
   port              = 443
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
-  certificate_arn   = aws_acm_certificate.hec_cert.arn
+  certificate_arn   = aws_acm_certificate.hec_cert.arn # Intentionally using the external cert
   default_action {
     type = "forward"
-    target_group_arn = aws_lb_target_group.hec_internal_8088.arn
+    target_group_arn = aws_lb_target_group.hec_internal_8088[count.index].arn
   }
 }
 
 resource "aws_lb_listener" "hec_internal_8088" {
-  load_balancer_arn = aws_lb.hec.arn
+  count             = local.is_moose ? 1 : 0
+  load_balancer_arn = aws_lb.hec_internal[count.index].arn
   port              = 8088
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
-  certificate_arn   = aws_acm_certificate.hec_cert.arn
+  certificate_arn   = aws_acm_certificate.hec_cert.arn # Intentionally using the external cert
   default_action {
     type = "forward"
-    target_group_arn = aws_lb_target_group.hec_internal_8088.arn
+    target_group_arn = aws_lb_target_group.hec_internal_8088[count.index].arn
   }
 }
 
 resource "aws_lb_target_group" "hec_internal_8088" {
-  name         = "${var.prefix}-legacy-hec-targets"
+  count        = local.is_moose ? 1 : 0
+  name         = "${var.prefix}-legacy-hec-int-tgts"
   port         = 8088
   protocol     = "HTTPS"
   target_type  = "instance"
@@ -68,9 +91,9 @@ resource "aws_lb_target_group" "hec_internal_8088" {
   }
 }
 
-# Attach the instnaces to the ELB
+# Attach the instances to the ELB
 resource "aws_autoscaling_attachment" "hec_internal_asg_attachments" {
-  for_each = toset( var.elb_attachments )
-  alb_target_group_arn = aws_lb_target_group.hec_internal_8088.arn
+  for_each = local.is_moose ? toset( var.elb_attachments ) : []
+  alb_target_group_arn = aws_lb_target_group.hec_internal_8088[0].arn
   autoscaling_group_name = each.key
 }
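Review bot: Both internal listeners (`hec_internal_443`, `hec_internal_8088`) terminate TLS with `aws_acm_certificate.hec_cert`, whose subject and SANs (in elb-without-ack.tf) cover only names under the `legacy_public` zone, yet the two new CNAMEs `hec_internal` and `hec_internal_accenturefederalcyber` publish this ALB as `iratemoses` in the `legacy_private` and `private` zones, which that certificate does not name. Any sender using those internal aliases will therefore fail hostname verification unless it turns verification off, which quietly removes the protection TLS is meant to give; the `# Intentionally using the external cert` comment should say so, e.g. `# Intentionally using the external cert: it does NOT cover iratemoses in the legacy_private/private zones, so internal senders must pin the cert or skip hostname verification`. If the internal aliases are meant to be verified, the fix is a SAN for them (or a separate internal certificate), not a comment. Separately, in `hec_internal_asg_attachments` the false branch of the `for_each` conditional is the untyped empty tuple `[]` against a `set(string)` true branch; if this Terraform version refuses to unify the two, `for_each = toset(local.is_moose ? var.elb_attachments : [])` is the safer form.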

+ 46 - 3
base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -14,7 +14,22 @@ resource "aws_route53_record" "hec" {
   provider = aws.legacy
 }
 
+resource "aws_route53_record" "hec_public_internal" {
+  name = "${var.prefix}-hec"
+  type = "CNAME"
+  zone_id = var.dns_info["legacy_public_internal"]["zone_id"]
+  ttl = "600"
+  records = [ aws_lb.hec.dns_name ]
+
+  provider = aws.legacy
+}
+
+output hec-without-ack-fqdn {
+  value = aws_route53_record.hec.fqdn
+}
+
 resource "aws_route53_record" "iratemoses" {
+  count = local.is_moose ? 1 : 0
   name = "iratemoses"
   type = "CNAME"
   zone_id = var.dns_info["legacy_public"]["zone_id"]
@@ -24,15 +39,43 @@ resource "aws_route53_record" "iratemoses" {
   provider = aws.legacy
 }
 
+resource "aws_route53_record" "iratemoses_public_internal" {
+  count = local.is_moose ? 1 : 0
+  name = "iratemoses"
+  type = "CNAME"
+  zone_id = var.dns_info["legacy_public_internal"]["zone_id"]
+  ttl = "600"
+  records = [ aws_lb.hec.dns_name ]
+
+  provider = aws.legacy
+}
+
+resource "aws_route53_record" "iratemoses_public" {
+  count = local.is_moose ? 1 : 0
+  name = "iratemoses"
+  type = "CNAME"
+  zone_id = var.dns_info["public"]["zone_id"]
+  ttl = "600"
+  records = [ aws_lb.hec.dns_name ]
+
+  provider = aws.mdr-common-services-commercial
+}
+
+output hec-without-ack-iratemoses-fqdn {
+  value = local.is_moose ? aws_route53_record.iratemoses[0].fqdn : "<not created for non-moose>"
+}
+
+output hec-without-ack-records {
+  value = aws_lb.hec.dns_name
+}
+
 #########################
 # Certificate
 resource "aws_acm_certificate" "hec_cert" {
   domain_name       = "${var.prefix}-hec.${var.dns_info["legacy_public"]["zone"]}"
   validation_method = "DNS"
 
-  subject_alternative_names = [
-    "iratemoses.${var.dns_info["legacy_public"]["zone"]}",
-  ]
+  subject_alternative_names = local.is_moose ? [ "iratemoses.${var.dns_info["legacy_public"]["zone"]}" ] : [ ]
 
   tags = merge(var.standard_tags, var.tags)
 }
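Review bot: The new `iratemoses_public` record publishes the HEC ALB as `iratemoses` in the `public` zone via the `mdr-common-services-commercial` provider, but `hec_cert` below is issued for `${var.prefix}-hec` plus, for moose only, `iratemoses` under `legacy_public`, so the name this record creates is not covered by the certificate the listeners serve and clients will see a hostname mismatch. The README in this commit also lists only `iratemoses.mdr-test.defpoint.com` and `iratemoses.msoc.defpoint.local` as legacy aliases, so the `public` and `legacy_public_internal` variants added here are undocumented; either add them to the README's legacy list with the same "do not use for new purposes" warning, or drop the public-zone record, since it extends a legacy-only name into the non-legacy public domain. If the record stays, the SAN list needs the public name as well, e.g. `"iratemoses.${var.dns_info["public"]["zone"]}"`, and DNS validation for that name must be achievable in that zone. Note also that changing `subject_alternative_names` forces replacement of `aws_acm_certificate.hec_cert` for non-moose accounts (the attribute is create-only in the AWS provider); the resource has no `lifecycle { create_before_destroy = true }` block, so the listeners still referencing the old ARN can make the apply fail or interrupt TLS on the HEC endpoints during the swap.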