
Merge pull request #128 from mdr-engineering/feature/ftd_na_ConfigurablePrivateHEC

Moved the private ELB into its own variable, independent of moose
Frederick Damstra 4 years ago
5499fecc41

+ 11 - 11
base/splunk_servers/indexer_cluster/elb-private-for-moose-only.tf → base/splunk_servers/indexer_cluster/elb-private.tf

@@ -6,10 +6,10 @@
 # DNS Entry
 module "private_dns_record_hec_pvt" {
   source = "../../../submodules/dns/private_CNAME_record"
-  enabled = local.is_moose ? true : false
+  enabled = var.splunk_private_hec ? true : false
 
   name = "${var.prefix}-hec"
-  target_dns_names = local.is_moose ? [ aws_lb.hec_pvt[0].dns_name ] : [ "na" ]
+  target_dns_names = var.splunk_private_hec ? [ aws_lb.hec_pvt[0].dns_name ] : [ "na" ]
   dns_info = var.dns_info
 
   providers = {
@@ -20,7 +20,7 @@ module "private_dns_record_hec_pvt" {
 #########################
 # Certificate - NOTE: Public certificate for a private HEC
 resource "aws_acm_certificate" "hec_pvt_cert" {
-  count = local.is_moose ? 1 : 0
+  count = var.splunk_private_hec ? 1 : 0
 
   domain_name       = "${var.prefix}-hec.${var.dns_info["private"]["zone"]}"
   validation_method = "DNS"
@@ -29,14 +29,14 @@ resource "aws_acm_certificate" "hec_pvt_cert" {
 }
 
 resource "aws_acm_certificate_validation" "hec_pvt_cert_validation" {
-  certificate_arn         = local.is_moose ? aws_acm_certificate.hec_pvt_cert[0].arn : ""
+  certificate_arn         = var.splunk_private_hec ? aws_acm_certificate.hec_pvt_cert[0].arn : ""
   validation_record_fqdns = [for record in aws_route53_record.hec_pvt_cert_validation: record.fqdn] # will be empty if not moose
 }
 
 resource "aws_route53_record" "hec_pvt_cert_validation" {
   provider = aws.mdr-common-services-commercial
 
-  for_each = ( local.is_moose ? {
+  for_each = ( var.splunk_private_hec ? {
       for dvo in aws_acm_certificate.hec_pvt_cert[0].domain_validation_options: dvo.domain_name => {
         name   = dvo.resource_record_name
         record = dvo.resource_record_value
@@ -56,7 +56,7 @@ resource "aws_route53_record" "hec_pvt_cert_validation" {
 #########################
 # ELB
 resource "aws_lb" "hec_pvt" {
-  count = local.is_moose ? 1 : 0
+  count = var.splunk_private_hec ? 1 : 0
 
   tags               = merge(var.standard_tags, var.tags)
   name               = "${var.prefix}-hec-private"
@@ -67,7 +67,7 @@ resource "aws_lb" "hec_pvt" {
 }
 
 resource "aws_lb_listener" "hec_pvt_443" {
-  count             = local.is_moose ? 1 : 0
+  count             = var.splunk_private_hec ? 1 : 0
 
   load_balancer_arn = aws_lb.hec_pvt[0].arn
   port              = 443
@@ -81,7 +81,7 @@ resource "aws_lb_listener" "hec_pvt_443" {
 }
 
 resource "aws_lb_listener" "hec_pvt_8088" {
-  count = local.is_moose ? 1 : 0
+  count = var.splunk_private_hec ? 1 : 0
 
   load_balancer_arn = aws_lb.hec_pvt[0].arn
   port              = 8088
@@ -95,7 +95,7 @@ resource "aws_lb_listener" "hec_pvt_8088" {
 }
 
 resource "aws_lb_target_group" "hec_pvt_8088" {
-  count = local.is_moose ? 1 : 0
+  count = var.splunk_private_hec ? 1 : 0
 
   name         = "${var.prefix}-hec-pvt-targets"
   port         = 8088
@@ -109,9 +109,9 @@ resource "aws_lb_target_group" "hec_pvt_8088" {
   }
 }
 
-# Attach the instnaces to the ELB
+# Attach the instances to the ELB
 resource "aws_autoscaling_attachment" "hec_pvt_asg_attachments" {
-  for_each = local.is_moose ? toset([ module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0] ]) : []
+  for_each = var.splunk_private_hec ? toset([ module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0] ]) : []
   alb_target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
   autoscaling_group_name = each.key
 }
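Review bot: The comment on `validation_record_fqdns` in the `hec_pvt_cert_validation` hunk still says `# will be empty if not moose`, but the `for_each` it refers to is now gated on `var.splunk_private_hec`, so the comment describes the old condition; change it to `# will be empty unless var.splunk_private_hec is set`. The same gating swap applies to every resource in this file, and since the new variable defaults to `false` in vars.tf, moose deployments that previously got this ELB automatically via `local.is_moose` will have it destroyed unless their tfvars now set `splunk_private_hec = true` — presumably intended by "independent of moose", but worth confirming against those deployments before apply. The `module "private_dns_record_hec_pvt"` block begins inside the first hunk and continues past it.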

+ 27 - 5
base/splunk_servers/indexer_cluster/security-group-elb-pvt.tf

@@ -1,5 +1,5 @@
 resource "aws_security_group" "hec_pvt_elb_security_group" {
-  count = local.is_moose ? 1 : 0
+  count = var.splunk_private_hec ? 1 : 0
   name = "hec_pvt_elb_security_group"
   description = "Security Group for the private moose HEC ELBs"
   vpc_id = var.vpc_id
@@ -7,7 +7,7 @@ resource "aws_security_group" "hec_pvt_elb_security_group" {
 }
 
 ## Ingress
-resource "aws_security_group_rule" "hec-pvt-https-in" {
+resource "aws_security_group_rule" "hec-pvt-https-in-moose" {
   count             = local.is_moose ? 1 : 0
   description       = "HEC port - HTTPS for moose only"
   type              = "ingress"
@@ -18,9 +18,20 @@ resource "aws_security_group_rule" "hec-pvt-https-in" {
   security_group_id = aws_security_group.hec_pvt_elb_security_group[0].id
 }
 
-resource "aws_security_group_rule" "hec-pvt-in" {
+resource "aws_security_group_rule" "hec-pvt-https-in-customer" {
+  count             = var.splunk_private_hec ? 1 : 0
+  description       = "HEC port - HTTPS for customer instances"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = [ var.vpc_cidr ]
+  security_group_id = aws_security_group.hec_pvt_elb_security_group[0].id
+}
+
+resource "aws_security_group_rule" "hec-pvt-in-moose" {
   count             = local.is_moose ? 1 : 0
-  description       = "HEC port in"
+  description       = "HEC port in - Moose Only"
   type              = "ingress"
   from_port         = 8088
   to_port           = 8088
@@ -29,9 +40,20 @@ resource "aws_security_group_rule" "hec-pvt-in" {
   security_group_id = aws_security_group.hec_pvt_elb_security_group[0].id
 }
 
+resource "aws_security_group_rule" "hec-pvt-in-customer" {
+  count             = var.splunk_private_hec ? 1 : 0
+  description       = "HEC port in for Customer"
+  type              = "ingress"
+  from_port         = 8088
+  to_port           = 8088
+  protocol          = "tcp"
+  cidr_blocks       = [ var.vpc_cidr ]
+  security_group_id = aws_security_group.hec_pvt_elb_security_group[0].id
+}
+
 ## Egress
 resource "aws_security_group_rule" "hec-pvt-out" {
-  count             = local.is_moose ? 1 : 0
+  count             = var.splunk_private_hec ? 1 : 0
   description       = "HEC to the indexers"
   type              = "egress"
   from_port         = 8088
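Review bot: The moose-only rules `hec-pvt-https-in-moose` and `hec-pvt-in-moose` keep `count = local.is_moose ? 1 : 0` but reference `aws_security_group.hec_pvt_elb_security_group[0].id`, whose count is now `var.splunk_private_hec ? 1 : 0`; in a moose deployment with the variable left at its default, that index has no element and the plan fails. Either gate those two rules on both conditions, `count = (local.is_moose && var.splunk_private_hec) ? 1 : 0`, or keep the security group itself alive for both cases, `count = (local.is_moose || var.splunk_private_hec) ? 1 : 0`. The new customer rules `hec-pvt-https-in-customer` and `hec-pvt-in-customer` admit 443 and 8088 from the whole `var.vpc_cidr`; if the sending instances live in known subnets or carry a security group, a narrower `cidr_blocks` or `source_security_group_id` would limit which VPC members can reach the collector. The security group's `description = "Security Group for the private moose HEC ELBs"` is also now stale, since the group is created for any customer with a private HEC.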

+ 6 - 0
base/splunk_servers/indexer_cluster/vars.tf

@@ -3,6 +3,12 @@ variable "prefix" {
   type = string
 }
 
+variable "splunk_private_hec" {
+  description = "Whether the customer needs a private HTTP Event Collector"
+  type = bool
+  default = false
+}
+
 variable "splunk_volume_sizes" {
   description = "Map of volume sizes"
   type = map(map(number))