
Merge pull request #274 from mdr-engineering/feature/ftd_MSOCI-1795_RemoveSATOSAELB

Removes ELB for SATOSA
Frederick Damstra 3 yıl önce
ebeveyn
işleme
58577b2c43

+ 0 - 35
base/splunk_servers/customer_searchhead/certificate-auth.tf

@@ -1,35 +0,0 @@
-#Certificate 
-resource "aws_acm_certificate" "cert-auth" {
-  domain_name       = "${local.auth_short_name}.${var.dns_info["public"]["zone"]}"
-  validation_method = "DNS"
-
-  lifecycle {
-    create_before_destroy = true
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_acm_certificate_validation" "cert-auth" {
-  certificate_arn         = aws_acm_certificate.cert-auth.arn
-  validation_record_fqdns = [for record in aws_route53_record.cert-validation-auth: record.fqdn]
-}
-
-resource "aws_route53_record" "cert-validation-auth" {
-  provider = aws.mdr-common-services-commercial
-
-  for_each = {
-    for dvo in aws_acm_certificate.cert-auth.domain_validation_options : dvo.domain_name => {
-      name   = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type   = dvo.resource_record_type
-    }
-  }
-
-  allow_overwrite = true
-  name            = each.value.name
-  records         = [each.value.record]
-  ttl             = 60
-  type            = each.value.type
-  zone_id         = var.dns_info["public"]["zone_id"]
-}

+ 0 - 134
base/splunk_servers/customer_searchhead/elb-auth.tf

@@ -1,134 +0,0 @@
-resource "aws_lb" "searchhead-auth-alb" {
-  name               = "${local.alb_name}-auth"
-  internal           = false
-  load_balancer_type = "application"
-  # Not supported for NLB
-  security_groups    = [aws_security_group.searchhead-auth-alb-sg.id]
-  # Note, changing subnets results in recreation of the resource
-  subnets            = var.public_subnets
-  enable_cross_zone_load_balancing = true
-
-  access_logs {
-    bucket  = "xdr-elb-${ var.environment }"
-    enabled = true
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-#########################
-# Listeners
-resource "aws_lb_listener" "searchhead-auth-alb-listener-https" {
-  load_balancer_arn = aws_lb.searchhead-auth-alb.arn
-  port              = "443"
-  protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
-  certificate_arn   = aws_acm_certificate.cert-auth.arn
-
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn
-  }
-}
-
-# Redirect HTTP to HTTPS
-resource "aws_lb_listener" "searchhead-auth-alb-listener-http" {
-  load_balancer_arn = aws_lb.searchhead-auth-alb.arn
-  port              = "80"
-  protocol          = "HTTP"
-
-  default_action {
-    type             = "redirect"
-
-    redirect {
-      port        = "443"
-      protocol    = "HTTPS"
-      status_code = "HTTP_301"
-    }
-  }
-}
-
-#########################
-# Targets
-resource "aws_lb_target_group" "searchhead-auth-alb-target-10000" {
-  name     = "${local.alb_name}-10000"
-  port     = 10000
-  protocol = "HTTPS"
-  target_type = "instance"
-  vpc_id   = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
-
-  health_check {
-    enabled = true
-    path = "/Saml2IDP/proxy.xml"
-    port = 10000
-    protocol = "HTTPS"
-  }
-
-  # Stickiness is not needed here, but we'll need it if we add SHs
-  stickiness {
-    type = "lb_cookie"
-    cookie_duration = 86400 # 1 day
-    enabled = true
-  }
-}
-
-resource "aws_lb_target_group_attachment" "searchhead-auth-alb-target-10000-instance" {
-  target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn
-  target_id        = aws_instance.instance.id
-  port             = 10000
-}
-
-#########################
-# Security Group for ALB
-resource "aws_security_group" "searchhead-auth-alb-sg" {
-  name = "${local.alb_name}-customer-auth-alb-sh"
-  description = "Security Group for the Customer Searchhead Authorization ALB"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "searchhead-auth-alb-https-in" {
-  type              = "ingress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = local.alb_clients
-  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
-}
-
-resource "aws_security_group_rule" "searchhead-auth-http-in" {
-  # Port 80 is open as a redirect to 443
-  type              = "ingress"
-  from_port         = 80
-  to_port           = 80
-  protocol          = "tcp"
-  cidr_blocks       = local.alb_clients
-  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
-}
-
-resource "aws_security_group_rule" "searchhead-auth-alb-10000-out" {
-  type              = "egress"
-  from_port         = 10000
-  to_port           = 10000
-  protocol          = "tcp"
-  # Maybe should limit to the local vpc, but I don't readily have that cidr available
-  cidr_blocks       = [ var.vpc_cidr ]
-  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
-}
-
-#########################
-# DNS Entry
-module "public_dns_record_cust-auth-elb" {
-  source = "../../../submodules/dns/public_ALIAS_record"
-
-  name = "${local.auth_short_name}"
-
-  target_dns_name = aws_lb.searchhead-auth-alb.dns_name
-  target_zone_id  = aws_lb.searchhead-auth-alb.zone_id
-  dns_info = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}

+ 0 - 4
base/splunk_servers/customer_searchhead/outputs.tf

@@ -2,10 +2,6 @@ output fqdn {
   value = module.public_dns_record_cust-elb.forward
 }
 
-output auth-fqdn {
-  value = module.public_dns_record_cust-auth-elb.forward
-}
-
 output instance_arn {
   value = aws_instance.instance.arn
 }

+ 5 - 2
base/splunk_servers/customer_searchhead/waf.tf

@@ -7,7 +7,8 @@ module "waf" {
   resource_arn = aws_lb.searchhead-alb.arn
   fqdns = concat( # first entry in list will be the WAF name
     keys(module.public_dns_record_cust-elb.forward),
-    keys(module.public_dns_record_cust-auth-elb.forward),
+    # example, to add additional valid hostnames
+    #    keys(module.public_dns_record_cust-auth-elb.forward),
   )
 
 
@@ -18,15 +19,17 @@ module "waf" {
   aws_account_id = var.aws_account_id
 }
 
+# Example: If you want to attach the WAF to an additional ALB
+#
 # Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
 # using the commented section below, if the need arises.
 
-# Temporary disabled
 #resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
 #  resource_arn = aws_lb.searchhead-auth-alb.arn
 #  web_acl_arn  = module.waf.web_acl_id
 #}
 
+# Example: If you want a second WAF, that should be straightforward
 #module "waf-auth" {
 #  source = "../../../submodules/wafv2"
 #
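Review bot: The example comment added to the `fqdns` list, `#    keys(module.public_dns_record_cust-auth-elb.forward),`, and the two `# Example:` headers in the second hunk still point at `module.public_dns_record_cust-auth-elb` and `aws_lb.searchhead-auth-alb.arn`, both of which this same commit deletes in elb-auth.tf, so uncommenting either example verbatim would fail at plan time. Consider making the placeholders generic, e.g. `#    keys(module.<additional_dns_record_module>.forward),` and `#  resource_arn = aws_lb.<additional_alb>.arn`, or say in the comment that the named resources were removed by this change. It would also help to record next to `resource_arn` that after this change the shared WAF is associated with `aws_lb.searchhead-alb` only, so any future load balancer exposing the search head has to be added to this module (or to a second `aws_wafv2_web_acl_association`) to stay behind the web ACL. The `module "waf"` block starts before the first hunk, so its remaining arguments are not visible here.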