
Merge pull request #206 from mdr-engineering/feature/bp_MSOCI-1622_sensu

Fixes Sensu ALB and Allows LCPs
Brad Poulton %!s(int64=4) %!d(string=hai) anos
pai
achega
6c801516f5
Modificáronse 3 ficheiros con 39 adicións e 5 borrados
  1. 29 3
      base/sensu/elb.tf
  2. 1 1
      base/sensu/main.tf
  3. 9 1
      base/sensu/vars.tf

+ 29 - 3
base/sensu/elb.tf

@@ -15,7 +15,7 @@ resource "aws_alb" "sensu_internal" {
   name               = "sensu-alb-internal-${var.environment}"
   security_groups    = [ aws_security_group.sensu_alb_server_internal.id ]
   internal           = true 
-  subnets            = var.subnets
+  subnets            = var.private_subnets
   load_balancer_type = "application"
 
 
@@ -134,7 +134,7 @@ resource "aws_alb" "sensu_external" {
   name               = "sensu-alb-external-${var.environment}"
   security_groups    = [ aws_security_group.sensu_alb_server_external.id ]
   internal           = false 
-  subnets            = var.subnets
+  subnets            = var.public_subnets
   load_balancer_type = "application"
 
 
@@ -180,7 +180,7 @@ resource "aws_lb_target_group_attachment" "sensu_external" {
 # Create a new alb listener
 resource "aws_alb_listener" "sensu_https_external" {
   load_balancer_arn = aws_alb.sensu_external.arn
-  port              = "8081"
+  port              = "443"
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
   certificate_arn   = aws_acm_certificate.cert_public.arn
@@ -221,6 +221,32 @@ resource "aws_security_group" "sensu_alb_server_external" {
 # INGRESS
 #----------------------------------------------------------------------------
 
+resource "aws_security_group_rule" "sensu-external-ips" {
+
+  # This deserves some explanation.  Terraform "for_each" expects to be
+  # getting as input a map of values to iterate over as part of the foreach.
+  # The keys of the map are used to name each of these objects created.  Looking
+  # in the terraform plan output of a for_each you'll see things like:
+  #
+  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
+  #
+  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
+  # makes a new thing that is a map of maps, where the key value is the description with
+  # blanks removed.
+  #
+  # We could have made the variable more natively-friendly to for_each but this seemed
+  # like a better solution for what we were trying to accomplish.
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "Sensu - ${each.value.description}"
+  type = "ingress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.sensu_alb_server_external.id
+}
+
 #count = 0 in test. No need to let customers connect to test. 
 resource "aws_security_group_rule" "sensu-afs-pop" {
   count = var.environment == "test" ? 0 : 1
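Review bot: The for_each key in the new `sensu-external-ips` rule is the description with all whitespace stripped (`replace(s.description,"/\\s*/","")`), so two entries whose descriptions differ only by spacing collide and Terraform aborts the plan with a duplicate-key error; since the key is also the resource address, any later edit to a description destroys and recreates that ingress rule rather than updating it in place, which is worth a one-line comment next to the for_each (`# NOTE: key is derived from description — renaming an entry recreates its rule`). The listener hunk above moves `sensu_https_external` from 8081 to 443 and this hunk opens 443 on `sensu_alb_server_external`, but no rule for 8081 is removed here; if one exists outside this diff it is now a dangling allow and should be dropped in the same change (I cannot see the rest of the file, so this is unconfirmed). The `sensu-afs-pop` resource that starts on the last lines of this hunk continues outside it.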

+ 1 - 1
base/sensu/main.tf

@@ -16,7 +16,7 @@ data "aws_kms_key" "ebs-key" {
 }
 
 resource "aws_network_interface" "instance" {
-  subnet_id = var.subnets[0]
+  subnet_id = var.private_subnets[0]
   security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.instance_security_group.id ]
   description = var.instance_name
   tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
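Review bot: The hard-coded `[0]` on `var.private_subnets[0]` pins the instance ENI to the first private subnet while the internal ALB in elb.tf spans all of `var.private_subnets`, and nothing in this resource says so; a short comment would save the next reader from treating it as a bug, e.g. `# ENI lives in the first private subnet only; the internal ALB spans all of var.private_subnets`. With the new variable having no default, an empty list passed by a caller fails at plan time on this index rather than with a clear message, which a validation block on the variable in vars.tf could state explicitly. The `aws_network_interface.instance` resource continues past the end of this hunk.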

+ 9 - 1
base/sensu/vars.tf

@@ -7,7 +7,11 @@ variable "azs" {
   type = list(string)
 }
 
-variable "subnets" {
+variable "private_subnets" {
+  type = list(string)
+}
+
+variable "public_subnets" {
   type = list(string)
 }
 
@@ -50,3 +54,7 @@ variable "aws_partition_alias" { type = string }
 variable "aws_account_id" { type = string }
 variable "common_services_account" { type = string }
 variable "instance_termination_protection" { type = bool }
+variable "c2_services_external_ips" {
+  type = list(object({cidr_blocks=list(string),description=string}))
+  default = []
+}
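Review bot: `c2_services_external_ips` feeds straight into the `cidr_blocks` of a 443 ingress rule on the external ALB security group in elb.tf, and the variable accepts any string, so a caller can pass `0.0.0.0/0` or a malformed prefix and only find out at apply time (or not at all, in the broad-CIDR case). The variable also has no `description` argument, although its `description` field is what elb.tf uses as the for_each key, which is non-obvious from this file alone. If the module targets Terraform 0.13 or later (the hunk's `object(...)` type and for_each usage suggest at least 0.12.6, but I cannot confirm 0.13), a `validation` block rejecting non-CIDR strings and the unrestricted range would catch both cases at plan time.

```hcl
variable "c2_services_external_ips" {
  description = "CIDR ranges allowed to reach the external Sensu ALB on 443. The description of each entry is used as the for_each key in elb.tf, so keep it stable and unique."
  type    = list(object({cidr_blocks=list(string),description=string}))
  default = []

  # Requires Terraform >= 0.13 (variable validation); cidrhost() fails on anything that is not a valid prefix.
  validation {
    condition = length([
      for s in var.c2_services_external_ips : s
      if length([for c in s.cidr_blocks : c if !can(cidrhost(c, 0)) || c == "0.0.0.0/0"]) > 0
    ]) == 0
    error_message = "Every cidr_blocks entry must be a valid CIDR prefix and must not be 0.0.0.0/0."
  }
}
```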