
Merge pull request #416 from mdr-engineering/feature/ftd_MSOCI-2138_StaticIPForHEC

Adds NLB with static IP for HEC
Frederick Damstra 3 년 전
부모
커밋
d7aa5c305e

+ 9 - 0
base/splunk_servers/indexer_cluster/asg.tf

@@ -15,6 +15,9 @@ module "indexer0" {
   iam_instance_profile       = module.instance_profile.profile_id
   common_services_account    = var.common_services_account
   tags = merge(var.standard_tags, var.tags, var.instance_tags[0], { Name = "${local.asg_name}-0" } )
+
+  # 2022-04-22: FTD - Debugging dying indexers in test
+  suspended_processes = var.environment == "test" ? [ "Terminate" ] : [ ]
 }
 
 module "indexer1" {
@@ -34,6 +37,9 @@ module "indexer1" {
   iam_instance_profile       = module.instance_profile.profile_id
   common_services_account    = var.common_services_account
   tags = merge(var.standard_tags, var.tags, var.instance_tags[1], { Name = "${local.asg_name}-1" } )
+
+  # 2022-04-22: FTD - Debugging dying indexers in test
+  suspended_processes = var.environment == "test" ? [ "Terminate" ] : [ ]
 }
 
 module "indexer2" {
@@ -53,4 +59,7 @@ module "indexer2" {
   iam_instance_profile       = module.instance_profile.profile_id
   common_services_account    = var.common_services_account
   tags = merge(var.standard_tags, var.tags, var.instance_tags[2], { Name = "${local.asg_name}-2" } )
+
+  # 2022-04-22: FTD - Debugging dying indexers in test
+  suspended_processes = var.environment == "test" ? [ "Terminate" ] : [ ]
 }
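Review bot: The same `suspended_processes` expression is pasted into indexer0, indexer1 and indexer2 (lines 20, 30, 40), and the dated debugging comment gives no condition for removing it. Hoisting it into one local, `debug_suspended_processes = var.environment == "test" ? ["Terminate"] : []`, with each module reading `suspended_processes = local.debug_suspended_processes`, leaves a single place to revert when the investigation ends. While `Terminate` is suspended the test ASGs cannot scale in and, presumably, cannot replace instances they have marked unhealthy, so leaving this in past the debugging window keeps dying indexers alive rather than surfacing the fault. The three `module` blocks each start outside their hunk.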

+ 0 - 15
base/splunk_servers/indexer_cluster/elb-without-ack.tf

@@ -2,21 +2,6 @@
 # An external ALB for the indexers for HEC
 #------------------------------------------------------------------------------
 
-#########################
-# DNS Entry
-module "public_dns_record_hec" {
-  source = "../../../submodules/dns/public_ALIAS_record"
-
-  name = "${var.prefix}-hec"
-  target_dns_name = aws_lb.hec.dns_name
-  target_zone_id  = aws_lb.hec.zone_id
-  dns_info = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}
-
 #########################
 # Certificate
 resource "aws_acm_certificate" "hec_cert" {

+ 104 - 0
base/splunk_servers/indexer_cluster/nlb-for-hec.tf

@@ -0,0 +1,104 @@
+# An NLB to allow for a static IP on the hec
+
+#########################
+# DNS Entry
+module "public_dns_record_hec_static" {
+  source = "../../../submodules/dns/public_ALIAS_record"
+
+  name = "${var.prefix}-hec"
+  target_dns_name = aws_lb.hec_static.dns_name
+  target_zone_id  = aws_lb.hec_static.zone_id
+  dns_info = var.dns_info
+
+  providers = {
+    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
+  }
+}
+
+#########################
+# EIP
+resource "aws_eip" "hec_static" {
+  count = 2
+  vpc = true
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+#########################
+# ELB
+resource "aws_lb" "hec_static" {
+  tags               = merge(var.standard_tags, var.tags)
+  name               = "${var.prefix}-hec-static"
+  load_balancer_type = "network"
+  internal           = false
+
+  subnet_mapping {
+    subnet_id     = var.public_subnets[0]
+    allocation_id = aws_eip.hec_static[0].id
+  }
+
+  subnet_mapping {
+    subnet_id     = var.public_subnets[1]
+    allocation_id = aws_eip.hec_static[1].id
+  }
+
+  # Access logs are a feedback loop. They create logs that are then sent back through the HEC.
+  # They should remain disabled.
+  #access_logs {
+  #  bucket  = "xdr-elb-${ var.environment }"
+  #  enabled = true
+  #}
+}
+
+#resource "aws_lb_listener" "front_end" {
+#  load_balancer_arn = aws_lb.front_end.arn
+#  port              = "443"
+#  protocol          = "TLS"
+#  certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"
+#  alpn_policy       = "HTTP2Preferred"
+#
+#  default_action {
+#    type             = "forward"
+#    target_group_arn = aws_lb_target_group.front_end.arn
+#  }
+#}
+
+resource "aws_lb_listener" "hec_static_443" {
+  count             = anytrue([ local.is_moose, var.hec_listen_443 ]) ? 1 : 0
+  load_balancer_arn = aws_lb.hec_static.arn
+  port              = 443
+  protocol          = "TCP"
+  default_action {
+    type = "forward"
+    target_group_arn = aws_lb_target_group.hec_static_8088.arn
+  }
+}
+
+resource "aws_lb_listener" "hec_static_8088" {
+  load_balancer_arn = aws_lb.hec_static.arn
+  port              = 8088
+  protocol          = "TCP"
+  default_action {
+    type = "forward"
+    target_group_arn = aws_lb_target_group.hec_static_8088.arn
+  }
+}
+
+resource "aws_lb_target_group" "hec_static_8088" {
+  name         = "${var.prefix}-hec-static-targets"
+  port         = 8088
+  protocol     = "TCP"
+  target_type  = "alb"
+  vpc_id       = var.vpc_id
+
+#  health_chec_static {
+#    path     = "/services/collector/health/1.0"
+#    protocol = "HTTPS"
+#  }
+}
+
+resource "aws_lb_target_group_attachment" "hec_static" {
+  target_group_arn = aws_lb_target_group.hec_static_8088.arn
+  target_id        = aws_lb.hec.id
+  port             = 8088
+}
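Review bot: The commented-out `front_end` listener (lines 125–136) is a leftover provider example that references a certificate ARN under an unrelated account, and `health_chec_static` (line 166) looks like a find/replace artifact of `health_check`; both should be deleted rather than shipped in a new file. Since `aws_lb_target_group.hec_static_8088` declares no `health_check`, the NLB will use provider defaults against the ALB target, and a one-line comment saying that is intentional (or an explicit block) would save the next reader the same guess. The 443 listener (line 138) forwards to the 8088 target group, so clients on 443 reach `aws_lb.hec` on 8088; whether that ALB has an 8088 listener is not visible here and is worth confirming, as is that the ALB's security group admits the NLB-forwarded client traffic. Note the DNS record name `${var.prefix}-hec` (line 80) is the same one removed from elb-without-ack.tf, so the alias simply moves from the ALB to the NLB.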

+ 13 - 1
base/splunk_servers/indexer_cluster/outputs.tf

@@ -2,7 +2,7 @@ output "elb_attachments" {
   value = [ module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0] ]
 }
 
-output "nlb_ips" {
+output "splunkdata_nlb_ips" {
   # Should be in git@github.xdr.accenturefederalcyber.com:mdr-engineering/msoc-CUST-pop.git in deployment-apps/CUST_hf_outputs/local/outputs.conf
   value = aws_eip.nlb[*].public_ip
 }
@@ -10,3 +10,15 @@ output "nlb_ips" {
 output "instance_profile" {
   value = module.instance_profile.role_id
 }
+
+output "hec_static" {
+  value = module.public_dns_record_hec_static.forward
+}
+
+output "hec_ack" {
+  value = module.public_dns_record_hec_ack.forward
+}
+
+output "hec_nlb_ips" {
+  value = aws_eip.hec_static[*].public_ip
+}
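Review bot: Renaming `nlb_ips` to `splunkdata_nlb_ips` (line 186) breaks any remote-state or root-module reader of the old name, and the comment on line 187 says the value is carried by hand into another repository's outputs.conf, so the rename is visible to that process as well. If every reader cannot be updated in the same change, keep `output "nlb_ips" { value = aws_eip.nlb[*].public_ip }` alongside the new name with a deprecation comment. `hec_ack` (line 200) references `module.public_dns_record_hec_ack`, which does not appear in this diff — presumably it lives in a sibling file, but it is worth confirming before merge. Both `hec_static` and `hec_ack` now yield a list of FQDNs rather than a map, because this commit also changes the submodule's `forward` output.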

+ 1 - 1
submodules/dns/public_ALIAS_record/outputs.tf

@@ -1,4 +1,4 @@
 output "forward" { 
   # Parenthesis required to resolve ambiguity
-  value = { for entry in aws_route53_record.dns: entry.fqdn => entry.records }
+  value = [ for entry in aws_route53_record.dns: entry.fqdn ]
 }
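Review bot: The comment `# Parenthesis required to resolve ambiguity` (line 212) is stale now that the value is a plain list comprehension with no ambiguity to resolve; replace it with what the output holds, e.g. `# FQDNs of every Route53 record created by this module`. This submodule sits under `submodules/` and is shared, so changing `forward` from a fqdn → records map to a list of fqdns changes the output type for every caller, not just the HEC one; if any other caller reads the records, a new output (say `fqdns`) next to the existing one would avoid breaking them.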

+ 2 - 0
submodules/splunk/splunk_indexer_asg/main.tf

@@ -201,4 +201,6 @@ resource "aws_autoscaling_group" "splunk_indexer_asg" {
 
     # how long to wait for a healthy instance. Default is 10m, which sucks when troubleshooting, but larger instances need it
     #wait_for_capacity_timeout = "1m"
+
+    suspended_processes = var.suspended_processes
 }
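Review bot: `suspended_processes = var.suspended_processes` (line 225) carries no explanation of its operational effect, and the neighbouring comments are about capacity timeouts. A comment such as `# Normally empty. Suspending "Terminate" stops scale-in and unhealthy-instance replacement; set only temporarily while debugging.` would tell the next reader why the attribute exists and why it must not stay populated. The enclosing `aws_autoscaling_group` resource starts outside the hunk.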

+ 6 - 0
submodules/splunk/splunk_indexer_asg/variables.tf

@@ -1,3 +1,9 @@
+variable suspended_processes {
+  description = "Suspended processes for debugging the ASG"
+  type = list(string)
+  default = []
+}
+
 variable asg_number {
   type = number
 }
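Review bot: `suspended_processes` accepts any list of strings (line 234), so a typo such as `terminate` is only rejected at apply time by the AWS API, and the description does not say what suspending a process does to the group. A `validation` block restricting entries to the Auto Scaling process names catches the mistake at plan time; validation blocks need Terraform 0.13 or later, which the repo's use of `anytrue` in nlb-for-hec.tf suggests is already the case. The rewritten variable below also expands the description to state the intended (temporary) use.
```hcl
variable suspended_processes {
  description = "Auto Scaling processes to suspend (e.g. [\"Terminate\"]) while debugging; leave empty in normal operation"
  type        = list(string)
  default     = []

  validation {
    condition = alltrue([
      for p in var.suspended_processes : contains([
        "Launch", "Terminate", "AddToLoadBalancer", "AlarmNotification",
        "AZRebalance", "HealthCheck", "InstanceRefresh", "ReplaceUnhealthy",
        "ScheduledActions",
      ], p)
    ])
    error_message = "Each entry of suspended_processes must be an Auto Scaling process name."
  }
}
```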