
MSOCI-1623 Adds internal LB, removes external instance IP

Tag as v3.1.5
Duane Waddle преди 3 години
родител
ревизия
e452e0d74a
променени са 3 файла, в които са добавени 182 реда и са изтрити 14 реда
  1. 142 0
      base/threatquotient/alb.tf
  2. 37 0
      base/threatquotient/certificate.tf
  3. 3 14
      base/threatquotient/main.tf

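--- a/base/threatquotient/alb.tf
+++ b/base/threatquotient/alb.tf
@@ -0,0 +1,142 @@
+#----------------------------------------------------------------------------
+# INTERNAL LB
+#----------------------------------------------------------------------------
+resource "aws_alb" "internal" {
+  name               = "${local.server_name_stem}-alb-internal-${var.environment}"
+  security_groups    = [ aws_security_group.alb_internal.id ]
+  internal           = true
+  subnets            = var.public_subnets
+  load_balancer_type = "application"
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+
+  idle_timeout = 1200
+
+  tags = merge(var.standard_tags, var.tags, { Name = "${local.server_name_stem}-alb-internal-${var.environment}" })
+}
+
+# Create a new target group
+resource "aws_alb_target_group" "internal" {
+  name                 = "${local.server_name_stem}-alb-targets"
+  port                 = 443
+  protocol             = "HTTPS"
+  vpc_id               = var.vpc_id
+
+  health_check {
+    protocol = "HTTPS"
+    port     = "443"
+    path     = "/"
+    matcher  = "200,302"
+    timeout  = "4"
+    interval = "5"
+    unhealthy_threshold = 2
+    healthy_threshold   = 2
+  }
+
+  #stickiness {
+  #  type    = "lb_cookie"
+  #  enabled = false
+  #}
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_lb_target_group_attachment" "internal" {
+  count            = local.instance_count
+  target_group_arn = aws_alb_target_group.internal.arn
+  target_id        = aws_instance.instance[count.index].id
+  port             = 443
+}
+
+# Create a new alb listener
+resource "aws_alb_listener" "https_internal" {
+  load_balancer_arn = aws_alb.internal.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  certificate_arn   = aws_acm_certificate.cert_private.arn
+
+  default_action {
+    target_group_arn = aws_alb_target_group.internal.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "listener_http" {
+  load_balancer_arn = aws_alb.internal.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# #########################
+# # DNS Entry
+module "alb_private_dns_record" {
+  source = "../../submodules/dns/private_CNAME_record"
+
+  name = local.server_name_stem
+  target_dns_names = [ aws_alb.internal.dns_name ]
+  dns_info = var.dns_info
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}
+
+#----------------------------------------------------------------------------
+# ALB Security Group
+#----------------------------------------------------------------------------
+resource "aws_security_group" "alb_internal" {
+  vpc_id      = var.vpc_id
+  name        = "${local.server_name_stem}-alb-sg-internal"
+  description = "ALB for ${local.server_name_stem}"
+  tags = merge(var.standard_tags, var.tags)
+}
+
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
+resource "aws_security_group_rule" "internal_http_from_local" {
+  description = "HTTP inbound from internal VPCs"
+  type = "ingress"
+  from_port = "80"
+  to_port = "80"
+  protocol = "tcp"
+  cidr_blocks = var.supernets
+  security_group_id = aws_security_group.alb_internal.id
+}
+
+resource "aws_security_group_rule" "internal_https_from_local" {
+  description = "HTTPS inbound from internal_vpc"
+  type = "ingress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  cidr_blocks = var.supernets
+  security_group_id = aws_security_group.alb_internal.id
+}
+
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
+resource "aws_security_group_rule" "internal_alb_to_server" {
+  description = "HTTPS to the Server"
+  type = "egress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  source_security_group_id = aws_security_group.instance.id
+  security_group_id = aws_security_group.alb_internal.id
+}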

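--- a/base/threatquotient/certificate.tf
+++ b/base/threatquotient/certificate.tf
@@ -0,0 +1,37 @@
+#----------------------------------------------------------------------------
+# Public DNS Certificate
+#----------------------------------------------------------------------------
+resource "aws_acm_certificate" "cert_private" {
+  domain_name       = "${local.server_name_stem}.${var.dns_info["private"]["zone"]}"
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "cert_private" {
+  certificate_arn         = aws_acm_certificate.cert_private.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation_private: record.fqdn]
+}
+
+resource "aws_route53_record" "cert_validation_private" {
+  provider = aws.mdr-common-services-commercial
+
+  for_each = {
+    for dvo in aws_acm_certificate.cert_private.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["public"]["zone_id"] # private zones sitll use public dns for validation
+}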
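Review bot: This is a publicly-issued ACM certificate for an internal-only hostname (validated through the public zone, served only by an internal ALB), and ACM submits public certificates to Certificate Transparency logs by default, so `${local.server_name_stem}.<private zone>` becomes discoverable to anyone querying CT. If that hostname disclosure is unwanted, add `options { certificate_transparency_logging_preference = "DISABLED" }` to `aws_acm_certificate.cert_private` (the cert is then only trusted by clients that do not require SCTs, which is usually fine for an internal ALB); if it is acceptable, a one-line comment saying the name is expected to appear in CT would record the decision. The header comment `# Public DNS Certificate` also mislabels the resource, which is named `cert_private` and covers the private zone; `# Certificate for the private-zone name, DNS-validated via the public zone` would match what the code does, and the trailing comment on `zone_id` has a typo ("sitll").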

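--- a/base/threatquotient/main.tf
+++ b/base/threatquotient/main.tf
@@ -11,17 +11,9 @@ data "aws_kms_key" "ebs-key" {
   key_id = "alias/ebs_root_encrypt_decrypt"
 }
 
-resource "aws_network_interface" "instance" {
-  count = local.instance_count
-  subnet_id = var.public_subnets[count.index % 3]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.instance.id ]
-  description = "${local.server_name_stem}-${count.index}"
-  tags = merge(var.standard_tags, var.tags, { Name = "${local.server_name_stem}-${count.index}" })
-}
-
 resource "aws_instance" "instance" {
   count = local.instance_count
-  
+
   tenancy = "default"
   ebs_optimized = true
   disable_api_termination = var.instance_termination_protection
@@ -30,6 +22,8 @@ resource "aws_instance" "instance" {
   key_name = "msoc-build"
   monitoring = false
   iam_instance_profile = "msoc-default-instance-profile"
+  associate_public_ip_address = false
+  subnet_id = var.public_subnets[count.index % 3]
 
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
@@ -122,11 +116,6 @@ resource "aws_instance" "instance" {
     snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
   }
 
-  network_interface {
-    device_index = 0
-    network_interface_id = aws_network_interface.instance[count.index].id
-  }
-
   user_data = data.template_cloudinit_config.cloud_init_config[count.index].rendered
   tags = merge( var.standard_tags, var.tags, { Name = "${local.server_name_stem}-${count.index}" })
   volume_tags = merge( var.standard_tags, var.tags, { Name = "${local.server_name_stem}-${count.index}" })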
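Review bot: The removed `aws_network_interface.instance` was what attached `data.aws_security_group.typical-host` and `aws_security_group.instance` to the hosts, and the new `aws_instance` attributes in the second hunk (`associate_public_ip_address`, `subnet_id`) do not replace that; unless `vpc_security_group_ids` is set in a part of the resource outside these hunks, the instances are recreated with the VPC default security group, and the new ALB egress rule keyed on `aws_security_group.instance.id` no longer matches them. The line to add next to `subnet_id` is `vpc_security_group_ids = [ data.aws_security_group.typical-host.id, aws_security_group.instance.id ]`. It is also not visible in this commit whether `aws_security_group.instance` has an ingress rule from `aws_security_group.alb_internal` on 443; with the public IP gone the ALB is the only path in, so that rule should exist or health checks will fail. The `aws_instance.instance` resource starts at the first hunk and continues past the last one, so this cannot be confirmed from the diff.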