
Merge pull request #115 from mdr-engineering/feature/ftd_MSOCI-1445_LegacyCompatibilityALBs

Creates ELBs with legacy DNS names and certificates for use during migration
Frederick Damstra 4 年之前
当前提交
efb2dfecdc

+ 3 - 0
base/splunk_servers/indexer_cluster/outputs.tf

@@ -0,0 +1,3 @@
+output "elb_attachments" {
+  value = [ module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0] ]
+}
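Review bot: The new `elb_attachments` output carries no `description`, so a consumer reading `terraform output` or the module docs cannot tell that it is a list of ASG names rather than ELB identifiers. Adding `description = "Autoscaling group names of indexer0..2, for attaching to external load balancers"` would make that explicit. The `[0]` index on each `asg_name` suggests the indexer module exposes a list, which is not visible in this PR; worth confirming it is never empty, since an empty list would fail the index at plan time.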

+ 5 - 0
base/splunk_servers/legacy_hec/README.md

@@ -0,0 +1,5 @@
+This module creates two HEC load balancers for legacy compatibility. It should not be added to new accounts.
+
+Without this, the existing customer AWS data and other things submitting ot the HEC could get lost during the migration.
+
+But if activity is low/zero, destroy it!

+ 168 - 0
base/splunk_servers/legacy_hec/elb-with-acks.tf

@@ -0,0 +1,168 @@
+#------------------------------------------------------------------------------
+# An external ELB for the indexers for HEC, because acknowledgements
+#------------------------------------------------------------------------------
+
+#########################
+# DNS Entry
+resource "aws_route53_record" "hec-ack" {
+  name = "${var.prefix}-hec-ack"
+  type = "CNAME"
+  zone_id = var.dns_info["legacy_public"]["zone_id"]
+  ttl = "600"
+  records = [ aws_elb.hec_classiclb.dns_name ]
+
+  provider = aws.legacy
+}
+
+#########################
+# Certificate
+resource "aws_acm_certificate" "hec_classiclb_cert" {
+  domain_name       = "${var.prefix}-hec-ack.${var.dns_info["legacy_public"]["zone"]}"
+  validation_method = "DNS"
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "hec_classiclb_cert_validation" {
+  certificate_arn         = aws_acm_certificate.hec_classiclb_cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.hec_classiclb_cert_validation: record.fqdn]
+}
+
+resource "aws_route53_record" "hec_classiclb_cert_validation" {
+  provider = aws.legacy
+
+  for_each = {
+    for dvo in aws_acm_certificate.hec_classiclb_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["legacy_public"]["zone_id"]
+}
+
+
+#########################
+# ELB
+resource "aws_elb" "hec_classiclb" {
+  tags = merge(var.standard_tags, var.tags)
+  name            = "${var.prefix}-legacy-hec-classic"
+  security_groups = [ data.aws_security_group.hec_elb_security_group.id ]
+  subnets         = var.public_subnets
+  internal        = false
+
+  listener {
+    instance_port      = 8088
+    instance_protocol  = "https"
+    lb_port            = 8088
+    lb_protocol        = "https"
+    ssl_certificate_id = aws_acm_certificate.hec_classiclb_cert.arn
+  }
+
+  listener {
+    instance_port      = 8088
+    instance_protocol  = "https"
+    lb_port            = 443
+    lb_protocol        = "https"
+    ssl_certificate_id = aws_acm_certificate.hec_classiclb_cert.arn
+  }
+
+  health_check {
+    healthy_threshold   = 10
+    unhealthy_threshold = 2
+    timeout             = 5
+    target              = "HTTPS:8088/services/collector/health/1.0"
+    interval            = 30
+  }
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+}
+
+# AWS Firehose / Splunk requirement for ELB cookies to have
+# cookie_expiration_period=0.  Terraform does not support that directly
+# and expects >=1.  Not specifying an expiration period causes a period
+# of 0.  See https://github.com/terraform-providers/terraform-provider-aws/issues/12678
+resource "aws_lb_cookie_stickiness_policy" "hec_classiclb_sticky_443" {
+  name                     = "sticky443-2"
+  load_balancer            = aws_elb.hec_classiclb.id
+  lb_port                  = 443
+}
+
+# AWS Firehose / Splunk requirement for ELB cookies to have
+# cookie_expiration_period=0.  Terraform does not support that directly
+# and expects >=1.  Not specifying an expiration period causes a period
+# of 0.  See https://github.com/terraform-providers/terraform-provider-aws/issues/12678
+resource "aws_lb_cookie_stickiness_policy" "hec_classiclb_sticky_8088" {
+  name                     = "sticky8088"
+  load_balancer            = aws_elb.hec_classiclb.id
+  lb_port                  = 8088
+}
+
+# Attach the instnaces to the ELB
+resource "aws_autoscaling_attachment" "hec_classic_asg_attachments" {
+  for_each = toset(var.elb_attachments)
+  elb      = aws_elb.hec_classiclb.id
+  autoscaling_group_name = each.key
+}
+
+# See https://github.com/terraform-providers/terraform-provider-aws/issues/995
+resource "aws_load_balancer_policy" "listener_policy-tls-1-2" {
+  load_balancer_name = aws_elb.hec_classiclb.name
+  policy_name        = "elb-tls-1-2"
+  policy_type_name   = "SSLNegotiationPolicyType"
+
+  policy_attribute {
+    name  = "Reference-Security-Policy"
+    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  }
+
+  # Workaround for bug above.  If changing TLS policy then be
+  # prepared to taint the resource.  Tested/working taint commands
+  # (as of 2020-06-25) are:
+  # terraform taint --module customer.indexer_cluster aws_load_balancer_policy.listener_policy-tls-1-2
+  # terraform taint --module customer.indexer_cluster aws_load_balancer_listener_policy.hec_classiclb_listener_443
+  # terraform taint --module customer.indexer_cluster aws_load_balancer_listener_policy.hec_classiclb_listener_8088
+  #
+  # As of this time, w/ terraform 0.11.14, you have to taint all three
+  # to effect a change here.
+  #
+  # 2020-11-04 - Confirmed this is still a bug in 0.13
+  lifecycle {
+    ignore_changes = [ policy_attribute ]
+  }
+}
+
+# Have to make sure to add the sticky policy here too or it causes
+# the listener to lose the sticky policy set above and terraform
+# attempts to re-add it on each apply run
+resource "aws_load_balancer_listener_policy" "hec_classiclb_listener_443" {
+  load_balancer_name = aws_elb.hec_classiclb.name
+  load_balancer_port = 443
+
+  policy_names = [
+    aws_load_balancer_policy.listener_policy-tls-1-2.policy_name,
+    aws_lb_cookie_stickiness_policy.hec_classiclb_sticky_443.name,
+  ]
+}
+
+# Have to make sure to add the sticky policy here too or it causes
+# the listener to lose the sticky policy set above and terraform
+# attempts to re-add it on each apply run
+resource "aws_load_balancer_listener_policy" "hec_classiclb_listener_8088" {
+  load_balancer_name = aws_elb.hec_classiclb.name
+  load_balancer_port = 8088
+
+  policy_names = [
+    aws_load_balancer_policy.listener_policy-tls-1-2.policy_name,
+    aws_lb_cookie_stickiness_policy.hec_classiclb_sticky_8088.name,
+  ]
+}
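Review bot: Both listeners (`ssl_certificate_id` at the 8088 and 443 listener blocks) reference `aws_acm_certificate.hec_classiclb_cert.arn` directly, so nothing orders the ELB after the certificate has actually been issued; the DNS-validated pattern is to reference `aws_acm_certificate_validation.hec_classiclb_cert_validation.certificate_arn` instead, which also holds the same ARN. The same applies to `certificate_arn` in both `aws_lb_listener` resources in elb-without-ack.tf. The taint commands in the `listener_policy-tls-1-2` comment name `customer.indexer_cluster`, but this file lives in the new legacy_hec module, so they look copied over and would need to point at this module's path. Since `ignore_changes = [ policy_attribute ]` also means a manual downgrade of `ELBSecurityPolicy-TLS-1-2-2017-01` in the console is never reported as drift, the comment should say so, e.g. `# NOTE: ignore_changes hides out-of-band changes to the TLS policy; review it periodically`.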

+ 104 - 0
base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -0,0 +1,104 @@
+#------------------------------------------------------------------------------
+# An external ALB for the indexers for HEC
+#------------------------------------------------------------------------------
+
+#########################
+# DNS Entry
+resource "aws_route53_record" "hec" {
+  name = "${var.prefix}-hec"
+  type = "CNAME"
+  zone_id = var.dns_info["legacy_public"]["zone_id"]
+  ttl = "600"
+  records = [ aws_elb.hec_classiclb.dns_name ]
+
+  provider = aws.legacy
+}
+
+#########################
+# Certificate
+resource "aws_acm_certificate" "hec_cert" {
+  domain_name       = "${var.prefix}-hec.${var.dns_info["legacy_public"]["zone"]}"
+  validation_method = "DNS"
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "hec_cert_validation" {
+  certificate_arn         = aws_acm_certificate.hec_cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.hec_cert_validation: record.fqdn]
+}
+
+resource "aws_route53_record" "hec_cert_validation" {
+  provider = aws.legacy
+
+  for_each = {
+    for dvo in aws_acm_certificate.hec_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["legacy_public"]["zone_id"]
+}
+
+#########################
+# ELB
+resource "aws_lb" "hec" {
+  tags               = merge(var.standard_tags, var.tags)
+  name               = "${var.prefix}-legacy-hec"
+  load_balancer_type = "application"
+  security_groups    = [ data.aws_security_group.hec_elb_security_group.id ]
+  subnets            = var.public_subnets
+  internal           = false
+}
+
+resource "aws_lb_listener" "hec_443" {
+  count             = local.is_moose ? 1 : 0
+  load_balancer_arn = aws_lb.hec.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = aws_acm_certificate.hec_cert.arn
+  default_action {
+    type = "forward"
+    target_group_arn = aws_lb_target_group.hec_8088.arn
+  }
+}
+
+resource "aws_lb_listener" "hec_8088" {
+  load_balancer_arn = aws_lb.hec.arn
+  port              = 8088
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = aws_acm_certificate.hec_cert.arn
+  default_action {
+    type = "forward"
+    target_group_arn = aws_lb_target_group.hec_8088.arn
+  }
+}
+
+resource "aws_lb_target_group" "hec_8088" {
+  name         = "${var.prefix}-legacy-hec-targets"
+  port         = 8088
+  protocol     = "HTTPS"
+  target_type  = "instance"
+  vpc_id       = var.vpc_id
+
+  health_check {
+    path     = "/services/collector/health/1.0"
+    protocol = "HTTPS"
+  }
+}
+
+# Attach the instnaces to the ELB
+resource "aws_autoscaling_attachment" "hec_asg_attachments" {
+  for_each = toset( var.elb_attachments )
+  alb_target_group_arn = aws_lb_target_group.hec_8088.arn
+  autoscaling_group_name = each.key
+}
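Review bot: The `hec` Route53 record points `${var.prefix}-hec` at `aws_elb.hec_classiclb.dns_name`, the classic ELB from elb-with-acks.tf, while the certificate for that name is attached to the ALB `aws_lb.hec`; clients resolving the `-hec` name will reach the classic ELB, which presents the `-hec-ack` certificate, and fail hostname verification. This looks like a copy-paste from the other file; the intended line is presumably `records = [ aws_lb.hec.dns_name ]`, otherwise the ALB, its listeners and its certificate are never reachable. Unlike the classic ELB, `aws_lb.hec` has no `access_logs` block, so requests to this public endpoint leave no log trail; adding the same `xdr-elb-${var.environment}` bucket would keep the two load balancers consistent. The 443 listener is gated by `local.is_moose` while 8088 is unconditional, which is fine but deserves a one-line comment at the `count` explaining why only some prefixes get 443.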

+ 4 - 0
base/splunk_servers/legacy_hec/main.tf

@@ -0,0 +1,4 @@
+# Some instance variables
+locals {
+  is_moose = length(regexall("moose", var.prefix)) > 0 ? true : false
+}
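Review bot: The `? true : false` on `is_moose` is redundant, since the `>` comparison already yields a bool; `is_moose = length(regexall("moose", var.prefix)) > 0` reads more cleanly. The comment `# Some instance variables` does not say what the flag means or where it is used; something like `# true when the prefix contains "moose"; gates the 443 ALB listener in elb-without-ack.tf` would document the only use visible in this PR.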

+ 4 - 0
base/splunk_servers/legacy_hec/security-group-elbs.tf

@@ -0,0 +1,4 @@
+data "aws_security_group" "hec_elb_security_group" {
+  name   = "hec_elb_security_group"
+  vpc_id = var.vpc_id
+}

+ 40 - 0
base/splunk_servers/legacy_hec/vars.tf

@@ -0,0 +1,40 @@
+variable elb_attachments {
+  type = list
+}
+
+variable "prefix" {
+  description = "Prefix for Instance Names"
+  type = string
+}
+
+variable "azs" {
+  type = list(string)
+}
+
+variable "public_subnets" {
+  type = list(string)
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "vpc_cidr" {
+  type = string
+}
+
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map
+  default     = { }
+}
+
+variable "cidr_map" { type = map }
+variable "dns_info" { type = map }
+variable "standard_tags" { type = map }
+variable "environment" { type = string }
+variable "aws_region" { type = string }
+variable "aws_account_id" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_partition_alias" { type = string }
+variable "common_services_account" { type = string }

+ 3 - 0
base/splunk_servers/legacy_hec/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 0.13"
+}
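Review bot: `version.tf` pins Terraform to `~> 0.13` but declares no `required_providers` block, so the AWS provider version this module was tested against is not recorded; adding `required_providers { aws = { source = "hashicorp/aws" } }` with the version constraint the rest of the repository uses would make the workaround comments in elb-with-acks.tf reproducible. The module also uses the `aws.legacy` provider alias (the Route53 resources in both elb files), and none of the files in this PR declare the proxy `provider "aws" { alias = "legacy" }` block that 0.13 child modules need for callers to pass that alias; if it is defined in a file not shown here, a one-line comment in version.tf pointing to it would help.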