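locals {
  # Source addresses allowed to reach the *test* portal from outside the VPC
  # (consumed by aws_security_group.customer_portal_alb below). These are office
  # and residential /32s; residential addresses change without notice, so expect
  # this list to drift and audit it periodically.
  # NOTE(review): named individuals' home IPs are committed to VCS here. Consider
  # feeding this list from a variable/tfvars or an SSM parameter instead, so the
  # personal data and the allow-list can be rotated without a code change.
  portal_test_whitelist = [
    "12.245.107.250/32", # DPS Office Legato
    "12.204.167.162/32", # DPS Office San Antonio
    "54.86.98.62/32",    # DPS AWS User VPN
    "75.138.227.80/32",  # Duane Waddle
    "24.11.231.98/32",   # George Starcher
    "99.151.37.185/32",  # Wesley Leonard
    "70.106.200.157/32", # John Reuther
    "73.10.53.113/32",   # Rick Page Home
    "50.21.207.50/32",   # Brad Poulton
    "70.160.60.248/32",  # Brandon Naughton
    "99.56.213.129/32",  # Frederick Damstra
  ]
}

# ---------------------------------------------------------------------------------------------------------------------
# LOAD BALANCER FOR PORTAL
# ---------------------------------------------------------------------------------------------------------------------

# Not referenced anywhere in the visible part of this file — TODO confirm it is used
# elsewhere in the module before removing.
data "aws_caller_identity" "current" {}

# Internet-facing ALB fronting the portal auto-scaling group. Network reachability is
# gated by aws_security_group.customer_portal_alb (see the Security Group section).
resource "aws_alb" "portal" {
  name     = "portal-alb-${var.environment}"
  internal = false
  subnets  = var.subnets

  security_groups = [
    aws_security_group.customer_portal_alb.id,
  ]

  # Drop requests carrying header names with invalid characters instead of forwarding
  # them to the portal targets (AWS Foundational Security Best Practices control ELB.4;
  # mitigates request-smuggling/header-injection style attacks through the ALB).
  # Requires AWS provider >= 2.49 — drop this line if the pinned provider is older.
  drop_invalid_header_fields = true

  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "portal-alb-${var.environment}" },
  )

  # Access logs go to the per-environment ELB log bucket; the bucket must exist and
  # carry a bucket policy allowing the regional ELB service account to write to it.
  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    prefix  = ""
    enabled = true
  }
}

# Target group for the portal instances. Traffic is re-encrypted to the targets (HTTPS
# on 443), so the instances need their own server certificate.
resource "aws_alb_target_group" "portal" {
  name     = "portal-alb-targets-${var.environment}"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/"
    # Anything from 200 up to and including 400 counts as healthy. Treating 3xx as
    # healthy is common when "/" redirects to a login page; accepting 400 as well is
    # looser than usual — TODO confirm that is intentional.
    matcher = "200-400"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false
  }

  tags = merge(
    var.standard_tags,
    var.tags,
  )
}

# Register the portal ASG's instances with the target group.
resource "aws_autoscaling_attachment" "portal" {
  autoscaling_group_name = module.customer_portal_asg.this_autoscaling_group_name
  alb_target_group_arn   = aws_alb_target_group.portal.arn
}

# HTTPS listener ( certificate_arn wait for DNS cut over ).
# NOTE: an HTTPS listener cannot be created without a certificate — with certificate_arn
# commented out this resource will fail at apply time, so it must be uncommented (or the
# aws_alb_listener_certificate below enabled) as part of the cut-over.
resource "aws_alb_listener" "portal_https" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "443"
  protocol          = "HTTPS"

  # TLS 1.2 only, but this 2017 policy still offers older CBC / non-forward-secret
  # RSA key-exchange suites. A newer policy (e.g. ELBSecurityPolicy-TLS13-1-2-2021-06)
  # adds TLS 1.3 and drops those suites — check client compatibility before changing.
  ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
  #certificate_arn   = aws_acm_certificate_validation.portal_cert.certificate_arn

  default_action {
    target_group_arn = aws_alb_target_group.portal.arn
    type             = "forward"
  }
}

# resource "aws_alb_listener_certificate" "portal_https_cert" {
#   certificate_arn = data.aws_acm_certificate.portal_cert_v2.arn
#   listener_arn    = aws_alb_listener.portal_https.arn
# }

# HTTP -> HTTPS redirect. Port 80 is only open so this redirect is reachable; no
# application traffic is served in the clear.
resource "aws_lb_listener" "portal_https_redirect" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

#resource "aws_route53_record" "portal_cert_validation" {
#  name    = "${aws_acm_certificate.portal_cert.domain_validation_options.0.resource_record_name}"
#  type    = "${aws_acm_certificate.portal_cert.domain_validation_options.0.resource_record_type}"
#  zone_id = "${data.terraform_remote_state.infra.public_zone}"
#  records = ["${aws_acm_certificate.portal_cert.domain_validation_options.0.resource_record_value}"]
#  ttl     = 60
#}

#resource "aws_acm_certificate" "portal_cert" {
#  domain_name       = "portal.${data.terraform_remote_state.infra.private_zone2_name}"
#  validation_method = "DNS"
#
#  tags = {
#    Name        = "portal-cert-${terraform.workspace}"
#    Environment = "${terraform.workspace}"
#  }
#}

#data "aws_acm_certificate" "portal_cert_v2" {
#  domain      = "portal.${terraform.workspace == "test" ? "xdrtest" : "xdr" }.accenturefederalcyber.com"
#  most_recent = true
#}

#resource "aws_acm_certificate_validation" "portal_cert" {
#  certificate_arn         = "${aws_acm_certificate.portal_cert.arn}"
#  validation_record_fqdns = ["${aws_route53_record.portal_cert_validation.fqdn}"]
#}

# Wait to transfer the DNS until you are 100% ready!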
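# DNS Alias for the LB
# resource "aws_route53_record" "portal" {
#   zone_id = var.dns_info["public"]["zone_id"]
#   name    = "portal.${var.dns_info["public"]["zone_id"]}"
#   records = [ aws_alb.portal.dns_name, ]
#   type    = "CNAME"
#   ttl     = 60
# }

# resource "aws_route53_record" "portal_private" {
#   zone_id = var.dns_info["private"]["zone_id"]
#   name    = "portal.${var.dns_info["private"]["zone_id"]}"
#   type    = "CNAME"
#   records = [ aws_alb.portal.dns_name, ]
#   ttl     = 60
# }

#------------------------------------
# Security Group
#------------------------------------
# Inbound policy for the portal ALB:
#   - any other environment: 443 (and 80, for the redirect listener) from anywhere
#   - test:                  443 and 80 from the private 10.0.0.0/8 range, plus 443
#                            from the addresses in local.portal_test_whitelist
# NOTE: ingress is declared inline here while egress is a standalone
# aws_security_group_rule below. The AWS provider documents that mixing inline rules
# and aws_security_group_rule resources on one security group can make the two
# overwrite each other on apply; if this group grows, convert the inline ingress
# blocks to aws_security_group_rule resources too.
resource "aws_security_group" "customer_portal_alb" {
  name        = "customer_portal_alb_inbound_sg"
  description = "Allow Customer Portal ALB HTTP Traffic Inbound"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the world (non-test) / private network (test)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [
      var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0",
    ]
  }

  # Allow viewing of the test portal from home; we don't want the world to view it.
  # Emitted only for test: elsewhere the 0.0.0.0/0 rule above already covers these
  # addresses, and leaving per-person /32 rules in place there would silently outlive
  # any later tightening of that rule.
  dynamic "ingress" {
    for_each = var.environment == "test" ? [local.portal_test_whitelist] : []

    content {
      description = "Test portal allow-list (local.portal_test_whitelist)"
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ingress.value
    }
  }

  # Needed only so the HTTP -> HTTPS redirect listener is reachable. It is not opened
  # to the whitelist, so whitelisted test users must type https:// explicitly.
  ingress {
    description = "HTTP, redirected to HTTPS by the listener"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [
      var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0",
    ]
  }
}

# Sole egress rule: the ALB may only talk to the portal instances' security group on
# 443 (for an egress rule, source_security_group_id is the *destination* group). Per
# the provider docs, Terraform removes AWS's default allow-all egress rule on groups it
# manages, so this is the complete egress set — keep it that way.
resource "aws_security_group_rule" "customer_portal_alb" {
  protocol                 = "tcp"
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  security_group_id        = aws_security_group.customer_portal_alb.id
  source_security_group_id = aws_security_group.customer_portal.id
}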