# --------------------------------------------------------------------------------------------------------------------- # LOAD BALANCER FOR PORTAL # --------------------------------------------------------------------------------------------------------------------- resource "aws_alb" "portal" { name = "portal-alb-${var.environment}" security_groups = [ aws_security_group.customer_portal_alb.id, ] internal = false subnets = var.public_subnets tags = merge( var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" }) access_logs { bucket = "xdr-elb-${ var.environment }" prefix = "" enabled = true } } # Create a new target group resource "aws_alb_target_group" "portal" { name = "portal-alb-targets-${var.environment}" port = 443 protocol = "HTTPS" vpc_id = var.vpc_id health_check { protocol = "HTTPS" path = "/api/health/" matcher = "200-400" } stickiness { type = "lb_cookie" enabled = false } tags = merge( var.standard_tags, var.tags, ) } # Create a new alb listener ( certificate_arn wait for DNS cut over ) resource "aws_alb_listener" "portal_https" { load_balancer_arn = aws_alb.portal.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" certificate_arn = aws_acm_certificate.cert.arn default_action { target_group_arn = aws_alb_target_group.portal.arn type = "forward" } } # HTTPs Redirect resource "aws_lb_listener" "portal_https_redirect" { load_balancer_arn = aws_alb.portal.arn port = "80" protocol = "HTTP" default_action { type = "redirect" redirect { port = "443" protocol = "HTTPS" status_code = "HTTP_301" } } } # Attach the instances to the ELB resource "aws_autoscaling_attachment" "customer_portal_asg_attachment" { alb_target_group_arn = aws_alb_target_group.portal.arn autoscaling_group_name = aws_autoscaling_group.customer_portal.name } #---------- # DNS Entry #---------- module "public_dns_record" { source = "../../submodules/dns/public_ALIAS_record" name = "portal" target_dns_name = aws_alb.portal.dns_name target_zone_id = aws_alb.portal.zone_id dns_info = var.dns_info providers = { aws.mdr-common-services-commercial = aws.mdr-common-services-commercial } } #------------------------------------ # Security Group #------------------------------------ resource "aws_security_group" "customer_portal_alb" { name = "customer_portal_alb_inbound_sg" description = "Allow Customer Portal ALB HTTP Traffic Inbound" vpc_id = var.vpc_id } resource "aws_security_group_rule" "customer_portal_alb_https" { protocol = "tcp" type = "ingress" from_port = 443 to_port = 443 security_group_id = aws_security_group.customer_portal_alb.id cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ] } #Allow viewing of test portal from home. We don't want world to view test portal. resource "aws_security_group_rule" "customer_portal_alb_https_test" { protocol = "tcp" type = "ingress" from_port = 443 to_port = 443 security_group_id = aws_security_group.customer_portal_alb.id cidr_blocks = flatten(var.portal_test_whitelist) } ## Needed for HTTPs redirect resource "aws_security_group_rule" "customer_portal_alb_http" { protocol = "tcp" type = "ingress" from_port = 80 to_port = 80 security_group_id = aws_security_group.customer_portal_alb.id cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ] } resource "aws_security_group_rule" "customer_portal_alb" { protocol = "tcp" type = "egress" from_port = 443 to_port = 443 security_group_id = aws_security_group.customer_portal_alb.id source_security_group_id = aws_security_group.customer_portal.id }