#----------------------------------------------------------------------------
# INTERNAL LB
#----------------------------------------------------------------------------
# Internal-scheme application load balancer fronting the instances.
# `internal = true` means AWS assigns only private addresses to the LB nodes.
# NOTE(review): the subnet list comes from `var.public_subnets` even though the
# LB is internal-scheme. Internal LBs are normally placed in private subnets;
# confirm this is intentional (e.g. the "public" subnets are routable only from
# the corporate supernets) rather than a copy/paste from a public ALB module.
resource "aws_alb" "internal" {
  name               = "${local.server_name_stem}-alb-internal-${var.environment}"
  security_groups    = [aws_security_group.alb_internal.id]
  internal           = true
  subnets            = var.public_subnets
  load_balancer_type = "application"
  # Drop requests carrying header fields with invalid names instead of passing
  # them through to the targets (hardening against header-smuggling style input).
  drop_invalid_header_fields = true
  # Access logs go to a bucket referenced by name, not managed in this file.
  # NOTE(review): the bucket must already exist in this account/region with the
  # ELB log-delivery bucket policy attached, or the apply will fail.
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }
  # 20-minute idle timeout (AWS default is 60s). Presumably for long-running
  # requests on the backend — confirm; long idle timeouts keep half-open client
  # connections holding LB resources.
  idle_timeout = 1200
  tags = merge(local.standard_tags, var.tags, { Name = "${local.server_name_stem}-alb-internal-${var.environment}" })
}

# Create a new target group
# Targets are reached over HTTPS on 443, so traffic is re-encrypted between
# the ALB and the instances rather than terminated in plaintext at the LB.
resource "aws_alb_target_group" "internal" {
  name     = "${local.server_name_stem}-alb-targets"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  # Health check: HTTPS GET / every 5s, 4s timeout, 2 consecutive results flip
  # the target state either way.
  # NOTE(review): a 302 is accepted as healthy — presumably because "/" redirects
  # to a login page. Be aware a target whose web server is up but whose app is
  # down will still look healthy if the server issues the redirect itself.
  health_check {
    protocol            = "HTTPS"
    port                = "443"
    path                = "/"
    matcher             = "200,302"
    timeout             = "4"
    interval            = "5"
    unhealthy_threshold = 2
    healthy_threshold   = 2
  }
  #stickiness {
  #  type    = "lb_cookie"
  #  enabled = false
  #}
  tags = merge(local.standard_tags, var.tags)
}

# Register every instance (aws_instance.instance, count = local.instance_count)
# with the target group on port 443.
resource "aws_lb_target_group_attachment" "internal" {
  count            = local.instance_count
  target_group_arn = aws_alb_target_group.internal.arn
  target_id        = aws_instance.instance[count.index].id
  port             = 443
}

# Create a new alb listener
# HTTPS listener on 443: terminates TLS with the ACM certificate referenced
# below (presumably issued by a private CA given the name — confirm) and
# forwards to the HTTPS target group.
# NOTE(review): the FS-1-2-Res-2020-10 policy is TLS 1.2 only. If all clients
# are known to support it, ELBSecurityPolicy-TLS13-1-2-Res-2021-06 offers the
# same restricted cipher set plus TLS 1.3.
resource "aws_alb_listener" "https_internal" {
  load_balancer_arn = aws_alb.internal.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert_private.arn
  default_action {
    target_group_arn = aws_alb_target_group.internal.arn
    type             = "forward"
  }
}

# Plain HTTP listener on 80 whose only action is a permanent (301) redirect to
# HTTPS on 443; no plaintext request is ever forwarded to a target. Host, path
# and query are preserved by the redirect defaults.
resource "aws_lb_listener" "listener_http" {
  load_balancer_arn = aws_alb.internal.arn
  port              = "80"
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

#----------------------------------------------------------------------------
# DNS Entry
#----------------------------------------------------------------------------
# Private CNAME for the ALB, published through the shared DNS submodule under
# the `aws.c2` provider alias (the zone presumably lives in a different
# account/region — see the submodule and var.dns_info).
module "alb_private_dns_record" {
  source           = "../../submodules/dns/private_CNAME_record"
  name             = local.server_name_stem
  target_dns_names = [aws_alb.internal.dns_name]
  dns_info         = var.dns_info
  providers = {
    aws.c2 = aws.c2
  }
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------
# Security group attached to the internal ALB. All rules are managed as
# separate aws_security_group_rule resources below; do not add inline
# ingress/egress blocks here, the provider treats the two styles as
# conflicting. With no inline egress block the provider also strips AWS's
# default allow-all egress rule on create, so the LB's outbound traffic is
# limited to the explicit egress rule below.
resource "aws_security_group" "alb_internal" {
  vpc_id      = var.vpc_id
  name        = "${local.server_name_stem}-alb-sg-internal"
  description = "ALB for ${local.server_name_stem}"
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# Port 80 from the internal supernets (local.supernets, defined elsewhere).
# Only needed so the HTTP listener can issue its 301 to HTTPS.
resource "aws_security_group_rule" "internal_http_from_local" {
  type              = "ingress"
  description       = "HTTP - Inbound from internal VPCs"
  from_port         = "80"
  to_port           = "80"
  protocol          = "tcp"
  cidr_blocks       = local.supernets
  security_group_id = aws_security_group.alb_internal.id
}

# Port 443 from the same internal supernets — the real service entry point.
resource "aws_security_group_rule" "internal_https_from_local" {
  type              = "ingress"
  description       = "HTTPS - Inbound from internal_vpc"
  from_port         = "443"
  to_port           = "443"
  protocol          = "tcp"
  cidr_blocks       = local.supernets
  security_group_id = aws_security_group.alb_internal.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# Outbound is restricted to 443/tcp towards the instance security group; this
# covers both forwarded requests and the HTTPS health checks. For an egress
# rule the provider's `source_security_group_id` is the *destination* group.
# NOTE(review): the instance SG (aws_security_group.instance, defined elsewhere)
# must in turn allow 443 inbound from this ALB SG, or targets will never pass
# the health check.
resource "aws_security_group_rule" "internal_alb_to_server" {
  type                     = "egress"
  description              = "HTTPS to the Server"
  from_port                = "443"
  to_port                  = "443"
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance.id
  security_group_id        = aws_security_group.alb_internal.id
}