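#----------------------------------------------------------------------------
# INTERNAL LB
#----------------------------------------------------------------------------
# Internal (not internet-facing) ALB in front of the Vault instances.
# drop_invalid_header_fields keeps malformed HTTP headers from reaching Vault,
# and access logs go to the per-environment ELB log bucket.
resource "aws_alb" "vault" {
  name                       = "vault-alb-${var.environment}"
  security_groups            = [aws_security_group.vault_ALB_server.id]
  internal                   = true
  subnets                    = var.subnets
  load_balancer_type         = "application"
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags, { Name = "vault-alb-${var.environment}" })
}

# Create a new target group
# Targets are reached over HTTPS end to end (the ALB re-encrypts to the
# instances); the listener below forwards to this group.
resource "aws_alb_target_group" "vault" {
  name     = "vault-alb-targets-https-${var.environment}"
  port     = 443
  protocol = "HTTPS"
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id = var.vpc_id

  # Vault's health endpoint answers 200 only from the active node (standbys
  # and sealed nodes return other codes), so a matcher of "200" routes
  # traffic to the active node only. Widen the matcher if standby nodes
  # should also take requests.
  health_check {
    protocol = "HTTPS"
    path     = "/v1/sys/health"
    matcher  = "200"
    timeout  = 4 # seconds; numeric, the provider coerced the old quoted value
    interval = 5 # seconds; must stay > timeout
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false
  }

  tags = merge(local.standard_tags, var.tags)
}

# One attachment per Vault instance; instances are keyed by var.instance_count
# (a set of keys into aws_instance.instance, despite the name).
resource "aws_lb_target_group_attachment" "vault" {
  for_each         = toset(var.instance_count)
  target_group_arn = aws_alb_target_group.vault.arn
  target_id        = aws_instance.instance[each.key].id
  port             = 443
}

# Create a new alb listener
# Single HTTPS listener; there is deliberately no plaintext (port 80) listener
# or redirect on this ALB.
resource "aws_alb_listener" "vault_https" {
  load_balancer_arn = aws_alb.vault.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.vault.arn
    type             = "forward"
  }
}

# #########################
# # DNS Entry
# NOTE(review): this commented-out block is a leftover from another module;
# it references aws_lb.openvpn-nlb, which is not defined here. Kept for
# reference only.
# module "public_dns_record" {
#   source          = "../../submodules/dns/public_ALIAS_record"
#   name            = var.instance_name
#   target_dns_name = aws_lb.openvpn-nlb.dns_name
#   target_zone_id  = aws_lb.openvpn-nlb.zone_id
#   dns_info        = var.dns_info
#   providers = {
#     aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
#   }
# }

#----------
# DNS Entry
#----------
# DNS Alias for the LB ( the CNAME was required. an Alias did NOT work due to aws/bug. )
# Private-zone CNAME pointing the instance name at the internal ALB.
resource "aws_route53_record" "vault_internal" {
  zone_id  = var.dns_info["private"]["zone_id"]
  name     = var.instance_name
  type     = "CNAME"
  records  = [aws_alb.vault.dns_name]
  ttl      = 60 # seconds; short so ALB DNS changes propagate quickly
  provider = aws.c2
}

#----------------------------------------------------------------------------
# Vault ALB Security Group
#----------------------------------------------------------------------------
# No inline rules: the provider strips AWS's default allow-all egress, so the
# only traffic permitted is what the aws_security_group_rule resources below
# add.
# NOTE(review): unlike every other resource in this file the name carries no
# ${var.environment} suffix, so two environments in the same VPC would
# collide on "vault-alb-sg". Adding the suffix forces replacement of the
# group (and of the rules referencing it), so it is left unchanged here.
resource "aws_security_group" "vault_ALB_server" {
  vpc_id      = var.vpc_id
  name        = "vault-alb-sg"
  description = "ALB for Vault"
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# HTTPS into the ALB from the 10.0.0.0/8 private range only. The previous
# description claimed "from everywhere", which did not match the CIDR.
resource "aws_security_group_rule" "vault_server_from_vpc" {
  type              = "ingress"
  description       = "Allows the ALB to receive HTTPS traffic from the 10.0.0.0/8 private range"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.vault_ALB_server.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# The ALB may only open HTTPS to members of the Vault instance security group.
# On an egress rule the provider's source_security_group_id is the
# *destination* group, so this is "ALB -> instance SG on 443".
resource "aws_security_group_rule" "alb_to_vault_server" {
  type                     = "egress"
  description              = "Allows the ALB to talk to the vault servers"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance_security_group.id
  security_group_id        = aws_security_group.vault_ALB_server.id
}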