resource "aws_lb" "searchhead-auth-alb" { name = "${local.alb_name}-auth" internal = false load_balancer_type = "application" # Not supported for NLB security_groups = [aws_security_group.searchhead-auth-alb-sg.id] # Note, changing subnets results in recreation of the resource subnets = var.public_subnets enable_cross_zone_load_balancing = true access_logs { bucket = "xdr-elb-${ var.environment }" enabled = true } tags = merge(var.standard_tags, var.tags) } ######################### # Listeners resource "aws_lb_listener" "searchhead-auth-alb-listener-https" { load_balancer_arn = aws_lb.searchhead-auth-alb.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that) certificate_arn = aws_acm_certificate.cert-auth.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn } } # Redirect HTTP to HTTPS resource "aws_lb_listener" "searchhead-auth-alb-listener-http" { load_balancer_arn = aws_lb.searchhead-auth-alb.arn port = "80" protocol = "HTTP" default_action { type = "redirect" redirect { port = "443" protocol = "HTTPS" status_code = "HTTP_301" } } } ######################### # Targets resource "aws_lb_target_group" "searchhead-auth-alb-target-10000" { name = "${local.alb_name}-10000" port = 10000 protocol = "HTTPS" target_type = "instance" vpc_id = var.vpc_id tags = merge(var.standard_tags, var.tags) health_check { enabled = true path = "/Saml2IDP/proxy.xml" port = 10000 protocol = "HTTPS" } # Stickiness is not needed here, but we'll need it if we add SHs stickiness { type = "lb_cookie" cookie_duration = 86400 # 1 day enabled = true } } resource "aws_lb_target_group_attachment" "searchhead-auth-alb-target-10000-instance" { target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn target_id = aws_instance.instance.id port = 10000 } ######################### # Security Group for ALB resource "aws_security_group" "searchhead-auth-alb-sg" { name = "${local.alb_name}-customer-auth-alb-sh" description = "Security Group for the Customer Searchhead Authorization ALB" vpc_id = var.vpc_id tags = merge(var.standard_tags, var.tags) } resource "aws_security_group_rule" "searchhead-auth-alb-https-in" { type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = local.alb_clients security_group_id = aws_security_group.searchhead-auth-alb-sg.id } resource "aws_security_group_rule" "searchhead-auth-http-in" { # Port 80 is open as a redirect to 443 type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = local.alb_clients security_group_id = aws_security_group.searchhead-auth-alb-sg.id } resource "aws_security_group_rule" "searchhead-auth-alb-10000-out" { type = "egress" from_port = 10000 to_port = 10000 protocol = "tcp" # Maybe should limit to the local vpc, but I don't readily have that cidr available cidr_blocks = [ var.vpc_cidr ] security_group_id = aws_security_group.searchhead-auth-alb-sg.id } ######################### # DNS Entry module "public_dns_record_cust-auth-elb" { source = "../../../submodules/dns/public_ALIAS_record" name = "${local.auth_short_name}" target_dns_name = aws_lb.searchhead-auth-alb.dns_name target_zone_id = aws_lb.searchhead-auth-alb.zone_id dns_info = var.dns_info providers = { aws.mdr-common-services-commercial = aws.mdr-common-services-commercial } }