# Listener ports exposed by the internal ALB, keyed by the Sensu component
# they front. Each key yields one target group, one attachment and one
# listener below.
locals {
  alb_listener_ports = {
    ui    = "8000"
    api   = "8080"
    agent = "8081"
  }
}

#----------------------------------------------------------------------------
# INTERNAL LB
#----------------------------------------------------------------------------
resource "aws_alb" "sensu_internal" {
  name               = "sensu-alb-internal-${var.environment}"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.subnets
  security_groups    = [aws_security_group.sensu_alb_server_internal.id]

  # Access logs land in the per-environment ELB log bucket.
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags, {
    Name = "sensu-alb-internal-${var.environment}"
  })
}

# One target group per listener port. Every group health-checks the same
# endpoint (HTTPS :8080 /health) regardless of the port it forwards to.
resource "aws_alb_target_group" "sensu_internal" {
  for_each = local.alb_listener_ports

  # NOTE(review): no environment suffix here, unlike the ALB name. Target
  # group names must be unique per account/region, so this collides if more
  # than one environment is deployed into the same account — confirm.
  name     = "sensu-alb-targets-${each.key}"
  port     = each.value
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  #deregistration_delay = "${local.lb_deregistration_delay}"

  health_check {
    protocol = "HTTPS"
    port     = "8080"
    path     = "/health"
    matcher  = "200"
    timeout  = "4"  # seconds
    interval = "5"  # seconds
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false
  }

  tags = merge(var.standard_tags, var.tags)
}

# Register the single Sensu instance with every target group on its own port.
resource "aws_lb_target_group_attachment" "sensu_internal" {
  for_each = local.alb_listener_ports

  target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
  target_id        = aws_instance.instance.id
  port             = each.value
}

# One HTTPS listener per port, forwarding straight to the matching target
# group. All internal listeners present aws_acm_certificate.cert (the external
# LB uses cert_public instead).
resource "aws_alb_listener" "sensu_internal" {
  for_each = local.alb_listener_ports

  load_balancer_arn = aws_alb.sensu_internal.arn
  port              = each.value
  protocol          = "HTTPS"
  # Forward-secrecy-only, TLS 1.2-only predefined policy — the most
  # restrictive one available at the time (took a while to find).
  ssl_policy      = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
  certificate_arn = aws_acm_certificate.cert.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
  }
}

# DNS alias for the internal LB. A CNAME is required here: an ALIAS record did
# NOT work due to an AWS bug at the time this was written.
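resource "aws_route53_record" "sensu_internal" {
  provider = aws.c2

  zone_id = var.dns_info["private"]["zone_id"]
  name    = var.instance_name
  type    = "CNAME"
  ttl     = "60"
  records = [aws_alb.sensu_internal.dns_name]
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "sensu_alb_server_internal" {
  # NOTE(review): no environment suffix — SG names must be unique within a
  # VPC, so this collides if several environments share var.vpc_id.
  name        = "sensu-alb-sg-internal"
  description = "Sensu Internal LB SG"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# Admits every listener port from all of 10.0.0.0/8, i.e. anything in that
# range that can route to these subnets — not only this VPC. Narrow to the
# VPC / peered CIDRs if that is the intent.
resource "aws_security_group_rule" "sensu_from_vpc" {
  for_each = local.alb_listener_ports

  type              = "ingress"
  protocol          = "tcp"
  from_port         = each.value
  to_port           = each.value
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "Sensu ${each.key}"
  security_group_id = aws_security_group.sensu_alb_server_internal.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# On an egress rule source_security_group_id names the *destination* SG: the
# internal ALB may only reach the Sensu instance SG, on the listener ports
# (8080 also carries the health check).
resource "aws_security_group_rule" "sensu_from_alb" {
  for_each = local.alb_listener_ports

  type                     = "egress"
  protocol                 = "tcp"
  from_port                = each.value
  to_port                  = each.value
  source_security_group_id = aws_security_group.instance_security_group.id
  description              = "Sensu ${each.key}"
  security_group_id        = aws_security_group.sensu_alb_server_internal.id
}

#----------------------------------------------------------------------------
# EXTERNAL LB
#----------------------------------------------------------------------------
resource "aws_alb" "sensu_external" {
  name               = "sensu-alb-external-${var.environment}"
  internal           = false
  load_balancer_type = "application"
  # NOTE(review): same var.subnets as the internal ALB. An internet-facing
  # ALB needs public subnets, which implies the internal ALB also sits in
  # them — confirm that is intended.
  subnets         = var.subnets
  security_groups = [aws_security_group.sensu_alb_server_external.id]

  # Internet-facing: reject requests carrying malformed header names at the
  # edge instead of passing them through to the Sensu backend.
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags, {
    Name = "sensu-alb-external-${var.environment}"
  })
}

# Single target group for the agent port. Health check is the same
# HTTPS :8080 /health endpoint the internal groups use.
resource "aws_alb_target_group" "sensu_external" {
  # NOTE(review): no environment suffix; see the internal target groups.
  name     = "sensu-alb-targets-agent-external"
  port     = 8081
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  #deregistration_delay = "${local.lb_deregistration_delay}"

  health_check {
    protocol = "HTTPS"
    port     = "8080"
    path     = "/health"
    matcher  = "200"
    timeout  = "4"  # seconds
    interval = "5"  # seconds
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "sensu_external" {
  target_group_arn = aws_alb_target_group.sensu_external.arn
  target_id        = aws_instance.instance.id
  port             = 8081
}

# External HTTPS listener, presenting the public certificate.
# NOTE(review): this listener is on 8081, but the external SG ingress rules
# (sensu-afs-pop / sensu-afs-azure-pop / sensu-nga-pop) only open 443, so POP
# traffic cannot reach it as written — confirm which side is intended.
resource "aws_alb_listener" "sensu_https_external" {
  load_balancer_arn = aws_alb.sensu_external.arn
  port              = 8081
  protocol          = "HTTPS"
  # Forward-secrecy-only, TLS 1.2-only predefined policy — the most
  # restrictive one available at the time (took a while to find).
  ssl_policy      = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
  certificate_arn = aws_acm_certificate.cert_public.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.sensu_external.arn
  }
}

# #########################
# # DNS Entry
# Public ALIAS record pointing var.instance_name at the external ALB.
module "public_dns_record" {
  source = "../../submodules/dns/public_ALIAS_record"

  name            = var.instance_name
  target_dns_name = aws_alb.sensu_external.dns_name
  target_zone_id  = aws_alb.sensu_external.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "sensu_alb_server_external" {
  # NOTE(review): no environment suffix; see sensu_alb_server_internal.
  name        = "sensu-alb-sg-external"
  description = "Sensu LB SG"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS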
#----------------------------------------------------------------------------
# Customer POP ranges may reach the external LB on 443 only. All three rules
# are disabled (count = 0) in test: no need to let customers connect to test.
# NOTE(review): the external listener (sensu_https_external) is on 8081, not
# 443, so these rules do not match it as written — confirm the intended port.
resource "aws_security_group_rule" "sensu-afs-pop" {
  count = var.environment == "test" ? 0 : 1

  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = var.afs_pop
  description       = "Sensu - AFS POP"
  security_group_id = aws_security_group.sensu_alb_server_external.id
}

resource "aws_security_group_rule" "sensu-afs-azure-pop" {
  count = var.environment == "test" ? 0 : 1

  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = var.afs_azure_pop
  description       = "Sensu - AFS Azure POP"
  security_group_id = aws_security_group.sensu_alb_server_external.id
}

resource "aws_security_group_rule" "sensu-nga-pop" {
  count = var.environment == "test" ? 0 : 1

  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = var.nga_pop
  description       = "Sensu - NGA POP"
  security_group_id = aws_security_group.sensu_alb_server_external.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# On an egress rule source_security_group_id names the *destination* SG: the
# external ALB may only reach the Sensu instance SG, on the agent port and on
# the health-check port.
resource "aws_security_group_rule" "alb_to_sensu_server" {
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 8081
  to_port                  = 8081
  source_security_group_id = aws_security_group.instance_security_group.id
  description              = "Allows the ALB to talk to the Sensu servers"
  security_group_id        = aws_security_group.sensu_alb_server_external.id
}

resource "aws_security_group_rule" "alb_to_sensu_health" {
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 8080
  to_port                  = 8080
  source_security_group_id = aws_security_group.instance_security_group.id
  description              = "Allows the ALB to talk to the Sensu Health check"
  security_group_id        = aws_security_group.sensu_alb_server_external.id
}