locals { # alb_clients access the SH alb_clients = ( var.environment == "test" ? toset(concat( ["10.0.0.0/8"], local.portal_test_whitelist )) : ["0.0.0.0/0"] ) } resource "aws_lb" "searchhead-alb" { name = local.alb_name internal = false # tfsec:ignore:aws-elb-alb-not-public Intentionally public load_balancer_type = "application" # Not supported for NLB security_groups = [aws_security_group.searchhead-alb-sg.id] # Note, changing subnets results in recreation of the resource subnets = var.public_subnets enable_cross_zone_load_balancing = true drop_invalid_header_fields = true access_logs { bucket = "xdr-elb-${var.environment}" enabled = true } tags = merge(local.standard_tags, var.tags) } ######################### # Listeners resource "aws_lb_listener" "searchhead-alb-listener-https" { load_balancer_arn = aws_lb.searchhead-alb.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy certificate_arn = aws_acm_certificate.cert.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.searchhead-alb-target-8000.arn } } # Redirect HTTP to HTTPS resource "aws_lb_listener" "searchhead-alb-listener-http" { load_balancer_arn = aws_lb.searchhead-alb.arn port = "80" protocol = "HTTP" default_action { type = "redirect" redirect { port = "443" protocol = "HTTPS" status_code = "HTTP_301" } } } ######################### # Targets resource "aws_lb_target_group" "searchhead-alb-target-8000" { name = "${local.alb_name}-8000" port = 8000 protocol = "HTTPS" target_type = "instance" vpc_id = var.vpc_id tags = merge(local.standard_tags, var.tags) health_check { enabled = true path = "/en-US/account/login?return_to=%2Fen-US%2F" port = 8000 protocol = "HTTPS" } # Stickiness is not needed here, but we'll need it if we add SHs stickiness { type = "lb_cookie" cookie_duration = 86400 # 1 day enabled = true } } resource "aws_lb_target_group_attachment" "searchhead-alb-target-8000-instance" { target_group_arn = aws_lb_target_group.searchhead-alb-target-8000.arn target_id = aws_instance.instance.id port = 8000 } ######################### # Security Group for ALB resource "aws_security_group" "searchhead-alb-sg" { name = "${local.alb_name}-customer-alb-sh" description = "Security Group for the Customer Searchhead ALB" vpc_id = var.vpc_id tags = merge(local.standard_tags, var.tags) } resource "aws_security_group_rule" "searchhead-alb-https-in" { description = "HTTPS in" type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = local.alb_clients security_group_id = aws_security_group.searchhead-alb-sg.id } resource "aws_security_group_rule" "searchhead-http-in" { # Port 80 is open as a redirect to 443 description = "Allow redirect from 80 to 443" type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = local.alb_clients security_group_id = aws_security_group.searchhead-alb-sg.id } resource "aws_security_group_rule" "searchhead-alb-8000-out" { description = "Allow outbound to default splunk web" type = "egress" from_port = 8000 to_port = 8000 protocol = "tcp" # Maybe should limit to the local vpc, but I don't readily have that cidr available cidr_blocks = [var.vpc_cidr] security_group_id = aws_security_group.searchhead-alb-sg.id } ######################### # DNS Entry module "public_dns_record_cust-elb" { source = "../../../submodules/dns/public_ALIAS_record" name = local.dns_short_name target_dns_name = aws_lb.searchhead-alb.dns_name target_zone_id = aws_lb.searchhead-alb.zone_id dns_info = var.dns_info providers = { aws.mdr-common-services-commercial = aws.mdr-common-services-commercial } }