resource "aws_lb" "alsi-alb-elastic" { count = var.alsi_elastic_alb ? 1 : 0 name = "${var.prefix}-alsi-alb-elastic" internal = false load_balancer_type = "application" # Not supported for NLB security_groups = [aws_security_group.alsi-alb-elastic-sg.id] # Note, changing subnets results in recreation of the resource subnets = var.subnets enable_cross_zone_load_balancing = true access_logs { bucket = "xdr-elb-${ var.environment }" enabled = true } tags = merge(var.standard_tags, var.tags) } ######################### # Listeners resource "aws_lb_listener" "alsi-alb-elastic-listener-https" { count = var.alsi_elastic_alb ? 1 : 0 load_balancer_arn = aws_lb.alsi-alb-elastic[count.index].arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that) certificate_arn = aws_acm_certificate.cert_elastic[count.index].arn default_action { type = "forward" target_group_arn = aws_lb_target_group.alsi-alb-elastic-target-9200[count.index].arn } } # Only alb's can redirect resource "aws_lb_listener" "alsi-alb-elastic-listener-http" { count = var.alsi_elastic_alb ? 1 : 0 load_balancer_arn = aws_lb.alsi-alb-elastic[count.index].arn port = "80" protocol = "HTTP" default_action { type = "redirect" redirect { port = "443" protocol = "HTTPS" status_code = "HTTP_301" } } } ######################### # Targets resource "aws_lb_target_group" "alsi-alb-elastic-target-9200" { count = var.alsi_elastic_alb ? 1 : 0 name = "${var.prefix}-alsi-elastic-9200" port = 9200 protocol = "HTTPS" target_type = "instance" vpc_id = var.vpc_id tags = merge(var.standard_tags, var.tags) health_check { enabled = true path = "/api/v1/health" port = 9000 protocol = "HTTPS" } # sure would be nice to check the actual port #health_check { # enabled = true # path = "/" # port = 9000 # protocol = "HTTPS" #} } resource "aws_lb_target_group_attachment" "alsi-alb-elastic-target-9200-instance" { count = var.alsi_workers * (var.alsi_elastic_alb ? 1 : 0) target_group_arn = aws_lb_target_group.alsi-alb-elastic-target-9200[0].arn target_id = aws_instance.worker[count.index].id port = 9200 } ######################### # Security Group for ALB resource "aws_security_group" "alsi-alb-elastic-sg" { name_prefix = "${var.prefix}-alsi-alb-elastic-sg" lifecycle { create_before_destroy = true } # handle updates gracefully description = "Security Group for the Cribl ALB for elastic" vpc_id = var.vpc_id tags = merge(var.standard_tags, var.tags) } resource "aws_security_group_rule" "alsi-alb-elastic-https-in" { type = "ingress" from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = toset(concat(var.cidr_map["vpc-access"], var.trusted_ips, var.splunk_data_sources)) security_group_id = aws_security_group.alsi-alb-elastic-sg.id } resource "aws_security_group_rule" "alsi-hec-http-in" { # Port 80 is open as a redirect to 443 type = "ingress" from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = toset(concat(var.cidr_map["vpc-access"], var.trusted_ips, var.splunk_data_sources)) security_group_id = aws_security_group.alsi-alb-elastic-sg.id } resource "aws_security_group_rule" "alsi-alb-elastic-9200-out" { type = "egress" from_port = 9200 to_port = 9200 protocol = "tcp" source_security_group_id = aws_security_group.alsi_worker_security_group.id security_group_id = aws_security_group.alsi-alb-elastic-sg.id } ######################### # DNS Entry resource "aws_route53_record" "alsi-alb-elastic" { count = var.alsi_elastic_alb ? 1 : 0 zone_id = var.dns_info["public"]["zone_id"] name = "${ var.prefix }-alsi-elastic" type = "CNAME" records = [aws_lb.alsi-alb-elastic[count.index].dns_name] ttl = "60" provider = aws.mdr-common-services-commercial }