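#------------------------------------------------------------------------------
# An external ALB for the indexers for HEC
#
# Every resource in this file is gated on local.splunk_private_hec: when it is
# false each resource has count = 0 (or an empty for_each) and nothing is built.
#------------------------------------------------------------------------------

#########################
# DNS Entry
# CNAME in the private zone pointing at the ALB's DNS name.
module "private_dns_record_hec_pvt" {
  source  = "../../../submodules/dns/private_CNAME_record"
  enabled = local.splunk_private_hec
  name    = "${var.prefix}-hec"
  # "na" is only a placeholder so the expression stays valid when the ALB does
  # not exist; the module is disabled in that case anyway.
  target_dns_names = local.splunk_private_hec ? [aws_lb.hec_pvt[0].dns_name] : ["na"]
  dns_info         = var.dns_info
  providers = {
    aws.c2 = aws.c2
  }
}

#########################
# Certificate - NOTE: Public certificate for a private HEC
# The certificate is issued for a name in the private zone, but its DNS
# validation CNAMEs are written to the public hosted zone (see
# aws_route53_record.hec_pvt_cert_validation below). NOTE(review): this only
# works if the public zone is authoritative for the private zone name - confirm.
resource "aws_acm_certificate" "hec_pvt_cert" {
  count             = local.splunk_private_hec ? 1 : 0
  domain_name       = "${var.prefix}-hec.${var.dns_info["private"]["zone"]}"
  validation_method = "DNS"

  # Renewals/replacements get a new cert before the old one is detached so the
  # listeners never point at a deleted certificate.
  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

# Waits for ACM to see the validation records. Listeners reference
# certificate_arn via this resource so they are not created before issuance.
resource "aws_acm_certificate_validation" "hec_pvt_cert_validation" {
  count           = local.splunk_private_hec ? 1 : 0
  certificate_arn = aws_acm_certificate.hec_pvt_cert[count.index].arn
  # will be empty if not moose
  validation_record_fqdns = [for record in aws_route53_record.hec_pvt_cert_validation : record.fqdn]
}

# One validation CNAME per domain on the certificate, keyed by domain name.
resource "aws_route53_record" "hec_pvt_cert_validation" {
  provider = aws.mdr-common-services-commercial
  for_each = (local.splunk_private_hec ? {
    for dvo in aws_acm_certificate.hec_pvt_cert[0].domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  } : {}) # Empty map if not moose

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.dns_info["public"]["zone_id"]
}

#########################
# ELB
# Internal ALB in the private subnets; drop_invalid_header_fields removes
# headers that are not valid per RFC 7230 before they reach the indexers.
# NOTE(review): ALB/target-group names are limited to 32 characters - confirm
# var.prefix keeps "${var.prefix}-hec-private" and "-hec-pvt-targets" in range.
resource "aws_lb" "hec_pvt" {
  count                      = local.splunk_private_hec ? 1 : 0
  tags                       = merge(local.standard_tags, var.tags)
  name                       = "${var.prefix}-hec-private"
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.hec_pvt_elb_security_group[0].id]
  subnets                    = var.private_subnets
  internal                   = true
  drop_invalid_header_fields = true
}

# HTTPS on 443, forwarded to the HEC target group on 8088.
resource "aws_lb_listener" "hec_pvt_443" {
  count             = local.splunk_private_hec ? 1 : 0
  load_balancer_arn = aws_lb.hec_pvt[0].arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  # Go through the validation resource rather than the certificate directly:
  # attaching a certificate that is still PENDING_VALIDATION fails at apply.
  certificate_arn = aws_acm_certificate_validation.hec_pvt_cert_validation[0].certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
  }
}

# Same service exposed on 8088 (presumably for clients that default to the
# native HEC port); identical TLS policy and target group as the 443 listener.
resource "aws_lb_listener" "hec_pvt_8088" {
  count             = local.splunk_private_hec ? 1 : 0
  load_balancer_arn = aws_lb.hec_pvt[0].arn
  port              = 8088
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  # Same ordering guarantee as the 443 listener: wait for ACM issuance.
  certificate_arn = aws_acm_certificate_validation.hec_pvt_cert_validation[0].certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
  }
}

# Indexer instances on 8088; traffic from the ALB to the targets stays HTTPS
# and the health check hits the HEC collector health endpoint over HTTPS too.
resource "aws_lb_target_group" "hec_pvt_8088" {
  count       = local.splunk_private_hec ? 1 : 0
  name        = "${var.prefix}-hec-pvt-targets"
  port        = 8088
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    path     = "/services/collector/health/1.0"
    protocol = "HTTPS"
  }
}

# Attach the instances to the ELB
# One attachment per indexer ASG. Both branches of the conditional are
# set(string) so the expression has a consistent type (an empty tuple on the
# false side is rejected by some Terraform versions).
resource "aws_autoscaling_attachment" "hec_pvt_asg_attachments" {
  for_each = local.splunk_private_hec ? toset([
    module.indexer0.asg_name[0],
    module.indexer1.asg_name[0],
    module.indexer2.asg_name[0],
  ]) : toset([])

  lb_target_group_arn    = aws_lb_target_group.hec_pvt_8088[0].arn
  autoscaling_group_name = each.key
}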