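#----------------------------------------------------------------------------
# EXTERNAL LB
#----------------------------------------------------------------------------
# Internet-facing ALB in front of the Jira Server instance. TLS terminates
# here; traffic from the ALB to the instance is plaintext HTTP on 8080
# inside the VPC (see the target group and the egress rule below).
resource "aws_alb" "jira_server_external" {
  name               = "jira-server-alb-external-${var.environment}"
  security_groups    = [aws_security_group.jira_server_alb_server_external.id]
  internal           = false
  subnets            = var.public_subnets
  load_balancer_type = "application"

  # Reject requests whose header names are not valid HTTP tokens instead of
  # forwarding them to the backend. This closes a class of header-injection /
  # request-smuggling tricks against the Jira/Tomcat backend; compliant
  # browsers and API clients never send such headers.
  drop_invalid_header_fields = true

  # NOTE(review): desync_mitigation_mode is left at the AWS default
  # ("defensive"). "strictest" hardens further against HTTP desync attacks
  # but can reject some legitimate clients -- evaluate before enabling.
  # NOTE(review): consider enable_deletion_protection = true for production;
  # not set here so destroy behaviour is unchanged.

  # Access logs go to a per-environment bucket. The bucket must already exist
  # and allow PutObject from the regional ELB log-delivery account, otherwise
  # creating the load balancer fails.
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  # 20 minutes, far above the 60s default -- presumably for long-running Jira
  # requests (large exports/searches). Confirm this is still required; long
  # idle timeouts keep more half-open connections alive on the ALB.
  idle_timeout = 1200

  tags = merge(var.standard_tags, var.tags, {
    Name = "jira-server-alb-external-${var.environment}"
  })
}

# Target group for the Jira instance (Tomcat on 8080, plaintext HTTP).
# NOTE(review): unlike the ALB, the name carries no environment suffix.
# Target group names are unique per account+region, so a second environment
# deployed into the same account would collide. Renaming forces replacement,
# so it is deliberately left unchanged here.
resource "aws_alb_target_group" "jira_server_external" {
  name     = "jira-server-alb-targets"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  # A 302 from "/" counts as healthy alongside 200 -- presumably because Jira
  # redirects the root path rather than serving it directly.
  health_check {
    protocol            = "HTTP"
    port                = "8080"
    path                = "/"
    matcher             = "200,302"
    timeout             = "4"
    interval            = "5"
    unhealthy_threshold = 2
    healthy_threshold   = 2
  }

  #stickiness {
  #  type    = "lb_cookie"
  #  enabled = false
  #}

  tags = merge(var.standard_tags, var.tags)
}

# Register the single Jira EC2 instance as the only target.
resource "aws_lb_target_group_attachment" "jira_server_external" {
  target_group_arn = aws_alb_target_group.jira_server_external.arn
  target_id        = aws_instance.jira-server-instance.id
  port             = 8080
}

# HTTPS listener. TLS terminates at the ALB with a forward-secrecy,
# TLS 1.2-only policy. NOTE(review): AWS has since published TLS 1.3-capable
# policies (e.g. ELBSecurityPolicy-TLS13-1-2-Res-2021-06); consider moving
# once client compatibility is confirmed.
resource "aws_alb_listener" "jira_server_https_external" {
  load_balancer_arn = aws_alb.jira_server_external.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
  certificate_arn   = aws_acm_certificate.cert_public.arn

  default_action {
    target_group_arn = aws_alb_target_group.jira_server_external.arn
    type             = "forward"
  }
}

# Plain HTTP listener. Port 80 exists only to issue a permanent redirect to
# HTTPS; no HTTP request from the internet is ever forwarded to the backend.
resource "aws_lb_listener" "jira_server_listener_http" {
  load_balancer_arn = aws_alb.jira_server_external.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# #########################
# # DNS Entry
# Public ALIAS record "jira" pointing at the ALB, created in the shared
# common-services account via the aliased provider.
module "public_dns_record" {
  source          = "../../../submodules/dns/public_ALIAS_record"
  name            = "jira"
  target_dns_name = aws_alb.jira_server_external.dns_name
  target_zone_id  = aws_alb.jira_server_external.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------
# No inline rules: all ingress/egress is declared with aws_security_group_rule
# below. Terraform removes AWS's default allow-all egress from a VPC security
# group that declares no egress, so the rules below are the complete policy.
# NOTE(review): like the target group, this name has no environment suffix;
# SG names must be unique per VPC, so this only collides if two environments
# share a VPC.
resource "aws_security_group" "jira_server_alb_server_external" {
  vpc_id      = var.vpc_id
  name        = "jira-server-alb-sg-external"
  description = "ALB for JIRA"
  tags        = merge(var.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# Both rules admit the whole IPv4 internet, so the Jira login page and every
# unauthenticated Jira endpoint are reachable by anyone. Port 80 is only the
# redirect (see listener above). NOTE(review): if the user population is
# known, narrow cidr_blocks to an allowlist; otherwise consider putting a WAF
# web ACL (aws_wafv2_web_acl_association) in front of this ALB.
resource "aws_security_group_rule" "http_from_internet" {
  description       = "HTTP inbound from Internet"
  type              = "ingress"
  from_port         = "80"
  to_port           = "80"
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.jira_server_alb_server_external.id
}

resource "aws_security_group_rule" "https_from_internet" {
  description       = "HTTPS inbound from Internet"
  type              = "ingress"
  from_port         = "443"
  to_port           = "443"
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.jira_server_alb_server_external.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# The ALB may only talk to members of the Jira server security group on 8080.
# For an egress rule the provider's `source_security_group_id` attribute
# designates the *destination* group, despite its name. Because this is the
# only egress rule, the ALB has no other outbound path.
resource "aws_security_group_rule" "jira_alb_to_server" {
  description              = "Jira to the Server"
  type                     = "egress"
  from_port                = "8080"
  to_port                  = "8080"
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.jira_server.id
  security_group_id        = aws_security_group.jira_server_alb_server_external.id
}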