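# Architecture:
# 1. DNS points to an NLB
# 2. NLB:22 forwards to instance:22
# 3. NLB:443 forward to an ALB, which forwards to the instance
# 4. NLB:80 forwards to the same ALB, which forwards to the instance.
#
# The module "static_nlb_to_alb" takes care of #3, but the rest
# we have to handle here.
#
# Review notes on exposure:
# - The ALB is deliberately internet-facing (allow_from_any = true) and the
#   module's WAF is still switched off (waf_enabled = false, TODO below), so
#   as far as this file shows nothing filters HTTP(S) requests before GHE.
# - Port 80 is plaintext all the way (NLB -> ALB -> instance); it is kept only
#   because GHE serves 80 itself and needs it for LetsEncrypt validation.
# - aws_security_group.ghe_server is defined elsewhere. It has to admit 80 from
#   the ALB security group (module.elb.security_group_id) and 22 from the
#   source the NLB presents -- presumably client IPs, since client IP
#   preservation is the default for instance targets; verify against that file.

# tfsec:ignore:aws-elb-alb-not-public Purposefully public
module "elb" {
  source = "../../submodules/load_balancer/static_nlb_to_alb"

  name                      = "github"
  subject_alternative_names = ["*.github.${var.dns_info["public"]["zone"]}"]
  target_ids                = aws_instance.ghe[*].id
  listener_port             = 443
  target_port               = 443
  target_protocol           = "HTTPS"
  target_security_group     = aws_security_group.ghe_server.id
  allow_from_any            = true
  redirect_80               = false # GitHub handles port 80, and needs it for LetsEncrypt

  # WAF variables
  waf_enabled = false # TODO: Turn this on
  #excluded_rules_AWSManagedRulesCommonRuleSet = [ "SizeRestrictions_BODY" ]
  #excluded_rules_AWSManagedRulesAmazonIpReputationList = []
  #excluded_rules_AWSManagedRulesKnownBadInputsRuleSet = []
  #excluded_rules_AWSManagedRulesSQLiRuleSet = []
  #excluded_rules_AWSManagedRulesLinuxRuleSet = []
  #excluded_rules_AWSManagedRulesUnixRuleSet = []
  #additional_blocked_ips = []
  #allowed_ips = []
  #admin_ips = []

  # Optional Variables
  # Health is judged on the HTTPS application endpoint, not on a TCP handshake.
  healthcheck_port     = 443
  healthcheck_protocol = "HTTPS"
  healthcheck_path     = "/status"
  healthcheck_matcher  = "200"
  stickiness           = false

  # Inherited Variables
  tags           = merge(var.standard_tags, var.tags)
  dns_info       = var.dns_info
  public_subnets = var.public_subnets
  environment    = var.environment
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  aws_account_id = var.aws_account_id
  vpc_id         = var.vpc_id

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
    aws.c2                             = aws.c2
  }
}

# Github Needs a Wildcard Record
# Points *.github.<zone> at the NLB (the same endpoint the wildcard SAN above covers).
module "public_dns_record_wildcard" {
  source = "../../submodules/dns/public_ALIAS_record"

  name            = "*.github.${var.dns_info["public"]["zone"]}"
  target_dns_name = module.elb.nlb.dns_name
  target_zone_id  = module.elb.nlb.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#################################
# Add port 80 to the ALB and NLB
#
# GHE uses LetsEncrypt, which needs access on port 80.

# ALB side
# Instance-type target group (default target_type); the health check reuses the
# HTTPS /status endpoint rather than probing the plaintext port.
resource "aws_lb_target_group" "github_alb_80" {
  name_prefix = "gita80"
  port        = 80
  protocol    = "HTTP"
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = 443
    path     = "/status"
    matcher  = "200"
    timeout  = "4"
    interval = "5"
  }

  # name_prefix + create_before_destroy lets the group be replaced without
  # leaving the listener pointing at a deleted target group.
  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}

# One attachment per GHE instance, keyed by instance id.
resource "aws_lb_target_group_attachment" "github_alb_80" {
  for_each = toset(aws_instance.ghe[*].id)

  target_group_arn = aws_lb_target_group.github_alb_80.arn
  target_id        = each.value
  port             = 80
}

resource "aws_lb_listener" "github_alb_80" {
  load_balancer_arn = module.elb.alb_id
  port              = "80"
  # tfsec:ignore:aws-elb-http-not-used HTTP only used for letsencrypt and redirect
  protocol = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.github_alb_80.arn
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}

# Inbound 80 on the ALB security group. The NLB in front hands the ALB the
# original client address, so this cannot be narrowed to the NLB itself.
resource "aws_security_group_rule" "github_alb_80" {
  description       = "Github - Allow 80 from any"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
  security_group_id = module.elb.security_group_id
}

# Outbound 80 from the ALB is restricted to the GHE instance security group.
resource "aws_security_group_rule" "github_alb_80_out" {
  description              = "Github - Allow 80 to the instances"
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ghe_server.id
  security_group_id        = module.elb.security_group_id
}

# NLB Side
# ALB-type target group: the NLB forwards TCP/80 to the ALB, not to instances.
resource "aws_lb_target_group" "github_nlb_80" {
  name_prefix = "gitn80"
  target_type = "alb"
  port        = 80
  protocol    = "TCP"
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "github_nlb_80" {
  target_group_arn = aws_lb_target_group.github_nlb_80.arn
  target_id        = module.elb.alb_id
  port             = 80

  # AWS expects an ALB registered as an NLB target to already have a listener
  # on the target port, and nothing else orders this attachment after the
  # port-80 ALB listener above. Make the ordering explicit so a fresh apply does
  # not race the two creates. NOTE(review): confirm against the provider's
  # ALB-target behaviour; the dependency is harmless if the check is not enforced.
  depends_on = [aws_lb_listener.github_alb_80]
}

resource "aws_lb_listener" "github_nlb_80" {
  load_balancer_arn = module.elb.nlb_id
  port              = "80"
  protocol          = "TCP" # tfsec:ignore:aws-elb-http-not-used HTTP only for letsencrypt and redirects

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.github_nlb_80.arn
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}

##########################
# Add port 22 to the NLB
#
# Git-over-SSH goes straight from the NLB to the instances (no ALB in the path).
# No health_check block is given, so the target group uses the AWS default
# (TCP check on the traffic port).
resource "aws_lb_target_group" "github_ssh" {
  name_prefix = "gitssh"
  port        = 22
  protocol    = "TCP"
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "github_ssh" {
  for_each = toset(aws_instance.ghe[*].id)

  target_group_arn = aws_lb_target_group.github_ssh.arn
  target_id        = each.value
  port             = 22
}

resource "aws_lb_listener" "github_ssh" {
  load_balancer_arn = module.elb.nlb_id
  port              = "22"
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.github_ssh.arn
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}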