# Public-facing Network Load Balancer that fronts the OpenVPN instance
# (aws_instance.instance, defined elsewhere) on tcp/443 (TLS) and udp/1194,
# plus the public DNS alias that points at it.
#
# Security notes for reviewers:
# - This NLB carries no security group (see the commented-out block at the
#   bottom), so the instance's own security group — not managed in this
#   file — is the only network perimeter for both ports. NLB instance
#   targets pass the original client source IP through by default
#   (preserve_client_ip), so that security group must admit the intended
#   client ranges directly on tcp/443 and udp/1194; it is also the place to
#   narrow access if 0.0.0.0/0 is not wanted. TODO confirm against the
#   instance module.
# - NOTE(review): AWS has since added security-group support for NLBs; if
#   the provider version in use supports it, the block below could be
#   revived and attached via `security_groups`. Verify before relying on it.
resource "aws_lb" "openvpn-nlb" {
  name               = "openvpn-nlb"
  internal           = false
  load_balancer_type = "network"

  # Not supported for NLB (at the provider version this was written against)
  #security_groups = [aws_security_group.openvpn-nlb-sg.id]

  # Note: changing subnets forces recreation of the load balancer (new DNS
  # name / zone id, so the public alias below is re-pointed as well).
  subnets                          = var.public_subnets
  enable_cross_zone_load_balancing = true

  # NLB access logs only record traffic on TLS listeners; udp/1194 flows do
  # not appear here — use VPC Flow Logs or the OpenVPN server log for those.
  # The bucket must already exist with a policy allowing ELB log delivery
  # (not managed in this file).
  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags)
}

#########################
# Listeners

# TLS listener on 443, terminated at the NLB with the ACM certificate and
# re-encrypted to the instance (target group protocol is TLS, below).
resource "aws_lb_listener" "openvpn-nlb-listener-https" {
  load_balancer_arn = aws_lb.openvpn-nlb.arn
  port              = "443"
  protocol          = "TLS"
  # Forward-secrecy ciphers only, TLS 1.2 minimum — the most restrictive
  # predefined policy at the time of writing (took a while to find).
  # NOTE(review): newer predefined policies that also allow TLS 1.3 exist;
  # check the current AWS list before the next change here.
  ssl_policy      = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
  certificate_arn = aws_acm_certificate.cert.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.openvpn-nlb-target-https.arn
  }
}

# Only ALBs can redirect; an NLB cannot serve an HTTP->HTTPS redirect, so
# port 80 is simply not exposed.
#resource "aws_lb_listener" "openvpn-nlb-listener-http" {
#  load_balancer_arn = aws_lb.openvpn-nlb.arn
#  port              = "80"
#  protocol          = "HTTP"
#
#  default_action {
#    type = "redirect"
#
#    redirect {
#      port        = "443"
#      protocol    = "HTTPS"
#      status_code = "HTTP_301"
#    }
#  }
#}

# OpenVPN data channel on udp/1194, passed straight through (no TLS
# termination at the NLB; OpenVPN does its own TLS inside the tunnel).
resource "aws_lb_listener" "openvpn-nlb-listener-openvpn" {
  load_balancer_arn = aws_lb.openvpn-nlb.arn
  port              = "1194"
  protocol          = "UDP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.openvpn-nlb-target-openvpn.arn
  }
}

#########################
# Targets

# Health checks are left at the provider/AWS defaults for both target groups.
resource "aws_lb_target_group" "openvpn-nlb-target-https" {
  name        = "openvpn-nlb-target-https"
  port        = 443
  protocol    = "TLS"
  target_type = "instance"
  vpc_id      = var.vpc_id

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "openvpn-nlb-target-https-instance" {
  target_group_arn = aws_lb_target_group.openvpn-nlb-target-https.arn
  target_id        = aws_instance.instance.id
  port             = 443
}

resource "aws_lb_target_group" "openvpn-nlb-target-openvpn" {
  name        = "openvpn-nlb-target-openvpn"
  port        = 1194
  protocol    = "UDP"
  target_type = "instance"
  vpc_id      = var.vpc_id

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "openvpn-nlb-target-openvpn-instance" {
  target_group_arn = aws_lb_target_group.openvpn-nlb-target-openvpn.arn
  target_id        = aws_instance.instance.id
  port             = 1194
}

#########################
# Security Group for NLB
#
# Kept for reference only. From tf at the time:
#   Error: error creating network Load Balancer: InvalidConfigurationRequest:
#   Security groups are not supported for load balancers with type 'network'
#
# If this is ever revived: the ingress rules below open both ports to the
# whole internet (0.0.0.0/0); consider narrowing to known client ranges.
# For the egress rules, the VPC CIDR is available without hard-coding via
# `data "aws_vpc"` on var.vpc_id (its cidr_block attribute).
#resource "aws_security_group" "openvpn-nlb-sg" {
#  name        = "openvpn_nlb_sg"
#  description = "Security Group for the OpenVPN NLB"
#  vpc_id      = var.vpc_id
#  tags        = merge(var.standard_tags, var.tags)
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-in" {
#  type              = "ingress"
#  from_port         = 1194
#  to_port           = 1194
#  protocol          = "udp"
#  cidr_blocks       = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-https-in" {
#  type              = "ingress"
#  from_port         = 443
#  to_port           = 443
#  protocol          = "tcp"
#  cidr_blocks       = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-out" {
#  type      = "egress"
#  from_port = 1194
#  to_port   = 1194
#  protocol  = "udp"
#  # Should probably be limited to the local VPC CIDR rather than all of
#  # 10/8 (see note above on data "aws_vpc").
#  cidr_blocks       = [ "10.0.0.0/8" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-https-out" {
#  type      = "egress"
#  from_port = 443
#  to_port   = 443
#  protocol  = "tcp"
#  # Same note as above: limit to the local VPC CIDR if possible.
#  cidr_blocks       = [ "10.0.0.0/8" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}

#########################
# DNS Entry

# Public ALIAS record (var.instance_name, in the zone described by
# var.dns_info) pointing at the NLB, created in the shared commercial
# account via the aliased provider. The ACM certificate used on the 443
# listener presumably has to cover this hostname — TODO confirm where
# aws_acm_certificate.cert is defined.
module "public_dns_record" {
  source = "../../submodules/dns/public_ALIAS_record"

  name            = var.instance_name
  target_dns_name = aws_lb.openvpn-nlb.dns_name
  target_zone_id  = aws_lb.openvpn-nlb.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}