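# Listener ports, keyed by the Sensu component each one fronts. Every
# for_each below fans out over this map, so adding a port here creates a
# target group, an attachment, a listener and one ingress + one egress rule.
locals {
  alb_listener_ports = {
    ui    = "8000"
    api   = "8080"
    agent = "8081"
  }
}

#----------------------------------------------------------------------------
# INTERNAL LB
#----------------------------------------------------------------------------
resource "aws_alb" "sensu_internal" {
  name            = "sensu-alb-internal-${var.environment}"
  security_groups = [aws_security_group.sensu_alb_server_internal.id]
  # Internal-only: the ALB receives private addresses in the private subnets
  # and is not reachable from the internet.
  internal           = true
  subnets            = var.private_subnets
  load_balancer_type = "application"
  # Drop requests carrying header names that are not valid HTTP tokens instead
  # of forwarding them to the backend (request-smuggling hardening).
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags, { Name = "sensu-alb-internal-${var.environment}" })
}

# One target group per listener port. Traffic to the instance is re-encrypted
# (protocol = HTTPS), so the backend must serve TLS on every port in the map.
resource "aws_alb_target_group" "sensu_internal" {
  for_each = local.alb_listener_ports

  # NOTE(review): the name carries no environment suffix. Target-group names
  # must be unique per account and region, so a second environment deployed
  # into the same account would collide — confirm before that happens.
  name     = "sensu-alb-targets-${each.key}"
  port     = each.value
  protocol = "HTTPS"
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id   = var.vpc_id

  # All three target groups probe the API port's /health endpoint rather than
  # their own traffic port, so the ui and agent groups report the API's health
  # state. Presumably intentional while everything runs on one instance —
  # confirm if the components are ever split across hosts.
  health_check {
    protocol = "HTTPS"
    port     = "8080"
    path     = "/health"
    matcher  = "200"
    timeout  = 4 # seconds; must stay below interval
    interval = 5 # seconds; the ALB minimum
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false
  }

  tags = merge(local.standard_tags, var.tags)
}

# Register the single Sensu instance in every target group on its listener port.
resource "aws_lb_target_group_attachment" "sensu_internal" {
  for_each = local.alb_listener_ports

  target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
  target_id        = aws_instance.instance.id
  port             = each.value
}

# One HTTPS listener per port, terminating TLS with the ACM certificate and
# forwarding to the target group with the same key.
resource "aws_alb_listener" "sensu_internal" {
  for_each = local.alb_listener_ports

  load_balancer_arn = aws_alb.sensu_internal.arn
  port              = each.value
  protocol          = "HTTPS"
  # PFS, TLS 1.2 only and GCM ciphers; the most "restrictive" predefined policy.
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
  # NOTE(review): the certificate is referenced directly, so the listener can
  # be created before ACM validation finishes; if validation is managed in
  # Terraform, depending on the validation resource avoids a failed apply.
  certificate_arn = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
    type             = "forward"
  }
}

# DNS alias for the LB. A CNAME is required here: an Alias record did NOT work
# due to an AWS bug.
resource "aws_route53_record" "sensu_internal" {
  zone_id  = var.dns_info["private"]["zone_id"]
  name     = var.instance_name
  type     = "CNAME"
  records  = [aws_alb.sensu_internal.dns_name]
  ttl      = 60
  provider = aws.c2
}

#----------------------------------------------------------------------------
# Sensu ALB Security Group
#----------------------------------------------------------------------------
# Rules are attached as separate aws_security_group_rule resources below, so
# no inline ingress/egress blocks may be added here (the two forms conflict).
resource "aws_security_group" "sensu_alb_server_internal" {
  vpc_id = var.vpc_id
  # NOTE(review): no environment suffix. Security-group names must be unique
  # within a VPC, so this only works while each environment has its own VPC —
  # confirm.
  name        = "sensu-alb-sg-internal"
  description = "Sensu Internal LB SG"
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# Admit the listener ports from the whole 10.0.0.0/8 range. That is every
# peered or on-premises 10.x network, not just this VPC; narrow it to the VPC
# CIDR or a source security group if only in-VPC clients should reach the ALB.
resource "aws_security_group_rule" "sensu_from_vpc" {
  for_each = local.alb_listener_ports

  type              = "ingress"
  description       = "Sensu ${each.key}"
  from_port         = each.value
  to_port           = each.value
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.sensu_alb_server_internal.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# Egress from the ALB is limited to the instance security group on the
# listener ports. For an egress rule, source_security_group_id names the
# *destination* of the traffic. The provider removes AWS's default allow-all
# egress rule on creation, so these rules are presumably the ALB's only egress
# — verify in the console after apply. Health checks target 8080, which is in
# the map, so they are covered.
resource "aws_security_group_rule" "sensu_from_alb" {
  for_each = local.alb_listener_ports

  type                     = "egress"
  description              = "Sensu ${each.key}"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance_security_group.id
  security_group_id        = aws_security_group.sensu_alb_server_internal.id
}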