AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
							#------------------------------------------------------------------------------
# An external ALB for the indexers for HEC
#------------------------------------------------------------------------------

#########################
# DNS Entry
resource "aws_route53_record" "hec" {
  name    = "${var.prefix}-hec"
  type    = "CNAME"
  zone_id = var.dns_info["legacy_public"]["zone_id"]
  ttl     = "600"
  records = [aws_lb.hec.dns_name]

  provider = aws.legacy
}

#resource "aws_route53_record" "hec_public_internal" {
#  name = "${var.prefix}-hec"
#  type = "CNAME"
#  zone_id = var.dns_info["legacy_public_internal"]["zone_id"]
#  ttl = "600"
#  records = [ aws_lb.hec.dns_name ]
#
#  provider = aws.legacy
#}

output "hec-without-ack-fqdn" {
  value = aws_route53_record.hec.fqdn
}

resource "aws_route53_record" "iratemoses" {
  count   = local.is_moose ? 1 : 0
  name    = "iratemoses"
  type    = "CNAME"
  zone_id = var.dns_info["legacy_public"]["zone_id"]
  ttl     = "600"
  records = [aws_lb.hec.dns_name]

  provider = aws.legacy
}

#resource "aws_route53_record" "iratemoses_public_internal" {
#  count = local.is_moose ? 1 : 0
#  name = "iratemoses"
#  type = "CNAME"
#  zone_id = var.dns_info["legacy_public_internal"]["zone_id"]
#  ttl = "600"
#  records = [ aws_lb.hec.dns_name ]
#
#  provider = aws.legacy
#}

resource "aws_route53_record" "iratemoses_public" {
  count   = local.is_moose ? 1 : 0
  name    = "iratemoses"
  type    = "CNAME"
  zone_id = var.dns_info["public"]["zone_id"]
  ttl     = "600"
  records = [aws_lb.hec.dns_name]

  provider = aws.mdr-common-services-commercial
}

output "hec-without-ack-iratemoses-fqdn" {
  value = local.is_moose ? aws_route53_record.iratemoses[0].fqdn : "<not created for non-moose>"
}

output "hec-without-ack-records" {
  value = aws_lb.hec.dns_name
}

#########################
# Certificate
resource "aws_acm_certificate" "hec_cert" {
  domain_name       = "${var.prefix}-hec.${var.dns_info["legacy_public"]["zone"]}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  subject_alternative_names = local.is_moose ? ["iratemoses.${var.dns_info["legacy_public"]["zone"]}"] : []

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_acm_certificate_validation" "hec_cert_validation" {
  certificate_arn         = aws_acm_certificate.hec_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.hec_cert_validation : record.fqdn]
}

resource "aws_route53_record" "hec_cert_validation" {
  provider = aws.legacy

  for_each = {
    for dvo in aws_acm_certificate.hec_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.dns_info["legacy_public"]["zone_id"]
}

#########################
# ELB
resource "aws_lb" "hec" {
  tags                       = merge(local.standard_tags, var.tags)
  name                       = "${var.prefix}-legacy-hec"
  load_balancer_type         = "application"
  security_groups            = [data.aws_security_group.hec_elb_security_group.id]
  subnets                    = var.public_subnets
  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
  drop_invalid_header_fields = true
}

resource "aws_lb_listener" "hec_443" {
  count             = local.is_moose ? 1 : 0
  load_balancer_arn = aws_lb.hec.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.hec_cert.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_8088.arn
  }
}

resource "aws_lb_listener" "hec_8088" {
  load_balancer_arn = aws_lb.hec.arn
  port              = 8088
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.hec_cert.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_8088.arn
  }
}

resource "aws_lb_target_group" "hec_8088" {
  name        = "${var.prefix}-legacy-hec-targets"
  port        = 8088
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    path     = "/services/collector/health/1.0"
    protocol = "HTTPS"
  }
}

# Attach the instnaces to the ELB
resource "aws_autoscaling_attachment" "hec_asg_attachments" {
  for_each               = toset(var.elb_attachments)
  lb_target_group_arn    = aws_lb_target_group.hec_8088.arn
  autoscaling_group_name = each.key
}