xdr-terraform-modules/base/customer_portal/elb.tf

locals {
    #allow some users to view test portal
    portal_test_whitelist = [
    "12.245.107.250/32",   # DPS Office Legato
    "12.204.167.162/32",   # DPS Office San Antonio
    "54.86.98.62/32",      # DPS AWS User VPN
    "75.138.227.80/32",    # Duane Waddle
    "24.11.231.98/32",     # George Starcher
    "99.151.37.185/32",    # Wesley Leonard
    "70.106.200.157/32",   # John Reuther
    "73.10.53.113/32",     # Rick Page Home
    "50.21.207.50/32",     # Brad Poulton
    "70.160.60.248/32",    # Brandon Naughton 
    "99.56.213.129/32",    # Frederick Damstra
  ]

}

# ---------------------------------------------------------------------------------------------------------------------
# LOAD BALANCER FOR PORTAL
# ---------------------------------------------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}

resource "aws_alb" "portal" {
  name            = "portal-alb-${var.environment}"
  security_groups = [ aws_security_group.customer_portal_alb.id, ]
  internal        = false 
  subnets         = var.subnets

  tags = merge( var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })

  access_logs {
    bucket = "xdr-elb-${ var.environment }"
    prefix = ""
    enabled = true
  }
}

# Create a new target group
resource "aws_alb_target_group" "portal" {
  name                 = "portal-alb-targets-${var.environment}"
  port                 = 443 
  protocol             = "HTTPS"
  vpc_id               = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path    = "/"
    matcher = "200-400"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false 
  }

  tags = merge( var.standard_tags, var.tags, )
}

resource "aws_autoscaling_attachment" "portal" {
  autoscaling_group_name = module.customer_portal_asg.this_autoscaling_group_name
  alb_target_group_arn   = aws_alb_target_group.portal.arn
}

# Create a new alb listener ( certificate_arn wait for DNS cut over )
resource "aws_alb_listener" "portal_https" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  #certificate_arn   = aws_acm_certificate_validation.portal_cert.certificate_arn

  default_action {
    target_group_arn = aws_alb_target_group.portal.arn
    type             = "forward"
  }
}

# resource "aws_alb_listener_certificate" "portal_https_cert" {
#   certificate_arn   = data.aws_acm_certificate.portal_cert_v2.arn
#   listener_arn      = aws_alb_listener.portal_https.arn
# }
 


# HTTPs Redirect
resource "aws_lb_listener" "portal_https_redirect" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

#resource "aws_route53_record" "portal_cert_validation" {
#  name    = "${aws_acm_certificate.portal_cert.domain_validation_options.0.resource_record_name}"
#  type    = "${aws_acm_certificate.portal_cert.domain_validation_options.0.resource_record_type}"
#  zone_id = "${data.terraform_remote_state.infra.public_zone}"
#  records = ["${aws_acm_certificate.portal_cert.domain_validation_options.0.resource_record_value}"]
#  ttl     = 60
#}

#resource "aws_acm_certificate" "portal_cert" {
#  domain_name       = "portal.${data.terraform_remote_state.infra.private_zone2_name}"
#  validation_method = "DNS"
#
#  tags = {
#    Name = "portal-cert-${terraform.workspace}"
#    Environment = "${terraform.workspace}"
#  }
#}

#data "aws_acm_certificate" "portal_cert_v2" {
#  domain = "portal.${terraform.workspace == "test" ? "xdrtest" : "xdr" }.accenturefederalcyber.com"
#  most_recent = true
#}

#resource "aws_acm_certificate_validation" "portal_cert" {
#  certificate_arn         = "${aws_acm_certificate.portal_cert.arn}"
#  validation_record_fqdns = ["${aws_route53_record.portal_cert_validation.fqdn}"]
#}

#Wait to transfer the DNS until you are 100% ready!
# DNS Alias for the LB
# resource "aws_route53_record" "portal" {
#   zone_id = var.dns_info["public"]["zone_id"]
#   name    = "portal.${var.dns_info["public"]["zone_id"]}"
#   records = [ aws_alb.portal.dns_name, ]
#   type    = "CNAME"
#   ttl     = 60
# }

# resource "aws_route53_record" "portal_private" {
#   zone_id = var.dns_info["private"]["zone_id"]
#   name    = "portal.${var.dns_info["private"]["zone_id"]}" 
#   type    = "CNAME" 
#   records = [ aws_alb.portal.dns_name, ]
#   ttl     = 60
# }

#------------------------------------
# Security Group
#------------------------------------

resource "aws_security_group" "customer_portal_alb" {
  name        = "customer_portal_alb_inbound_sg"
  description = "Allow Customer Portal ALB HTTP Traffic Inbound"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0",  ]
  }

  #Allow viewing of test portal from home. We don't want world to view test portal. 
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = flatten(local.portal_test_whitelist)
  }

  ## Needed for HTTPs redirect
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
  }
}

resource "aws_security_group_rule" "customer_portal_alb" {
  protocol                 = "tcp"
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  security_group_id        = aws_security_group.customer_portal_alb.id
  source_security_group_id = aws_security_group.customer_portal.id
}