AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
							# An NLB to allow for a static IP on the hec

#########################
# DNS Entry
module "public_dns_record_hec_static" {
  source = "../../../submodules/dns/public_ALIAS_record"

  name            = "${var.prefix}-hec"
  target_dns_name = aws_lb.hec_static.dns_name
  target_zone_id  = aws_lb.hec_static.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#########################
# EIP
resource "aws_eip" "hec_static" {
  count = 2
  vpc   = true

  lifecycle {
    prevent_destroy = true # Even if everything else goes away, we want to keep these.
  }

  tags = merge(local.standard_tags, var.tags, { "Name" : "${var.prefix}-hec-static" })
}

#########################
# ELB
resource "aws_lb" "hec_static" {
  name_prefix        = substr("${var.prefix}-hec-static", 0, 6)
  load_balancer_type = "network"
  internal           = false # tfsec:ignore:aws-elb-alb-not-public LB is intentionally public

  subnet_mapping {
    subnet_id     = var.public_subnets[0]
    allocation_id = aws_eip.hec_static[0].id
  }

  subnet_mapping {
    subnet_id     = var.public_subnets[1]
    allocation_id = aws_eip.hec_static[1].id
  }

  # Access logs are a feedback loop. They create logs that are then sent back through the HEC.
  # They should remain disabled.
  #access_logs {
  #  bucket  = "xdr-elb-${ var.environment }"
  #  enabled = true
  #}

  tags = merge(local.standard_tags, var.tags, { "Name" : "${var.prefix}-hec-static" })
}

#resource "aws_lb_listener" "front_end" {
#  load_balancer_arn = aws_lb.front_end.arn
#  port              = "443"
#  protocol          = "TLS"
#  certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"
#  alpn_policy       = "HTTP2Preferred"
#
#  default_action {
#    type             = "forward"
#    target_group_arn = aws_lb_target_group.front_end.arn
#  }
#}

resource "aws_lb_listener" "hec_static_443" {
  count             = anytrue([local.is_moose, var.hec_listen_443]) ? 1 : 0
  load_balancer_arn = aws_lb.hec_static.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_static_8088.arn
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_lb_listener" "hec_static_8088" {
  load_balancer_arn = aws_lb.hec_static.arn
  port              = 8088
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_static_8088.arn
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_lb_target_group" "hec_static_8088" {
  name_prefix = substr("${var.prefix}-hec-static-targets", 0, 6)
  port        = 8088
  protocol    = "TCP"
  target_type = "alb"
  vpc_id      = var.vpc_id

  health_check {
    port     = 8088
    protocol = "HTTPS"
    path     = "/services/collector/health/1.0"
    interval = "10"
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags, { "Name" : "${var.prefix}-hec-static" })
}

resource "aws_lb_target_group_attachment" "hec_static" {
  target_group_arn = aws_lb_target_group.hec_static_8088.arn
  target_id        = aws_lb.hec.id
  port             = 8088
}