xdr-terraform-modules/base/teleport-single-instance/alb.tf

#----------------------------------------------------------------------------
# EXTERNAL APPLICATION LB
#----------------------------------------------------------------------------

resource "aws_alb" "external" {
  name                       = "${var.instance_name}-alb-external-${var.environment}"
  security_groups            = [aws_security_group.alb_server_external.id]
  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
  subnets                    = var.subnets
  load_balancer_type         = "application"
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags, { Name = "${var.instance_name}-alb-external-${var.environment}" })
}

# Create a new target group
resource "aws_alb_target_group" "external" {
  # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
  # otherwise, you get stuck in `destroying` during routine changes.
  name_prefix = substr(var.instance_name, 0, 6)
  port        = 3080
  protocol    = "HTTPS"
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "3080"
    path     = "/web/login"
    matcher  = "200-400"
    timeout  = "4"
    interval = "5"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags)
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_lb_target_group_attachment" "external" {
  target_group_arn = aws_alb_target_group.external.arn
  target_id        = aws_instance.instance.id
  port             = 3080
}

# Create a new alb listener
resource "aws_alb_listener" "https_external" {
  load_balancer_arn = aws_alb.external.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.external.arn
    type             = "forward"
  }
}

resource "aws_alb_listener" "alb_3080_external" {
  load_balancer_arn = aws_alb.external.arn
  port              = "3080"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.external.arn
    type             = "forward"
  }
}

resource "aws_lb_listener" "http_external" {
  load_balancer_arn = aws_alb.external.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# #########################
# # DNS Entry
module "public_dns_record_for_alb" {
  source = "../../submodules/dns/public_ALIAS_record"

  name            = var.instance_name
  target_dns_name = aws_alb.external.dns_name
  target_zone_id  = aws_alb.external.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------

resource "aws_security_group" "alb_server_external" {
  vpc_id = var.vpc_id
  # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
  # otherwise, you get stuck in `destroying` during routine changes.
  name_prefix = "${var.instance_name}-alb-sg-external"
  description = "Teleport LB SG"
  tags        = merge(local.standard_tags, var.tags)
  lifecycle {
    create_before_destroy = true
  }
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "alb-http-in" {
  description       = "HTTPS In"
  type              = "ingress"
  from_port         = "80"
  to_port           = "80"
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.alb_server_external.id
}

resource "aws_security_group_rule" "alb-https-in" {
  description       = "HTTPS In"
  type              = "ingress"
  from_port         = "443"
  to_port           = "443"
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.alb_server_external.id
}

resource "aws_security_group_rule" "alb-3080-in" {
  description       = "3080 In"
  type              = "ingress"
  from_port         = "3080"
  to_port           = "3080"
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.alb_server_external.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------

resource "aws_security_group_rule" "alb_to_server" {
  type                     = "egress"
  from_port                = 3080
  to_port                  = 3080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance.id
  description              = "Allows the ALB to talk to the Sensu servers"
  security_group_id        = aws_security_group.alb_server_external.id
}