AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114
							resource "aws_alb" "vault" {
  name            = "vault-alb-${var.environment}"
  security_groups = [ aws_security_group.vault_ALB_server.id ]
  internal        = true 
  subnets         = var.subnets


  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags, { Name = "vault-alb-${var.environment}" })
}

# Create a new target group
resource "aws_alb_target_group" "vault" {
  name                 = "vault-alb-targets-https-${var.environment}"
  port                 = 443 
  protocol             = "HTTPS"
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id               = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/v1/sys/health"
    matcher  = "200"
    timeout  = "4"
    interval = "5"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false 
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "vault" {
  for_each = toset(var.instance_count)
  target_group_arn = aws_alb_target_group.vault.arn
  target_id        = aws_instance.instance[each.key].id
  port             = 443
}

# Create a new alb listener
resource "aws_alb_listener" "vault_https" {
  load_balancer_arn = aws_alb.vault.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.vault.arn
    type             = "forward"
  }
}

# #########################
# # DNS Entry
# module "public_dns_record" {
#   source = "../../submodules/dns/public_ALIAS_record"

#   name = var.instance_name
#   target_dns_name = aws_lb.openvpn-nlb.dns_name
#   target_zone_id  = aws_lb.openvpn-nlb.zone_id
#   dns_info = var.dns_info

#   providers = {
#     aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
#   }
# }

#DNS Alias for the LB ( the CNAME was required. an Alias did NOT work due to aws/bug. )
resource "aws_route53_record" "vault_internal" {
  zone_id = var.dns_info["private"]["zone_id"]
  name    = var.instance_name 
  type    = "CNAME" 
  records = [aws_alb.vault.dns_name]
  ttl = "60"
  provider = aws.c2
}

#----------------------------------------------------------------------------
# Vault ALB Security Group
#----------------------------------------------------------------------------

resource "aws_security_group" "vault_ALB_server" {
  vpc_id      = var.vpc_id
  name        = "vault-alb-sg"
  tags = merge(var.standard_tags, var.tags)
}

resource "aws_security_group_rule" "vault_server_from_vpc" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "Allows the server to receive traffic from everywhere"
  security_group_id = aws_security_group.vault_ALB_server.id
}

resource "aws_security_group_rule" "alb_to_vault_server" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  source_security_group_id = aws_security_group.instance_security_group.id
  description       = "Allows the ALB to talk to the vault servers"
  security_group_id = aws_security_group.vault_ALB_server.id
}