xdr-terraform-modules/base/splunk_servers/customer_searchhead/elb-auth.tf

resource "aws_lb" "searchhead-auth-alb" {
  name               = "${local.alb_name}-auth"
  internal           = false
  load_balancer_type = "application"
  # Not supported for NLB
  security_groups    = [aws_security_group.searchhead-auth-alb-sg.id]
  # Note, changing subnets results in recreation of the resource
  subnets            = var.public_subnets
  enable_cross_zone_load_balancing = true

  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags)
}

#########################
# Listeners
resource "aws_lb_listener" "searchhead-auth-alb-listener-https" {
  load_balancer_arn = aws_lb.searchhead-auth-alb.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
  certificate_arn   = aws_acm_certificate.cert-auth.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn
  }
}

# Redirect HTTP to HTTPS
resource "aws_lb_listener" "searchhead-auth-alb-listener-http" {
  load_balancer_arn = aws_lb.searchhead-auth-alb.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type             = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

#########################
# Targets
resource "aws_lb_target_group" "searchhead-auth-alb-target-10000" {
  name     = "${local.alb_name}-10000"
  port     = 10000
  protocol = "HTTPS"
  target_type = "instance"
  vpc_id   = var.vpc_id
  tags = merge(var.standard_tags, var.tags)

  health_check {
    enabled = true
    path = "/Saml2IDP/proxy.xml"
    port = 10000
    protocol = "HTTPS"
  }

  # Stickiness is not needed here, but we'll need it if we add SHs
  stickiness {
    type = "lb_cookie"
    cookie_duration = 86400 # 1 day
    enabled = true
  }
}

resource "aws_lb_target_group_attachment" "searchhead-auth-alb-target-10000-instance" {
  target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn
  target_id        = aws_instance.instance.id
  port             = 10000
}

#########################
# Security Group for ALB
resource "aws_security_group" "searchhead-auth-alb-sg" {
  name = "${local.alb_name}-customer-auth-alb-sh"
  description = "Security Group for the Customer Searchhead Authorization ALB"
  vpc_id = var.vpc_id
  tags = merge(var.standard_tags, var.tags)
}

resource "aws_security_group_rule" "searchhead-auth-alb-https-in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = local.alb_clients
  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
}

resource "aws_security_group_rule" "searchhead-auth-http-in" {
  # Port 80 is open as a redirect to 443
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = local.alb_clients
  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
}

resource "aws_security_group_rule" "searchhead-auth-alb-10000-out" {
  type              = "egress"
  from_port         = 10000
  to_port           = 10000
  protocol          = "tcp"
  # Maybe should limit to the local vpc, but I don't readily have that cidr available
  cidr_blocks       = [ var.vpc_cidr ]
  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
}

#########################
# DNS Entry
module "public_dns_record_cust-auth-elb" {
  source = "../../../submodules/dns/public_ALIAS_record"

  name = "${local.auth_short_name}"

  target_dns_name = aws_lb.searchhead-auth-alb.dns_name
  target_zone_id  = aws_lb.searchhead-auth-alb.zone_id
  dns_info = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}