AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275
							# lb ports
locals {
  alb_listener_ports = {
       ui    = "8000"
       api   = "8080"
       agent = "8081"
      }
}

#----------------------------------------------------------------------------
# INTERNAL LB
#----------------------------------------------------------------------------

resource "aws_alb" "sensu_internal" {
  name               = "sensu-alb-internal-${var.environment}"
  security_groups    = [ aws_security_group.sensu_alb_server_internal.id ]
  internal           = true 
  subnets            = var.private_subnets
  load_balancer_type = "application"


  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags, { Name = "sensu-alb-internal-${var.environment}" })
}

resource "aws_alb_target_group" "sensu_internal" {
  for_each = local.alb_listener_ports
  name                 = "sensu-alb-targets-${each.key}"
  port                 = each.value 
  protocol             = "HTTPS"
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id               = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "8080"
    path     = "/health"
    matcher  = "200"
    timeout  = "4"
    interval = "5"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false 
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "sensu_internal" {
  for_each = local.alb_listener_ports
  target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
  target_id        = aws_instance.instance.id
  port             = each.value
}

# Create a new alb listener
resource "aws_alb_listener" "sensu_internal" {
  for_each = local.alb_listener_ports
  load_balancer_arn = aws_alb.sensu_internal.arn
  port              = each.value
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
    type             = "forward"
  }
}

#DNS Alias for the LB ( the CNAME was required. an Alias did NOT work due to aws/bug. )
resource "aws_route53_record" "sensu_internal" {
  zone_id = var.dns_info["private"]["zone_id"]
  name    = var.instance_name 
  type    = "CNAME" 
  records = [aws_alb.sensu_internal.dns_name]
  ttl = "60"
  provider = aws.c2
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------

resource "aws_security_group" "sensu_alb_server_internal" {
  vpc_id      = var.vpc_id
  name        = "sensu-alb-sg-internal"
  description = "Sensu Internal LB SG"
  tags = merge(var.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------


resource "aws_security_group_rule" "sensu_from_vpc" {
  for_each = local.alb_listener_ports
  type              = "ingress"
  from_port         = each.value
  to_port           = each.value
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "Sensu ${each.key}"
  security_group_id = aws_security_group.sensu_alb_server_internal.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------

resource "aws_security_group_rule" "sensu_from_alb" {
  for_each = local.alb_listener_ports
  type              = "egress"
  from_port         = each.value
  to_port           = each.value
  protocol          = "tcp"
  source_security_group_id = aws_security_group.instance_security_group.id
  description       = "Sensu ${each.key}"
  security_group_id = aws_security_group.sensu_alb_server_internal.id
}

#----------------------------------------------------------------------------
# EXTERNAL LB
#----------------------------------------------------------------------------

resource "aws_alb" "sensu_external" {
  name               = "sensu-alb-external-${var.environment}"
  security_groups    = [ aws_security_group.sensu_alb_server_external.id ]
  internal           = false 
  subnets            = var.public_subnets
  load_balancer_type = "application"


  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags, { Name = "sensu-alb-external-${var.environment}" })
}

# Create a new target group
resource "aws_alb_target_group" "sensu_external" {
  name                 = "sensu-alb-targets-agent-external"
  port                 = 8081
  protocol             = "HTTPS"
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id               = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "8080"
    path     = "/health"
    matcher  = "200"
    timeout  = "4"
    interval = "5"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false 
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "sensu_external" {
  target_group_arn = aws_alb_target_group.sensu_external.arn
  target_id        = aws_instance.instance.id
  port             = 8081
}

# Create a new alb listener
resource "aws_alb_listener" "sensu_https_external" {
  load_balancer_arn = aws_alb.sensu_external.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
  certificate_arn   = aws_acm_certificate.cert_public.arn

  default_action {
    target_group_arn = aws_alb_target_group.sensu_external.arn
    type             = "forward"
  }
}

# #########################
# # DNS Entry
module "public_dns_record" {
  source = "../../submodules/dns/public_ALIAS_record"

  name = var.instance_name
  target_dns_name = aws_alb.sensu_external.dns_name
  target_zone_id  = aws_alb.sensu_external.zone_id
  dns_info = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------

resource "aws_security_group" "sensu_alb_server_external" {
  vpc_id      = var.vpc_id
  name        = "sensu-alb-sg-external"
  description = "Sensu LB SG"
  tags = merge(var.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------

resource "aws_security_group_rule" "sensu-external-ips" {

  # This deserves some explanation.  Terraform "for_each" expects to be
  # getting as input a map of values to iterate over as part of the foreach.
  # The keys of the map are used to name each of these objects created.  Looking
  # in the terraform plan output of a for_each you'll see things like:
  #
  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
  #
  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
  # makes a new thing that is a map of maps, where the key value is the description with
  # blanks removed.
  #
  # We could have made the variable more natively-friendly to for_each but this seemed
  # like a better solution for what we were trying to accomplish.
  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }

  description = "Sensu - ${each.value.description}"
  type = "ingress"
  from_port = "443"
  to_port = "443"
  protocol = "tcp"
  cidr_blocks = each.value.cidr_blocks
  security_group_id = aws_security_group.sensu_alb_server_external.id
}


#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------

resource "aws_security_group_rule" "alb_to_sensu_server" {
  type              = "egress"
  from_port         = 8081
  to_port           = 8081
  protocol          = "tcp"
  source_security_group_id = aws_security_group.instance_security_group.id
  description       = "Allows the ALB to talk to the Sensu servers"
  security_group_id = aws_security_group.sensu_alb_server_external.id
}

resource "aws_security_group_rule" "alb_to_sensu_health" {
  type              = "egress"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  source_security_group_id = aws_security_group.instance_security_group.id
  description       = "Allows the ALB to talk to the Sensu Health check"
  security_group_id = aws_security_group.sensu_alb_server_external.id
}