| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 |
- # ---------------------------------------------------------------------------------------------------------------------
- # LOAD BALANCER FOR PORTAL
- # ---------------------------------------------------------------------------------------------------------------------
- resource "aws_alb" "portal" {
- name = "portal-alb-${var.environment}"
- security_groups = [ aws_security_group.customer_portal_alb.id, ]
- internal = false
- subnets = var.public_subnets
- tags = merge( var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })
- access_logs {
- bucket = "xdr-elb-${ var.environment }"
- prefix = ""
- enabled = true
- }
- }
- # Create a new target group
- resource "aws_alb_target_group" "portal" {
- name = "portal-alb-targets-${var.environment}"
- port = 443
- protocol = "HTTPS"
- vpc_id = var.vpc_id
- health_check {
- protocol = "HTTPS"
- path = "/api/health/"
- matcher = "200-400"
- }
- stickiness {
- type = "lb_cookie"
- enabled = false
- }
- tags = merge( var.standard_tags, var.tags, )
- }
- # Create a new alb listener ( certificate_arn wait for DNS cut over )
- resource "aws_alb_listener" "portal_https" {
- load_balancer_arn = aws_alb.portal.arn
- port = "443"
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
- certificate_arn = aws_acm_certificate.cert.arn
- default_action {
- target_group_arn = aws_alb_target_group.portal.arn
- type = "forward"
- }
- }
- # HTTPs Redirect
- resource "aws_lb_listener" "portal_https_redirect" {
- load_balancer_arn = aws_alb.portal.arn
- port = "80"
- protocol = "HTTP"
- default_action {
- type = "redirect"
- redirect {
- port = "443"
- protocol = "HTTPS"
- status_code = "HTTP_301"
- }
- }
- }
- #----------
- # DNS Entry
- #----------
- module "public_dns_record" {
- source = "../../submodules/dns/public_ALIAS_record"
- name = "portal"
- target_dns_name = aws_alb.portal.dns_name
- target_zone_id = aws_alb.portal.zone_id
- dns_info = var.dns_info
- providers = {
- aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
- }
- }
- #------------------------------------
- # Security Group
- #------------------------------------
- resource "aws_security_group" "customer_portal_alb" {
- name = "customer_portal_alb_inbound_sg"
- description = "Allow Customer Portal ALB HTTP Traffic Inbound"
- vpc_id = var.vpc_id
- }
- resource "aws_security_group_rule" "customer_portal_alb_https" {
- protocol = "tcp"
- type = "ingress"
- from_port = 443
- to_port = 443
- security_group_id = aws_security_group.customer_portal_alb.id
- cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
- }
- #Allow viewing of test portal from home. We don't want world to view test portal.
- resource "aws_security_group_rule" "customer_portal_alb_https_test" {
- protocol = "tcp"
- type = "ingress"
- from_port = 443
- to_port = 443
- security_group_id = aws_security_group.customer_portal_alb.id
- cidr_blocks = flatten(var.portal_test_whitelist)
- }
- ## Needed for HTTPs redirect
- resource "aws_security_group_rule" "customer_portal_alb_http" {
- protocol = "tcp"
- type = "ingress"
- from_port = 80
- to_port = 80
- security_group_id = aws_security_group.customer_portal_alb.id
- cidr_blocks = [ var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
- }
- resource "aws_security_group_rule" "customer_portal_alb" {
- protocol = "tcp"
- type = "egress"
- from_port = 443
- to_port = 443
- security_group_id = aws_security_group.customer_portal_alb.id
- source_security_group_id = aws_security_group.customer_portal.id
- }
|
