xdr-terraform-modules/submodules/load_balancer/public_alb/elb.tf

#----------------------------------------------------------------------------
# EXTERNAL LB
#----------------------------------------------------------------------------
resource "aws_lb" "server_external" {
  name_prefix                = local.prefix
  security_groups            = [aws_security_group.alb.id]
  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
  subnets                    = var.subnets
  load_balancer_type         = "application"
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  idle_timeout = 1200

  tags = merge(local.tags, { "Name" : local.name })
}

# Create a new target group
resource "aws_lb_target_group" "server_external" {
  name_prefix = local.prefix
  port        = var.server_port
  protocol    = var.server_protocol
  vpc_id      = var.vpc_id

  health_check {
    protocol            = var.server_protocol
    port                = var.server_port
    path                = var.health_check_path
    matcher             = "200,302"
    timeout             = "4"
    interval            = "5"
    unhealthy_threshold = 2
    healthy_threshold   = 2
  }

  dynamic "stickiness" {
    for_each = var.sticky_sessions == true ? toset([1]) : toset([])

    content {
      type    = "lb_cookie"
      enabled = true
    }
  }

  tags = merge(local.tags, { "Name" : local.name })
}

resource "aws_lb_target_group_attachment" "server_external" {
  # This needs explanation.
  # If I were to for_each over var.target_servers, then we get the annoying warning:
  #
  #   │ The "for_each" value depends on resource attributes that cannot be
  #   │ determined until apply, so Terraform cannot predict how many instances will
  #   │ be created. To work around this, use the -target argument to first apply
  #   │ only the resources that the for_each depends on.
  #
  # If instead we pass in a list and a count, we avoid this, and we can do it all in one
  # atomic apply, making us happier engineers.
  count = var.target_count

  target_group_arn = aws_lb_target_group.server_external.arn
  target_id        = var.target_servers[count.index]
  port             = var.server_port
}

# Create a new alb listener
resource "aws_lb_listener" "server_https_external" {
  load_balancer_arn = aws_lb.server_external.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert_public.arn

  default_action {
    target_group_arn = aws_lb_target_group.server_external.arn
    type             = "forward"
  }

  tags = merge(local.tags, { "Name" : local.name })
}

resource "aws_lb_listener" "jira_server_listener_http" {
  load_balancer_arn = aws_lb.server_external.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }

  tags = merge(local.tags, { "Name" : local.name })
}