AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384
							#----------------------------------------------------------------------------
# EXTERNAL LB
#----------------------------------------------------------------------------
resource "aws_lb" "external" {
  name_prefix                = substr("${var.name}-ext-lb", 0, 6)
  security_groups            = concat([aws_security_group.lb_server_external.id], aws_security_group.extra_security_groups[*].id)
  internal                   = false # tfsec:ignore:aws-elb-alb-not-public
  subnets                    = var.public_subnets
  load_balancer_type         = "application"
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(var.tags, { Name = "${var.name}-lb-external-${var.environment}" })
}

# Create a new target group
resource "aws_lb_target_group" "external" {
  name_prefix = substr("${var.name}-ext-lb", 0, 6)
  port        = var.target_port
  protocol    = var.target_protocol
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id = var.vpc_id

  health_check {
    protocol = local.healthcheck_protocol
    port     = local.healthcheck_port
    path     = var.healthcheck_path
    matcher  = var.healthcheck_matcher
    timeout  = "4"
    interval = "5"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = var.stickiness
  }

  tags = merge(var.tags, { Name = "${var.name}-lb-external-${var.environment}" })
}

resource "aws_lb_target_group_attachment" "external" {
  for_each = var.target_ids

  target_group_arn = aws_lb_target_group.external.arn
  target_id        = each.value
  port             = var.target_port
}

# Create a new alb listener
resource "aws_lb_listener" "https_external" {
  load_balancer_arn = aws_lb.external.arn
  port              = var.listener_port
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert_public.arn

  default_action {
    target_group_arn = aws_lb_target_group.external.arn
    type             = "forward"
  }
}

# If primary port is 443, redirect 80 to 443
resource "aws_lb_listener" "portal_https_redirect" {
  count = var.redirect_80 ? 1 : 0

  load_balancer_arn = aws_lb.external.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = var.listener_port
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}