xdr-terraform-modules/base/github/elb.tf

# Architecture:
# 1. DNS points to an NLB
# 2. NLB:22 forwards to instance:22
# 3. NLB:443 forward to an ALB, which forwards to the instance
# 4. NLB:80 forwards to the same ALB, which forwards to the instance.
#
# The module "static_nlb_to_alb" takes care of #3, but the rest
# we have to handle here.
#
# tfsec:ignore:aws-elb-alb-not-public Purposefully public
module "elb" {
  source = "../../submodules/load_balancer/static_nlb_to_alb"

  name                      = "github"
  subject_alternative_names = ["*.github.${var.dns_info["public"]["zone"]}"]
  target_ids                = aws_instance.ghe[*].id
  listener_port             = 443
  target_port               = 443
  target_protocol           = "HTTPS"
  target_security_group     = aws_security_group.ghe_server.id
  allow_from_any            = true
  redirect_80               = false # GitHub handles port 80, and needs it for LetsEncrypt

  # WAF variables
  waf_enabled = true # TODO: Turn this on
  fqdns       = local.hostnames
  # Set WAF to 'count' for now
  block_settings = {
    "default"                               = true # Default action. False = count
    "custom"                                = true # XDR Custom Rules. False = count
    "admin"                                 = true # Block admin pages.
    "AWSManagedRulesCommonRuleSet"          = true
    "AWSManagedRulesAmazonIpReputationList" = true
    "AWSManagedRulesKnownBadInputsRuleSet"  = true
    "AWSManagedRulesSQLiRuleSet"            = false # Irrelevant, module is disabled
    "AWSManagedRulesLinuxRuleSet"           = false # Irrelevant, module is disabled
    "AWSManagedRulesUnixRuleSet"            = false # Irrelevant, module is disabled
  }

  excluded_rules_AWSManagedRulesCommonRuleSet = [
    "SizeRestrictions_BODY",               # SAML auth
    "RestrictedExtensions_URIPATH",        # Lots of prohibited extensions, e.g. props.conf
    "RestrictedExtensions_QUERYARGUMENTS", # Again, prohibited extensions don't work here
    "CrossSiteScripting_BODY",             # 2022-05-23 George Starcher's legit updates being blocked
    "EC2MetaDataSSRF_BODY",                # 2022-05-23 George Starcher's legit updates being blocked
    "GenericLFI_BODY",                     # 2022-08-01 George Starcher's legit updates being blocked
  ]
  #excluded_rules_AWSManagedRulesAmazonIpReputationList = []
  #excluded_rules_AWSManagedRulesKnownBadInputsRuleSet = []
  #excluded_rules_AWSManagedRulesSQLiRuleSet = [] # Module disabled
  #excluded_rules_AWSManagedRulesLinuxRuleSet = [] # Module disabled
  #excluded_rules_AWSManagedRulesUnixRuleSet = [] # Module disabled

  # Excluded Rulesets
  # There are too many hostnames, so we have to disable some
  excluded_set_AWSManagedRulesCommonRuleSet          = false
  excluded_set_AWSManagedRulesAmazonIpReputationList = false
  excluded_set_AWSManagedRulesKnownBadInputsRuleSet  = false
  excluded_set_AWSManagedRulesSQLiRuleSet            = true
  excluded_set_AWSManagedRulesLinuxRuleSet           = true
  excluded_set_AWSManagedRulesUnixRuleSet            = true
  #additional_blocked_ips = []
  #allowed_ips = []
  admin_ips = local.trusted_ips

  # Optional Variables
  healthcheck_port     = 443
  healthcheck_protocol = "HTTPS"
  healthcheck_path     = "/status"
  healthcheck_matcher  = "200"
  stickiness           = false

  # Inherited Variables 
  tags           = merge(local.standard_tags, var.tags)
  dns_info       = var.dns_info
  public_subnets = var.public_subnets
  environment    = var.environment
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  aws_account_id = var.aws_account_id
  vpc_id         = var.vpc_id

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
    aws.c2                             = aws.c2
  }
}

# Github Needs a Wildcard Record
module "public_dns_record_wildcard" {
  source = "../../submodules/dns/public_ALIAS_record"

  name            = "*.github.${var.dns_info["public"]["zone"]}"
  target_dns_name = module.elb.nlb.dns_name
  target_zone_id  = module.elb.nlb.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#################################
# Add port 80 to the ALB and NLB
#
# GHE uses LetsEncrypt, which needs access on port 80.

# ALB side
resource "aws_lb_target_group" "github_alb_80" {
  name_prefix = "gita80"
  port        = 80
  protocol    = "HTTP"
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = 443
    path     = "/status"
    matcher  = "200"
    timeout  = "4"
    interval = "5"
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "github_alb_80" {
  for_each = toset(aws_instance.ghe[*].id)

  target_group_arn = aws_lb_target_group.github_alb_80.arn
  target_id        = each.value
  port             = 80
}

resource "aws_lb_listener" "github_alb_80" {
  load_balancer_arn = module.elb.alb_id
  port              = "80" # tfsec:ignore:aws-elb-http-not-used HTTP only used for letsencrypt and redirect
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.github_alb_80.arn
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_security_group_rule" "github_alb_80" {
  description       = "Github - Allow 80 from any"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
  security_group_id = module.elb.security_group_id
}

resource "aws_security_group_rule" "github_alb_80_out" {
  description              = "Github - Allow 80 to the instances"
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ghe_server.id
  security_group_id        = module.elb.security_group_id
}

# NLB Side
resource "aws_lb_target_group" "github_nlb_80" {
  name_prefix = "gitn80"
  target_type = "alb"
  port        = 80
  protocol    = "TCP"
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "github_nlb_80" {
  target_group_arn = aws_lb_target_group.github_nlb_80.arn
  target_id        = module.elb.alb_id
  port             = 80
}

resource "aws_lb_listener" "github_nlb_80" {
  load_balancer_arn = module.elb.nlb_id
  port              = "80"
  protocol          = "TCP" # tfsec:ignore:aws-elb-http-not-used HTTP only for letsencrypt and redirects

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.github_nlb_80.arn
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

##########################
# Add port 22 to the NLB
resource "aws_lb_target_group" "github_ssh" {
  name_prefix = "gitssh"
  port        = 22
  protocol    = "TCP"
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "github_ssh" {
  for_each = toset(aws_instance.ghe[*].id)

  target_group_arn = aws_lb_target_group.github_ssh.arn
  target_id        = each.value
  port             = 22
}

resource "aws_lb_listener" "github_ssh" {
  load_balancer_arn = module.elb.nlb_id
  port              = "22"
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.github_ssh.arn
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}