| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 |
- #------------------------------------------------------------------------------
- # An external ALB for the indexers for HEC
- #------------------------------------------------------------------------------
- #########################
- # DNS Entry
- module "private_dns_record_hec_pvt" {
- source = "../../../submodules/dns/private_CNAME_record"
- enabled = local.splunk_private_hec ? true : false
- name = "${var.prefix}-hec"
- target_dns_names = local.splunk_private_hec ? [aws_lb.hec_pvt[0].dns_name] : ["na"]
- dns_info = var.dns_info
- providers = {
- aws.c2 = aws.c2
- }
- }
- #########################
- # Certificate - NOTE: Public certificate for a private HEC
- resource "aws_acm_certificate" "hec_pvt_cert" {
- count = local.splunk_private_hec ? 1 : 0
- domain_name = "${var.prefix}-hec.${var.dns_info["private"]["zone"]}"
- validation_method = "DNS"
- lifecycle {
- create_before_destroy = true
- }
- tags = merge(local.standard_tags, var.tags)
- }
- resource "aws_acm_certificate_validation" "hec_pvt_cert_validation" {
- count = local.splunk_private_hec ? 1 : 0
- certificate_arn = aws_acm_certificate.hec_pvt_cert[count.index].arn
- validation_record_fqdns = [for record in aws_route53_record.hec_pvt_cert_validation : record.fqdn] # will be empty if not moose
- }
- resource "aws_route53_record" "hec_pvt_cert_validation" {
- provider = aws.mdr-common-services-commercial
- for_each = (local.splunk_private_hec ? {
- for dvo in aws_acm_certificate.hec_pvt_cert[0].domain_validation_options : dvo.domain_name => {
- name = dvo.resource_record_name
- record = dvo.resource_record_value
- type = dvo.resource_record_type
- }
- } : {}
- ) # Empty map if not moose
- allow_overwrite = true
- name = each.value.name
- records = [each.value.record]
- ttl = 60
- type = each.value.type
- zone_id = var.dns_info["public"]["zone_id"]
- }
- #########################
- # ELB
- resource "aws_lb" "hec_pvt" {
- count = local.splunk_private_hec ? 1 : 0
- tags = merge(local.standard_tags, var.tags)
- name = "${var.prefix}-hec-private"
- load_balancer_type = "application"
- security_groups = [aws_security_group.hec_pvt_elb_security_group[0].id]
- subnets = var.private_subnets
- internal = true
- drop_invalid_header_fields = true
- }
- resource "aws_lb_listener" "hec_pvt_443" {
- count = local.splunk_private_hec ? 1 : 0
- load_balancer_arn = aws_lb.hec_pvt[0].arn
- port = 443
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
- certificate_arn = aws_acm_certificate.hec_pvt_cert[0].arn
- default_action {
- type = "forward"
- target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
- }
- }
- resource "aws_lb_listener" "hec_pvt_8088" {
- count = local.splunk_private_hec ? 1 : 0
- load_balancer_arn = aws_lb.hec_pvt[0].arn
- port = 8088
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
- certificate_arn = aws_acm_certificate.hec_pvt_cert[0].arn
- default_action {
- type = "forward"
- target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
- }
- }
- resource "aws_lb_target_group" "hec_pvt_8088" {
- count = local.splunk_private_hec ? 1 : 0
- name = "${var.prefix}-hec-pvt-targets"
- port = 8088
- protocol = "HTTPS"
- target_type = "instance"
- vpc_id = var.vpc_id
- health_check {
- path = "/services/collector/health/1.0"
- protocol = "HTTPS"
- }
- }
- # Attach the instances to the ELB
- resource "aws_autoscaling_attachment" "hec_pvt_asg_attachments" {
- for_each = local.splunk_private_hec ? toset([module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0]]) : []
- lb_target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
- autoscaling_group_name = each.key
- }
|
