AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186
							#------------------------------------------------------------------------------
# An external ELB for the indexers for HEC, because acknowledgements
#------------------------------------------------------------------------------

#### NOTE:
####  Firehose/Kinesis requires a Classic ELB. An ALB is not supported.
####  See "Data Not Delivered to Splunk" at https://docs.aws.amazon.com/firehose/latest/dev/troubleshooting.html
####
####  "If you use an AWS load balancer, make sure that it is a Classic Load Balancer. Kinesis Data Firehose does
####   not support Application Load Balancers or Network Load Balancers."


#########################
# DNS Entry
module "public_dns_record_hec_ack" {
  source = "../../../submodules/dns/public_ALIAS_record"

  name            = "${var.prefix}-hec-ack"
  target_dns_name = aws_elb.hec_classiclb.dns_name
  target_zone_id  = aws_elb.hec_classiclb.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#########################
# Certificate
resource "aws_acm_certificate" "hec_classiclb_cert" {
  domain_name       = "${var.prefix}-hec-ack.${var.dns_info["public"]["zone"]}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_acm_certificate_validation" "hec_classiclb_cert_validation" {
  certificate_arn         = aws_acm_certificate.hec_classiclb_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.hec_classiclb_cert_validation : record.fqdn]
}

resource "aws_route53_record" "hec_classiclb_cert_validation" {
  provider = aws.mdr-common-services-commercial

  for_each = {
    for dvo in aws_acm_certificate.hec_classiclb_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.dns_info["public"]["zone_id"]
}


#########################
# ELB
resource "aws_elb" "hec_classiclb" {
  tags            = merge(local.standard_tags, var.tags)
  name            = "${var.prefix}-hec-classic"
  security_groups = [aws_security_group.hec_elb_security_group.id]
  # tflint-ignore: aws_elb_invalid_subnet - Incorrectly errors out that these are invalid
  subnets  = var.public_subnets
  internal = false # tfsec:ignore:aws-elb-alb-not-public This is intentionally public

  listener {
    instance_port      = 8088
    instance_protocol  = "https"
    lb_port            = 8088
    lb_protocol        = "https"
    ssl_certificate_id = aws_acm_certificate.hec_classiclb_cert.arn
  }

  listener {
    instance_port      = 8088
    instance_protocol  = "https"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = aws_acm_certificate.hec_classiclb_cert.arn
  }

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTPS:8088/services/collector/health/1.0"
    interval            = 30
  }

  # Access logs are a feedback loop. They create logs that are then sent back through the HEC.
  # They should remain disabled.
  #access_logs {
  #  bucket  = "xdr-elb-${ var.environment }"
  #  enabled = true
  #}
}

# AWS Firehose / Splunk requirement for ELB cookies to have
# cookie_expiration_period=0.  Terraform does not support that directly
# and expects >=1.  Not specifying an expiration period causes a period
# of 0.  See https://github.com/terraform-providers/terraform-provider-aws/issues/12678
resource "aws_lb_cookie_stickiness_policy" "hec_classiclb_sticky_443" {
  name          = "sticky443-2"
  load_balancer = aws_elb.hec_classiclb.id
  lb_port       = 443
}

# AWS Firehose / Splunk requirement for ELB cookies to have
# cookie_expiration_period=0.  Terraform does not support that directly
# and expects >=1.  Not specifying an expiration period causes a period
# of 0.  See https://github.com/terraform-providers/terraform-provider-aws/issues/12678
resource "aws_lb_cookie_stickiness_policy" "hec_classiclb_sticky_8088" {
  name          = "sticky8088"
  load_balancer = aws_elb.hec_classiclb.id
  lb_port       = 8088
}

# Attach the instnaces to the ELB
resource "aws_autoscaling_attachment" "hec_classic_asg_attachments" {
  for_each               = toset([module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0]])
  elb                    = aws_elb.hec_classiclb.id
  autoscaling_group_name = each.key
}

# See https://github.com/terraform-providers/terraform-provider-aws/issues/995
resource "aws_load_balancer_policy" "listener_policy-tls-1-2" {
  load_balancer_name = aws_elb.hec_classiclb.name
  policy_name        = "elb-tls-1-2"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01" # PFS, TLS1.2, and GCM; most "restrictive" policy
  }

  # Workaround for bug above.  If changing TLS policy then be
  # prepared to taint the resource.  Tested/working taint commands
  # (as of 2020-06-25) are:
  # terraform taint --module customer.indexer_cluster aws_load_balancer_policy.listener_policy-tls-1-2
  # terraform taint --module customer.indexer_cluster aws_load_balancer_listener_policy.hec_classiclb_listener_443
  # terraform taint --module customer.indexer_cluster aws_load_balancer_listener_policy.hec_classiclb_listener_8088
  #
  # As of this time, w/ terraform 0.11.14, you have to taint all three
  # to effect a change here.
  #
  # 2020-11-04 - Confirmed this is still a bug in 0.13
  lifecycle {
    ignore_changes = [policy_attribute]
  }
}

# Have to make sure to add the sticky policy here too or it causes
# the listener to lose the sticky policy set above and terraform
# attempts to re-add it on each apply run
resource "aws_load_balancer_listener_policy" "hec_classiclb_listener_443" {
  load_balancer_name = aws_elb.hec_classiclb.name
  load_balancer_port = 443

  policy_names = [
    aws_load_balancer_policy.listener_policy-tls-1-2.policy_name,
    aws_lb_cookie_stickiness_policy.hec_classiclb_sticky_443.name,
  ]
}

# Have to make sure to add the sticky policy here too or it causes
# the listener to lose the sticky policy set above and terraform
# attempts to re-add it on each apply run
resource "aws_load_balancer_listener_policy" "hec_classiclb_listener_8088" {
  load_balancer_name = aws_elb.hec_classiclb.name
  load_balancer_port = 8088

  policy_names = [
    aws_load_balancer_policy.listener_policy-tls-1-2.policy_name,
    aws_lb_cookie_stickiness_policy.hec_classiclb_sticky_8088.name,
  ]
}