Inicio Explorar Ayuda
Registro Iniciar sesión
AFS
/
xdr-terraform-modules
2
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: 842895b4b6
Ramas Etiquetas
xdr-terraform-m...
/
base
/
splunk_servers
/
customer_searchhead
/
elb.tf

elb.tf 4.0 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 
  1. locals {
    2. 

  2.   # alb_clients access the SH
    3. 

  3.   alb_clients = ( 
    4. 

  4.     var.environment == "test" ? 
    5. 

  5.       toset(concat(
    6. 

  6.         [ "10.0.0.0/8" ],
    7. 

  7.         var.portal_test_whitelist,
    8. 

  8.         [ "0.0.0.0/0" ] # 2021-09-16 temporary until zscalar is fixed
    9. 

  9.       ))
    10. 

  10.     :
    11. 

  11.       [ "0.0.0.0/0" ] 
    12. 

  12.   )
    13. 

  13. }
    14. 

  14. 

  15. resource "aws_lb" "searchhead-alb" {
    16. 

  16.   name               = local.alb_name
    17. 

  17.   internal           = false
    18. 

  18.   load_balancer_type = "application"
    19. 

  19.   # Not supported for NLB
    20. 

  20.   security_groups    = [aws_security_group.searchhead-alb-sg.id]
    21. 

  21.   # Note, changing subnets results in recreation of the resource
    22. 

  22.   subnets            = var.public_subnets
    23. 

  23.   enable_cross_zone_load_balancing = true
    24. 

  24. 

  25.   access_logs {
    26. 

  26.     bucket  = "xdr-elb-${ var.environment }"
    27. 

  27.     enabled = true
    28. 

  28.   }
    29. 

  29. 

  30.   tags = merge(var.standard_tags, var.tags)
    31. 

  31. }
    32. 

  32. 

  33. #########################
    34. 

  34. # Listeners
    35. 

  35. resource "aws_lb_listener" "searchhead-alb-listener-https" {
    36. 

  36.   load_balancer_arn = aws_lb.searchhead-alb.arn
    37. 

  37.   port              = "443"
    38. 

  38.   protocol          = "HTTPS"
    39. 

  39.   ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
    40. 

  40.   certificate_arn   = aws_acm_certificate.cert.arn
    41. 

  41. 

  42.   default_action {
    43. 

  43.     type             = "forward"
    44. 

  44.     target_group_arn = aws_lb_target_group.searchhead-alb-target-8000.arn
    45. 

  45.   }
    46. 

  46. }
    47. 

  47. 

  48. # Redirect HTTP to HTTPS
    49. 

  49. resource "aws_lb_listener" "searchhead-alb-listener-http" {
    50. 

  50.   load_balancer_arn = aws_lb.searchhead-alb.arn
    51. 

  51.   port              = "80"
    52. 

  52.   protocol          = "HTTP"
    53. 

  53. 

  54.   default_action {
    55. 

  55.     type             = "redirect"
    56. 

  56. 

  57.     redirect {
    58. 

  58.       port        = "443"
    59. 

  59.       protocol    = "HTTPS"
    60. 

  60.       status_code = "HTTP_301"
    61. 

  61.     }
    62. 

  62.   }
    63. 

  63. }
    64. 

  64. 

  65. #########################
    66. 

  66. # Targets
    67. 

  67. resource "aws_lb_target_group" "searchhead-alb-target-8000" {
    68. 

  68.   name     = "${local.alb_name}-8000"
    69. 

  69.   port     = 8000
    70. 

  70.   protocol = "HTTPS"
    71. 

  71.   target_type = "instance"
    72. 

  72.   vpc_id   = var.vpc_id
    73. 

  73.   tags = merge(var.standard_tags, var.tags)
    74. 

  74. 

  75.   health_check {
    76. 

  76.     enabled = true
    77. 

  77.     path = "/en-US/account/login?return_to=%2Fen-US%2F"
    78. 

  78.     port = 8000
    79. 

  79.     protocol = "HTTPS"
    80. 

  80.   }
    81. 

  81. 

  82.   # Stickiness is not needed here, but we'll need it if we add SHs
    83. 

  83.   stickiness {
    84. 

  84.     type = "lb_cookie"
    85. 

  85.     cookie_duration = 86400 # 1 day
    86. 

  86.     enabled = true
    87. 

  87.   }
    88. 

  88. }
    89. 

  89. 

  90. resource "aws_lb_target_group_attachment" "searchhead-alb-target-8000-instance" {
    91. 

  91.   target_group_arn = aws_lb_target_group.searchhead-alb-target-8000.arn
    92. 

  92.   target_id        = aws_instance.instance.id
    93. 

  93.   port             = 8000
    94. 

  94. }
    95. 

  95. 

  96. #########################
    97. 

  97. # Security Group for ALB
    98. 

  98. resource "aws_security_group" "searchhead-alb-sg" {
    99. 

  99.   name = "${local.alb_name}-customer-alb-sh"
    100. 

  100.   description = "Security Group for the Customer Searchhead ALB"
    101. 

  101.   vpc_id = var.vpc_id
    102. 

  102.   tags = merge(var.standard_tags, var.tags)
    103. 

  103. }
    104. 

  104. 

  105. resource "aws_security_group_rule" "searchhead-alb-https-in" {
    106. 

  106.   type              = "ingress"
    107. 

  107.   from_port         = 443
    108. 

  108.   to_port           = 443
    109. 

  109.   protocol          = "tcp"
    110. 

  110.   cidr_blocks       = local.alb_clients
    111. 

  111.   security_group_id = aws_security_group.searchhead-alb-sg.id
    112. 

  112. }
    113. 

  113. 

  114. resource "aws_security_group_rule" "searchhead-http-in" {
    115. 

  115.   # Port 80 is open as a redirect to 443
    116. 

  116.   type              = "ingress"
    117. 

  117.   from_port         = 80
    118. 

  118.   to_port           = 80
    119. 

  119.   protocol          = "tcp"
    120. 

  120.   cidr_blocks       = local.alb_clients
    121. 

  121.   security_group_id = aws_security_group.searchhead-alb-sg.id
    122. 

  122. }
    123. 

  123. 

  124. resource "aws_security_group_rule" "searchhead-alb-8000-out" {
    125. 

  125.   type              = "egress"
    126. 

  126.   from_port         = 8000
    127. 

  127.   to_port           = 8000
    128. 

  128.   protocol          = "tcp"
    129. 

  129.   # Maybe should limit to the local vpc, but I don't readily have that cidr available
    130. 

  130.   cidr_blocks       = [ var.vpc_cidr ]
    131. 

  131.   security_group_id = aws_security_group.searchhead-alb-sg.id
    132. 

  132. }
    133. 

  133. 

  134. #########################
    135. 

  135. # DNS Entry
    136. 

  136. module "public_dns_record_cust-elb" {
    137. 

  137.   source = "../../../submodules/dns/public_ALIAS_record"
    138. 

  138. 

  139.   name = local.dns_short_name
    140. 

  140. 

  141.   target_dns_name = aws_lb.searchhead-alb.dns_name
    142. 

  142.   target_zone_id  = aws_lb.searchhead-alb.zone_id
    143. 

  143.   dns_info = var.dns_info
    144. 

  144. 

  145.   providers = {
    146. 

  146.     aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
    147. 

  147.   }
    148. 

  148. }
    149.