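# ---------------------------------------------------------------------------------------------------------------------
# LOAD BALANCER FOR PORTAL
# ---------------------------------------------------------------------------------------------------------------------
# Internet-facing ALB for the customer portal. Note that internal = false and the public
# subnets are used in EVERY environment, including "test": the only thing keeping the test
# portal off the public internet is the 10.0.0.0/8 restriction in the security group rules
# further down, not the placement of the load balancer itself.
resource "aws_alb" "portal" {
  name            = "portal-alb-${var.environment}"
  security_groups = [aws_security_group.customer_portal_alb.id]
  internal        = false
  subnets         = var.public_subnets

  # Drop requests that carry malformed HTTP header fields instead of forwarding them to
  # the targets (closes the usual header-smuggling / request-desync path through an ALB).
  # Requires an AWS provider release that knows this argument (added in the 2.5x series).
  drop_invalid_header_fields = true

  tags = merge(var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })

  # Access logs go to a per-environment bucket with no key prefix.
  # NOTE(review): the bucket needs a bucket policy allowing the regional ELB log-delivery
  # principal to PutObject, otherwise creating/updating the ALB fails - confirm it has one.
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    prefix  = ""
    enabled = true
  }
}

# Target group the ASG instances register into. The ALB re-encrypts to the instances
# on 443, so traffic is TLS end to end.
resource "aws_alb_target_group" "portal" {
  name     = "portal-alb-targets-${var.environment}"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/api/health/"
    # NOTE(review): "200-400" counts every 3xx and a 400 as healthy, so a target that
    # redirects or rejects the probe stays in rotation. If /api/health/ returns 2xx on
    # success, tighten this to "200" (or "200-299").
    matcher = "200-400"
  }

  stickiness {
    type    = "lb_cookie"
    enabled = false
  }

  tags = merge(var.standard_tags, var.tags)
}

# HTTPS listener ( certificate_arn wait for DNS cut over )
resource "aws_alb_listener" "portal_https" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "443"
  protocol          = "HTTPS"
  # TLS 1.2 and TLS 1.3 with forward-secret (ECDHE) suites only. The previous policy,
  # ELBSecurityPolicy-TLS-1-2-2017-01, also offered static-RSA key-exchange suites and no
  # TLS 1.3; any client able to negotiate TLS 1.2 with ECDHE is unaffected by this change.
  ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn = aws_acm_certificate.cert.arn

  default_action {
    target_group_arn = aws_alb_target_group.portal.arn
    type             = "forward"
  }
}

# HTTP -> HTTPS redirect. Port 80 only ever answers with a 301 to the same host on 443;
# nothing is forwarded to the targets in the clear.
# (aws_lb_listener and aws_alb_listener are the same resource type; this one is left under
# its current name because renaming it would change the state address.)
resource "aws_lb_listener" "portal_https_redirect" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Register the customer portal ASG's instances with the target group.
# NOTE(review): alb_target_group_arn is deprecated in favour of lb_target_group_arn in
# newer AWS provider releases; switch when the provider is upgraded.
resource "aws_autoscaling_attachment" "customer_portal_asg_attachment" {
  alb_target_group_arn   = aws_alb_target_group.portal.arn
  autoscaling_group_name = aws_autoscaling_group.customer_portal.name
}

#----------
# DNS Entry
#----------
# Public ALIAS record "portal" pointing at the ALB, created in the common-services account
# via the aliased provider.
module "public_dns_record" {
  source = "../../submodules/dns/public_ALIAS_record"

  name            = "portal"
  target_dns_name = aws_alb.portal.dns_name
  target_zone_id  = aws_alb.portal.zone_id
  dns_info        = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#------------------------------------
# Security Group
#------------------------------------
# Inbound rules are defined as separate aws_security_group_rule resources below; the only
# egress is to the portal instances' security group.
resource "aws_security_group" "customer_portal_alb" {
  name        = "customer_portal_alb_inbound_sg"
  description = "Allow Customer Portal ALB HTTP Traffic Inbound"
  vpc_id      = var.vpc_id
}

# 443 from anywhere in every environment except "test", where only 10.0.0.0/8 is admitted.
# This rule is the sole control keeping the test portal private (see the ALB above).
resource "aws_security_group_rule" "customer_portal_alb_https" {
  protocol          = "tcp"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = [var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0"]
}

# Allow viewing of test portal from home. We don't want world to view test portal.
# NOTE(review): unlike the Sensu rule below, this one is not gated on var.environment, so
# the whitelist CIDRs are also added in non-test environments (redundant there, since
# 0.0.0.0/0 is already open) and the rule fails at apply time if the flattened list is
# empty. Consider
#   count = var.environment == "test" && length(flatten(var.portal_test_whitelist)) > 0 ? 1 : 0
# (this changes the resource address to [0], so plan for a state move).
resource "aws_security_group_rule" "customer_portal_alb_https_test" {
  protocol          = "tcp"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = flatten(var.portal_test_whitelist)
}

## Needed for HTTPs redirect - same source restriction as the 443 rule.
resource "aws_security_group_rule" "customer_portal_alb_http" {
  protocol          = "tcp"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = [var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0"]
}

# Needed for Sensu Check from the proxy in test. Only created when environment == "test",
# and only for the proxy's single public IP (/32).
resource "aws_security_group_rule" "customer_portal_sensu_check" {
  count = var.environment == "test" ? 1 : 0

  protocol          = "tcp"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = ["${var.proxy_public_ip}/32"]
}

# The ALB's only egress: 443 to the portal instances' security group, so a compromised or
# misconfigured ALB cannot reach anything else in the VPC.
# (aws_security_group.customer_portal is referenced here but not defined in this section.)
resource "aws_security_group_rule" "customer_portal_alb" {
  protocol                 = "tcp"
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  security_group_id        = aws_security_group.customer_portal_alb.id
  source_security_group_id = aws_security_group.customer_portal.id
}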