AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
							#----------------------------------------------------------------------------
# INTERNAL LB
#----------------------------------------------------------------------------
resource "aws_alb" "vmray_internal" {
  name                       = "vmray-alb-internal-${var.environment}"
  security_groups            = [aws_security_group.vmray_alb_internal.id]
  internal                   = true
  subnets                    = var.public_subnets
  load_balancer_type         = "application"
  drop_invalid_header_fields = true

  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  idle_timeout = 1200

  tags = merge(local.standard_tags, var.tags, { Name = "vmray-alb-internal-${var.environment}" })
}

# Create a new target group
resource "aws_alb_target_group" "vmray_internal" {
  name     = "vmray-alb-targets"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol            = "HTTPS"
    port                = "443"
    path                = "/"
    matcher             = "200,302"
    timeout             = "4"
    interval            = "5"
    unhealthy_threshold = 2
    healthy_threshold   = 2
  }

  #stickiness {
  #  type    = "lb_cookie"
  #  enabled = false 
  #}

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "vmray_internal" {
  target_group_arn = aws_alb_target_group.vmray_internal.arn
  target_id        = aws_instance.vmray-server-instance.id
  port             = 443
}

# Create a new alb listener
resource "aws_alb_listener" "vmray_https_internal" {
  load_balancer_arn = aws_alb.vmray_internal.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert_private.arn

  default_action {
    target_group_arn = aws_alb_target_group.vmray_internal.arn
    type             = "forward"
  }
}

resource "aws_lb_listener" "vmray_listener_http" {
  load_balancer_arn = aws_alb.vmray_internal.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# #########################
# # DNS Entry
module "private_dns_record" {
  source = "../../submodules/dns/private_CNAME_record"

  name             = "vmray"
  target_dns_names = [aws_alb.vmray_internal.dns_name]
  dns_info         = var.dns_info

  providers = {
    aws.c2 = aws.c2
  }
}

#----------------------------------------------------------------------------
# VMRAY ALB Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "vmray_alb_internal" {
  vpc_id      = var.vpc_id
  name        = "vmray-alb-sg-internal"
  description = "ALB for Phantom"
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "http_from_local" {
  type              = "ingress"
  description       = "HTTP - Inbound from Internet"
  from_port         = "80"
  to_port           = "80"
  protocol          = "tcp"
  cidr_blocks       = concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"])
  security_group_id = aws_security_group.vmray_alb_internal.id
}

resource "aws_security_group_rule" "https_from_local" {
  type              = "ingress"
  description       = "HTTPS - Inbound from Internet"
  from_port         = "443"
  to_port           = "443"
  protocol          = "tcp"
  cidr_blocks       = concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"])
  security_group_id = aws_security_group.vmray_alb_internal.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "vmray_alb_to_server" {
  type                     = "egress"
  description              = "HTTPS to the Server"
  from_port                = "443"
  to_port                  = "443"
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_alb_internal.id
}