| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 |
- # lb ports
- locals {
- alb_listener_ports = {
- ui = "8000"
- api = "8080"
- agent = "8081"
- }
- }
- #----------------------------------------------------------------------------
- # INTERNAL LB
- #----------------------------------------------------------------------------
- resource "aws_alb" "sensu_internal" {
- name = "sensu-alb-internal-${var.environment}"
- security_groups = [aws_security_group.sensu_alb_server_internal.id]
- internal = true
- subnets = var.private_subnets
- load_balancer_type = "application"
- access_logs {
- bucket = "xdr-elb-${var.environment}"
- enabled = true
- }
- tags = merge(var.standard_tags, var.tags, { Name = "sensu-alb-internal-${var.environment}" })
- }
- resource "aws_alb_target_group" "sensu_internal" {
- for_each = local.alb_listener_ports
- name = "sensu-alb-targets-${each.key}"
- port = each.value
- protocol = "HTTPS"
- #deregistration_delay = "${local.lb_deregistration_delay}"
- vpc_id = var.vpc_id
- health_check {
- protocol = "HTTPS"
- port = "8080"
- path = "/health"
- matcher = "200"
- timeout = "4"
- interval = "5"
- }
- stickiness {
- type = "lb_cookie"
- enabled = false
- }
- tags = merge(var.standard_tags, var.tags)
- }
- resource "aws_lb_target_group_attachment" "sensu_internal" {
- for_each = local.alb_listener_ports
- target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
- target_id = aws_instance.instance.id
- port = each.value
- }
- # Create a new alb listener
- resource "aws_alb_listener" "sensu_internal" {
- for_each = local.alb_listener_ports
- load_balancer_arn = aws_alb.sensu_internal.arn
- port = each.value
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
- certificate_arn = aws_acm_certificate.cert.arn
- default_action {
- target_group_arn = aws_alb_target_group.sensu_internal[each.key].arn
- type = "forward"
- }
- }
- #DNS Alias for the LB ( the CNAME was required. an Alias did NOT work due to aws/bug. )
- resource "aws_route53_record" "sensu_internal" {
- zone_id = var.dns_info["private"]["zone_id"]
- name = var.instance_name
- type = "CNAME"
- records = [aws_alb.sensu_internal.dns_name]
- ttl = "60"
- provider = aws.c2
- }
- #----------------------------------------------------------------------------
- # ALB Security Group
- #----------------------------------------------------------------------------
- resource "aws_security_group" "sensu_alb_server_internal" {
- vpc_id = var.vpc_id
- name = "sensu-alb-sg-internal"
- description = "Sensu Internal LB SG"
- tags = merge(var.standard_tags, var.tags)
- }
- #----------------------------------------------------------------------------
- # INGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "sensu_from_vpc" {
- for_each = local.alb_listener_ports
- type = "ingress"
- from_port = each.value
- to_port = each.value
- protocol = "tcp"
- cidr_blocks = ["10.0.0.0/8"]
- description = "Sensu ${each.key}"
- security_group_id = aws_security_group.sensu_alb_server_internal.id
- }
- #----------------------------------------------------------------------------
- # EGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "sensu_from_alb" {
- for_each = local.alb_listener_ports
- type = "egress"
- from_port = each.value
- to_port = each.value
- protocol = "tcp"
- source_security_group_id = aws_security_group.instance_security_group.id
- description = "Sensu ${each.key}"
- security_group_id = aws_security_group.sensu_alb_server_internal.id
- }
|
