AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
							#------------------------------------------------------------------------------
# An external ALB for the indexers for HEC
#------------------------------------------------------------------------------

#########################
# DNS Entry
module "private_dns_record_hec_pvt" {
  source = "../../../submodules/dns/private_CNAME_record"
  enabled = local.is_moose ? true : false

  name = "${var.prefix}-hec"
  target_dns_names = local.is_moose ? [ aws_lb.hec_pvt[0].dns_name ] : [ "na" ]
  dns_info = var.dns_info

  providers = {
    aws.c2 = aws.c2
  }
}

#########################
# Certificate - NOTE: Public certificate for a private HEC
resource "aws_acm_certificate" "hec_pvt_cert" {
  count = local.is_moose ? 1 : 0

  domain_name       = "${var.prefix}-hec.${var.dns_info["private"]["zone"]}"
  validation_method = "DNS"

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_acm_certificate_validation" "hec_pvt_cert_validation" {
  certificate_arn         = local.is_moose ? aws_acm_certificate.hec_pvt_cert[0].arn : ""
  validation_record_fqdns = [for record in aws_route53_record.hec_pvt_cert_validation: record.fqdn] # will be empty if not moose
}

resource "aws_route53_record" "hec_pvt_cert_validation" {
  provider = aws.mdr-common-services-commercial

  for_each = ( local.is_moose ? {
      for dvo in aws_acm_certificate.hec_pvt_cert[0].domain_validation_options: dvo.domain_name => {
        name   = dvo.resource_record_name
        record = dvo.resource_record_value
        type   = dvo.resource_record_type
      } 
    } : {} 
  )# Empty map if not moose

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.dns_info["public"]["zone_id"]
}

#########################
# ELB
resource "aws_lb" "hec_pvt" {
  count = local.is_moose ? 1 : 0

  tags               = merge(var.standard_tags, var.tags)
  name               = "${var.prefix}-hec-private"
  load_balancer_type = "application"
  security_groups    = [ aws_security_group.hec_pvt_elb_security_group[0].id ]
  subnets            = var.private_subnets
  internal           = true
}

resource "aws_lb_listener" "hec_pvt_443" {
  count             = local.is_moose ? 1 : 0

  load_balancer_arn = aws_lb.hec_pvt[0].arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = aws_acm_certificate.hec_pvt_cert[0].arn
  default_action {
    type = "forward"
    target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
  }
}

resource "aws_lb_listener" "hec_pvt_8088" {
  count = local.is_moose ? 1 : 0

  load_balancer_arn = aws_lb.hec_pvt[0].arn
  port              = 8088
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = aws_acm_certificate.hec_pvt_cert[0].arn
  default_action {
    type = "forward"
    target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
  }
}

resource "aws_lb_target_group" "hec_pvt_8088" {
  count = local.is_moose ? 1 : 0

  name         = "${var.prefix}-hec-pvt-targets"
  port         = 8088
  protocol     = "HTTPS"
  target_type  = "instance"
  vpc_id       = var.vpc_id

  health_check {
    path     = "/services/collector/health/1.0"
    protocol = "HTTPS"
  }
}

# Attach the instnaces to the ELB
resource "aws_autoscaling_attachment" "hec_pvt_asg_attachments" {
  for_each = local.is_moose ? toset([ module.indexer0.asg_name[0], module.indexer1.asg_name[0], module.indexer2.asg_name[0] ]) : []
  alb_target_group_arn = aws_lb_target_group.hec_pvt_8088[0].arn
  autoscaling_group_name = each.key
}