AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
							resource "aws_lb" "openvpn-nlb" {
  name               = "${ var.instance_name }-nlb"
  internal           = false
  load_balancer_type = "network"
  # Not supported for NLB
  #security_groups    = [aws_security_group.openvpn-nlb-sg.id]
  # Note, changing subnets results in recreation of the resource
  subnets            = var.public_subnets
  enable_cross_zone_load_balancing = true

  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }

  tags = merge(var.standard_tags, var.tags)
}

#########################
# Listeners
resource "aws_lb_listener" "openvpn-nlb-listener-https" {
  load_balancer_arn = aws_lb.openvpn-nlb.arn
  port              = "443"
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.openvpn-nlb-target-https.arn
  }
}

# Only alb's can redirect
#resource "aws_lb_listener" "openvpn-nlb-listener-http" {
#  load_balancer_arn = aws_lb.openvpn-nlb.arn
#  port              = "80"
#  protocol          = "HTTP"
#
#  default_action {
#    type             = "redirect"
#
#    redirect {
#      port        = "443"
#      protocol    = "HTTPS"
#      status_code = "HTTP_301"
#    }
#  }
#}

resource "aws_lb_listener" "openvpn-nlb-listener-openvpn" {
  load_balancer_arn = aws_lb.openvpn-nlb.arn
  port              = "1194"
  protocol          = "UDP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.openvpn-nlb-target-openvpn.arn
  }
}


#########################
# Targets
resource "aws_lb_target_group" "openvpn-nlb-target-https" {
  name = "${ var.instance_name }-nlb-target-https"
  port     = 443
  protocol = "TLS"
  target_type = "instance"
  vpc_id   = var.vpc_id
  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "openvpn-nlb-target-https-instance" {
  target_group_arn = aws_lb_target_group.openvpn-nlb-target-https.arn
  target_id        = aws_instance.instance.id
  port             = 443
}

resource "aws_lb_target_group" "openvpn-nlb-target-openvpn" {
  name = "${ var.instance_name }-nlb-target-openvpn"
  port     = 1194
  protocol = "UDP"
  target_type = "instance"
  vpc_id   = var.vpc_id
  tags = merge(var.standard_tags, var.tags)
}

resource "aws_lb_target_group_attachment" "openvpn-nlb-target-openvpn-instance" {
  target_group_arn = aws_lb_target_group.openvpn-nlb-target-openvpn.arn
  target_id        = aws_instance.instance.id
  port             = 1194
}


#########################
# Security Group for NLB
# 
# From tf: 
# Error: error creating network Load Balancer: InvalidConfigurationRequest: Security groups are not supported for load balancers with type 'network'
#resource "aws_security_group" "openvpn-nlb-sg" {
#  name = "openvpn_nlb_sg"
#  description = "Security Group for the OpenVPN NLB"
#  vpc_id = var.vpc_id
#  tags = merge(var.standard_tags, var.tags)
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-in" {
#  type              = "ingress"
#  from_port         = 1194
#  to_port           = 1194
#  protocol          = "udp"
#  cidr_blocks       = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-https-in" {
#  type              = "ingress"
#  from_port         = 443
#  to_port           = 443
#  protocol          = "tcp"
#  cidr_blocks       = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-out" {
#  type              = "egress"
#  from_port         = 1194
#  to_port           = 1194
#  protocol          = "udp"
#  # Maybe should limit to the local vpc, but I don't readily have that cidr available
#  cidr_blocks       = [ "10.0.0.0/8" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}
#
#resource "aws_security_group_rule" "openvpn-nlb-https-out" {
#  type              = "egress"
#  from_port         = 443
#  to_port           = 443
#  protocol          = "tcp"
#  # Maybe should limit to the local vpc, but I don't readily have that cidr available
#  cidr_blocks       = [ "10.0.0.0/8" ]
#  security_group_id = aws_security_group.openvpn-nlb-sg.id
#}

#########################
# DNS Entry
module "public_dns_record" {
  source = "../../submodules/dns/public_ALIAS_record"

  name = var.instance_name
  target_dns_name = aws_lb.openvpn-nlb.dns_name
  target_zone_id  = aws_lb.openvpn-nlb.zone_id
  dns_info = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}