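#########################
# Internet-facing ALB fronting the Cribl/alsi HEC workers on 8088.
# Every resource in this file except the security group and its rules is
# gated on var.alsi_hec_alb (count = 0 when disabled).
resource "aws_lb" "alsi-alb-hec" {
  count              = var.alsi_hec_alb ? 1 : 0
  name               = "${var.prefix}-alsi-alb-hec"
  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
  load_balancer_type = "application"
  # Not supported for NLB
  security_groups = [aws_security_group.alsi-alb-hec-sg.id]
  # Note, changing subnets results in recreation of the resource
  subnets                          = var.subnets
  enable_cross_zone_load_balancing = true
  # The ALB is Internet-exposed: drop requests whose header names are not
  # RFC-valid instead of forwarding them to the workers (tfsec
  # aws-elb-drop-invalid-headers; provider default is false).
  drop_invalid_header_fields = true
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }
  tags = merge(var.standard_tags, var.tags)
}
#########################
# Listeners
# HTTPS listener: terminates TLS with the HEC ACM certificate and forwards
# to the 8088 target group.
resource "aws_lb_listener" "alsi-alb-hec-listener-https" {
  count             = var.alsi_hec_alb ? 1 : 0
  load_balancer_arn = aws_lb.alsi-alb-hec[count.index].arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.cert_hec[count.index].arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alsi-alb-hec-target-8088[count.index].arn
  }
}
# Only alb's can redirect
# HTTP listener: never forwards traffic, only issues a permanent redirect
# to the HTTPS listener above.
resource "aws_lb_listener" "alsi-alb-hec-listener-http" {
  count             = var.alsi_hec_alb ? 1 : 0
  load_balancer_arn = aws_lb.alsi-alb-hec[count.index].arn
  port              = "80"
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
#########################
# Targets
# Instance target group for the worker HEC endpoint (HTTPS on 8088).
resource "aws_lb_target_group" "alsi-alb-hec-target-8088" {
  count       = var.alsi_hec_alb ? 1 : 0
  name        = "${var.prefix}-alsi-hec-8088"
  port        = 8088
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
  # The health check runs on 9000, not on the 8088 traffic port.
  # NOTE(review): the ALB security group below only has an egress rule for
  # 8088 toward the workers in this file; unless another egress rule for
  # 9000 exists elsewhere in the module, the health check cannot reach the
  # workers and targets will stay unhealthy — confirm.
  health_check {
    enabled  = true
    path     = "/api/v1/health"
    port     = 9000
    protocol = "HTTPS"
  }
  # sure would be nice to check the actual port
  #health_check {
  #  enabled = true
  #  path = "/"
  #  port = 9000
  #  protocol = "HTTPS"
  #}
}
# One attachment per worker instance; count collapses to 0 when the ALB is
# disabled so the [0] index on the target group is never evaluated then.
resource "aws_lb_target_group_attachment" "alsi-alb-hec-target-8088-instance" {
  count            = var.alsi_workers * (var.alsi_hec_alb ? 1 : 0)
  target_group_arn = aws_lb_target_group.alsi-alb-hec-target-8088[0].arn
  target_id        = aws_instance.worker[count.index].id
  port             = 8088
}
#########################
# Security Group for ALB
# Created unconditionally (no count) so the rules below can reference it
# without an index.
resource "aws_security_group" "alsi-alb-hec-sg" {
  name_prefix = "${var.prefix}-alsi-alb-hec-sg"
  lifecycle { create_before_destroy = true } # handle updates gracefully
  description = "Security Group for the Cribl ALB for hec"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}
# Inbound 443 from the VPC access ranges, trusted IPs and Splunk data
# sources; toset() de-duplicates overlapping entries across the three lists.
resource "aws_security_group_rule" "alsi-alb-hec-https-in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], var.trusted_ips, var.splunk_data_sources))
  security_group_id = aws_security_group.alsi-alb-hec-sg.id
}
# Same sources as the 443 rule; the listener on 80 only redirects.
resource "aws_security_group_rule" "alsi-elastic-http-in" {
  # Port 80 is open as a redirect to 443
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], var.trusted_ips, var.splunk_data_sources))
  security_group_id = aws_security_group.alsi-alb-hec-sg.id
}
# Outbound from the ALB is restricted to 8088 on the worker security group
# (for egress rules source_security_group_id is the destination).
resource "aws_security_group_rule" "alsi-alb-hec-8088-out" {
  type                     = "egress"
  from_port                = 8088
  to_port                  = 8088
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alsi_worker_security_group.id
  security_group_id        = aws_security_group.alsi-alb-hec-sg.id
}
#########################
# DNS Entry
# Public CNAME for the ALB, written through the common-services provider
# alias because the public zone lives in that account.
resource "aws_route53_record" "alsi-alb-hec" {
  count    = var.alsi_hec_alb ? 1 : 0
  zone_id  = var.dns_info["public"]["zone_id"]
  name     = "${var.prefix}-alsi-hec"
  type     = "CNAME"
  records  = [aws_lb.alsi-alb-hec[count.index].dns_name]
  ttl      = "60"
  provider = aws.mdr-common-services-commercial
}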