AFS
/
xdr-terraform-modules


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970
							module "elb" {
  source = "../../submodules/load_balancer/static_nlb_to_alb"

  name                  = "sensu"
  target_ids            = [aws_instance.instance.id]
  listener_port         = 443
  target_port           = 8081
  target_protocol       = "HTTPS"
  target_security_group = aws_security_group.instance_security_group.id
  allow_from_any        = false

  # WAF variables
  waf_enabled = true
  #excluded_rules_AWSManagedRulesCommonRuleSet = [ "SizeRestrictions_BODY" ]
  #excluded_rules_AWSManagedRulesAmazonIpReputationList = []
  #excluded_rules_AWSManagedRulesKnownBadInputsRuleSet = []
  #excluded_rules_AWSManagedRulesSQLiRuleSet = []
  #excluded_rules_AWSManagedRulesLinuxRuleSet = []
  #excluded_rules_AWSManagedRulesUnixRuleSet = []
  #additional_blocked_ips = []
  #allowed_ips = []
  #admin_ips = []

  # Optional Variables
  healthcheck_port     = 8080
  healthcheck_protocol = "HTTPS"
  healthcheck_path     = "/health"
  healthcheck_matcher  = "200"
  stickiness           = false

  # Inherited Variables 
  tags           = merge(local.standard_tags, var.tags)
  dns_info       = var.dns_info
  public_subnets = var.public_subnets
  environment    = var.environment
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  aws_account_id = var.aws_account_id
  vpc_id         = var.vpc_id

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
    aws.c2                             = aws.c2
  }
}

resource "aws_security_group_rule" "sensu-external-ips" {
  # This deserves some explanation.  Terraform "for_each" expects to be
  # getting as input a map of values to iterate over as part of the foreach.
  # The keys of the map are used to name each of these objects created.  Looking
  # in the terraform plan output of a for_each you'll see things like:
  #
  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
  #
  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
  # makes a new thing that is a map of maps, where the key value is the description with
  # blanks removed.
  #
  # We could have made the variable more natively-friendly to for_each but this seemed
  # like a better solution for what we were trying to accomplish.
  for_each = { for s in local.c2_services_external_ips : replace(s.description, "/\\s*/", "") => s }

  description       = "Sensu - ${each.value.description}"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
  security_group_id = module.elb.security_group_id
}