| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 |
- #----------------------------------------------------------------------------
- # INTERNAL LB
- #----------------------------------------------------------------------------
- resource "aws_alb" "vault" {
- name = "vault-alb-${var.environment}"
- security_groups = [aws_security_group.vault_ALB_server.id]
- internal = true
- subnets = var.subnets
- load_balancer_type = "application"
- drop_invalid_header_fields = true
- access_logs {
- bucket = "xdr-elb-${var.environment}"
- enabled = true
- }
- tags = merge(local.standard_tags, var.tags, { Name = "vault-alb-${var.environment}" })
- }
- # Create a new target group
- resource "aws_alb_target_group" "vault" {
- name = "vault-alb-targets-https-${var.environment}"
- port = 443
- protocol = "HTTPS"
- #deregistration_delay = "${local.lb_deregistration_delay}"
- vpc_id = var.vpc_id
- health_check {
- protocol = "HTTPS"
- path = "/v1/sys/health"
- matcher = "200"
- timeout = "4"
- interval = "5"
- }
- stickiness {
- type = "lb_cookie"
- enabled = false
- }
- tags = merge(local.standard_tags, var.tags)
- }
- resource "aws_lb_target_group_attachment" "vault" {
- for_each = toset(var.instance_count)
- target_group_arn = aws_alb_target_group.vault.arn
- target_id = aws_instance.instance[each.key].id
- port = 443
- }
- # Create a new alb listener
- resource "aws_alb_listener" "vault_https" {
- load_balancer_arn = aws_alb.vault.arn
- port = "443"
- protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
- certificate_arn = aws_acm_certificate.cert.arn
- default_action {
- target_group_arn = aws_alb_target_group.vault.arn
- type = "forward"
- }
- }
- # #########################
- # # DNS Entry
- # module "public_dns_record" {
- # source = "../../submodules/dns/public_ALIAS_record"
- # name = var.instance_name
- # target_dns_name = aws_lb.openvpn-nlb.dns_name
- # target_zone_id = aws_lb.openvpn-nlb.zone_id
- # dns_info = var.dns_info
- # providers = {
- # aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
- # }
- # }
- #----------
- # DNS Entry
- #----------
- #DNS Alias for the LB ( the CNAME was required. an Alias did NOT work due to aws/bug. )
- resource "aws_route53_record" "vault_internal" {
- zone_id = var.dns_info["private"]["zone_id"]
- name = var.instance_name
- type = "CNAME"
- records = [aws_alb.vault.dns_name]
- ttl = "60"
- provider = aws.c2
- }
- #----------------------------------------------------------------------------
- # Vault ALB Security Group
- #----------------------------------------------------------------------------
- resource "aws_security_group" "vault_ALB_server" {
- vpc_id = var.vpc_id
- name = "vault-alb-sg"
- description = "ALB for Vault"
- tags = merge(local.standard_tags, var.tags)
- }
- #----------------------------------------------------------------------------
- # INGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "vault_server_from_vpc" {
- type = "ingress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["10.0.0.0/8"]
- description = "Allows the server to receive traffic from everywhere"
- security_group_id = aws_security_group.vault_ALB_server.id
- }
- #----------------------------------------------------------------------------
- # EGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "alb_to_vault_server" {
- type = "egress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- source_security_group_id = aws_security_group.instance_security_group.id
- description = "Allows the ALB to talk to the vault servers"
- security_group_id = aws_security_group.vault_ALB_server.id
- }
|
