AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191
							#------------------------------------------------------------------------------
# An external ELB for the indexers for HEC, because acknowledgements
#------------------------------------------------------------------------------

#########################
# DNS Entry
resource "aws_route53_record" "hec-ack" {
  name = "${var.prefix}-hec-ack"
  type = "CNAME"
  zone_id = var.dns_info["legacy_public"]["zone_id"]
  ttl = "600"
  records = [ aws_elb.hec_classiclb.dns_name ]

  provider = aws.legacy
}

#resource "aws_route53_record" "hec-ack-internal" {
#  # the 'private' copy of the msoc.defpoint.com domain
#  name = "${var.prefix}-hec-ack"
#  type = "CNAME"
#  zone_id = var.dns_info["legacy_public_internal"]["zone_id"]
#  ttl = "600"
#  records = [ aws_elb.hec_classiclb.dns_name ]
#
#  provider = aws.legacy
#}

output hec-with-acks-fqdn {
  value = aws_route53_record.hec-ack.fqdn
}

output hec-with-acks-records {
  value = aws_elb.hec_classiclb.dns_name
}

#########################
# Certificate
resource "aws_acm_certificate" "hec_classiclb_cert" {
  domain_name       = "${var.prefix}-hec-ack.${var.dns_info["legacy_public"]["zone"]}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_acm_certificate_validation" "hec_classiclb_cert_validation" {
  certificate_arn         = aws_acm_certificate.hec_classiclb_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.hec_classiclb_cert_validation: record.fqdn]
}

resource "aws_route53_record" "hec_classiclb_cert_validation" {
  provider = aws.legacy

  for_each = {
    for dvo in aws_acm_certificate.hec_classiclb_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.dns_info["legacy_public"]["zone_id"]
}


#########################
# ELB
resource "aws_elb" "hec_classiclb" {
  tags = merge(var.standard_tags, var.tags)
  name            = "${var.prefix}-legacy-hec-classic"
  security_groups = [ data.aws_security_group.hec_elb_security_group.id ]
  subnets         = var.public_subnets
  internal        = false

  listener {
    instance_port      = 8088
    instance_protocol  = "https"
    lb_port            = 8088
    lb_protocol        = "https"
    ssl_certificate_id = aws_acm_certificate.hec_classiclb_cert.arn
  }

  listener {
    instance_port      = 8088
    instance_protocol  = "https"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = aws_acm_certificate.hec_classiclb_cert.arn
  }

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTPS:8088/services/collector/health/1.0"
    interval            = 30
  }

  access_logs {
    bucket  = "xdr-elb-${ var.environment }"
    enabled = true
  }
}

# AWS Firehose / Splunk requirement for ELB cookies to have
# cookie_expiration_period=0.  Terraform does not support that directly
# and expects >=1.  Not specifying an expiration period causes a period
# of 0.  See https://github.com/terraform-providers/terraform-provider-aws/issues/12678
resource "aws_lb_cookie_stickiness_policy" "hec_classiclb_sticky_443" {
  name                     = "sticky443-2"
  load_balancer            = aws_elb.hec_classiclb.id
  lb_port                  = 443
}

# AWS Firehose / Splunk requirement for ELB cookies to have
# cookie_expiration_period=0.  Terraform does not support that directly
# and expects >=1.  Not specifying an expiration period causes a period
# of 0.  See https://github.com/terraform-providers/terraform-provider-aws/issues/12678
resource "aws_lb_cookie_stickiness_policy" "hec_classiclb_sticky_8088" {
  name                     = "sticky8088"
  load_balancer            = aws_elb.hec_classiclb.id
  lb_port                  = 8088
}

# Attach the instnaces to the ELB
resource "aws_autoscaling_attachment" "hec_classic_asg_attachments" {
  for_each = toset(var.elb_attachments)
  elb      = aws_elb.hec_classiclb.id
  autoscaling_group_name = each.key
}

# See https://github.com/terraform-providers/terraform-provider-aws/issues/995
resource "aws_load_balancer_policy" "listener_policy-tls-1-2" {
  load_balancer_name = aws_elb.hec_classiclb.name
  policy_name        = "elb-tls-1-2"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }

  # Workaround for bug above.  If changing TLS policy then be
  # prepared to taint the resource.  Tested/working taint commands
  # (as of 2020-06-25) are:
  # terraform taint --module customer.indexer_cluster aws_load_balancer_policy.listener_policy-tls-1-2
  # terraform taint --module customer.indexer_cluster aws_load_balancer_listener_policy.hec_classiclb_listener_443
  # terraform taint --module customer.indexer_cluster aws_load_balancer_listener_policy.hec_classiclb_listener_8088
  #
  # As of this time, w/ terraform 0.11.14, you have to taint all three
  # to effect a change here.
  #
  # 2020-11-04 - Confirmed this is still a bug in 0.13
  lifecycle {
    ignore_changes = [ policy_attribute ]
  }
}

# Have to make sure to add the sticky policy here too or it causes
# the listener to lose the sticky policy set above and terraform
# attempts to re-add it on each apply run
resource "aws_load_balancer_listener_policy" "hec_classiclb_listener_443" {
  load_balancer_name = aws_elb.hec_classiclb.name
  load_balancer_port = 443

  policy_names = [
    aws_load_balancer_policy.listener_policy-tls-1-2.policy_name,
    aws_lb_cookie_stickiness_policy.hec_classiclb_sticky_443.name,
  ]
}

# Have to make sure to add the sticky policy here too or it causes
# the listener to lose the sticky policy set above and terraform
# attempts to re-add it on each apply run
resource "aws_load_balancer_listener_policy" "hec_classiclb_listener_8088" {
  load_balancer_name = aws_elb.hec_classiclb.name
  load_balancer_port = 8088

  policy_names = [
    aws_load_balancer_policy.listener_policy-tls-1-2.policy_name,
    aws_lb_cookie_stickiness_policy.hec_classiclb_sticky_8088.name,
  ]
}