// First we create a Network Load Balancer with Elastic IPs for Vault. In some Vault use cases,
// e.g. the TLS certificate auth method, TLS is not offloaded to the load balancer, hence the need for a Network
// Load Balancer.
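resource "aws_lb" "vault" {
  # Internet-facing NLB. TLS is passed straight through to the Vault nodes, so
  # the TCP/443 listener in this file never sees plaintext.
  name_prefix                      = "vault"
  internal                         = false
  load_balancer_type               = "network"
  enable_cross_zone_load_balancing = true
  tags                             = local.tags

  # Access logs go to the dedicated bucket under a per-LB prefix; the bucket
  # policy in this file grants the log-delivery principals write access to
  # exactly that prefix and nothing else.
  access_logs {
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "${local.bucket_prefix}-network"
    enabled = true
  }

  # One static EIP per subnet. Assumes aws_eip.lb_ip (defined outside this
  # file) is keyed by subnet id — TODO confirm.
  dynamic "subnet_mapping" {
    for_each = local.subnets
    content {
      subnet_id     = subnet_mapping.value
      allocation_id = aws_eip.lb_ip[subnet_mapping.value].id
    }
  }

  # Was misspelled "lifecyle", which Terraform rejects as an unsupported block.
  lifecycle {
    create_before_destroy = true
  }
}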
// Depending on the Vault use case, we could also use an Application Load Balancer. In this use case, TLS can be offloaded
// to the Application Load Balancer.
resource "aws_lb" "vault_application" {
  # Only created when TLS is offloaded; the NLB listener forwards TCP/443 to it.
  count = var.offload_tls ? 1 : 0

  name_prefix        = "vault"
  load_balancer_type = "application"
  # No public addresses: the NLB above is the only internet-facing entry point.
  internal        = true
  subnets         = local.subnets
  security_groups = [module.vault_alb_sg.security_group_id]
  tags            = local.tags

  # Same log bucket as the NLB, separate prefix so the two log streams stay apart.
  access_logs {
    enabled = true
    bucket  = aws_s3_bucket.lb_logs.bucket
    prefix  = "${local.bucket_prefix}-application"
  }

  lifecycle {
    create_before_destroy = true
  }
}
data "aws_acm_certificate" "vault" {
  # Looked up only when the ALB terminates TLS. Restricting to ISSUED and
  # taking the newest match keeps pending or expired certificates off the
  # HTTPS listener.
  count       = var.offload_tls ? 1 : 0
  domain      = local.cert_name
  most_recent = true
  statuses    = ["ISSUED"]
}
data "aws_route53_zone" "vault" {
  # local.create_dns_entry is used directly as a count here and on the record
  # below, so it is presumably a 0/1 number rather than a bool — TODO confirm
  # its definition.
  count = local.create_dns_entry
  name  = local.zone
}
resource "aws_route53_record" "vault" {
  count   = local.create_dns_entry
  zone_id = data.aws_route53_zone.vault[count.index].zone_id
  name    = local.dns_name
  type    = "CNAME"
  ttl     = 30
  # Always points at the NLB: it is the single entry point whether or not TLS
  # is offloaded to the ALB behind it.
  records = [aws_lb.vault.dns_name]

  # Changes to the record name are ignored after creation — presumably so a
  # renamed local does not recreate (and briefly drop) the public name; verify
  # this is still intended.
  lifecycle {
    ignore_changes = [name]
  }
}
data "aws_elb_service_account" "main" {
  # No arguments: resolves to the ELB service account for the provider's
  # region. Used as the "AWS" principal in the lb_logs bucket policy.
}
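data "aws_iam_policy_document" "lb_logs" {
  # Write access for the log-delivery identities, scoped to the AWSLogs
  # subtree of each LB's own prefix so they cannot write elsewhere in the
  # bucket. Action name normalised to the documented casing (IAM matches
  # actions case-insensitively, so behaviour is unchanged).
  statement {
    sid     = "AWSLogDeliveryWrite"
    actions = ["s3:PutObject"]
    resources = formatlist(
      "arn:aws:s3:::${aws_s3_bucket.lb_logs.bucket}/%s/AWSLogs/*",
      ["${local.bucket_prefix}-application", "${local.bucket_prefix}-network"]
    )

    # The block is "principals" (plural); "principal" is not a valid block in
    # this data source and fails validation. Two principals because log
    # delivery may come from the log-delivery service or from the regional
    # ELB account.
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }

  # The delivery service checks the bucket ACL before writing; read-only and
  # scoped to the bucket itself, not its objects.
  statement {
    sid       = "AWSLogDeliveryCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.lb_logs.bucket}"]

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
  }
}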
// Single entry point for all connections. Forwards to the target group for the ALB or for the instances, depending on
// where TLS is terminated.
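resource "aws_lb_listener" "vault_nlb" {
  load_balancer_arn = aws_lb.vault.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type = "forward"
    # Resource type is aws_lb_target_group ("aws_lb_target" does not exist).
    # With TLS offloaded the TCP stream is handed to the ALB, otherwise it goes
    # straight to Vault on 8200. Both target groups are defined outside this
    # file and indexed with [0], so they presumably use count — TODO confirm.
    target_group_arn = var.offload_tls ? aws_lb_target_group.vault_nlb_forward[0].arn : aws_lb_target_group.vault_tcp_8200[0].arn
  }
}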
// Terminating TLS on the load balancer means we need an HTTPS listener.
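resource "aws_lb_listener" "vault_application" {
  count = var.offload_tls ? 1 : 0

  # Was "aws_lb_vault.application", which is not a resource in this file.
  load_balancer_arn = aws_lb.vault_application[count.index].arn
  port              = 443
  protocol          = "HTTPS"
  # Policy names are case-sensitive; "ELBSecuritypolicy-2016-08" does not
  # exist. Note this policy still negotiates TLS 1.0/1.1 — prefer
  # ELBSecurityPolicy-TLS-1-2-2017-01 or newer unless legacy clients need it.
  ssl_policy      = "ELBSecurityPolicy-2016-08"
  certificate_arn = data.aws_acm_certificate.vault[count.index].arn

  default_action {
    type = "forward"
    # Resource type is aws_lb_target_group ("aws_lb_target" does not exist).
    target_group_arn = aws_lb_target_group.vault_http_8200[count.index].arn
  }
}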
// Create the S3 bucket for load balancer logs
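resource "aws_s3_bucket" "lb_logs" {
  # Bucket names are global; name_prefix presumably makes this unique per
  # deployment — TODO confirm.
  bucket = "${local.name_prefix}-lb"
  acl    = "private"
  tags   = local.tags

  # Was "AE256", which the API rejects; the SSE-S3 algorithm is "AES256".
  # SSE-S3 rather than SSE-KMS is deliberate: ELB access-log delivery only
  # supports S3-managed keys. Consider adding an
  # aws_s3_bucket_public_access_block for this bucket as well.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}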
// Attach the policy above to the logs bucket
resource "aws_s3_bucket_policy" "lb_logs" {
  # Binds the rendered log-delivery policy document to the log bucket.
  policy = data.aws_iam_policy_document.lb_logs.json
  bucket = aws_s3_bucket.lb_logs.bucket
}