From c2759edae4daae5ba4d5db3fe7c547ed80ef6785 Mon Sep 17 00:00:00 2001 From: Joseph Yousefpour Date: Thu, 13 Nov 2025 20:14:43 -0500 Subject: [PATCH 1/2] fix alb rules --- deployment/ecs/envs/bo/main.tf | 1 + deployment/ecs/envs/bo/terraform.tfvars | 3 +- deployment/ecs/envs/bo/variables.tf | 5 +- deployment/ecs/modules/ecs/main.tf | 66 ++++++++++++++++++++----- deployment/ecs/modules/ecs/variables.tf | 7 ++- 5 files changed, 67 insertions(+), 15 deletions(-) diff --git a/deployment/ecs/envs/bo/main.tf b/deployment/ecs/envs/bo/main.tf index b8ef6ab57..14f4fc616 100644 --- a/deployment/ecs/envs/bo/main.tf +++ b/deployment/ecs/envs/bo/main.tf @@ -75,6 +75,7 @@ module "ecs_service" { health_check_path = var.health_check_path mpath_exec = var.mpath_exec readonly_root_filesystem = true + custom_domain_name = var.custom_domain_name environment_variables = { RAILS_ENV = "production" RAILS_SERVE_STATIC_FILES = "true" diff --git a/deployment/ecs/envs/bo/terraform.tfvars b/deployment/ecs/envs/bo/terraform.tfvars index df1361ffc..18a8a1dce 100644 --- a/deployment/ecs/envs/bo/terraform.tfvars +++ b/deployment/ecs/envs/bo/terraform.tfvars @@ -48,4 +48,5 @@ tags = { db_secret_arn = aws_secretsmanager_secret.db.arn twingate_exec = false -mpath_exec = false \ No newline at end of file +mpath_exec = false +custom_domain_name = "mpath-ecs-bo.microhealthllc.com" \ No newline at end of file diff --git a/deployment/ecs/envs/bo/variables.tf b/deployment/ecs/envs/bo/variables.tf index 5f0ec3873..0b188e872 100644 --- a/deployment/ecs/envs/bo/variables.tf +++ b/deployment/ecs/envs/bo/variables.tf @@ -310,4 +310,7 @@ variable "mpath_exec" { default = false } - +variable "custom_domain_name" { + description = "The domain allowed to access the ALB" + type = string +} diff --git a/deployment/ecs/modules/ecs/main.tf b/deployment/ecs/modules/ecs/main.tf index b8201920e..75effeb82 100644 --- a/deployment/ecs/modules/ecs/main.tf +++ b/deployment/ecs/modules/ecs/main.tf 
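Review bot: The new `custom_domain_name` variable in deployment/ecs/envs/bo/variables.tf (and the identical declaration added to deployment/ecs/modules/ecs/variables.tf in the same patch) has no `validation` block even though the value is used both as a listener `host_header` allow-list entry and as a redirect `host`; ALB host_header conditions treat `*` and `?` as wildcards, so a value such as `*.example.com` would silently widen the "allowed domain" match while producing a redirect target that is not a valid hostname. If the pinned Terraform version supports variable validation, constraining the value to a literal hostname at the module boundary turns that misconfiguration into a plan-time error; the block below is a suggested shape. The description `"The domain allowed to access the ALB"` could also say that requests for any other host are redirected rather than refused, since that is what the module does with it.

```hcl
variable "custom_domain_name" {
  description = "The domain allowed to access the ALB"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9.-]+$", var.custom_domain_name))
    error_message = "custom_domain_name must be a literal hostname; ALB host_header conditions treat * and ? as wildcards."
  }
}
```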
@@ -241,7 +241,6 @@ resource "aws_security_group" "ecs_service" { lifecycle { create_before_destroy = true } } - # ALB SG resource "aws_security_group" "alb" { count = local.do_alb ? 1 : 0 @@ -249,14 +248,6 @@ resource "aws_security_group" "alb" { vpc_id = var.vpc_id description = "ALB SG for ${var.service_name}" - ingress { - description = "HTTP" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - ingress { description = "HTTPS" from_port = 443 @@ -287,7 +278,7 @@ resource "aws_lb" "this" { tags = var.tags } -# Target Group (ALB -> ECS tasks) +# Target Group resource "aws_lb_target_group" "ecs" { count = local.do_alb ? 1 : 0 name = "${var.service_name}-tg" @@ -311,7 +302,7 @@ resource "aws_lb_target_group" "ecs" { tags = var.tags } -# HTTPS listener (443) with TLS termination +# HTTPS listener (443) resource "aws_lb_listener" "https" { count = local.do_alb ? 1 : 0 load_balancer_arn = aws_lb.this[0].arn 
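Review bot: Dropping the port-80 ingress from `aws_security_group.alb` (hunk at -249) while the `aws_lb_listener "http"` resource further down this file still exists leaves, within this commit, a listener on a port the security group no longer admits, so plain-http clients hang until TCP timeout instead of receiving the 301 to HTTPS. PATCH 2/2 then deletes that listener, so the inconsistent state only exists in history, but the end state still removes the HTTP→HTTPS upgrade entirely: whether that is acceptable depends on whether the application already emits a Strict-Transport-Security header, which this diff does not show. If it does not, the usual pattern is to keep a port-80 listener whose only action is the redirect together with the matching ingress rule, since that closes port 80 to content while still upgrading users who type the bare hostname. Either way, squashing the two patches or recording the decision in the surviving comment, e.g. `# ALB SG: HTTPS only; port 80 is deliberately closed (no HTTP->HTTPS redirect)`, would make the intent visible to the next reader.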
@@ -320,13 +311,63 @@ resource "aws_lb_listener" "https" { ssl_policy = var.ssl_policy certificate_arn = var.acm_certificate_arn + # DEFAULT: Redirect EVERY request unless a rule overrides it default_action { + type = "redirect" + + redirect { + host = var.custom_domain_name + protocol = "HTTPS" + port = "443" + status_code = "HTTP_301" + } + } +} + +# Rule 1: Allow only the custom domain → forward to ECS +resource "aws_lb_listener_rule" "allow_only_custom_domain" { + count = local.do_alb ? 1 : 0 + listener_arn = aws_lb_listener.https[0].arn + priority = 1 + + condition { + host_header { + values = [var.custom_domain_name] + } + } + + action { type = "forward" target_group_arn = aws_lb_target_group.ecs[0].arn } } -# HTTP -> HTTPS redirect +# Rule 2: Redirect ALB DNS → clean redirect +resource "aws_lb_listener_rule" "redirect_alb_dns_to_custom_domain" { + count = local.do_alb ? 1 : 0 + listener_arn = aws_lb_listener.https[0].arn + priority = 2 + + condition { + host_header { + values = [ + aws_lb.this[0].dns_name + ] + } + } + + action { + type = "redirect" + redirect { + host = var.custom_domain_name + protocol = "HTTPS" + port = "443" + status_code = "HTTP_301" + } + } +} + +# HTTP → HTTPS redirect resource "aws_lb_listener" "http" { count = local.do_alb ? 1 : 0 load_balancer_arn = aws_lb.this[0].arn @@ -343,6 +384,7 @@ resource "aws_lb_listener" "http" { } } + locals { effective_tg_arn = var.target_group_arn != null ? var.target_group_arn : (local.do_alb ? aws_lb_target_group.ecs[0].arn : null) } diff --git a/deployment/ecs/modules/ecs/variables.tf b/deployment/ecs/modules/ecs/variables.tf index 44637af08..5615b5bd8 100644 --- a/deployment/ecs/modules/ecs/variables.tf +++ b/deployment/ecs/modules/ecs/variables.tf @@ -207,4 +207,9 @@ variable "mpath_exec" { description = "Enable exec" type = bool default = false -} \ No newline at end of file +} + +variable "custom_domain_name" { + description = "The domain allowed to access the ALB" + type = string +} 
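Review bot: `aws_lb_listener_rule.redirect_alb_dns_to_custom_domain` (priority 2) performs exactly the redirect that the listener's new `default_action` already applies to every request whose host is not `var.custom_domain_name`, including the ALB's own DNS name, so the rule is a no-op that must nevertheless be kept in sync with the default block by hand. Either drop the rule, or, if the `allow_only_custom_domain` naming means unknown hosts should be refused rather than bounced, make the default action a `fixed-response` (a 4xx such as 421) and keep the redirect rule only for `aws_lb.this[0].dns_name`, where a friendly redirect is actually useful. Note also that `host_header` matching is case-insensitive and honours `*`/`?` wildcards, so the value supplied through `var.custom_domain_name` needs to be a literal hostname for the allow rule to mean what its name says. The `aws_lb_listener "https"` resource begins before this hunk.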
From 5499022fb983f69468fd21685095d362e52082f7 Mon Sep 17 00:00:00 2001 From: Joseph Yousefpour Date: Thu, 13 Nov 2025 20:20:32 -0500 Subject: [PATCH 2/2] tightening up alb rules --- deployment/ecs/modules/ecs/main.tf | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/deployment/ecs/modules/ecs/main.tf b/deployment/ecs/modules/ecs/main.tf index 75effeb82..553d61654 100644 --- a/deployment/ecs/modules/ecs/main.tf +++ b/deployment/ecs/modules/ecs/main.tf @@ -367,24 +367,6 @@ resource "aws_lb_listener_rule" "redirect_alb_dns_to_custom_domain" { } } -# HTTP → HTTPS redirect -resource "aws_lb_listener" "http" { - count = local.do_alb ? 1 : 0 - load_balancer_arn = aws_lb.this[0].arn - port = 80 - protocol = "HTTP" - - default_action { - type = "redirect" - redirect { - port = "443" - protocol = "HTTPS" - status_code = "HTTP_301" - } - } -} - - locals { effective_tg_arn = var.target_group_arn != null ? var.target_group_arn : (local.do_alb ? aws_lb_target_group.ecs[0].arn : null) }