fix-ecs-apex-redirect

LeoDiazL · LeoDiazL · commit d5cc8a56f83c · 2025-11-20T11:33:19.000-03:00
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
@@ -129,13 +129,13 @@ resource "aws_ecs_service" "ecs_service" {
   dynamic "load_balancer" {
     for_each = length(local.aws_ecs_container_port) > 0 ? [1] : []
     content {
-      target_group_arn = aws_alb_target_group.lb_targets[count.index].id
+      target_group_arn = aws_lb_target_group.lb_targets[count.index].id
       container_name   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"
       container_port   = local.aws_ecs_container_port[count.index]
     }
   }
 
-  depends_on = [aws_alb_listener.lb_listener, aws_alb_listener.lb_listener_ssl]
+  depends_on = [aws_lb_listener.lb_listener, aws_lb_listener.lb_listener_ssl]
 }
 
 resource "aws_ecs_service" "ecs_service_ignore_definition" {
@@ -156,7 +156,7 @@ resource "aws_ecs_service" "ecs_service_ignore_definition" {
   dynamic "load_balancer" {
     for_each = length(local.aws_ecs_container_port) > 0 ? [1] : []
     content {
-      target_group_arn = aws_alb_target_group.lb_targets[count.index].id
+      target_group_arn = aws_lb_target_group.lb_targets[count.index].id
       container_name   = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"
       container_port   = local.aws_ecs_container_port[count.index]
     }
@@ -166,7 +166,7 @@ resource "aws_ecs_service" "ecs_service_ignore_definition" {
     ignore_changes = [task_definition]
   }
 
-  depends_on = [aws_alb_listener.lb_listener, aws_alb_listener.lb_listener_ssl]
+  depends_on = [aws_lb_listener.lb_listener, aws_lb_listener.lb_listener_ssl]
 }
 
 # Cloudwatch config
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf
@@ -4,7 +4,7 @@ locals {
   aws_ecs_lb_port             = var.aws_ecs_lb_port != "" ?  [for n in split(",", var.aws_ecs_lb_port) : tonumber(n)] : local.aws_ecs_container_port
   aws_ecs_sg_lb_port          = distinct(local.aws_ecs_lb_port)
   aws_ecs_lb_container_path          = var.aws_ecs_lb_container_path != "" ? [for n in split(",", var.aws_ecs_lb_container_path) : n ] : []
-  aws_ecs_lb_container_path_redirect = length(aws_alb_listener.https_redirect) > 0 || length(aws_alb_listener.http_redirect) > 0 ? local.aws_ecs_lb_container_path : []
+  aws_ecs_lb_container_path_redirect = length(aws_lb_listener.https_redirect) > 0 || length(aws_lb_listener.http_redirect) > 0 ? local.aws_ecs_lb_container_path : []
 }
 
 # Network part
@@ -35,7 +35,7 @@ resource "aws_security_group_rule" "incoming_alb" {
 
 ### ALB --- Make this optional -- Using ALB name intentionally. (To make clear is an A LB)
 
-resource "aws_alb" "ecs_lb" {
+resource "aws_lb" "ecs_lb" {
   count           = length(local.aws_ecs_sg_container_port) > 0 ? 1 : 0
   name            = var.aws_resource_identifier_supershort
   subnets         = var.aws_selected_subnets
@@ -46,13 +46,13 @@ resource "aws_alb" "ecs_lb" {
   }
 }
 
-data "aws_alb" "selected_lb" {
+data "aws_lb" "selected_lb" {
   count      = length(local.aws_ecs_sg_container_port)
   name       = var.aws_resource_identifier_supershort
-  depends_on = [aws_alb.ecs_lb]
+  depends_on = [aws_lb.ecs_lb]
 }
 
-resource "aws_alb_target_group" "lb_targets" {
+resource "aws_lb_target_group" "lb_targets" {
   count       = length(local.aws_ecs_container_port)
   name        = "${var.aws_resource_identifier_supershort}${count.index}"
   port        = local.aws_ecs_container_port[count.index]
@@ -61,59 +61,59 @@ resource "aws_alb_target_group" "lb_targets" {
   target_type = "ip"
 
   lifecycle { 
-    replace_triggered_by = [aws_security_group.ecs_sg]
+    replace_triggered_by = [aws_security_group.ecs_sg.id]
   }
 }
 
 # Always exists, acts as a safe dependency wrapper
 resource "null_resource" "http_redirect_dep" {
   triggers = {
     id = (
-      length(aws_alb_listener.http_redirect) > 0
-    ) ? aws_alb_listener.http_redirect[0].id : "none"
+      length(aws_lb_listener.http_redirect) > 0
+    ) ? aws_lb_listener.http_redirect[0].id : "none"
   }
 }
 
-resource "aws_alb_listener" "lb_listener_ssl" {
+resource "aws_lb_listener" "lb_listener_ssl" {
   count             = var.aws_certificate_enabled ? length(local.aws_ecs_lb_port) : 0
-  load_balancer_arn = aws_alb.ecs_lb[0].id
+  load_balancer_arn = aws_lb.ecs_lb[0].id
   port              = local.aws_ecs_lb_port[count.index]
   # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
   ssl_policy        = var.aws_ecs_lb_ssl_policy
   protocol          = "HTTPS"
   certificate_arn   = var.aws_certificates_selected_arn
   default_action {
-    target_group_arn = aws_alb_target_group.lb_targets[count.index].id
+    target_group_arn = aws_lb_target_group.lb_targets[count.index].id
     type             = "forward"
   }
   lifecycle {
     replace_triggered_by = [null_resource.http_redirect_dep.id]
   }
-  depends_on = [ aws_alb_listener.http_redirect ]
+  depends_on = [ aws_lb_listener.http_redirect ]
 }
 
-resource "aws_alb_listener" "lb_listener" {
+resource "aws_lb_listener" "lb_listener" {
   count             = var.aws_certificate_enabled ? 0 : length(local.aws_ecs_lb_port)
-  load_balancer_arn = aws_alb.ecs_lb[0].id
+  load_balancer_arn = aws_lb.ecs_lb[0].id
   port              = local.aws_ecs_lb_port[count.index]
   protocol          = "HTTP"
   default_action {
-    target_group_arn = aws_alb_target_group.lb_targets[count.index].id
+    target_group_arn = aws_lb_target_group.lb_targets[count.index].id
     type             = "forward"
   }
   lifecycle {
     replace_triggered_by = [null_resource.http_redirect_dep.id]
   }
-  depends_on = [ aws_alb_listener.http_redirect ]
+  depends_on = [ aws_lb_listener.http_redirect ]
 }
 
-resource "aws_alb_listener_rule" "redirect_based_on_path" {
+resource "aws_lb_listener_rule" "redirect_based_on_path" {
   for_each = { for idx, path in local.aws_ecs_lb_container_path : idx => path if length(path) > 0 }
-  listener_arn = var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].arn : aws_alb_listener.lb_listener[0].arn
+  listener_arn = var.aws_certificate_enabled ? aws_lb_listener.lb_listener_ssl[0].arn : aws_lb_listener.lb_listener[0].arn
 
   action {
     type             = "forward"
-    target_group_arn = aws_alb_target_group.lb_targets[each.key + 1].arn
+    target_group_arn = aws_lb_target_group.lb_targets[each.key + 1].arn
   }
 
   condition {
@@ -123,9 +123,9 @@ resource "aws_alb_listener_rule" "redirect_based_on_path" {
   }
 }
 
-resource "aws_alb_listener" "http_redirect" {
+resource "aws_lb_listener" "http_redirect" {
   count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && var.aws_certificate_enabled ? 1 : 0
-  load_balancer_arn = aws_alb.ecs_lb[0].id
+  load_balancer_arn = aws_lb.ecs_lb[0].id
   port              = "80"
   protocol          = "HTTP"
 
@@ -139,29 +139,29 @@ resource "aws_alb_listener" "http_redirect" {
     }
   }
   depends_on = [
-    aws_alb.ecs_lb,
-    aws_alb_target_group.lb_targets
+    aws_lb.ecs_lb,
+    aws_lb_target_group.lb_targets
   ]
 }
 
-resource "aws_alb_listener" "http_forward" {
-  count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && !var.aws_certificate_enabled ? 1 : 0
-  load_balancer_arn = aws_alb.ecs_lb[0].id
+resource "aws_lb_listener" "http_forward" {
+  count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && !var.aws_certificate_enabled && !var.aws_ecs_lb_www_to_apex_redirect ? 1 : 0
+  load_balancer_arn = aws_lb.ecs_lb[0].id
   port              = "80"
   protocol          = "HTTP"
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_alb_target_group.lb_targets[0].id
+    target_group_arn = aws_lb_target_group.lb_targets[0].id
   }
   depends_on = [
-    aws_alb.ecs_lb,
-    aws_alb_target_group.lb_targets
+    aws_lb.ecs_lb,
+    aws_lb_target_group.lb_targets
   ]
 }
 
 resource "aws_security_group_rule" "incoming_alb_http" {
-  count             = length(aws_alb_listener.http_redirect)
+  count             = length(aws_lb_listener.http_redirect) + length(aws_lb_listener.http_forward) + length(aws_lb_listener.http_www_redirect)
   type              = "ingress"
   from_port         = 80
   to_port           = 80
@@ -170,29 +170,33 @@ resource "aws_security_group_rule" "incoming_alb_http" {
   security_group_id = aws_security_group.ecs_lb_sg.id
 }
 
-resource "aws_alb_listener" "https_redirect" {
+resource "aws_lb_listener" "https_redirect" {
   count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,443) && var.aws_certificate_enabled ? 1 : 0
   #count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,443) ? var.aws_certificates_selected_arn != "" ? 1 : 0 : 0
   #count             = var.aws_ecs_lb_redirect_enable && var.aws_certificates_selected_arn != "" && !contains(local.aws_ecs_lb_port,443) ? 1 : 0
-  load_balancer_arn = "${aws_alb.ecs_lb[0].id}"
+  load_balancer_arn = aws_lb.ecs_lb[0].id
   port              = "443"
   protocol          = "HTTPS"
   certificate_arn   = var.aws_certificates_selected_arn
-  ssl_policy        = var.aws_certificates_selected_arn != "" ? "ELBSecurityPolicy-TLS13-1-2-2021-06" : "" # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
+  ssl_policy        = var.aws_certificates_selected_arn != "" ? var.aws_ecs_lb_ssl_policy : "" # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
 
   default_action {
-    target_group_arn = aws_alb_target_group.lb_targets[0].id
+    target_group_arn = aws_lb_target_group.lb_targets[0].id
     type             = "forward"
   }
 }
 
-resource "aws_alb_listener_rule" "redirect_based_on_path_for_http" {
+resource "aws_lb_listener_rule" "redirect_based_on_path_for_http" {
   for_each = { for idx, path in local.aws_ecs_lb_container_path_redirect : idx => path if length(path) > 0 }
-  listener_arn = var.aws_certificates_selected_arn != "" ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirect[0].arn
-
+  #listener_arn = var.aws_certificates_selected_arn != "" ? aws_lb_listener.https_redirect[0].arn : aws_lb_listener.http_redirect[0].arn
+  listener_arn = var.aws_certificate_enabled ? aws_lb_listener.https_redirect[0].arn : (
+    length(aws_lb_listener.http_redirect) > 0 ? aws_lb_listener.http_redirect[0].arn : (
+      length(aws_lb_listener.http_forward) > 0 ? aws_lb_listener.http_forward[0].arn : aws_lb_listener.http_www_redirect[0].arn
+    )
+  )
   action {
     type             = "forward"
-    target_group_arn = aws_alb_target_group.lb_targets[each.key + 1].arn
+    target_group_arn = aws_lb_target_group.lb_targets[each.key + 1].arn
   }
 
   condition {
@@ -202,9 +206,47 @@ resource "aws_alb_listener_rule" "redirect_based_on_path_for_http" {
   }
 }
 
+resource "aws_lb_listener" "http_www_redirect" {
+  count             = var.aws_ecs_lb_redirect_enable && !contains(local.aws_ecs_lb_port,80) && !var.aws_certificate_enabled && var.aws_ecs_lb_www_to_apex_redirect ? 1 : 0
+  load_balancer_arn = aws_lb.ecs_lb[0].id
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "fixed-response"
+    
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Not Found"
+      status_code  = "404"
+    }
+  }
+  depends_on = [
+    aws_lb.ecs_lb,
+    aws_lb_target_group.lb_targets
+  ]
+}
+
+resource "aws_lb_listener_rule" "http_forward_apex" {
+  count        = var.aws_ecs_lb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled ? 1 : 0
+  listener_arn = aws_lb_listener.http_www_redirect[0].arn
+  priority     = 20
+
+  condition {
+    host_header {
+      values = [var.aws_r53_domain_name]
+    }
+  }
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.lb_targets[0].id
+  }
+}
+
 resource "aws_lb_listener_rule" "redirect_www_to_apex" {
   count        = var.aws_ecs_lb_www_to_apex_redirect && var.aws_r53_domain_name != "" ? 1 : 0
-  listener_arn = var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].arn : aws_alb_listener.lb_listener[0].arn
+  listener_arn = var.aws_certificate_enabled ? aws_lb_listener.https_redirect[0].arn : aws_lb_listener.http_www_redirect[0].arn
   priority     = 10
 
   condition {
@@ -220,15 +262,15 @@ resource "aws_lb_listener_rule" "redirect_www_to_apex" {
       port        = var.aws_certificate_enabled ? "443" : "80"
       protocol    = var.aws_certificate_enabled ? "HTTPS" : "HTTP"
       status_code = "HTTP_301"
-      host        = "${var.aws_r53_domain_name}"
+      host        = var.aws_r53_domain_name
       path        = "/#{path}"
       query       = "#{query}"
     }
   }
 }
 
 resource "aws_security_group_rule" "incoming_alb_https" {
-  count             = length(aws_alb_listener.https_redirect)
+  count             = length(aws_lb_listener.https_redirect)
   type              = "ingress"
   from_port         = 443
   to_port           = 443
@@ -264,24 +306,24 @@ resource "aws_security_group_rule" "incoming_ecs_lb_ports" {
 }
 
 output "load_balancer_dns" {
-  value = length(local.aws_ecs_sg_container_port) > 0 ? aws_alb.ecs_lb[0].dns_name : ""
+  value = length(local.aws_ecs_sg_container_port) > 0 ? aws_lb.ecs_lb[0].dns_name : ""
 }
 
 output "load_balancer_port" {
-  value = length(local.aws_ecs_sg_container_port) > 0 ? (var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].port : aws_alb_listener.lb_listener[0].port) : ""
+  value = length(local.aws_ecs_sg_container_port) > 0 ? (var.aws_certificate_enabled ? aws_lb_listener.lb_listener_ssl[0].port : aws_lb_listener.lb_listener[0].port) : ""
 }
 
 output "load_balancer_protocol" {
-  value = length(local.aws_ecs_sg_container_port) > 0 ? (var.aws_certificate_enabled ? aws_alb_listener.lb_listener_ssl[0].protocol : aws_alb_listener.lb_listener[0].protocol) : ""
+  value = length(local.aws_ecs_sg_container_port) > 0 ? (var.aws_certificate_enabled ? aws_lb_listener.lb_listener_ssl[0].protocol : aws_lb_listener.lb_listener[0].protocol) : ""
 }
 
 output "load_balancer_zone_id" {
-  #value = aws_alb.ecs_lb[0].zone_id
-  value = length(local.aws_ecs_sg_container_port) > 0 ? data.aws_alb.selected_lb[0].zone_id : ""
+  #value = aws_lb.ecs_lb[0].zone_id
+  value = length(local.aws_ecs_sg_container_port) > 0 ? data.aws_lb.selected_lb[0].zone_id : ""
 }
 
 output "load_balancer_arn" {
-  value = length(local.aws_ecs_sg_container_port) > 0 ? aws_alb.ecs_lb[0].arn : ""
+  value = length(local.aws_ecs_sg_container_port) > 0 ? aws_lb.ecs_lb[0].arn : ""
 }
 
 output "ecs_sg_id" {

Original file line number	Diff line number	Diff line change
`@@ -129,13 +129,13 @@ resource "aws_ecs_service" "ecs_service" {`
`129`	`129`	`dynamic "load_balancer" {`
`130`	`130`	`for_each = length(local.aws_ecs_container_port) > 0 ? [1] : []`
`131`	`131`	`content {`
`132`		`- target_group_arn = aws_alb_target_group.lb_targets[count.index].id`
	`132`	`+ target_group_arn = aws_lb_target_group.lb_targets[count.index].id`
`133`	`133`	`container_name = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"`
`134`	`134`	`container_port = local.aws_ecs_container_port[count.index]`
`135`	`135`	`}`
`136`	`136`	`}`
`137`	`137`
`138`		`- depends_on = [aws_alb_listener.lb_listener, aws_alb_listener.lb_listener_ssl]`
	`138`	`+ depends_on = [aws_lb_listener.lb_listener, aws_lb_listener.lb_listener_ssl]`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`resource "aws_ecs_service" "ecs_service_ignore_definition" {`
`@@ -156,7 +156,7 @@ resource "aws_ecs_service" "ecs_service_ignore_definition" {`
`156`	`156`	`dynamic "load_balancer" {`
`157`	`157`	`for_each = length(local.aws_ecs_container_port) > 0 ? [1] : []`
`158`	`158`	`content {`
`159`		`- target_group_arn = aws_alb_target_group.lb_targets[count.index].id`
	`159`	`+ target_group_arn = aws_lb_target_group.lb_targets[count.index].id`
`160`	`160`	`container_name = var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}"`
`161`	`161`	`container_port = local.aws_ecs_container_port[count.index]`
`162`	`162`	`}`
`@@ -166,7 +166,7 @@ resource "aws_ecs_service" "ecs_service_ignore_definition" {`
`166`	`166`	`ignore_changes = [task_definition]`
`167`	`167`	`}`
`168`	`168`
`169`		`- depends_on = [aws_alb_listener.lb_listener, aws_alb_listener.lb_listener_ssl]`
	`169`	`+ depends_on = [aws_lb_listener.lb_listener, aws_lb_listener.lb_listener_ssl]`
`170`	`170`	`}`
`171`	`171`
`172`	`172`	`# Cloudwatch config`