Adding features to ALB

Author: LeoDiazL

action.yaml

@@ -299,6 +299,12 @@ inputs:
   aws_alb_listen_protocol:
     description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)"
     required: false
+  aws_alb_redirect_enable:
+    description: "Enable HTTP to HTTPS redirection on ALB"
+    required: false
+  aws_alb_www_to_apex_redirect:
+    description: 'Enable www to apex domain redirection on ALB'
+    required: false
   aws_alb_healthcheck_path:
     description: "Health check path for ALB target group"
     required: false
@@ -1355,6 +1361,8 @@ runs:
         AWS_ALB_APP_PROTOCOL: ${{ inputs.aws_alb_app_protocol }}
         AWS_ALB_LISTEN_PORT: ${{ inputs.aws_alb_listen_port }}
         AWS_ALB_LISTEN_PROTOCOL: ${{ inputs.aws_alb_listen_protocol }}
+        AWS_ALB_REDIRECT_ENABLE: ${{ inputs.aws_alb_redirect_enable }}
+        AWS_ALB_WWW_TO_APEX_REDIRECT: ${{ inputs.aws_alb_www_to_apex_redirect }}
         AWS_ALB_HEALTHCHECK_PATH: ${{ inputs.aws_alb_healthcheck_path }}
         AWS_ALB_HEALTHCHECK_PROTOCOL: ${{ inputs.aws_alb_healthcheck_protocol }}
         AWS_ALB_SSL_POLICY: ${{ inputs.aws_alb_ssl_policy }}

operations/_scripts/generate/generate_vars_terraform.sh

@@ -140,6 +140,8 @@ if [[ $(alpha_only "$AWS_ALB_CREATE") == true ]]; then
   aws_alb_app_protocol=$(generate_var aws_alb_app_protocol $AWS_ALB_APP_PROTOCOL)
   aws_alb_listen_port=$(generate_var aws_alb_listen_port $AWS_ALB_LISTEN_PORT)
   aws_alb_listen_protocol=$(generate_var aws_alb_listen_protocol $AWS_ALB_LISTEN_PROTOCOL)
+  aws_alb_redirect_enable=$(generate_var aws_alb_redirect_enable $AWS_ALB_REDIRECT_ENABLE)
+  aws_alb_www_to_apex_redirect=$(generate_var aws_alb_www_to_apex_redirect $AWS_ALB_WWW_TO_APEX_REDIRECT)
   aws_alb_healthcheck_path=$(generate_var aws_alb_healthcheck_path $AWS_ALB_HEALTHCHECK_PATH)
   aws_alb_healthcheck_protocol=$(generate_var aws_alb_healthcheck_protocol $AWS_ALB_HEALTHCHECK_PROTOCOL)
   aws_alb_ssl_policy=$(generate_var aws_alb_ssl_policy $AWS_ALB_SSL_POLICY)
@@ -533,6 +535,8 @@ $aws_alb_app_port
 $aws_alb_app_protocol
 $aws_alb_listen_port
 $aws_alb_listen_protocol
+$aws_alb_redirect_enable
+$aws_alb_www_to_apex_redirect
 $aws_alb_healthcheck_path
 $aws_alb_healthcheck_protocol
 $aws_alb_ssl_policy

operations/deployment/terraform/aws/aws_variables.tf

@@ -364,6 +364,18 @@ variable "aws_alb_listen_protocol" {
   default     = ""
 }
 
+variable "aws_alb_redirect_enable" {
+  type        = bool
+  description = "Enable HTTP to HTTPS redirection on ALB"
+  default     = false
+}
+
+variable "aws_alb_www_to_apex_redirect" {
+  type        = bool
+  description = "Enable www to apex domain redirection on ALB"
+  default     = false
+}
+
 # Healthcheck
 variable "aws_alb_healthcheck_path" {
   type        = string
@@ -382,6 +394,7 @@ variable "aws_alb_ssl_policy" {
   description = "SSL policy for HTTPS listeners"
   default     = null
 }
+
 # Logging
 variable "aws_alb_access_log_enabled" {
   type        = bool

operations/deployment/terraform/aws/bitovi_main.tf

@@ -160,6 +160,8 @@ module "aws_lb" {
   aws_alb_app_protocol         = var.aws_alb_app_protocol
   aws_alb_listen_port          = var.aws_alb_listen_port
   aws_alb_listen_protocol      = var.aws_alb_listen_protocol
+  aws_alb_redirect_enable      = var.aws_alb_redirect_enable
+  aws_alb_www_to_apex_redirect = var.aws_alb_www_to_apex_redirect
   aws_alb_healthcheck_path     = var.aws_alb_healthcheck_path
   aws_alb_healthcheck_protocol = var.aws_alb_healthcheck_protocol
   aws_alb_ssl_policy           = var.aws_alb_ssl_policy
@@ -172,6 +174,7 @@ module "aws_lb" {
   aws_vpc_subnet_selected = module.vpc.aws_selected_vpc_subnets #module.vpc.aws_vpc_subnet_selected
   aws_instance_server_id  = module.ec2[0].aws_instance_server_id
   aws_alb_target_sg_id    = module.ec2[0].aws_security_group_ec2_sg_id
+  aws_r53_domain_name     = var.aws_r53_domain_name
   # Certs
   aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
   # Others

operations/deployment/terraform/modules/aws/lb/aws_lb.tf

@@ -61,7 +61,7 @@ resource "aws_lb" "vm_alb" {
 # Target groups for ALB
 resource "aws_lb_target_group" "vm_alb_tg" {
   count    = local.alb_ports_ammount
-  name     = "${var.aws_resource_identifier_supershort}-${count.index}"
+  name     = "${var.aws_resource_identifier_supershort}${count.index}"
   port     = local.alb_app_port[count.index]
   protocol = local.alb_app_protocol[count.index]
   vpc_id   = var.aws_vpc_selected_id
@@ -75,14 +75,27 @@ resource "aws_lb_target_group" "vm_alb_tg" {
     interval            = 30
   }
 
+  lifecycle {
+    replace_triggered_by = [aws_security_group.alb_security_group.id]
+  }
+
   tags = {
     Name = "${var.aws_resource_identifier_supershort}-${count.index}-${local.alb_app_port[count.index]}"
   }
 }
 
+# Always exists, acts as a safe dependency wrapper
+resource "null_resource" "http_redirect_dep" {
+  triggers = {
+    id = (
+      length(aws_alb_listener.http_redirect) > 0
+    ) ? aws_alb_listener.http_redirect[0].id : "none"
+  }
+}
+
 # Listeners for ALB
-resource "aws_lb_listener" "vm_alb_listener" {
-  count             = local.alb_ports_ammount
+resource "aws_alb_listener" "lb_listener_ssl" {
+  count             = local.alb_ssl_available ? length(local.alb_ports_ammount) : 0
   load_balancer_arn = aws_lb.vm_alb.arn
   port              = local.alb_listen_port[count.index]
   protocol          = local.alb_listen_protocol[count.index]
@@ -92,8 +105,162 @@ resource "aws_lb_listener" "vm_alb_listener" {
     target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn
   }
   # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
-  ssl_policy      = var.aws_certificates_selected_arn != "" ? var.aws_alb_ssl_policy : null
-  certificate_arn = var.aws_certificates_selected_arn != "" ? var.aws_certificates_selected_arn : null
+  ssl_policy      = var.aws_alb_ssl_policy
+  certificate_arn = var.aws_certificates_selected_arn
+  lifecycle {
+    replace_triggered_by = [null_resource.http_redirect_dep.id]
+  }
+  depends_on = [aws_alb_listener.http_redirect]
+}
+
+resource "aws_alb_listener" "lb_listener" {
+  count             = local.alb_ssl_available ? 0 : length(local.alb_ports_ammount)
+  load_balancer_arn = aws_lb.vm_alb.arn
+  port              = local.alb_listen_port[count.index]
+  protocol          = local.alb_listen_protocol[count.index]
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn
+  }
+  lifecycle {
+    replace_triggered_by = [null_resource.http_redirect_dep.id]
+  }
+  depends_on = [aws_alb_listener.http_redirect]
+}
+
+resource "aws_alb_listener" "http_redirect" {
+  count             = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && local.alb_ssl_available ? 1 : 0
+  load_balancer_arn = aws_lb.vm_alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+  depends_on = [
+    aws_lb.vm_alb,
+    aws_lb_target_group.vm_alb_tg
+  ]
+}
+
+resource "aws_alb_listener" "http_forward" {
+  count             = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && !local.alb_ssl_available && !var.aws_alb_www_to_apex_redirect ? 1 : 0
+  load_balancer_arn = aws_lb.vm_alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn
+  }
+  depends_on = [
+    aws_lb.vm_alb,
+    aws_lb_target_group.vm_alb_tg
+  ]
+}
+
+resource "aws_alb_listener" "http_www_redirect" {
+  count             = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && !local.alb_ssl_available && var.aws_alb_www_to_apex_redirect ? 1 : 0
+  load_balancer_arn = aws_lb.vm_alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Not Found"
+      status_code  = "404"
+    }
+  }
+  depends_on = [
+    aws_lb.vm_alb,
+    aws_lb_target_group.vm_alb_tg
+  ]
+}
+
+resource "aws_lb_listener_rule" "http_forward_apex" {
+  count        = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !local.alb_ssl_available && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0
+  listener_arn = aws_alb_listener.http_www_redirect[0].arn
+  priority     = 20
+
+  condition {
+    host_header {
+      values = [var.aws_r53_domain_name]
+    }
+  }
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.lb_targets[0].id
+  }
+}
+
+resource "aws_lb_listener_rule" "redirect_www_to_apex" {
+  count        = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (local.alb_ssl_available ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0
+  listener_arn = local.alb_ssl_available ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_www_redirect[0].arn
+  priority     = 10
+
+  condition {
+    host_header {
+      values = ["www.${var.aws_r53_domain_name}"]
+    }
+  }
+
+  action {
+    type = "redirect"
+
+    redirect {
+      port        = local.alb_ssl_available ? "443" : "80"
+      protocol    = local.alb_ssl_available ? "HTTPS" : "HTTP"
+      status_code = "HTTP_301"
+      host        = var.aws_r53_domain_name
+      path        = "/#{path}"
+      query       = "#{query}"
+    }
+  }
+}
+
+resource "aws_security_group_rule" "incoming_alb_http" {
+  count             = length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect)
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.alb_security_group.id
+}
+
+resource "aws_security_group_rule" "incoming_alb_https" {
+  count             = length(aws_alb_listener.https_redirect)
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.alb_security_group.id
+}
+###
+
+resource "aws_alb_listener" "https_redirect" {
+  count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) && local.alb_ssl_available ? 1 : 0
+  load_balancer_arn = aws_lb.vm_alb.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  certificate_arn   = var.aws_certificates_selected_arn
+  ssl_policy        = var.aws_certificates_selected_arn != "" ? var.aws_alb_ssl_policy : "" # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
+
+  default_action {
+    target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn
+    type             = "forward"
+  }
 }
 
 # Attach EC2 instance(s) to target group(s)
@@ -174,8 +341,6 @@ locals {
     length(local.alb_listen_protocol),
     length(local.alb_app_protocol)
   )
-
-  # Optionally, you can pad arrays if needed, but min() is safest for count
 }
 
 # Outputs

operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf

@@ -4,10 +4,11 @@ variable "aws_alb_app_port" {}
 variable "aws_alb_app_protocol" {}
 variable "aws_alb_listen_port" {}
 variable "aws_alb_listen_protocol" {}
+variable "aws_alb_redirect_enable" {}
+variable "aws_alb_www_to_apex_redirect" {}
 variable "aws_alb_healthcheck_path" {}
 variable "aws_alb_healthcheck_protocol" {}
 variable "aws_alb_ssl_policy" {}
-
 # Logging
 variable "aws_alb_access_log_enabled" {}
 variable "aws_alb_access_log_bucket_name" {}
@@ -19,6 +20,6 @@ variable "aws_vpc_subnet_selected" {}
 variable "aws_instance_server_id" {}
 variable "aws_certificates_selected_arn" {}
 variable "aws_alb_target_sg_id" {}
-
+variable "aws_r53_domain_name" {}
 variable "aws_resource_identifier" {}
 variable "aws_resource_identifier_supershort" {}