From 451ee714c5f9f76b19b10a26d6cfb4d13b88a5b3 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 2 Dec 2025 11:23:38 -0300 Subject: [PATCH 01/76] add-alb-and-waf-to-ec2 --- action.yaml | 52 +++++ .../generate/generate_vars_terraform.sh | 30 +++ .../deployment/terraform/aws/aws_variables.tf | 74 ++++++- .../deployment/terraform/aws/bitovi_main.tf | 64 ++++++ .../terraform/modules/aws/lb/aws_lb.tf | 186 ++++++++++++++++++ .../modules/aws/lb/aws_lb_providers.tf | 8 + .../terraform/modules/aws/lb/aws_lb_vars.tf | 24 +++ 7 files changed, 437 insertions(+), 1 deletion(-) create mode 100644 operations/deployment/terraform/modules/aws/lb/aws_lb.tf create mode 100644 operations/deployment/terraform/modules/aws/lb/aws_lb_providers.tf create mode 100644 operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf diff --git a/action.yaml b/action.yaml index 7caf8b74d..b564328e1 100644 --- a/action.yaml +++ b/action.yaml 
@@ -280,6 +280,44 @@ inputs: description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' required: false + # AWS ALB + aws_alb_create: + description: "Global toggle for ALB creation" + required: false + aws_alb_security_group_name: + description: "Name of the security group to use for ALB" + required: false + aws_alb_app_port: + description: "Comma-separated list of application ports for ALB target group" + required: false + aws_alb_app_protocol: + description: "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)" + required: false + aws_alb_listen_port: + description: "Comma-separated list of listener ports for ALB" + required: false + aws_alb_listen_protocol: + description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)" + required: false + aws_alb_healthcheck_path: + description: "Health check path for ALB target group" + required: false + aws_alb_healthcheck_protocol: + description: "Health check protocol for ALB target group" + required: false + aws_alb_ssl_policy: + description: "SSL policy for HTTPS listeners" + required: false + aws_alb_access_log_enabled: + description: "Enable ALB access logs" + required: false + aws_alb_access_log_bucket_name: + description: "S3 bucket name to store the ALB access logs" + required: false + aws_alb_access_log_expire: + description: "Delete the access logs after this amount of days" + required: false + # AWS WAF aws_waf_enable: description: 'Enable WAF for load balancer.' 
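Review bot: The descriptions of `aws_alb_app_port`, `aws_alb_app_protocol`, `aws_alb_listen_port` and `aws_alb_listen_protocol` do not say that the four comma-separated lists are paired by position, so a user cannot tell that the second listener port forwards to the second application port or that the lists are expected to have the same length. I would extend each of the four descriptions with `(paired by position with the other aws_alb_*_port/protocol lists; all lists should have the same length)`. The `aws_alb_ssl_policy` description should also say what happens when it is left empty: in the module added by this commit the HTTPS listener is then created with no explicit policy and AWS applies its own default. The same descriptions are duplicated in `aws_variables.tf` and should be kept in sync.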
@@ -1307,6 +1345,20 @@ runs: AWS_ELB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_elb_access_log_expire }} AWS_ELB_ADDITIONAL_TAGS: ${{ inputs.aws_elb_additional_tags }} + # AWS ALB + AWS_ALB_CREATE: ${{ inputs.aws_alb_create }} + AWS_ALB_SECURITY_GROUP_NAME: ${{ inputs.aws_alb_security_group_name }} + AWS_ALB_APP_PORT: ${{ inputs.aws_alb_app_port }} + AWS_ALB_APP_PROTOCOL: ${{ inputs.aws_alb_app_protocol }} + AWS_ALB_LISTEN_PORT: ${{ inputs.aws_alb_listen_port }} + AWS_ALB_LISTEN_PROTOCOL: ${{ inputs.aws_alb_listen_protocol }} + AWS_ALB_HEALTHCHECK_PATH: ${{ inputs.aws_alb_healthcheck_path }} + AWS_ALB_HEALTHCHECK_PROTOCOL: ${{ inputs.aws_alb_healthcheck_protocol }} + AWS_ALB_SSL_POLICY: ${{ inputs.aws_alb_ssl_policy }} + AWS_ALB_ACCESS_LOG_ENABLED: ${{ inputs.aws_alb_access_log_enabled }} + AWS_ALB_ACCESS_LOG_BUCKET_NAME: ${{ inputs.aws_alb_access_log_bucket_name }} + AWS_ALB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_alb_access_log_expire }} + # AWS WAF AWS_WAF_ENABLE: ${{ inputs.aws_waf_enable }} AWS_WAF_LOGGING_ENABLE: ${{ inputs.aws_waf_logging_enable }} diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index f36fd40e2..7c8f736a5 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh 
@@ -132,6 +132,22 @@ if [[ $(alpha_only "$AWS_ELB_CREATE") == true ]]; then aws_elb_additional_tags=$(generate_var aws_elb_additional_tags $AWS_ELB_ADDITIONAL_TAGS) fi +#-- AWS ALB --# +if [[ $(alpha_only "$AWS_ALB_CREATE") == true ]]; then + aws_alb_create=$(generate_var aws_alb_create $AWS_ALB_CREATE) + aws_alb_security_group_name=$(generate_var aws_alb_security_group_name $AWS_ALB_SECURITY_GROUP_NAME) + aws_alb_app_port=$(generate_var aws_alb_app_port $AWS_ALB_APP_PORT) + aws_alb_app_protocol=$(generate_var aws_alb_app_protocol $AWS_ALB_APP_PROTOCOL) + aws_alb_listen_port=$(generate_var aws_alb_listen_port $AWS_ALB_LISTEN_PORT) + aws_alb_listen_protocol=$(generate_var aws_alb_listen_protocol $AWS_ALB_LISTEN_PROTOCOL) + aws_alb_healthcheck_path=$(generate_var aws_alb_healthcheck_path $AWS_ALB_HEALTHCHECK_PATH) + aws_alb_healthcheck_protocol=$(generate_var aws_alb_healthcheck_protocol $AWS_ALB_HEALTHCHECK_PROTOCOL) + aws_alb_ssl_policy=$(generate_var aws_alb_ssl_policy $AWS_ALB_SSL_POLICY) + aws_alb_access_log_enabled=$(generate_var aws_alb_access_log_enabled $AWS_ALB_ACCESS_LOG_ENABLED) + aws_alb_access_log_bucket_name=$(generate_var aws_alb_access_log_bucket_name $AWS_ALB_ACCESS_LOG_BUCKET_NAME) + aws_alb_access_log_expire=$(generate_var aws_alb_access_log_expire $AWS_ALB_ACCESS_LOG_EXPIRE) +fi + #-- AWS WAF --# if [[ $(alpha_only "$AWS_WAF_ENABLE") == true ]]; then aws_waf_enable=$(generate_var aws_waf_enable $AWS_WAF_ENABLE) @@ -509,6 +525,20 @@ $aws_elb_access_log_expire $aws_elb_access_log_bucket_name $aws_elb_additional_tags +#-- ALB --# +$aws_alb_create +$aws_alb_security_group_name +$aws_alb_app_port +$aws_alb_app_protocol +$aws_alb_listen_port +$aws_alb_listen_protocol +$aws_alb_healthcheck_path +$aws_alb_healthcheck_protocol +$aws_alb_ssl_policy +$aws_alb_access_log_enabled +$aws_alb_access_log_bucket_name +$aws_alb_access_log_expire + #-- WAF --# $aws_waf_enable $aws_waf_logging_enable 
diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf
index 21a0a0793..191c98191 100644
--- a/operations/deployment/terraform/aws/aws_variables.tf
+++ b/operations/deployment/terraform/aws/aws_variables.tf
@@ -327,7 +327,79 @@ variable "aws_elb_additional_tags" { default = "{}" } -# AWS LB +# AWS ALB +variable "aws_alb_create" { + type = bool + description = "Global toggle for ALB creation" + default = false +} + +variable "aws_alb_security_group_name" { + type = string + description = "Name of the security group to use for ALB" + default = "" +} + +variable "aws_alb_app_port" { + type = string + description = "Comma-separated list of application ports for ALB target group" + default = "" +} + +variable "aws_alb_app_protocol" { + type = string + description = "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)" + default = "" +} + +variable "aws_alb_listen_port" { + type = string + description = "Comma-separated list of listener ports for ALB" + default = "" +} + +variable "aws_alb_listen_protocol" { + type = string + description = "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)" + default = "" +} + +# Healthcheck +variable "aws_alb_healthcheck_path" { + type = string + description = "Health check path for ALB target group" + default = "/" +} + +variable "aws_alb_healthcheck_protocol" { + type = string + description = "Health check protocol for ALB target group" + default = "HTTP" +} + +variable "aws_alb_ssl_policy" { + type = string + description = "SSL policy for HTTPS listeners" + default = null +} +# Logging +variable "aws_alb_access_log_enabled" { + type = bool + description = "Enable ALB access logs" + default = false +} + +variable "aws_alb_access_log_bucket_name" { + type = string + description = "S3 bucket name to store the ALB access logs" + default = "" +} + +variable "aws_alb_access_log_expire" { + type = string + description = "Delete the access logs after this amount of days" + default = "90" +} # AWS WAF variable "aws_waf_enable" { diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 628705b05..2458ac7d2 100644 
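Review bot: `aws_alb_ssl_policy` defaults to `null`, and in this commit's `aws_lb_listener` that becomes an HTTPS listener with no explicit policy, so the TLS floor is whatever AWS currently applies by default rather than something the repository pins; I would ship a documented default such as `default = "ELBSecurityPolicy-TLS13-1-2-2021-06"` (an AWS-managed policy that rejects TLS 1.0/1.1) and let users override it. `aws_alb_access_log_bucket_name` is described as a bucket "to store" the logs, but the module in this commit creates that bucket with `force_destroy = true`, so the description should state that the bucket is created and destroyed by the action and must be a globally unique name. With the empty default and `aws_alb_access_log_enabled = true` the `aws_s3_bucket` resource receives `bucket = ""`; a check that the name is non-empty whenever logging is enabled would fail earlier and with a clearer message than the provider error.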
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -130,6 +130,70 @@ module "aws_elb" { } } +module "aws_lb" { + source = "../modules/aws/lb" + count = var.aws_ec2_instance_create && var.aws_alb_create ? 1 : 0 + # ALB Values + aws_alb_security_group_name = var.aws_alb_security_group_name + aws_alb_app_port = var.aws_alb_app_port + aws_alb_app_protocol = var.aws_alb_app_protocol + aws_alb_listen_port = var.aws_alb_listen_port + aws_alb_listen_protocol = var.aws_alb_listen_protocol + aws_alb_healthcheck_path = var.aws_alb_healthcheck_path + aws_alb_healthcheck_protocol = var.aws_alb_healthcheck_protocol + aws_alb_ssl_policy = var.aws_alb_ssl_policy + # Logging + aws_alb_access_log_enabled = var.aws_alb_access_log_enabled + aws_alb_access_log_bucket_name = var.aws_alb_access_log_bucket_name + aws_alb_access_log_expire = var.aws_alb_access_log_expire + # EC2 + aws_vpc_selected_id = module.vpc.aws_selected_vpc_id + aws_vpc_subnet_selected = module.vpc.aws_vpc_subnet_selected + aws_instance_server_id = module.ec2[0].aws_instance_server_id + aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id + # Certs + aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + # Others + aws_resource_identifier = var.aws_resource_identifier + aws_resource_identifier_supershort = var.aws_resource_identifier_supershort + # Module dependencies + depends_on = [module.vpc, module.ec2] + + providers = { + aws = aws.lb + } +} + +module "aws_waf_ec2_alb" { + source = "../modules/aws/waf" + count = var.aws_waf_enable && var.aws_ec2_instance_create && var.aws_alb_create ? 
1 : 0 + aws_waf_enable = var.aws_waf_enable + aws_waf_logging_enable = var.aws_waf_logging_enable + aws_waf_log_retention_days = var.aws_waf_log_retention_days + aws_resource_identifier = var.aws_resource_identifier + # Rules + aws_waf_rule_rate_limit = var.aws_waf_rule_rate_limit + aws_waf_rule_managed_rules = var.aws_waf_rule_managed_rules + aws_waf_rule_managed_bad_inputs = var.aws_waf_rule_managed_bad_inputs + aws_waf_rule_ip_reputation = var.aws_waf_rule_ip_reputation + aws_waf_rule_anonymous_ip = var.aws_waf_rule_anonymous_ip + aws_waf_rule_bot_control = var.aws_waf_rule_bot_control + aws_waf_rule_geo_block_countries = var.aws_waf_rule_geo_block_countries + aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries + aws_waf_rule_user_arn = var.aws_waf_rule_user_arn + aws_waf_rule_sqli = var.aws_waf_rule_sqli + aws_waf_rule_linux = var.aws_waf_rule_linux + aws_waf_rule_unix = var.aws_waf_rule_unix + aws_waf_rule_admin_protection = var.aws_waf_rule_admin_protection + # Incoming + aws_lb_resource_arn = module.aws_lb[0].aws_lb_resource_arn + # Others + depends_on = [module.aws_lb] + providers = { + aws = aws.waf + } +} + module "efs" { source = "../modules/aws/efs" count = var.aws_efs_enable ? 1 : 0 diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf new file mode 100644 index 000000000..3251236f7 --- /dev/null +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
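Review bot: `aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id` hands the instance's security group to the module, and the module's `incoming_alb` rule in this commit then allows every port and protocol (`from_port = 0`, `to_port = 0`, `protocol = -1`) from the ALB security group into it, which is wider than the `aws_alb_app_port` values the target groups actually forward to. Either the module should create one `tcp` rule per `local.alb_app_port` entry, or this argument should carry a comment such as `# NOTE: the lb module opens all traffic from the ALB SG into this SG` so the exposure is a deliberate choice. The `aws_waf_ec2_alb` count also silently evaluates to zero when `aws_waf_enable` is true but `aws_alb_create` is false; a comment on the `count` line — `# WAF only attaches to the ALB; the classic ELB path is not a WAF-supported resource` — would stop a user from expecting WAF on an ELB deployment.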
@@ -0,0 +1,186 @@ +# Security group for ALB +resource "aws_security_group" "alb_security_group" { + name = var.aws_alb_security_group_name != "" ? var.aws_alb_security_group_name : "SG for ${var.aws_resource_identifier} - ALB" + description = "SG for ${var.aws_resource_identifier} - ALB" + vpc_id = var.aws_vpc_selected_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = "${var.aws_resource_identifier}-alb-sg" + } +} + +# Allow all from ALB to target SG +resource "aws_security_group_rule" "incoming_alb" { + type = "ingress" + from_port = 0 + to_port = 0 + protocol = -1 + source_security_group_id = aws_security_group.alb_security_group.id + security_group_id = var.aws_alb_target_sg_id +} + +# Allow incoming connections to the ALB +resource "aws_security_group_rule" "incoming_alb_ports" { + count = local.alb_ports_ammount + type = "ingress" + from_port = local.alb_listen_port[count.index] + to_port = local.alb_listen_port[count.index] + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.alb_security_group.id +} + +# ALB resource (conditionally enable access logs) +resource "aws_lb" "vm_alb" { + name = var.aws_resource_identifier_supershort + internal = false + load_balancer_type = "application" + security_groups = [aws_security_group.alb_security_group.id] + subnets = [var.aws_vpc_subnet_selected] + + dynamic "access_logs" { + for_each = var.aws_alb_access_log_enabled ? 
[1] : [] + content { + bucket = aws_s3_bucket.alb_access_logs[0].id + enabled = true + } + } + + idle_timeout = 400 + + tags = { + Name = "${var.aws_resource_identifier_supershort}-alb" + } +} + +# Target groups for ALB +resource "aws_lb_target_group" "vm_alb_tg" { + count = local.alb_ports_ammount + name = "${var.aws_resource_identifier_supershort}-tg-${local.alb_app_port[count.index]}" + port = local.alb_app_port[count.index] + protocol = local.alb_app_protocol[count.index] + vpc_id = var.aws_vpc_selected_id + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 3 + path = var.aws_alb_healthcheck_path + protocol = var.aws_alb_healthcheck_protocol + interval = 30 + } + + tags = { + Name = "${var.aws_resource_identifier_supershort}-tg-${local.alb_app_port[count.index]}" + } +} + +# Listeners for ALB +resource "aws_lb_listener" "vm_alb_listener" { + count = local.alb_ports_ammount + load_balancer_arn = aws_lb.vm_alb.arn + port = local.alb_listen_port[count.index] + protocol = local.alb_listen_protocol[count.index] + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn + } + # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html + ssl_policy = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_alb_ssl_policy : null + certificate_arn = local.alb_listen_protocol[count.index] == "HTTPS" ? 
var.aws_certificates_selected_arn : null +} + +# Attach EC2 instance(s) to target group(s) +resource "aws_lb_target_group_attachment" "vm_alb_attachment" { + count = local.alb_ports_ammount + target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn + target_id = var.aws_instance_server_id + port = local.alb_app_port[count.index] +} + +# Outputs +output "aws_alb_dns_name" { + value = aws_lb.vm_alb.dns_name +} +output "aws_alb_zone_id" { + value = aws_lb.vm_alb.zone_id +} + +# S3 bucket for ALB access logs (created only if logging is enabled) +resource "aws_s3_bucket" "alb_access_logs" { + count = var.aws_alb_access_log_enabled ? 1 : 0 + bucket = var.aws_alb_access_log_bucket_name + force_destroy = true + tags = { + Name = var.aws_alb_access_log_bucket_name + } +} + +resource "aws_s3_bucket_lifecycle_configuration" "alb_access_logs_lifecycle" { + count = var.aws_alb_access_log_enabled && tonumber(var.aws_alb_access_log_expire) > 0 ? 1 : 0 + bucket = aws_s3_bucket.alb_access_logs[0].id + rule { + id = "ExpirationRule" + status = "Enabled" + filter { + prefix = "" + } + expiration { + days = tonumber(var.aws_alb_access_log_expire) + } + } +} + +data "aws_elb_service_account" "main" { + count = var.aws_alb_access_log_enabled ? 1 : 0 +} + +resource "aws_s3_bucket_policy" "allow_access_from_another_account" { + count = var.aws_alb_access_log_enabled ? 1 : 0 + bucket = aws_s3_bucket.alb_access_logs[0].id + policy = < Date: Tue, 2 Dec 2025 11:34:12 -0300 Subject: [PATCH 02/76] Adding missing provider --- operations/_scripts/generate/generate_provider.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/_scripts/generate/generate_provider.sh b/operations/_scripts/generate/generate_provider.sh index 783f2f6ef..0220f142c 100644 --- a/operations/_scripts/generate/generate_provider.sh +++ b/operations/_scripts/generate/generate_provider.sh 
@@ -74,6 +74,6 @@ provider \"kubernetes\" { }" >> "${GITHUB_ACTION_PATH}/operations/deployment/terraform/$1/bitovi_provider.tf" } -generate_provider_aws aws ec2,r53,elb,efs,vpc,rds,aurora,ecs,db_proxy,redis,eks,ecr,waf +generate_provider_aws aws ec2,r53,elb,efs,vpc,rds,aurora,ecs,db_proxy,redis,eks,ecr,waf,lb echo "Done with generate_provider.sh" \ No newline at end of file From f38b38f71ef10aff8dd1fbe807033bc957cf9f89 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 2 Dec 2025 11:39:15 -0300 Subject: [PATCH 03/76] lb_tags --- action.yaml | 4 ++++ operations/_scripts/generate/generate_vars_terraform.sh | 2 ++ operations/deployment/terraform/aws/aws_variables.tf | 6 ++++++ operations/deployment/terraform/aws/bitovi_main.tf | 1 + 4 files changed, 13 insertions(+) diff --git a/action.yaml b/action.yaml index b564328e1..85f5492a7 100644 --- a/action.yaml +++ b/action.yaml @@ -317,6 +317,9 @@ inputs: aws_alb_access_log_expire: description: "Delete the access logs after this amount of days" required: false + aws_alb_additional_tags: + description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' + required: false # AWS WAF aws_waf_enable: @@ -1358,6 +1361,7 @@ runs: AWS_ALB_ACCESS_LOG_ENABLED: ${{ inputs.aws_alb_access_log_enabled }} AWS_ALB_ACCESS_LOG_BUCKET_NAME: ${{ inputs.aws_alb_access_log_bucket_name }} AWS_ALB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_alb_access_log_expire }} + AWS_ALB_ADDITIONAL_TAGS: ${{ inputs.aws_alb_additional_tags }} # AWS WAF AWS_WAF_ENABLE: ${{ inputs.aws_waf_enable }} diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index 7c8f736a5..a4b1c5bdf 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh 
@@ -146,6 +146,7 @@ if [[ $(alpha_only "$AWS_ALB_CREATE") == true ]]; then aws_alb_access_log_enabled=$(generate_var aws_alb_access_log_enabled $AWS_ALB_ACCESS_LOG_ENABLED) aws_alb_access_log_bucket_name=$(generate_var aws_alb_access_log_bucket_name $AWS_ALB_ACCESS_LOG_BUCKET_NAME) aws_alb_access_log_expire=$(generate_var aws_alb_access_log_expire $AWS_ALB_ACCESS_LOG_EXPIRE) + aws_alb_additional_tags=$(generate_var aws_alb_additional_tags $AWS_ALB_ADDITIONAL_TAGS) fi #-- AWS WAF --# @@ -538,6 +539,7 @@ $aws_alb_ssl_policy $aws_alb_access_log_enabled $aws_alb_access_log_bucket_name $aws_alb_access_log_expire +$aws_alb_additional_tags #-- WAF --# $aws_waf_enable diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 191c98191..591f6a84b 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -401,6 +401,12 @@ variable "aws_alb_access_log_expire" { default = "90" } +variable "aws_alb_additional_tags" { + type = string + description = "A list of strings that will be added to created resources" + default = "{}" +} + # AWS WAF variable "aws_waf_enable" { type = bool diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 2458ac7d2..3a1efae43 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -766,6 +766,7 @@ locals { db_proxy_tags = merge(local.default_tags, jsondecode(var.aws_db_proxy_additional_tags)) redis_tags = merge(local.default_tags, jsondecode(var.aws_redis_additional_tags)) waf_tags = merge(local.default_tags, jsondecode(var.aws_waf_additional_tags)) + lb_tags = merge(local.default_tags, jsondecode(var.aws_alb_additional_tags)) eks_vpc_tags = { // This is needed for k8s to use VPC resources From 06550c242c97ef602d6496b9dc2b3d45b4904e22 Mon Sep 17 00:00:00 2001 
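Review bot: `aws_alb_additional_tags` is described in `aws_variables.tf` as `A list of strings that will be added to created resources`, but the value is a JSON object — the action input says so and `bitovi_main.tf` passes it through `jsondecode()` into `merge()` — so the two descriptions disagree; I would reuse the action.yaml wording: `description = "A JSON object of additional tags that will be included on created resources"`. The new `lb_tags` local is not passed to `module "aws_lb"` anywhere in this commit (the diffstat shows a single added line in `bitovi_main.tf`), so unless the module reads tags through a path not visible here, the input is collected but never applied to the ALB resources.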
From: LeoDiazL Date: Tue, 2 Dec 2025 11:45:30 -0300 Subject: [PATCH 04/76] missing aws_lb_resource_arn output --- .../terraform/modules/aws/lb/aws_lb.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 3251236f7..9f0fa18bb 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -104,13 +104,6 @@ resource "aws_lb_target_group_attachment" "vm_alb_attachment" { port = local.alb_app_port[count.index] } -# Outputs -output "aws_alb_dns_name" { - value = aws_lb.vm_alb.dns_name -} -output "aws_alb_zone_id" { - value = aws_lb.vm_alb.zone_id -} # S3 bucket for ALB access logs (created only if logging is enabled) resource "aws_s3_bucket" "alb_access_logs" { @@ -183,4 +176,15 @@ locals { ) # Optionally, you can pad arrays if needed, but min() is safest for count +} + +# Outputs +output "aws_alb_dns_name" { + value = aws_lb.vm_alb.dns_name +} +output "aws_alb_zone_id" { + value = aws_lb.vm_alb.zone_id +} +output "aws_lb_resource_arn" { + value = aws_lb.vm_alb.arn } \ No newline at end of file From 2033dd3f1f6c7aec71785fb5183eb847331ed6dc Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 2 Dec 2025 12:27:35 -0300 Subject: [PATCH 05/76] Go with all subnets --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 3a1efae43..57a6ee512 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -148,7 +148,7 @@ module "aws_lb" { aws_alb_access_log_expire = var.aws_alb_access_log_expire # EC2 aws_vpc_selected_id = module.vpc.aws_selected_vpc_id - aws_vpc_subnet_selected = module.vpc.aws_vpc_subnet_selected + aws_vpc_subnet_selected = module.vpc.aws_selected_vpc_subnets #module.vpc.aws_vpc_subnet_selected aws_instance_server_id = module.ec2[0].aws_instance_server_id aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id # Certs diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 9f0fa18bb..601b99615 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -41,7 +41,7 @@ resource "aws_lb" "vm_alb" { internal = false load_balancer_type = "application" security_groups = [aws_security_group.alb_security_group.id] - subnets = [var.aws_vpc_subnet_selected] + subnets = var.aws_vpc_subnet_selected dynamic "access_logs" { for_each = var.aws_alb_access_log_enabled ? [1] : [] From 5f15512cd99dc6a9d7fc2f341303fe28c9857c03 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Thu, 4 Dec 2025 10:24:30 -0300 Subject: [PATCH 06/76] Temp remove lb dependency --- operations/deployment/terraform/aws/bitovi_main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 57a6ee512..80136cdaa 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -123,7 +123,7 @@ module "aws_elb" { aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - depends_on = [module.vpc, module.ec2] + #depends_on = [module.vpc, module.ec2] providers = { aws = aws.elb 
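Review bot: `subnets = var.aws_vpc_subnet_selected` now expects a list, but the diffstat lists only `bitovi_main.tf` and `aws_lb.tf`, so `aws_lb_vars.tf` still declares the variable with whatever type the first commit gave it; if that was `string` the plan fails on type conversion, and if it was untyped the change works only by accident. The declaration should read `type = list(string)`, and a comment on the `subnets` line — `# an ALB needs at least two subnets in different AZs` — records why the single-subnet form was dropped. In the `bitovi_main.tf` hunk of this commit the trailing `#module.vpc.aws_vpc_subnet_selected` fragment is dead text and should be deleted rather than kept as a comment.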
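Review bot: Commenting out `depends_on = [module.vpc, module.ec2]` here, and again in the `module "aws_lb"` hunk of the same commit, leaves commented-out code with no explanation while the commit message calls the removal temporary. If the explicit dependency is redundant because both modules already consume `module.vpc` and `module.ec2[0]` outputs, delete the line and say so: `# implicit dependency through module.vpc / module.ec2[0] outputs`. If it was removed to work around a plan-time problem, leave `# TODO(<issue placeholder>): restore depends_on once ... is fixed` so the reason is not lost.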
@@ -157,7 +157,7 @@ module "aws_lb" { aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - depends_on = [module.vpc, module.ec2] + #depends_on = [module.vpc, module.ec2] providers = { aws = aws.lb From 40d88839d894dcadff8cea7dc38a9581410c5fce Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 8 Dec 2025 11:34:53 -0300 Subject: [PATCH 07/76] ALB overtakes ELB R53 - Fix no LB DNS --- .../deployment/terraform/aws/bitovi_main.tf | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 80136cdaa..b7259be45 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -87,8 +87,8 @@ module "aws_route53" { aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy aws_r53_enable_cert = var.aws_r53_enable_cert # ELB - aws_elb_dns_name = try(module.aws_elb[0].aws_elb_dns_name, "") - aws_elb_zone_id = try(module.aws_elb[0].aws_elb_zone_id, "") + aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name,module.aws_elb[0].aws_elb_dns_name,module.ec2[0].instance_public_ip,"") + aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,module.vpc.preferred_az,"") # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others 
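Review bot: `try(module.aws_lb[0].aws_alb_dns_name, module.aws_elb[0].aws_elb_dns_name, module.ec2[0].instance_public_ip, "")` uses `try()` as a selector, so any error in an earlier candidate — a misspelt output name, a module whose output evaluation failed — is swallowed and the DNS record silently falls through to the next value; the `aws_elb_zone_id` line has the same shape. Selecting on the same flags that drive the module `count` expressions is explicit and fails loudly, e.g. `var.aws_alb_create ? module.aws_lb[0].aws_alb_dns_name : (var.aws_elb_create ? module.aws_elb[0].aws_elb_dns_name : module.ec2[0].instance_public_ip)`. Pointing the record at `instance_public_ip` also ties DNS to an address that changes when the instance is stopped and started unless an Elastic IP is attached elsewhere in the repository, which is not visible here and is worth stating in a comment on that line.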
@@ -99,9 +99,30 @@ module "aws_route53" { } } +#module "aws_route53_lb" { +# source = "../modules/aws/route53" +# count = var.aws_ec2_instance_create && var.aws_r53_enable && var.aws_r53_domain_name != "" && var.aws_alb_create ? 1 : 0 +# # R53 values +# aws_r53_domain_name = var.aws_r53_domain_name +# aws_r53_sub_domain_name = var.aws_r53_sub_domain_name +# aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy +# aws_r53_enable_cert = var.aws_r53_enable_cert +# # ELB +# aws_elb_dns_name = module.aws_lb[0].aws_alb_dns_name +# aws_elb_zone_id = module.aws_lb[0].aws_alb_zone_id +# # Certs +# aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" +# # Others +# fqdn_provided = local.fqdn_provided +# +# providers = { +# aws = aws.r53 +# } +#} + module "aws_elb" { source = "../modules/aws/elb" - count = var.aws_ec2_instance_create && var.aws_elb_create ? 1 : 0 + count = var.aws_ec2_instance_create && var.aws_elb_create && !var.aws_alb_create ? 1 : 0 # ELB Values aws_elb_security_group_name = var.aws_elb_security_group_name aws_elb_app_port = var.aws_elb_app_port From 8c762261fa684cd6042071fd8b325516849dfeb7 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 8 Dec 2025 12:03:51 -0300 Subject: [PATCH 08/76] No-zone-id-for-simple-dns --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index b7259be45..f82db9fee 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
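Review bot: The commented-out `module "aws_route53_lb"` block is twenty lines of dead code that will drift from the live `aws_route53` module; since this same commit routes the ALB through the existing module, the block should be deleted (history keeps it) rather than left in the file. The new `&& !var.aws_alb_create` term on the `aws_elb` count means that setting both `aws_elb_create` and `aws_alb_create` silently skips the classic ELB; a comment on the count line — `# ALB takes precedence over the classic ELB when both are enabled` — plus the same sentence in the `aws_alb_create` input description make the precedence discoverable.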
@@ -88,7 +88,7 @@ module "aws_route53" { aws_r53_enable_cert = var.aws_r53_enable_cert # ELB aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name,module.aws_elb[0].aws_elb_dns_name,module.ec2[0].instance_public_ip,"") - aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,module.vpc.preferred_az,"") + aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,"","") # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others From 1dfd334c170e5df7f88d885ce05cf5ca6932b75c Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 8 Dec 2025 12:17:09 -0300 Subject: [PATCH 09/76] null zone --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index f82db9fee..b398e6cfa 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -88,7 +88,7 @@ module "aws_route53" { aws_r53_enable_cert = var.aws_r53_enable_cert # ELB aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name,module.aws_elb[0].aws_elb_dns_name,module.ec2[0].instance_public_ip,"") - aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,"","") + aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,null,"") # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others From 12bb4c3f7171f5e804274b71d03fae427c2bc7c4 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 8 Dec 2025 14:30:29 -0300 Subject: [PATCH 10/76] Dynamic records --- .../modules/aws/route53/aws_route53.tf | 33 ++++++++++++------- 1 file changed, 21 insertions(+), 12 deletions(-) 
diff --git a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf index 0dca0bcd9..8fef7b161 100644 --- a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf +++ b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf @@ -9,10 +9,13 @@ resource "aws_route53_record" "dev" { name = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" type = "A" - alias { - name = var.aws_elb_dns_name - zone_id = var.aws_elb_zone_id - evaluate_target_health = true + dynamic "alias" { + for_each = var.aws_elb_zone_id != "" ? [1] : [] + content { + name = var.aws_elb_dns_name + zone_id = var.aws_elb_zone_id + evaluate_target_health = true + } } } @@ -22,10 +25,13 @@ resource "aws_route53_record" "root-a" { name = var.aws_r53_domain_name type = "A" - alias { - name = var.aws_elb_dns_name - zone_id = var.aws_elb_zone_id - evaluate_target_health = true + dynamic "alias" { + for_each = var.aws_elb_zone_id != "" ? [1] : [] + content { + name = var.aws_elb_dns_name + zone_id = var.aws_elb_zone_id + evaluate_target_health = true + } } } @@ -35,10 +41,13 @@ resource "aws_route53_record" "www-a" { name = "www.${var.aws_r53_domain_name}" type = "A" - alias { - name = var.aws_elb_dns_name - zone_id = var.aws_elb_zone_id - evaluate_target_health = true + dynamic "alias" { + for_each = var.aws_elb_zone_id != "" ? [1] : [] + content { + name = var.aws_elb_dns_name + zone_id = var.aws_elb_zone_id + evaluate_target_health = true + } } } From 2510c8e6548a176f7b3ccfda6ed8519740258391 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 8 Dec 2025 17:23:59 -0300 Subject: [PATCH 11/76] Adding record --- .../deployment/terraform/modules/aws/route53/aws_route53.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf index 8fef7b161..10c4508f3 100644 
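Review bot: The same `dynamic "alias"` block with the same `for_each = var.aws_elb_zone_id != "" ? [1] : []` test is pasted into `dev`, `root-a` and `www-a`, and the `records`/`ttl` lines added in later commits of this series repeat the inverse test three more times; a single `local.use_alias = var.aws_elb_zone_id != ""` shared by the three resources keeps the alias and plain-record branches from drifting apart. The variable `aws_elb_zone_id` has also become the switch between an alias record and a plain record, which its description in the module's variables file (not in this hunk) presumably does not say; a sentence such as `an empty string selects a plain A record pointing at aws_elb_dns_name` would document the new contract.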
--- a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf +++ b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf @@ -17,6 +17,7 @@ resource "aws_route53_record" "dev" { evaluate_target_health = true } } + records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null } resource "aws_route53_record" "root-a" { @@ -33,6 +34,7 @@ resource "aws_route53_record" "root-a" { evaluate_target_health = true } } + records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null } resource "aws_route53_record" "www-a" { @@ -49,6 +51,7 @@ resource "aws_route53_record" "www-a" { evaluate_target_health = true } } + records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null } locals { From fc50d2b98c39f4fe1510069cc86a6313b55cd349 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 8 Dec 2025 17:48:40 -0300 Subject: [PATCH 12/76] Fix main conditional --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index b398e6cfa..f82db9fee 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -88,7 +88,7 @@ module "aws_route53" { aws_r53_enable_cert = var.aws_r53_enable_cert # ELB aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name,module.aws_elb[0].aws_elb_dns_name,module.ec2[0].instance_public_ip,"") - aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,null,"") + aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,"","") # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others From f672f0d89859348fb724062afc9ecc567bffab45 Mon Sep 17 00:00:00 2001 
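Review bot: `records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null` turns `dev`, `root-a` and `www-a` into plain `A` records whose value is whatever `aws_elb_dns_name` carried, so the apply only succeeds when that fallback is an IPv4 literal (the `instance_public_ip` case in `bitovi_main.tf`); an empty string or a hostname in that position yields an invalid record set with an error that points at Route 53 rather than at the inputs. A `lifecycle { precondition }` on the record checking that the name looks like an IPv4 address when the zone id is empty, or at least a comment `# plain A record: aws_elb_dns_name must be an IPv4 address here`, makes the assumption explicit. The enclosing resources start outside each hunk.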
From: LeoDiazL Date: Mon, 8 Dec 2025 17:56:39 -0300 Subject: [PATCH 13/76] ttl --- .../deployment/terraform/modules/aws/route53/aws_route53.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf index 10c4508f3..9b27632f9 100644 --- a/operations/deployment/terraform/modules/aws/route53/aws_route53.tf +++ b/operations/deployment/terraform/modules/aws/route53/aws_route53.tf @@ -18,6 +18,7 @@ resource "aws_route53_record" "dev" { } } records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null + ttl = var.aws_elb_zone_id == "" ? 300 : null } resource "aws_route53_record" "root-a" { @@ -35,6 +36,7 @@ resource "aws_route53_record" "root-a" { } } records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null + ttl = var.aws_elb_zone_id == "" ? 300 : null } resource "aws_route53_record" "www-a" { @@ -52,6 +54,7 @@ resource "aws_route53_record" "www-a" { } } records = var.aws_elb_zone_id == "" ? [var.aws_elb_dns_name] : null + ttl = var.aws_elb_zone_id == "" ? 300 : null } locals { From 06ed67bde1dc62207c461360a8686c6d3398e52e Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 12:20:56 -0300 Subject: [PATCH 14/76] Fixing certificates quirks --- action.yaml | 4 +++ .../generate/generate_vars_terraform.sh | 2 ++ .../deployment/terraform/aws/aws_variables.tf | 6 ++++ .../deployment/terraform/aws/bitovi_main.tf | 1 + .../aws/certificates/aws_certificates.tf | 29 +++++++++++++++---- .../aws/certificates/aws_certificates_vars.tf | 1 + 6 files changed, 38 insertions(+), 5 deletions(-) diff --git a/action.yaml b/action.yaml index 85f5492a7..0799c3d3b 100644 --- a/action.yaml +++ b/action.yaml 
@@ -244,6 +244,9 @@ inputs: aws_r53_create_sub_cert: description: 'Generates and manage the sub-domain certificate for the application' required: false + aws_r53_export_cert: + description: 'Enables export flag of the certificate.' + required: false aws_r53_additional_tags: description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' required: false @@ -1334,6 +1337,7 @@ runs: AWS_R53_CERT_ARN: ${{ inputs.aws_r53_cert_arn }} AWS_R53_CREATE_ROOT_CERT: ${{ inputs.aws_r53_create_root_cert }} AWS_R53_CREATE_SUB_CERT: ${{ inputs.aws_r53_create_sub_cert }} + AWS_R53_EXPORT_CERT: ${{ inputs.aws_r53_export_cert }} AWS_R53_ADDITIONAL_TAGS: ${{ inputs.aws_r53_additional_tags }} # AWS ELB diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index a4b1c5bdf..83b7c1dca 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh @@ -116,6 +116,7 @@ if [[ $(alpha_only "$AWS_R53_ENABLE_CERT") == true ]]; then aws_r53_cert_arn=$(generate_var aws_r53_cert_arn $AWS_R53_CERT_ARN) aws_r53_create_root_cert=$(generate_var aws_r53_create_root_cert $AWS_R53_CREATE_ROOT_CERT) aws_r53_create_sub_cert=$(generate_var aws_r53_create_sub_cert $AWS_R53_CREATE_SUB_CERT) + aws_r53_export_cert=$(generate_var aws_r53_export_cert $AWS_R53_EXPORT_CERT) fi #-- AWS ELB --# @@ -512,6 +513,7 @@ $aws_r53_enable_cert $aws_r53_cert_arn $aws_r53_create_root_cert $aws_r53_create_sub_cert +$aws_r53_export_cert $aws_r53_additional_tags #-- ELB --# diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 591f6a84b..615d94cf2 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf 
@@ -260,6 +260,12 @@ variable "aws_r53_create_sub_cert" { default = false } +variable "aws_r53_export_cert" { + type = bool + description = "Enables export flag of the certificate." + default = false +} + variable "aws_r53_additional_tags" { type = string description = "A list of strings that will be added to created resources" diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index f82db9fee..3b2817b86 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -67,6 +67,7 @@ module "aws_certificates" { aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert aws_r53_create_sub_cert = var.aws_r53_create_sub_cert + aws_r53_export_cert = var.aws_r53_export_cert # R53 aws_r53_domain_name = var.aws_r53_domain_name aws_r53_sub_domain_name = var.aws_r53_sub_domain_name diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf index 96e20e67b..350cb3dc3 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf 
@@ -6,12 +6,13 @@ data "aws_route53_zone" "selected" { data "aws_acm_certificate" "issued" { #count = local.is_enabled_and_valid ? (!var.aws_r53_create_root_cert ? (!var.aws_r53_create_sub_cert ? (var.fqdn_provided ? 1 : 0) : 0) : 0) :0 - for_each = local.is_enabled_and_valid ? { - "domain" : var.aws_r53_domain_name, - "wildcard" : "*.${var.aws_r53_domain_name}" - "sub" : "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" + for_each = (!var.aws_r53_create_root_cert && !var.aws_r53_create_sub_cert && local.is_enabled_and_valid) ? { + "domain" = var.aws_r53_domain_name, + "wildcard" = "*.${var.aws_r53_domain_name}", + "sub" = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" } : {} - domain = var.aws_r53_domain_name + domain = each.value + #domain = var.aws_r53_domain_name } # This block will create and validate the root domain and www cert @@ -20,6 +21,15 @@ resource "aws_acm_certificate" "root_domain" { domain_name = var.aws_r53_domain_name subject_alternative_names = ["*.${var.aws_r53_domain_name}", "${var.aws_r53_domain_name}"] validation_method = "DNS" + dynamic "options" { + for_each = var.aws_r53_export_cert ? [1] : [] + content { + export = "ENABLED" + } + } + lifecycle { + create_before_destroy = true + } } resource "aws_route53_record" "root_domain" { @@ -44,6 +54,15 @@ resource "aws_acm_certificate" "sub_domain" { count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0 domain_name = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" validation_method = "DNS" + dynamic "options" { + for_each = var.aws_r53_export_cert ? [1] : [] + content { + export = "ENABLED" + } + } + lifecycle { + create_before_destroy = true + } } resource "aws_route53_record" "sub_domain" { 
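Review bot: The `for_each` on `data "aws_acm_certificate" "issued"` now performs three independent lookups (`domain`, `wildcard`, `sub`) with `domain = each.value`, and as far as I recall this data source fails at plan time when no issued certificate matches, so an account that holds only an apex certificate (no wildcard, no sub-domain cert) will stop planning where the previous single lookup succeeded. If the intent is "use whichever exists", drop the `sub` key when `var.aws_r53_sub_domain_name == ""` and make the selection logic below tolerate missing keys, or keep a single lookup and state the assumption in a comment. The commented-out `#domain = var.aws_r53_domain_name` should be removed rather than left beside the live line. Separately, `options { export = "ENABLED" }` makes the certificate's private key retrievable with `acm:ExportCertificate` by any principal holding that permission; if the flag is kept, its variable description should say so rather than just "Enables export flag of the certificate."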
diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf index 998d80a8f..f8d2956a9 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf @@ -1,6 +1,7 @@ variable "aws_r53_create_root_cert" {} variable "aws_r53_create_sub_cert" {} variable "aws_r53_cert_arn" {} +variable "aws_r53_export_cert" {} # R53 variable "aws_r53_domain_name" {} variable "aws_r53_sub_domain_name" {} From 12e934f0e0afec341b34849ae50a1e49fabe5eb0 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 12:38:32 -0300 Subject: [PATCH 15/76] remove export option --- action.yaml | 4 ---- .../_scripts/generate/generate_vars_terraform.sh | 2 -- operations/deployment/terraform/aws/aws_variables.tf | 6 ------ operations/deployment/terraform/aws/bitovi_main.tf | 1 - .../modules/aws/certificates/aws_certificates.tf | 12 ------------ .../aws/certificates/aws_certificates_vars.tf | 1 - 6 files changed, 26 deletions(-) diff --git a/action.yaml b/action.yaml index 0799c3d3b..85f5492a7 100644 --- a/action.yaml +++ b/action.yaml @@ -244,9 +244,6 @@ inputs: aws_r53_create_sub_cert: description: 'Generates and manage the sub-domain certificate for the application' required: false - aws_r53_export_cert: - description: 'Enables export flag of the certificate.' - required: false aws_r53_additional_tags: description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' required: false 
@@ -1337,7 +1334,6 @@ runs: AWS_R53_CERT_ARN: ${{ inputs.aws_r53_cert_arn }} AWS_R53_CREATE_ROOT_CERT: ${{ inputs.aws_r53_create_root_cert }} AWS_R53_CREATE_SUB_CERT: ${{ inputs.aws_r53_create_sub_cert }} - AWS_R53_EXPORT_CERT: ${{ inputs.aws_r53_export_cert }} AWS_R53_ADDITIONAL_TAGS: ${{ inputs.aws_r53_additional_tags }} # AWS ELB diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index 83b7c1dca..a4b1c5bdf 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh @@ -116,7 +116,6 @@ if [[ $(alpha_only "$AWS_R53_ENABLE_CERT") == true ]]; then aws_r53_cert_arn=$(generate_var aws_r53_cert_arn $AWS_R53_CERT_ARN) aws_r53_create_root_cert=$(generate_var aws_r53_create_root_cert $AWS_R53_CREATE_ROOT_CERT) aws_r53_create_sub_cert=$(generate_var aws_r53_create_sub_cert $AWS_R53_CREATE_SUB_CERT) - aws_r53_export_cert=$(generate_var aws_r53_export_cert $AWS_R53_EXPORT_CERT) fi #-- AWS ELB --# @@ -513,7 +512,6 @@ $aws_r53_enable_cert $aws_r53_cert_arn $aws_r53_create_root_cert $aws_r53_create_sub_cert -$aws_r53_export_cert $aws_r53_additional_tags #-- ELB --# diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 615d94cf2..591f6a84b 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -260,12 +260,6 @@ variable "aws_r53_create_sub_cert" { default = false } -variable "aws_r53_export_cert" { - type = bool - description = "Enables export flag of the certificate." - default = false -} - variable "aws_r53_additional_tags" { type = string description = "A list of strings that will be added to created resources" diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 3b2817b86..f82db9fee 100644 
--- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -67,7 +67,6 @@ module "aws_certificates" { aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert aws_r53_create_sub_cert = var.aws_r53_create_sub_cert - aws_r53_export_cert = var.aws_r53_export_cert # R53 aws_r53_domain_name = var.aws_r53_domain_name aws_r53_sub_domain_name = var.aws_r53_sub_domain_name diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf index 350cb3dc3..339ecaf3f 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf @@ -21,12 +21,6 @@ resource "aws_acm_certificate" "root_domain" { domain_name = var.aws_r53_domain_name subject_alternative_names = ["*.${var.aws_r53_domain_name}", "${var.aws_r53_domain_name}"] validation_method = "DNS" - dynamic "options" { - for_each = var.aws_r53_export_cert ? [1] : [] - content { - export = "ENABLED" - } - } lifecycle { create_before_destroy = true } @@ -54,12 +48,6 @@ resource "aws_acm_certificate" "sub_domain" { count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0 domain_name = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" validation_method = "DNS" - dynamic "options" { - for_each = var.aws_r53_export_cert ? [1] : [] - content { - export = "ENABLED" - } - } lifecycle { create_before_destroy = true } diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf index f8d2956a9..998d80a8f 100644 
--- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf @@ -1,7 +1,6 @@ variable "aws_r53_create_root_cert" {} variable "aws_r53_create_sub_cert" {} variable "aws_r53_cert_arn" {} -variable "aws_r53_export_cert" {} # R53 variable "aws_r53_domain_name" {} variable "aws_r53_sub_domain_name" {} From 955205804640a2710093f55c43add37a635e1153 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 13:21:11 -0300 Subject: [PATCH 16/76] count.index --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 601b99615..4eeb5ae1b 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -61,7 +61,7 @@ resource "aws_lb" "vm_alb" { # Target groups for ALB resource "aws_lb_target_group" "vm_alb_tg" { count = local.alb_ports_ammount - name = "${var.aws_resource_identifier_supershort}-tg-${local.alb_app_port[count.index]}" + name = "${var.aws_resource_identifier_supershort}-${count.index}" port = local.alb_app_port[count.index] protocol = local.alb_app_protocol[count.index] vpc_id = var.aws_vpc_selected_id @@ -76,7 +76,7 @@ resource "aws_lb_target_group" "vm_alb_tg" { } tags = { - Name = "${var.aws_resource_identifier_supershort}-tg-${local.alb_app_port[count.index]}" + Name = "${var.aws_resource_identifier_supershort}-${count.index}-${local.alb_app_port[count.index]}" } } From 6853afd1ec091261fc6e9d620f0bb9d65f259fb5 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 13:34:50 -0300 Subject: [PATCH 17/76] Fix SSL policy issue --- .../terraform/modules/aws/lb/aws_lb.tf | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) 
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 4eeb5ae1b..225d5da72 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -92,8 +92,20 @@ resource "aws_lb_listener" "vm_alb_listener" { target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn } # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html - ssl_policy = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_alb_ssl_policy : null - certificate_arn = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_certificates_selected_arn : null + + dynamic "ssl_policy" { + for_each = local.alb_listen_protocol[count.index] == "HTTPS" ? [1] : [] + content { + ssl_policy = var.aws_alb_ssl_policy + } + } + + dynamic "certificate_arn" { + for_each = local.alb_listen_protocol[count.index] == "HTTPS" ? [1] : [] + content { + certificate_arn = var.aws_certificates_selected_arn + } + } } # Attach EC2 instance(s) to target group(s) From b4dfbac28ba3cfbe316cd10e0081026b97f651ea Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 14:44:07 -0300 Subject: [PATCH 18/76] lifecycle trigger --- .../terraform/modules/aws/lb/aws_lb.tf | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 225d5da72..4206c5679 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -92,19 +92,10 @@ resource "aws_lb_listener" "vm_alb_listener" { target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn } # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html - - dynamic "ssl_policy" { - for_each = local.alb_listen_protocol[count.index] == "HTTPS" ? [1] : [] - content { - ssl_policy = var.aws_alb_ssl_policy - } - } - - dynamic "certificate_arn" { - for_each = local.alb_listen_protocol[count.index] == "HTTPS" ? [1] : [] - content { - certificate_arn = var.aws_certificates_selected_arn - } + ssl_policy = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_alb_ssl_policy : null + certificate_arn = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_certificates_selected_arn : null + lifecycle { + replace_triggered_by = [local.alb_listen_protocol[count.index]] } } From c8ee5d18e86c9ef66ffe0d8d79e1f7f16eb0a621 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 15:08:05 -0300 Subject: [PATCH 19/76] Remove lifecycle --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 4206c5679..4eeb5ae1b 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -94,9 +94,6 @@ resource "aws_lb_listener" "vm_alb_listener" { # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html ssl_policy = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_alb_ssl_policy : null certificate_arn = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_certificates_selected_arn : null - lifecycle { - replace_triggered_by = [local.alb_listen_protocol[count.index]] - } } # Attach EC2 instance(s) to target group(s) From 3b69dbdb8c119c1200b4ce970fc1fe73cd809004 Mon Sep 17 00:00:00 2001 
From: LeoDiazL Date: Tue, 9 Dec 2025 15:40:18 -0300 Subject: [PATCH 20/76] Change LB trigger var --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 4eeb5ae1b..cd54a6bb0 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -92,8 +92,8 @@ resource "aws_lb_listener" "vm_alb_listener" { target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn } # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html - ssl_policy = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_alb_ssl_policy : null - certificate_arn = local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_certificates_selected_arn : null + ssl_policy = var.aws_certificates_selected_arn != "" ? var.aws_alb_ssl_policy : null + certificate_arn = var.aws_certificates_selected_arn != "" ? var.aws_certificates_selected_arn : null } # Attach EC2 instance(s) to target group(s) From daf7b5dc60ece3e26b4f4d64438538fe2563c613 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 17:15:05 -0300 Subject: [PATCH 21/76] Adding features to ALB --- action.yaml | 8 + .../generate/generate_vars_terraform.sh | 4 + .../deployment/terraform/aws/aws_variables.tf | 13 ++ .../deployment/terraform/aws/bitovi_main.tf | 3 + .../terraform/modules/aws/lb/aws_lb.tf | 179 +++++++++++++++++- .../terraform/modules/aws/lb/aws_lb_vars.tf | 5 +- 6 files changed, 203 insertions(+), 9 deletions(-) diff --git a/action.yaml b/action.yaml index 85f5492a7..0f7bb4f35 100644 --- a/action.yaml +++ b/action.yaml 
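Review bot: Switching the guard from the listener's protocol to `var.aws_certificates_selected_arn != ""` means an `HTTP` entry in `aws_alb_listen_protocol` now receives `certificate_arn` and `ssl_policy` whenever a certificate exists, and an `HTTPS` entry with no certificate is created without them; in both cases the failure surfaces as an API error at apply rather than at plan. Keep both conditions, `local.alb_listen_protocol[count.index] == "HTTPS" && var.aws_certificates_selected_arn != "" ? var.aws_alb_ssl_policy : null` (and the same for `certificate_arn`), and add a `precondition` that rejects an HTTPS listener with an empty certificate ARN so the mistake is caught before anything is created. The `vm_alb_listener` resource begins above this hunk.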
@@ -299,6 +299,12 @@ inputs: aws_alb_listen_protocol: description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)" required: false + aws_alb_redirect_enable: + description: "Enable HTTP to HTTPS redirection on ALB" + required: false + aws_alb_www_to_apex_redirect: + description: 'Enable www to apex domain redirection on ALB' + required: false aws_alb_healthcheck_path: description: "Health check path for ALB target group" required: false @@ -1355,6 +1361,8 @@ runs: AWS_ALB_APP_PROTOCOL: ${{ inputs.aws_alb_app_protocol }} AWS_ALB_LISTEN_PORT: ${{ inputs.aws_alb_listen_port }} AWS_ALB_LISTEN_PROTOCOL: ${{ inputs.aws_alb_listen_protocol }} + AWS_ALB_REDIRECT_ENABLE: ${{ inputs.aws_alb_redirect_enable }} + AWS_ALB_WWW_TO_APEX_REDIRECT: ${{ inputs.aws_alb_www_to_apex_redirect }} AWS_ALB_HEALTHCHECK_PATH: ${{ inputs.aws_alb_healthcheck_path }} AWS_ALB_HEALTHCHECK_PROTOCOL: ${{ inputs.aws_alb_healthcheck_protocol }} AWS_ALB_SSL_POLICY: ${{ inputs.aws_alb_ssl_policy }} diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index a4b1c5bdf..69a813482 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh 
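Review bot: The description of `aws_alb_redirect_enable` ("Enable HTTP to HTTPS redirection on ALB") does not match what the module does with the flag: in aws_lb.tf the same input also creates a plain-HTTP `forward` listener on port 80 (`http_forward`) when no certificate is available, and a fixed 404 listener when `aws_alb_www_to_apex_redirect` is set, so with the flag on and no certificate the application is exposed over HTTP with no redirect at all. Suggest `description: "Adds a port-80 listener: redirects to HTTPS when a certificate is available, otherwise forwards plain HTTP to the first target group"`. Likewise `aws_alb_www_to_apex_redirect` should mention that it requires `aws_r53_domain_name` and that requests whose Host header is neither the apex nor www are answered with 404.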
@@ -140,6 +140,8 @@ if [[ $(alpha_only "$AWS_ALB_CREATE") == true ]]; then aws_alb_app_protocol=$(generate_var aws_alb_app_protocol $AWS_ALB_APP_PROTOCOL) aws_alb_listen_port=$(generate_var aws_alb_listen_port $AWS_ALB_LISTEN_PORT) aws_alb_listen_protocol=$(generate_var aws_alb_listen_protocol $AWS_ALB_LISTEN_PROTOCOL) + aws_alb_redirect_enable=$(generate_var aws_alb_redirect_enable $AWS_ALB_REDIRECT_ENABLE) + aws_alb_www_to_apex_redirect=$(generate_var aws_alb_www_to_apex_redirect $AWS_ALB_WWW_TO_APEX_REDIRECT) aws_alb_healthcheck_path=$(generate_var aws_alb_healthcheck_path $AWS_ALB_HEALTHCHECK_PATH) aws_alb_healthcheck_protocol=$(generate_var aws_alb_healthcheck_protocol $AWS_ALB_HEALTHCHECK_PROTOCOL) aws_alb_ssl_policy=$(generate_var aws_alb_ssl_policy $AWS_ALB_SSL_POLICY) @@ -533,6 +535,8 @@ $aws_alb_app_port $aws_alb_app_protocol $aws_alb_listen_port $aws_alb_listen_protocol +$aws_alb_redirect_enable +$aws_alb_www_to_apex_redirect $aws_alb_healthcheck_path $aws_alb_healthcheck_protocol $aws_alb_ssl_policy diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 591f6a84b..6246d7f97 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -364,6 +364,18 @@ variable "aws_alb_listen_protocol" { default = "" } +variable "aws_alb_redirect_enable" { + type = bool + description = "Enable HTTP to HTTPS redirection on ALB" + default = false +} + +variable "aws_alb_www_to_apex_redirect" { + type = bool + description = "Enable www to apex domain redirection on ALB" + default = false +} + # Healthcheck variable "aws_alb_healthcheck_path" { type = string @@ -382,6 +394,7 @@ variable "aws_alb_ssl_policy" { description = "SSL policy for HTTPS listeners" default = null } + # Logging variable "aws_alb_access_log_enabled" { type = bool 
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index f82db9fee..c98868bcd 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -160,6 +160,8 @@ module "aws_lb" { aws_alb_app_protocol = var.aws_alb_app_protocol aws_alb_listen_port = var.aws_alb_listen_port aws_alb_listen_protocol = var.aws_alb_listen_protocol + aws_alb_redirect_enable = var.aws_alb_redirect_enable + aws_alb_www_to_apex_redirect = var.aws_alb_www_to_apex_redirect aws_alb_healthcheck_path = var.aws_alb_healthcheck_path aws_alb_healthcheck_protocol = var.aws_alb_healthcheck_protocol aws_alb_ssl_policy = var.aws_alb_ssl_policy @@ -172,6 +174,7 @@ module "aws_lb" { aws_vpc_subnet_selected = module.vpc.aws_selected_vpc_subnets #module.vpc.aws_vpc_subnet_selected aws_instance_server_id = module.ec2[0].aws_instance_server_id aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id + aws_r53_domain_name = var.aws_r53_domain_name # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index cd54a6bb0..ed01b8cf3 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -61,7 +61,7 @@ resource "aws_lb" "vm_alb" { # Target groups for ALB resource "aws_lb_target_group" "vm_alb_tg" { count = local.alb_ports_ammount - name = "${var.aws_resource_identifier_supershort}-${count.index}" + name = "${var.aws_resource_identifier_supershort}${count.index}" port = local.alb_app_port[count.index] protocol = local.alb_app_protocol[count.index] vpc_id = var.aws_vpc_selected_id 
@@ -75,14 +75,27 @@ resource "aws_lb_target_group" "vm_alb_tg" { interval = 30 } + lifecycle { + replace_triggered_by = [aws_security_group.alb_security_group.id] + } + tags = { Name = "${var.aws_resource_identifier_supershort}-${count.index}-${local.alb_app_port[count.index]}" } } +# Always exists, acts as a safe dependency wrapper +resource "null_resource" "http_redirect_dep" { + triggers = { + id = ( + length(aws_alb_listener.http_redirect) > 0 + ) ? aws_alb_listener.http_redirect[0].id : "none" + } +} + # Listeners for ALB -resource "aws_lb_listener" "vm_alb_listener" { - count = local.alb_ports_ammount +resource "aws_alb_listener" "lb_listener_ssl" { + count = local.alb_ssl_available ? length(local.alb_ports_ammount) : 0 load_balancer_arn = aws_lb.vm_alb.arn port = local.alb_listen_port[count.index] protocol = local.alb_listen_protocol[count.index] 
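Review bot: `aws_lb_listener.vm_alb_listener` is renamed to `aws_alb_listener.lb_listener_ssl` (and split from `lb_listener`) with no `moved` block, so every existing deployment will destroy and recreate its listeners on the next apply, which is a brief outage and drops any listener rules attached out of band. Since `moved` cannot change the resource type, keeping the `aws_lb_listener` type and adding `moved { from = aws_lb_listener.vm_alb_listener to = aws_lb_listener.lb_listener_ssl }` would preserve state for the TLS case. The new `replace_triggered_by = [aws_security_group.alb_security_group.id]` on the target group deserves a comment saying why a security-group replacement must also recreate the target groups, because that deregisters the instance. The `null_resource` wrapper requires the `null` provider to be declared in the module's providers file, which is not in this hunk.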
@@ -92,8 +105,162 @@ resource "aws_lb_listener" "vm_alb_listener" { target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn } # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html - ssl_policy = var.aws_certificates_selected_arn != "" ? var.aws_alb_ssl_policy : null - certificate_arn = var.aws_certificates_selected_arn != "" ? var.aws_certificates_selected_arn : null + ssl_policy = var.aws_alb_ssl_policy + certificate_arn = var.aws_certificates_selected_arn + lifecycle { + replace_triggered_by = [null_resource.http_redirect_dep.id] + } + depends_on = [aws_alb_listener.http_redirect] +} + +resource "aws_alb_listener" "lb_listener" { + count = local.alb_ssl_available ? 0 : length(local.alb_ports_ammount) + load_balancer_arn = aws_lb.vm_alb.arn + port = local.alb_listen_port[count.index] + protocol = local.alb_listen_protocol[count.index] + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.vm_alb_tg[count.index].arn + } + lifecycle { + replace_triggered_by = [null_resource.http_redirect_dep.id] + } + depends_on = [aws_alb_listener.http_redirect] +} + +resource "aws_alb_listener" "http_redirect" { + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && local.alb_ssl_available ? 1 : 0 + load_balancer_arn = aws_lb.vm_alb.arn + port = "80" + protocol = "HTTP" + + default_action { + type = "redirect" + + redirect { + port = "443" + protocol = "HTTPS" + status_code = "HTTP_301" + } + } + depends_on = [ + aws_lb.vm_alb, + aws_lb_target_group.vm_alb_tg + ] +} + +resource "aws_alb_listener" "http_forward" { + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && !local.alb_ssl_available && !var.aws_alb_www_to_apex_redirect ? 
1 : 0 + load_balancer_arn = aws_lb.vm_alb.arn + port = "80" + protocol = "HTTP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn + } + depends_on = [ + aws_lb.vm_alb, + aws_lb_target_group.vm_alb_tg + ] +} + +resource "aws_alb_listener" "http_www_redirect" { + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && !local.alb_ssl_available && var.aws_alb_www_to_apex_redirect ? 1 : 0 + load_balancer_arn = aws_lb.vm_alb.arn + port = "80" + protocol = "HTTP" + + default_action { + type = "fixed-response" + + fixed_response { + content_type = "text/plain" + message_body = "Not Found" + status_code = "404" + } + } + depends_on = [ + aws_lb.vm_alb, + aws_lb_target_group.vm_alb_tg + ] +} + +resource "aws_lb_listener_rule" "http_forward_apex" { + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !local.alb_ssl_available && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 + listener_arn = aws_alb_listener.http_www_redirect[0].arn + priority = 20 + + condition { + host_header { + values = [var.aws_r53_domain_name] + } + } + + action { + type = "forward" + target_group_arn = aws_alb_target_group.lb_targets[0].id + } +} + +resource "aws_lb_listener_rule" "redirect_www_to_apex" { + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (local.alb_ssl_available ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + listener_arn = local.alb_ssl_available ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_www_redirect[0].arn + priority = 10 + + condition { + host_header { + values = ["www.${var.aws_r53_domain_name}"] + } + } + + action { + type = "redirect" + + redirect { + port = local.alb_ssl_available ? "443" : "80" + protocol = local.alb_ssl_available ? 
"HTTPS" : "HTTP" + status_code = "HTTP_301" + host = var.aws_r53_domain_name + path = "/#{path}" + query = "#{query}" + } + } +} + +resource "aws_security_group_rule" "incoming_alb_http" { + count = length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.alb_security_group.id +} + +resource "aws_security_group_rule" "incoming_alb_https" { + count = length(aws_alb_listener.https_redirect) + type = "ingress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.alb_security_group.id +} +### + +resource "aws_alb_listener" "https_redirect" { + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) && local.alb_ssl_available ? 1 : 0 + load_balancer_arn = aws_lb.vm_alb.arn + port = "443" + protocol = "HTTPS" + certificate_arn = var.aws_certificates_selected_arn + ssl_policy = var.aws_certificates_selected_arn != "" ? var.aws_alb_ssl_policy : "" # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html + + default_action { + target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn + type = "forward" + } } # Attach EC2 instance(s) to target group(s) @@ -174,8 +341,6 @@ locals { length(local.alb_listen_protocol), length(local.alb_app_protocol) ) - - # Optionally, you can pad arrays if needed, but min() is safest for count } # Outputs diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf index b89b08729..d40533dc5 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf 
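Review bot: `http_redirect` and `https_redirect` gate on `!contains(local.alb_listen_port, 80)` / `443` with numeric literals; the local is defined outside this hunk, but if it is built with `split()` from the comma-separated input its elements are strings, and Terraform's `contains` does not match a string against a number, so a user who already lists 80 or 443 still gets a second listener on that port and the apply fails on the duplicate — compare against `"80"` / `"443"` or convert with `tonumber()` first. `lb_listener_ssl` now sets `ssl_policy` and `certificate_arn` on every listener in the list, including plain-HTTP entries where a certificate is not accepted; keep the per-listener check `local.alb_listen_protocol[count.index] == "HTTPS" ? var.aws_certificates_selected_arn : null`. `https_redirect` falls back to `ssl_policy = ""`, which is not a valid policy name — use `null` — and because `var.aws_alb_ssl_policy` defaults to null the ALB then takes the AWS default policy, which still permits TLS 1.0/1.1, so a TLS 1.2+ policy default with a sentence in the variable description would be the safer baseline. The two `0.0.0.0/0` ingress rules should carry a `description` (e.g. `"Public HTTP for redirect listener"`) so the intent survives in the console and in audits.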
@@ -4,10 +4,11 @@ variable "aws_alb_app_port" {} variable "aws_alb_app_protocol" {} variable "aws_alb_listen_port" {} variable "aws_alb_listen_protocol" {} +variable "aws_alb_redirect_enable" {} +variable "aws_alb_www_to_apex_redirect" {} variable "aws_alb_healthcheck_path" {} variable "aws_alb_healthcheck_protocol" {} variable "aws_alb_ssl_policy" {} - # Logging variable "aws_alb_access_log_enabled" {} variable "aws_alb_access_log_bucket_name" {} @@ -19,6 +20,6 @@ variable "aws_vpc_subnet_selected" {} variable "aws_instance_server_id" {} variable "aws_certificates_selected_arn" {} variable "aws_alb_target_sg_id" {} - +variable "aws_r53_domain_name" {} variable "aws_resource_identifier" {} variable "aws_resource_identifier_supershort" {} \ No newline at end of file From 2f1a54c486c928c6e524de8848a2396cc2bb6273 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 17:18:25 -0300 Subject: [PATCH 22/76] Fix typo --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index ed01b8cf3..f6e82fefc 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -199,7 +199,7 @@ resource "aws_lb_listener_rule" "http_forward_apex" { action { type = "forward" - target_group_arn = aws_alb_target_group.lb_targets[0].id + target_group_arn = aws_alb_target_group.vm_alb_tg[0].id } } From c7d93a1f851ed6defac30b22228ace6de6f1a3de Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 17:24:26 -0300 Subject: [PATCH 23/76] lb --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index f6e82fefc..bffcaa7a2 100644 
--- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -199,7 +199,7 @@ resource "aws_lb_listener_rule" "http_forward_apex" { action { type = "forward" - target_group_arn = aws_alb_target_group.vm_alb_tg[0].id + target_group_arn = aws_lb_target_group.vm_alb_tg[0].id } } From dd174a21e90cefcf1d86c1965e991922b5ae9d78 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 9 Dec 2025 17:28:55 -0300 Subject: [PATCH 24/76] Fix length --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index bffcaa7a2..90abed04c 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -95,7 +95,7 @@ resource "null_resource" "http_redirect_dep" { # Listeners for ALB resource "aws_alb_listener" "lb_listener_ssl" { - count = local.alb_ssl_available ? length(local.alb_ports_ammount) : 0 + count = local.alb_ssl_available ? local.alb_ports_ammount : 0 load_balancer_arn = aws_lb.vm_alb.arn port = local.alb_listen_port[count.index] protocol = local.alb_listen_protocol[count.index] @@ -114,7 +114,7 @@ resource "aws_alb_listener" "lb_listener_ssl" { } resource "aws_alb_listener" "lb_listener" { - count = local.alb_ssl_available ? 0 : length(local.alb_ports_ammount) + count = local.alb_ssl_available ? 0 : local.alb_ports_ammount load_balancer_arn = aws_lb.vm_alb.arn port = local.alb_listen_port[count.index] protocol = local.alb_listen_protocol[count.index] From b15565ff1a7e2b8aef51ff3e0d6e3547f489fe0f Mon Sep 17 00:00:00 2001 
From: LeoDiazL Date: Tue, 9 Dec 2025 18:17:18 -0300 Subject: [PATCH 25/76] Minor tweaks --- operations/deployment/terraform/aws/bitovi_main.tf | 4 ++-- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index c98868bcd..43222fcb6 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -87,8 +87,8 @@ module "aws_route53" { aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy aws_r53_enable_cert = var.aws_r53_enable_cert # ELB - aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name,module.aws_elb[0].aws_elb_dns_name,module.ec2[0].instance_public_ip,"") - aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id,module.aws_elb[0].aws_elb_zone_id,"","") + aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name, module.aws_elb[0].aws_elb_dns_name, module.ec2[0].instance_public_ip, "") + aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id, module.aws_elb[0].aws_elb_zone_id, "", "") # Certs aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" # Others diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 90abed04c..0c4e4ff75 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -129,7 +129,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && local.alb_ssl_available ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && var.aws_certificates_selected_arn != "" ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -150,7 +150,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && !local.alb_ssl_available && !var.aws_alb_www_to_apex_redirect ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && var.aws_certificates_selected_arn == "" && !var.aws_alb_www_to_apex_redirect ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -166,7 +166,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && !local.alb_ssl_available && var.aws_alb_www_to_apex_redirect ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && var.aws_certificates_selected_arn == "" && var.aws_alb_www_to_apex_redirect ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -250,7 +250,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) && local.alb_ssl_available ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) && local.alb_ssl_available ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" From 235c7e75c0bae4ae206a8bb7e2b26c3c1b800959 Mon Sep 17 00:00:00 2001 
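Review bot: The last hunk (`https_redirect`) has identical removed and added lines apart from whitespace, so it is noise in the history, while the other three replace `local.alb_ssl_available` with its own definition `var.aws_certificates_selected_arn != ""`, leaving the same condition spelled two ways in one file (the PATCH 28 hunk in the locals block does the same). Keeping the listener counts on the local, e.g. `count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && local.alb_ssl_available ? 1 : 0`, keeps a single place that decides whether TLS is available, which matters because that decision is exactly what selects the plaintext `http_forward` path over the redirect. Each listener resource continues past its hunk.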
From: LeoDiazL Date: Wed, 10 Dec 2025 11:23:36 -0300 Subject: [PATCH 26/76] Add LB dependency --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 43222fcb6..6d5843c7c 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -181,7 +181,7 @@ module "aws_lb" { aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - #depends_on = [module.vpc, module.ec2] + depends_on = [module.vpc, module.ec2, module.aws_certificates] providers = { aws = aws.lb From 5316a812a7c53afa36d6a0c55986ec1b14c1ed79 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 11:52:25 -0300 Subject: [PATCH 27/76] Cleanup conditionals --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 0c4e4ff75..b67a08cdf 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -129,7 +129,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && var.aws_certificates_selected_arn != "" ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? 1 : 0 #&& var.aws_certificates_selected_arn != "" ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" 
@@ -150,7 +150,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && var.aws_certificates_selected_arn == "" && !var.aws_alb_www_to_apex_redirect ? 1 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !contains(local.alb_listen_port, 80) ? 1 : 0 # && var.aws_certificates_selected_arn == "" ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -166,7 +166,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) && var.aws_certificates_selected_arn == "" && var.aws_alb_www_to_apex_redirect ? 1 : 0 + count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !contains(local.alb_listen_port, 80) ? 1 : 0 #&& var.aws_certificates_selected_arn == "" ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -250,7 +250,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) && local.alb_ssl_available ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) ? 1 : 0 #&& local.alb_ssl_available ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" From 849819a456cb173c8f8173cf24d407caaf61dd3c Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 11:58:36 -0300 Subject: [PATCH 28/76] Simplify listen port conditional --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index b67a08cdf..9e5f8de81 100644 
--- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -329,8 +329,8 @@ POLICY locals { alb_ssl_available = var.aws_certificates_selected_arn != "" ? true : false - alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : (local.alb_ssl_available ? [443] : [80]) - alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : (local.alb_ssl_available ? ["HTTPS"] : ["HTTP"]) + alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : (var.aws_certificates_selected_arn != "" ? [443] : [80]) + alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : (var.aws_certificates_selected_arn != "" ? ["HTTPS"] : ["HTTP"]) alb_app_port = var.aws_alb_app_port != "" ? [for n in split(",", var.aws_alb_app_port) : tonumber(n)] : local.alb_listen_port alb_app_protocol = var.aws_alb_app_protocol != "" ? [for n in split(",", var.aws_alb_app_protocol) : n] : [for _ in local.alb_app_port : "HTTP"] From 8f5ca4d15f84b3d1c20e9cdbcc9a61f70e3735f7 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 12:20:51 -0300 Subject: [PATCH 29/76] Reducing conditionals --- .../deployment/terraform/aws/bitovi_main.tf | 3 +- .../terraform/modules/aws/lb/aws_lb.tf | 37 ++++++++++--------- 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 6d5843c7c..2c8a96928 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -176,7 +176,8 @@ module "aws_lb" { aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id aws_r53_domain_name = var.aws_r53_domain_name # Certs - aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + #aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, "") # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 9e5f8de81..6edb0b302 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
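Review bot: `try(module.aws_certificates[0].selected_arn, "")` fails open: any error evaluating the certificate output, not only the module being absent but equally a missing or malformed `selected_arn`, silently becomes an empty ARN, which the lb module reads as "no TLS" and answers with plaintext listeners instead of stopping the apply. The removed expression, `var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""`, gated on the explicit flag and so turned a requested-but-unresolved certificate into an error rather than a downgrade; if `try()` is kept, it should at least be combined with that flag. The commented-out previous line should be deleted rather than kept next to the new one. The `module "aws_lb"` block continues on both sides of the hunk.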
@@ -1,3 +1,22 @@ +# Locals for ALB +locals { + alb_ssl_available = var.aws_certificates_selected_arn != "" ? true : false + + alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : var.aws_certificates_selected_arn != "" ? [443] : [80] + alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : var.aws_certificates_selected_arn != "" ? ["HTTPS"] : ["HTTP"] + alb_app_port = var.aws_alb_app_port != "" ? [for n in split(",", var.aws_alb_app_port) : tonumber(n)] : local.alb_listen_port + alb_app_protocol = var.aws_alb_app_protocol != "" ? [for n in split(",", var.aws_alb_app_protocol) : n] : [for _ in local.alb_app_port : "HTTP"] + + # Ensure all arrays have the same length + alb_ports_ammount = min( + length(local.alb_listen_port), + length(local.alb_app_port), + length(local.alb_listen_protocol), + length(local.alb_app_protocol) + ) +} + + # Security group for ALB resource "aws_security_group" "alb_security_group" { name = var.aws_alb_security_group_name != "" ? var.aws_alb_security_group_name : "SG for ${var.aws_resource_identifier} - ALB" 
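Review bot: With a certificate present and `aws_alb_app_port` unset, `alb_app_port` inherits `[443]` from `alb_listen_port` while `alb_app_protocol` defaults to `"HTTP"`, so the target group would speak plain HTTP to port 443 on the instance; if the intended default is TLS termination at the ALB with a plaintext backend, the fallback should be a fixed port such as `[80]` rather than the listener port (the target-group resource is outside the hunk, so I cannot confirm how the app port is consumed). `alb_ports_ammount = min(...)` also silently drops entries when the four lists differ in length, e.g. two listen ports with one protocol yields one listener and no error; a `validation` block on the inputs, or a `precondition` that the four lengths match, would surface the misconfiguration instead of hiding it. The locals block is moved here unchanged, so both points predate this commit.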
@@ -325,24 +344,6 @@ POLICY } } -# Locals for ALB -locals { - alb_ssl_available = var.aws_certificates_selected_arn != "" ? true : false - - alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : (var.aws_certificates_selected_arn != "" ? [443] : [80]) - alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : (var.aws_certificates_selected_arn != "" ? ["HTTPS"] : ["HTTP"]) - alb_app_port = var.aws_alb_app_port != "" ? [for n in split(",", var.aws_alb_app_port) : tonumber(n)] : local.alb_listen_port - alb_app_protocol = var.aws_alb_app_protocol != "" ? [for n in split(",", var.aws_alb_app_protocol) : n] : [for _ in local.alb_app_port : "HTTP"] - - # Ensure all arrays have the same length - alb_ports_ammount = min( - length(local.alb_listen_port), - length(local.alb_app_port), - length(local.alb_listen_protocol), - length(local.alb_app_protocol) - ) -} - # Outputs output "aws_alb_dns_name" { value = aws_lb.vm_alb.dns_name From 7dbf8d41cf0826d97dd44410e49a910204a5dcc6 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 12:26:07 -0300 Subject: [PATCH 30/76] reorder conditionals --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 6edb0b302..b6bdc57c8 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -148,7 +148,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? 1 : 0 #&& var.aws_certificates_selected_arn != "" ? 1 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn != "" ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -169,7 +169,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !contains(local.alb_listen_port, 80) ? 1 : 0 # && var.aws_certificates_selected_arn == "" ? 1 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -185,7 +185,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !contains(local.alb_listen_port, 80) ? 1 : 0 #&& var.aws_certificates_selected_arn == "" ? 1 : 0 + count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -269,7 +269,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 443) ? 1 : 0 #&& local.alb_ssl_available ? 1 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn == "" ? !contains(local.alb_listen_port, 443) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" 
From 32151360bdd91f173d54f4056ada54db0b19a53d Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 12:33:35 -0300 Subject: [PATCH 31/76] Go for it --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index b6bdc57c8..40639c358 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -148,7 +148,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn != "" ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn != "" ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -169,7 +169,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" 
@@ -185,7 +185,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -269,7 +269,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn == "" ? !contains(local.alb_listen_port, 443) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn == "" ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" From a9015c621c410eb6539b08c500226a772234cadc Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 14:38:29 -0300 Subject: [PATCH 32/76] shotcut cert var --- operations/deployment/terraform/aws/bitovi_main.tf | 3 ++- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 8 ++++---- .../deployment/terraform/modules/aws/lb/aws_lb_vars.tf | 1 + 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 2c8a96928..679273188 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -177,12 +177,13 @@ module "aws_lb" { aws_r53_domain_name = var.aws_r53_domain_name # Certs #aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificate_enabled = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, "") # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - depends_on = [module.vpc, module.ec2, module.aws_certificates] + #depends_on = [module.vpc, module.ec2, module.aws_certificates] providers = { aws = aws.lb diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 40639c358..fed80f0a5 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -148,7 +148,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn != "" ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -169,7 +169,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" 
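Review bot: `aws_certificate_enabled = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false` is true as soon as the certificates module is instantiated, independently of whether `aws_certificates_selected_arn` on the next line resolved to a non-empty ARN, so the two inputs the lb module now receives can disagree; when they do, the listeners that this series gates on `aws_certificate_enabled` would be created with an empty certificate ARN. Deriving the flag from the value that is actually consumed, e.g. `aws_certificate_enabled = var.aws_r53_enable_cert && try(module.aws_certificates[0].selected_arn, "") != ""`, keeps one source of truth; the `? true : false` suffix is redundant on a boolean expression either way. The `depends_on` line is commented out rather than removed, leaving no record of why the explicit ordering added in PATCH 26 was dropped; a one-line comment such as `# no module-level depends_on: it makes every module output unknown at plan time and breaks the count expressions downstream` (if that is the reason) would help the next maintainer. The module block continues outside the hunk.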
@@ -185,7 +185,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && var.aws_certificates_selected_arn == "" ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -269,7 +269,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificates_selected_arn == "" ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf index d40533dc5..d3d1807a8 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb_vars.tf @@ -18,6 +18,7 @@ variable "aws_alb_access_log_expire" {} variable "aws_vpc_selected_id" {} variable "aws_vpc_subnet_selected" {} variable "aws_instance_server_id" {} +variable "aws_certificate_enabled" {} variable "aws_certificates_selected_arn" {} variable "aws_alb_target_sg_id" {} variable "aws_r53_domain_name" {} From 478ff592df2d57a3545e4ed29ac017466af49756 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 15:02:13 -0300 Subject: [PATCH 33/76] Adding promise --- .../deployment/terraform/modules/aws/lb/aws_lb.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
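Review bot: `variable "aws_certificate_enabled" {}` is declared with no `type` or `description`, which matches its neighbours but leaves the flag that gates every TLS listener untyped; `type = bool` with a short description would make Terraform reject anything but a boolean at plan time rather than inside a `count` expression. The same applies to the surrounding declarations, though those are outside this change.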
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index fed80f0a5..9523375d7 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -114,7 +114,7 @@ resource "null_resource" "http_redirect_dep" { # Listeners for ALB resource "aws_alb_listener" "lb_listener_ssl" { - count = local.alb_ssl_available ? local.alb_ports_ammount : 0 + count = var.aws_certificate_enabled ? local.alb_ports_ammount : 0 load_balancer_arn = aws_lb.vm_alb.arn port = local.alb_listen_port[count.index] protocol = local.alb_listen_protocol[count.index] @@ -133,7 +133,7 @@ resource "aws_alb_listener" "lb_listener_ssl" { } resource "aws_alb_listener" "lb_listener" { - count = local.alb_ssl_available ? 0 : local.alb_ports_ammount + count = var.aws_certificate_enabled ? 0 : local.alb_ports_ammount load_balancer_arn = aws_lb.vm_alb.arn port = local.alb_listen_port[count.index] protocol = local.alb_listen_protocol[count.index] @@ -185,7 +185,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" 
@@ -206,7 +206,7 @@ resource "aws_alb_listener" "http_www_redirect" { } resource "aws_lb_listener_rule" "http_forward_apex" { - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !local.alb_ssl_available && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 listener_arn = aws_alb_listener.http_www_redirect[0].arn priority = 20 @@ -223,8 +223,8 @@ resource "aws_lb_listener_rule" "http_forward_apex" { } resource "aws_lb_listener_rule" "redirect_www_to_apex" { - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (local.alb_ssl_available ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - listener_arn = local.alb_ssl_available ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_www_redirect[0].arn + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_www_redirect[0].arn priority = 10 condition { From b472a44dd382d353de78c90742f892e4c8a14c16 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 15:14:38 -0300 Subject: [PATCH 34/76] Rolling back contains --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 9523375d7..a60e25d30 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
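Review bot: After this hunk, `local.alb_ssl_available` is no longer referenced by any listener or rule in the visible hunks, yet it stays defined from `var.aws_certificates_selected_arn != ""` while the counts use `var.aws_certificate_enabled`; either delete the local or redefine it as `alb_ssl_available = var.aws_certificate_enabled` so the file does not carry two different answers to "is TLS on". In `redirect_www_to_apex`, the certificate branch attaches the rule to `aws_alb_listener.https_redirect[0]`, and once PATCH 34 restores the `!contains(local.alb_listen_port, 443)` guard on that listener its count is zero whenever 443 is a configured listen port; the `length(...) > 0` guard then silently yields count 0, so the www-to-apex redirect is skipped rather than attached to the `lb_listener_ssl` entry that actually serves 443. A precondition, or at least a comment stating that www-to-apex redirection relies on the auto-created 443 listener, would make that gap visible. `http_www_redirect` also receives the nested `? !contains(...) ? 1 : 0 : 0` form here while its siblings keep the trailing comment, which is inconsistent.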
@@ -148,7 +148,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -169,7 +169,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -269,7 +269,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 443) ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" From e0f0226f6f0c05784c874dba58b691e28d53c721 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 10 Dec 2025 17:40:42 -0300 Subject: [PATCH 35/76] strip list --- .../deployment/terraform/modules/aws/lb/aws_lb.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index a60e25d30..2f52755eb 100644 
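Review bot: The restored `&& !contains(local.alb_listen_port, 80)` now appears twice on each changed line, once live and once in the trailing `#!contains(local.alb_listen_port, 80) ? 1 : 0 : 0` comment that PATCH 31 left behind; the comment is stale and should be deleted in all three resources (the same lines in PATCH 35 and PATCH 37 carry it forward). `http_www_redirect` is not touched here and keeps the nested ternary from PATCH 33, so the four redirect listeners now express the same guard in two styles; the flat `&& !contains(...)` form used here reads better and should be applied there too.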
--- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -2,6 +2,8 @@ locals { alb_ssl_available = var.aws_certificates_selected_arn != "" ? true : false + alb_listen_port_list = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : [] + alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : var.aws_certificates_selected_arn != "" ? [443] : [80] alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : var.aws_certificates_selected_arn != "" ? ["HTTPS"] : ["HTTP"] alb_app_port = var.aws_alb_app_port != "" ? [for n in split(",", var.aws_alb_app_port) : tonumber(n)] : local.alb_listen_port @@ -148,7 +150,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port_list, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -169,7 +171,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port_list, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" 
@@ -185,7 +187,7 @@ resource "aws_alb_listener" "http_forward" { } resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port_list, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -269,7 +271,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 443) ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port_list, 443) ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" From bdbc737bc6723c1bbc3764376d08592961f162d5 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Thu, 11 Dec 2025 09:25:02 -0300 Subject: [PATCH 36/76] Avoid dupe rule creation --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 2f52755eb..cf93f0809 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -250,7 +250,7 @@ resource "aws_lb_listener_rule" "redirect_www_to_apex" { } resource "aws_security_group_rule" "incoming_alb_http" { - count = length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) + count = !contains(local.alb_listen_port_list, 80) ? length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0 type = "ingress" from_port = 80 to_port = 80 @@ -260,7 +260,7 @@ resource "aws_security_group_rule" "incoming_alb_http" { } resource "aws_security_group_rule" "incoming_alb_https" { - count = length(aws_alb_listener.https_redirect) + count = !contains(local.alb_listen_port_list, 443) ? length(aws_alb_listener.https_redirect) : 0 type = "ingress" from_port = 443 to_port = 443 From 41c6d0d19be5e2ddb956de6ccb884740fbb96c31 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Thu, 11 Dec 2025 10:12:27 -0300 Subject: [PATCH 37/76] Fix list check --- .../terraform/modules/aws/lb/aws_lb.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index cf93f0809..1901e322a 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
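Review bot: The new outer guard `!contains(local.alb_listen_port_list, 80) ? ... : 0` wraps a sum of listener counts that each already carry the same `!contains(..., 80)` condition after PATCH 33 and PATCH 34, so as written it cannot change the result; if the intent is to avoid colliding with an ingress rule created elsewhere for the user-specified listen ports, that rule is outside the hunk and a comment naming it, e.g. `# port 80/443 ingress for configured listen ports is opened by the listener rule; these rules only cover the auto-created redirect listeners`, would explain the guard. The same applies to the `incoming_alb_https` hunk below it. Note that `alb_listen_port_list` is `[]` whenever the user leaves ports unset, so in the default no-certificate case `lb_listener` and `http_forward` both target port 80 at this commit; PATCH 37 already moves the checks back to `alb_listen_port`.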
@@ -4,8 +4,8 @@ locals { alb_listen_port_list = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : [] - alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : var.aws_certificates_selected_arn != "" ? [443] : [80] - alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : var.aws_certificates_selected_arn != "" ? ["HTTPS"] : ["HTTP"] + alb_listen_port = var.aws_alb_listen_port != "" ? [for n in split(",", var.aws_alb_listen_port) : tonumber(n)] : var.aws_certificate_enabled ? [443] : [80] + alb_listen_protocol = var.aws_alb_listen_protocol != "" ? [for n in split(",", var.aws_alb_listen_protocol) : n] : var.aws_certificate_enabled ? ["HTTPS"] : ["HTTP"] alb_app_port = var.aws_alb_app_port != "" ? [for n in split(",", var.aws_alb_app_port) : tonumber(n)] : local.alb_listen_port alb_app_protocol = var.aws_alb_app_protocol != "" ? [for n in split(",", var.aws_alb_app_protocol) : n] : [for _ in local.alb_app_port : "HTTP"] @@ -150,7 +150,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port_list, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" 
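Review bot: `alb_listen_port_list` is left in the locals block although every consumer in this commit switches back to `local.alb_listen_port`, so it is now dead; deleting it removes the chance of the next reader reaching for the empty-by-default list again. The defaults in this hunk now derive from `var.aws_certificate_enabled`, while `alb_ssl_available` above the hunk still derives from `var.aws_certificates_selected_arn != ""`; if the two module inputs ever disagree, the listener protocol defaults and the TLS local will contradict each other, so the local should follow the same flag, e.g. `alb_ssl_available = var.aws_certificate_enabled`. The locals block continues outside the hunk.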
@@ -171,7 +171,7 @@ resource "aws_alb_listener" "http_redirect" {
 }
 resource "aws_alb_listener" "http_forward" {
- count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port_list, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0
+ count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0
 load_balancer_arn = aws_lb.vm_alb.arn
 port = "80"
 protocol = "HTTP"
@@ -187,7 +187,7 @@ resource "aws_alb_listener" "http_forward" {
 }
 resource "aws_alb_listener" "http_www_redirect" {
- count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port_list, 80) ? 1 : 0 : 0
+ count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0
 load_balancer_arn = aws_lb.vm_alb.arn
 port = "80"
 protocol = "HTTP"
@@ -250,7 +250,7 @@ resource "aws_lb_listener_rule" "redirect_www_to_apex" {
 }
 resource "aws_security_group_rule" "incoming_alb_http" {
- count = !contains(local.alb_listen_port_list, 80) ? length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0
+ count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0
 type = "ingress"
 from_port = 80
 to_port = 80
@@ -260,7 +260,7 @@ resource "aws_security_group_rule" "incoming_alb_http" {
 }
 resource "aws_security_group_rule" "incoming_alb_https" {
- count = !contains(local.alb_listen_port_list, 443) ? length(aws_alb_listener.https_redirect) : 0
+ count = !contains(local.alb_listen_port, 443) ? length(aws_alb_listener.https_redirect) : 0
 type = "ingress"
 from_port = 443
 to_port = 443
@@ -271,7 +271,7 @@ resource "aws_security_group_rule" "incoming_alb_https" {
 ###
 resource "aws_alb_listener" "https_redirect" {
- count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port_list, 443) ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0
+ count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 443) ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0
 load_balancer_arn = aws_lb.vm_alb.arn
 port = "443"
 protocol = "HTTPS"
From 078ac0a341f3c56c1ac795d8dab434b0ec37bb37 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Thu, 11 Dec 2025 17:36:40 -0300
Subject: [PATCH 38/76] Dual lb
---
 .../deployment/terraform/aws/bitovi_main.tf | 23 +------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 679273188..6ec7ffb57 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -99,30 +99,9 @@ module "aws_route53" {
 }
 }
-#module "aws_route53_lb" {
-# source = "../modules/aws/route53"
-# count = var.aws_ec2_instance_create && var.aws_r53_enable && var.aws_r53_domain_name != "" && var.aws_alb_create ? 1 : 0
-# # R53 values
-# aws_r53_domain_name = var.aws_r53_domain_name
-# aws_r53_sub_domain_name = var.aws_r53_sub_domain_name
-# aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy
-# aws_r53_enable_cert = var.aws_r53_enable_cert
-# # ELB
-# aws_elb_dns_name = module.aws_lb[0].aws_alb_dns_name
-# aws_elb_zone_id = module.aws_lb[0].aws_alb_zone_id
-# # Certs
-# aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
-# # Others
-# fqdn_provided = local.fqdn_provided
-#
-# providers = {
-# aws = aws.r53
-# }
-#}
-
 module "aws_elb" {
 source = "../modules/aws/elb"
- count = var.aws_ec2_instance_create && var.aws_elb_create && !var.aws_alb_create ? 1 : 0
+ count = var.aws_ec2_instance_create && var.aws_elb_create ? 1 : 0
 # ELB Values
 aws_elb_security_group_name = var.aws_elb_security_group_name
 aws_elb_app_port = var.aws_elb_app_port
From ed793ba8a7dd5b0b2d373113adc64ee3aafd47e8 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Thu, 11 Dec 2025 18:04:30 -0300
Subject: [PATCH 39/76] Fix outputs
---
 operations/deployment/terraform/aws/bitovi_main.tf | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 6ec7ffb57..b74ca94d9 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
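Review bot: Dropping `!var.aws_alb_create` from the `aws_elb` count lets a classic ELB and the ALB be created side by side, but the WAF web ACL in this tree is attached to the ALB only (`aws_waf_ec2_alb` is fed `module.aws_lb[0].aws_lb_resource_arn`, and the README describes `aws_waf_enable` as "LB only - NOT ELB"), so in a dual deployment the ELB is a second public path to what is presumably the same instance that bypasses every WAF rule. If coexistence is intended, say so next to the count, e.g. `# ELB and ALB may coexist; WAF is attached to the ALB only, so the ELB path is unfiltered`, and consider a `precondition` that rejects `aws_elb_create && aws_alb_create && aws_waf_enable` unless the operator opts in explicitly. The `aws_elb` module block continues outside the hunk.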
@@ -155,7 +155,6 @@ module "aws_lb" {
 aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id
 aws_r53_domain_name = var.aws_r53_domain_name
 # Certs
- #aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
 aws_certificate_enabled = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false
 aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, "")
 # Others
@@ -787,11 +786,13 @@ locals {
 ) : false
 )
+ protocol = var.aws_r53_enable_cert ? module.aws_certificates[0].selected_arn != "" ? "https://" : "http://" : "http://"
 create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false)
 ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null
 ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null
- ec2_endpoint = var.aws_ec2_instance_create ? (local.ec2_public_endpoint != null ? "http://${local.ec2_public_endpoint}" : "http://${local.ec2_private_endpoint}") : null
- elb_url = try(module.aws_elb[0].aws_elb_dns_name, null) != null ? "http://${module.aws_elb[0].aws_elb_dns_name}" : null
+ ec2_endpoint = var.aws_ec2_instance_create ? (local.ec2_public_endpoint != null ? "${local.protocol}${local.ec2_public_endpoint}" : "${local.protocol}${local.ec2_private_endpoint}") : null
+ elb_url = try(module.aws_elb[0].aws_elb_dns_name, null) != null ? "${local.protocol}${module.aws_elb[0].aws_elb_dns_name}" : null
+ alb_url = try(module.aws_alb[0].aws_alb_dns_name, null) != null ? "${local.protocol}${module.aws_alb[0].aws_alb_dns_name}" : null
 }
 # VPC
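Review bot: `local.protocol` now prefixes `ec2_endpoint`, `elb_url` and `alb_url` with `https://` whenever an ACM certificate is selected, but those three URLs are built from raw instance and load-balancer DNS names that a certificate issued for the Route53 domain does not cover, and nothing here shows the instance itself terminating TLS (the lb module's `alb_app_protocol` defaults to HTTP), so a user following these outputs gets a certificate-name mismatch or a refused connection. Keep `http://` for the DNS-name fallbacks and reserve `local.protocol` for the Route53-backed `vm_url`, or at least document next to `protocol` that the fallback URLs are only valid through the custom domain: `# https only applies to the Route53 name; raw DNS-name URLs are not covered by the certificate`. The `locals` block continues outside the hunk.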
@@ -839,13 +840,18 @@ output "aws_elb_dns_name" {
 value = try(module.aws_elb[0].aws_elb_dns_name, null)
 }
+output "aws_alb_dns_name" {
+ description = "Public DNS address of the ALB"
+ value = try(module.aws_alb[0].aws_alb_dns_name, null)
+}
+
 output "application_public_dns" {
 description = "Public DNS address for the application or load balancer public DNS"
 value = try(module.aws_route53[0].vm_url, null)
 }
 output "vm_url" {
- value = try(module.aws_route53[0].vm_url, local.elb_url)
+ value = try(module.aws_route53[0].vm_url, local.alb_url, local.elb_url)
 }
 # EFS
From 5470e4fa69cee59f16db00dfcdfd07b83838130f Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Thu, 11 Dec 2025 18:50:23 -0300
Subject: [PATCH 40/76] Fix module name
---
 operations/deployment/terraform/aws/bitovi_main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index b74ca94d9..d81527705 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -792,7 +792,7 @@ locals {
 ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null
 ec2_endpoint = var.aws_ec2_instance_create ? (local.ec2_public_endpoint != null ? "${local.protocol}${local.ec2_public_endpoint}" : "${local.protocol}${local.ec2_private_endpoint}") : null
 elb_url = try(module.aws_elb[0].aws_elb_dns_name, null) != null ? "${local.protocol}${module.aws_elb[0].aws_elb_dns_name}" : null
- alb_url = try(module.aws_alb[0].aws_alb_dns_name, null) != null ? "${local.protocol}${module.aws_alb[0].aws_alb_dns_name}" : null
+ alb_url = try(module.aws_lb[0].aws_alb_dns_name, null) != null ? "${local.protocol}${module.aws_lb[0].aws_alb_dns_name}" : null
 }
 # VPC
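Review bot: `try(module.aws_route53[0].vm_url, local.alb_url, local.elb_url)` in `vm_url` never falls through to `local.elb_url`: `try` returns the first argument that evaluates without an error, and `local.alb_url` evaluates to `null` rather than erroring when there is no ALB, so an ELB-only deployment now outputs `vm_url = null` where it previously produced the ELB URL. Null handling belongs to `coalesce`, so `value = try(coalesce(try(module.aws_route53[0].vm_url, null), local.alb_url, local.elb_url), null)` keeps the intended Route53, then ALB, then ELB order while still yielding `null` when none exists.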
@@ -842,7 +842,7 @@ output "aws_elb_dns_name" {
 output "aws_alb_dns_name" {
 description = "Public DNS address of the ALB"
- value = try(module.aws_alb[0].aws_alb_dns_name, null)
+ value = try(module.aws_lb[0].aws_alb_dns_name, null)
 }
 output "application_public_dns" {
From 22e2849e79f1d2d6de856589c8add555659b41ff Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Thu, 11 Dec 2025 19:01:14 -0300
Subject: [PATCH 41/76] Try arn
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index d81527705..c2a6407d7 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -786,7 +786,7 @@ locals {
 ) : false
 )
- protocol = var.aws_r53_enable_cert ? module.aws_certificates[0].selected_arn != "" ? "https://" : "http://" : "http://"
+ protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn,"") != "" ? "https://" : "http://" : "http://"
 create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false)
 ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null
 ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null
From 3bc2c9a27c360cdfd52a85630f8eeef3caa621a3 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Fri, 12 Dec 2025 10:51:04 -0300
Subject: [PATCH 42/76] Adding README and rules priorities variables
---
 README.md | 67 ++++++++++++----
 action.yaml | 52 ++++++++++++
 .../deployment/terraform/aws/aws_variables.tf | 78 ++++++++++++++++++
 .../deployment/terraform/aws/bitovi_main.tf | 80 ++++++++++++-------
 .../terraform/modules/aws/waf/aws_waf.tf | 26 +++---
 .../terraform/modules/aws/waf/aws_waf_vars.tf | 39 ++++++---
 6 files changed, 274 insertions(+), 68 deletions(-)
diff --git a/README.md b/README.md
index dbb15d0bb..59dbd544b 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,8 @@ jobs:
 1. [EC2](#ec2-inputs)
 1. [VPC](#vpc-inputs)
 1. [AWS Route53 Domains and Certificates](#aws-route53-domains-and-certificate-inputs)
-1. [Load Balancer](#load-balancer-inputs)
+1. [Load Balancer](#load-balancer-inputs-classic-elb)
+1. [Application Load Balancer Inputs (ALB)](#application-load-balancer-inputs-alb)
 1. [WAF](#waf)
 1. [EFS](#efs-inputs)
 1. [RDS](#rds-inputs)
@@ -195,7 +196,7 @@ The following inputs can be used as `step.with` keys

-#### **Load Balancer Inputs**
+#### **Load Balancer Inputs (Classic ELB)**
 | Name | Type | Description |
 |------------------|---------|------------------------------------|
 | `aws_elb_create` | Boolean | Toggles the creation of a load balancer and map ports to the EC2 instance. Defaults to `false`.|
@@ -211,25 +212,61 @@ The following inputs can be used as `step.with` keys

+#### **Application Load Balancer Inputs (ALB)** +| Name | Type | Description | +|------------------|---------|------------------------------------| +| `aws_alb_create` | Boolean | Global toggle for ALB creation. Defaults to `false` | +| `aws_alb_security_group_name` | String | Name of the security group to use for ALB. Defaults to `` | +| `aws_alb_app_port` | String | Comma-separated list of application ports for ALB target group. Defaults to `` | +| `aws_alb_app_protocol` | String | Comma-separated list of protocols for ALB target group (HTTP/HTTPS). Defaults to `` | +| `aws_alb_listen_port` | String | Comma-separated list of listener ports for ALB. Defaults to `` | +| `aws_alb_listen_protocol` | String | Comma-separated list of listener protocols for ALB (HTTP/HTTPS). Defaults to `""` | +| `aws_alb_redirect_enable` | Boolean | Enable HTTP to HTTPS redirection on ALB. Defaults to `false` | +| `aws_alb_www_to_apex_redirect` | Boolean | Enable www to apex domain redirection on ALB. Defaults to `false` | +# Healthcheck +| `aws_alb_healthcheck_path` | String | Health check path for ALB target group. Defaults to `"/"` | +| `aws_alb_healthcheck_protocol` | String | Health check protocol for ALB target group. Defaults to `"HTTP"` | +| `aws_alb_ssl_policy` | String | SSL policy for HTTPS listeners. Defaults to `null` | +| `aws_alb_additional_tags`| String | A list of strings that will be added to created resources. Example: `{"key1": "value1", "key2": "value2"}`. Default `"{}"` | + + +| `aws_alb_additional_tags` |description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' + required: false +
+
+ #### **WAF** | Name | Type | Description | |------------------|---------|------------------------------------| | `aws_waf_enable` | Boolean | Enable WAF for load balancer (LB only - NOT ELB). Default is `false` | | `aws_waf_logging_enable`| Boolean | Enable WAF logging to CloudWatch. Default `false` | | `aws_waf_log_retention_days`| Number | CloudWatch log retention period for WAF logs. Default `30` | -| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000` | -| `aws_waf_rule_managed_rules`| Boolean | Enable common managed rule groups to use. Default `false` | -| `aws_waf_rule_managed_bad_inputs`| Boolean | Enable managed rule for bad inputs. Default `false` | -| `aws_waf_rule_ip_reputation`| Boolean | Enable managed rule for IP reputation. Default `false` | -| `aws_waf_rule_anonymous_ip`| Boolean | Enable managed rule for anonymous IP. Default `false` | -| `aws_waf_rule_bot_control`| Boolean | Enable managed rule for bot control (costs extra). Default `false` | -| `aws_waf_rule_geo_block_countries`| String | Comma separated list of countries to block. | -| `aws_waf_rule_geo_allow_only_countries`| String | Comma separated list of countries to allow. | -| `aws_waf_rule_sqli`| Boolean | Enable managed rule for SQL injection. Default `false` | -| `aws_waf_rule_linux`| Boolean | Enable managed rule for Linux. Default `false` | -| `aws_waf_rule_unix`| Boolean | Enable managed rule for Unix. Default `false` | -| `aws_waf_rule_admin_protection`| Boolean | Enable managed rule for admin protection. Default `false` | -| `aws_waf_rule_user_arn`| String | String of the user created ARN set of rules. | +| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000`. | +| `aws_waf_rule_rate_limit_priority` | Number | Priority for rate limit rule. Defaults to `10`. | +| `aws_waf_rule_managed_rules` | Boolean | Enable common managed rule groups to use. Defaults to `false`. 
| +| `aws_waf_rule_managed_rules_priority` | Number | Priority for managed rules. Defaults to `20`. | +| `aws_waf_rule_managed_bad_inputs` | Boolean | Enable managed rule for bad inputs. Defaults to `false`. | +| `aws_waf_rule_managed_bad_inputs_priority` | Number | Priority for bad inputs rule. Defaults to `30`. | +| `aws_waf_rule_ip_reputation` | Boolean | Enable managed rule for IP reputation. Defaults to `false`. | +| `aws_waf_rule_ip_reputation_priority` | Number | Priority for IP reputation rule. Defaults to `40`. | +| `aws_waf_rule_anonymous_ip` | Boolean | Enable managed rule for anonymous IP. Defaults to `false`. | +| `aws_waf_rule_anonymous_ip_priority` | Number | Priority for anonymous IP rule. Defaults to `50`. | +| `aws_waf_rule_bot_control` | Boolean | Enable managed rule for bot control (costs extra). Defaults to `false`. | +| `aws_waf_rule_bot_control_priority` | Number | Priority for bot control rule. Defaults to `60`. | +| `aws_waf_rule_geo_block_countries` | String | Comma separated list of countries to block. Defaults to ``. | +| `aws_waf_rule_geo_block_countries_priority` | Number | Priority for geo block countries rule. Defaults to `70`. | +| `aws_waf_rule_geo_allow_only_countries` | String | Comma separated list of countries to allow. Defaults to ``. | +| `aws_waf_rule_geo_allow_only_countries_priority` | Number | Priority for geo allow only countries rule. Defaults to `75`. | +| `aws_waf_rule_sqli` | Boolean | Enable managed rule for SQL injection. Defaults to `false`. | +| `aws_waf_rule_sqli_priority` | Number | Priority for SQL injection rule. Defaults to `85`. | +| `aws_waf_rule_linux` | Boolean | Enable managed rule for Linux. Defaults to `false`. | +| `aws_waf_rule_linux_priority` | Number | Priority for Linux rule. Defaults to `90`. | +| `aws_waf_rule_unix` | Boolean | Enable managed rule for Unix. Defaults to `false`. | +| `aws_waf_rule_unix_priority` | Number | Priority for Unix rule. Defaults to `95`. 
| +| `aws_waf_rule_admin_protection` | Boolean | Enable managed rule for admin protection. Defaults to `false`. | +| `aws_waf_rule_admin_protection_priority` | Number | Priority for admin protection rule. Defaults to `100`. | +| `aws_waf_rule_user_arn` | String | ARN of the user rule. Defaults to ``. | +| `aws_waf_rule_user_arn_priority` | Number | Priority for user ARN rule. Defaults to `80`. | | `aws_waf_additional_tags`| String | A list of strings that will be added to created resources. Default `"{}"` |

diff --git a/action.yaml b/action.yaml
index 0f7bb4f35..839bdec41 100644
--- a/action.yaml
+++ b/action.yaml
@@ -340,42 +340,81 @@ inputs:
 aws_waf_rule_rate_limit:
 description: 'Rate limit for WAF rules.'
 required: false
+ aws_waf_rule_rate_limit_priority:
+ description: 'Priority for rate limit rule.'
+ required: false
 aws_waf_rule_managed_rules:
 description: 'Enable common managed rule groups to use.'
 required: false
+ aws_waf_rule_managed_rules_priority:
+ description: 'Priority for managed rules group.'
+ required: false
 aws_waf_rule_managed_bad_inputs:
 description: 'Enable managed rule for bad inputs.'
 required: false
+ aws_waf_rule_managed_bad_inputs_priority:
+ description: 'Priority for bad inputs managed rule.'
+ required: false
 aws_waf_rule_ip_reputation:
 description: 'Enable managed rule for IP reputation.'
 required: false
+ aws_waf_rule_ip_reputation_priority:
+ description: 'Priority for IP reputation managed rule.'
+ required: false
 aws_waf_rule_anonymous_ip:
 description: 'Enable managed rule for anonymous IP.'
 required: false
+ aws_waf_rule_anonymous_ip_priority:
+ description: 'Priority for anonymous IP managed rule.'
+ required: false
 aws_waf_rule_bot_control:
 description: 'Enable managed rule for bot control (costs extra).'
 required: false
+ aws_waf_rule_bot_control_priority:
+ description: 'Priority for bot control managed rule.'
+ required: false
 aws_waf_rule_geo_block_countries:
 description: 'Comma separated list of countries to block.'
 required: false
+ aws_waf_rule_geo_block_countries_priority:
+ description: 'Priority for geo block countries managed rule.'
+ required: false
 aws_waf_rule_geo_allow_only_countries:
 description: 'Comma separated list of countries to allow.'
 required: false
+ aws_waf_rule_geo_allow_only_countries_priority:
+ description: 'Priority for geo allow only countries managed rule.'
+ required: false
 aws_waf_rule_sqli:
 description: 'Enable managed rule for SQL injection.'
 required: false
+ aws_waf_rule_sqli_priority:
+ description: 'Priority for SQL injection managed rule.'
+ required: false
 aws_waf_rule_linux:
 description: 'Enable managed rule for Linux.'
 required: false
+ aws_waf_rule_linux_priority:
+ description: 'Priority for Linux managed rule.'
+ required: false
 aws_waf_rule_unix:
 description: 'Enable managed rule for Unix.'
 required: false
+ aws_waf_rule_unix_priority:
+ description: 'Priority for Unix managed rule.'
+ required: false
 aws_waf_rule_admin_protection:
 description: 'Enable managed rule for admin protection.'
 required: false
+ aws_waf_rule_admin_protection_priority:
+ description: 'Priority for admin protection managed rule.'
+ required: false
 aws_waf_rule_user_arn:
 description: 'ARN of the user rule.'
 required: false
+ aws_waf_rule_user_arn_priority:
+ description: 'Priority for user defined rule.'
+ required: false
 aws_waf_additional_tags:
 description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
 required: false
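Review bot: The new `*_priority` input descriptions say only which rule they order; they do not state the default applied when the input is left empty (10, 20, … per the variables added in the same patch) nor that AWS WAF requires every rule in a web ACL to carry a distinct priority, so a user who overrides one value onto a default used by another enabled rule only finds out at apply time. Extend each description along the lines of `description: 'Priority for rate limit rule. Lower values run first; must be unique among the enabled WAF rules. Defaults to 10.'`.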
@@ -1377,18 +1416,31 @@ runs:
 AWS_WAF_LOG_RETENTION_DAYS: ${{ inputs.aws_waf_log_retention_days }}
 AWS_WAF_ADDITIONAL_TAGS: ${{ inputs.aws_waf_additional_tags }}
 AWS_WAF_RULE_RATE_LIMIT: ${{ inputs.aws_waf_rule_rate_limit }}
+ AWS_WAF_RULE_RATE_LIMIT_PRIORITY: ${{ inputs.aws_waf_rule_rate_limit_priority }}
 AWS_WAF_RULE_MANAGED_RULES: ${{ inputs.aws_waf_rule_managed_rules }}
+ AWS_WAF_RULE_MANAGED_RULES_PRIORITY: ${{ inputs.aws_waf_rule_managed_rules_priority }}
 AWS_WAF_RULE_MANAGED_BAD_INPUTS: ${{ inputs.aws_waf_rule_managed_bad_inputs }}
+ AWS_WAF_RULE_MANAGED_BAD_INPUTS_PRIORITY: ${{ inputs.aws_waf_rule_managed_bad_inputs_priority }}
 AWS_WAF_RULE_IP_REPUTATION: ${{ inputs.aws_waf_rule_ip_reputation }}
+ AWS_WAF_RULE_IP_REPUTATION_PRIORITY: ${{ inputs.aws_waf_rule_ip_reputation_priority }}
 AWS_WAF_RULE_ANONYMOUS_IP: ${{ inputs.aws_waf_rule_anonymous_ip }}
+ AWS_WAF_RULE_ANONYMOUS_IP_PRIORITY: ${{ inputs.aws_waf_rule_anonymous_ip_priority }}
 AWS_WAF_RULE_BOT_CONTROL: ${{ inputs.aws_waf_rule_bot_control }}
+ AWS_WAF_RULE_BOT_CONTROL_PRIORITY: ${{ inputs.aws_waf_rule_bot_control_priority }}
 AWS_WAF_RULE_GEO_BLOCK_COUNTRIES: ${{ inputs.aws_waf_rule_geo_block_countries }}
+ AWS_WAF_RULE_GEO_BLOCK_COUNTRIES_PRIORITY: ${{ inputs.aws_waf_rule_geo_block_countries_priority }}
 AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES: ${{ inputs.aws_waf_rule_geo_allow_only_countries }}
+ AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES_PRIORITY: ${{ inputs.aws_waf_rule_geo_allow_only_countries_priority }}
 AWS_WAF_RULE_USER_ARN: ${{ inputs.aws_waf_rule_user_arn }}
+ AWS_WAF_RULE_USER_ARN_PRIORITY: ${{ inputs.aws_waf_rule_user_arn_priority }}
 AWS_WAF_RULE_SQLI: ${{ inputs.aws_waf_rule_sqli }}
+ AWS_WAF_RULE_SQLI_PRIORITY: ${{ inputs.aws_waf_rule_sqli_priority }}
 AWS_WAF_RULE_LINUX: ${{ inputs.aws_waf_rule_linux }}
+ AWS_WAF_RULE_LINUX_PRIORITY: ${{ inputs.aws_waf_rule_linux_priority }}
 AWS_WAF_RULE_UNIX: ${{ inputs.aws_waf_rule_unix }}
+ AWS_WAF_RULE_UNIX_PRIORITY: ${{ inputs.aws_waf_rule_unix_priority }}
 AWS_WAF_RULE_ADMIN_PROTECTION: ${{ inputs.aws_waf_rule_admin_protection }}
+ AWS_WAF_RULE_ADMIN_PROTECTION_PRIORITY: ${{ inputs.aws_waf_rule_admin_protection_priority }}
 # AWS EFS
 AWS_EFS_CREATE: ${{ inputs.aws_efs_create }}
diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf
index 6246d7f97..1ed683682 100644
--- a/operations/deployment/terraform/aws/aws_variables.tf
+++ b/operations/deployment/terraform/aws/aws_variables.tf
@@ -451,78 +451,156 @@ variable "aws_waf_rule_rate_limit" {
 default = "2000"
 }
+variable "aws_waf_rule_rate_limit_priority" {
+ type = number
+ description = "Priority for rate limit rule"
+ default = 10
+}
+
 variable "aws_waf_rule_managed_rules" {
 type = bool
 description = "Enable common managed rule groups to use"
 default = false
 }
+variable "aws_waf_rule_managed_rules_priority" {
+ type = number
+ description = "Priority for managed rules"
+ default = 20
+}
+
 variable "aws_waf_rule_managed_bad_inputs" {
 type = bool
 description = "Enable managed rule for bad inputs"
 default = false
 }
+variable "aws_waf_rule_managed_bad_inputs_priority" {
+ type = number
+ description = "Priority for bad inputs rule"
+ default = 30
+}
+
 variable "aws_waf_rule_ip_reputation" {
 type = bool
 description = "Enable managed rule for IP reputation"
 default = false
 }
+variable "aws_waf_rule_ip_reputation_priority" {
+ type = number
+ description = "Priority for IP reputation rule"
+ default = 40
+}
+
 variable "aws_waf_rule_anonymous_ip" {
 type = bool
 description = "Enable managed rule for anonymous IP"
 default = false
 }
+variable "aws_waf_rule_anonymous_ip_priority" {
+ type = number
+ description = "Priority for anonymous IP rule"
+ default = 50
+}
+
 variable "aws_waf_rule_bot_control" {
 type = bool
 description = "Enable managed rule for bot control (costs extra)"
 default = false
 }
+variable "aws_waf_rule_bot_control_priority" {
+ type = number
+ description = "Priority for bot control rule"
+ default = 60
+}
+
 variable "aws_waf_rule_geo_block_countries" {
 type = string
 description = "Comma separated list of countries to block"
 default = ""
 }
+variable "aws_waf_rule_geo_block_countries_priority" {
+ type = number
+ description = "Priority for geo block countries rule"
+ default = 70
+}
+
 variable "aws_waf_rule_geo_allow_only_countries" {
 type = string
 description = "Comma separated list of countries to allow"
 default = ""
 }
+variable "aws_waf_rule_geo_allow_only_countries_priority" {
+ type = number
+ description = "Priority for geo allow only countries rule"
+ default = 75
+}
+
 variable "aws_waf_rule_sqli" {
 type = bool
 description = "Enable managed rule for SQL injection"
 default = false
 }
+variable "aws_waf_rule_sqli_priority" {
+ type = number
+ description = "Priority for SQL injection rule"
+ default = 85
+}
+
 variable "aws_waf_rule_linux" {
 type = bool
 description = "Enable managed rule for Linux"
 default = false
 }
+variable "aws_waf_rule_linux_priority" {
+ type = number
+ description = "Priority for Linux rule"
+ default = 90
+}
+
 variable "aws_waf_rule_unix" {
 type = bool
 description = "Enable managed rule for Unix"
 default = false
 }
+variable "aws_waf_rule_unix_priority" {
+ type = number
+ description = "Priority for Unix rule"
+ default = 95
+}
+
 variable "aws_waf_rule_admin_protection" {
 type = bool
 description = "Enable managed rule for admin protection"
 default = false
 }
+variable "aws_waf_rule_admin_protection_priority" {
+ type = number
+ description = "Priority for admin protection rule"
+ default = 100
+}
+
 variable "aws_waf_rule_user_arn" {
 type = string
 description = "ARN of the user rule"
 default = ""
 }
+variable "aws_waf_rule_user_arn_priority" {
+ type = number
+ description = "Priority for user ARN rule"
+ default = 80
+}
+
 # AWS EFS
 ### This variable is hidden for the end user. Is built in deploy.sh based on the next 3 variables.
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index c2a6407d7..66db0b88a 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -176,19 +176,32 @@ module "aws_waf_ec2_alb" {
 aws_waf_log_retention_days = var.aws_waf_log_retention_days
 aws_resource_identifier = var.aws_resource_identifier
 # Rules
- aws_waf_rule_rate_limit = var.aws_waf_rule_rate_limit
- aws_waf_rule_managed_rules = var.aws_waf_rule_managed_rules
- aws_waf_rule_managed_bad_inputs = var.aws_waf_rule_managed_bad_inputs
- aws_waf_rule_ip_reputation = var.aws_waf_rule_ip_reputation
- aws_waf_rule_anonymous_ip = var.aws_waf_rule_anonymous_ip
- aws_waf_rule_bot_control = var.aws_waf_rule_bot_control
- aws_waf_rule_geo_block_countries = var.aws_waf_rule_geo_block_countries
- aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
- aws_waf_rule_user_arn = var.aws_waf_rule_user_arn
- aws_waf_rule_sqli = var.aws_waf_rule_sqli
- aws_waf_rule_linux = var.aws_waf_rule_linux
- aws_waf_rule_unix = var.aws_waf_rule_unix
- aws_waf_rule_admin_protection = var.aws_waf_rule_admin_protection
+ aws_waf_rule_rate_limit = var.aws_waf_rule_rate_limit
+ aws_waf_rule_rate_limit_priority = var.aws_waf_rule_rate_limit_priority
+ aws_waf_rule_managed_rules = var.aws_waf_rule_managed_rules
+ aws_waf_rule_managed_rules_priority = var.aws_waf_rule_managed_rules_priority
+ aws_waf_rule_managed_bad_inputs = var.aws_waf_rule_managed_bad_inputs
+ aws_waf_rule_managed_bad_inputs_priority = var.aws_waf_rule_managed_bad_inputs_priority
+ aws_waf_rule_ip_reputation = var.aws_waf_rule_ip_reputation
+ aws_waf_rule_ip_reputation_priority = var.aws_waf_rule_ip_reputation_priority
+ aws_waf_rule_anonymous_ip = var.aws_waf_rule_anonymous_ip
+ aws_waf_rule_anonymous_ip_priority = var.aws_waf_rule_anonymous_ip_priority
+ aws_waf_rule_bot_control = var.aws_waf_rule_bot_control
+ aws_waf_rule_bot_control_priority = var.aws_waf_rule_bot_control_priority
+ aws_waf_rule_geo_block_countries = var.aws_waf_rule_geo_block_countries
+ aws_waf_rule_geo_block_countries_priority = var.aws_waf_rule_geo_block_countries_priority
+ aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
+ aws_waf_rule_geo_allow_only_countries_priority = var.aws_waf_rule_geo_allow_only_countries_priority
+ aws_waf_rule_user_arn = var.aws_waf_rule_user_arn
+ aws_waf_rule_user_arn_priority = var.aws_waf_rule_user_arn_priority
+ aws_waf_rule_sqli = var.aws_waf_rule_sqli
+ aws_waf_rule_sqli_priority = var.aws_waf_rule_sqli_priority
+ aws_waf_rule_linux = var.aws_waf_rule_linux
+ aws_waf_rule_linux_priority = var.aws_waf_rule_linux_priority
+ aws_waf_rule_unix = var.aws_waf_rule_unix
+ aws_waf_rule_unix_priority = var.aws_waf_rule_unix_priority
+ aws_waf_rule_admin_protection = var.aws_waf_rule_admin_protection
+ aws_waf_rule_admin_protection_priority = var.aws_waf_rule_admin_protection_priority
 # Incoming
 aws_lb_resource_arn = module.aws_lb[0].aws_lb_resource_arn
 # Others
@@ -625,19 +638,32 @@ module "aws_waf_ecs" {
 aws_waf_log_retention_days = var.aws_waf_log_retention_days
 aws_resource_identifier = var.aws_resource_identifier
 # Rules
- aws_waf_rule_rate_limit = var.aws_waf_rule_rate_limit
- aws_waf_rule_managed_rules = var.aws_waf_rule_managed_rules
- aws_waf_rule_managed_bad_inputs = var.aws_waf_rule_managed_bad_inputs
- aws_waf_rule_ip_reputation = var.aws_waf_rule_ip_reputation
- aws_waf_rule_anonymous_ip = var.aws_waf_rule_anonymous_ip
- aws_waf_rule_bot_control = var.aws_waf_rule_bot_control
- aws_waf_rule_geo_block_countries = var.aws_waf_rule_geo_block_countries
- aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
- aws_waf_rule_user_arn = var.aws_waf_rule_user_arn
- aws_waf_rule_sqli = var.aws_waf_rule_sqli
- aws_waf_rule_linux = var.aws_waf_rule_linux
- aws_waf_rule_unix = var.aws_waf_rule_unix
- aws_waf_rule_admin_protection = var.aws_waf_rule_admin_protection
+ aws_waf_rule_rate_limit = var.aws_waf_rule_rate_limit
+ aws_waf_rule_rate_limit_priority = var.aws_waf_rule_rate_limit_priority
+ aws_waf_rule_managed_rules = var.aws_waf_rule_managed_rules
+ aws_waf_rule_managed_rules_priority = var.aws_waf_rule_managed_rules_priority
+ aws_waf_rule_managed_bad_inputs = var.aws_waf_rule_managed_bad_inputs
+ aws_waf_rule_managed_bad_inputs_priority = var.aws_waf_rule_managed_bad_inputs_priority
+ aws_waf_rule_ip_reputation = var.aws_waf_rule_ip_reputation
+ aws_waf_rule_ip_reputation_priority = var.aws_waf_rule_ip_reputation_priority
+ aws_waf_rule_anonymous_ip = var.aws_waf_rule_anonymous_ip
+ aws_waf_rule_anonymous_ip_priority = var.aws_waf_rule_anonymous_ip_priority
+ aws_waf_rule_bot_control = var.aws_waf_rule_bot_control
+ aws_waf_rule_bot_control_priority = var.aws_waf_rule_bot_control_priority
+ aws_waf_rule_geo_block_countries = var.aws_waf_rule_geo_block_countries
+ aws_waf_rule_geo_block_countries_priority = var.aws_waf_rule_geo_block_countries_priority
+ aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
+ aws_waf_rule_geo_allow_only_countries_priority = var.aws_waf_rule_geo_allow_only_countries_priority
+ aws_waf_rule_user_arn = var.aws_waf_rule_user_arn
+ aws_waf_rule_user_arn_priority = var.aws_waf_rule_user_arn_priority
+ aws_waf_rule_sqli = var.aws_waf_rule_sqli
+ aws_waf_rule_sqli_priority = var.aws_waf_rule_sqli_priority
+ aws_waf_rule_linux = var.aws_waf_rule_linux
+ aws_waf_rule_linux_priority = var.aws_waf_rule_linux_priority
+ aws_waf_rule_unix = var.aws_waf_rule_unix
+ aws_waf_rule_unix_priority = var.aws_waf_rule_unix_priority
+ aws_waf_rule_admin_protection = var.aws_waf_rule_admin_protection
+ aws_waf_rule_admin_protection_priority = var.aws_waf_rule_admin_protection_priority
 # Incoming
 aws_lb_resource_arn = module.aws_ecs[0].load_balancer_arn
 # Others
@@ -786,7 +812,7 @@ locals {
 ) : false
 )
- protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn,"") != "" ? "https://" : "http://" : "http://"
+ protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, "") != "" ? "https://" : "http://" : "http://"
 create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false)
 ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null
 ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null
diff --git a/operations/deployment/terraform/modules/aws/waf/aws_waf.tf b/operations/deployment/terraform/modules/aws/waf/aws_waf.tf
index 125ad504a..5dc11a9ab 100644
--- a/operations/deployment/terraform/modules/aws/waf/aws_waf.tf
+++ b/operations/deployment/terraform/modules/aws/waf/aws_waf.tf
@@ -24,7 +24,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_rate_limit != "" ? [1] : [] content { name = "RateLimitRule" - priority = 10 + priority = var.aws_waf_rule_rate_limit_priority action { block {} @@ -50,7 +50,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_managed_rules ? [1] : [] content { name = "AWSManagedRulesCommonRuleSet" - priority = 20 + priority = var.aws_waf_rule_managed_rules_priority override_action { none {} @@ -76,7 +76,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_managed_bad_inputs ? [1] : [] content { name = "AWSManagedRulesKnownBadInputsRuleSet" - priority = 30 + priority = var.aws_waf_rule_managed_bad_inputs_priority override_action { none {} @@ -102,7 +102,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_ip_reputation ? [1] : [] content { name = "AWSManagedRulesAmazonIpReputationList" - priority = 40 + priority = var.aws_waf_rule_ip_reputation_priority override_action { none {} @@ -128,7 +128,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_anonymous_ip ? [1] : [] content { name = "AWSManagedRulesAnonymousIpList" - priority = 50 + priority = var.aws_waf_rule_anonymous_ip_priority override_action { none {} @@ -154,7 +154,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_bot_control ? [1] : [] content { name = "AWSManagedRulesBotControlRuleSet" - priority = 60 + priority = var.aws_waf_rule_bot_control_priority override_action { none {} @@ -180,7 +180,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = length(local.aws_waf_rule_geo_block_countries) > 0 ? [1] : [] content { name = "GeoBlockRule" - priority = 70 + priority = var.aws_waf_rule_geo_block_countries_priority action { block {} 
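Review bot: The rule priorities are now user-supplied but nothing checks that they stay unique, and WAFv2 rejects a web ACL whose enabled rules share a priority, so two `aws_waf_rule_*_priority` inputs set to the same number fail only at apply time; this applies to every priority hunk in this file and to the pass-through hunk in bitovi_main.tf and the declarations in aws_waf_vars.tf. If the pinned Terraform version supports resource preconditions, a local that collects the priorities of the rules actually enabled (mirroring each dynamic block's `for_each` condition) plus a `lifecycle` precondition on `aws_wafv2_web_acl.waf` turns the collision into a plan-time error with a readable message. The enclosing resource block starts and ends outside these hunks, so the precondition below has to be placed inside it by hand.
```hcl
# New locals block in the module: priorities of the rules that are enabled, one entry per dynamic block.
locals {
  aws_waf_enabled_rule_priorities = concat(
    var.aws_waf_rule_rate_limit != "" ? [var.aws_waf_rule_rate_limit_priority] : [],
    var.aws_waf_rule_managed_rules ? [var.aws_waf_rule_managed_rules_priority] : [],
    var.aws_waf_rule_managed_bad_inputs ? [var.aws_waf_rule_managed_bad_inputs_priority] : [],
    # … one entry per remaining rule: ip_reputation, anonymous_ip, bot_control, geo_block_countries,
    #   geo_allow_only_countries, user_arn, sqli, linux, unix, admin_protection …
  )
}

# Inside resource "aws_wafv2_web_acl" "waf", next to the dynamic rule blocks:
lifecycle {
  precondition {
    condition     = length(distinct(local.aws_waf_enabled_rule_priorities)) == length(local.aws_waf_enabled_rule_priorities)
    error_message = "aws_waf_rule_*_priority values must be unique across the enabled WAF rules."
  }
}
```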
@@ -205,7 +205,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = length(local.aws_waf_rule_geo_allow_only_countries) > 0 ? [1] : [] content { name = "GeoAllowOnlyRule" - priority = 75 + priority = var.aws_waf_rule_geo_allow_only_countries_priority action { block {} @@ -234,7 +234,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_user_arn != "" ? [1] : [] content { name = "UserDefinedRuleGroup" - priority = 80 + priority = var.aws_waf_rule_user_arn_priority override_action { none {} @@ -259,7 +259,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_sqli ? [1] : [] content { name = "AWSManagedRulesSQLiRuleSet" - priority = 85 + priority = var.aws_waf_rule_sqli_priority override_action { none {} @@ -285,7 +285,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_linux ? [1] : [] content { name = "AWSManagedRulesLinuxRuleSet" - priority = 90 + priority = var.aws_waf_rule_linux_priority override_action { none {} @@ -311,7 +311,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_unix ? [1] : [] content { name = "AWSManagedRulesUnixRuleSet" - priority = 95 + priority = var.aws_waf_rule_unix_priority override_action { none {} @@ -337,7 +337,7 @@ resource "aws_wafv2_web_acl" "waf" { for_each = var.aws_waf_rule_admin_protection ? [1] : [] content { name = "AWSManagedRulesAdminProtectionRuleSet" - priority = 100 + priority = var.aws_waf_rule_admin_protection_priority override_action { none {} diff --git a/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf b/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf index 4dbbea14f..5f187813a 100644 --- a/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf +++ b/operations/deployment/terraform/modules/aws/waf/aws_waf_vars.tf 
@@ -5,16 +5,29 @@ variable "aws_waf_logging_enable" {} variable "aws_waf_log_retention_days" {} variable "aws_resource_identifier" {} -variable "aws_waf_rule_rate_limit" {} # - Rate limit (requests per 5 minutes) -variable "aws_waf_rule_managed_rules" {} # - Managed rule groups -variable "aws_waf_rule_managed_bad_inputs" {} # - Known bad inputs rule -variable "aws_waf_rule_ip_reputation" {} # - IP reputation rule -variable "aws_waf_rule_anonymous_ip" {} # - Anonymous IPs rule -variable "aws_waf_rule_bot_control" {} # - Bot control rule -variable "aws_waf_rule_geo_block_countries" {} # - List of countries to block -variable "aws_waf_rule_geo_allow_only_countries" {} # - List of countries to allow only -variable "aws_waf_rule_user_arn" {} # - ARN of the user-defined rule group -variable "aws_waf_rule_sqli" {} # - SQL injection rule -variable "aws_waf_rule_linux" {} # - Linux rule -variable "aws_waf_rule_unix" {} # - Unix rule -variable "aws_waf_rule_admin_protection" {} # - Admin protection rule \ No newline at end of file +variable "aws_waf_rule_rate_limit" {} # - Rate limit (requests per 5 minutes) +variable "aws_waf_rule_rate_limit_priority" {} # - Priority for rate limit rule +variable "aws_waf_rule_managed_rules" {} # - Managed rule groups +variable "aws_waf_rule_managed_rules_priority" {} # - Priority for managed rules +variable "aws_waf_rule_managed_bad_inputs" {} # - Known bad inputs rule +variable "aws_waf_rule_managed_bad_inputs_priority" {} # - Priority for known bad inputs rule +variable "aws_waf_rule_ip_reputation" {} # - IP reputation rule +variable "aws_waf_rule_ip_reputation_priority" {} # - Priority for IP reputation rule +variable "aws_waf_rule_anonymous_ip" {} # - Anonymous IPs rule +variable "aws_waf_rule_anonymous_ip_priority" {} # - Priority for anonymous IPs rule +variable "aws_waf_rule_bot_control" {} # - Bot control rule +variable "aws_waf_rule_bot_control_priority" {} # - Priority for bot control rule +variable 
"aws_waf_rule_geo_block_countries" {} # - List of countries to block +variable "aws_waf_rule_geo_block_countries_priority" {} # - Priority for geo block rule +variable "aws_waf_rule_geo_allow_only_countries" {} # - List of countries to allow only +variable "aws_waf_rule_geo_allow_only_countries_priority" {} # - Priority for geo allow only rule +variable "aws_waf_rule_user_arn" {} # - ARN of the user-defined rule group +variable "aws_waf_rule_user_arn_priority" {} # - Priority for user-defined rule group +variable "aws_waf_rule_sqli" {} # - SQL injection rule +variable "aws_waf_rule_sqli_priority" {} # - Priority for SQL injection rule +variable "aws_waf_rule_linux" {} # - Linux rule +variable "aws_waf_rule_linux_priority" {} # - Priority for Linux rule +variable "aws_waf_rule_unix" {} # - Unix rule +variable "aws_waf_rule_unix_priority" {} # - Priority for Unix rule +variable "aws_waf_rule_admin_protection" {} # - Admin protection rule +variable "aws_waf_rule_admin_protection_priority" {} # - Priority for admin protection rule \ No newline at end of file From 8778ef4ad78a2a60361c6631f735babd01995a7c Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 10:53:48 -0300 Subject: [PATCH 43/76] README fix --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 59dbd544b..fa876ca68 100644 --- a/README.md +++ b/README.md 
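Review bot: The new `*_priority` variables are declared bare (`variable "aws_waf_rule_rate_limit_priority" {}`), so a non-numeric or empty value reaches `priority = …` in aws_waf.tf and only fails at apply time; declaring them as numbers, e.g. `variable "aws_waf_rule_rate_limit_priority" { type = number }`, rejects bad input at plan time and documents the contract better than the trailing comment does. The rest of the file leaves every variable untyped, so this is a deliberate deviation from the existing style and worth deciding once for the whole file. The file also still ends without a newline (`\ No newline at end of file`), which this rewrite of every line was a cheap opportunity to fix.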
@@ -228,10 +228,6 @@ The following inputs can be used as `step.with` keys | `aws_alb_healthcheck_protocol` | String | Health check protocol for ALB target group. Defaults to `"HTTP"` | | `aws_alb_ssl_policy` | String | SSL policy for HTTPS listeners. Defaults to `null` | | `aws_alb_additional_tags`| String | A list of strings that will be added to created resources. Example: `{"key1": "value1", "key2": "value2"}`. Default `"{}"` | - - -| `aws_alb_additional_tags` |description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' - required: false

From e68263b49901077f34fc645059534b3de6ad1481 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 11:18:02 -0300 Subject: [PATCH 44/76] Fixing ALB README --- README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index fa876ca68..e4daa7d04 100644 --- a/README.md +++ b/README.md 
@@ -216,17 +216,16 @@ The following inputs can be used as `step.with` keys | Name | Type | Description | |------------------|---------|------------------------------------| | `aws_alb_create` | Boolean | Global toggle for ALB creation. Defaults to `false` | -| `aws_alb_security_group_name` | String | Name of the security group to use for ALB. Defaults to `` | -| `aws_alb_app_port` | String | Comma-separated list of application ports for ALB target group. Defaults to `` | -| `aws_alb_app_protocol` | String | Comma-separated list of protocols for ALB target group (HTTP/HTTPS). Defaults to `` | -| `aws_alb_listen_port` | String | Comma-separated list of listener ports for ALB. Defaults to `` | -| `aws_alb_listen_protocol` | String | Comma-separated list of listener protocols for ALB (HTTP/HTTPS). Defaults to `""` | +| `aws_alb_security_group_name` | String | Name of the security group to use for ALB. Defaults to `SG for ${aws_resource_identifier} - ALB`| +| `aws_alb_app_port` | String | Comma-separated list of application ports for ALB target group. If none defined, will use `aws_alb_listen_port` ones. | +| `aws_alb_app_protocol` | String | Comma-separated list of protocols for ALB target group (HTTP/HTTPS). Defaults to `HTTP`. | +| `aws_alb_listen_port` | String | Comma-separated list of listener ports for ALB. Depending on certificate, defaults to `80` or `443`. | +| `aws_alb_listen_protocol` | String | Comma-separated list of listener protocols for ALB (HTTP/HTTPS). Defaults to Depending on certificate, defaults to `HTTP` or `HTTPS`. | | `aws_alb_redirect_enable` | Boolean | Enable HTTP to HTTPS redirection on ALB. Defaults to `false` | | `aws_alb_www_to_apex_redirect` | Boolean | Enable www to apex domain redirection on ALB. Defaults to `false` | -# Healthcheck | `aws_alb_healthcheck_path` | String | Health check path for ALB target group. Defaults to `"/"` | | `aws_alb_healthcheck_protocol` | String | Health check protocol for ALB target group. 
Defaults to `"HTTP"` | -| `aws_alb_ssl_policy` | String | SSL policy for HTTPS listeners. Defaults to `null` | +| `aws_alb_ssl_policy` | String | SSL policy for HTTPS listeners. More [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) | | `aws_alb_additional_tags`| String | A list of strings that will be added to created resources. Example: `{"key1": "value1", "key2": "value2"}`. Default `"{}"` |

From 59eb43edb551e9e9465b61bf270def50ce027a09 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 11:36:49 -0300 Subject: [PATCH 45/76] Adding waf priorities to generator --- .../generate/generate_vars_terraform.sh | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index 69a813482..26a329c3c 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh 
@@ -158,18 +158,31 @@ if [[ $(alpha_only "$AWS_WAF_ENABLE") == true ]]; then aws_waf_log_retention_days=$(generate_var aws_waf_log_retention_days $AWS_WAF_LOG_RETENTION_DAYS) aws_waf_additional_tags=$(generate_var aws_waf_additional_tags $AWS_WAF_ADDITIONAL_TAGS) aws_waf_rule_rate_limit=$(generate_var aws_waf_rule_rate_limit $AWS_WAF_RULE_RATE_LIMIT) + aws_waf_rule_rate_limit_priority=$(generate_var aws_waf_rule_rate_limit_priority $AWS_WAF_RULE_RATE_LIMIT_PRIORITY) aws_waf_rule_managed_rules=$(generate_var aws_waf_rule_managed_rules $AWS_WAF_RULE_MANAGED_RULES) + aws_waf_rule_managed_rules_priority=$(generate_var aws_waf_rule_managed_rules_priority $AWS_WAF_RULE_MANAGED_RULES_PRIORITY) aws_waf_rule_managed_bad_inputs=$(generate_var aws_waf_rule_managed_bad_inputs $AWS_WAF_RULE_MANAGED_BAD_INPUTS) + aws_waf_rule_managed_bad_inputs_priority=$(generate_var aws_waf_rule_managed_bad_inputs_priority $AWS_WAF_RULE_MANAGED_BAD_INPUTS_PRIORITY) aws_waf_rule_ip_reputation=$(generate_var aws_waf_rule_ip_reputation $AWS_WAF_RULE_IP_REPUTATION) + aws_waf_rule_ip_reputation_priority=$(generate_var aws_waf_rule_ip_reputation_priority $AWS_WAF_RULE_IP_REPUTATION_PRIORITY) aws_waf_rule_anonymous_ip=$(generate_var aws_waf_rule_anonymous_ip $AWS_WAF_RULE_ANONYMOUS_IP) + aws_waf_rule_anonymous_ip_priority=$(generate_var aws_waf_rule_anonymous_ip_priority $AWS_WAF_RULE_ANONYMOUS_IP_PRIORITY) aws_waf_rule_bot_control=$(generate_var aws_waf_rule_bot_control $AWS_WAF_RULE_BOT_CONTROL) + aws_waf_rule_bot_control_priority=$(generate_var aws_waf_rule_bot_control_priority $AWS_WAF_RULE_BOT_CONTROL_PRIORITY) aws_waf_rule_geo_block_countries=$(generate_var aws_waf_rule_geo_block_countries $AWS_WAF_RULE_GEO_BLOCK_COUNTRIES) + aws_waf_rule_geo_block_countries_priority=$(generate_var aws_waf_rule_geo_block_countries_priority $AWS_WAF_RULE_GEO_BLOCK_COUNTRIES_PRIORITY) aws_waf_rule_geo_allow_only_countries=$(generate_var aws_waf_rule_geo_allow_only_countries $AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES) 
+ aws_waf_rule_geo_allow_only_countries_priority=$(generate_var aws_waf_rule_geo_allow_only_countries_priority $AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES_PRIORITY) aws_waf_rule_user_arn=$(generate_var aws_waf_rule_user_arn $AWS_WAF_RULE_USER_ARN) + aws_waf_rule_user_arn_priority=$(generate_var aws_waf_rule_user_arn_priority $AWS_WAF_RULE_USER_ARN_PRIORITY) aws_waf_rule_sqli=$(generate_var aws_waf_rule_sqli $AWS_WAF_RULE_SQLI) + aws_waf_rule_sqli_priority=$(generate_var aws_waf_rule_sqli_priority $AWS_WAF_RULE_SQLI_PRIORITY) aws_waf_rule_linux=$(generate_var aws_waf_rule_linux $AWS_WAF_RULE_LINUX) + aws_waf_rule_linux_priority=$(generate_var aws_waf_rule_linux_priority $AWS_WAF_RULE_LINUX_PRIORITY) aws_waf_rule_unix=$(generate_var aws_waf_rule_unix $AWS_WAF_RULE_UNIX) + aws_waf_rule_unix_priority=$(generate_var aws_waf_rule_unix_priority $AWS_WAF_RULE_UNIX_PRIORITY) aws_waf_rule_admin_protection=$(generate_var aws_waf_rule_admin_protection $AWS_WAF_RULE_ADMIN_PROTECTION) + aws_waf_rule_admin_protection_priority=$(generate_var aws_waf_rule_admin_protection_priority $AWS_WAF_RULE_ADMIN_PROTECTION_PRIORITY) fi #-- AWS EFS --# 
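Review bot: The new `aws_waf_rule_*_priority` lines read `AWS_WAF_RULE_*_PRIORITY` environment variables, but this commit does not touch action.yaml, so unless those inputs are already mapped to `env` there (not visible in this series) `generate_var` is always called with an empty second argument and the generated tfvars carry no priorities at all. That is only harmless if the root variables in aws_variables.tf declare defaults for the priorities; the module-side declarations in aws_waf_vars.tf have none. The expansions are unquoted, matching the rest of the block, which is fine for numeric values but worth quoting (`"$AWS_WAF_RULE_RATE_LIMIT_PRIORITY"`) if `generate_var` treats a missing argument differently from an empty one. The enclosing `if` block begins before this hunk.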
@@ -551,18 +564,31 @@ $aws_waf_logging_enable $aws_waf_log_retention_days $aws_waf_additional_tags $aws_waf_rule_rate_limit +$aws_waf_rule_rate_limit_priority $aws_waf_rule_managed_rules +$aws_waf_rule_managed_rules_priority $aws_waf_rule_managed_bad_inputs +$aws_waf_rule_managed_bad_inputs_priority $aws_waf_rule_ip_reputation +$aws_waf_rule_ip_reputation_priority $aws_waf_rule_anonymous_ip +$aws_waf_rule_anonymous_ip_priority $aws_waf_rule_bot_control +$aws_waf_rule_bot_control_priority $aws_waf_rule_geo_block_countries +$aws_waf_rule_geo_block_countries_priority $aws_waf_rule_geo_allow_only_countries +$aws_waf_rule_geo_allow_only_countries_priority $aws_waf_rule_user_arn +$aws_waf_rule_user_arn_priority $aws_waf_rule_sqli +$aws_waf_rule_sqli_priority $aws_waf_rule_linux +$aws_waf_rule_linux_priority $aws_waf_rule_unix +$aws_waf_rule_unix_priority $aws_waf_rule_admin_protection +$aws_waf_rule_admin_protection_priority #-- EFS --# $aws_efs_enable From 99e4081bd5e42e7041b4fa2265ac7d89e62aeee3 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 12:19:33 -0300 Subject: [PATCH 46/76] Better use of aws_r53_enable_cert --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 66db0b88a..6b62d1199 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -62,7 +62,7 @@ module "efs_to_ec2_sg" { module "aws_certificates" { source = "../modules/aws/certificates" - count = (var.aws_ec2_instance_create || var.aws_ecs_enable) && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 + count = (var.aws_ec2_instance_create || var.aws_ecs_enable || var.aws_r53_cert_arn != "" ) && var.aws_r53_enable_cert ? 1 : 0 # && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 # Cert aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert From 7ee924563196fc8be680135b5485a219afdd0553 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 12:26:22 -0300 Subject: [PATCH 47/76] playing with cert fire --- .../terraform/modules/aws/certificates/aws_certificates.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf index 339ecaf3f..0c2d2a75a 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf @@ -1,5 +1,6 @@ # Lookup for main domain. data "aws_route53_zone" "selected" { + count = var.aws_r53_domain_name != "" ? 1 : 0 name = "${var.aws_r53_domain_name}." private_zone = false } @@ -32,7 +33,7 @@ resource "aws_route53_record" "root_domain" { name = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_value] type = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_type - zone_id = data.aws_route53_zone.selected.zone_id + zone_id = data.aws_route53_zone.selected[0].zone_id ttl = 60 } 
@@ -59,7 +60,7 @@ resource "aws_route53_record" "sub_domain" { name = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value] type = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_type - zone_id = data.aws_route53_zone.selected.zone_id + zone_id = data.aws_route53_zone.selected[0].zone_id ttl = 60 } From a5c332315d236bed4c957c263d792ce1967d402d Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 13:54:44 -0300 Subject: [PATCH 48/76] Fixing certificates module --- .../deployment/terraform/aws/bitovi_main.tf | 2 +- .../aws/certificates/aws_certificates.tf | 44 ++++++------------- 2 files changed, 15 insertions(+), 31 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 6b62d1199..ddbda2468 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -161,7 +161,7 @@ module "aws_lb" { aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - #depends_on = [module.vpc, module.ec2, module.aws_certificates] + depends_on = [module.aws_certificates] providers = { aws = aws.lb diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf index 0c2d2a75a..babde21ff 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf 
@@ -6,8 +6,7 @@ data "aws_route53_zone" "selected" { } data "aws_acm_certificate" "issued" { - #count = local.is_enabled_and_valid ? (!var.aws_r53_create_root_cert ? (!var.aws_r53_create_sub_cert ? (var.fqdn_provided ? 1 : 0) : 0) : 0) :0 - for_each = (!var.aws_r53_create_root_cert && !var.aws_r53_create_sub_cert && local.is_enabled_and_valid) ? { + for_each = (!var.aws_r53_create_root_cert && !var.aws_r53_create_sub_cert && var.aws_r53_domain_name != "") ? { "domain" = var.aws_r53_domain_name, "wildcard" = "*.${var.aws_r53_domain_name}", "sub" = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" @@ -18,7 +17,7 @@ data "aws_acm_certificate" "issued" { # This block will create and validate the root domain and www cert resource "aws_acm_certificate" "root_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_root_cert ? (var.aws_r53_domain_name != "" ? 1 : 0) : 0) : 0 + count = var.aws_r53_domain_name != "" && var.aws_r53_create_root_cert ? 1 : 0 domain_name = var.aws_r53_domain_name subject_alternative_names = ["*.${var.aws_r53_domain_name}", "${var.aws_r53_domain_name}"] validation_method = "DNS" @@ -28,7 +27,7 @@ resource "aws_acm_certificate" "root_domain" { } resource "aws_route53_record" "root_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_root_cert ? (var.aws_r53_domain_name != "" ? 1 : 0) : 0) : 0 + count = var.aws_r53_domain_name != "" && var.aws_r53_create_root_cert ? 1 : 0 allow_overwrite = true name = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_value] 
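Review bot: `data "aws_acm_certificate" "issued"` still looks up all three keys (`domain`, `wildcard`, `sub`) whenever the new gate `var.aws_r53_domain_name != ""` is true, and as far as I can tell this data source errors when no matching certificate exists, so an account that has only a root certificate issued fails on the `wildcard`/`sub` lookups before the `try()` in `local.acm_arn` ever gets a chance to fall back. If that reading is right, building the map conditionally (for example adding `sub` only when `var.aws_r53_sub_domain_name != ""`) or accepting one explicit lookup key would match what `acm_arn` is trying to express. The `sub` key also interpolates to `.${var.aws_r53_domain_name}` when the sub-domain input is empty. The data block continues past this hunk.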
@@ -38,7 +37,7 @@ resource "aws_route53_record" "root_domain" { } resource "aws_acm_certificate_validation" "root_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_root_cert ? (var.aws_r53_domain_name != "" ? 1 : 0) : 0) : 0 + count = var.aws_r53_domain_name != "" && var.aws_r53_create_root_cert ? 1 : 0 certificate_arn = aws_acm_certificate.root_domain[0].arn validation_record_fqdns = [for record in aws_route53_record.root_domain : record.fqdn] } @@ -46,7 +45,7 @@ resource "aws_acm_certificate_validation" "root_domain" { # This block will create and validate the sub domain cert ONLY resource "aws_acm_certificate" "sub_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0 + count = var.aws_r53_create_sub_cert && !var.aws_r53_create_root_cert && var.aws_r53_domain_name != "" && var.aws_r53_sub_domain_name != "" ? 1 : 0 domain_name = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}" validation_method = "DNS" lifecycle { @@ -55,7 +54,7 @@ resource "aws_acm_certificate" "sub_domain" { } resource "aws_route53_record" "sub_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0 + count = var.aws_r53_create_sub_cert && !var.aws_r53_create_root_cert && var.aws_r53_domain_name != "" && var.aws_r53_sub_domain_name != "" ? 1 : 0 allow_overwrite = true name = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value] 
@@ -65,36 +64,21 @@ resource "aws_route53_record" "sub_domain" { } resource "aws_acm_certificate_validation" "sub_domain" { - count = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0 + count = var.aws_r53_create_sub_cert && !var.aws_r53_create_root_cert && var.aws_r53_domain_name != "" && var.aws_r53_sub_domain_name != "" ? 1 : 0 certificate_arn = aws_acm_certificate.sub_domain[0].arn validation_record_fqdns = [for record in aws_route53_record.sub_domain : record.fqdn] } locals { - is_enabled_and_valid = var.aws_r53_domain_name != "" ? true : false + acm_arn = try(data.aws_acm_certificate.issued["domain"].arn, try(data.aws_acm_certificate.issued["wildcard"].arn, data.aws_acm_certificate.issued["sub"].arn, "")) + selected_arn = ( - local.is_enabled_and_valid ? - (var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn : - (!var.aws_r53_create_root_cert ? - (!var.aws_r53_create_sub_cert ? - (var.fqdn_provided ? local.acm_arn : "") - : aws_acm_certificate.sub_domain[0].arn - ) : aws_acm_certificate.root_domain[0].arn - ) - ) : "" + var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn : + var.aws_r53_create_root_cert ? aws_acm_certificate.root_domain[0].arn : + var.aws_r53_create_sub_cert ? aws_acm_certificate.sub_domain[0].arn : + var.fqdn_provided ? local.acm_arn : + "" ) - cert_available = ( - local.is_enabled_and_valid ? - (var.aws_r53_cert_arn != "" ? true : - (!var.aws_r53_create_root_cert ? - (!var.aws_r53_create_sub_cert ? - (var.fqdn_provided ? true : false) - : true - ) : true - ) - ) : false - ) - acm_arn = try(data.aws_acm_certificate.issued["domain"].arn, try(data.aws_acm_certificate.issued["wildcard"].arn, data.aws_acm_certificate.issued["sub"].arn, "")) } output "selected_arn" { From 6ca7825894509e6f4278e390a816da05cc352ce7 Mon Sep 17 00:00:00 2001 
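Review bot: `selected_arn` hands out `aws_acm_certificate.root_domain[0].arn` (and the `sub_domain` equivalent) directly, so a listener built from it can be attached while the certificate is still pending DNS validation; the `aws_acm_certificate_validation` resources in this file exist precisely to sequence that, and referencing them instead — `var.aws_r53_create_root_cert ? aws_acm_certificate_validation.root_domain[0].certificate_arn :` and `var.aws_r53_create_sub_cert ? aws_acm_certificate_validation.sub_domain[0].certificate_arn :` — makes every consumer wait for validation to complete. Separately, when `aws_r53_create_sub_cert` is true but `aws_r53_sub_domain_name` is empty the sub resources have `count = 0`, so the `[0]` index in this local fails with a generic index error; a precondition with a message naming the missing input would be clearer than letting that surface.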
From: LeoDiazL Date: Fri, 12 Dec 2025 14:01:01 -0300 Subject: [PATCH 49/76] Fixing formatting --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- .../modules/aws/certificates/aws_certificates.tf | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index ddbda2468..d281b7ae2 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -62,7 +62,7 @@ module "efs_to_ec2_sg" { module "aws_certificates" { source = "../modules/aws/certificates" - count = (var.aws_ec2_instance_create || var.aws_ecs_enable || var.aws_r53_cert_arn != "" ) && var.aws_r53_enable_cert ? 1 : 0 # && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 + count = (var.aws_ec2_instance_create || var.aws_ecs_enable || var.aws_r53_cert_arn != "") && var.aws_r53_enable_cert ? 1 : 0 # && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 # Cert aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf index babde21ff..71bdf0d8b 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf 
@@ -54,7 +54,7 @@ resource "aws_acm_certificate" "sub_domain" { } resource "aws_route53_record" "sub_domain" { - count = var.aws_r53_create_sub_cert && !var.aws_r53_create_root_cert && var.aws_r53_domain_name != "" && var.aws_r53_sub_domain_name != "" ? 1 : 0 + count = var.aws_r53_create_sub_cert && !var.aws_r53_create_root_cert && var.aws_r53_domain_name != "" && var.aws_r53_sub_domain_name != "" ? 1 : 0 allow_overwrite = true name = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value] @@ -73,10 +73,10 @@ locals { acm_arn = try(data.aws_acm_certificate.issued["domain"].arn, try(data.aws_acm_certificate.issued["wildcard"].arn, data.aws_acm_certificate.issued["sub"].arn, "")) selected_arn = ( - var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn : + var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn : var.aws_r53_create_root_cert ? aws_acm_certificate.root_domain[0].arn : - var.aws_r53_create_sub_cert ? aws_acm_certificate.sub_domain[0].arn : - var.fqdn_provided ? local.acm_arn : + var.aws_r53_create_sub_cert ? aws_acm_certificate.sub_domain[0].arn : + var.fqdn_provided ? local.acm_arn : "" ) } From 4e4c4f4cdff0bb93789e2b8c19ca3e704a0ba61f Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 15:08:37 -0300 Subject: [PATCH 50/76] redo cert logic --- .../deployment/terraform/aws/bitovi_main.tf | 20 +++++++++---------- .../aws/certificates/aws_certificates.tf | 5 ++--- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index d281b7ae2..3026b68dd 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -62,7 +62,7 @@ module "efs_to_ec2_sg" { module "aws_certificates" { source = "../modules/aws/certificates" - count = (var.aws_ec2_instance_create || var.aws_ecs_enable || var.aws_r53_cert_arn != "") && var.aws_r53_enable_cert ? 1 : 0 # && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0 + count = (var.aws_ec2_instance_create || var.aws_ecs_enable ) && var.aws_r53_enable_cert && var.aws_r53_cert_arn == "" ? 1 : 0 # Cert aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert @@ -90,7 +90,7 @@ module "aws_route53" { aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name, module.aws_elb[0].aws_elb_dns_name, module.ec2[0].instance_public_ip, "") aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id, module.aws_elb[0].aws_elb_zone_id, "", "") # Certs - aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" # Others fqdn_provided = local.fqdn_provided @@ -118,7 +118,7 @@ module "aws_elb" { aws_instance_server_id = module.ec2[0].aws_instance_server_id aws_elb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id # Certs - aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort 
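Review bot: `try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn)` uses `try()` as an existence test for the counted module, which also hides any error in the first argument itself — a renamed or mistyped output (`selected_arm`) would silently fall back to `var.aws_r53_cert_arn`, and in the module-enabled path that value is `""`, so the load balancers would be configured without a certificate instead of the plan failing. The explicit form `length(module.aws_certificates) > 0 ? module.aws_certificates[0].selected_arn : var.aws_r53_cert_arn` selects the same value and keeps typos loud. The expression is repeated for `aws_elb` in this hunk, `aws_lb` and `aws_ecs` in the next, and `aws_route53_ecs` plus the `protocol` local after that, so a single `local.aws_certificates_selected_arn` would remove the duplication as well.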
@@ -155,13 +155,13 @@ module "aws_lb" { aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id aws_r53_domain_name = var.aws_r53_domain_name # Certs - aws_certificate_enabled = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false - aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, "") + aws_certificate_enabled = var.aws_r53_enable_cert + aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - depends_on = [module.aws_certificates] + #depends_on = [module.aws_certificates] providers = { aws = aws.lb @@ -597,8 +597,8 @@ module "aws_ecs" { aws_selected_subnets = module.vpc.aws_selected_vpc_subnets # Others aws_r53_domain_name = var.aws_r53_enable && var.aws_r53_domain_name != "" ? var.aws_r53_domain_name : "" - aws_certificate_enabled = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false - aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificate_enabled = var.aws_r53_enable_cert + aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort app_repo_name = var.app_repo_name 
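Review bot: `aws_certificate_enabled = var.aws_r53_enable_cert` drops the previous `length(module.aws_certificates) > 0` check, so with certificates enabled but neither `aws_r53_domain_name` nor `aws_r53_cert_arn` set the lb module is told a certificate is enabled while `aws_certificates_selected_arn` resolves to `""`; how the module behaves on that pair is not visible here, but `var.aws_r53_enable_cert && (length(module.aws_certificates) > 0 || var.aws_r53_cert_arn != "")` keeps the flag truthful. The same line appears in the `aws_ecs` hunk below. The `#depends_on = [module.aws_certificates]` that was enabled in the previous commit and commented out here is better deleted than left as dead text, with a one-line comment saying why the implicit dependency through `selected_arn` is sufficient.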
@@ -621,7 +621,7 @@ module "aws_route53_ecs" { aws_elb_dns_name = module.aws_ecs[0].load_balancer_dns aws_elb_zone_id = module.aws_ecs[0].load_balancer_zone_id # Certs - aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : "" + aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" # Others fqdn_provided = local.fqdn_provided depends_on = [module.aws_certificates] @@ -812,7 +812,7 @@ locals { ) : false ) - protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, "") != "" ? "https://" : "http://" : "http://" + protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") != "" ? "https://" : "http://" : "http://" create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false) ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf index 71bdf0d8b..c1f2d6b6b 100644 --- a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf +++ b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf @@ -1,6 +1,5 @@ # Lookup for main domain. data "aws_route53_zone" "selected" { - count = var.aws_r53_domain_name != "" ? 1 : 0 name = "${var.aws_r53_domain_name}." private_zone = false } 
@@ -32,7 +31,7 @@ resource "aws_route53_record" "root_domain" { name = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_value] type = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_type - zone_id = data.aws_route53_zone.selected[0].zone_id + zone_id = data.aws_route53_zone.selected.zone_id ttl = 60 } @@ -59,7 +58,7 @@ resource "aws_route53_record" "sub_domain" { name = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name records = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value] type = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_type - zone_id = data.aws_route53_zone.selected[0].zone_id + zone_id = data.aws_route53_zone.selected.zone_id ttl = 60 } From 9770729d055717b598ffdba12a2f587cbb603f37 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 20:28:09 -0300 Subject: [PATCH 51/76] Fixing certificates conditional --- operations/deployment/terraform/aws/bitovi_main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 3026b68dd..6bd539e4e 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -62,7 +62,7 @@ module "efs_to_ec2_sg" { module "aws_certificates" { source = "../modules/aws/certificates" - count = (var.aws_ec2_instance_create || var.aws_ecs_enable ) && var.aws_r53_enable_cert && var.aws_r53_cert_arn == "" ? 1 : 0 + count = (var.aws_ec2_instance_create || var.aws_ecs_enable) && var.aws_r53_enable_cert && var.aws_r53_cert_arn == "" && var.aws_r53_domain_name != "" ? 1 : 0 # Cert aws_r53_cert_arn = var.aws_r53_cert_arn aws_r53_create_root_cert = var.aws_r53_create_root_cert @@ -812,7 +812,7 @@ locals { ) : false ) - protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") != "" ? "https://" : "http://" : "http://" + protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") != "" ? "https://" : "http://" : "http://" create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false) ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null From 7ad7d18d7c0084370c54207fb107e431bad6392f Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 21:30:52 -0300 Subject: [PATCH 52/76] Fixing protocol from output --- operations/deployment/terraform/aws/bitovi_main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 6bd539e4e..dfb3d37a0 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -812,7 +812,7 @@ locals { ) : false ) - protocol = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") != "" ? "https://" : "http://" : "http://" + protocol = var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? "https://" : try(module.aws_certificates[0].selected_arn, "") != "" ? "https://" : "http://" : "http://" create_efs = var.aws_efs_create == true ? true : (var.aws_efs_create_ha == true ? true : false) ec2_public_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_public_dns != null ? module.ec2[0].instance_public_dns : module.ec2[0].instance_public_ip) : null ec2_private_endpoint = var.aws_ec2_instance_create ? (module.ec2[0].instance_private_dns != null ? module.ec2[0].instance_private_dns : module.ec2[0].instance_private_ip) : null @@ -820,7 +820,6 @@ locals { elb_url = try(module.aws_elb[0].aws_elb_dns_name, null) != null ? "${local.protocol}${module.aws_elb[0].aws_elb_dns_name}" : null alb_url = try(module.aws_lb[0].aws_alb_dns_name, null) != null ? "${local.protocol}${module.aws_lb[0].aws_alb_dns_name}" : null } - # VPC output "aws_vpc_id" { value = module.vpc.aws_selected_vpc_id From 61b719d0dd423c785d5c473a8948cfd682cafe90 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 21:34:48 -0300 Subject: [PATCH 53/76] Adding local.ec2_endpoint to the vm_url try --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index dfb3d37a0..9d37eba0d 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -876,7 +876,7 @@ output "application_public_dns" { } output "vm_url" { - value = try(module.aws_route53[0].vm_url, local.alb_url, local.elb_url) + value = try(module.aws_route53[0].vm_url, local.alb_url, local.elb_url, local.ec2_endpoint) } # EFS 
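Review bot: `local.ec2_endpoint`, added as the last fallback of the `vm_url` `try`, is not defined in any hunk visible here; the locals shown define `ec2_public_endpoint` and `ec2_private_endpoint`. As far as I know a reference to an undeclared local is a static error that `try()` does not suppress, so please confirm the local exists elsewhere in bitovi_main.tf. The other fallbacks carry `local.protocol` while an EC2 DNS name or IP would be emitted bare; if that is intended, a comment on the output such as `# last fallback is a bare host without scheme` would save the next reader a check.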
From 8d35d075428598a27491e720e313bb93a2bde82e Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 12 Dec 2025 22:22:54 -0300 Subject: [PATCH 54/76] Double-checking enable-cert --- operations/deployment/terraform/aws/bitovi_main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 9d37eba0d..5e1497612 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -85,7 +85,7 @@ module "aws_route53" { aws_r53_domain_name = var.aws_r53_domain_name aws_r53_sub_domain_name = var.aws_r53_sub_domain_name aws_r53_root_domain_deploy = var.aws_r53_root_domain_deploy - aws_r53_enable_cert = var.aws_r53_enable_cert + aws_r53_enable_cert = var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false # ELB aws_elb_dns_name = try(module.aws_lb[0].aws_alb_dns_name, module.aws_elb[0].aws_elb_dns_name, module.ec2[0].instance_public_ip, "") aws_elb_zone_id = try(module.aws_lb[0].aws_alb_zone_id, module.aws_elb[0].aws_elb_zone_id, "", "") @@ -155,7 +155,7 @@ module "aws_lb" { aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id aws_r53_domain_name = var.aws_r53_domain_name # Certs - aws_certificate_enabled = var.aws_r53_enable_cert + aws_certificate_enabled = var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" # Others aws_resource_identifier = var.aws_resource_identifier From c3cece9b009b4250ce4beeefa4625bcfacee6a7a Mon Sep 17 00:00:00 2001 
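Review bot: The new `aws_r53_enable_cert` value passed to `module "aws_route53"` is a doubly nested conditional without parentheses, `a ? b ? true : c ? true : false : false`, and the identical expression is repeated as `aws_certificate_enabled` in the `module "aws_lb"` hunk on this line. Both reduce to `var.aws_r53_enable_cert && (var.aws_r53_cert_arn != "" || try(module.aws_certificates[0].selected_arn, "") != "")`, which reads directly and drops the `? true : false` tail. Since the same condition is evaluated in two places, computing it once as a local and referencing it from both modules would keep them from drifting apart. Both module blocks start before their hunks.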
From: LeoDiazL Date: Sat, 13 Dec 2025 00:23:15 -0300 Subject: [PATCH 55/76] add dependency --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 5e1497612..596560f89 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -161,7 +161,7 @@ module "aws_lb" { aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - #depends_on = [module.aws_certificates] + depends_on = [module.aws_certificates] providers = { aws = aws.lb From 8bdeff396bf2bdecf7d7042655e1d3b53a648421 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Sat, 13 Dec 2025 00:33:21 -0300 Subject: [PATCH 56/76] Split conditional --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 1901e322a..94576a0f1 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -150,7 +150,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" From 8c69b604596b16f2e52d9860823da30203ffa1f7 Mon Sep 17 00:00:00 2001 
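Review bot: Re-enabling `depends_on = [module.aws_certificates]` on `module "aws_lb"` makes every data source inside the LB module wait on the certificates module, so whenever that module has pending changes those reads are deferred to apply, which is a common source of perpetual diffs; the module already receives `module.aws_certificates[0].selected_arn` through `aws_certificates_selected_arn`, so the implicit dependency exists without it. In the `http_redirect` hunk, `a && b ? c ? 1 : 0 : 0` evaluates exactly like the previous `a && b && c ? 1 : 0`, so the split changes readability only, and the trailing `#!contains(local.alb_listen_port, 80) ? 1 : 0 : 0` comment is stale and should be removed.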
From: LeoDiazL Date: Sat, 13 Dec 2025 00:40:01 -0300 Subject: [PATCH 57/76] testing checks --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 94576a0f1..1377cfab4 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -150,7 +150,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? var.aws_certificate_enabled ? 1 : 0 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -171,7 +171,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !contains(local.alb_listen_port, 80) ? 1 : 0 # && !var.aws_certificate_enabled && #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" From 21e89d2ebf82fd6bda877961978c86e350252a4b Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Sat, 13 Dec 2025 00:47:04 -0300 Subject: [PATCH 58/76] Simplify options --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
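Review bot: Dropping `!var.aws_certificate_enabled` from the `http_forward` count means that with a certificate enabled both `http_redirect` (count 1 after the first hunk) and `http_forward` have count 1, and both declare a listener on port 80 of `aws_lb.vm_alb`; the API refuses a second listener on the same port, so the apply fails with a duplicate-listener error. The two counts need to stay mutually exclusive, i.e. keep `&& !var.aws_certificate_enabled` on `http_forward` or derive both from one local, and the `# && !var.aws_certificate_enabled && #!contains(...)` trailer should not be left behind. The title marks this as a test commit; if it is not meant to merge as-is, squashing before merge keeps the broken state out of history.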
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 596560f89..78fa9d89e 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -156,7 +156,7 @@ module "aws_lb" { aws_r53_domain_name = var.aws_r53_domain_name # Certs aws_certificate_enabled = var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false - aws_certificates_selected_arn = var.aws_r53_enable_cert ? try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn) : "" + aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 1377cfab4..43592129c 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -150,7 +150,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? var.aws_certificate_enabled ? 1 : 0 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? var.aws_certificates_selected_arn != "" ? 1 : 0 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" From e4ee6c860ea139c2040be91c41e464e354e308dd Mon Sep 17 00:00:00 2001 
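Review bot: The `http_redirect` count now depends on `var.aws_certificates_selected_arn != ""`, and the caller hunk on this line feeds that variable from `try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "")`. When the certificates module creates an ACM certificate in the same run, `selected_arn` is unknown at plan time, so Terraform cannot evaluate the count and stops with the "count value depends on resource attributes that cannot be determined until apply" error. Counts should be driven from input variables only, for example `var.aws_certificate_enabled` as before, with the ARN used solely in the listener's `certificate_arn`.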
From: LeoDiazL Date: Sat, 13 Dec 2025 00:52:43 -0300 Subject: [PATCH 59/76] Another take on boolean --- operations/deployment/terraform/aws/bitovi_main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 78fa9d89e..8f5747c5c 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -155,8 +155,9 @@ module "aws_lb" { aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id aws_r53_domain_name = var.aws_r53_domain_name # Certs - aws_certificate_enabled = var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false + aws_certificate_enabled = var.aws_ec2_instance_create && var.aws_r53_enable_cert && ( var.aws_r53_cert_arn != "" || var.aws_r53_domain_name != "" ) ? true : false #var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") + # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort From 25268aaff1dda2836f53e9c6cc0a6868e40c18a9 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Sat, 13 Dec 2025 00:59:18 -0300 Subject: [PATCH 60/76] Cleanup LB --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 43592129c..27c3b4b87 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
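Review bot: `aws_certificate_enabled` is now derived from inputs only, which keeps the downstream counts plannable, but the `? true : false` tail is redundant on a boolean and the old expression kept as a trailing comment doubles the line; `aws_certificate_enabled = var.aws_ec2_instance_create && var.aws_r53_enable_cert && (var.aws_r53_cert_arn != "" || var.aws_r53_domain_name != "")` says the same. The remaining gap is that a non-empty domain name makes this true even when `module.aws_certificates` ends up at count 0 or selects nothing, leaving `aws_certificates_selected_arn` as `""` while the LB module believes HTTPS is available; if that combination cannot occur, a comment on this line stating why would help the next reader. `module "aws_lb"` starts before the hunk.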
@@ -150,7 +150,7 @@ resource "aws_alb_listener" "lb_listener" { } resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? var.aws_certificates_selected_arn != "" ? 1 : 0 : 0 #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -171,7 +171,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !contains(local.alb_listen_port, 80) ? 1 : 0 # && !var.aws_certificate_enabled && #!contains(local.alb_listen_port, 80) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" @@ -271,7 +271,7 @@ resource "aws_security_group_rule" "incoming_alb_https" { ### resource "aws_alb_listener" "https_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 443) ? 1 : 0 #!contains(local.alb_listen_port, 443) ? 1 : 0 : 0 + count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 443) ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "443" protocol = "HTTPS" From 60399d758b62dba74f5afe80115ef81be7b22ca1 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Sat, 13 Dec 2025 01:03:50 -0300 Subject: [PATCH 61/76] Cleanup dependencies --- operations/deployment/terraform/aws/bitovi_main.tf | 8 ++++---- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
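Review bot: After this cleanup the port-80 listeners `http_redirect`, `http_forward` and `http_www_redirect` (the last one outside these hunks) are kept mutually exclusive only by the `var.aws_certificate_enabled` and `var.aws_alb_www_to_apex_redirect` terms spread over three separate `count` expressions, and nothing states that invariant. A comment above `http_redirect` such as `# Only one of http_redirect / http_forward / http_www_redirect may exist: an ALB allows a single listener on port 80` would make the constraint explicit. Selecting the mode once in a local and deriving the three counts from it would enforce it instead of relying on the conditions staying in step.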
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 8f5747c5c..eed64eeb2 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -155,14 +155,14 @@ module "aws_lb" { aws_alb_target_sg_id = module.ec2[0].aws_security_group_ec2_sg_id aws_r53_domain_name = var.aws_r53_domain_name # Certs - aws_certificate_enabled = var.aws_ec2_instance_create && var.aws_r53_enable_cert && ( var.aws_r53_cert_arn != "" || var.aws_r53_domain_name != "" ) ? true : false #var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false + aws_certificate_enabled = var.aws_ec2_instance_create && var.aws_r53_enable_cert && (var.aws_r53_cert_arn != "" || var.aws_r53_domain_name != "") ? true : false #var.aws_r53_enable_cert ? var.aws_r53_cert_arn != "" ? true : try(module.aws_certificates[0].selected_arn, "") != "" ? true : false : false aws_certificates_selected_arn = try(module.aws_certificates[0].selected_arn, var.aws_r53_cert_arn, "") - + # Others aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - depends_on = [module.aws_certificates] + #depends_on = [module.aws_certificates] providers = { aws = aws.lb @@ -206,7 +206,7 @@ module "aws_waf_ec2_alb" { # Incoming aws_lb_resource_arn = module.aws_lb[0].aws_lb_resource_arn # Others - depends_on = [module.aws_lb] + #depends_on = [module.aws_lb] providers = { aws = aws.waf } diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 27c3b4b87..591d930ed 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
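Review bot: Both hunks comment out `depends_on` instead of deleting it, leaving dead configuration the next reader has to reason about. For `module "aws_waf_ec2_alb"` the `aws_lb_resource_arn = module.aws_lb[0].aws_lb_resource_arn` input already orders it after the LB module, and for `module "aws_lb"` the `try(module.aws_certificates[0].selected_arn, ...)` input does the same, so the explicit dependency is redundant in both and the lines can simply go. If the removal is meant to be reversible, a one-line comment on why it was removed (deferred data sources, perpetual diffs, whichever applied) is more useful than the commented-out line.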
@@ -171,7 +171,7 @@ resource "aws_alb_listener" "http_redirect" { } resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 + count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" From 407149ba998f36564ce3b46d840b6940467db51f Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 11:30:56 -0300 Subject: [PATCH 62/76] Adding listeners dependency --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 591d930ed..1c2aee0f5 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -146,7 +146,11 @@ resource "aws_alb_listener" "lb_listener" { lifecycle { replace_triggered_by = [null_resource.http_redirect_dep.id] } - depends_on = [aws_alb_listener.http_redirect] + depends_on = [ + aws_alb_listener.http_redirect, + aws_alb_listener.http_forward, + aws_alb_listener.http_www_redirect + ] } resource "aws_alb_listener" "http_redirect" { From 765aa76e80518304febb6fb77acb3253f778f265 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 12:04:32 -0300 Subject: [PATCH 63/76] Rollback dep --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 1c2aee0f5..defa3fac7 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -146,11 +146,6 @@ resource "aws_alb_listener" "lb_listener" { lifecycle { replace_triggered_by = [null_resource.http_redirect_dep.id] } - depends_on = [ - aws_alb_listener.http_redirect, - aws_alb_listener.http_forward, - aws_alb_listener.http_www_redirect - ] } resource "aws_alb_listener" "http_redirect" { From 916027f274534126eee30068a0ce9e8561d632eb Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 12:19:11 -0300 Subject: [PATCH 64/76] Cross-80-dependency --- .../deployment/terraform/modules/aws/lb/aws_lb.tf | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index defa3fac7..49751f92c 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -165,7 +165,9 @@ resource "aws_alb_listener" "http_redirect" { } depends_on = [ aws_lb.vm_alb, - aws_lb_target_group.vm_alb_tg + aws_lb_target_group.vm_alb_tg, + aws_lb_listener.http_forward, + aws_lb_listener.http_www_redirect ] } @@ -181,7 +183,9 @@ resource "aws_alb_listener" "http_forward" { } depends_on = [ aws_lb.vm_alb, - aws_lb_target_group.vm_alb_tg + aws_lb_target_group.vm_alb_tg, + aws_alb_listener.http_redirect, + aws_alb_listener.http_www_redirect ] } @@ -202,7 +206,9 @@ resource "aws_alb_listener" "http_www_redirect" { } depends_on = [ aws_lb.vm_alb, - aws_lb_target_group.vm_alb_tg + aws_lb_target_group.vm_alb_tg, + aws_alb_listener.http_redirect, + aws_alb_listener.http_forward ] } From 80bd0edb27de3ffd21ce52519780913ebff9112c Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 12:30:08 -0300 Subject: [PATCH 65/76] Combining --- .../terraform/modules/aws/lb/aws_lb.tf | 90 ++++++++++++------- 1 file changed, 60 insertions(+), 30 deletions(-) 
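Review bot: The three `depends_on` lists added in the `Cross-80-dependency` hunks form a cycle: `http_redirect` depends on `http_forward` and `http_www_redirect`, `http_forward` on `http_redirect` and `http_www_redirect`, and `http_www_redirect` on the other two, which Terraform rejects with a "Cycle" error before planning. The first of those hunks also writes `aws_lb_listener.http_forward` and `aws_lb_listener.http_www_redirect`, while the resources are declared as `aws_alb_listener`, so those references point at undeclared resources. Since the counts are already mutually exclusive, at most one of the three exists in any plan and the cross-dependencies add nothing; if the goal is to avoid a port-80 clash when the mode flips, a single listener resource whose `default_action` varies with the mode removes the ordering problem entirely.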
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 49751f92c..18c8035cc 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -166,52 +166,82 @@ resource "aws_alb_listener" "http_redirect" { depends_on = [ aws_lb.vm_alb, aws_lb_target_group.vm_alb_tg, - aws_lb_listener.http_forward, - aws_lb_listener.http_www_redirect ] } -resource "aws_alb_listener" "http_forward" { - count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 +resource "aws_alb_listener" "http_redirector" { + count = var.aws_alb_redirect_enable && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn + dynamic "default_action" { + for_each = var.aws_alb_www_to_apex_redirect ? [1] : [] + content { + type = "fixed-response" + fixed_response { + content_type = "text/plain" + message_body = "Not Found" + status_code = "404" + } + } } - depends_on = [ - aws_lb.vm_alb, - aws_lb_target_group.vm_alb_tg, - aws_alb_listener.http_redirect, - aws_alb_listener.http_www_redirect - ] -} -resource "aws_alb_listener" "http_www_redirect" { - count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 - load_balancer_arn = aws_lb.vm_alb.arn - port = "80" - protocol = "HTTP" - - default_action { - type = "fixed-response" - - fixed_response { - content_type = "text/plain" - message_body = "Not Found" - status_code = "404" + dynamic "default_action" { + for_each = var.aws_alb_www_to_apex_redirect ? 
[] : [1] + content { + type = "forward" + target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn } } + depends_on = [ aws_lb.vm_alb, aws_lb_target_group.vm_alb_tg, - aws_alb_listener.http_redirect, - aws_alb_listener.http_forward ] } +#resource "aws_alb_listener" "http_forward" { +# count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 +# load_balancer_arn = aws_lb.vm_alb.arn +# port = "80" +# protocol = "HTTP" +# +# default_action { +# type = "forward" +# target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn +# } +# depends_on = [ +# aws_lb.vm_alb, +# aws_lb_target_group.vm_alb_tg, +# aws_alb_listener.http_redirect, +# aws_alb_listener.http_www_redirect +# ] +#} +# +#resource "aws_alb_listener" "http_www_redirect" { +# count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 +# load_balancer_arn = aws_lb.vm_alb.arn +# port = "80" +# protocol = "HTTP" +# +# default_action { +# type = "fixed-response" +# +# fixed_response { +# content_type = "text/plain" +# message_body = "Not Found" +# status_code = "404" +# } +# } +# depends_on = [ +# aws_lb.vm_alb, +# aws_lb_target_group.vm_alb_tg, +# aws_alb_listener.http_redirect, +# aws_alb_listener.http_forward +# ] +#} + resource "aws_lb_listener_rule" "http_forward_apex" { count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 listener_arn = aws_alb_listener.http_www_redirect[0].arn 
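Review bot: `aws_lb_listener_rule.http_forward_apex`, whose body starts at the end of this hunk, still references `aws_alb_listener.http_www_redirect` in both its `count` and its `listener_arn`, but that resource is now commented out, so the configuration fails on an undeclared resource until the rule is pointed at `http_redirector`. Merging the two port-80 listeners into one `http_redirector` with mutually exclusive `dynamic "default_action"` blocks is the right direction, since it removes the create/destroy ordering problem between separate listeners on the same port. The two large commented-out resource blocks should be deleted rather than kept; git history preserves them and the dead text doubles the reading effort. The hunk starts on the previous line.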
@@ -255,7 +285,7 @@ resource "aws_lb_listener_rule" "redirect_www_to_apex" { } resource "aws_security_group_rule" "incoming_alb_http" { - count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0 + count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_redirector) : 0 # length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0 type = "ingress" from_port = 80 to_port = 80 From 6140fc1d9bd5fc86db2d2f443ed0bfad9cb41da3 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 12:39:49 -0300 Subject: [PATCH 66/76] Fixing resources --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 18c8035cc..65fdca788 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -243,8 +243,8 @@ resource "aws_alb_listener" "http_redirector" { #} resource "aws_lb_listener_rule" "http_forward_apex" { - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 - listener_arn = aws_alb_listener.http_www_redirect[0].arn + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? 1 : 0 #&& length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 + listener_arn = aws_alb_listener.http_redirector #aws_alb_listener.http_www_redirect[0].arn priority = 20 condition { 
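Review bot: In `http_forward_apex`, `listener_arn = aws_alb_listener.http_redirector` assigns the whole counted resource (a list of objects) to a string attribute; it has to be `aws_alb_listener.http_redirector[0].arn`, and the count should then also require `length(aws_alb_listener.http_redirector) > 0` so the index is safe. The new count tests `var.aws_alb_www_to_apex_redirect` twice. The trailing `#aws_alb_listener.http_www_redirect[0].arn` and `#&& length(...)` fragments are stale and should be dropped.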
@@ -260,8 +260,8 @@ resource "aws_lb_listener_rule" "http_forward_apex" { } resource "aws_lb_listener_rule" "redirect_www_to_apex" { - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_www_redirect[0].arn + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn priority = 10 condition { From 5f0fc3f2e9f58f6ff4aa0a5eed9b3fc41fe6e162 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 12:47:46 -0300 Subject: [PATCH 67/76] Fixing count --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 65fdca788..25c1dda16 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
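Review bot: The new `count` for `redirect_www_to_apex` mixes a boolean and a number: with `&&` binding tighter than `?:`, the condition is `www_to_apex && domain != "" && cert_enabled`, and the result is either `length(aws_alb_listener.https_redirect) > 0` (a bool) or `var.aws_alb_www_to_apex_redirect ? 1 : 0` (a number), so the branch types are inconsistent and `count` is not an integer in the first one. The same mixed-type shape reappears in the `@@ -260,7 +261,8` hunk on the next line. What is meant is `count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_redirector) > 0) ? 1 : 0`, which also guards the `[0]` index on the `listener_arn` line in the non-certificate case.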
@@ -243,6 +243,7 @@ resource "aws_alb_listener" "http_redirector" { #} resource "aws_lb_listener_rule" "http_forward_apex" { + #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? 1 : 0 #&& length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 listener_arn = aws_alb_listener.http_redirector #aws_alb_listener.http_www_redirect[0].arn priority = 20 @@ -260,7 +261,8 @@ resource "aws_lb_listener_rule" "http_forward_apex" { } resource "aws_lb_listener_rule" "redirect_www_to_apex" { - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ? 1 : 0 ) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn priority = 10 From 16650933697c8ee3ad5bdea260e42a5c783145ac Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 12:55:58 -0300 Subject: [PATCH 68/76] Fixing bool/int --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 25c1dda16..b94a7d5c6 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -261,8 +261,8 @@ resource "aws_lb_listener_rule" "http_forward_apex" { } resource "aws_lb_listener_rule" "redirect_www_to_apex" { - #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ? 1 : 0 ) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn priority = 10 From 23a888cc2de1c66f44d15f9eace2b3c445f25506 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 13:12:25 -0300 Subject: [PATCH 69/76] More merge --- .../terraform/modules/aws/lb/aws_lb.tf | 83 ++++--------------- 1 file changed, 17 insertions(+), 66 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index b94a7d5c6..1ba1bb477 100644 
--- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -148,35 +148,26 @@ resource "aws_alb_listener" "lb_listener" { } } + resource "aws_alb_listener" "http_redirect" { - count = var.aws_alb_redirect_enable && var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 + count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? 1 : 0 load_balancer_arn = aws_lb.vm_alb.arn port = "80" protocol = "HTTP" - default_action { - type = "redirect" - - redirect { - port = "443" - protocol = "HTTPS" - status_code = "HTTP_301" + dynamic "default_action" { + for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [1] : [] + content { + type = "redirect" + redirect { + port = "443" + protocol = "HTTPS" + status_code = "HTTP_301" + } } } - depends_on = [ - aws_lb.vm_alb, - aws_lb_target_group.vm_alb_tg, - ] -} - -resource "aws_alb_listener" "http_redirector" { - count = var.aws_alb_redirect_enable && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 - load_balancer_arn = aws_lb.vm_alb.arn - port = "80" - protocol = "HTTP" - dynamic "default_action" { - for_each = var.aws_alb_www_to_apex_redirect ? [1] : [] + for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [1] : [] content { type = "fixed-response" fixed_response { @@ -188,7 +179,7 @@ resource "aws_alb_listener" "http_redirector" { } dynamic "default_action" { - for_each = var.aws_alb_www_to_apex_redirect ? [] : [1] + for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [] : [1] content { type = "forward" target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn 
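Review bot: The `for_each` guards on the three `dynamic "default_action"` blocks of the merged `http_redirect` listener do not partition the cases: the `redirect` block and the `fixed-response` block share the condition `var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled`, so in that mode the listener gets two terminal default actions, and when a certificate is enabled neither fires and the port-80 listener falls through to `forward`, which drops the HTTP-to-HTTPS redirect the old `http_redirect` provided. Unless a later commit already corrects it, the guards should be `var.aws_certificate_enabled ? [1] : []` for the redirect, `!var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? [1] : []` for the fixed response, and `!var.aws_certificate_enabled && !var.aws_alb_www_to_apex_redirect ? [1] : []` for the forward. A comment above the listener naming the three modes would let a reader verify the partition without re-deriving it.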
@@ -201,51 +192,10 @@ resource "aws_alb_listener" "http_redirector" { ] } -#resource "aws_alb_listener" "http_forward" { -# count = var.aws_alb_redirect_enable && !var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled && !contains(local.alb_listen_port, 80) ? 1 : 0 -# load_balancer_arn = aws_lb.vm_alb.arn -# port = "80" -# protocol = "HTTP" -# -# default_action { -# type = "forward" -# target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn -# } -# depends_on = [ -# aws_lb.vm_alb, -# aws_lb_target_group.vm_alb_tg, -# aws_alb_listener.http_redirect, -# aws_alb_listener.http_www_redirect -# ] -#} -# -#resource "aws_alb_listener" "http_www_redirect" { -# count = var.aws_alb_redirect_enable && var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? !contains(local.alb_listen_port, 80) ? 1 : 0 : 0 -# load_balancer_arn = aws_lb.vm_alb.arn -# port = "80" -# protocol = "HTTP" -# -# default_action { -# type = "fixed-response" -# -# fixed_response { -# content_type = "text/plain" -# message_body = "Not Found" -# status_code = "404" -# } -# } -# depends_on = [ -# aws_lb.vm_alb, -# aws_lb_target_group.vm_alb_tg, -# aws_alb_listener.http_redirect, -# aws_alb_listener.http_forward -# ] -#} - resource "aws_lb_listener_rule" "http_forward_apex" { #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? 1 : 0 #&& length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 - listener_arn = aws_alb_listener.http_redirector #aws_alb_listener.http_www_redirect[0].arn + listener_arn = aws_alb_listener.http_redirect[0].arn #aws_alb_listener.http_www_redirect[0].arn priority = 20 condition { 
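Review bot: `http_forward_apex` now attaches to `aws_alb_listener.http_redirect[0].arn`, but its `count` never checks the two conditions that gate `http_redirect` (`var.aws_alb_redirect_enable` and `!contains(local.alb_listen_port, 80)`), so with www-to-apex on, a domain set and no certificate the rule is planned even when the listener list is empty and the plan fails on the index. The count also tests `var.aws_alb_www_to_apex_redirect` twice, which looks like a leftover from the removed `http_www_redirect` guard. Replacing the duplicate with a presence check fixes both: `count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_redirect) > 0 ? 1 : 0`. The same lines are carried unchanged through the hunks at L138 and L141; the rule body continues past the hunk.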
@@ -263,7 +213,8 @@ resource "aws_lb_listener_rule" "http_forward_apex" { resource "aws_lb_listener_rule" "redirect_www_to_apex" { #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn + listener_arn = aws_alb_listener.http_redirect[0].arn + #listener_arn = #var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn priority = 10 condition { @@ -287,7 +238,7 @@ resource "aws_lb_listener_rule" "redirect_www_to_apex" { } resource "aws_security_group_rule" "incoming_alb_http" { - count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) + length(aws_alb_listener.http_redirector) : 0 # length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0 + count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) : 0 #+ length(aws_alb_listener.http_redirector) : 0 # length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0 type = "ingress" from_port = 80 to_port = 80 From b8c37867e0d4ebef35fd692f084342efeb0ae1e0 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 13:18:02 -0300 Subject: [PATCH 70/76] Fix conditional --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
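Review bot: `redirect_www_to_apex` is now always attached to `aws_alb_listener.http_redirect[0].arn`, the port-80 listener, while its `count` in the certificate case is gated on `length(aws_alb_listener.https_redirect) > 0`; with a certificate the listener that actually serves `www.` over HTTPS therefore never gets the rule, and the plain-HTTP listener it is attached to only issues a redirect to 443 (after the follow-up commits), so HTTPS requests for the www host are not redirected to the apex unless `https_redirect` carries its own rule elsewhere. The conditional ARN this replaces is kept only as a comment on the next line. Restoring it, with the renamed listener, keeps count and ARN consistent: `listener_arn = var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirect[0].arn`. The same `listener_arn` line is re-touched in the hunks at L139 and L142; the rule body continues past the hunk.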
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 1ba1bb477..c8f1a1ac9 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -156,7 +156,7 @@ resource "aws_alb_listener" "http_redirect" { protocol = "HTTP" dynamic "default_action" { - for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [1] : [] + for_each = var.aws_certificate_enabled ? [1] : [] content { type = "redirect" redirect { @@ -166,6 +166,7 @@ resource "aws_alb_listener" "http_redirect" { } } } + dynamic "default_action" { for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [1] : [] content { From 09bec02b568842eafdd9b36d579d2ef079bd93d6 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 15:47:13 -0300 Subject: [PATCH 71/76] Fixing conditional --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index c8f1a1ac9..1422ac166 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -180,7 +180,7 @@ resource "aws_alb_listener" "http_redirect" { } dynamic "default_action" { - for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [] : [1] + for_each = var.aws_alb_www_to_apex_redirect && var.aws_certificate_enabled ? [] : [1] content { type = "forward" target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn From 8ce5da4d62c041da18007247c5b208b6b0e2ec6f Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 15:57:17 -0300 Subject: [PATCH 72/76] Reorder conditionals --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 1422ac166..26cce453f 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -168,7 +168,7 @@ resource "aws_alb_listener" "http_redirect" { } dynamic "default_action" { - for_each = var.aws_alb_www_to_apex_redirect && !var.aws_certificate_enabled ? [1] : [] + for_each = !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? [1] : [] content { type = "fixed-response" fixed_response { @@ -180,7 +180,7 @@ resource "aws_alb_listener" "http_redirect" { } dynamic "default_action" { - for_each = var.aws_alb_www_to_apex_redirect && var.aws_certificate_enabled ? [] : [1] + for_each = !var.aws_certificate_enabled && !var.aws_alb_www_to_apex_redirect ? [1] : [] content { type = "forward" target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn From e2a2807b4dca94559bf11b26693f35a38132e037 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 16:14:26 -0300 Subject: [PATCH 73/76] Adding cert module dependency --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index eed64eeb2..4501de1c8 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -162,7 +162,7 @@ module "aws_lb" { aws_resource_identifier = var.aws_resource_identifier aws_resource_identifier_supershort = var.aws_resource_identifier_supershort # Module dependencies - #depends_on = [module.aws_certificates] + depends_on = [module.aws_certificates] providers = { aws = aws.lb From e3cf8beb6bd65db75079f32a3c925eafbfebd6f6 Mon Sep 17 00:00:00 2001 
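Review bot: Enabling `depends_on = [module.aws_certificates]` on the whole `aws_lb` module makes every resource in the module wait for the entire certificates module, and a module-level `depends_on` also defers any data sources inside that module to apply time, so values derived from them show as known-after-apply even when `aws_certificate_enabled` is false. If the only consumer is the HTTPS listener's certificate, passing the certificate ARN in as a module input gives the same ordering with a narrower graph edge. Either way the line deserves a one-line comment naming what in the module needs the certificate module to finish first, since the commit title alone does not say.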
From: LeoDiazL Date: Mon, 15 Dec 2025 17:39:45 -0300 Subject: [PATCH 74/76] More grouping --- .../terraform/modules/aws/lb/aws_lb.tf | 86 +++++++++++++------ 1 file changed, 62 insertions(+), 24 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 26cce453f..bdf2293b3 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -148,6 +148,9 @@ resource "aws_alb_listener" "lb_listener" { } } +locals { + http_listener_action = var.aws_certificate_enabled ? "redirect" : var.aws_alb_www_to_apex_redirect ? "fixed-response" : "forward" +} resource "aws_alb_listener" "http_redirect" { count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? 1 : 0 @@ -155,36 +158,27 @@ resource "aws_alb_listener" "http_redirect" { port = "80" protocol = "HTTP" - dynamic "default_action" { - for_each = var.aws_certificate_enabled ? [1] : [] - content { - type = "redirect" - redirect { + default_action { + type = local.http_listener_action + + dynamic "redirect" { + for_each = local.http_listener_action == "redirect" ? [1] : [] + content { port = "443" protocol = "HTTPS" status_code = "HTTP_301" } } - } - dynamic "default_action" { - for_each = !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? [1] : [] - content { - type = "fixed-response" - fixed_response { + dynamic "fixed_response" { + for_each = local.http_listener_action == "fixed-response" ? [1] : [] + content { content_type = "text/plain" message_body = "Not Found" status_code = "404" } } - } - - dynamic "default_action" { - for_each = !var.aws_certificate_enabled && !var.aws_alb_www_to_apex_redirect ? [1] : [] - content { - type = "forward" - target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn - } + target_group_arn = local.http_listener_action == "forward" ? aws_lb_target_group.vm_alb_tg[0].arn : null } depends_on = [ 
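Review bot: The new `http_listener_action` local encodes the whole port-80 behaviour of the module in one nested conditional and carries no comment, so the precedence (certificate first, then www-to-apex) has to be recovered by reading it. A comment above it would spare the next reader, e.g. `# Port 80 default action: redirect to HTTPS when a certificate is configured; without one, return 404 when www-to-apex redirection is on (the host-based listener rules below handle the apex host), otherwise forward to the target group`. The `locals` block is also placed between two resources rather than with the module's other locals at the top of the file, which the next commit moves.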
@@ -193,10 +187,54 @@ resource "aws_alb_listener" "http_redirect" { ] } +#resource "aws_alb_listener" "http_redirect" { +# count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? 1 : 0 +# load_balancer_arn = aws_lb.vm_alb.arn +# port = "80" +# protocol = "HTTP" +# +# dynamic "default_action" { +# for_each = var.aws_certificate_enabled ? [1] : [] +# content { +# type = "redirect" +# redirect { +# port = "443" +# protocol = "HTTPS" +# status_code = "HTTP_301" +# } +# } +# } +# +# dynamic "default_action" { +# for_each = !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? [1] : [] +# content { +# type = "fixed-response" +# fixed_response { +# content_type = "text/plain" +# message_body = "Not Found" +# status_code = "404" +# } +# } +# } +# +# dynamic "default_action" { +# for_each = !var.aws_certificate_enabled && !var.aws_alb_www_to_apex_redirect ? [1] : [] +# content { +# type = "forward" +# target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn +# } +# } +# +# depends_on = [ +# aws_lb.vm_alb, +# aws_lb_target_group.vm_alb_tg, +# ] +#} + resource "aws_lb_listener_rule" "http_forward_apex" { #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? 1 : 0 #&& length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 - listener_arn = aws_alb_listener.http_redirect[0].arn #aws_alb_listener.http_www_redirect[0].arn + listener_arn = aws_alb_listener.http_redirect[0].arn #aws_alb_listener.http_www_redirect[0].arn priority = 20 condition { 
@@ -212,11 +250,11 @@ resource "aws_lb_listener_rule" "http_forward_apex" { } resource "aws_lb_listener_rule" "redirect_www_to_apex" { - #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect ) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - listener_arn = aws_alb_listener.http_redirect[0].arn + #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + listener_arn = aws_alb_listener.http_redirect[0].arn #listener_arn = #var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn - priority = 10 + priority = 10 condition { host_header { From b6560c3ccdb2136d872baf15be0c26be295d56c9 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 18:05:55 -0300 Subject: [PATCH 75/76] Cleanup+dependency --- .../terraform/modules/aws/lb/aws_lb.tf | 64 ++++--------------- 1 file changed, 11 insertions(+), 53 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index bdf2293b3..704296638 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf 
@@ -16,6 +16,8 @@ locals { length(local.alb_listen_protocol), length(local.alb_app_protocol) ) + + http_listener_action = var.aws_certificate_enabled ? "redirect" : var.aws_alb_www_to_apex_redirect ? "fixed-response" : "forward" } @@ -149,7 +151,6 @@ resource "aws_alb_listener" "lb_listener" { } locals { - http_listener_action = var.aws_certificate_enabled ? "redirect" : var.aws_alb_www_to_apex_redirect ? "fixed-response" : "forward" } resource "aws_alb_listener" "http_redirect" { 
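Review bot: Moving `http_listener_action` into the top-level `locals` leaves an empty `locals {` / `}` pair behind in the second hunk; it is valid HCL but reads as a leftover, so delete both lines. With the local now sitting next to `alb_listen_port` and `alb_listen_protocol`, a short comment on it explaining the redirect → fixed-response → forward precedence would keep the port-80 logic discoverable from the top of the file.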
@@ -185,56 +186,15 @@ resource "aws_alb_listener" "http_redirect" { aws_lb.vm_alb, aws_lb_target_group.vm_alb_tg, ] -} -#resource "aws_alb_listener" "http_redirect" { -# count = var.aws_alb_redirect_enable && !contains(local.alb_listen_port, 80) ? 1 : 0 -# load_balancer_arn = aws_lb.vm_alb.arn -# port = "80" -# protocol = "HTTP" -# -# dynamic "default_action" { -# for_each = var.aws_certificate_enabled ? [1] : [] -# content { -# type = "redirect" -# redirect { -# port = "443" -# protocol = "HTTPS" -# status_code = "HTTP_301" -# } -# } -# } -# -# dynamic "default_action" { -# for_each = !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? [1] : [] -# content { -# type = "fixed-response" -# fixed_response { -# content_type = "text/plain" -# message_body = "Not Found" -# status_code = "404" -# } -# } -# } -# -# dynamic "default_action" { -# for_each = !var.aws_certificate_enabled && !var.aws_alb_www_to_apex_redirect ? [1] : [] -# content { -# type = "forward" -# target_group_arn = aws_lb_target_group.vm_alb_tg[0].arn -# } -# } -# -# depends_on = [ -# aws_lb.vm_alb, -# aws_lb_target_group.vm_alb_tg, -# ] -#} + lifecycle { + replace_triggered_by = [null_resource.http_redirect_dep.id] + } +} resource "aws_lb_listener_rule" "http_forward_apex" { - #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? 1 : 0 #&& length(aws_alb_listener.http_www_redirect) > 0 ? 1 : 0 - listener_arn = aws_alb_listener.http_redirect[0].arn #aws_alb_listener.http_www_redirect[0].arn + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && !var.aws_certificate_enabled && var.aws_alb_www_to_apex_redirect ? 1 : 0 + listener_arn = aws_alb_listener.http_redirect[0].arn priority = 20 condition { 
@@ -250,11 +210,9 @@ resource "aws_lb_listener_rule" "http_forward_apex" { } resource "aws_lb_listener_rule" "redirect_www_to_apex" { - #count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 - count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect) ? 1 : 0 # # length(aws_alb_listener.http_www_redirect) > 0) ? 1 : 0 + count = var.aws_alb_www_to_apex_redirect && var.aws_r53_domain_name != "" && (var.aws_certificate_enabled ? length(aws_alb_listener.https_redirect) > 0 : var.aws_alb_www_to_apex_redirect) ? 1 : 0 listener_arn = aws_alb_listener.http_redirect[0].arn - #listener_arn = #var.aws_certificate_enabled ? aws_alb_listener.https_redirect[0].arn : aws_alb_listener.http_redirector[0].arn ##aws_alb_listener.http_www_redirect[0].arn - priority = 10 + priority = 10 condition { host_header { @@ -277,7 +235,7 @@ resource "aws_lb_listener_rule" "redirect_www_to_apex" { } resource "aws_security_group_rule" "incoming_alb_http" { - count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) : 0 #+ length(aws_alb_listener.http_redirector) : 0 # length(aws_alb_listener.http_forward) + length(aws_alb_listener.http_www_redirect) : 0 + count = !contains(local.alb_listen_port, 80) ? length(aws_alb_listener.http_redirect) : 0 type = "ingress" from_port = 80 to_port = 80 From b4d415575243c2b5351ccd53d2ac979f0f3bf21a Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 15 Dec 2025 18:13:03 -0300 Subject: [PATCH 76/76] Changing replace trigger --- operations/deployment/terraform/modules/aws/lb/aws_lb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf index 704296638..b956d8e10 100644 --- a/operations/deployment/terraform/modules/aws/lb/aws_lb.tf +++ b/operations/deployment/terraform/modules/aws/lb/aws_lb.tf @@ -188,7 +188,7 @@ resource "aws_alb_listener" "http_redirect" { ] lifecycle { - replace_triggered_by = [null_resource.http_redirect_dep.id] + replace_triggered_by = [aws_security_group.alb_security_group.id] } }
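Review bot: `replace_triggered_by = [aws_security_group.alb_security_group.id]` forces the port-80 listener to be destroyed and recreated whenever that security group is replaced, and the two listener rules that reference `aws_alb_listener.http_redirect[0].arn` are recreated with it, so port 80 is unserved for the duration of that apply; neither this commit nor the previous one says why a replacement, rather than an ordering, is required. If the goal is only to create the listener after the security group exists, `depends_on = [aws_security_group.alb_security_group]` gives that without the replacement cascade. Whichever is intended, a comment on the `lifecycle` block stating the reason would help the next maintainer; I cannot see `aws_security_group.alb_security_group` in this series, so its definition is assumed. The enclosing `http_redirect` resource starts before the hunk.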