
Commit 3644102

Merge pull request #23 from davidsilva/feature/frontend-to-https
Update README.md and package.json re HTTPS
2 parents f8f4e2c + 90c8c67 commit 3644102

4 files changed

+18
-5
lines changed

Diff for: README.md

+9-3
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ services:
7171
7272
## Frontend
7373
74-
The frontend app, which uses Angular 18, is simple in terms of features: it allows listing, creating and editing users and products.
74+
The frontend app, which uses Angular 18, is simple in terms of features: it allows listing, creating and editing users and products. It is accessible via an HTTPS connection.
7575
7676
What are some technical aspects of Angular, Angular Material and RxJS that it demonstrates?
7777
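Review bot: the sentence added at line 74 ("It is accessible via an HTTPS connection.") understates what the version history in this same PR claims, namely that plain HTTP is redirected to HTTPS. Consider "It is served over HTTPS; plain HTTP requests are redirected to HTTPS" so a reader knows the app is not also reachable in cleartext.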
@@ -143,10 +143,10 @@ The diagram above illustrates the major parts of the application infrastructure.
143143
* **Interview Prep VPC**: "The Virtual Private Cloud (VPC) is a logically isolated network within the AWS cloud where we can launch and manage AWS resources. It provides a secure environment to group and connect related resources and services, such as EC2 instances, RDS databases, and ECS clusters. The VPC allows us to define our own IP address range, create subnets, and configure route tables and network gateways, ensuring that our infrastructure is both secure and scalable." (GitHub Copilot came up with such a great explanation here that I'm just going to use it as-is.)
144144
* **Availability zones A and B**: `us-east-1a` and `us-east-1b`. These zones, along with their corresponding public and private subnets, enhance the app's resilience. Currently, one task each for the ECS frontend and backend is deployed, but this can be scaled to distribute tasks across both availability zones.
145145
* **Public subnets A and B**: The load balancer, bastion host, NAT gateway and Internet gateway are in the public subnets. At the moment there isn't any real load balancing going on.
146-
* **Load balancer**: We're not doing any real load balancing at the moment as there's only one instance of the frontend and backend but we could easily scale up, e.g., by making the `desired_count` greater than 1 in the ECS module. Right now, the load balancer serves to connect the `dev.interviewprep.onyxdevtutorials.com` domain to the frontend ECS service, and the API gateway (`api.dev.interviewprep.onyxdevtutorials.com`) to the backend ECS service.
146+
* **Load balancer**: We're not doing any real load balancing at the moment as there's only one instance of the frontend and backend but we could easily scale up, e.g., by making the `desired_count` greater than 1 in the ECS module. Right now, the load balancer serves to connect the `dev.interviewprep.onyxdevtutorials.com` domain to the frontend ECS service, and the API gateway (`api.dev.interviewprep.onyxdevtutorials.com`) to the backend ECS service. The load balancer also handles SSL termination, ensuring that all traffic to the frontend and API is encrypted using HTTPS.
147147
* **Bastion host**: This is an EC2 instance that isn't strictly necessary but provides a relatively secure way for SSH access to application services such as the database that are in the private subnet. I have a bastion security group that allows only SSH (port 22) access and only from my dedicated VPN IP address. With this I can, for example, SSH into the bastion and then run psql commands on the RDS-hosted Postgres database (see the `bastion_sg` security group and the `allow_bastion_to_db` rule in the Terraform security groups module).
148148
* **Private subnets A and B**: The frontend and backend apps and ECS services, and the Postgres database, all run in the private subnets.
149-
* **Security groups**: There are multiple security groups defining the ingress and egress for the various services, i.e., what can access what and via which ports. At present, we're using only http (port 80 for the frontend, port 3000 for the backend). Soon we'll make the whole thing https and add authorization for accessing the API.
149+
* **Security groups**: There are multiple security groups defining the ingress and egress for the various services, i.e., what can access what and via which ports. At present, we're using HTTPS (port 443 for the frontend and API). Authorization for accessing the API will be added in the future.
150150
* **Public route table**: The public routing table is associated with the public subnets and directs traffic to the internet through the Internet Gateway. This allows resources in the public subnets, such as the load balancer and bastion host, to communicate with the internet.
151151
* **Private route table**: The private routing table is associated with the private subnets and directs traffic to the internet through the NAT Gateway. This allows resources in the private subnets, such as the ECS services and RDS database, to access the internet for updates and patches while keeping them isolated from direct internet access.
152152
* **Internet gateway**: Allows resources within the VPC to communicate with the internet.
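Review bot: the rewritten Security groups bullet at line 149 ("we're using HTTPS (port 443 for the frontend and API)") reads as if traffic is encrypted end to end, but the Load balancer bullet just above says the ALB terminates TLS, so the hop from the ALB to the ECS tasks in the private subnets is still plain HTTP on the ports the old text listed (80 for the frontend, 3000 for the backend) unless the target groups were changed too, and the load_balancer diff in this PR only touches comments and the certificate_arn line. Suggest saying so explicitly, e.g. "TLS is terminated at the load balancer (port 443 for the frontend and API); traffic from the load balancer to the ECS tasks stays HTTP inside the private subnets", and note that the load balancer security group must keep port 80 open for the HTTP-to-HTTPS redirect mentioned in the version history to work. Minor: "SSL termination" is conventionally "TLS termination" now; ACM issues TLS certificates.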
@@ -296,6 +296,12 @@ Assuming CWD is `backend`, `npx knex migrate:make <migration-file-name> --knexfi
296296

297297
## Version History
298298

299+
### 0.1.4
300+
- Used Terraform to obtain an SSL certificate from AWS Certificate Manager (ACM).
301+
- Configured the Application Load Balancer (ALB) to handle SSL termination.
302+
- Updated the Terraform configuration to manage SSL certificates and ALB listeners.
303+
- Ensured all HTTP traffic is redirected to HTTPS for secure communication.
304+
299305
### 0.1.3
300306
- Added optimistic locking. (Alternatives: Pessimistic Locking, Automatic Conflict Resolution, Eventual Consistency.)
301307
- Added load testing to the GitHub workflow.
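Review bot: the last 0.1.4 bullet at line 303 ("Ensured all HTTP traffic is redirected to HTTPS") is not backed by anything in this PR: the load_balancer/main.tf diff is +3/-1, adds only comments plus an end-of-line comment on certificate_arn, and no port-80 listener with a redirect action appears. If the redirect already existed before this PR, say so or drop the bullet; if it does not exist yet, the bullet overstates the release. Likewise, the dns module change only requests a certificate for var.frontend_record_name, while the README now says the API (api.dev.interviewprep.onyxdevtutorials.com) is also served over HTTPS; worth confirming where the API certificate comes from.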

Diff for: package.json

+1-1
@@ -1,5 +1,5 @@
11
{
22
"name": "interview-prep",
3-
"version": "0.1.3",
3+
"version": "0.1.4",
44
"private": true
55
}

Diff for: terraform/modules/dns/main.tf

+5
@@ -22,6 +22,7 @@ resource "aws_route53_record" "backend" {
2222
}
2323
}
2424

25+
# Request an SSL certificate for the frontend domain using AWS Certificate Manager (ACM)
2526
resource "aws_acm_certificate" "frontend_cert" {
2627
domain_name = var.frontend_record_name
2728
validation_method = "DNS"
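Review bot: beyond the new comment, aws_acm_certificate at line 26 should carry lifecycle { create_before_destroy = true } if the elided lines 29-32 do not already set it: the certificate is referenced by the HTTPS listener in the load_balancer module (certificate_arn = var.frontend_cert_arn), and without it any change that forces replacement (a changed domain_name, an added subject alternative name) would destroy the certificate the listener still points at before the new one exists. Minor wording: ACM issues TLS certificates; "SSL certificate" in the comment is the older term.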
@@ -32,7 +33,9 @@ resource "aws_acm_certificate" "frontend_cert" {
3233
}
3334
}
3435

36+
# Create DNS validation records for the SSL certificate
3537
resource "aws_route53_record" "frontend_cert_validation" {
38+
# Iterate over the domain validation options for the ACM certificate for the frontend domain. The result is then accessible via the `each` object.
3639
for_each = {
3740
for dvo in aws_acm_certificate.frontend_cert.domain_validation_options : dvo.domain_name => {
3841
name = dvo.resource_record_name
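Review bot: the comment added at line 38 is one very long line and restates the mechanics that the for_each expression already shows; wrap it and say why the records exist instead, e.g. "# ACM DNS validation: one CNAME record per domain on the certificate, keyed by domain name so subject alternative names are covered too". Also worth checking in the elided lines 39-53 that the record sets allow_overwrite = true; without it a re-requested certificate whose validation record name already exists in the hosted zone fails to apply.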
@@ -52,6 +55,8 @@ resource "aws_route53_record" "frontend_cert_validation" {
5255
}
5356
}
5457

58+
# Validate the SSL certificate using the DNS records created above
59+
# fqdn: Fully Qualified Domain Name, i.e., dev.interviewprep.onyxdevtutorials.com
5560
resource "aws_acm_certificate_validation" "frontend_cert_validation" {
5661
certificate_arn = aws_acm_certificate.frontend_cert.arn
5762
validation_record_fqdns = [for record in aws_route53_record.frontend_cert_validation : record.fqdn]
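Review bot: the comment at line 59 hardcodes dev.interviewprep.onyxdevtutorials.com as the fqdn, but the certificate's domain_name is var.frontend_record_name and the load balancer name in the other module is built from var.environment, so the comment will be wrong for any other environment. Suggest "# fqdn: the fully qualified domain name of each validation record, derived from var.frontend_record_name (dev.interviewprep.onyxdevtutorials.com in the dev environment)". Same "SSL" vs "TLS" wording point as in the earlier comments.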

Diff for: terraform/modules/load_balancer/main.tf

+3-1
@@ -1,3 +1,4 @@
1+
# Create an Application Load Balancer (ALB) to route incoming traffic to the frontend and backend services.
12
resource "aws_lb" "this" {
23
name = "${var.environment}-interview-prep-lb"
34
internal = false # Set to false to create an internet-facing load balancer
@@ -63,8 +64,9 @@ resource "aws_lb_listener" "https_frontend" {
6364
load_balancer_arn = aws_lb.this.arn
6465
port = 443
6566
protocol = "HTTPS"
67+
# ELBSecurityPolicy-2016-08 is a security policy that includes a set of SSL/TLS protocols and ciphers that are considered secure as of August 2016. It is designed to provide a balance between compatibility with older clients and security.
6668
ssl_policy = "ELBSecurityPolicy-2016-08"
67-
certificate_arn = var.frontend_cert_arn
69+
certificate_arn = var.frontend_cert_arn # Refer to the DNS module to see how the certificate ARN is passed to the load balancer.
6870

6971
default_action {
7072
type = "forward"
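Review bot: the comment at line 67 is right that ELBSecurityPolicy-2016-08 trades security for compatibility, but that trade includes still accepting TLS 1.0 and 1.1, which current guidance (PCI DSS, browser vendors) treats as deprecated; unless a known legacy client needs them, prefer a TLS 1.2-and-above policy such as ELBSecurityPolicy-TLS13-1-2-2021-06 and record the reason for whichever policy is chosen in the comment. Style: the end-of-line comment appended to certificate_arn at line 69 makes that line very long; put it on its own line above, as was done for ssl_policy. Also, this is the only listener change in the PR and no port-80 listener with a redirect action appears, so the README's claim that HTTP is redirected to HTTPS cannot be confirmed from the diff.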
