From 449193e61d60356f7ff62eba46d6cf8fe7c1dbf5 Mon Sep 17 00:00:00 2001
From: ranchodeluxe
Date: Tue, 7 Mar 2023 05:28:20 -0800
Subject: [PATCH] add DNS, cert and HTTPS

---
 terraform/veda-wfs3/dns.tf | 32 +++++++++
 terraform/veda-wfs3/init.tf | 5 ++
 terraform/veda-wfs3/load_balancer.tf | 98 +++++++++++++++++++---------
 3 files changed, 103 insertions(+), 32 deletions(-)
 create mode 100644 terraform/veda-wfs3/dns.tf

diff --git a/terraform/veda-wfs3/dns.tf b/terraform/veda-wfs3/dns.tf
new file mode 100644
index 0000000..b359d47
--- /dev/null
+++ b/terraform/veda-wfs3/dns.tf
@@ -0,0 +1,32 @@
+data "aws_route53_zone" "zone" {
+ provider = aws.west2
+ name = "delta-backend.com"
+}
+
+resource "aws_acm_certificate" "cert" {
+ domain_name = "*.${data.aws_route53_zone.zone.name}"
+ validation_method = "DNS"
+ tags = var.tags
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_route53_record" "subdomain_record" {
+ provider = aws.west2
+ name = "firenrt.${data.aws_route53_zone.zone.name}"
+ zone_id = data.aws_route53_zone.zone.id
+ type = "A"
+
+ alias {
+ name = aws_alb.alb_ecs.dns_name
+ zone_id = aws_alb.alb_ecs.zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_lb_listener_certificate" "cert" {
+ listener_arn = aws_alb_listener.alb_listener_ecs.arn
+ certificate_arn = aws_acm_certificate.cert.arn
+}
\ No newline at end of file
diff --git a/terraform/veda-wfs3/init.tf b/terraform/veda-wfs3/init.tf
index 92f857a..b10cbd1 100644
--- a/terraform/veda-wfs3/init.tf
+++ b/terraform/veda-wfs3/init.tf
@@ -2,6 +2,11 @@ provider "aws" {
 region = "us-west-1"
 }
 
+provider "aws" {
+ alias = "west2"
+ region = "us-west-2"
+}
+
 terraform {
 required_version = "1.3.9"
 required_providers {
diff --git a/terraform/veda-wfs3/load_balancer.tf b/terraform/veda-wfs3/load_balancer.tf
index b2475be..3a22e4a 100644
--- a/terraform/veda-wfs3/load_balancer.tf
+++ b/terraform/veda-wfs3/load_balancer.tf
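Review bot: `aws_acm_certificate.cert` in dns.tf is requested with `validation_method = "DNS"`, but the file creates neither the validation CNAME records in the zone nor an `aws_acm_certificate_validation` resource, so the certificate stays pending and the listener resources that reference `aws_acm_certificate.cert.arn` are handed an unissued certificate (ACM will not serve it, and I would expect the listener apply to fail). Add a `for_each` record over `domain_validation_options` plus the validation resource below, and have the listener in load_balancer.tf reference `aws_acm_certificate_validation.cert.certificate_arn` so Terraform orders the attachment after issuance. The request is also for the wildcard `*.${data.aws_route53_zone.zone.name}` while the only host record created is `firenrt.`; unless more hosts are planned, `domain_name = "firenrt.${data.aws_route53_zone.zone.name}"` limits what a compromised ALB key can impersonate. `aws_lb_listener_certificate.cert` attaches the same certificate the listener already carries as its default `certificate_arn`, so it can be dropped.
```hcl
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  provider        = aws.west2
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.zone.id
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
```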
@@ -1,30 +1,3 @@
-resource "aws_alb_target_group" "alb_target_group" {
- name = "tf-${var.project_name}-${var.env}-tgroup"
- port = var.service_port
- protocol = "HTTP"
- vpc_id = module.networking.vpc_id
- target_type = "ip"
- deregistration_delay = 60
-
- lifecycle {
- create_before_destroy = true
- }
-
- health_check {
- interval = 60
- path = "/conformance"
- port = var.service_port
- protocol = "HTTP"
- matcher = "200"
- timeout = 5
- healthy_threshold = 2
- unhealthy_threshold = 4
- }
-
- depends_on = [
- aws_alb.alb_ecs
- ]
-}
 
 /* security group for ALB */
 resource "aws_security_group" "web_inbound_sg" {
@@ -33,8 +6,8 @@ resource "aws_security_group" "web_inbound_sg" {
 vpc_id = module.networking.vpc_id
 
 ingress {
- from_port = var.service_port
- to_port = var.service_port
+ from_port = 80
+ to_port = 80
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
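Review bot: `web_inbound_sg` now admits 80/tcp from `0.0.0.0/0`, but this patch adds no port-80 listener and the later hunk in this file attaches `https_web_inbound_sg` to the ALB instead, so as far as the diff shows the new rule guards nothing; if the group is still attached to something outside this diff it exposes plaintext HTTP to the internet with no redirect. Either delete `web_inbound_sg`, or keep the rule, add `aws_security_group.web_inbound_sg.id` back to the ALB's `security_groups`, and add an HTTP listener whose only action redirects to 443 (below) so a client that types the bare hostname never speaks plaintext to the service. The enclosing `resource "aws_security_group" "web_inbound_sg"` starts and ends outside the hunk.
```hcl
resource "aws_alb_listener" "alb_listener_http_redirect" {
  load_balancer_arn = aws_alb.alb_ecs.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```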
@@ -58,20 +31,81 @@ resource "aws_security_group" "web_inbound_sg" { } } +resource "aws_security_group" "https_web_inbound_sg" { + name = "tf-${var.project_name}-${var.env}-https-web-inbound-sg" + description = "Allow HTTPS from Anywhere into ALB" + vpc_id = module.networking.vpc_id + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 8 + to_port = 8 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "tf-${var.project_name}-${var.env}-https-web-inbound-sg" + } +} + resource "aws_alb" "alb_ecs" { name = "tf-${var.project_name}-${var.env}-alb" subnets = module.networking.public_subnets_id - security_groups = concat(module.networking.security_groups_ids, [aws_security_group.web_inbound_sg.id]) + security_groups = concat(module.networking.security_groups_ids, [aws_security_group.https_web_inbound_sg.id]) tags = merge({ Name = "tf-${var.project_name}-alb" }, var.tags) } +resource "aws_alb_target_group" "alb_target_group" { + name = "tf-${var.project_name}-${var.env}-tgroup" + port = var.service_port + protocol = "HTTP" + vpc_id = module.networking.vpc_id + target_type = "ip" + deregistration_delay = 60 + + lifecycle { + create_before_destroy = true + } + + health_check { + interval = 60 + path = "/conformance" + port = var.service_port + protocol = "HTTP" + matcher = "200" + timeout = 5 + healthy_threshold = 2 + unhealthy_threshold = 4 + } + + depends_on = [ + aws_alb.alb_ecs + ] +} + resource "aws_alb_listener" "alb_listener_ecs" { load_balancer_arn = aws_alb.alb_ecs.arn - port = var.service_port - protocol = "HTTP" + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = aws_acm_certificate.cert.arn depends_on = [aws_alb_target_group.alb_target_group] default_action {