backend troubleshooting

tofu/environments/production/services/frontend/terragrunt.hcl

@@ -32,7 +32,7 @@ locals {
   tags             = "${merge(local.project_tags, local.environment_tags)}"
 
 
-  ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
+  ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43"
 }
 
 inputs = {

tofu/environments/stage/services/backend-infra/terragrunt.hcl

@@ -47,5 +47,6 @@ inputs = {
   secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group
   logs_endpoint_security_group    = dependency.vpc.outputs.logs_endpoint_security_group
   database_subnet_cidrs           = dependency.vpc.outputs.database_subnet_cidrs
+  ssl_cert                        = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43"
   tags                            = local.tags
 }

tofu/environments/stage/services/frontend/terragrunt.hcl

@@ -32,7 +32,7 @@ locals {
   tags             = "${merge(local.project_tags, local.environment_tags)}"
 
 
-  ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
+  ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43"
 }
 
 inputs = {

tofu/modules/network/vpc/main.tf

@@ -228,6 +228,15 @@ resource "aws_security_group" "ecr_endpoint" {
   })
 }
 
+resource "aws_security_group_rule" "ecr_endpoint_ingress" {
+  type              = "ingress"
+  from_port         = 5000
+  to_port           = 5000
+  protocol          = "tcp"
+  cidr_blocks       = [module.vpc.vpc_cidr_block]
+  security_group_id = aws_security_group.ecr_endpoint.id
+}
+
 # Secrets endpoint SG
 resource "aws_security_group" "secrets_endpoint" {
   name        = "${var.name_prefix}-secrets"
@@ -238,6 +247,15 @@ resource "aws_security_group" "secrets_endpoint" {
   })
 }
 
+resource "aws_security_group_rule" "secrets_endpoint_ingress" {
+  type              = "ingress"
+  from_port         = 5000
+  to_port           = 5000
+  protocol          = "tcp"
+  cidr_blocks       = [module.vpc.vpc_cidr_block]
+  security_group_id = aws_security_group.secrets_endpoint.id
+}
+
 # Logs endpoint SG
 resource "aws_security_group" "logs_endpoint" {
   name        = "${var.name_prefix}-logs"
@@ -247,3 +265,12 @@ resource "aws_security_group" "logs_endpoint" {
     Name = "${var.name_prefix}-logs-endpoint"
   })
 }
+
+resource "aws_security_group_rule" "logs_endpoint_ingress" {
+  type              = "ingress"
+  from_port         = 5000
+  to_port           = 5000
+  protocol          = "tcp"
+  cidr_blocks       = [module.vpc.vpc_cidr_block]
+  security_group_id = aws_security_group.logs_endpoint.id
+}

tofu/modules/services/backend-infra/main.tf

@@ -61,13 +61,17 @@ module "backend_alb" {
   }
 
   listeners = {
-    http = {
-      port     = 5000
-      protocol = "HTTP"
 
-      forward = {
-        target_group_key = local.target_group_key
+    https = {
+      port     = 5000
+      protocol = "HTTPS"
+      certificate_arn = var.ssl_cert
+      fixed_response = {
+        content_type = "text/plain"
+        message_body = ""
+        status_code = 503
       }
+
       rules = {
         custom-header = {
           actions = [{
@@ -87,8 +91,8 @@ module "backend_alb" {
 
   target_groups = {
     "${local.target_group_key}" = {
-      name                              = "${var.name_prefix}-ecs-backend"
-      protocol                          = "HTTP"
+      name                              = "${var.name_prefix}-backend"
+      protocol                          = "HTTPS"
       port                              = 5000
       target_type                       = "ip"
       deregistration_delay              = 5
@@ -101,7 +105,7 @@ module "backend_alb" {
         matcher             = "200"
         path                = "/api/v1"
         port                = "traffic-port"
-        protocol            = "HTTP"
+        protocol            = "HTTPS"
         timeout             = 5
         unhealthy_threshold = 2
       }

tofu/modules/services/backend-infra/variables.tf

@@ -52,4 +52,9 @@ variable "backend_image" {
   description = "Backend image ECR URI"
   type = string
   default = "public.ecr.aws/amazonlinux/amazonlinux:minimal"
+}
+
+variable "ssl_cert" {
+  description = "SSL certificate ARN in AWS Certificate Manager"
+  type        = string
 }

tofu/modules/services/frontend/main.tf

@@ -38,16 +38,6 @@ resource "aws_s3_bucket_public_access_block" "public_access" {
   restrict_public_buckets = true
 }
 
-/*resource "aws_s3_bucket_website_configuration" "frontend" {
-  bucket = aws_s3_bucket.frontend.id
-  index_document {
-    suffix = "index.html"
-  }
-  error_document {
-    key = "error.html"
-  }
-}*/
-
 resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
   bucket = aws_s3_bucket.frontend.id
   policy = data.aws_iam_policy_document.allow_access_from_cloudfront.json
@@ -82,6 +72,8 @@ resource "aws_cloudfront_distribution" "appointment" {
   enabled             = true
   default_root_object = "index.html"
 
+  aliases = ["${var.environment}.appointment.day"]
+
   origin {
     origin_id                = "${var.name_prefix}-frontend"
     domain_name              = aws_s3_bucket.frontend.bucket_domain_name
@@ -93,7 +85,7 @@ resource "aws_cloudfront_distribution" "appointment" {
     domain_name = var.backend_dns_name
     custom_origin_config {
       http_port              = 80
-      https_port             = 443
+      https_port             = 5000
       origin_protocol_policy = "https-only"
       origin_ssl_protocols   = ["TLSv1.2"]
     }