Allow SSL cert and port 443 setup 🔒 (#9)

.github/workflows/trivy.yaml

@@ -23,7 +23,8 @@ jobs:
         with:
           scan-type: 'fs'
           scan-ref: .
-          scanners: 'vuln,secret,config'
+          scanners: 'vuln,secret,misconfig'
+          skip-dirs: '.cache'
           ignore-unfixed: false
           exit-code: '1'
           format: 'table'

_output.tf

@@ -53,8 +53,12 @@ output "alb_listener_arn" {
   value = aws_alb_listener.http.arn
 }
 
-output "alb_listener_rules_arns" {
-  value = { for rule_name, rule in aws_alb_listener_rule.this : rule_name => rule.arn }
+output "http_alb_listener_rules_arns" {
+  value = { for rule_name, rule in aws_alb_listener_rule.http : rule_name => rule.arn }
+}
+
+output "https_alb_listener_rules_arns" {
+  value = { for rule_name, rule in aws_alb_listener_rule.https : rule_name => rule.arn }
 }
 
 output "ecs_security_group_arn" {

_variable.tf

@@ -3,6 +3,7 @@ variable "internal" {
   description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)."
   default     = true
 }
+
 variable "appmesh_name" {
   type        = string
   description = "Name of the AWS App Mesh"
@@ -112,6 +113,12 @@ variable "service_data" {
   default     = {}
 }
 
+variable "certificate_arn" {
+  type        = string
+  description = "ARN of the SSL certificate that enables ssl termination on the ALB"
+  default = ""
+}
+
 variable "vpc_id" {
   type        = string
   description = "ID of the VPC"

alb.tf

@@ -78,13 +78,73 @@ resource "aws_alb_listener" "http" {
 }
 
 # We may want to create this resource without the loop if the path_patterns ever break the pattern of being the name of the service
-resource "aws_alb_listener_rule" "this" {
+resource "aws_alb_listener_rule" "http" {
   for_each = {
     for key, value in aws_alb_target_group.this : key => value
     if local.service_data[key].public == true
   }
   listener_arn = aws_alb_listener.http.arn
 
+  dynamic "action" {
+    for_each = var.certificate_arn != "" ? [] : [each.value]
+    content {
+      type             = "forward"
+      target_group_arn = each.value.arn
+      # terraform will complain that we have a redirect action and a forward action but the issue disappears on a subsequent apply
+    }
+  }
+
+  dynamic "action" {
+    for_each = var.certificate_arn != "" ? [each.value] : []
+    content {
+      type = "redirect"
+      redirect {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+  }
+
+  condition {
+    path_pattern {
+      values = ["/${each.key}", "/${each.key}/*"]
+    }
+  }
+  lifecycle {
+    replace_triggered_by = [
+      null_resource.target_groups
+    ]
+  }
+  tags = local.tags
+}
+
+resource "aws_alb_listener" "https" {
+  count            = var.certificate_arn != "" ? 1 : 0
+  load_balancer_arn = aws_alb.ecs.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = var.certificate_arn
+  default_action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "I care intently about your request but I'm afraid I don't have anything for you right now."
+      status_code  = "404"
+    }
+  }
+  tags = local.tags
+}
+
+# We may want to create this resource without the loop if the path_patterns ever break the pattern of being the name of the service
+resource "aws_alb_listener_rule" "https" {
+  for_each = {
+    for key, value in aws_alb_target_group.this : key => value
+    if local.service_data[key].public == true && var.certificate_arn != ""
+  }
+  listener_arn = aws_alb_listener.https[0].arn
+
   action {
     type             = "forward"
     target_group_arn = each.value.arn