adding temporary workaround for SPS

unity-sds · Jan 22, 2025 · 2b4dbca · 2b4dbca
1 parent ff8fc11
commit 2b4dbca
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
@@ -1,10 +1,14 @@
 # Create an Application Load Balancer (ALB)
 resource "aws_lb" "httpd_alb" {
   name                       = "${var.project}-${var.venue}-httpd-alb"
-  internal                   = true
+  # temporary switch until SPS tests are fixed
+  #internal                   = true
+  internal                   = false
   load_balancer_type         = "application"
   security_groups            = [aws_security_group.ecs_alb_sg.id]
-  subnets                    = local.subnet_ids
+  # temporary switch until SPS tests are fixed
+  #subnets                    = local.subnet_ids
+  subnets                    = local.public_subnet_ids
   enable_deletion_protection = false
   preserve_host_header       = true
   tags = {
@@ -132,6 +136,7 @@ data "aws_ssm_parameter" "shared-services_security_group" {
   name = "arn:aws:ssm:${data.aws_ssm_parameter.shared_service_region.value}:${data.aws_ssm_parameter.shared_service_account_id.value}:parameter/unity/shared-services/network/httpd_security_group"
 }
 
+# lock down ecs alb to just shared services
 resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule" {
   security_group_id = aws_security_group.ecs_alb_sg.id
   from_port         = 8080
@@ -140,6 +145,16 @@ resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule" {
   referenced_security_group_id = data.aws_ssm_parameter.shared-services_security_group.value
 }
 
+# temporary open until SPS tests are fixed
+#tfsec:ignore:AVD-AWS-0107
+resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule_external" {
+  security_group_id = aws_security_group.ecs_alb_sg.id
+  from_port         = 8080
+  to_port           = 8080
+  ip_protocol       = "tcp"
+  cidr_ipv4         = "0.0.0.0/0"
+}
+
 resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
   security_group_id            = aws_security_group.ecs_sg.id
   from_port                    = 0