adding preserve_host_header

to fix request-header stuff for proxied applications also shifting securitygroups over to networking.tf where they belong
unity-sds · Oct 17, 2024 · 5ce07a4 · 5ce07a4
1 parent 2456de0
commit 5ce07a4
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 56 deletions.
diff --git a/terraform-unity/ecs.tf b/terraform-unity/ecs.tf
@@ -150,59 +150,3 @@ resource "aws_ecs_service" "httpd_service" {
     aws_ssm_parameter.managementproxy_config
   ]
 }
-
-# Find the MC's ALB's security group (created before unity-proxy)
-data "aws_security_group" "mc_alb_sg" {
-  tags = {
-    Name        = "Unity Management Console Load Balancer SG"
-    Venue       = var.venue
-    ServiceArea = "cs"
-    Proj        = var.project
-  }
-}
-
-# Add a new ingress rule to the MC ALB's security group, allowing the ECS instance to connect
-resource "aws_vpc_security_group_ingress_rule" "ecs_mc_alb_ingress_sg_rule" {
-  security_group_id            = data.aws_security_group.mc_alb_sg.id
-  to_port                      = 8080
-  from_port                    = 8080
-  ip_protocol                  = "tcp"
-  referenced_security_group_id = aws_security_group.ecs_sg.id
-}
-
-# Add a new ingress rule to the ECS's security group, allowing the ECS instance to connect
-resource "aws_vpc_security_group_ingress_rule" "ecs_alb_ingress_sg_rule" {
-  security_group_id            = aws_security_group.ecs_sg.id
-  to_port                      = 8080
-  from_port                    = 8080
-  ip_protocol                  = "tcp"
-  referenced_security_group_id = aws_security_group.ecs_alb_sg.id
-}
-
-# Add a new ingress rule to the ECS ALB's security group, opening it up to other connections
-#tfsec:ignore:AVD-AWS-0107
-resource "aws_vpc_security_group_ingress_rule" "alb_all_ingress_sg_rule" {
-  security_group_id = aws_security_group.ecs_alb_sg.id
-  to_port           = 8080
-  from_port         = 8080
-  ip_protocol       = "tcp"
-  cidr_ipv4         = "0.0.0.0/0"
-}
-
-# Add a new egress rule to the ECS's security group, allowing ECS to fetch the container images/proxy
-resource "aws_vpc_security_group_egress_rule" "ecs_egress_sg_rule" {
-  security_group_id = aws_security_group.ecs_sg.id
-  to_port           = 65535
-  from_port         = 0
-  ip_protocol       = "tcp"
-  cidr_ipv4         = "0.0.0.0/0"
-}
-
-# Add a new egress rule to the ECS's security group, allowing the ALB to respond to requests
-resource "aws_vpc_security_group_egress_rule" "ecs_alb_egress_sg_rule" {
-  security_group_id = aws_security_group.ecs_alb_sg.id
-  to_port           = 65535
-  from_port         = 0
-  ip_protocol       = "tcp"
-  cidr_ipv4         = "0.0.0.0/0"
-}
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
@@ -6,6 +6,7 @@ resource "aws_lb" "httpd_alb" {
   security_groups            = [aws_security_group.ecs_alb_sg.id]
   subnets                    = local.public_subnet_ids
   enable_deletion_protection = false
+  preserve_host_header       = true
   tags = {
     Service = "U-CS"
   }
@@ -79,4 +80,60 @@ resource "aws_ssm_parameter" "management_console_url" {
     landingPageUrl = "https://www.${data.aws_ssm_parameter.shared-service-domain.value}:4443/${var.project}/${var.venue}/management/ui/landing"
     componentName  = "Management Console"
   })
+}
+
+# Find the MC's ALB's security group (created before unity-proxy)
+data "aws_security_group" "mc_alb_sg" {
+  tags = {
+    Name        = "Unity Management Console Load Balancer SG"
+    Venue       = var.venue
+    ServiceArea = "cs"
+    Proj        = var.project
+  }
+}
+
+# Add a new ingress rule to the MC ALB's security group, allowing the ECS instance to connect
+resource "aws_vpc_security_group_ingress_rule" "ecs_mc_alb_ingress_sg_rule" {
+  security_group_id            = data.aws_security_group.mc_alb_sg.id
+  to_port                      = 8080
+  from_port                    = 8080
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.ecs_sg.id
+}
+
+# Add a new ingress rule to the ECS's security group, allowing the ECS instance to connect
+resource "aws_vpc_security_group_ingress_rule" "ecs_alb_ingress_sg_rule" {
+  security_group_id            = aws_security_group.ecs_sg.id
+  to_port                      = 8080
+  from_port                    = 8080
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.ecs_alb_sg.id
+}
+
+# Add a new ingress rule to the ECS ALB's security group, opening it up to other connections
+#tfsec:ignore:AVD-AWS-0107
+resource "aws_vpc_security_group_ingress_rule" "alb_all_ingress_sg_rule" {
+  security_group_id = aws_security_group.ecs_alb_sg.id
+  to_port           = 8080
+  from_port         = 8080
+  ip_protocol       = "tcp"
+  cidr_ipv4         = "0.0.0.0/0"
+}
+
+# Add a new egress rule to the ECS's security group, allowing ECS to fetch the container images/proxy
+resource "aws_vpc_security_group_egress_rule" "ecs_egress_sg_rule" {
+  security_group_id = aws_security_group.ecs_sg.id
+  to_port           = 65535
+  from_port         = 0
+  ip_protocol       = "tcp"
+  cidr_ipv4         = "0.0.0.0/0"
+}
+
+# Add a new egress rule to the ECS's security group, allowing the ALB to respond to requests
+resource "aws_vpc_security_group_egress_rule" "ecs_alb_egress_sg_rule" {
+  security_group_id = aws_security_group.ecs_alb_sg.id
+  to_port           = 65535
+  from_port         = 0
+  ip_protocol       = "tcp"
+  cidr_ipv4         = "0.0.0.0/0"
 }