From fccc0538a1cee33196f81f051f325b53cf247e21 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Mon, 11 Dec 2023 16:57:31 +0000
Subject: [PATCH 1/3] Enable ssl certificate
---
 .../environments/cdpt-chaps/loadbalancer.tf | 34 +++++++------------
 1 file changed, 12 insertions(+), 22 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/loadbalancer.tf b/terraform/environments/cdpt-chaps/loadbalancer.tf
index a9f6887431f..9e917304f2c 100644
--- a/terraform/environments/cdpt-chaps/loadbalancer.tf
+++ b/terraform/environments/cdpt-chaps/loadbalancer.tf
@@ -26,14 +26,6 @@ resource "aws_security_group" "chaps_lb_sc" {
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
-
- egress {
- description = "allow all outbound traffic for port 443"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
 }
 
 resource "aws_lb" "chaps_lb" {
@@ -81,18 +73,16 @@ resource "aws_lb_listener" "listener" {
 }
 }
 
-# resource "aws_lb_listener" "chaps_lb" {
-# depends_on = [
-# aws_acm_certificate.external
-# ]
-# certificate_arn = aws_acm_certificate.external.arn
-# load_balancer_arn = aws_lb.chaps_lb.arn
-# port = 443
-# protocol = "HTTPS"
-# ssl_policy = "ELBSecurityPolicy-2016-08"
+resource "aws_lb_listener" "https_listener" {
+ depends_on = [aws_acm_certificate_validation.external]
 
-# default_action {
-# type = "forward"
-# target_group_arn = aws_lb_target_group.chaps_target_group.arn
-# }
-# }
+ load_balancer_arn = aws_lb.chaps_lb.arn
+ port = "443"
+ protocol = "HTTPS"
+ certificate_arn = format("arn:aws:acm:eu-west-2:%s:certificate/%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].cert_arn)
+
+ default_action {
+ target_group_arn = aws_lb_target_group.chaps_target_group.id
+ type = "forward"
+ }
+}
From 1ba838567f0298fc3cb335bb1c7a4ccb5fa3214c Mon Sep 17 00:00:00 2001
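Review bot: Dropping the port-443 egress leaves no egress rule visible on `chaps_lb_sc` in this hunk, and the load balancer still has to reach the target group, so confirm that another egress rule covering the target port survives outside the hunk. The new HTTPS listener in the second hunk also needs an inbound 443 rule on this same security group, and nothing in this patch adds one; the block that closes just above the removed egress is presumably an existing ingress, but its port is outside the hunk, and without a 443 ingress the listener deploys but is unreachable. `aws_security_group.chaps_lb_sc` starts before the hunk.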
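Review bot: `https_listener` sets no `ssl_policy`, so a listener created without one gets the AWS default ELBSecurityPolicy-2016-08, which still negotiates TLS 1.0 and 1.1; the commented-out block this replaces at least named that policy explicitly, while the new code keeps the same weak baseline silently. Add a TLS 1.2-or-better policy next to `protocol`, for example `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, which would also satisfy the checkov check CKV_AWS_103 that patch 3 of this series suppresses on both listeners. A minor consistency point: `port = "443"` is a string while the HTTP listener uses `port = 80`; use the number for consistency.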
From: Andrew Pepler
Date: Mon, 11 Dec 2023 17:02:33 +0000
Subject: [PATCH 2/3] fix reference
---
 terraform/environments/cdpt-chaps/loadbalancer.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/loadbalancer.tf b/terraform/environments/cdpt-chaps/loadbalancer.tf
index 9e917304f2c..6ad759b141c 100644
--- a/terraform/environments/cdpt-chaps/loadbalancer.tf
+++ b/terraform/environments/cdpt-chaps/loadbalancer.tf
@@ -79,7 +79,7 @@ resource "aws_lb_listener" "https_listener" {
 load_balancer_arn = aws_lb.chaps_lb.arn
 port = "443"
 protocol = "HTTPS"
- certificate_arn = format("arn:aws:acm:eu-west-2:%s:certificate/%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].cert_arn)
+ certificate_arn = aws_acm_certificate.external.arn
 
 default_action {
 target_group_arn = aws_lb_target_group.chaps_target_group.id
From 236dd3f96189ed8c357aed04566482608d764e66 Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Mon, 11 Dec 2023 17:17:52 +0000
Subject: [PATCH 3/3] add exceptions
---
 terraform/environments/cdpt-chaps/loadbalancer.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/terraform/environments/cdpt-chaps/loadbalancer.tf b/terraform/environments/cdpt-chaps/loadbalancer.tf
index 6ad759b141c..af6557d2bdf 100644
--- a/terraform/environments/cdpt-chaps/loadbalancer.tf
+++ b/terraform/environments/cdpt-chaps/loadbalancer.tf
@@ -63,6 +63,7 @@ resource "aws_lb_target_group" "chaps_target_group" {
 }
 
 resource "aws_lb_listener" "listener" {
+ #checkov:skip=CKV_AWS_103
 load_balancer_arn = aws_lb.chaps_lb.arn
 port = 80
 protocol = "HTTP"
@@ -74,6 +75,7 @@ resource "aws_lb_listener" "listener" {
 }
 
 resource "aws_lb_listener" "https_listener" {
+ #checkov:skip=CKV_AWS_103
 depends_on = [aws_acm_certificate_validation.external]
 
 load_balancer_arn = aws_lb.chaps_lb.arn
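Review bot: The `#checkov:skip=CKV_AWS_103` added to `listener` here, and again to `https_listener` in the next hunk, suppresses the finding rather than resolving it: that check asks that a listener enforce TLS 1.2 or better, and `https_listener` can pass it by setting an explicit TLS 1.2/1.3 `ssl_policy` instead of carrying a skip. For the plain HTTP `listener` on port 80 the usual treatment is to replace the forward with a `redirect` default action to port 443 over HTTPS with `status_code = "HTTP_301"`, which the check should then accept; a skip is only justified if clients must keep plain HTTP, and in that case the marker should carry the reason, e.g. `#checkov:skip=CKV_AWS_103:<reason plain HTTP is required>`. Both resource bodies continue past their hunks.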