http redirect listener

2020-04-10 17:49:27 -07:00 · 2020-04-10 17:49:27 -07:00 · 7d77ac588c
parent 326724f39d
commit 7d77ac588c
1 changed files with 23 additions and 6 deletions
--- a/load-balancer.tf
+++ b/load-balancer.tf
@ -51,13 +51,30 @@ resource "aws_lb_target_group" "alb_targets" {
 }

 ## Load Balancer Listeners
-##
-## Note: There is NO HTTP listener.  Yes, the convention is to set one up and
-## then force a redirect to HTTPS.  However, this presents a scenario where
-## some genius sends up a requet with their token or credentials over HTTP
-## and is then redirected to HTTPS.  During that redirect, the credentials
-## would be exposed.

+### Redirect to HTTPS
+resource "aws_lb_listener" "alb_http_redirect" {
+  load_balancer_arn = aws_lb.alb.arn
+  port = 80
+  protocol = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    // For information on the below reserved keywords
+    // https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#rule-action-types
+    redirect {
+      host = "#{host}"
+      path = "/#{path}"
+      port = 443
+      protocol = "HTTPS"
+      query = "#{query}"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+### HTTPS
 resource "aws_lb_listener" "alb_https" {
  load_balancer_arn = aws_lb.alb.arn
  port = 443