Merge pull request #315 from sil-org/https

briskt · web-flow · commit 9ebae7d7244f · 2025-10-23T21:41:28.000+08:00
Release 14.1.0 -- in-transit encryption
diff --git a/modules/040-id-broker/README.md b/modules/040-id-broker/README.md
@@ -49,6 +49,7 @@ Note 2: `internal_alb_listener_arn` can be omitted if `alb_listener_arn` is prov
  - `cpu_cron` - How much CPU (AWS CPU units, 1000 = 1 cpu) to allocate to cron service. Default: `128`
  - `cpu_email` - Amount of CPU (AWS CPU units, 1000 = 1 cpu) to allocate to email container. Default: `64`
  - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true`
+ - `enable_tls` - Set to "true" to use HTTPS within the VPC. Default: `false`
  - `email_brand_color` - The CSS color to use for branding in emails (e.g. `rgb(0, 93, 154)`). Required for idp-id-broker version 8.0.0 or higher. Default: `"#005D99"` (blue)
  - `email_brand_logo` - The fully qualified URL to an image for use as logo in emails. Required for idp-id-broker version 8.0.0 or higher. Default: `""` (email header will show a "broken link" icon)
  - `email_repeat_delay_days` - Don't resend the same type of email to the same user for X days. Default: `31`
diff --git a/modules/040-id-broker/main.tf b/modules/040-id-broker/main.tf
@@ -9,8 +9,8 @@ locals {
  */
 resource "aws_alb_target_group" "broker" {
   name                 = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32)
-  port                 = "80"
-  protocol             = "HTTP"
+  port                 = var.enable_tls ? 443 : 80
+  protocol             = var.enable_tls ? "HTTPS" : "HTTP"
   vpc_id               = var.vpc_id
   deregistration_delay = "30"
 
@@ -19,8 +19,9 @@ resource "aws_alb_target_group" "broker" {
   }
 
   health_check {
-    path    = "/site/status"
-    matcher = "200,204"
+    path     = "/site/status"
+    matcher  = "200,204"
+    protocol = var.enable_tls ? "HTTPS" : "HTTP"
   }
 }
 
@@ -173,6 +174,7 @@ locals {
     password_mfa_lifespan_extension            = var.password_mfa_lifespan_extension
     password_profile_url                       = var.password_profile_url
     password_reuse_limit                       = var.password_reuse_limit
+    port                                       = var.enable_tls ? "443" : "80"
     profile_review_interval                    = var.profile_review_interval
     run_task                                   = ""
     send_get_backup_codes_emails               = var.send_get_backup_codes_emails
@@ -226,7 +228,7 @@ module "ecsservice" {
   desired_count      = var.desired_count
   tg_arn             = aws_alb_target_group.broker.arn
   lb_container_name  = "web"
-  lb_container_port  = "80"
+  lb_container_port  = var.enable_tls ? "443" : "80"
   task_role_arn      = module.ecs_role.role_arn
 }
 
diff --git a/modules/040-id-broker/task-definition.json.tftpl b/modules/040-id-broker/task-definition.json.tftpl
@@ -8,7 +8,7 @@
     "portMappings": [
       {
         "hostPort": 0,
-        "containerPort": 80,
+        "containerPort": ${port},
         "protocol": "tcp"
       }
     ],
diff --git a/modules/040-id-broker/variables.tf b/modules/040-id-broker/variables.tf
@@ -233,6 +233,12 @@ variable "alb_listener_arn" {
   default     = ""
 }
 
+variable "enable_tls" {
+  description = "Set to \"true\" to use HTTPS within the VPC"
+  type        = bool
+  default     = false
+}
+
 variable "internal_alb_dns_name" {
   description = <<-EOT
     The DNS name for the IdP-in-a-Box's internal Application Load Balancer. This can be omitted if `alb_dns_name` is
diff --git a/modules/050-pw-manager/README.md b/modules/050-pw-manager/README.md
@@ -54,6 +54,7 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl
  - `alerts_email_enabled` - Enable or disabled alert notification emails. Default: `true`
  - `code_length` - Number of digits in reset code. Default: `"6"`
  - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true`
+ - `enable_tls` - Set to "true" to use HTTPS within the VPC. Default: `false`
  - `extra_hosts` - Extra hosts for the API task definition, e.g. "\["hostname":"host.example.com","ipAddress":"192.168.1.1"\]"
  - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `true`
  - `password_rule_maxlength` - Maximum password length. Default: `"255"`
diff --git a/modules/050-pw-manager/main.tf b/modules/050-pw-manager/main.tf
@@ -10,8 +10,8 @@ locals {
  */
 resource "aws_alb_target_group" "pwmanager" {
   name                 = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32)
-  port                 = "80"
-  protocol             = "HTTP"
+  port                 = var.enable_tls ? 443 : 80
+  protocol             = var.enable_tls ? "HTTPS" : "HTTP"
   vpc_id               = var.vpc_id
   deregistration_delay = "30"
 
@@ -20,8 +20,9 @@ resource "aws_alb_target_group" "pwmanager" {
   }
 
   health_check {
-    path    = "/site/system-status"
-    matcher = "200"
+    path     = "/site/system-status"
+    matcher  = "200"
+    protocol = var.enable_tls ? "HTTPS" : "HTTP"
   }
 }
 
@@ -105,6 +106,7 @@ locals {
     password_rule_maxlength             = var.password_rule_maxlength
     password_rule_minlength             = var.password_rule_minlength
     password_rule_minscore              = var.password_rule_minscore
+    port                                = var.enable_tls ? "443" : "80"
     recaptcha_secret_key                = var.recaptcha_secret
     recaptcha_site_key                  = var.recaptcha_key
     sentry_dsn                          = var.sentry_dsn
@@ -127,7 +129,7 @@ module "ecsservice" {
   desired_count      = var.desired_count
   tg_arn             = aws_alb_target_group.pwmanager.arn
   lb_container_name  = "web"
-  lb_container_port  = "80"
+  lb_container_port  = var.enable_tls ? "443" : "80"
   ecsServiceRole_arn = var.ecsServiceRole_arn
   task_role_arn      = module.ecs_role.role_arn
 }
diff --git a/modules/050-pw-manager/task-definition-api.json.tftpl b/modules/050-pw-manager/task-definition-api.json.tftpl
@@ -9,7 +9,7 @@
     "portMappings": [
       {
         "hostPort": 0,
-        "containerPort": 80,
+        "containerPort": ${port},
         "protocol": "tcp"
       }
     ],
diff --git a/modules/050-pw-manager/variables.tf b/modules/050-pw-manager/variables.tf
@@ -118,6 +118,12 @@ variable "desired_count" {
   default     = 1
 }
 
+variable "enable_tls" {
+  description = "Set to \"true\" to use HTTPS within the VPC"
+  type        = bool
+  default     = false
+}
+
 variable "docker_image" {
   description = "URL to Docker image"
   type        = string
diff --git a/modules/060-simplesamlphp/README.md b/modules/060-simplesamlphp/README.md
@@ -45,6 +45,7 @@ This module is used to create an ECS service running [SimpleSAMLphp](https://sim
 ## Optional Inputs
 
  - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true`
+ - `enable_tls` - Set to "true" to use HTTPS within the VPC. Default: `false`
  - `enable_debug` - Enable debug logs. Default: `false`
  - `logging_level` - Minimum log level to log. DO NOT use DEBUG in production. Allowed values: ERR, WARNING, NOTICE, INFO, DEBUG. Default: `NOTICE`
  - `mfa_learn_more_url` - URL to learn more about 2SV during profile review. Default: (link not displayed)
diff --git a/modules/060-simplesamlphp/main.tf b/modules/060-simplesamlphp/main.tf
@@ -9,14 +9,15 @@ locals {
  */
 resource "aws_alb_target_group" "ssp" {
   name                 = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32)
-  port                 = "80"
-  protocol             = "HTTP"
+  port                 = var.enable_tls ? 443 : 80
+  protocol             = var.enable_tls ? "HTTPS" : "HTTP"
   vpc_id               = var.vpc_id
   deregistration_delay = "30"
 
   health_check {
-    path    = "/module.php/silauth/status.php"
-    matcher = "200"
+    path     = "/module.php/silauth/status.php"
+    matcher  = "200"
+    protocol = var.enable_tls ? "HTTPS" : "HTTP"
   }
 }
 
@@ -97,6 +98,7 @@ locals {
     mysql_password              = var.mysql_pass
     mysql_user                  = var.mysql_user
     parameter_store_path        = local.parameter_store_path
+    port                        = var.enable_tls ? "443" : "80"
     profile_url                 = var.profile_url
     recaptcha_key               = var.recaptcha_key
     recaptcha_secret            = var.recaptcha_secret
@@ -120,7 +122,7 @@ module "ecsservice" {
   desired_count      = var.desired_count
   tg_arn             = aws_alb_target_group.ssp.arn
   lb_container_name  = "web"
-  lb_container_port  = "80"
+  lb_container_port  = var.enable_tls ? "443" : "80"
   ecsServiceRole_arn = var.ecsServiceRole_arn
   task_role_arn      = module.ecs_role.role_arn
 }
diff --git a/modules/060-simplesamlphp/task-definition.json.tftpl b/modules/060-simplesamlphp/task-definition.json.tftpl
@@ -9,7 +9,7 @@
     "portMappings": [
       {
         "hostPort": 0,
-        "containerPort": 80,
+        "containerPort": ${port},
         "protocol": "tcp"
       }
     ],
diff --git a/modules/060-simplesamlphp/variables.tf b/modules/060-simplesamlphp/variables.tf
@@ -66,6 +66,12 @@ variable "docker_image" {
   type        = string
 }
 
+variable "enable_tls" {
+  description = "Set to \"true\" to use HTTPS within the VPC"
+  type        = bool
+  default     = false
+}
+
 variable "enable_debug" {
   description = "Enable debug logs."
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`"portMappings": [`
`9`	`9`	`{`
`10`	`10`	`"hostPort": 0,`
`11`		`- "containerPort": 80,`
	`11`	`+ "containerPort": ${port},`
`12`	`12`	`"protocol": "tcp"`
`13`	`13`	`}`
`14`	`14`	`],`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`"portMappings": [`
`10`	`10`	`{`
`11`	`11`	`"hostPort": 0,`
`12`		`- "containerPort": 80,`
	`12`	`+ "containerPort": ${port},`
`13`	`13`	`"protocol": "tcp"`
`14`	`14`	`}`
`15`	`15`	`],`