From 009f5c8a783ff1eb2d31262e60a11d9c481b00ee Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 20 Oct 2025 19:58:47 +0800 Subject: [PATCH 1/5] add "disable_tls" input to provide an option to use https within the VPC --- terraform/040-id-broker/README.md | 1 + terraform/040-id-broker/main.tf | 7 ++++--- terraform/040-id-broker/variables.tf | 6 ++++++ terraform/050-pw-manager/README.md | 1 + terraform/050-pw-manager/main.tf | 7 ++++--- terraform/050-pw-manager/variables.tf | 6 ++++++ terraform/060-simplesamlphp/README.md | 1 + terraform/060-simplesamlphp/main.tf | 7 ++++--- terraform/060-simplesamlphp/variables.tf | 6 ++++++ 9 files changed, 33 insertions(+), 9 deletions(-) diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md index 73d074c0..f78140c7 100644 --- a/terraform/040-id-broker/README.md +++ b/terraform/040-id-broker/README.md @@ -49,6 +49,7 @@ Note 2: `internal_alb_listener_arn` can be omitted if `alb_listener_arn` is prov - `cpu_cron` - How much CPU (AWS CPU units, 1000 = 1 cpu) to allocate to cron service. Default: `128` - `cpu_email` - Amount of CPU (AWS CPU units, 1000 = 1 cpu) to allocate to email container. Default: `64` - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` + - `disable_tls` - Set to "true" to use HTTP within the VPC. Default: `true` - `email_brand_color` - The CSS color to use for branding in emails (e.g. `rgb(0, 93, 154)`). Required for idp-id-broker version 8.0.0 or higher. Default: `"#005D99"` (blue) - `email_brand_logo` - The fully qualified URL to an image for use as logo in emails. Required for idp-id-broker version 8.0.0 or higher. Default: `""` (email header will show a "broken link" icon) - `email_repeat_delay_days` - Don't resend the same type of email to the same user for X days. Default: `31` diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 4ab1cbbc..3c0e8566 100644 
--- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -10,7 +10,7 @@ locals { resource "aws_alb_target_group" "broker" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) port = "80" - protocol = "HTTP" + protocol = var.disable_tls ? "HTTP" : "HTTPS" vpc_id = var.vpc_id deregistration_delay = "30" @@ -19,8 +19,9 @@ resource "aws_alb_target_group" "broker" { } health_check { - path = "/site/status" - matcher = "200,204" + path = "/site/status" + matcher = "200,204" + protocol = var.disable_tls ? "HTTP" : "HTTPS" } } diff --git a/terraform/040-id-broker/variables.tf b/terraform/040-id-broker/variables.tf index e1b7bf4b..120639ac 100644 --- a/terraform/040-id-broker/variables.tf +++ b/terraform/040-id-broker/variables.tf @@ -233,6 +233,12 @@ variable "alb_listener_arn" { default = "" } +variable "disable_tls" { + description = "Set to \"true\" to use HTTP within the VPC" + type = bool + default = true +} + variable "internal_alb_dns_name" { description = <<-EOT The DNS name for the IdP-in-a-Box's internal Application Load Balancer. This can be omitted if `alb_dns_name` is diff --git a/terraform/050-pw-manager/README.md b/terraform/050-pw-manager/README.md index b51ee0e4..9ecf4b20 100644 --- a/terraform/050-pw-manager/README.md +++ b/terraform/050-pw-manager/README.md 
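Review bot: `protocol = var.disable_tls ? "HTTP" : "HTTPS"` on the target group encrypts the ALB-to-task hop but does not authenticate the task: per AWS's own documentation the load balancer does not validate the certificate a target presents, so a self-signed certificate on the container is accepted and the matching `protocol` in the `health_check` hunk only proves TLS was negotiated. That is still a real improvement over plaintext inside the VPC, but an operator reading this file should not assume mutual authentication, so I would add above the line `# HTTPS here only encrypts the ALB->task hop; the ALB does not validate the target's certificate, so this is confidentiality, not target authentication.` As far as I know `protocol` is also a force-new attribute on this resource, so flipping the variable replaces the target group rather than updating it in place, which is worth a word in the same comment. The `aws_alb_target_group` block continues past the end of the hunk.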
@@ -54,6 +54,7 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl - `alerts_email_enabled` - Enable or disabled alert notification emails. Default: `true` - `code_length` - Number of digits in reset code. Default: `"6"` - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` + - `disable_tls` - Set to "true" to use HTTP within the VPC. Default: `true` - `extra_hosts` - Extra hosts for the API task definition, e.g. "\["hostname":"host.example.com","ipAddress":"192.168.1.1"\]" - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `true` - `password_rule_maxlength` - Maximum password length. Default: `"255"` diff --git a/terraform/050-pw-manager/main.tf b/terraform/050-pw-manager/main.tf index 6e4cfd74..341773ef 100644 --- a/terraform/050-pw-manager/main.tf +++ b/terraform/050-pw-manager/main.tf @@ -11,7 +11,7 @@ locals { resource "aws_alb_target_group" "pwmanager" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) port = "80" - protocol = "HTTP" + protocol = var.disable_tls ? "HTTP" : "HTTPS" vpc_id = var.vpc_id deregistration_delay = "30" @@ -20,8 +20,9 @@ resource "aws_alb_target_group" "pwmanager" { } health_check { - path = "/site/system-status" - matcher = "200" + path = "/site/system-status" + matcher = "200" + protocol = var.disable_tls ? "HTTP" : "HTTPS" } } diff --git a/terraform/050-pw-manager/variables.tf b/terraform/050-pw-manager/variables.tf index d2b84919..91d0cefd 100644 --- a/terraform/050-pw-manager/variables.tf +++ b/terraform/050-pw-manager/variables.tf @@ -118,6 +118,12 @@ variable "desired_count" { default = 1 } +variable "disable_tls" { + description = "Set to \"true\" to use HTTP within the VPC" + type = bool + default = true +} + variable "docker_image" { description = "URL to Docker image" type = string 
diff --git a/terraform/060-simplesamlphp/README.md b/terraform/060-simplesamlphp/README.md index 09eb0b9b..ddc45ecf 100644 --- a/terraform/060-simplesamlphp/README.md +++ b/terraform/060-simplesamlphp/README.md @@ -45,6 +45,7 @@ This module is used to create an ECS service running [SimpleSAMLphp](https://sim ## Optional Inputs - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` + - `disable_tls` - Set to "true" to use HTTP within the VPC. Default: `true` - `enable_debug` - Enable debug logs. Default: `false` - `logging_level` - Minimum log level to log. DO NOT use DEBUG in production. Allowed values: ERR, WARNING, NOTICE, INFO, DEBUG. Default: `NOTICE` - `mfa_learn_more_url` - URL to learn more about 2SV during profile review. Default: (link not displayed) diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 09af9685..c2d8cc0a 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -10,13 +10,14 @@ locals { resource "aws_alb_target_group" "ssp" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) port = "80" - protocol = "HTTP" + protocol = var.disable_tls ? "HTTP" : "HTTPS" vpc_id = var.vpc_id deregistration_delay = "30" health_check { - path = "/module.php/silauth/status.php" - matcher = "200" + path = "/module.php/silauth/status.php" + matcher = "200" + protocol = var.disable_tls ? "HTTP" : "HTTPS" } } diff --git a/terraform/060-simplesamlphp/variables.tf b/terraform/060-simplesamlphp/variables.tf index 82f077bf..5e341c96 100644 --- a/terraform/060-simplesamlphp/variables.tf +++ b/terraform/060-simplesamlphp/variables.tf @@ -66,6 +66,12 @@ variable "docker_image" { type = string } +variable "disable_tls" { + description = "Set to \"true\" to use HTTP within the VPC" + type = bool + default = true +} + variable "enable_debug" { description = "Enable debug logs." type = bool 
From ce0b7cc8656ebabe35c03b47cbebcbdfa4b70294 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 20 Oct 2025 20:17:20 +0800 Subject: [PATCH 2/5] set port to 80 or 443 depending on var.disable_tls --- terraform/040-id-broker/main.tf | 3 ++- terraform/040-id-broker/task-definition.json.tftpl | 2 +- terraform/050-pw-manager/main.tf | 3 ++- terraform/050-pw-manager/task-definition-api.json.tftpl | 2 +- terraform/060-simplesamlphp/main.tf | 3 ++- terraform/060-simplesamlphp/task-definition.json.tftpl | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 3c0e8566..a479878f 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -170,6 +170,7 @@ locals { password_mfa_lifespan_extension = var.password_mfa_lifespan_extension password_profile_url = var.password_profile_url password_reuse_limit = var.password_reuse_limit + port = var.disable_tls ? "80" : "443" profile_review_interval = var.profile_review_interval run_task = "" send_get_backup_codes_emails = var.send_get_backup_codes_emails @@ -223,7 +224,7 @@ module "ecsservice" { desired_count = var.desired_count tg_arn = aws_alb_target_group.broker.arn lb_container_name = "web" - lb_container_port = "80" + lb_container_port = var.disable_tls ? "80" : "443" task_role_arn = module.ecs_role.role_arn } diff --git a/terraform/040-id-broker/task-definition.json.tftpl b/terraform/040-id-broker/task-definition.json.tftpl index ba0ae9f9..710ab3b1 100644 --- a/terraform/040-id-broker/task-definition.json.tftpl +++ b/terraform/040-id-broker/task-definition.json.tftpl @@ -8,7 +8,7 @@ "portMappings": [ { "hostPort": 0, - "containerPort": 80, + "containerPort": ${port}, "protocol": "tcp" } ], diff --git a/terraform/050-pw-manager/main.tf b/terraform/050-pw-manager/main.tf index 341773ef..59275ced 100644 --- a/terraform/050-pw-manager/main.tf +++ b/terraform/050-pw-manager/main.tf 
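Review bot: `"containerPort": ${port}` moves the mapping to 443 when TLS is selected, but nothing in this template or elsewhere in the series provisions a certificate and key or tells the web container to terminate TLS, so unless the image already does that on its own the task will keep listening on plain HTTP on 80 and the HTTPS health check on the target group will never pass. Either wire the certificate material into the task (environment or secrets) or state the prerequisite where the option is chosen, e.g. in the `disable_tls` description: `"Set to \"true\" to use HTTP within the VPC; when false the image must itself serve TLS on port 443"`. The dynamic `"hostPort": 0` mapping is unaffected and the string `"80"`/`"443"` interpolated into an unquoted position renders as a JSON number, which is fine. The `portMappings` array belongs to a container definition that starts before the hunk.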
@@ -102,6 +102,7 @@ locals { password_rule_maxlength = var.password_rule_maxlength password_rule_minlength = var.password_rule_minlength password_rule_minscore = var.password_rule_minscore + port = var.disable_tls ? "80" : "443" recaptcha_secret_key = var.recaptcha_secret recaptcha_site_key = var.recaptcha_key sentry_dsn = var.sentry_dsn @@ -124,7 +125,7 @@ module "ecsservice" { desired_count = var.desired_count tg_arn = aws_alb_target_group.pwmanager.arn lb_container_name = "web" - lb_container_port = "80" + lb_container_port = var.disable_tls ? "80" : "443" ecsServiceRole_arn = var.ecsServiceRole_arn task_role_arn = module.ecs_role.role_arn } diff --git a/terraform/050-pw-manager/task-definition-api.json.tftpl b/terraform/050-pw-manager/task-definition-api.json.tftpl index 4747b0c1..b7306ac2 100644 --- a/terraform/050-pw-manager/task-definition-api.json.tftpl +++ b/terraform/050-pw-manager/task-definition-api.json.tftpl @@ -9,7 +9,7 @@ "portMappings": [ { "hostPort": 0, - "containerPort": 80, + "containerPort": ${port}, "protocol": "tcp" } ], diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index c2d8cc0a..0f3e6b35 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -94,6 +94,7 @@ locals { mysql_password = var.mysql_pass mysql_user = var.mysql_user parameter_store_path = local.parameter_store_path + port = var.disable_tls ? "80" : "443" profile_url = var.profile_url recaptcha_key = var.recaptcha_key recaptcha_secret = var.recaptcha_secret @@ -117,7 +118,7 @@ module "ecsservice" { desired_count = var.desired_count tg_arn = aws_alb_target_group.ssp.arn lb_container_name = "web" - lb_container_port = "80" + lb_container_port = var.disable_tls ? "80" : "443" ecsServiceRole_arn = var.ecsServiceRole_arn task_role_arn = module.ecs_role.role_arn } 
diff --git a/terraform/060-simplesamlphp/task-definition.json.tftpl b/terraform/060-simplesamlphp/task-definition.json.tftpl index f602f8c5..61a5119f 100644 --- a/terraform/060-simplesamlphp/task-definition.json.tftpl +++ b/terraform/060-simplesamlphp/task-definition.json.tftpl @@ -9,7 +9,7 @@ "portMappings": [ { "hostPort": 0, - "containerPort": 80, + "containerPort": ${port}, "protocol": "tcp" } ], From 47a1840946a6bc82bbb2e21bcba3137d806b5793 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 20 Oct 2025 20:47:33 +0800 Subject: [PATCH 3/5] add a lifecycle rule to trigger replacement on the listener rule --- terraform/040-id-broker/main.tf | 4 ++++ terraform/050-pw-manager/main.tf | 4 ++++ terraform/060-simplesamlphp/main.tf | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index a479878f..51b2112b 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -45,6 +45,10 @@ resource "aws_alb_listener_rule" "broker" { ] } } + + lifecycle { + replace_triggered_by = [aws_alb_target_group.broker] + } } /* diff --git a/terraform/050-pw-manager/main.tf b/terraform/050-pw-manager/main.tf index 59275ced..b008a097 100644 --- a/terraform/050-pw-manager/main.tf +++ b/terraform/050-pw-manager/main.tf @@ -46,6 +46,10 @@ resource "aws_alb_listener_rule" "pwmanager" { ] } } + + lifecycle { + replace_triggered_by = [aws_alb_target_group.pwmanager] + } } /* diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 0f3e6b35..16a573de 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -41,6 +41,10 @@ resource "aws_alb_listener_rule" "ssp" { ] } } + + lifecycle { + replace_triggered_by = [aws_alb_target_group.ssp] + } } /* From 95ef6e3e5d272b51daa94f87a4eb7b2fc03af941 Mon Sep 17 00:00:00 2001 
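Review bot: the new `replace_triggered_by = [aws_alb_target_group.broker]` block carries no comment, and the reason for it is not obvious from the rule itself: a protocol or port change replaces the target group, and the forwarding rule must be recreated against the new ARN. I would add `# protocol/port changes replace the target group; recreate the rule so it forwards to the new ARN` above the lifecycle block. Because the target group keeps a fixed `name`, create-before-destroy is not available, so toggling the TLS option looks like a destroy-then-create of both resources with the service unreachable in between; that deserves a sentence in the README so the flag is not flipped casually in production. `replace_triggered_by` also needs Terraform 1.2 or newer, so check the module's `required_version` if it is lower. The `aws_alb_listener_rule` block starts before the hunk.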
From: briskt <3172830+briskt@users.noreply.github.com> Date: Mon, 20 Oct 2025 20:51:19 +0800 Subject: [PATCH 4/5] set the target group port to 443 if disable_tls is false --- terraform/040-id-broker/main.tf | 2 +- terraform/050-pw-manager/main.tf | 2 +- terraform/060-simplesamlphp/main.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf index 51b2112b..6c537af7 100644 --- a/terraform/040-id-broker/main.tf +++ b/terraform/040-id-broker/main.tf @@ -9,7 +9,7 @@ locals { */ resource "aws_alb_target_group" "broker" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = "80" + port = var.disable_tls ? 80 : 443 protocol = var.disable_tls ? "HTTP" : "HTTPS" vpc_id = var.vpc_id deregistration_delay = "30" diff --git a/terraform/050-pw-manager/main.tf b/terraform/050-pw-manager/main.tf index b008a097..af573e22 100644 --- a/terraform/050-pw-manager/main.tf +++ b/terraform/050-pw-manager/main.tf @@ -10,7 +10,7 @@ locals { */ resource "aws_alb_target_group" "pwmanager" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = "80" + port = var.disable_tls ? 80 : 443 protocol = var.disable_tls ? "HTTP" : "HTTPS" vpc_id = var.vpc_id deregistration_delay = "30" diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf index 16a573de..3f35fa15 100644 --- a/terraform/060-simplesamlphp/main.tf +++ b/terraform/060-simplesamlphp/main.tf @@ -9,7 +9,7 @@ locals { */ resource "aws_alb_target_group" "ssp" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = "80" + port = var.disable_tls ? 80 : 443 protocol = var.disable_tls ? "HTTP" : "HTTPS" vpc_id = var.vpc_id deregistration_delay = "30" From 27b67f8009b9c55f5dfe051ce0edb84fd9adc038 Mon Sep 17 00:00:00 2001 
From: briskt <3172830+briskt@users.noreply.github.com> Date: Thu, 23 Oct 2025 21:28:36 +0800 Subject: [PATCH 5/5] reverse logic and name the new variable enable_tls --- modules/040-id-broker/README.md | 2 +- modules/040-id-broker/main.tf | 10 +++++----- modules/040-id-broker/variables.tf | 6 +++--- modules/050-pw-manager/README.md | 2 +- modules/050-pw-manager/main.tf | 10 +++++----- modules/050-pw-manager/variables.tf | 6 +++--- modules/060-simplesamlphp/README.md | 2 +- modules/060-simplesamlphp/main.tf | 10 +++++----- modules/060-simplesamlphp/variables.tf | 6 +++--- 9 files changed, 27 insertions(+), 27 deletions(-) diff --git a/modules/040-id-broker/README.md b/modules/040-id-broker/README.md index f78140c7..12637137 100644 --- a/modules/040-id-broker/README.md +++ b/modules/040-id-broker/README.md @@ -49,7 +49,7 @@ Note 2: `internal_alb_listener_arn` can be omitted if `alb_listener_arn` is prov - `cpu_cron` - How much CPU (AWS CPU units, 1000 = 1 cpu) to allocate to cron service. Default: `128` - `cpu_email` - Amount of CPU (AWS CPU units, 1000 = 1 cpu) to allocate to email container. Default: `64` - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` - - `disable_tls` - Set to "true" to use HTTP within the VPC. Default: `true` + - `enable_tls` - Set to "true" to use HTTPS within the VPC. Default: `false` - `email_brand_color` - The CSS color to use for branding in emails (e.g. `rgb(0, 93, 154)`). Required for idp-id-broker version 8.0.0 or higher. Default: `"#005D99"` (blue) - `email_brand_logo` - The fully qualified URL to an image for use as logo in emails. Required for idp-id-broker version 8.0.0 or higher. Default: `""` (email header will show a "broken link" icon) - `email_repeat_delay_days` - Don't resend the same type of email to the same user for X days. Default: `31` diff --git a/modules/040-id-broker/main.tf b/modules/040-id-broker/main.tf index 6c537af7..92f90aab 100644 
--- a/modules/040-id-broker/main.tf +++ b/modules/040-id-broker/main.tf @@ -9,8 +9,8 @@ locals { */ resource "aws_alb_target_group" "broker" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = var.disable_tls ? 80 : 443 - protocol = var.disable_tls ? "HTTP" : "HTTPS" + port = var.enable_tls ? 443 : 80 + protocol = var.enable_tls ? "HTTPS" : "HTTP" vpc_id = var.vpc_id deregistration_delay = "30" @@ -21,7 +21,7 @@ resource "aws_alb_target_group" "broker" { health_check { path = "/site/status" matcher = "200,204" - protocol = var.disable_tls ? "HTTP" : "HTTPS" + protocol = var.enable_tls ? "HTTPS" : "HTTP" } } @@ -174,7 +174,7 @@ locals { password_mfa_lifespan_extension = var.password_mfa_lifespan_extension password_profile_url = var.password_profile_url password_reuse_limit = var.password_reuse_limit - port = var.disable_tls ? "80" : "443" + port = var.enable_tls ? "443" : "80" profile_review_interval = var.profile_review_interval run_task = "" send_get_backup_codes_emails = var.send_get_backup_codes_emails @@ -228,7 +228,7 @@ module "ecsservice" { desired_count = var.desired_count tg_arn = aws_alb_target_group.broker.arn lb_container_name = "web" - lb_container_port = var.disable_tls ? "80" : "443" + lb_container_port = var.enable_tls ? "443" : "80" task_role_arn = module.ecs_role.role_arn } diff --git a/modules/040-id-broker/variables.tf b/modules/040-id-broker/variables.tf index 120639ac..49afcc20 100644 --- a/modules/040-id-broker/variables.tf +++ b/modules/040-id-broker/variables.tf @@ -233,10 +233,10 @@ variable "alb_listener_arn" { default = "" } -variable "disable_tls" { - description = "Set to \"true\" to use HTTP within the VPC" +variable "enable_tls" { + description = "Set to \"true\" to use HTTPS within the VPC" type = bool - default = true + default = false } variable "internal_alb_dns_name" { diff --git a/modules/050-pw-manager/README.md b/modules/050-pw-manager/README.md index 9ecf4b20..01ffc7cc 100644 
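Review bot: the description `Set to \"true\" to use HTTPS within the VPC` leaves out what the operator must provide and what they actually get: the container image has to serve TLS on 443 itself, since nothing in the module supplies a certificate, and the ALB does not validate the target certificate, so the option encrypts the ALB-to-task hop without authenticating the task. Suggest `description = "Set to \"true\" to have the ALB connect to the web container over HTTPS on port 443. The image must terminate TLS itself; the ALB does not validate the target certificate."` The pw-manager and simplesamlphp modules use the same wording and should be updated together. Defaulting to `false` is a sensible compatibility choice, but it means traffic for an identity broker, which presumably carries credentials and tokens, crosses the VPC in plaintext unless an operator opts in, and the README should say that plainly.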
--- a/modules/050-pw-manager/README.md +++ b/modules/050-pw-manager/README.md @@ -54,7 +54,7 @@ The password manager UI can be deployed using the [silinternatonal/pages/cloudfl - `alerts_email_enabled` - Enable or disabled alert notification emails. Default: `true` - `code_length` - Number of digits in reset code. Default: `"6"` - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` - - `disable_tls` - Set to "true" to use HTTP within the VPC. Default: `true` + - `enable_tls` - Set to "true" to use HTTPS within the VPC. Default: `false` - `extra_hosts` - Extra hosts for the API task definition, e.g. "\["hostname":"host.example.com","ipAddress":"192.168.1.1"\]" - `password_rule_enablehibp` - Enable haveibeenpwned.com password check. Default: `true` - `password_rule_maxlength` - Maximum password length. Default: `"255"` diff --git a/modules/050-pw-manager/main.tf b/modules/050-pw-manager/main.tf index af573e22..20f7b317 100644 --- a/modules/050-pw-manager/main.tf +++ b/modules/050-pw-manager/main.tf @@ -10,8 +10,8 @@ locals { */ resource "aws_alb_target_group" "pwmanager" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = var.disable_tls ? 80 : 443 - protocol = var.disable_tls ? "HTTP" : "HTTPS" + port = var.enable_tls ? 443 : 80 + protocol = var.enable_tls ? "HTTPS" : "HTTP" vpc_id = var.vpc_id deregistration_delay = "30" @@ -22,7 +22,7 @@ resource "aws_alb_target_group" "pwmanager" { health_check { path = "/site/system-status" matcher = "200" - protocol = var.disable_tls ? "HTTP" : "HTTPS" + protocol = var.enable_tls ? "HTTPS" : "HTTP" } } 
@@ -106,7 +106,7 @@ locals { password_rule_maxlength = var.password_rule_maxlength password_rule_minlength = var.password_rule_minlength password_rule_minscore = var.password_rule_minscore - port = var.disable_tls ? "80" : "443" + port = var.enable_tls ? "443" : "80" recaptcha_secret_key = var.recaptcha_secret recaptcha_site_key = var.recaptcha_key sentry_dsn = var.sentry_dsn @@ -129,7 +129,7 @@ module "ecsservice" { desired_count = var.desired_count tg_arn = aws_alb_target_group.pwmanager.arn lb_container_name = "web" - lb_container_port = var.disable_tls ? "80" : "443" + lb_container_port = var.enable_tls ? "443" : "80" ecsServiceRole_arn = var.ecsServiceRole_arn task_role_arn = module.ecs_role.role_arn } diff --git a/modules/050-pw-manager/variables.tf b/modules/050-pw-manager/variables.tf index 91d0cefd..a9c6403b 100644 --- a/modules/050-pw-manager/variables.tf +++ b/modules/050-pw-manager/variables.tf @@ -118,10 +118,10 @@ variable "desired_count" { default = 1 } -variable "disable_tls" { - description = "Set to \"true\" to use HTTP within the VPC" +variable "enable_tls" { + description = "Set to \"true\" to use HTTPS within the VPC" type = bool - default = true + default = false } variable "docker_image" { diff --git a/modules/060-simplesamlphp/README.md b/modules/060-simplesamlphp/README.md index ddc45ecf..9e2cea68 100644 --- a/modules/060-simplesamlphp/README.md +++ b/modules/060-simplesamlphp/README.md 
@@ -45,7 +45,7 @@ This module is used to create an ECS service running [SimpleSAMLphp](https://sim ## Optional Inputs - `create_dns_record` - Controls creation of a DNS CNAME record for the ECS service. Default: `true` - - `disable_tls` - Set to "true" to use HTTP within the VPC. Default: `true` + - `enable_tls` - Set to "true" to use HTTPS within the VPC. Default: `false` - `enable_debug` - Enable debug logs. Default: `false` - `logging_level` - Minimum log level to log. DO NOT use DEBUG in production. Allowed values: ERR, WARNING, NOTICE, INFO, DEBUG. Default: `NOTICE` - `mfa_learn_more_url` - URL to learn more about 2SV during profile review. Default: (link not displayed) diff --git a/modules/060-simplesamlphp/main.tf b/modules/060-simplesamlphp/main.tf index 3f35fa15..58dd8c40 100644 --- a/modules/060-simplesamlphp/main.tf +++ b/modules/060-simplesamlphp/main.tf @@ -9,15 +9,15 @@ locals { */ resource "aws_alb_target_group" "ssp" { name = substr("tg-${var.idp_name}-${var.app_name}-${var.app_env}", 0, 32) - port = var.disable_tls ? 80 : 443 - protocol = var.disable_tls ? "HTTP" : "HTTPS" + port = var.enable_tls ? 443 : 80 + protocol = var.enable_tls ? "HTTPS" : "HTTP" vpc_id = var.vpc_id deregistration_delay = "30" health_check { path = "/module.php/silauth/status.php" matcher = "200" - protocol = var.disable_tls ? "HTTP" : "HTTPS" + protocol = var.enable_tls ? "HTTPS" : "HTTP" } } @@ -98,7 +98,7 @@ locals { mysql_password = var.mysql_pass mysql_user = var.mysql_user parameter_store_path = local.parameter_store_path - port = var.disable_tls ? "80" : "443" + port = var.enable_tls ? "443" : "80" profile_url = var.profile_url recaptcha_key = var.recaptcha_key recaptcha_secret = var.recaptcha_secret 
@@ -122,7 +122,7 @@ module "ecsservice" { desired_count = var.desired_count tg_arn = aws_alb_target_group.ssp.arn lb_container_name = "web" - lb_container_port = var.disable_tls ? "80" : "443" + lb_container_port = var.enable_tls ? "443" : "80" ecsServiceRole_arn = var.ecsServiceRole_arn task_role_arn = module.ecs_role.role_arn } diff --git a/modules/060-simplesamlphp/variables.tf b/modules/060-simplesamlphp/variables.tf index 5e341c96..c3a050f8 100644 --- a/modules/060-simplesamlphp/variables.tf +++ b/modules/060-simplesamlphp/variables.tf @@ -66,10 +66,10 @@ variable "docker_image" { type = string } -variable "disable_tls" { - description = "Set to \"true\" to use HTTP within the VPC" +variable "enable_tls" { + description = "Set to \"true\" to use HTTPS within the VPC" type = bool - default = true + default = false } variable "enable_debug" {
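Review bot: `variable "enable_tls"` lands between `docker_image` and `enable_debug`, which breaks the alphabetical order the neighbouring declarations appear to follow, since `enable_debug` sorts before `enable_tls`; moving the block to just after `enable_debug` keeps the file sorted. The position was inherited from `disable_tls`, which did sort correctly there, so the rename is what created the drift. If the file is not meant to be alphabetical this can be ignored.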