[PLT-1312] AB2D listeners and target groups should use HTTPS #1639
… to ab2d" This reverts commit 3eec5fb.
@juliareynolds-nava Semi-related to this PR, I'm working on updating the terraform to remove the properties service in the remove-properties-service branch. Feel free to update anything in your PR to support removing the properties service as it relates to your PR (I trust you more than me!).
gsf left a comment
Looks like a great start but my guess is that the actions checks are not adequately checking whether this new infrastructure works. I believe we'll run into issues with the app using https and requiring TLS certs. Has this configuration been tested in a lower environment?
```terraform
data "aws_acm_certificate" "this" {
  domain = local.parent_env == "prod" ? "api.ab2d.cms.gov" : "${local.parent_env}.ab2d.cms.gov"
}
```
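Review bot: the `aws_acm_certificate` lookup filters on `domain` only, so as soon as a second certificate for that domain exists in the account (for example an expired one next to its renewal, or a pending request) the data source either errors on multiple matches or returns an ARN that is not usable on a listener. Add `statuses = ["ISSUED"]` and `most_recent = true` to the block so the plan deterministically picks the current issued certificate.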
Hmm, so we're using the same certificate for the internal and external load balancers? I suppose that's fine as long as nothing is checking the validity of the certificate on the internal load balancer. I think we need to discuss further about which certificates we're using across these internal resources.
🎫 Ticket
https://jira.cms.gov/browse/PLT-1312
🛠 Changes
AB2D currently uses HTTP target groups, which allows traffic to flow unencrypted from the load balancers to the groups. These groups should be recreated and configured to use HTTPS.
Furthermore, the listeners associated with the internal load balancers 'ab2d--microservices' use HTTP, which allows traffic to flow unencrypted from internal clients to the load balancers. These listeners should be recreated and configured to use HTTPS.
ℹ️ Context
To ensure that ab2d traffic is encrypted at all points.
🧪 Validation
See checks.
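The change described above, written out as an added Terraform example (not the AB2D project's own configuration): an internal application load balancer whose listener terminates TLS with the ACM certificate looked up the same way as in this PR, forwarding to a target group that also uses HTTPS, with port 80 kept only as a redirect. `local.parent_env`, the resource names, the VPC/subnet/security-group variables and the `/health` path are assumptions for the example.

```terraform
# Added example, not the AB2D repository's Terraform. Resource names, the
# parent_env value, the health-check path and every var.* input are assumed.

variable "vpc_id" {}
variable "private_subnet_ids" { type = list(string) }
variable "lb_security_group_id" {}

locals {
  parent_env  = "dev"   # assumed; the project derives this elsewhere
  cert_domain = local.parent_env == "prod" ? "api.ab2d.cms.gov" : "${local.parent_env}.ab2d.cms.gov"
}

# Same lookup pattern as the PR, narrowed so a pending or expired certificate
# with the same domain can never be selected.
data "aws_acm_certificate" "this" {
  domain      = local.cert_domain
  statuses    = ["ISSUED"]
  most_recent = true
}

# HTTPS target group: the load balancer speaks TLS to the targets, so the
# health check must be HTTPS too or every target is marked unhealthy.
resource "aws_lb_target_group" "microservices" {
  name        = "ab2d-${local.parent_env}-microservices"   # assumed name
  vpc_id      = var.vpc_id
  port        = 443
  protocol    = "HTTPS"
  target_type = "ip"

  health_check {
    protocol = "HTTPS"
    path     = "/health"   # assumed path
    matcher  = "200"
  }
}

resource "aws_lb" "internal" {
  name               = "ab2d-${local.parent_env}-internal"   # assumed name
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids
  security_groups    = [var.lb_security_group_id]
}

# HTTPS listener: terminates TLS with the ACM certificate and a TLS 1.2/1.3-only policy.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.internal.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = data.aws_acm_certificate.this.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.microservices.arn
  }
}

# Port 80 stays open only to redirect, so no plaintext request ever reaches
# the target group.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.internal.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Two things to check in a lower environment before relying on the green checks: the targets must actually serve TLS on 443 (an ALB does not validate the target's certificate, so a self-signed one works, but an HTTP-only listener on the container makes the health check fail), and the certificate's domain has to match the hostname internal clients use when they call the internal load balancer, otherwise those clients fail validation or are configured to skip it, which is the concern raised in the review above.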