From a8615653804d5ced3f620b82a95a3902dc1b5a09 Mon Sep 17 00:00:00 2001
From: Mike Lonergan
Date: Sat, 21 Sep 2019 17:05:25 -0700
Subject: [PATCH] Addresses Civic-Devops Issue 215 First attempt at introducing a TLS-redirect at the ALB layer (so that none of our services need to be aware of this)
---
 infrastructure/load-balancers.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/infrastructure/load-balancers.yaml b/infrastructure/load-balancers.yaml
index 2322f79..3a137f3 100644
--- a/infrastructure/load-balancers.yaml
+++ b/infrastructure/load-balancers.yaml
@@ -69,6 +69,26 @@ Resources:
 - Type: forward
 TargetGroupArn: !Ref DefaultTargetGroup
 
+ # ALB global redirect from HTTP to HTTPS
+
+ PublicLoadBalancerHttpRedirectListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ DependsOn:
+ - LoadBalancer
+ Properties:
+ DefaultActions:
+ - RedirectConfig:
+ Host: "#{host}"
+ Path: "/#{path}"
+ Port: 443
+ Protocol: "HTTPS"
+ Query: "#{query}"
+ StatusCode: HTTP_301
+ Type: redirect
+ LoadBalancerArn: !Ref LoadBalancer # don't know how to construct this - see https://stackoverflow.com/questions/52085478/aws-cloudformation-application-load-balancer-how-to-redirect-http-listener-to/53498717#53498717
+ Port: 80
+ Protocol: HTTP
+
 # We define a default target group here, as this is a mandatory Parameter
 # when creating an Application Load Balancer Listener.
 # However, this is not used - instead a target group is created per-service
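Review bot: The inline comment on `LoadBalancerArn` ("don't know how to construct this") leaves it unclear whether the value was ever verified. Assuming `LoadBalancer` is the `AWS::ElasticLoadBalancingV2::LoadBalancer` resource defined elsewhere in this template, `!Ref` returns its ARN, so the line is correct and the comment can become `# !Ref on the ALB resource returns its ARN`; that implicit reference also makes the `DependsOn: - LoadBalancer` entry redundant. The listener that owns the `forward` action in the leading context lines is defined outside this hunk: if it already listens on port 80, this new listener would collide with it, and the plaintext forward would have to be replaced there rather than a second listener added. A 301 only takes effect after the first cleartext request has been sent, so the services behind the ALB still need `Secure` cookies and an HSTS header on the HTTPS side, which is worth stating in the comment above the resource. `Port` in `RedirectConfig` is a string property, so `Port: "443"` would be the safer spelling.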