feat: block HTTPS reqeusts except POST

nimisha-gj · nimisha-gj · commit 442484c67ecc · 2024-07-14T15:01:13.000+05:30
diff --git a/modules/alb/main.tf b/modules/alb/main.tf
@@ -3,8 +3,7 @@ resource "aws_lb" "this" {
   internal           = var.load_balancer_internal
   load_balancer_type = var.load_balancer_type
   security_groups    = [aws_security_group.this.id]
-  # subnet-1 , subnet-2
-  subnets = var.public_subnet_ids
+  subnets            = var.public_subnet_ids
 }
 
 resource "aws_security_group" "this" {
diff --git a/modules/ecs/main.tf b/modules/ecs/main.tf
@@ -2,7 +2,6 @@ resource "aws_ecs_cluster" "this" {
   name = var.cluster_name
 }
 
-# extract to iam
 resource "random_pet" "name" {
   length    = 1
   separator = "-"
@@ -22,7 +21,6 @@ resource "aws_iam_instance_profile" "this" {
   name = "${local.iam_instance_profile_name_prefix}-${random_pet.name.id}"
   role = aws_iam_role.instace_role.name
 }
-#
 
 resource "aws_launch_template" "this" {
   name_prefix   = var.launch_template_name_prefix
@@ -36,7 +34,6 @@ echo ECS_CLUSTER=${aws_ecs_cluster.this.name} >> /etc/ecs/ecs.config
 EOF
   )
 
-
   network_interfaces {
     associate_public_ip_address = true
     subnet_id                   = var.private_subnet_ids[0]
@@ -52,7 +49,6 @@ EOF
   }
 }
 
-
 resource "aws_autoscaling_group" "this" {
   desired_capacity    = var.auto_scaling_group_desired_capacity
   max_size            = var.auto_scaling_group_max_size
@@ -98,6 +94,7 @@ resource "aws_ecs_service" "this" {
   }
 
   depends_on = [
+    aws_lb_listener_rule.events_post_rule,
     aws_lb_listener_rule.default_rule,
   ]
 }
@@ -142,8 +139,6 @@ resource "aws_cloudwatch_log_group" "this" {
   retention_in_days = 14
 }
 
-
-
 resource "aws_security_group" "this" {
   name        = "${var.service_name}-ecs-sg"
   description = "${var.service_name} ecs security group"
@@ -200,13 +195,19 @@ resource "aws_lb_target_group" "ip_target" {
   }
 }
 
-resource "aws_lb_listener_rule" "default_rule" {
+resource "aws_lb_listener_rule" "events_post_rule" {
   listener_arn = var.endpoint_details.lb_listener_arn
   priority     = 10
 
   condition {
-    host_header {
-      values = [var.endpoint_details.domain_url]
+    path_pattern {
+      values = ["/events"]
+    }
+  }
+
+  condition {
+    http_request_method {
+      values = ["POST"]
     }
   }
 
@@ -215,3 +216,23 @@ resource "aws_lb_listener_rule" "default_rule" {
     target_group_arn = aws_lb_target_group.ip_target[0].arn
   }
 }
+
+resource "aws_lb_listener_rule" "default_rule" {
+  listener_arn = var.endpoint_details.lb_listener_arn
+  priority     = 20
+
+  condition {
+    path_pattern {
+      values = ["/*"]
+    }
+  }
+
+  action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Not Found"
+      status_code  = "404"
+    }
+  }
+}
diff --git a/modules/network/variables.tf b/modules/network/variables.tf
@@ -16,6 +16,12 @@ variable "private_subnet_cidrs" {
   default     = ["10.0.3.0/24", "10.0.4.0/24"]
 }
 
+variable "region" {
+  description = "Region for creating resources"
+  type        = string
+  default     = "us-east-1"
+}
+
 variable "availability_zones" {
   description = "List of Availability zone where the subnet must reside."
   type        = list(string)

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,7 @@ resource "aws_lb" "this" {`
`3`	`3`	`internal = var.load_balancer_internal`
`4`	`4`	`load_balancer_type = var.load_balancer_type`
`5`	`5`	`security_groups = [aws_security_group.this.id]`
`6`		`- # subnet-1 , subnet-2`
`7`		`- subnets = var.public_subnet_ids`
	`6`	`+ subnets = var.public_subnet_ids`
`8`	`7`	`}`
`9`	`8`
`10`	`9`	`resource "aws_security_group" "this" {`