Add aws.javabin.no redirect to SSO portal

[Alexanderamiri]

Summary

• Creates S3 bucket aws.javabin.no with website redirect to https://javabin.awsapps.com/start
• Route53 alias record in javabin.no zone pointing to S3 website endpoint
• Allows team members to access AWS SSO via aws.javabin.no instead of remembering the awsapps URL

Prerequisites

• Customize the Identity Center portal URL to javabin in the AWS console (Settings → Customize AWS access portal URL)

Test plan

• CI plan shows S3 bucket + website config + Route53 record to add
• After apply, curl -I http://aws.javabin.no returns 301 redirect to https://javabin.awsapps.com/start

[github-actions]

Terraform Plan

🚧 Changes detected — Plan: 5 to add, 0 to change, 0 to destroy.

Plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.cost_analytics.aws_bcmdataexports_export.cur will be created
  + resource "aws_bcmdataexports_export" "cur" {
      + id       = (known after apply)
      + tags_all = {
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }

      + export {
          + export_arn = (known after apply)
          + name       = "javabin-cur"

          + data_query {
              + query_statement      = "SELECT * FROM COST_AND_USAGE_REPORT"
              + table_configurations = {
                  + "COST_AND_USAGE_REPORT" = {
                      + "INCLUDE_MANUAL_DISCOUNT_COMPATIBILITY" = "FALSE"
                      + "INCLUDE_RESOURCES"                     = "TRUE"
                      + "INCLUDE_SPLIT_COST_ALLOCATION_DATA"    = "FALSE"
                      + "TIME_GRANULARITY"                      = "DAILY"
                    }
                }
            }

          + destination_configurations {
              + s3_destination {
                  + s3_bucket = "javabin-cur-553637109631"
                  + s3_prefix = "cur"
                  + s3_region = "eu-central-1"

                  + s3_output_configurations {
                      + compression = "PARQUET"
                      + format      = "PARQUET"
                      + output_type = "CUSTOM"
                      + overwrite   = "OVERWRITE_REPORT"
                    }
                }
            }

          + refresh_cadence {
              + frequency = "SYNCHRONOUS"
            }
        }
    }

  # module.dns.aws_route53_record.sso_redirect will be created
  + resource "aws_route53_record" "sso_redirect" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "aws.javabin.no"
      + type            = "A"
      + zone_id         = "Z02029092SCAPZOF62LM0"

      + alias {
          + evaluate_target_health = false
          + name                   = (known after apply)
          + zone_id                = (known after apply)
        }
    }

  # module.dns.aws_s3_bucket.sso_redirect will be created
  + resource "aws_s3_bucket" "sso_redirect" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "aws.javabin.no"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags                        = {
          + "Name" = "aws.javabin.no-redirect"
        }
      + tags_all                    = {
          + "Name"        = "aws.javabin.no-redirect"
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # module.dns.aws_s3_bucket_public_access_block.sso_redirect will be created
  + resource "aws_s3_bucket_public_access_block" "sso_redirect" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # module.dns.aws_s3_bucket_website_configuration.sso_redirect will be created
  + resource "aws_s3_bucket_website_configuration" "sso_redirect" {
      + bucket           = (known after apply)
      + id               = (known after apply)
      + routing_rules    = (known after apply)
      + website_domain   = (known after apply)
      + website_endpoint = (known after apply)

      + redirect_all_requests_to {
          + host_name = "javabin.awsapps.com"
          + protocol  = "https"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

---

LLM Review

Risk: 🟢 LOW

Plan adds Cost and Usage Report export and creates an S3-based SSO redirect for aws.javabin.no domain with proper security controls.

• ✅ [routine] Creating AWS BCM Data Exports resource for Cost and Usage Report (CUR) with PARQUET format and daily granularity - standard cost analytics infrastructure
• ✅ [routine] Adding S3 bucket website redirect (aws.javabin.no → javabin.awsapps.com) with public access blocks enabled - secure redirect pattern
• ✅ [routine] Route53 alias record created for aws.javabin.no pointing to S3 website endpoint - DNS configuration for SSO redirect
• 💰 [cost] New S3 bucket and BCM Data Exports will incur minimal costs - S3 storage for CUR data and standard export API charges
• 🔒 [security] S3 bucket has public access blocks properly configured (block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets all true) - no public exposure risk