Add HTTPS support for aws.javabin.no redirect #112

Merged
Alexanderamiri merged 1 commit into main from feat/sso-redirect-https on Mar 27, 2026

@Alexanderamiri

Summary

  • Adds ACM certificate in us-east-1 with DNS validation for aws.javabin.no
  • CloudFront distribution fronts the S3 redirect bucket with HTTPS
  • Route53 alias now points to CloudFront instead of S3 directly
  • Adds AAAA record for IPv6 support

Test plan

  • CI plan passes
  • After apply, curl -I https://aws.javabin.no returns 301 to https://javabin.awsapps.com/start
  • Note: CloudFront distribution takes ~5 min to deploy, ACM cert validation takes a few minutes

Adds ACM certificate (us-east-1), CloudFront distribution, and IPv6
support for the SSO portal redirect. Both HTTP and HTTPS on
aws.javabin.no now redirect to javabin.awsapps.com/start.
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner March 27, 2026 00:10
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 6 to add, 1 to change, 0 to destroy.

Plan output
Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # module.cost_analytics.aws_bcmdataexports_export.cur will be created
  + resource "aws_bcmdataexports_export" "cur" {
      + id       = (known after apply)
      + tags_all = {
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }

      + export {
          + export_arn = (known after apply)
          + name       = "javabin-cur"

          + data_query {
              + query_statement      = "SELECT * FROM COST_AND_USAGE_REPORT"
              + table_configurations = {
                  + "COST_AND_USAGE_REPORT" = {
                      + "INCLUDE_MANUAL_DISCOUNT_COMPATIBILITY" = "FALSE"
                      + "INCLUDE_RESOURCES"                     = "TRUE"
                      + "INCLUDE_SPLIT_COST_ALLOCATION_DATA"    = "FALSE"
                      + "TIME_GRANULARITY"                      = "DAILY"
                    }
                }
            }

          + destination_configurations {
              + s3_destination {
                  + s3_bucket = "javabin-cur-553637109631"
                  + s3_prefix = "cur"
                  + s3_region = "eu-central-1"

                  + s3_output_configurations {
                      + compression = "PARQUET"
                      + format      = "PARQUET"
                      + output_type = "CUSTOM"
                      + overwrite   = "OVERWRITE_REPORT"
                    }
                }
            }

          + refresh_cadence {
              + frequency = "SYNCHRONOUS"
            }
        }
    }

  # module.dns.aws_acm_certificate.sso_redirect will be created
  + resource "aws_acm_certificate" "sso_redirect" {
      + arn                       = (known after apply)
      + domain_name               = "aws.javabin.no"
      + domain_validation_options = [
          + {
              + domain_name           = "aws.javabin.no"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + key_algorithm             = (known after apply)
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "aws.javabin.no",
        ]
      + tags                      = {
          + "Name" = "aws.javabin.no"
        }
      + tags_all                  = {
          + "Name"        = "aws.javabin.no"
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"
    }

  # module.dns.aws_acm_certificate_validation.sso_redirect will be created
  + resource "aws_acm_certificate_validation" "sso_redirect" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + validation_record_fqdns = (known after apply)
    }

  # module.dns.aws_cloudfront_distribution.sso_redirect will be created
  + resource "aws_cloudfront_distribution" "sso_redirect" {
      + aliases                         = [
          + "aws.javabin.no",
        ]
      + arn                             = (known after apply)
      + caller_reference                = (known after apply)
      + comment                         = "aws.javabin.no → SSO portal redirect"
      + continuous_deployment_policy_id = (known after apply)
      + domain_name                     = (known after apply)
      + enabled                         = true
      + etag                            = (known after apply)
      + hosted_zone_id                  = (known after apply)
      + http_version                    = "http2"
      + id                              = (known after apply)
      + in_progress_validation_batches  = (known after apply)
      + is_ipv6_enabled                 = true
      + last_modified_time              = (known after apply)
      + price_class                     = "PriceClass_100"
      + retain_on_delete                = false
      + staging                         = false
      + status                          = (known after apply)
      + tags                            = {
          + "Name" = "aws.javabin.no-redirect"
        }
      + tags_all                        = {
          + "Name"        = "aws.javabin.no-redirect"
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }
      + trusted_key_groups              = (known after apply)
      + trusted_signers                 = (known after apply)
      + wait_for_deployment             = true

      + default_cache_behavior {
          + allowed_methods        = [
              + "GET",
              + "HEAD",
            ]
          + cached_methods         = [
              + "GET",
              + "HEAD",
            ]
          + compress               = true
          + default_ttl            = 86400
          + max_ttl                = 86400
          + min_ttl                = 0
          + target_origin_id       = "s3-redirect"
          + trusted_key_groups     = (known after apply)
          + trusted_signers        = (known after apply)
          + viewer_protocol_policy = "redirect-to-https"

          + forwarded_values {
              + headers                 = (known after apply)
              + query_string            = false
              + query_string_cache_keys = (known after apply)

              + cookies {
                  + forward           = "none"
                  + whitelisted_names = (known after apply)
                }
            }
        }

      + origin {
          + connection_attempts = 3
          + connection_timeout  = 10
          + domain_name         = "aws.javabin.no.s3-website.eu-central-1.amazonaws.com"
          + origin_id           = "s3-redirect"

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "http-only"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1.2",
                ]
            }
        }

      + restrictions {
          + geo_restriction {
              + locations        = (known after apply)
              + restriction_type = "none"
            }
        }

      + viewer_certificate {
          + acm_certificate_arn      = (known after apply)
          + minimum_protocol_version = "TLSv1.2_2021"
          + ssl_support_method       = "sni-only"
        }
    }

  # module.dns.aws_route53_record.sso_redirect will be updated in-place
  ~ resource "aws_route53_record" "sso_redirect" {
        id                               = "Z02029092SCAPZOF62LM0_aws.javabin.no_A"
        name                             = "aws.javabin.no"
        # (6 unchanged attributes hidden)

      ~ alias {
          ~ name                   = "s3-website.eu-central-1.amazonaws.com" -> (known after apply)
          ~ zone_id                = "Z21DNDUVLTQW6Q" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

  # module.dns.aws_route53_record.sso_redirect_aaaa will be created
  + resource "aws_route53_record" "sso_redirect_aaaa" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "aws.javabin.no"
      + type            = "AAAA"
      + zone_id         = "Z02029092SCAPZOF62LM0"

      + alias {
          + evaluate_target_health = false
          + name                   = (known after apply)
          + zone_id                = (known after apply)
        }
    }

  # module.dns.aws_route53_record.sso_redirect_cert_validation["aws.javabin.no"] will be created
  + resource "aws_route53_record" "sso_redirect_cert_validation" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 300
      + type            = (known after apply)
      + zone_id         = "Z02029092SCAPZOF62LM0"
    }

Plan: 6 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Plan adds new cost analytics export and SSO redirect infrastructure with CloudFront distribution and ACM certificate, with no destructive changes or security concerns.

  • [routine] Creating AWS BCM Data Exports resource for Cost and Usage Report (CUR) export to S3 with PARQUET format and daily granularity - standard cost analytics infrastructure
  • [routine] Adding CloudFront distribution for aws.javabin.no SSO redirect with HTTP-to-HTTPS enforcement and S3 website origin - improves availability and performance
  • [routine] Creating ACM certificate for aws.javabin.no with DNS validation - standard TLS certificate provisioning
  • 💰 [cost] New CloudFront distribution will incur data transfer and request charges; minimal impact given PriceClass_100 configuration and redirect-only use case
  • [routine] Updating Route53 alias record for aws.javabin.no to point to CloudFront distribution instead of S3 website endpoint - expected DNS migration
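
The TLS-relevant settings in the plan above can be gated in CI before apply. This is an added example, not part of this pull request or the javaBin/platform repository: a check over `terraform show -json tfplan` output, where `check_plan`, the severity labels and the accepted TLS baseline are assumptions and `SAMPLE_PLAN` is constructed from the values shown in the plan.

```python
# Added example: policy gate over `terraform show -json tfplan` output.
# SAMPLE_PLAN is constructed from the values shown in the plan above.

OK_VIEWER_POLICIES = {"redirect-to-https", "https-only"}
OK_TLS_PREFIXES = ("TLSv1.2", "TLSv1.3")  # assumed baseline, adjust to your policy


def first(block):
    """Nested blocks appear as single-element lists in plan JSON."""
    return block[0] if block else {}


def check_plan(plan):
    """Return (severity, address, message) tuples for CloudFront changes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")  # None when the resource is deleted
        if rc.get("type") != "aws_cloudfront_distribution" or not after:
            continue
        addr = rc["address"]
        policy = first(after.get("default_cache_behavior")).get("viewer_protocol_policy")
        if policy not in OK_VIEWER_POLICIES:
            findings.append(("FAIL", addr, f"viewer_protocol_policy={policy!r} serves plain HTTP"))
        min_tls = first(after.get("viewer_certificate")).get("minimum_protocol_version") or ""
        if not min_tls.startswith(OK_TLS_PREFIXES):
            findings.append(("FAIL", addr, f"minimum_protocol_version={min_tls!r} below TLS 1.2"))
        for origin in after.get("origin", []):
            cfg = first(origin.get("custom_origin_config"))
            if cfg.get("origin_protocol_policy") == "http-only":
                # S3 website endpoints speak HTTP only, so this hop cannot be upgraded.
                sev = "INFO" if ".s3-website" in origin.get("domain_name", "") else "FAIL"
                findings.append((sev, addr, f"origin {origin.get('origin_id')} fetched over HTTP"))
    return findings


SAMPLE_PLAN = {"resource_changes": [{
    "address": "module.dns.aws_cloudfront_distribution.sso_redirect",
    "type": "aws_cloudfront_distribution",
    "change": {"actions": ["create"], "after": {
        "default_cache_behavior": [{"viewer_protocol_policy": "redirect-to-https"}],
        "viewer_certificate": [{"minimum_protocol_version": "TLSv1.2_2021",
                                "ssl_support_method": "sni-only"}],
        "origin": [{"origin_id": "s3-redirect",
                    "domain_name": "aws.javabin.no.s3-website.eu-central-1.amazonaws.com",
                    "custom_origin_config": [{"origin_protocol_policy": "http-only"}]}],
    }},
}]}

if __name__ == "__main__":
    for severity, address, message in check_plan(SAMPLE_PLAN):
        print(f"{severity} {address}: {message}")
```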

@Alexanderamiri Alexanderamiri merged commit 0358417 into main Mar 27, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the feat/sso-redirect-https branch March 27, 2026 00:11
Alexanderamiri added a commit that referenced this pull request May 9, 2026
## Summary
- Adds ACM certificate in us-east-1 with DNS validation for
aws.javabin.no
- CloudFront distribution fronts the S3 redirect bucket with HTTPS
- Route53 alias now points to CloudFront instead of S3 directly
- Adds AAAA record for IPv6 support

## Test plan
- [ ] CI plan passes
- [ ] After apply, `curl -I https://aws.javabin.no` returns 301 to
`https://javabin.awsapps.com/start`
- [ ] Note: CloudFront distribution takes ~5 min to deploy, ACM cert
validation takes a few minutes