From eb8663540cbdf7048e7919c8c1f49bfac33d50fe Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Tue, 25 Jul 2023 17:16:17 -0700 Subject: [PATCH 01/12] updating deployment to merge /api and /web behind a single service --- ecs/ecs.tf | 73 ++----------------------------------- ecs/iam.tf | 66 +-------------------------------- ecs/lambda.tf | 2 +- ecs/maintenance.tf | 2 +- ecs/route53.tf | 12 +----- ecs/vpc.tf | 91 ---------------------------------------------- 6 files changed, 7 insertions(+), 239 deletions(-) diff --git a/ecs/ecs.tf b/ecs/ecs.tf index c5af54b..1329c74 100644 --- a/ecs/ecs.tf +++ b/ecs/ecs.tf 
@@ -80,73 +80,6 @@ resource "aws_ecs_task_definition" "web" { ] } -# API service. Ashirt clients connect to this directly. - -resource "aws_ecs_service" "ashirt-api" { - name = "${var.app_name}-api" - cluster = aws_ecs_cluster.ashirt.id - task_definition = aws_ecs_task_definition.api.arn - desired_count = 1 - launch_type = "FARGATE" - - load_balancer { - target_group_arn = aws_lb_target_group.api.arn - container_name = "${var.app_name}-api" - container_port = var.app_port - } - - network_configuration { - security_groups = ["${aws_security_group.api-ecs.id}"] - subnets = var.private_subnet ? aws_subnet.private.*.id : aws_subnet.public.*.id - assign_public_ip = var.private_subnet ? false : true - } -} - -resource "aws_ecs_task_definition" "api" { - family = "${var.app_name}-api" - execution_role_arn = aws_iam_role.api.arn - task_role_arn = aws_iam_role.api.arn - container_definitions = jsonencode([ - { - name = "${var.app_name}-api" - image = "ashirt/api:${var.tag}" - cpu = var.cpu - memory = var.mem - essential = true - portMappings = [ - { - containerPort = var.app_port - hostPort = var.app_port - } - ] - logConfiguration = { - logDriver = "awslogs" - options = { - awslogs-group = "/fargate/service/${var.app_name}" - awslogs-region = var.region - awslogs-stream-prefix = "ecs" - } - } - environmentFiles = [ - { - value = "${aws_s3_bucket.env.arn}/app/.env" - type = "s3" - }, - { - value = "${aws_s3_bucket.env.arn}/db/.env" - type = "s3" - } - ] - } - ]) - cpu = var.cpu - memory = var.mem - network_mode = "awsvpc" - requires_compatibilities = [ - "FARGATE" - ] -} - # Frontend service. Nginx serves static content and proxies to web service. resource "aws_ecs_service" "ashirt-frontend" { 
@@ -218,8 +151,8 @@ resource "aws_ecs_task_definition" "frontend" { resource "aws_ecs_task_definition" "init" { family = "init" - execution_role_arn = aws_iam_role.api.arn - task_role_arn = aws_iam_role.api.arn + execution_role_arn = aws_iam_role.web.arn + task_role_arn = aws_iam_role.web.arn container_definitions = jsonencode([ { name = "${var.app_name}-init" @@ -264,7 +197,7 @@ aws ecs run-task \ --task-definition ${aws_ecs_task_definition.init.arn} \ --cluster ${aws_ecs_cluster.ashirt.arn} \ --launch-type FARGATE \ ---network-configuration 'awsvpcConfiguration={subnets=[${join(",", var.private_subnet ? aws_subnet.private.*.id : aws_subnet.public.*.id)}],securityGroups=[${aws_security_group.api-ecs.id}],assignPublicIp=${var.private_subnet ? "DISABLED" : "ENABLED"}}' \ +--network-configuration 'awsvpcConfiguration={subnets=[${join(",", var.private_subnet ? aws_subnet.private.*.id : aws_subnet.public.*.id)}],securityGroups=[${aws_security_group.web-ecs.id}],assignPublicIp=${var.private_subnet ? "DISABLED" : "ENABLED"}}' \ --region ${var.region} EOT } diff --git a/ecs/iam.tf b/ecs/iam.tf index ca29c84..3039979 100644 --- a/ecs/iam.tf +++ b/ecs/iam.tf 
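Review bot: The init task definition now uses `aws_iam_role.web` for both `execution_role_arn` and `task_role_arn`, so the code running inside the container inherits the execution-side grants (AmazonECSTaskExecutionRolePolicy and, per ecs/iam.tf in this patch, the env-file S3 read) together with the data-bucket, KMS and `AWSLambdaRole` attachments (the latter grants `lambda:InvokeFunction` on every function in the account) that the web role carries. The retired api role had the same shape, so this is not a regression, but the consolidation is the natural point to split them: a dedicated execution role holding only AmazonECSTaskExecutionRolePolicy plus the env-file read, with `aws_iam_role.web` kept as the task role, keeps Lambda invocation and bucket access off the image-pull and log-shipping path. If the init task only runs one-off setup (its container definition continues past this hunk and is not visible), a narrower init-specific task role that omits the Lambda and data-bucket grants would be worth considering too. The `aws_ecs_task_definition` block ends outside this hunk.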
@@ -18,33 +18,17 @@ resource "aws_iam_role" "web" { assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json } -resource "aws_iam_role" "api" { - name = "${var.app_name}-api" - path = "/system/" - assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json -} - # Attach ECSTaskExecutionRolePolicy. Allows the container to send logs. resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole-web" { role = aws_iam_role.web.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } -resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole-api" { - role = aws_iam_role.api.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" -} - resource "aws_iam_role_policy_attachment" "ecsLambdaExecutionRole-web" { role = aws_iam_role.web.name policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaRole" } -resource "aws_iam_role_policy_attachment" "ecsLambdaExecutionRole-api" { - role = aws_iam_role.api.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaRole" -} - # Give nginx and the web service access to environment variable files resource "aws_iam_policy" "webenv" { 
@@ -83,44 +67,7 @@ resource "aws_iam_role_policy_attachment" "env-web" { policy_arn = aws_iam_policy.webenv.arn } -# Give api service access to environment variable files - -resource "aws_iam_policy" "apienv" { - name = "${var.app_name}-apienv-policy" - path = "/" - description = ".env.web policy" - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = [ - "s3:GetObject" - ], - Resource = [ - "${aws_s3_bucket.env.arn}/app/.env", - "${aws_s3_bucket.env.arn}/db/.env" - ] - }, - { - Effect = "Allow", - Action = [ - "s3:GetBucketLocation" - ], - Resource = [ - aws_s3_bucket.env.arn - ] - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" "env-api" { - role = aws_iam_role.api.name - policy_arn = aws_iam_policy.apienv.arn -} - -# Give web and api service full access to data bucket +# Give web service full access to data bucket resource "aws_iam_policy" "appdata" { name = "${var.app_name}-appdata-policy" @@ -145,11 +92,6 @@ resource "aws_iam_policy" "appdata" { }) } -resource "aws_iam_role_policy_attachment" "data-api" { - role = aws_iam_role.api.name - policy_arn = aws_iam_policy.appdata.arn -} - resource "aws_iam_role_policy_attachment" "data-web" { role = aws_iam_role.web.name policy_arn = aws_iam_policy.appdata.arn @@ -179,12 +121,6 @@ resource "aws_iam_policy" "appdatakms" { }) } -resource "aws_iam_role_policy_attachment" "kms-api" { - count = var.kms ? 1 : 0 - role = aws_iam_role.api.name - policy_arn = aws_iam_policy.appdatakms[count.index].arn -} - resource "aws_iam_role_policy_attachment" "kms-web" { count = var.kms ? 1 : 0 role = aws_iam_role.web.name diff --git a/ecs/lambda.tf b/ecs/lambda.tf index 1e7abf2..339b410 100644 --- a/ecs/lambda.tf +++ b/ecs/lambda.tf 
@@ -90,7 +90,7 @@ resource "aws_lambda_function" "ocr" { variables = { ASHIRT_ACCESS_KEY = var.WORKER_ACCESS_KEY, ASHIRT_BACKEND_PORT = "443", - ASHIRT_BACKEND_URL = aws_route53_record.api.name, + ASHIRT_BACKEND_URL = aws_route53_record.frontend.name, ASHIRT_SECRET_KEY = var.WORKER_SECRET_KEY } } diff --git a/ecs/maintenance.tf b/ecs/maintenance.tf index f15c341..77a216e 100644 --- a/ecs/maintenance.tf +++ b/ecs/maintenance.tf @@ -76,5 +76,5 @@ resource "aws_security_group_rule" "allow-ingress-maintenance" { } output "maintenance_ssh" { - value = var.maintenance_mode ? "ssh -i maintenance.pem ubuntu@${aws_instance.maintenance.0.public_ip}" : null + value = var.maintenance_mode ? "ssh -fN -i maintenance-${var.app_name}.pem -L 127.0.0.1:3306:${aws_rds_cluster.ashirt.endpoint}:3306 ubuntu@${aws_instance.maintenance.0.public_ip}" : null } diff --git a/ecs/route53.tf b/ecs/route53.tf index 9eed920..8f919b5 100644 --- a/ecs/route53.tf +++ b/ecs/route53.tf @@ -30,7 +30,7 @@ resource "aws_route53_record" "ashirt-cert" { zone_id = data.aws_route53_zone.ashirt.zone_id } -# Web ui for the browser +# Target for the browser and ashirt application resource "aws_route53_record" "frontend" { zone_id = data.aws_route53_zone.ashirt.zone_id @@ -39,13 +39,3 @@ resource "aws_route53_record" "frontend" { ttl = "300" records = [aws_lb.frontend.dns_name] } - -# API, what ashirt client connects to - -resource "aws_route53_record" "api" { - zone_id = data.aws_route53_zone.ashirt.zone_id - name = "api.${var.domain}" - type = "CNAME" - ttl = "300" - records = [aws_lb.api.dns_name] -} diff --git a/ecs/vpc.tf b/ecs/vpc.tf index 8becd03..173cff5 100644 --- a/ecs/vpc.tf +++ b/ecs/vpc.tf 
@@ -153,16 +153,6 @@ resource "aws_lb" "web" { } } -resource "aws_lb" "api" { - name = "${var.app_name}-api" - internal = false - subnets = aws_subnet.public.*.id - security_groups = [aws_security_group.api-lb.id] - tags = { - Name = var.app_name - } -} - resource "aws_lb" "frontend" { name = "${var.app_name}-frontend" internal = false @@ -194,28 +184,6 @@ resource "aws_lb_listener" "web" { } } -resource "aws_lb_target_group" "api" { - name = "${var.app_name}-api-tg" - port = var.app_port - protocol = "HTTP" - vpc_id = aws_vpc.ashirt.id - target_type = "ip" - health_check { - matcher = "200,401,404" - } -} - -resource "aws_lb_listener" "api" { - load_balancer_arn = aws_lb.api.id - port = 443 - protocol = "HTTPS" - certificate_arn = aws_acm_certificate.ashirt.arn - default_action { - target_group_arn = aws_lb_target_group.api.id - type = "forward" - } -} - resource "aws_lb_target_group" "frontend" { name = "${var.app_name}-frontend-tg" port = var.nginx_port @@ -250,15 +218,6 @@ resource "aws_security_group" "web-lb" { } } -resource "aws_security_group" "api-lb" { - name = "ashirt-api-lb" - description = "Allow TLS inbound traffic" - vpc_id = aws_vpc.ashirt.id - tags = { - Name = "ashirt-api-sg" - } -} - resource "aws_security_group" "frontend-lb" { name = "ashirt-frontend-lb" description = "Allow TLS inbound traffic to frontend" @@ -277,15 +236,6 @@ resource "aws_security_group_rule" "allow-egress-web-lb" { security_group_id = aws_security_group.web-lb.id } -resource "aws_security_group_rule" "allow-egress-api-lb" { - type = "egress" - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - security_group_id = aws_security_group.api-lb.id -} - resource "aws_security_group_rule" "allow-egress-frontend-lb" { type = "egress" to_port = 0 
@@ -295,14 +245,6 @@ resource "aws_security_group_rule" "allow-egress-frontend-lb" { security_group_id = aws_security_group.frontend-lb.id } -resource "aws_security_group_rule" "allow-ingress-api-lb" { - type = "ingress" - to_port = 443 - protocol = "TCP" - cidr_blocks = var.allow_api_cidrs - from_port = 443 - security_group_id = aws_security_group.api-lb.id -} resource "aws_security_group_rule" "allow-ingress-web-lb" { type = "ingress" @@ -337,15 +279,6 @@ resource "aws_security_group_rule" "allow-web-rds" { source_security_group_id = aws_security_group.web-ecs.id } -resource "aws_security_group_rule" "allow-api-rds" { - type = "ingress" - to_port = 3306 - protocol = "TCP" - from_port = 3306 - security_group_id = aws_security_group.rds.id - source_security_group_id = aws_security_group.api-ecs.id -} - resource "aws_security_group" "web-ecs" { name = "${var.app_name}-web-ecs" description = "allow traffic to ecs" @@ -370,30 +303,6 @@ resource "aws_security_group_rule" "allow-egress-web-ecs" { security_group_id = aws_security_group.web-ecs.id } -resource "aws_security_group" "api-ecs" { - name = "${var.app_name}-api-ecs" - description = "allow traffic to ecs" - vpc_id = aws_vpc.ashirt.id -} - -resource "aws_security_group_rule" "allow-ingress-api-ecs" { - type = "ingress" - to_port = var.app_port - protocol = "TCP" - from_port = var.app_port - source_security_group_id = aws_security_group.api-lb.id - security_group_id = aws_security_group.api-ecs.id -} - -resource "aws_security_group_rule" "allow-egress-api-ecs" { - type = "egress" - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - security_group_id = aws_security_group.api-ecs.id -} - resource "aws_security_group" "frontend-ecs" { name = "${var.app_name}-frontend-ecs" description = "allow traffic to ecs" From 548b9903f0af73455767da209a4f50e9dfdf53f3 Mon Sep 17 00:00:00 2001 
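Review bot: Deleting `allow-ingress-api-lb` removes the only ingress rule that was scoped to `var.allow_api_cidrs`; with the API now served through the frontend load balancer its reachability is governed solely by `allow-ingress-frontend-lb`, which is not in this hunk and, as far as the series shows, is not narrowed to the same CIDRs. If the API is meant to stay restricted to known client networks, `allow-ingress-frontend-lb` should take `cidr_blocks = var.allow_api_cidrs` (or be split into a frontend rule and an API path guarded elsewhere); otherwise `allow_api_cidrs` should be dropped from the variables so it does not silently stop meaning anything. Dropping `allow-api-rds` is consistent with the merge, since the RDS security group still admits `web-ecs`, which the init task was moved into earlier in this patch.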
From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 14:45:08 -0700 Subject: [PATCH 02/12] consolidating env config files --- ecs/appconfig.tf | 18 +----------------- ecs/ecs.tf | 10 +--------- ecs/iam.tf | 2 -- 3 files changed, 2 insertions(+), 28 deletions(-) diff --git a/ecs/appconfig.tf b/ecs/appconfig.tf index eef0d8b..093f42f 100644 --- a/ecs/appconfig.tf +++ b/ecs/appconfig.tf @@ -47,22 +47,6 @@ EMAIL_FROM_ADDRESS=ashirt@${aws_route53_record.frontend.name} EMAIL_USER_NAME= EMAIL_PASSWORD= EMAIL_SMTP_AUTH_TYPE=login +DB_URI=ashirt:${random_password.db_password.result}@tcp(${aws_rds_cluster.ashirt.endpoint}:3306)/ashirt EOT } - -resource "aws_s3_object" "appenv" { - bucket = aws_s3_bucket.env.id - key = "app/.env" - content = < Date: Wed, 26 Jul 2023 16:51:10 -0700 Subject: [PATCH 03/12] environment name for RDS --- ecs/rds.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecs/rds.tf b/ecs/rds.tf index 460d24b..3fbb691 100644 --- a/ecs/rds.tf +++ b/ecs/rds.tf @@ -6,7 +6,7 @@ resource "random_password" "db_password" { } resource "aws_rds_cluster" "ashirt" { - cluster_identifier = "ashirt" + cluster_identifier = "${var.app_name}-ecs" engine = "aurora-mysql" database_name = "ashirt" master_username = "ashirt" From 2a9f05c614b1b61daa898d6614d55bdcc7896cbe Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 17:06:05 -0700 Subject: [PATCH 04/12] correcting key name --- ecs/maintenance.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecs/maintenance.tf b/ecs/maintenance.tf index 77a216e..db67217 100644 --- a/ecs/maintenance.tf +++ b/ecs/maintenance.tf 
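Review bot: The new `DB_URI` line is a `tcp(...)` DSN with no TLS parameter, so if the backend parses it with go-sql-driver/mysql (the `user:pass@tcp(host:port)/db` form suggests so) the application-to-Aurora session will negotiate in plaintext unless the cluster forces TLS; appending `?tls=true` (with the RDS CA bundle registered by the app) or at least `?tls=preferred` encrypts it: `DB_URI=ashirt:${random_password.db_password.result}@tcp(${aws_rds_cluster.ashirt.endpoint}:3306)/ashirt?tls=true`. The password is also interpolated unencoded, so confirm the `random_password` character set (outside this hunk) excludes `/`, `@`, `?` and the other DSN delimiters, or percent-encode it, otherwise a rotation can produce an unparseable URI. The secret now lives in the consolidated env object in S3 and in Terraform state, as it previously did in `db/.env`, so the state backend remains the sensitive store to protect. The rest of this hunk appears truncated in the rendering, so the surrounding heredoc is not visible here.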
@@ -41,7 +41,7 @@ resource "aws_key_pair" "maintenance" { key_name = "${var.app_name}-maintenance" # Create "myKey" to AWS!! public_key = tls_private_key.maintenance[count.index].public_key_openssh provisioner "local-exec" { - command = "echo '${tls_private_key.maintenance[count.index].private_key_pem}' > ./maintenance.pem; chmod 400 maintenance.pem" + command = "echo '${tls_private_key.maintenance[count.index].private_key_pem}' > ./maintenance-${var.app_name}.pem; chmod 400 maintenance.pem" } } From 6727d91b1f63757bd34ae99e8627d939a851704d Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 17:47:51 -0700 Subject: [PATCH 05/12] adding s3 permissions for backup --- ecs/backup.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ecs/backup.tf b/ecs/backup.tf index bc7e759..9a95e0c 100644 --- a/ecs/backup.tf +++ b/ecs/backup.tf @@ -35,11 +35,16 @@ resource "aws_iam_role" "backup" { POLICY } -resource "aws_iam_role_policy_attachment" "backup" { +resource "aws_iam_role_policy_attachment" "backup-rds" { policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" role = aws_iam_role.backup.name } +resource "aws_iam_role_policy_attachment" "backup-s3" { + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForS3Backup" + role = aws_iam_role.backup.name +} + resource "aws_backup_selection" "backup" { iam_role_arn = aws_iam_role.backup.arn name = "ashirt" From 1f8dc78d31aa9d40c452ca7f282ddea84a0d8325 Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 17:54:48 -0700 Subject: [PATCH 06/12] adding bucket versioning --- ecs/backup.tf | 2 +- ecs/s3.tf | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ecs/backup.tf b/ecs/backup.tf index 9a95e0c..9019d2d 100644 --- a/ecs/backup.tf +++ b/ecs/backup.tf 
@@ -41,7 +41,7 @@ resource "aws_iam_role_policy_attachment" "backup-rds" { } resource "aws_iam_role_policy_attachment" "backup-s3" { - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForS3Backup" + policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup" role = aws_iam_role.backup.name } diff --git a/ecs/s3.tf b/ecs/s3.tf index f3b9e68..33344dd 100644 --- a/ecs/s3.tf +++ b/ecs/s3.tf @@ -27,6 +27,13 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "env" { } } +resource "aws_s3_bucket_versioning" "env" { + bucket = aws_s3_bucket.env.id + versioning_configuration { + status = "Enabled" + } +} + resource "aws_s3_bucket_server_side_encryption_configuration" "data" { count = var.kms ? 1 : 0 bucket = aws_s3_bucket.data.id @@ -37,3 +44,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "data" { } } } + +resource "aws_s3_bucket_versioning" "data" { + bucket = aws_s3_bucket.data.id + versioning_configuration { + status = "Enabled" + } +} From 5ce4d8a8282b48c60f20fffed20d19cadafceed7 Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:07:57 -0700 Subject: [PATCH 07/12] fixing pem output --- ecs/maintenance.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecs/maintenance.tf b/ecs/maintenance.tf index db67217..e8ba26c 100644 --- a/ecs/maintenance.tf +++ b/ecs/maintenance.tf @@ -41,7 +41,7 @@ resource "aws_key_pair" "maintenance" { key_name = "${var.app_name}-maintenance" # Create "myKey" to AWS!! public_key = tls_private_key.maintenance[count.index].public_key_openssh provisioner "local-exec" { - command = "echo '${tls_private_key.maintenance[count.index].private_key_pem}' > ./maintenance-${var.app_name}.pem; chmod 400 maintenance.pem" + command = "echo '${tls_private_key.maintenance[count.index].private_key_pem}' > ./maintenance-${var.app_name}.pem; chmod 400 maintenance-${var.app_name}.pem" } } 
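Review bot: Enabling versioning on `aws_s3_bucket.env` means every superseded `.env` object — each carrying the database credentials and mail password the app reads — stays retrievable as a noncurrent version until something deletes it, so rotating a secret by overwriting the object no longer removes the old value from the bucket. Pair the new `aws_s3_bucket_versioning.env` with a lifecycle rule that expires noncurrent versions quickly, and confirm the task roles hold `s3:GetObject` only (not `s3:GetObjectVersion`) so stale secrets are not readable from the containers. The data-bucket rule is the right call for recovery; there the same lifecycle question is about cost rather than secrecy.
```hcl
# … unchanged: aws_s3_bucket_versioning "env" …

resource "aws_s3_bucket_lifecycle_configuration" "env" {
  bucket = aws_s3_bucket.env.id
  rule {
    id     = "expire-superseded-env-files"
    status = "Enabled"
    # old .env versions hold rotated-out credentials; keep them only briefly
    noncurrent_version_expiration {
      noncurrent_days = 1
    }
  }
}
```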
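Review bot: The corrected `chmod 400` still runs after the redirect has already created `./maintenance-${var.app_name}.pem` under the caller's umask, so with the common 022 the private key is world-readable until the chmod lands; prefixing the command with `umask 077;` creates it 0600 from the start and makes the chmod unnecessary: `command = "umask 077; echo '${tls_private_key.maintenance[count.index].private_key_pem}' > ./maintenance-${var.app_name}.pem"`. Note that `local-exec` hands the whole command to `sh -c`, so the PEM is visible in process listings while it runs, and `tls_private_key` already stores it in Terraform state; the state backend is therefore the real secret store, and a `local_sensitive_file` resource with `file_permission = "0400"` would avoid both the shell exposure and the race if adding the local provider is acceptable. The `count` argument of this `aws_key_pair` block is outside the hunk.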
From 15430e2685d0a4e818eb424f855dd4dc6e15ed0a Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:36:24 -0700 Subject: [PATCH 08/12] allowing cert to host under a subdomain or the base domain --- ecs/route53.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ecs/route53.tf b/ecs/route53.tf index 8f919b5..a812c79 100644 --- a/ecs/route53.tf +++ b/ecs/route53.tf @@ -7,8 +7,9 @@ data "aws_route53_zone" "ashirt" { # ACM cert and deps resource "aws_acm_certificate" "ashirt" { - domain_name = "*.${var.domain}" - validation_method = "DNS" + domain_name = var.domain + subject_alternative_names = "*.${var.domain}" + validation_method = "DNS" lifecycle { create_before_destroy = true } From 60e6c8cf48ae10328bd45d908601eb4ad35777f6 Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:37:19 -0700 Subject: [PATCH 09/12] allowing cert to host under a subdomain or the base domain --- ecs/route53.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecs/route53.tf b/ecs/route53.tf index a812c79..ebd9191 100644 --- a/ecs/route53.tf +++ b/ecs/route53.tf @@ -8,7 +8,7 @@ data "aws_route53_zone" "ashirt" { resource "aws_acm_certificate" "ashirt" { domain_name = var.domain - subject_alternative_names = "*.${var.domain}" + subject_alternative_names = ["ashirt.${var.domain}", "api.${var.domain}"] validation_method = "DNS" lifecycle { create_before_destroy = true From 34aeb87b385315b87fe11baa60ba3021a9019345 Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:53:47 -0700 Subject: [PATCH 10/12] moving combined services to root of domain --- ecs/route53.tf | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ecs/route53.tf b/ecs/route53.tf index ebd9191..1f1457c 100644 --- a/ecs/route53.tf +++ b/ecs/route53.tf 
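Review bot: The final SAN list names `ashirt.${var.domain}` and `api.${var.domain}`, but after the Route 53 changes in this series the module only publishes the apex alias (`aws_route53_record.frontend` on `var.domain`) and the `api.` record was removed in the first patch, so unless records are created elsewhere the certificate carries two names nothing serves; trimming to what is actually published, e.g. `subject_alternative_names = []` or just the host still wanted, keeps the certificate minimal. With more than one name, DNS validation issues a separate CNAME per entry of `domain_validation_options`, so `aws_route53_record.ashirt-cert` (outside this hunk) must create one record per option, typically via `for_each`, or ACM will never finish validating the SANs. The `aws_acm_certificate` block continues past the end of the hunk.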
@@ -35,8 +35,12 @@ resource "aws_route53_record" "ashirt-cert" { resource "aws_route53_record" "frontend" { zone_id = data.aws_route53_zone.ashirt.zone_id - name = "ashirt.${var.domain}" - type = "CNAME" + name = var.domain + type = "A" ttl = "300" - records = [aws_lb.frontend.dns_name] + alias { + name = aws_lb.frontend.dns_name + zone_id = aws_lb.frontend.zone_id + evaluate_target_health = true + } } From 5951a1bb98de7b7a110a7ac736eb0d2582f2fe92 Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:54:47 -0700 Subject: [PATCH 11/12] moving combined services to root of domain --- ecs/route53.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/ecs/route53.tf b/ecs/route53.tf index 1f1457c..836d02b 100644 --- a/ecs/route53.tf +++ b/ecs/route53.tf @@ -36,8 +36,6 @@ resource "aws_route53_record" "ashirt-cert" { resource "aws_route53_record" "frontend" { zone_id = data.aws_route53_zone.ashirt.zone_id name = var.domain - type = "A" - ttl = "300" alias { name = aws_lb.frontend.dns_name zone_id = aws_lb.frontend.zone_id From 17002c6784c9f7bb1e32a0858d19531005484b3b Mon Sep 17 00:00:00 2001 From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:55:08 -0700 Subject: [PATCH 12/12] moving combined services to root of domain --- ecs/route53.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/ecs/route53.tf b/ecs/route53.tf index 836d02b..274f763 100644 --- a/ecs/route53.tf +++ b/ecs/route53.tf @@ -36,6 +36,7 @@ resource "aws_route53_record" "ashirt-cert" { resource "aws_route53_record" "frontend" { zone_id = data.aws_route53_zone.ashirt.zone_id name = var.domain + type = "A" alias { name = aws_lb.frontend.dns_name zone_id = aws_lb.frontend.zone_id