
Merge pull request #155 from mdr-engineering/feature/ftd_MSOCI-1680_LetsEncryptAccess

Allows Port 80 for LetsEncrypt
Frederick Damstra 4 tahun lalu
7034c7e629

+ 7 - 0
base/github/elbclassic.tf

@@ -37,6 +37,13 @@ resource "aws_elb" "external" {
         ssl_certificate_id = aws_acm_certificate.cert_public.arn
     }
 
+    listener {
+        instance_port      = 80
+        instance_protocol  = "HTTP"
+        lb_port            = 80
+        lb_protocol        = "HTTP"
+    }
+
     listener {
         instance_port     = 23
         instance_protocol = "TCP"
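Review bot: The new port-80 listener forwards plain HTTP to the instance, and a classic ELB has no redirect action, so any non-ACME request arriving on 80 reaches the GHE appliance in the clear unless GHE itself redirects to HTTPS; nothing in the hunk records that dependency. I would add `# HTTP-01 challenge traffic only; GHE must redirect all other HTTP to HTTPS (classic ELB cannot)` above the listener block. The `=` alignment in this block also uses two more spaces than the sibling listener below it (`instance_port      = 80` vs `instance_port     = 23`). The `aws_elb.external` resource begins before and ends after this hunk.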

+ 33 - 1
base/github/securitygroup-server.tf

@@ -47,6 +47,16 @@ resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_23" {
   description              = "Inbound tcp/23 from internal ELBs"
 }
 
+resource "aws_security_group_rule" "ghe_server_inbound_external_elb_80" {
+  security_group_id        = aws_security_group.ghe_server.id
+  source_security_group_id = aws_security_group.ghe_elb_external.id
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "Inbound HTTP from external ELBs for LetsEncrypt"
+}
+
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_cidr" {
   security_group_id        = aws_security_group.ghe_server.id
   type                     = "ingress"
@@ -158,8 +168,28 @@ resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444"
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# Outbound access
 #-----------------------------------------------------------------
+resource "aws_security_group_rule" "ghe_server_outbound_http" {
+  security_group_id        = aws_security_group.ghe_server.id
+  type                     = "egress"
+  cidr_blocks              = [ "0.0.0.0/0" ]
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "Outbound http for letsencrypt"
+}
+
+resource "aws_security_group_rule" "ghe_server_outbound_https" {
+  security_group_id        = aws_security_group.ghe_server.id
+  type                     = "egress"
+  cidr_blocks              = [ "0.0.0.0/0" ]
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  description              = "Outbound https for letsencrypt"
+}
+
 resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
   security_group_id        = aws_security_group.ghe_server.id
   type                     = "egress"
@@ -169,3 +199,5 @@ resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
   protocol                 = "tcp"
   description              = "Outbound syslog"
 }
+
+
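Review bot: The two egress rules `ghe_server_outbound_http` and `ghe_server_outbound_https` open tcp/80 and tcp/443 to 0.0.0.0/0, which is wider than their "for letsencrypt" descriptions suggest — they grant the GHE server general outbound web access, not only ACME traffic. Since Let's Encrypt publishes no fixed endpoint IPs this is presumably the practical choice, but the intent should be written down so nobody later assumes the rules are narrowly scoped: `# Deliberately broad: ACME endpoints have no fixed IPs; this also permits general outbound web traffic from the GHE server.` The new inbound rule in the first hunk is named `ghe_server_inbound_external_elb_80`, dropping the protocol segment its sibling carries (`ghe_server_inbound_https_external_elb_8444`); `ghe_server_inbound_http_external_elb_80` would match. The two blank lines added at the end of the file are stray whitespace.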

+ 20 - 0
base/github/securitygroups-load-balancers.tf

@@ -18,6 +18,16 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
   description              = "Inbound git"
 }
 
+resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
+  security_group_id        = aws_security_group.ghe_elb_external.id
+  type                     = "ingress"
+  cidr_blocks              = [ "0.0.0.0/0" ]
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "Inbound http to ELB"
+}
+
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
@@ -39,6 +49,16 @@ resource "aws_security_group_rule" "ghe_elb_external_outbound_ssh" {
   description              = "Outbound ssh (PROXY) from ELB to GH servers"
 }
 
+resource "aws_security_group_rule" "ghe_elb_external_outbound_http" {
+  security_group_id        = aws_security_group.ghe_elb_external.id
+  type                     = "egress"
+  source_security_group_id = aws_security_group.ghe_server.id
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "Outbound HTTP from ELB to GH servers for LetsEncrypt on GHE"
+}
+
 resource "aws_security_group_rule" "ghe_elb_external_outbound_https" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "egress"
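Review bot: `ghe_elb_external_inbound_http_cidr` is the only rule in this change that admits plaintext from 0.0.0.0/0, and its description "Inbound http to ELB" is also the only one that omits the LetsEncrypt purpose, so the reason the world-open CIDR is required is not recorded anywhere near it. A one-line comment above the resource would keep that intent: `# World-open by necessity: Let's Encrypt HTTP-01 validators have no published source IPs; GHE is expected to redirect non-ACME HTTP to HTTPS`. The egress counterpart `ghe_elb_external_outbound_http` mirrors the server-side inbound rule (ELB SG to server SG on tcp/80), so that pair is consistent. The `ghe_elb_external_outbound_https` resource at the end of the second hunk continues beyond it.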