Merge pull request #31 from sil-org/disable-cloudflare-sg

briskt · web-flow · commit 016c7942a17f · 2025-11-18T22:44:14.000+08:00
add option to NOT use the Cloudflare security group
diff --git a/variables.tf b/variables.tf
@@ -184,6 +184,12 @@ variable "health_check" {
   }
 }
 
+variable "use_cloudflare_sg" {
+  description = "Use the Cloudflare security group to block all traffic except from Cloudflare."
+  type        = bool
+  default     = "true"
+}
+
 
 /*
  * Database configuration
diff --git a/vpc.tf b/vpc.tf
@@ -101,12 +101,39 @@ module "alb" {
   disable_public_ipv4 = var.disable_public_ipv4
   internal            = "false"
   vpc_id              = module.vpc.id
-  security_groups     = [module.vpc.vpc_default_sg_id, module.cloudflare-sg.id]
-  subnets             = module.vpc.public_subnet_ids
-  certificate_arn     = data.aws_acm_certificate.default.arn
-  tg_name             = "default-${var.app_name}-${var.app_env}"
+  security_groups = [
+    module.vpc.vpc_default_sg_id,
+    var.use_cloudflare_sg ? module.cloudflare-sg.id : aws_security_group.public_https.id
+  ]
+  subnets         = module.vpc.public_subnet_ids
+  certificate_arn = data.aws_acm_certificate.default.arn
+  tg_name         = "default-${var.app_name}-${var.app_env}"
 }
 
+
+/*
+ * Create security group to allow public access to HTTPS. Used when var.use_cloudflare_sg is false.
+ */
+resource "aws_security_group" "public_https" {
+  name        = "public-https"
+  description = "Allow HTTPS traffic from public"
+  vpc_id      = module.vpc.id
+  tags = {
+    Name = "public-https-${local.app_name_and_env}"
+  }
+}
+
+resource "aws_security_group_rule" "public_https" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.public_https.id
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+
 /*
  * Create ECS Cluster and Auto-Scaling Group
  * https://registry.terraform.io/modules/sil-org/ecs-asg/aws

Original file line number	Diff line number	Diff line change
`@@ -184,6 +184,12 @@ variable "health_check" {`
`184`	`184`	`}`
`185`	`185`	`}`
`186`	`186`
	`187`	`+variable "use_cloudflare_sg" {`
	`188`	`+ description = "Use the Cloudflare security group to block all traffic except from Cloudflare."`
	`189`	`+ type = bool`
	`190`	`+ default = "true"`
	`191`	`+}`
	`192`	`+`
`187`	`193`
`188`	`194`	`/*`
`189`	`195`	`* Database configuration`