From 1d91ef6d064d76ae60e197f588fe4e13124a2eeb Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Fri, 27 Mar 2026 01:02:20 +0100
Subject: [PATCH] Add aws.javabin.no redirect to IAM Identity Center SSO portal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

S3 bucket with website redirect sends aws.javabin.no → javabin.awsapps.com/start. Route53 alias record points to the S3 website endpoint.
---
 terraform/platform/dns/main.tf | 46 +++++++++++++++++++++++++++++
 terraform/platform/dns/variables.tf | 11 +++++++
 terraform/platform/main.tf | 1 +
 3 files changed, 58 insertions(+)

diff --git a/terraform/platform/dns/main.tf b/terraform/platform/dns/main.tf
index d46fdfe..320f908 100644
--- a/terraform/platform/dns/main.tf
+++ b/terraform/platform/dns/main.tf
@@ -402,3 +402,49 @@ resource "aws_route53_record" "teknologihuset_no_carddav_txt" {
 ttl = 3600
 records = ["path=/"]
 }
+
+# ==============================================================================
+# aws.javabin.no → IAM Identity Center SSO portal redirect
+#
+# S3 website hosting bucket configured to redirect all requests to the
+# Identity Center portal. Route53 alias points to the S3 website endpoint.
+# This only handles HTTP — browsers follow the 301 to the HTTPS portal.
+# ==============================================================================
+
+resource "aws_s3_bucket" "sso_redirect" {
+ bucket = "aws.javabin.no"
+
+ tags = {
+ Name = "aws.javabin.no-redirect"
+ }
+}
+
+resource "aws_s3_bucket_website_configuration" "sso_redirect" {
+ bucket = aws_s3_bucket.sso_redirect.id
+
+ redirect_all_requests_to {
+ host_name = "javabin.awsapps.com"
+ protocol = "https"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "sso_redirect" {
+ bucket = aws_s3_bucket.sso_redirect.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_route53_record" "sso_redirect" {
+ zone_id = aws_route53_zone.javabin_no.zone_id
+ name = "aws.javabin.no"
+ type = "A"
+
+ alias {
+ name = aws_s3_bucket_website_configuration.sso_redirect.website_domain
+ zone_id = aws_s3_bucket.sso_redirect.hosted_zone_id
+ evaluate_target_health = false
+ }
+}
diff --git a/terraform/platform/dns/variables.tf b/terraform/platform/dns/variables.tf
index 816629d..5f74e75 100644
--- a/terraform/platform/dns/variables.tf
+++ b/terraform/platform/dns/variables.tf
@@ -2,3 +2,14 @@ variable "project" {
 description = "Project name for tagging"
 type = string
 }
+
+variable "region" {
+ description = "AWS region"
+ type = string
+}
+
+variable "sso_portal_url" {
+ description = "IAM Identity Center portal URL to redirect aws.javabin.no to"
+ type = string
+ default = "https://javabin.awsapps.com/start"
+}
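Review bot: In `terraform/platform/dns/main.tf` the hop from `aws.javabin.no` to the sign-in portal is served over plain HTTP (the header comment says so, and S3 website endpoints do not terminate TLS), so anyone on the network path can swap the 301 for a redirect to a look-alike login page before the browser reaches `javabin.awsapps.com`. For a name whose purpose is to lead people to a credential prompt, I would put CloudFront with an ACM certificate in front of the bucket so the name answers on HTTPS and can send HSTS, or at least record the limitation in the header comment, e.g. `# HTTP-only hop: the redirect is not integrity-protected; bookmark the https:// portal URL rather than this name.` Also, `redirect_all_requests_to` sets only host and protocol, so `/` is forwarded to the portal root rather than the `/start` path named in the commit message; it is worth confirming that the root lands on the sign-in page.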
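Review bot: `sso_portal_url` in `terraform/platform/dns/variables.tf` is declared with a default, but nothing in the visible hunks reads it; the redirect target in `aws_s3_bucket_website_configuration.sso_redirect` is the hard-coded `host_name = "javabin.awsapps.com"`, so overriding the variable would silently leave the sign-in destination unchanged. Either drop the variable or derive the host from it so there is a single source of truth for where users are sent. If it stays, a `validation` block with `condition = can(regex("^https://", var.sso_portal_url))` would keep a mistyped or downgraded URL out of the redirect. `region` also has no consumer in this patch, though it may be used in parts of the module outside these hunks.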
diff --git a/terraform/platform/main.tf b/terraform/platform/main.tf
index f006134..b6a32b8 100644
--- a/terraform/platform/main.tf
+++ b/terraform/platform/main.tf
@@ -112,4 +112,5 @@ module "identity" {
 module "dns" {
 source = "./dns"
 project = var.project
+ region = var.region
 }