From b11c5aa6f6e06da3b63433212f6688cc34a8ddc8 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 31 Mar 2026 00:08:22 +0200
Subject: [PATCH] Fix SSO redirect: 302 instead of 301, add trailing slash, remove S3 bucket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Switch from 301 to 302 to prevent browsers permanently caching the redirect. Stale cached 301s cannot be cleared remotely.
- Add trailing slash to /start/ to avoid an extra 302 hop from AWS.
- Set cache-control: no-cache instead of max-age=86400.
- Remove the S3 bucket, website config, and public access block — they were dead weight since the CloudFront Function handles everything. Replace with dummy origin (invalid.invalid).
---
 terraform/platform/dns/main.tf | 42 ++++++-----------------------
 terraform/platform/dns/variables.tf | 2 +-
 2 files changed, 9 insertions(+), 35 deletions(-)

diff --git a/terraform/platform/dns/main.tf b/terraform/platform/dns/main.tf
index 5392612..80d681a 100644
--- a/terraform/platform/dns/main.tf
+++ b/terraform/platform/dns/main.tf
@@ -406,36 +406,10 @@ resource "aws_route53_record" "teknologihuset_no_carddav_txt" {
 # ==============================================================================
 # aws.javabin.no → IAM Identity Center SSO portal redirect
 #
-# CloudFront + ACM for HTTPS, S3 website hosting for the redirect.
-# Both HTTP and HTTPS on aws.javabin.no redirect to the SSO portal.
+# CloudFront + ACM for HTTPS. CloudFront Function handles the 302 redirect.
+# No S3 bucket needed — dummy origin since the function intercepts all requests.
 # ==============================================================================
 
-resource "aws_s3_bucket" "sso_redirect" {
-  bucket = "aws.javabin.no"
-
-  tags = {
-    Name = "aws.javabin.no-redirect"
-  }
-}
-
-resource "aws_s3_bucket_website_configuration" "sso_redirect" {
-  bucket = aws_s3_bucket.sso_redirect.id
-
-  redirect_all_requests_to {
-    host_name = "javabin.awsapps.com"
-    protocol = "https"
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "sso_redirect" {
-  bucket = aws_s3_bucket.sso_redirect.id
-
-  block_public_acls = true
-  block_public_policy = true
-  ignore_public_acls = true
-  restrict_public_buckets = true
-}
-
 # ACM certificate in us-east-1 (required for CloudFront)
 resource "aws_acm_certificate" "sso_redirect" {
   provider = aws.us_east_1
@@ -482,11 +456,11 @@ resource "aws_cloudfront_function" "sso_redirect" {
   code = <<-EOF
     function handler(event) {
       return {
-        statusCode: 301,
-        statusDescription: 'Moved Permanently',
+        statusCode: 302,
+        statusDescription: 'Found',
         headers: {
           location: { value: '${var.sso_portal_url}' },
-          'cache-control': { value: 'max-age=86400' }
+          'cache-control': { value: 'no-cache' }
         }
       };
     }
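Review bot: Destroying `aws_s3_bucket.sso_redirect` also releases the globally unique bucket name `aws.javabin.no`, which another AWS account can claim once it is free, so any DNS record that still resolves aws.javabin.no to the old S3 website endpoint would become a dangling alias under someone else's control. The Route 53 record for that name is not in this hunk, so confirm it aliases the CloudFront distribution and that no other reference to the removed `website_endpoint` survives in the module (this patch only updates the one in the origin block). The new banner could record the consequence so nobody re-points the name later: `# The aws.javabin.no S3 bucket was removed and its name is no longer held by this account; aws.javabin.no must only ever alias the CloudFront distribution.`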
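Review bot: `var.sso_portal_url` is spliced unescaped into a single-quoted JavaScript string literal on the `location` line, so a value containing `'` or `\` produces a function that fails to publish, and a value naming a different host silently turns this into a redirect to that host with nothing in Terraform catching it; the only guard today is the default in variables.tf (last hunk of this patch). A `validation` block on that variable pins the shape the function assumes, including the trailing slash this commit adds, and fails `terraform plan` instead of deploying a broken or mis-targeted redirect. The heredoc's `EOF` terminator and the rest of the function resource lie outside the hunk.
```hcl
variable "sso_portal_url" {
  description = "IAM Identity Center portal URL to redirect aws.javabin.no to"
  type        = string
  default     = "https://javabin.awsapps.com/start/"

  # The value is interpolated verbatim into the CloudFront Function source in
  # main.tf, so restrict it to the one URL shape the function can safely emit.
  validation {
    condition     = can(regex("^https://[a-z0-9-]+\\.awsapps\\.com/start/$", var.sso_portal_url))
    error_message = "sso_portal_url must be an https://<subdomain>.awsapps.com/start/ URL with no quotes, query string or fragment."
  }
}
```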
@@ -501,15 +475,15 @@ resource "aws_cloudfront_distribution" "sso_redirect" {
   is_ipv6_enabled = true
   price_class = "PriceClass_100"
 
-  # Dummy origin — CloudFront requires one but the function handles everything
+  # Dummy origin — CloudFront requires one but the function intercepts all requests
   origin {
-    domain_name = aws_s3_bucket_website_configuration.sso_redirect.website_endpoint
+    domain_name = "invalid.invalid"
     origin_id = "dummy"
 
     custom_origin_config {
       http_port = 80
       https_port = 443
-      origin_protocol_policy = "http-only"
+      origin_protocol_policy = "https-only"
       origin_ssl_protocols = ["TLSv1.2"]
     }
   }
diff --git a/terraform/platform/dns/variables.tf b/terraform/platform/dns/variables.tf
index 5f74e75..1e48837 100644
--- a/terraform/platform/dns/variables.tf
+++ b/terraform/platform/dns/variables.tf
@@ -11,5 +11,5 @@ variable "region" {
 variable "sso_portal_url" {
   description = "IAM Identity Center portal URL to redirect aws.javabin.no to"
   type = string
-  default = "https://javabin.awsapps.com/start"
+  default = "https://javabin.awsapps.com/start/"
 }
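Review bot: The `invalid.invalid` placeholder is a sound fail-closed choice but the comment on the `domain_name` line does not say why, and the reasoning is what a future maintainer needs before swapping it for a "real" host: `.invalid` is reserved by RFC 2606 and never resolves, so any request that reaches the origin fetch — for example if the viewer-request `function_association` on `default_cache_behavior` were ever dropped — ends in a CloudFront origin error rather than content from a host outside this account's control. Suggested wording for the comment this hunk rewrites: `# Dummy origin — CloudFront requires one; invalid.invalid (RFC 2606) never resolves, so anything the function does not answer fails closed with a CloudFront origin error instead of reaching a real host`. The `https-only` policy change fits that intent since the placeholder is never contacted over plain HTTP. The `aws_cloudfront_distribution` resource and its `default_cache_behavior` continue outside the hunk, so confirm the function association is still present there.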