Add discrete change-password rules

PRX · Oct 27, 2023 · 0611eb7 · 0611eb7
1 parent 0ca78ef
commit 0611eb7
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 4 deletions.
diff --git a/spire/templates/apps/metrics.yml b/spire/templates/apps/metrics.yml
@@ -33,6 +33,27 @@ Conditions:
   IsProduction: !Equals [!Ref EnvironmentType, Production]
 
 Resources:
+  ChangePasswordListenerRule:
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - RedirectConfig:
+            Host: !Ref IdHostname
+            Port: "443"
+            Path: /.well-known/change-password
+            Protocol: HTTPS
+            Query: ""
+            StatusCode: HTTP_302
+          Type: redirect
+      Conditions:
+        - Field: host-header
+          Values:
+            - metrics.dovetail.*
+        - Field: path-pattern
+          Values:
+            - /.well-known/change-password
+      ListenerArn: !Ref AlbHttpsListenerArn
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "10"]]
   HostHeaderListenerRule:
     Type: AWS::ElasticLoadBalancingV2::ListenerRule
     Properties:
@@ -44,7 +65,7 @@ Resources:
           Values:
             - metrics.dovetail.*
       ListenerArn: !Ref AlbHttpsListenerArn
-      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "00"]]
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "20"]]
   RedirectHostHeaderListenerRule:
     Type: AWS::ElasticLoadBalancingV2::ListenerRule
     Properties:
@@ -62,7 +83,7 @@ Resources:
           Values:
             - metrics.*
       ListenerArn: !Ref AlbHttpsListenerArn
-      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "02"]]
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "30"]]
 
   TargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup

diff --git a/spire/templates/apps/networks.yml b/spire/templates/apps/networks.yml
@@ -140,6 +140,27 @@ Resources:
 
   # INTERNET-FACING WEB SERVER #################################################
 
+  PublicWebHostChangePasswordListenerRule:
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - RedirectConfig:
+            Host: !Ref IdHostname
+            Port: "443"
+            Path: /.well-known/change-password
+            Protocol: HTTPS
+            Query: ""
+            StatusCode: HTTP_302
+          Type: redirect
+      Conditions:
+        - Field: host-header
+          Values:
+            - networks.*
+        - Field: path-pattern
+          Values:
+            - /.well-known/change-password
+      ListenerArn: !Ref AlbHttpsListenerArn
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "10"]]
   PublicWebHostHeaderSharedAlbListenerRule:
     Type: AWS::ElasticLoadBalancingV2::ListenerRule
     Properties:
@@ -151,7 +172,7 @@ Resources:
           Values:
             - networks.*
       ListenerArn: !Ref AlbHttpsListenerArn
-      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "01"]]
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "20"]]
 
   PublicWebTargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup

diff --git a/spire/templates/apps/publish.yml b/spire/templates/apps/publish.yml
@@ -41,6 +41,27 @@ Conditions:
   IsProduction: !Equals [!Ref EnvironmentType, Production]
 
 Resources:
+  ChangePasswordListenerRule:
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - RedirectConfig:
+            Host: !Ref IdHostname
+            Port: "443"
+            Path: /.well-known/change-password
+            Protocol: HTTPS
+            Query: ""
+            StatusCode: HTTP_302
+          Type: redirect
+      Conditions:
+        - Field: host-header
+          Values:
+            - publish.*
+        - Field: path-pattern
+          Values:
+            - /.well-known/change-password
+      ListenerArn: !Ref AlbHttpsListenerArn
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "10"]]
   HostHeaderListenerRule:
     Type: AWS::ElasticLoadBalancingV2::ListenerRule
     Properties:
@@ -52,7 +73,7 @@ Resources:
           Values:
             - publish.*
       ListenerArn: !Ref AlbHttpsListenerArn
-      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "01"]]
+      Priority: !Join ["", [!Ref AlbListenerRulePriorityPrefix, "20"]]
 
   TargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup