-rw-r--r--org-buetow-base/network.tf32
-rw-r--r--org-buetow-ecs/syncthingservice.tf135
-rw-r--r--org-buetow-elb/alb.tf35
3 files changed, 115 insertions, 87 deletions
diff --git a/org-buetow-base/network.tf b/org-buetow-base/network.tf
index ad95ff4..97e0bd8 100644
--- a/org-buetow-base/network.tf
+++ b/org-buetow-base/network.tf
@@ -97,13 +97,14 @@ resource "aws_security_group" "allow_web" {
ipv6_cidr_blocks = ["::/0"]
}
- ingress {
- from_port = 8080
- to_port = 8080
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
+ # syncthing testing. TODO: Remove?
+ # ingress {
+ # from_port = 8384
+ # to_port = 8384
+ # protocol = "tcp"
+ # cidr_blocks = ["0.0.0.0/0"]
+ # ipv6_cidr_blocks = ["::/0"]
+ #}
ingress {
from_port = 443
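Review bot: The commented-out 8384 ingress at the top of this hunk keeps a world-open rule (`0.0.0.0/0`, `::/0`) for the Syncthing GUI port in the file, one uncomment away from re-exposing plain-HTTP access now that the GUI is served through the ALB HTTPS listener rule added in syncthingservice.tf. Since the old rule is preserved in git history, deleting the block is safer than shipping it behind `# syncthing testing. TODO: Remove?`; if it has to stay, the comment should say what it would open, e.g. `# 8384 (Syncthing GUI, plain HTTP) is intentionally not opened here; the UI is reached only via the ALB on 443`. The enclosing `allow_web` resource starts outside the hunk.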
@@ -112,14 +113,6 @@ resource "aws_security_group" "allow_web" {
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
}
resource "aws_security_group" "allow_outbound" {
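Review bot: Removing the egress block leaves `allow_web` with no outbound rule at all (Terraform also strips the VPC default allow-all egress on a managed group), so any attachment that uses only this group loses egress. The ALB in this commit attaches `allow_outbound_sg_id` alongside it, but other consumers of `allow_web_sg_id` are not visible here and should be checked before applying. A comment on the resource, `# ingress only; pair with aws_security_group.allow_outbound for egress`, would make the split explicit. The `allow_web` resource starts outside this hunk.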
@@ -128,9 +121,10 @@ resource "aws_security_group" "allow_outbound" {
vpc_id = aws_vpc.vpc.id
egress {
- from_port = 0
- to_port = 0
- protocol = "-1" # -1 means all protocols
- cidr_blocks = ["0.0.0.0/0"] # Allows outbound traffic to all IP addresses
+ from_port = 0
+ to_port = 0
+ protocol = "-1" # -1 means all protocols
+ cidr_blocks = ["0.0.0.0/0"] # Allows outbound traffic to all IP addresses
+ ipv6_cidr_blocks = ["::/0"]
}
}
diff --git a/org-buetow-ecs/syncthingservice.tf b/org-buetow-ecs/syncthingservice.tf
index 6389d6d..4aa3fb3 100644
--- a/org-buetow-ecs/syncthingservice.tf
+++ b/org-buetow-ecs/syncthingservice.tf
@@ -3,6 +3,9 @@ resource "aws_lb" "syncthing_nlb" {
internal = false
load_balancer_type = "network"
ip_address_type = "dualstack"
+ security_groups = [
+ aws_security_group.syncthing.id,
+ ]
subnets = [
data.terraform_remote_state.base.outputs.public_subnet_a_id,
data.terraform_remote_state.base.outputs.public_subnet_b_id,
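Review bot: AWS does not allow security groups to be added to a Network Load Balancer that was created without any, so if `syncthing_nlb` is already deployed the new `security_groups` list should be expected to replace the load balancer (new DNS name and addresses) — confirm this in the plan before applying. The group attached here is presumably the same one the ECS tasks use in their `network_configuration` (not visible in this hunk), which means every ingress rule in it now also governs the NLB front door. A comment such as `# shared with the ECS tasks: every ingress rule here also applies to the NLB` would record that coupling. The `aws_lb` resource starts outside the hunk.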
@@ -10,22 +13,22 @@ resource "aws_lb" "syncthing_nlb" {
]
}
-resource "aws_lb_listener" "syncthing_8384" {
+resource "aws_lb_listener" "syncthing_data_tcp" {
load_balancer_arn = aws_lb.syncthing_nlb.arn
protocol = "TCP"
- port = 8384
+ port = 22000
default_action {
type = "forward"
- target_group_arn = aws_lb_target_group.syncthing_ui.arn
+ target_group_arn = aws_lb_target_group.syncthing_data_tcp.arn
}
}
-resource "aws_lb_target_group" "syncthing_ui" {
- name = "syncthing-ui-tg"
- port = 8384
- protocol = "TCP"
- vpc_id = data.terraform_remote_state.base.outputs.vpc_id
+resource "aws_lb_target_group" "syncthing_data_tcp" {
+ name = "syncthing-data-tcp"
+ port = 22000
+ protocol = "TCP"
+ vpc_id = data.terraform_remote_state.base.outputs.vpc_id
target_type = "ip"
}
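Review bot: The `syncthing_data_tcp` listener forwards only TCP/22000, and the same commit drops the UDP 22000 and 21027 port mappings from the task definition (hunk `@@ -98,16 +161,6`), so QUIC transport and local discovery are gone on purpose, yet nothing in the code states that intent. A comment on the listener, `# Syncthing sync protocol over TCP only; QUIC (UDP 22000) and local discovery (UDP 21027) are deliberately not exposed through the NLB`, would stop a later reader from re-adding them. The new target group also carries no `health_check` block, unlike `syncthing_ui_tg` in this file; for a TCP target group the default is a TCP connect on the traffic port, which is acceptable if that is the intended probe.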
@@ -35,8 +38,8 @@ resource "aws_route53_record" "a_record_syncthing" {
type = "A"
alias {
- name = aws_lb.syncthing_nlb.dns_name
- zone_id = aws_lb.syncthing_nlb.zone_id
+ name = data.terraform_remote_state.elb.outputs.alb_dns_name
+ zone_id = data.terraform_remote_state.elb.outputs.alb_zone_id
evaluate_target_health = true
}
}
@@ -47,6 +50,66 @@ resource "aws_route53_record" "aaaa_record_syncthing" {
type = "AAAA"
alias {
+ name = data.terraform_remote_state.elb.outputs.alb_dns_name
+ zone_id = data.terraform_remote_state.elb.outputs.alb_zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_lb_target_group" "syncthing_ui_tg" {
+ name = "syncthing-ui-tg"
+ port = 8384
+ protocol = "HTTP"
+ vpc_id = data.terraform_remote_state.base.outputs.vpc_id
+ target_type = "ip"
+
+ health_check {
+ enabled = true
+ healthy_threshold = 2
+ unhealthy_threshold = 2
+ interval = 30
+ path = "/" # Modify if your app has a specific health check path
+ protocol = "HTTP"
+ timeout = 3
+ matcher = "200-299"
+ }
+}
+
+resource "aws_lb_listener_rule" "syncthing_ui_https_listener_rule" {
+ listener_arn = data.terraform_remote_state.elb.outputs.alb_https_listener_arn
+ priority = 104
+
+ action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.syncthing_ui_tg.arn
+ }
+
+ condition {
+ host_header {
+ values = ["syncthing-ui.buetow.cloud"]
+ }
+ }
+}
+
+
+resource "aws_route53_record" "a_record_syncthing_data" {
+ zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
+ name = "syncthing-data.buetow.cloud."
+ type = "A"
+
+ alias {
+ name = aws_lb.syncthing_nlb.dns_name
+ zone_id = aws_lb.syncthing_nlb.zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_route53_record" "aaaa_record_syncthing_data" {
+ zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
+ name = "syncthing-data.buetow.cloud."
+ type = "AAAA"
+
+ alias {
name = aws_lb.syncthing_nlb.dns_name
zone_id = aws_lb.syncthing_nlb.zone_id
evaluate_target_health = true
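Review bot: The `syncthing_ui_tg` health check probes `path = "/"` with `matcher = "200-299"`, but when the Syncthing GUI has authentication enabled `/` may not answer 2xx, and the copied-template comment `# Modify if your app has a specific health check path` should be resolved rather than shipped. Syncthing exposes `/rest/noauth/health` without credentials for exactly this purpose, so `path = "/rest/noauth/health" # Syncthing liveness endpoint, no auth required` is the more reliable probe — confirm against the deployed version. Separately, the listener rule for `syncthing-ui.buetow.cloud` places the GUI on the public HTTPS listener with no access restriction at the ALB, so protection rests entirely on the GUI user/password configured inside Syncthing; a comment on the rule stating that assumption would help whoever maintains it. The `aaaa_record_syncthing` resource this hunk begins in starts outside the hunk.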
@@ -98,16 +161,6 @@ resource "aws_ecs_task_definition" "syncthing" {
containerPort = 22000,
hostPort = 22000,
protocol = "tcp"
- },
- {
- containerPort = 22000,
- hostPort = 22000,
- protocol = "udp"
- },
- {
- containerPort = 21027,
- hostPort = 21027,
- protocol = "udp"
}
],
mountPoints = [
@@ -139,7 +192,7 @@ resource "aws_ecs_task_definition" "syncthing" {
}
resource "aws_security_group" "syncthing" {
- name = "allow_8384"
+ name = "allow-syncthing"
description = "Allow traffic on syncthing ports"
vpc_id = data.terraform_remote_state.base.outputs.vpc_id
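Review bot: Changing `name` on `aws_security_group.syncthing` forces a replacement, and this group is attached to the running ECS task ENIs (and, after this commit, the NLB), so the default destroy-then-create ordering will block on the delete until those attachments are released and can time out the apply. Unless the resource already has it further down, add `lifecycle { create_before_destroy = true }` so the new group is created and swapped in before the old one is removed. The resource body continues past the hunk.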
@@ -161,23 +214,23 @@ resource "aws_security_group" "syncthing" {
ipv6_cidr_blocks = ["::/0"]
}
- ingress {
- description = "Allow inbound UDP traffic on port 22000"
- from_port = 22000
- to_port = 22000
- protocol = "udp"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
+ #ingress {
+ # description = "Allow inbound UDP traffic on port 22000"
+ # from_port = 22000
+ # to_port = 22000
+ # protocol = "udp"
+ # cidr_blocks = ["0.0.0.0/0"]
+ # ipv6_cidr_blocks = ["::/0"]
+ #}
- ingress {
- description = "Allow inbound UDP traffic on port 21027"
- from_port = 21027
- to_port = 21027
- protocol = "udp"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
+ #ingress {
+ # description = "Allow inbound UDP traffic on port 21027"
+ # from_port = 21027
+ # to_port = 21027
+ # protocol = "udp"
+ # cidr_blocks = ["0.0.0.0/0"]
+ # ipv6_cidr_blocks = ["::/0"]
+ #}
egress {
from_port = 0
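Review bot: The two commented-out UDP ingress blocks in this hunk keep world-open rules as dead text; with the matching UDP port mappings removed from the task definition in the same commit, deleting them outright keeps the group readable and avoids an accidental uncomment later. More important is the ingress block that ends just above the hunk (its `ipv6_cidr_blocks = ["::/0"]` is the first context line): if that is the 8384 rule the group was originally named `allow_8384` for, it lets anyone reach the GUI over plain HTTP on a task's public address, bypassing the HTTPS listener rule added in this file, and should take the ALB's group as its source instead, e.g. `security_groups = [data.terraform_remote_state.base.outputs.allow_web_sg_id]` in place of the CIDR lists. That block is outside the hunk, so verify before changing it.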
@@ -199,11 +252,17 @@ resource "aws_ecs_service" "syncthing" {
desired_count = 1
load_balancer {
- target_group_arn = aws_lb_target_group.syncthing_ui.arn
+ target_group_arn = aws_lb_target_group.syncthing_ui_tg.arn
container_name = "syncthing" # Must match the name in your container definition
container_port = 8384 # The port your container is listening on
}
+ load_balancer {
+ target_group_arn = aws_lb_target_group.syncthing_data_tcp.arn
+ container_name = "syncthing" # Must match the name in your container definition
+ container_port = 22000 # The port your container is listening on
+ }
+
network_configuration {
subnets = [
data.terraform_remote_state.base.outputs.public_subnet_a_id,
diff --git a/org-buetow-elb/alb.tf b/org-buetow-elb/alb.tf
index 71e332e..00d4246 100644
--- a/org-buetow-elb/alb.tf
+++ b/org-buetow-elb/alb.tf
@@ -2,8 +2,11 @@ resource "aws_lb" "alb" {
name = "alb"
internal = false
load_balancer_type = "application"
- security_groups = [aws_security_group.alb_sg.id]
- ip_address_type = "dualstack"
+ security_groups = [
+ data.terraform_remote_state.base.outputs.allow_web_sg_id,
+ data.terraform_remote_state.base.outputs.allow_outbound_sg_id,
+ ]
+ ip_address_type = "dualstack"
subnets = [
data.terraform_remote_state.base.outputs.public_subnet_a_id,
data.terraform_remote_state.base.outputs.public_subnet_b_id,
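Review bot: The ALB now depends on `allow_web` for ingress, but the deleted `alb_sg` admitted both tcp/80 and tcp/443, while in this commit's network.tf hunks only the 443 rule of `allow_web` is visible (8080 removed, 8384 commented out); since `http_listener` on port 80 remains in this file, confirm that `allow_web` still contains an 80 rule or that listener becomes unreachable. A comment on the `security_groups` list naming what each group is expected to provide, e.g. `# allow_web: 80/443 ingress; allow_outbound: all egress`, would document the contract the ALB relies on. The `aws_lb.alb` resource starts outside the hunk.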
@@ -11,34 +14,6 @@ resource "aws_lb" "alb" {
]
}
-resource "aws_security_group" "alb_sg" {
- vpc_id = data.terraform_remote_state.base.outputs.vpc_id
-
- ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
-
- ingress {
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
-}
-
resource "aws_lb_listener" "http_listener" {
load_balancer_arn = aws_lb.alb.arn
port = "80"