Support change-password as ALB rule

PRX · Oct 24, 2023 · 3a15352 · 3a15352
1 parent 362be48
commit 3a15352
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/spire/templates/root.yml b/spire/templates/root.yml
@@ -340,6 +340,7 @@ Resources:
         CloudWatchAlarmTaggerServiceToken: !GetAtt CustomResourcesStack.Outputs.CloudWatchAlarmTaggerServiceToken
         SharedGlueDatabaseName: !GetAtt SharedGlueDatabaseStack.Outputs.SharedGlueDatabaseName
         LatencyGroupDomain: !Sub spire-shared-alb-latency-group.${EnvironmentTypeAbbreviation}.prx.tech
+        IdHostname: !GetAtt Constants2.Outputs.IdHostname
       Tags:
         - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
         - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }

diff --git a/spire/templates/shared-alb.yml b/spire/templates/shared-alb.yml
@@ -69,6 +69,7 @@ Parameters:
   SharedGlueDatabaseName: { Type: String }
   LatencyGroupDomain: { Type: String }
   MaintenanceMode: { Type: String, Default: "Off" }
+  IdHostname: { Type: String }
 
 Conditions:
   IsProduction: !Equals [!Ref EnvironmentType, Production]
@@ -355,6 +356,25 @@ Resources:
       Protocol: HTTPS
       SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
 
+  ChangePasswordListenerRule:
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - RedirectConfig:
+            Host: !Ref IdHostname
+            Port: "443"
+            Path: "/.well-known/change-password"
+            Protocol: HTTPS
+            Query: ""
+            StatusCode: HTTP_302
+          Type: redirect
+      Conditions:
+        - Field: path-pattern
+          Values:
+            - "/.well-known/change-password"
+      ListenerArn: !Ref HttpsListener
+      Priority: 10
+
   MaintenanceModeListenerRule:
     Type: AWS::ElasticLoadBalancingV2::ListenerRule
     Condition: IsMaintenanceMode