[AWS] Story 4: Networking (ALB + ACM)

[mfittko]

Problem Statement

The ECS services need a secure ingress layer with HTTPS, predictable routing,
and network boundaries that match the deployment architecture.

Scope

In scope:

• Internet-facing ALB
• TLS via ACM
• HTTP to HTTPS redirect
• Path-based routing for proxy and admin traffic
• Security-group tightening for edge access

Out of scope:

• WAF integration
• Multi-region DNS strategy
• Internal service observability policy

Technical Approach

• Create ALB listeners and target groups.
• Support imported or newly requested ACM certificates.
• Route known paths to the correct targets.
• Ensure ECS tasks are reachable only through the ALB path.

Dependencies

Hard dependencies:

• CDK foundation and config contract
• Compute layer
  Blocks:
• Observability layer
• Production readiness gate

Acceptance Criteria

• ALB accessible via HTTPS
• TLS termination with valid certificate
• Path-based routing works correctly
• Health checks pass through ALB
• HTTP redirects to HTTPS
• Security groups properly restrict access

Proposed Definition Of Done

• Route test matrix is attached.
• Certificate validation evidence is attached.
• Redirect behavior evidence is attached.
• Security-group rule summary is attached.

Validation Plan

1. Verify HTTPS listener and successful TLS handshake.
2. Verify HTTP requests redirect consistently to HTTPS.
3. Verify each required path resolves to the expected service.
4. Verify ALB health checks succeed.
5. Verify ECS tasks are not directly reachable from the internet.

Risks And Mitigations

• Risk: Route rules drift from application endpoints.
  • Mitigation: Use a route matrix and validate each path explicitly.
• Risk: Network rules remain too open.
  • Mitigation: Include explicit negative access checks.

Handoff Notes

Observability and readiness should reuse the route matrix and health checks.

AC/DoD Coverage Matrix

Item	Type (AC/DoD/Non-goal)	Status (Met/Partial/Unmet/Unverified)	Evidence (spec/tests/behavior)	Notes
ALB accessible via HTTPS	AC	Unverified	HTTPS check	Source AC
TLS termination with valid certificate	AC	Unverified	Cert validation	Source AC
Path-based routing works correctly	AC	Unverified	Route matrix	Source AC
Health checks pass through ALB	AC	Unverified	ALB health evidence	Source AC
HTTP redirects to HTTPS	AC	Unverified	Redirect test	Source AC
Security groups properly restrict access	AC	Unverified	SG tests	Source AC
Route test matrix is attached.	DoD	Unverified	Issue evidence	Proposed DoD
Certificate validation evidence is attached.	DoD	Unverified	Issue evidence	Proposed DoD
Redirect behavior evidence is attached.	DoD	Unverified	Issue evidence	Proposed DoD
Security-group rule summary is attached.	DoD	Unverified	Issue evidence	Proposed DoD

[mfittko]

Refinement update applied. This issue now has explicit scope, hard dependencies, measurable acceptance criteria, a proposed Definition of Done, a validation plan, and an AC/DoD coverage matrix so it is ready for assignment.