fix(deploy): add HTTPS support to ECS Terraform ALB configuration#8505
Open
camgrimsec wants to merge 1 commit into windmill-labs:main from
Conversation
Add optional HTTPS listener with ACM certificate support to the ALB. When acm_certificate_arn is provided, the ALB:

- Terminates TLS on port 443 with TLS 1.3 policy
- Redirects HTTP (port 80) to HTTPS with 301

When no certificate is provided (default for development), the ALB falls back to HTTP-only mode with a clear variable description noting this is not recommended for production.

This follows Windmill's own self-host guidance which recommends TLS termination at the load balancer level.

Security impact: Prevents API tokens, script source code, database credentials, and OAuth tokens from flowing unencrypted between users and the Windmill server.
rubenfiszel (Contributor) reviewed on Mar 24, 2026 and left a comment:
Bug: Security group missing port 443 ingress rule
The security group (security_group.tf) only allows inbound traffic on port 80. When HTTPS is enabled, the ALB listens on port 443, but there is no ingress rule for port 443 — HTTPS traffic will be blocked and the listener will be unreachable.
Suggested fix — add to security_group.tf:
```hcl
# Allow inbound HTTPS to the ALB; without this the 443 listener is unreachable.
ingress {
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}
```
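The following Terraform is an added example, not code from this PR or from the Windmill repository. It shows the shape of the change the description and the review comment together call for: an HTTPS listener and a 443 security-group rule that exist only when a certificate ARN is supplied, an HTTP listener that 301-redirects when TLS is on and forwards plainly when it is off, and the two rules kept in step through one local so the listener can never be created without its ingress rule. Resource and variable names (`aws_lb.windmill`, `aws_lb_target_group.windmill`, `var.vpc_id`, `alb_ssl_policy`) are assumptions and are taken to be declared elsewhere in the module; the default policy name `ELBSecurityPolicy-TLS13-1-2-2021-06` is the AWS-managed TLS 1.3 policy with TLS 1.2 fallback.

```hcl
# Added example (not the PR's own code). Names below are assumptions.

variable "acm_certificate_arn" {
  type        = string
  default     = ""
  description = "ACM certificate ARN for the ALB HTTPS listener. Empty disables TLS (HTTP only; not recommended for production)."
}

variable "alb_ssl_policy" {
  type        = string
  default     = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.3 with TLS 1.2 fallback
  description = "ALB TLS security policy used by the HTTPS listener."
}

locals {
  # Single switch that drives the listener, the redirect and the 443 ingress rule.
  https_enabled = var.acm_certificate_arn != ""
}

resource "aws_security_group" "alb" {
  name   = "windmill-alb"
  vpc_id = var.vpc_id # assumed to be declared elsewhere

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # The 443 rule is tied to the same switch as the HTTPS listener, so the
  # listener can never exist without the ingress rule that makes it reachable.
  dynamic "ingress" {
    for_each = local.https_enabled ? [1] : []
    content {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# HTTPS listener: created only when a certificate ARN is provided.
resource "aws_lb_listener" "https" {
  count             = local.https_enabled ? 1 : 0
  load_balancer_arn = aws_lb.windmill.arn # assumed ALB resource
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = var.alb_ssl_policy
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.windmill.arn # assumed target group
  }
}

# HTTP listener: 301 redirect to HTTPS when TLS is on, plain forward otherwise.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.windmill.arn
  port              = 80
  protocol          = "HTTP"

  dynamic "default_action" {
    for_each = local.https_enabled ? [1] : []
    content {
      type = "redirect"
      redirect {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }
  }

  dynamic "default_action" {
    for_each = local.https_enabled ? [] : [1]
    content {
      type             = "forward"
      target_group_arn = aws_lb_target_group.windmill.arn
    }
  }
}
```

Check after `terraform apply` with the certificate set: `curl -sI http://<alb-dns>/` should return `301` with a `Location: https://...` header, and `openssl s_client -connect <alb-dns>:443 -tls1_3` should complete a handshake. If only TLS 1.3 clients must be accepted, set `alb_ssl_policy` to the TLS 1.3-only AWS policy instead of the 1.2-fallback default.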