toggle between rule sets for public and private access

terraform/environment/region/modules/app/alb.tf

@@ -154,6 +154,14 @@ data "aws_ip_ranges" "route53_healthchecks" {
   provider = aws.region
 }
 
+resource "terraform_data" "route53_healthchecks_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
+}
+
+resource "terraform_data" "route53_healthchecks_ipv6_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
+}
+
 resource "terraform_data" "ingress_allow_list_cidr" {
   input = var.ingress_allow_list_cidr
 }
@@ -201,7 +209,13 @@ resource "aws_security_group_rule" "loadbalancer_ingress_route53_healthchecks" {
   cidr_blocks       = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
   ipv6_cidr_blocks  = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
   security_group_id = aws_security_group.app_loadbalancer.id
-  provider          = aws.region
+  lifecycle {
+    replace_triggered_by = [
+      terraform_data.route53_healthchecks_cidr_blocks,
+      terraform_data.route53_healthchecks_ipv6_cidr_blocks
+    ]
+  }
+  provider = aws.region
 }
 
 resource "aws_security_group_rule" "app_loadbalancer_public_access_ingress" {

terraform/environment/region/modules/mock_onelogin/alb.tf

@@ -90,11 +90,20 @@ data "aws_ip_ranges" "route53_healthchecks" {
   provider = aws.region
 }
 
+resource "terraform_data" "route53_healthchecks_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
+}
+
+resource "terraform_data" "route53_healthchecks_ipv6_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
+}
+
 resource "terraform_data" "ingress_allow_list_cidr" {
   input = var.ingress_allow_list_cidr
 }
 
 resource "aws_security_group_rule" "mock_onelogin_loadbalancer_port_80_redirect_ingress" {
+  count             = var.public_access_enabled ? 0 : 1
   description       = "Port 80 ingress for redirection to port 443"
   type              = "ingress"
   from_port         = 80
@@ -111,6 +120,7 @@ resource "aws_security_group_rule" "mock_onelogin_loadbalancer_port_80_redirect_
 }
 
 resource "aws_security_group_rule" "mock_onelogin_loadbalancer_ingress" {
+  count             = var.public_access_enabled ? 0 : 1
   description       = "Port 443 ingress from the allow list to the application load balancer"
   type              = "ingress"
   from_port         = 443
@@ -135,7 +145,13 @@ resource "aws_security_group_rule" "loadbalancer_ingress_route53_healthchecks" {
   cidr_blocks       = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
   ipv6_cidr_blocks  = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
   security_group_id = aws_security_group.mock_onelogin_loadbalancer.id
-  provider          = aws.region
+  lifecycle {
+    replace_triggered_by = [
+      terraform_data.route53_healthchecks_cidr_blocks,
+      terraform_data.route53_healthchecks_ipv6_cidr_blocks
+    ]
+  }
+  provider = aws.region
 }
 
 resource "aws_security_group_rule" "mock_onelogin_loadbalancer_public_access_ingress" {

terraform/environment/region/modules/mock_pay/alb.tf

@@ -90,6 +90,14 @@ data "aws_ip_ranges" "route53_healthchecks" {
   provider = aws.region
 }
 
+resource "terraform_data" "route53_healthchecks_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
+}
+
+resource "terraform_data" "route53_healthchecks_ipv6_cidr_blocks" {
+  input = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
+}
+
 resource "terraform_data" "ingress_allow_list_cidr" {
   input = var.ingress_allow_list_cidr
 }
@@ -135,7 +143,13 @@ resource "aws_security_group_rule" "loadbalancer_ingress_route53_healthchecks" {
   cidr_blocks       = data.aws_ip_ranges.route53_healthchecks.cidr_blocks
   ipv6_cidr_blocks  = data.aws_ip_ranges.route53_healthchecks.ipv6_cidr_blocks
   security_group_id = aws_security_group.mock_pay_loadbalancer.id
-  provider          = aws.region
+  lifecycle {
+    replace_triggered_by = [
+      terraform_data.route53_healthchecks_cidr_blocks,
+      terraform_data.route53_healthchecks_ipv6_cidr_blocks
+    ]
+  }
+  provider = aws.region
 }
 
 resource "aws_security_group_rule" "mock_pay_loadbalancer_public_access_ingress" {