Infrastructure: Per-IdP ALB listener rules #264

@danielbowne


Epic: Multi-IdP Authentication (#150)
Blocked by: Landing page sub-task (for full E2E testing, but can be developed in parallel)

Summary

Create separate ALB listener rules for each identity provider so that /login/okta triggers Okta OIDC and /login/entra triggers Entra ID OIDC. Resolve the /api/* route auth strategy since ALB only supports one OIDC config per listener rule.

Current State

Both ALB listener rules in alb-internal.tf use the same local.oidc_options:

  • Priority 1: /login* → authenticate-oidc (Okta) → redirect to /
  • Priority 2: /api/* → authenticate-oidc (Okta) → forward to API

local.oidc_options is a single JSON secret decoded in locals.tf.

Requirements

Secrets Manager

  • Add a second secret for Entra ID OIDC configuration (same JSON structure as ztmf_va_trust_provider)
  • Add data.aws_secretsmanager_secret_version for Entra ID secret
  • Add local.oidc_options_entra (or similar) in locals.tf

ALB Listener Rules

  • Replace the single /login* rule with two provider-specific rules:
    • /login/okta* → authenticate-oidc (Okta config) → redirect to /
    • /login/entra* → authenticate-oidc (Entra config) → redirect to /
  • Decide and implement /api/* auth strategy (see options below)

API Route Auth Strategy

ALB allows only one authenticate-oidc action per listener rule, so a single /api/* rule can enforce login against one IdP only. For /api/* we need to accept sessions or tokens from either IdP. Options:

Option A — ALB rule per IdP: separate API paths (/api/okta/*, /api/entra/*), each with its own authenticate-oidc action. Adds frontend routing complexity.

Option B — Move API auth to backend (recommended):

  • Change the /api/* rule's on_unauthenticated_request to "allow", so the ALB forwards requests without an ALB session instead of redirecting them to Okta
  • Backend validates the bearer JWT from either IdP: use the iss claim only to select the matching issuer config (JWKS, expected audience) from an allowlist, then verify signature, aud and exp before trusting any claim
  • ALB still handles the OIDC login dance on the /login/* paths

Option C — CloudFront + Lambda@Edge: Cookie-based routing to different ALB rules. High complexity.

  • Team decides on approach
  • Implement chosen approach
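Worked example for Option B, added here to show the issuer-dispatch logic the backend would need. This is illustrative code, not code from this repository: the issuer URLs, audience, kids and HS256 shared secrets are constructed stand-ins for the real Okta/Entra JWKS (which sign with RS256). The point it demonstrates is that the unverified iss claim only selects which key set to check, and that a token claiming one issuer can never be verified with the other issuer's keys.

```python
"""Issuer-dispatched bearer-token validation for the /api/* backend (Option B).

Added example, not code from this project. Once the /api/* rule allows
unauthenticated requests through, the backend is the authorization gate.
The unverified `iss` claim is used only to select which issuer's keys to
check; signature, audience and expiry are then verified before any claim
is trusted.

Assumptions (hypothetical, not from the issue): the two issuer URLs, the
audience value, the kids, and HS256 shared secrets standing in for each
IdP's JWKS. Real Okta/Entra tokens are RS256; replace the HMAC check with
an RS256 verification against the issuer's JWKS and keep the dispatch.
"""
import base64
import hashlib
import hmac
import json

OKTA_ISS = "https://example.okta.com/oauth2/default"             # constructed
ENTRA_ISS = "https://login.microsoftonline.com/tenant-id/v2.0"  # constructed
AUDIENCE = "api://ztmf"                                          # constructed
NOW = 1_700_000_000  # fixed clock so the demo below is deterministic

# Issuer allowlist: iss -> expected audience + keys by kid (constructed).
TRUST = {
    OKTA_ISS: {"aud": AUDIENCE, "keys": {"okta-k1": b"okta-secret-constructed"}},
    ENTRA_ISS: {"aud": AUDIENCE, "keys": {"entra-k1": b"entra-secret-constructed"}},
}


class AuthError(Exception):
    """Short, non-sensitive reason; map to HTTP 401 at the API layer."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint(iss: str, kid: str, key: bytes, claims: dict) -> str:
    """Build a sample HS256 token; stands in for an IdP issuing one."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = dict(claims, iss=iss)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate(token: str, now: int) -> dict:
    """Return verified claims or raise AuthError. `now` is epoch seconds."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError as exc:  # covers unpack, base64 and JSON/UTF-8 errors
        raise AuthError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AuthError("malformed token")

    # 1. Dispatch on the *unverified* iss: it only chooses a key set.
    trust = TRUST.get(claims.get("iss"))
    if trust is None:
        raise AuthError("issuer not trusted")

    # 2. Pin the algorithm and look the kid up in that issuer's keys only,
    #    so a token can never be verified with another issuer's key.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    key = trust["keys"].get(header.get("kid"))
    if key is None:
        raise AuthError("unknown kid for issuer")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError("bad signature")

    # 3. Claims are trustworthy only after the signature check.
    if claims.get("aud") != trust["aud"]:
        raise AuthError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("expired or missing exp")
    return claims


def decision(token: str, now: int = NOW) -> str:
    """'allow:<iss>' or 'deny:<reason>', the shape an API middleware would log."""
    try:
        return "allow:" + validate(token, now)["iss"]
    except AuthError as exc:
        return "deny:" + str(exc)


if __name__ == "__main__":
    okta_key = TRUST[OKTA_ISS]["keys"]["okta-k1"]
    entra_key = TRUST[ENTRA_ISS]["keys"]["entra-k1"]
    good = {"aud": AUDIENCE, "exp": NOW + 300, "sub": "user@example.gov"}
    print(decision(mint(OKTA_ISS, "okta-k1", okta_key, good)))
    print(decision(mint(ENTRA_ISS, "entra-k1", entra_key, good)))
    # Entra issuer claimed but signed with the Okta key: rejected.
    print(decision(mint(ENTRA_ISS, "entra-k1", okta_key, good)))
    print(decision(mint("https://evil.example/v2.0", "okta-k1", okta_key, good)))
```

Two caveats that go with this option: once the ALB no longer enforces auth on /api/*, the presence of x-amzn-oidc-* headers proves nothing by itself, so the backend should either ignore them or verify the signature on x-amzn-oidc-data with the ALB's public key as AWS documents; and the issuer allowlist must be exact-match against the iss values published in each IdP's OIDC metadata, not a prefix or substring check.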

Terraform Variables

  • Add Entra ID secret ARN/name to tfvars/dev.tfvars and tfvars/prod.tfvars
  • Parameterize provider-specific values

Files to Modify

  • infrastructure/locals.tf — add oidc_options_entra
  • infrastructure/alb-internal.tf — new listener rules, modify API rule
  • infrastructure/secrets.tf — add Entra ID secret data source
  • infrastructure/tfvars/dev.tfvars — Entra ID secret reference
  • infrastructure/tfvars/prod.tfvars — Entra ID secret reference

Acceptance Criteria

  • /login/okta triggers Okta OIDC flow and redirects to / on success
  • /login/entra triggers Entra ID OIDC flow and redirects to / on success
  • /api/* requests authenticated by either IdP are forwarded to the backend
  • terraform plan shows clean, expected changes
  • Existing Okta-only users experience no disruption
  • tflint passes with no errors
