!+ Sigma Instance

This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename
2021-11-25 20:44:00 -08:00 · 2021-11-25 20:44:00 -08:00 · 82d039369c
commit 82d039369c
parent 6579935310
6 changed files with 68 additions and 8 deletions
--- a/infra/alpha.tf
+++ b/infra/alpha.tf
@ -20,7 +20,7 @@ resource "aws_instance" "alpha" {
  key_name = var.alpha_ssh_key_name

  security_groups = [ 
-    aws_security_group.basic_web_sec.id,
+    aws_security_group.general_web_req.id,
    aws_security_group.internal_ssh_recv.id
  ]
  subnet_id = aws_subnet.crete_subnet.id
--- a/infra/beta.tf
+++ b/infra/beta.tf
@ -18,7 +18,7 @@ resource "aws_instance" "beta" {
  key_name = var.beta_public_key_path

  security_groups = [
-    aws_security_group.basic_web_sec.id,
+    aws_security_group.general_web_req.id,
    aws_security_group.internal_ssh_recv.id
  ]

--- a/infra/eip.tf
+++ b/infra/eip.tf
@ -1,9 +1,17 @@
-# Beta will basically always be the static web server
-# hence why we explicitly setup an EIP for it alone like this
-resource "aws_eip" "beta_eip" {
-  instance = aws_instance.beta.id
+resource "aws_eip" "sigma_eip" {
+  instance = aws_instance.sigma.id
  vpc = true
  tags = {
-    Name = "Beta Elastic IP"
+    Name = "Sigma(Web Load Balancer) EIP"
  }
 }
+
+# It's important to note that this instance is not going to up all the time
+resource "aws_eip" "gamma_eip" {
+  instance = aws_instance.gamma.id
+  vpc = true
+  tags = {
+    Name = "Ansible host Elastic IP"
+  }
+}
+
--- a/infra/gamma.tf
+++ b/infra/gamma.tf
@ -16,5 +16,9 @@ resource "aws_instance" "gamma" {
  key_name = var.gamma_ssh_key_name

  security_groups = [ aws_security_group.gamma_sec.id  ]
+  subnet_id = aws_subnet.crete_subnet.id
+  tags = {
+    Name = "Gamma Host"
+  }
 }

--- a/infra/security-groups.tf
+++ b/infra/security-groups.tf
@ -1,6 +1,6 @@
 # Here are general definitions for security rulesets

-resource "aws_security_group" "basic_web_sec" {
+resource "aws_security_group" "general_web_req" {
  name = "Athens General web server ruleset"
  description = "Allowing strictly web traffic"
  vpc_id = aws_vpc.athens_vpc.id
@ -11,6 +11,12 @@ resource "aws_security_group" "basic_web_sec" {
    to_port = 443
    protocol = "tcp"
  }
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+  }
  # WARN: Due to the usage of debian based images this rule
  # is effectively required in order to properly update
  # the system as apt mostly talks over port 443(maybe port 80 too?)
@ -20,6 +26,15 @@ resource "aws_security_group" "basic_web_sec" {
    to_port = 443
    protocol = "tcp"
  }
+  # WARN: like 99% certrain apt falls back to port 80 on occasion
+  # which means we kinda need egress in to not break when requesting
+  # from shitty repos ...
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+  }
 }

 resource "aws_security_group" "internal_ssh_recv" {
--- a/infra/sigma.tf
+++ b/infra/sigma.tf
@ -0,0 +1,33 @@
+# Sigma is the system that sits between the internally hosted web services 
+# and the outside world it's job is basically to act as a router for
+# outside incoming traffic and the web servers
+
+variable "sigma_ssh_key_name" {}
+variable "sigma_public_key_path" {}
+
+variable "sigma_instance_type" {}
+variable "sigma_ami_id" {}
+
+resource "aws_key_pair" "sigma_ssh" {
+  key_name = var.sigma_ssh_key_name
+  public_key = file(var.sigma_public_key_path)
+}
+
+resource "aws_instance" "sigma" {
+  ami = var.sigma_ami_id
+  instance_type = var.sigma_instance_type
+
+  key_name = var.sigma_ssh_key_name
+
+  security_groups = [
+    aws_security_group.internal_ssh_recv.id,
+    aws_security_group.general_web_req.id,
+  ]
+
+  subnet_id = aws_subnet.crete_subnet.id
+
+  tags = {
+    Name = "Sigma Host"
+  }
+}
+