diff --git a/infra/alpha.tf b/infra/alpha.tf
index 5372db9..d554e6a 100644
--- a/infra/alpha.tf
+++ b/infra/alpha.tf
@@ -20,7 +20,7 @@ resource "aws_instance" "alpha" {
 key_name = var.alpha_ssh_key_name
 security_groups = [
- aws_security_group.basic_web_sec.id,
+ aws_security_group.general_web_req.id,
 aws_security_group.internal_ssh_recv.id
 ]
 subnet_id = aws_subnet.crete_subnet.id
diff --git a/infra/beta.tf b/infra/beta.tf
index 0cc147c..9a916cf 100644
--- a/infra/beta.tf
+++ b/infra/beta.tf
@@ -18,7 +18,7 @@ resource "aws_instance" "beta" {
 key_name = var.beta_public_key_path
 security_groups = [
- aws_security_group.basic_web_sec.id,
+ aws_security_group.general_web_req.id,
 aws_security_group.internal_ssh_recv.id
 ]
diff --git a/infra/eip.tf b/infra/eip.tf
index 433c3dd..5b4d452 100644
--- a/infra/eip.tf
+++ b/infra/eip.tf
@@ -1,9 +1,17 @@
-# Beta will basically always be the static web server
-# hence why we explicitly setup an EIP for it alone like this
-resource "aws_eip" "beta_eip" {
- instance = aws_instance.beta.id
+resource "aws_eip" "sigma_eip" {
+ instance = aws_instance.sigma.id
 vpc = true
 tags = {
- Name = "Beta Elastic IP"
+ Name = "Sigma(Web Load Balancer) EIP"
 }
 }
+
+# It's important to note that this instance is not going to up all the time
+resource "aws_eip" "gamma_eip" {
+ instance = aws_instance.gamma.id
+ vpc = true
+ tags = {
+ Name = "Ansible host Elastic IP"
+ }
+}
+
diff --git a/infra/gamma.tf b/infra/gamma.tf
index f097197..191802b 100644
--- a/infra/gamma.tf
+++ b/infra/gamma.tf
@@ -16,5 +16,9 @@ resource "aws_instance" "gamma" {
 key_name = var.gamma_ssh_key_name
 security_groups = [ aws_security_group.gamma_sec.id ]
+ subnet_id = aws_subnet.crete_subnet.id
+ tags = {
+ Name = "Gamma Host"
+ }
 }
diff --git a/infra/security-groups.tf b/infra/security-groups.tf
index 6a32a49..e026e6d 100644
--- a/infra/security-groups.tf
+++ b/infra/security-groups.tf
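Review bot: Renaming `aws_eip.beta_eip` to `aws_eip.sigma_eip` in the eip.tf hunk is a destroy-and-create for Terraform, so the public address beta holds today is released and sigma receives a different one; any DNS record or client allow-list pointing at the old address breaks on apply. If the address is meant to survive, add a `moved` block with `from = aws_eip.beta_eip` and `to = aws_eip.sigma_eip` so only the `instance` argument changes in place. The new `gamma_eip` gives the Ansible control host a permanent public address, and the group that limits inbound reach to it (`gamma_sec`, not shown here) is what now decides its exposure; a comment naming that restriction next to the resource would help reviewers, and the added comment should read "is not going to be up all the time". If the provider in use is 5.x, `vpc = true` is the deprecated spelling of `domain = "vpc"`.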
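Review bot: The added `subnet_id = aws_subnet.crete_subnet.id` in the gamma.tf hunk places the instance in a VPC subnet while its groups are still passed through `security_groups`, which the AWS provider documents as a list of group names for EC2-Classic/default-VPC instances; handing it `.id` values together with `subnet_id` is, as far as I recall, rejected or forces a replacement at apply time. The VPC form is `vpc_security_group_ids = [ aws_security_group.gamma_sec.id ]`. The same `security_groups` + `subnet_id` combination appears in the new sigma.tf and in the alpha.tf context lines, so it is worth fixing in all three. The `aws_instance.gamma` block begins before this hunk.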
@@ -1,6 +1,6 @@
 # Here are general definitions for security rulesets
-resource "aws_security_group" "basic_web_sec" {
+resource "aws_security_group" "general_web_req" {
 name = "Athens General web server ruleset"
 description = "Allowing strictly web traffic"
 vpc_id = aws_vpc.athens_vpc.id
@@ -11,6 +11,12 @@ resource "aws_security_group" "basic_web_sec" {
 to_port = 443
 protocol = "tcp"
 }
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
 # WARN: Due to the usage of debian based images this rule
 # is effectively required in order to properly update
 # the system as apt mostly talks over port 443(maybe port 80 too?)
@@ -20,6 +26,15 @@ resource "aws_security_group" "basic_web_sec" {
 to_port = 443
 protocol = "tcp"
 }
+ # WARN: like 99% certrain apt falls back to port 80 on occasion
+ # which means we kinda need egress in to not break when requesting
+ # from shitty repos ...
+ egress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
 }
 resource "aws_security_group" "internal_ssh_recv" {
diff --git a/infra/sigma.tf b/infra/sigma.tf
new file mode 100644
index 0000000..d5de08e
--- /dev/null
+++ b/infra/sigma.tf
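Review bot: The new port-80 `ingress` from `0.0.0.0/0` in the second hunk goes into a group that alpha.tf and beta.tf also attach, and sigma.tf describes those hosts as internal services with sigma as the router in front of them; if sigma is meant to be the only public entry point, the backends want a separate group whose ingress source is sigma's group (`security_groups = [aws_security_group.general_web_req.id]` inside the ingress block) instead of the whole internet, and only sigma should keep `general_web_req`. Renaming the resource in the first hunk makes Terraform destroy `basic_web_sec` and create `general_web_req`, with every instance referencing it updated in the same apply; a `moved` block with `from = aws_security_group.basic_web_sec` and `to = aws_security_group.general_web_req` keeps the existing group and avoids the window with no group attached. The `description = "Allowing strictly web traffic"` context line no longer describes a group that also carries outbound 80/443 for apt; `description = "Inbound 80/443 from anywhere; outbound 80/443 for apt"` would match the rules. The third-hunk comment spells "certain" as "certrain".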
@@ -0,0 +1,33 @@
+# Sigma is the system that sits between the internally hosted web services
+# and the outside world it's job is basically to act as a router for
+# outside incoming traffic and the web servers
+
+variable "sigma_ssh_key_name" {}
+variable "sigma_public_key_path" {}
+
+variable "sigma_instance_type" {}
+variable "sigma_ami_id" {}
+
+resource "aws_key_pair" "sigma_ssh" {
+ key_name = var.sigma_ssh_key_name
+ public_key = file(var.sigma_public_key_path)
+}
+
+resource "aws_instance" "sigma" {
+ ami = var.sigma_ami_id
+ instance_type = var.sigma_instance_type
+
+ key_name = var.sigma_ssh_key_name
+
+ security_groups = [
+ aws_security_group.internal_ssh_recv.id,
+ aws_security_group.general_web_req.id,
+ ]
+
+ subnet_id = aws_subnet.crete_subnet.id
+
+ tags = {
+ Name = "Sigma Host"
+ }
+}
+
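Review bot: `key_name = var.sigma_ssh_key_name` on `aws_instance.sigma` reads the variable instead of the key pair resource declared just above it, so Terraform records no dependency between the instance and `aws_key_pair.sigma_ssh` and may launch the instance before the key exists on first apply; `key_name = aws_key_pair.sigma_ssh.key_name` gives the same value with the ordering made explicit. The header comment says the host routes outside traffic to the web servers but not what is expected to listen on 80/443 here, and the EIP tag in eip.tf calls it a web load balancer; one sentence naming the intended listener (and that it is the single public entry, if that is the design) would save the next reader a guess. The `security_groups` + `subnet_id` combination is the same one raised on the gamma.tf hunk.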