!+ Sigma Instance

This will be the web host reverse proxy (for alpha & beta)
!+ More sec groups for port 80 for apt's request fallback
Only because Apt blows

* Renaming sec-group::basic_web_sec -> sec-group::general_web_req
Should be clearer w/  this rename
This commit is contained in:
shockrah 2021-11-25 20:44:00 -08:00
parent 6579935310
commit 82d039369c
6 changed files with 68 additions and 8 deletions

View File

@ -20,7 +20,7 @@ resource "aws_instance" "alpha" {
key_name = var.alpha_ssh_key_name key_name = var.alpha_ssh_key_name
security_groups = [ security_groups = [
aws_security_group.basic_web_sec.id, aws_security_group.general_web_req.id,
aws_security_group.internal_ssh_recv.id aws_security_group.internal_ssh_recv.id
] ]
subnet_id = aws_subnet.crete_subnet.id subnet_id = aws_subnet.crete_subnet.id

View File

@ -18,7 +18,7 @@ resource "aws_instance" "beta" {
key_name = var.beta_public_key_path key_name = var.beta_public_key_path
security_groups = [ security_groups = [
aws_security_group.basic_web_sec.id, aws_security_group.general_web_req.id,
aws_security_group.internal_ssh_recv.id aws_security_group.internal_ssh_recv.id
] ]

View File

@ -1,9 +1,17 @@
# Beta will basically always be the static web server resource "aws_eip" "sigma_eip" {
# hence why we explicitly setup an EIP for it alone like this instance = aws_instance.sigma.id
resource "aws_eip" "beta_eip" {
instance = aws_instance.beta.id
vpc = true vpc = true
tags = { tags = {
Name = "Beta Elastic IP" Name = "Sigma(Web Load Balancer) EIP"
} }
} }
# It's important to note that this instance is not going to up all the time
resource "aws_eip" "gamma_eip" {
instance = aws_instance.gamma.id
vpc = true
tags = {
Name = "Ansible host Elastic IP"
}
}

View File

@ -16,5 +16,9 @@ resource "aws_instance" "gamma" {
key_name = var.gamma_ssh_key_name key_name = var.gamma_ssh_key_name
security_groups = [ aws_security_group.gamma_sec.id ] security_groups = [ aws_security_group.gamma_sec.id ]
subnet_id = aws_subnet.crete_subnet.id
tags = {
Name = "Gamma Host"
}
} }

View File

@ -1,6 +1,6 @@
# Here are general definitions for security rulesets # Here are general definitions for security rulesets
resource "aws_security_group" "basic_web_sec" { resource "aws_security_group" "general_web_req" {
name = "Athens General web server ruleset" name = "Athens General web server ruleset"
description = "Allowing strictly web traffic" description = "Allowing strictly web traffic"
vpc_id = aws_vpc.athens_vpc.id vpc_id = aws_vpc.athens_vpc.id
@ -11,6 +11,12 @@ resource "aws_security_group" "basic_web_sec" {
to_port = 443 to_port = 443
protocol = "tcp" protocol = "tcp"
} }
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
# WARN: Due to the usage of debian based images this rule # WARN: Due to the usage of debian based images this rule
# is effectively required in order to properly update # is effectively required in order to properly update
# the system as apt mostly talks over port 443(maybe port 80 too?) # the system as apt mostly talks over port 443(maybe port 80 too?)
@ -20,6 +26,15 @@ resource "aws_security_group" "basic_web_sec" {
to_port = 443 to_port = 443
protocol = "tcp" protocol = "tcp"
} }
# WARN: like 99% certrain apt falls back to port 80 on occasion
# which means we kinda need egress in to not break when requesting
# from shitty repos ...
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
} }
resource "aws_security_group" "internal_ssh_recv" { resource "aws_security_group" "internal_ssh_recv" {

33
infra/sigma.tf Normal file
View File

@ -0,0 +1,33 @@
# Sigma is the system that sits between the internally hosted web services
# and the outside world it's job is basically to act as a router for
# outside incoming traffic and the web servers
variable "sigma_ssh_key_name" {}
variable "sigma_public_key_path" {}
variable "sigma_instance_type" {}
variable "sigma_ami_id" {}
resource "aws_key_pair" "sigma_ssh" {
key_name = var.sigma_ssh_key_name
public_key = file(var.sigma_public_key_path)
}
resource "aws_instance" "sigma" {
ami = var.sigma_ami_id
instance_type = var.sigma_instance_type
key_name = var.sigma_ssh_key_name
security_groups = [
aws_security_group.internal_ssh_recv.id,
aws_security_group.general_web_req.id,
]
subnet_id = aws_subnet.crete_subnet.id
tags = {
Name = "Sigma Host"
}
}