More variable clean up for security groups

Removing traces from previous networking cleanout
This commit is contained in:
shockrah 2023-10-03 19:38:27 -07:00
parent e51ebc7251
commit caf09a63cb
9 changed files with 37 additions and 177 deletions

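--- /dev/null
+++ b/infra/data.tf
@@ -0,0 +1,12 @@
+data "aws_vpc" "athens" {
+id = var.vpc_id
+}
+data "aws_subnet" "delphi" {
+id = "subnet-0a1943f26e4338cf6"
+}
+data "aws_subnet" "crete" {
+id = "subnet-09302319a6678643f"
+}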
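Review bot: The two `aws_subnet` data sources pin raw subnet IDs while the VPC comes from `var.vpc_id`, so nothing verifies that `subnet-0a1943f26e4338cf6` and `subnet-09302319a6678643f` actually belong to `data.aws_vpc.athens`; a stale or mistyped ID would only surface as an apply-time error on the load balancer or ECS service that consume them. Adding `vpc_id = data.aws_vpc.athens.id` to each `aws_subnet` data block makes the lookup fail at plan time when the subnet lives in a different VPC. For consistency with how the VPC is passed in, the two subnet IDs would also fit better as input variables than as literals in this file.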


@ -1,8 +0,0 @@
# Used to provide internet access for instances in the VPC
resource "aws_internet_gateway" "athens_internet_gateway" {
vpc_id = aws_vpc.athens_vpc.id
tags = {
Name = "Athens Common Internet Gateway in Olypmus"
}
}


@ -20,19 +20,8 @@ variable "aws_region" {
sensitive = true sensitive = true
} }
######################### Subnet variables variable "vpc_id" {
variable "crete_cidr" { description = "Project Athens VPC ID"
description = "CIDR block for the servers themselves"
type = string
}
variable "athens_availability_zone" {
description = "Availability zone for Project Bucket"
type = string
}
######################### VPC variables
variable "athens_cidr" {
description = "VPC Subnet CIDR block"
type = string type = string
} }
@ -80,3 +69,17 @@ variable "resume_shockrah_xyz_bucket" {
default = "resume_shockrah_xyz" default = "resume_shockrah_xyz"
} }
variable "temper" {
type = object({
cert_arn = string
})
}
variable "sg" {
type = object({
base_ecs = string
ecs_web_ingress = string
lb_health_check = string
})
}
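Review bot: `variable "sg"` (and `variable "temper"` above it) has no `description` and no `validation`, yet it replaces the `aws_security_group` resources this commit deletes, so the rules each ID is expected to carry (the removed `ecs_web_ingress` opened 80/443 from 0.0.0.0/0, `base_ecs` was egress-only, `load_balancer_health_check` only allowed egress to 10.0.0.0/8) are no longer recorded anywhere in this module. A description that states what each field must point at, plus a validation that every value is a security group ID, would catch an empty or wrong value at plan time instead of at apply; the same IDs are consumed unchecked in the `aws_lb.alpha` and `aws_ecs_service.beta_reverse_proxy` hunks. The regex below is constructed and should be adjusted if the IDs are ever sourced from another provider.
```hcl
variable "sg" {
  description = "Security group IDs managed outside this module: base_ecs (task egress only), ecs_web_ingress (web ingress to tasks/LB), lb_health_check (LB egress to targets)."
  type = object({
    base_ecs = string
    ecs_web_ingress = string
    lb_health_check = string
  })
  validation {
    condition     = alltrue([for id in values(var.sg) : can(regex("^sg-[0-9a-f]+$", id))])
    error_message = "Every sg.* value must be an AWS security group ID (sg-...)."
  }
}
```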


@ -8,10 +8,10 @@ resource "aws_lb" "alpha" {
name = "alpha-lb" name = "alpha-lb"
internal = false internal = false
load_balancer_type = "application" load_balancer_type = "application"
subnets = [ aws_subnet.delphi.id, aws_subnet.crete_subnet.id ] subnets = [ data.aws_subnet.delphi.id, data.aws_subnet.crete.id ]
security_groups = [ security_groups = [
aws_security_group.ecs_web_ingress.id, var.sg.ecs_web_ingress,
aws_security_group.load_balancer_health_check.id var.sg.lb_health_check
] ]
# TODO: change this to true later # TODO: change this to true later
enable_deletion_protection = false enable_deletion_protection = false
@ -25,7 +25,7 @@ resource "aws_lb_target_group" "nginx" {
port = var.nginx_port port = var.nginx_port
protocol = "HTTP" protocol = "HTTP"
target_type = "ip" target_type = "ip"
vpc_id = aws_vpc.athens_vpc.id vpc_id = data.aws_vpc.athens.id
health_check { health_check {
interval = local.nginx_hp_check_interval interval = local.nginx_hp_check_interval
} }


@ -52,12 +52,12 @@ resource "aws_ecs_service" "beta_reverse_proxy" {
network_configuration { network_configuration {
assign_public_ip = true assign_public_ip = true
subnets = [ subnets = [
aws_subnet.delphi.id, data.aws_subnet.delphi.id,
aws_subnet.crete_subnet.id, data.aws_subnet.crete.id,
] ]
security_groups = [ security_groups = [
aws_security_group.ecs_web_ingress.id, var.sg.ecs_web_ingress,
aws_security_group.base_ecs.id, var.sg.base_ecs,
] ]
} }
depends_on = [ depends_on = [
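Review bot: `assign_public_ip = true` together with `var.sg.ecs_web_ingress` leaves the tasks directly reachable from the internet on 80/443 if that externally managed group still carries the 0.0.0.0/0 ingress the removed `aws_security_group.ecs_web_ingress` had, i.e. traffic can bypass `aws_lb.alpha`; that exposure predates this commit, but now that the rules live outside the module a reader of this file can no longer see it. A comment on `network_configuration` such as `# NOTE: public IP + ecs_web_ingress makes tasks reachable directly; point var.sg.ecs_web_ingress at a group that only admits the LB if ALB-only access is intended` records the assumption for whoever supplies `var.sg`. The `depends_on` list that follows continues outside the hunk.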


@ -1,23 +0,0 @@
# NOTE: local traffic route is implied and does not need to be specified
resource "aws_route_table" "crete_route_table" {
vpc_id = aws_vpc.athens_vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.athens_internet_gateway.id
}
tags = {
Name = "Crete IGW Route Table"
}
}
resource "aws_route_table_association" "crete_gateway_association" {
subnet_id = aws_subnet.crete_subnet.id
route_table_id = aws_route_table.crete_route_table.id
}
resource "aws_route_table_association" "delphi_gateway_association" {
subnet_id = aws_subnet.delphi.id
route_table_id = aws_route_table.crete_route_table.id
}


@ -1,90 +0,0 @@
# Here are general definitions for security rulesets
resource "aws_security_group" "ecs_web_ingress" {
name = "Alpha-Web-Ingress"
description = "Allow web traffic into the host"
vpc_id = aws_vpc.athens_vpc.id
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 443
to_port = 443
protocol = "tcp"
}
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
}
resource "aws_security_group" "base_ecs" {
vpc_id = aws_vpc.athens_vpc.id
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 443
to_port = 443
protocol = "tcp"
}
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 2049
to_port = 2049
protocol = "tcp"
}
}
resource "aws_security_group" "load_balancer_health_check" {
name = "Load Balancer Health check"
vpc_id = aws_vpc.athens_vpc.id
egress {
cidr_blocks = ["10.0.0.0/8"]
from_port = 80
to_port = 80
protocol = "tcp"
}
}
resource "aws_security_group" "general_web_req" {
name = "Athens General web server ruleset"
description = "Allowing strictly web traffic"
vpc_id = aws_vpc.athens_vpc.id
# Intake of web requests(only serving TLS enabled traffic)
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 443
to_port = 443
protocol = "tcp"
}
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
# WARN: Due to the usage of debian based images this rule
# is effectively required in order to properly update
# the system as apt mostly talks over port 443(maybe port 80 too?)
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 443
to_port = 443
protocol = "tcp"
}
# WARN: like 99% certrain apt falls back to port 80 on occasion
# which means we kinda need egress in to not break when requesting
# from shitty repos ...
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
}


@ -1,23 +0,0 @@
# This script represents the subnet structure for Crete(primary subnet)
resource "aws_subnet" "crete_subnet" {
vpc_id = aws_vpc.athens_vpc.id
# 10.0.1.0/24
cidr_block = var.crete_cidr
availability_zone = var.athens_availability_zone
tags = {
Name = "Crete Subnet"
Description = "Main subnet for EC2 and Alpha-LB"
}
}
resource "aws_subnet" "delphi" {
vpc_id = aws_vpc.athens_vpc.id
cidr_block = "10.0.2.0/24"
availability_zone = "us-west-1c"
tags = {
Name = "Delphi Subnet"
Description = "Secondary subnet for the Alpha-LB mostly"
}
}


@ -1,11 +0,0 @@
resource "aws_vpc" "athens_vpc" {
cidr_block = var.athens_cidr
enable_dns_support = true
enable_dns_hostnames = true
tags = {
Name = "Project Athens VPC"
}
}