More variable clean up for security groups
Removing leftover references from the previous networking clean-out
This commit is contained in:
parent
e51ebc7251
commit
caf09a63cb
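--- a/infra/data.tf
+++ b/infra/data.tf
@@ -0,0 +1,12 @@
+data "aws_vpc" "athens" {
+id = var.vpc_id
+}
+
+data "aws_subnet" "delphi" {
+id = "subnet-0a1943f26e4338cf6"
+}
+
+data "aws_subnet" "crete" {
+id = "subnet-09302319a6678643f"
+}
+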
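Review bot: The two subnet lookups pin account-specific IDs as literals (`subnet-0a1943f26e4338cf6`, `subnet-09302319a6678643f`) while the VPC in the same file comes from `var.vpc_id`; following the same pattern, `id = var.delphi_subnet_id` and `id = var.crete_subnet_id` declared alongside `vpc_id`, would let this configuration be applied against another account or a rebuilt network without editing this file. Nothing ties the looked-up subnets to the looked-up VPC, so a subnet ID from a different VPC passes `terraform plan` and only fails when `aws_lb` is created; adding `vpc_id = data.aws_vpc.athens.id` to each `aws_subnet` data block makes the lookup itself fail at plan time in that case. With the subnets, their route table and the internet gateway removed from this repository in the same commit, the public routing of these subnets is no longer reviewable here, so a short comment naming where they are now managed would help the next reader.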
@ -1,8 +0,0 @@
|
||||
# Used to provide internet access for instances in the VPC
|
||||
resource "aws_internet_gateway" "athens_internet_gateway" {
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
|
||||
tags = {
|
||||
Name = "Athens Common Internet Gateway in Olypmus"
|
||||
}
|
||||
}
|
@ -20,19 +20,8 @@ variable "aws_region" {
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
######################### Subnet variables
|
||||
variable "crete_cidr" {
|
||||
description = "CIDR block for the servers themselves"
|
||||
type = string
|
||||
}
|
||||
variable "athens_availability_zone" {
|
||||
description = "Availability zone for Project Bucket"
|
||||
type = string
|
||||
}
|
||||
|
||||
######################### VPC variables
|
||||
variable "athens_cidr" {
|
||||
description = "VPC Subnet CIDR block"
|
||||
variable "vpc_id" {
|
||||
description = "Project Athens VPC ID"
|
||||
type = string
|
||||
}
|
||||
|
||||
@ -80,3 +69,17 @@ variable "resume_shockrah_xyz_bucket" {
|
||||
default = "resume_shockrah_xyz"
|
||||
}
|
||||
|
||||
variable "temper" {
|
||||
type = object({
|
||||
cert_arn = string
|
||||
})
|
||||
}
|
||||
|
||||
variable "sg" {
|
||||
type = object({
|
||||
base_ecs = string
|
||||
ecs_web_ingress = string
|
||||
lb_health_check = string
|
||||
})
|
||||
}
|
||||
|
||||
|
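Review bot: `variable "sg"` in the second hunk takes three security group IDs with no `description`, and because the same commit deletes the in-repo rules those groups used to carry, what each ID is expected to permit is no longer written down anywhere; a description per object field, stating the intent the removed definitions encoded (ingress 80/443 from anywhere for `ecs_web_ingress`, task egress on 80/443/2049 for `base_ecs`, egress 80 to 10.0.0.0/8 for `lb_health_check`), would let a reviewer check the supplied IDs against that intent. `variable "temper"` and the new `vpc_id` in the first hunk would benefit from the same: `temper` has no description at all. A cheap guard against a pasted-in wrong ID type is a `validation` block on `sg` checking `can(regex("^sg-", var.sg.base_ecs))` and likewise for the other two fields, which fails at plan time instead of at apply.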
@ -8,10 +8,10 @@ resource "aws_lb" "alpha" {
|
||||
name = "alpha-lb"
|
||||
internal = false
|
||||
load_balancer_type = "application"
|
||||
subnets = [ aws_subnet.delphi.id, aws_subnet.crete_subnet.id ]
|
||||
subnets = [ data.aws_subnet.delphi.id, data.aws_subnet.crete.id ]
|
||||
security_groups = [
|
||||
aws_security_group.ecs_web_ingress.id,
|
||||
aws_security_group.load_balancer_health_check.id
|
||||
var.sg.ecs_web_ingress,
|
||||
var.sg.lb_health_check
|
||||
]
|
||||
# TODO: change this to true later
|
||||
enable_deletion_protection = false
|
||||
@ -25,7 +25,7 @@ resource "aws_lb_target_group" "nginx" {
|
||||
port = var.nginx_port
|
||||
protocol = "HTTP"
|
||||
target_type = "ip"
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
vpc_id = data.aws_vpc.athens.id
|
||||
health_check {
|
||||
interval = local.nginx_hp_check_interval
|
||||
}
|
||||
|
@ -52,12 +52,12 @@ resource "aws_ecs_service" "beta_reverse_proxy" {
|
||||
network_configuration {
|
||||
assign_public_ip = true
|
||||
subnets = [
|
||||
aws_subnet.delphi.id,
|
||||
aws_subnet.crete_subnet.id,
|
||||
data.aws_subnet.delphi.id,
|
||||
data.aws_subnet.crete.id,
|
||||
]
|
||||
security_groups = [
|
||||
aws_security_group.ecs_web_ingress.id,
|
||||
aws_security_group.base_ecs.id,
|
||||
var.sg.ecs_web_ingress,
|
||||
var.sg.base_ecs,
|
||||
]
|
||||
}
|
||||
depends_on = [
|
||||
|
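Review bot: In the `aws_ecs_service` hunk (and the `aws_lb` hunk above it) the security groups are now raw strings from `var.sg`, whereas the VPC and subnets in the same change go through `data` lookups, so a stale or mistyped group ID is only caught at apply time rather than at plan time and the two kinds of externally managed network object are referenced differently. Declaring `data "aws_security_group" "ecs_web_ingress" { id = var.sg.ecs_web_ingress }` (and the other two) next to the subnet lookups and referencing `data.aws_security_group.ecs_web_ingress.id` here would keep one pattern and surface a bad ID during plan. The bodies of both resources start or end outside the visible hunks.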
@ -1,23 +0,0 @@
|
||||
# NOTE: local traffic route is implied and does not need to be specified
|
||||
resource "aws_route_table" "crete_route_table" {
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
route {
|
||||
cidr_block = "0.0.0.0/0"
|
||||
gateway_id = aws_internet_gateway.athens_internet_gateway.id
|
||||
}
|
||||
|
||||
tags = {
|
||||
Name = "Crete IGW Route Table"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
resource "aws_route_table_association" "crete_gateway_association" {
|
||||
subnet_id = aws_subnet.crete_subnet.id
|
||||
route_table_id = aws_route_table.crete_route_table.id
|
||||
}
|
||||
|
||||
resource "aws_route_table_association" "delphi_gateway_association" {
|
||||
subnet_id = aws_subnet.delphi.id
|
||||
route_table_id = aws_route_table.crete_route_table.id
|
||||
}
|
@ -1,90 +0,0 @@
|
||||
# Here are general definitions for security rulesets
|
||||
|
||||
resource "aws_security_group" "ecs_web_ingress" {
|
||||
name = "Alpha-Web-Ingress"
|
||||
description = "Allow web traffic into the host"
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
ingress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
}
|
||||
ingress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 80
|
||||
to_port = 80
|
||||
protocol = "tcp"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "base_ecs" {
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
egress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 80
|
||||
to_port = 80
|
||||
protocol = "tcp"
|
||||
}
|
||||
egress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
}
|
||||
egress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 2049
|
||||
to_port = 2049
|
||||
protocol = "tcp"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "load_balancer_health_check" {
|
||||
name = "Load Balancer Health check"
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
egress {
|
||||
cidr_blocks = ["10.0.0.0/8"]
|
||||
from_port = 80
|
||||
to_port = 80
|
||||
protocol = "tcp"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "general_web_req" {
|
||||
name = "Athens General web server ruleset"
|
||||
description = "Allowing strictly web traffic"
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
# Intake of web requests(only serving TLS enabled traffic)
|
||||
ingress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
}
|
||||
ingress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 80
|
||||
to_port = 80
|
||||
protocol = "tcp"
|
||||
}
|
||||
# WARN: Due to the usage of debian based images this rule
|
||||
# is effectively required in order to properly update
|
||||
# the system as apt mostly talks over port 443(maybe port 80 too?)
|
||||
egress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
}
|
||||
# WARN: like 99% certrain apt falls back to port 80 on occasion
|
||||
# which means we kinda need egress in to not break when requesting
|
||||
# from shitty repos ...
|
||||
egress {
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
from_port = 80
|
||||
to_port = 80
|
||||
protocol = "tcp"
|
||||
}
|
||||
}
|
||||
|
@ -1,23 +0,0 @@
|
||||
# This script represents the subnet structure for Crete(primary subnet)
|
||||
|
||||
resource "aws_subnet" "crete_subnet" {
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
# 10.0.1.0/24
|
||||
cidr_block = var.crete_cidr
|
||||
availability_zone = var.athens_availability_zone
|
||||
|
||||
tags = {
|
||||
Name = "Crete Subnet"
|
||||
Description = "Main subnet for EC2 and Alpha-LB"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_subnet" "delphi" {
|
||||
vpc_id = aws_vpc.athens_vpc.id
|
||||
cidr_block = "10.0.2.0/24"
|
||||
availability_zone = "us-west-1c"
|
||||
tags = {
|
||||
Name = "Delphi Subnet"
|
||||
Description = "Secondary subnet for the Alpha-LB mostly"
|
||||
}
|
||||
}
|
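--- a/infra/vpc.tf
+++ b/infra/vpc.tf
@@ -1,11 +0,0 @@
-
-resource "aws_vpc" "athens_vpc" {
-cidr_block = var.athens_cidr
-enable_dns_support = true
-enable_dns_hostnames = true
-
-tags = {
-Name = "Project Athens VPC"
-}
-}
-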