From e51ebc72516d71b41d3bb919528f7c66a10530b9 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Tue, 3 Oct 2023 19:36:59 -0700
Subject: [PATCH] Moving security groups out to their own folder as they are basically global to everything
---
 infra/sec-groups/Makefile | 24 +++++++++++++++++
 infra/sec-groups/backend.tf | 24 +++++++++++++++++
 infra/sec-groups/data.tf | 3 +++
 infra/sec-groups/ec2-web.tf | 37 ++++++++++++++++++++++++++
 infra/sec-groups/fargate.tf | 44 +++++++++++++++++++++++++++++++
 infra/sec-groups/load-balancer.tf | 11 ++++++++
 infra/sec-groups/variables.tf | 25 ++++++++++++++++++
 7 files changed, 168 insertions(+)
 create mode 100644 infra/sec-groups/Makefile
 create mode 100644 infra/sec-groups/backend.tf
 create mode 100644 infra/sec-groups/data.tf
 create mode 100644 infra/sec-groups/ec2-web.tf
 create mode 100644 infra/sec-groups/fargate.tf
 create mode 100644 infra/sec-groups/load-balancer.tf
 create mode 100644 infra/sec-groups/variables.tf
diff --git a/infra/sec-groups/Makefile b/infra/sec-groups/Makefile
new file mode 100644
index 0000000..cb42529
--- /dev/null
+++ b/infra/sec-groups/Makefile
@@ -0,0 +1,24 @@
+plan=out.plan
+
+SHELL := /bin/bash
+
+$(plan): *.tf
+ source ../secrets/set-env.sh && terraform plan -input=false -out $(plan)
+
+push: build
+ source ../secrets/set-env.sh && terraform apply $(plan)
+
+refresh:
+ source ../secrets/set-env.sh && terraform apply -refresh-only
+
+test:
+ terraform validate
+
+
+rip:
+ source ../secrets/set-env.sh && terraform destroy
+
+clean:
+ rm -f $(plan)
+
+.PHONY: test build clean push rip
diff --git a/infra/sec-groups/backend.tf b/infra/sec-groups/backend.tf
new file mode 100644
index 0000000..451e6ca
--- /dev/null
+++ b/infra/sec-groups/backend.tf
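Review bot: `push: build` depends on a target that is never defined — the plan is produced by the `$(plan)` rule — so `make push` stops with "No rule to make target 'build'" unless `out.plan` already exists; change it to `push: $(plan)` and drop the dead `build` entry from `.PHONY`. Separately, `terraform plan -out $(plan)` runs after `set-env.sh` has supplied `aws_key`/`aws_secret` as input variables, and Terraform saved plan files record every input variable value, including ones marked sensitive, in cleartext, so `out.plan` is itself a credential file: it must be git-ignored, and appending `rm -f $(plan)` to the `push` recipe would stop it lingering after a successful apply. A one-line comment above `rip` such as `# interactive destroy of every security group in this state; attached ENIs will block it` would also spare the next operator a surprise.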
@@ -0,0 +1,24 @@
+terraform {
+ required_version = ">= 0.13"
+ backend "s3" {
+ bucket = "project-athens"
+ key = "infra/sec-groups/state/build.tfstate"
+ region = "us-west-1"
+ encrypt = true
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.13.0"
+ }
+ }
+}
+
+# Base config for using AWS features w/ Terraform
+provider "aws" {
+ access_key = var.aws_key
+ secret_key = var.aws_secret
+ region = var.aws_region
+ max_retries = 1
+}
+
diff --git a/infra/sec-groups/data.tf b/infra/sec-groups/data.tf
new file mode 100644
index 0000000..061ec86
--- /dev/null
+++ b/infra/sec-groups/data.tf
@@ -0,0 +1,3 @@
+data "aws_vpc" "athens" {
+ id = var.vpc_id
+}
diff --git a/infra/sec-groups/ec2-web.tf b/infra/sec-groups/ec2-web.tf
new file mode 100644
index 0000000..e10c5ea
--- /dev/null
+++ b/infra/sec-groups/ec2-web.tf
@@ -0,0 +1,37 @@
+resource "aws_security_group" "general_web_req" {
+ name = "Athens General web server ruleset"
+ description = "Allowing strictly web traffic"
+ vpc_id = data.aws_vpc.athens.id
+ # Intake of web requests(only serving TLS enabled traffic)
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ }
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
+ # WARN: Due to the usage of debian based images this rule
+ # is effectively required in order to properly update
+ # the system as apt mostly talks over port 443(maybe port 80 too?)
+ egress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ }
+ # WARN: like 99% certrain apt falls back to port 80 on occasion
+ # which means we kinda need egress in to not break when requesting
+ # from shitty repos ...
+ egress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
+}
+
diff --git a/infra/sec-groups/fargate.tf b/infra/sec-groups/fargate.tf
new file mode 100644
index 0000000..8e1ee6e
--- /dev/null
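Review bot: The provider block injects long-lived static keys through `access_key = var.aws_key` / `secret_key = var.aws_secret`, which means the same secrets flow through tfvars, `-var` arguments and any saved plan file; since every Makefile target already sources `set-env.sh` first, the provider can read `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (or a profile or assumed role) from the environment and the two lines can simply be removed — I am inferring that `set-env.sh` exports them, so confirm before deleting. The S3 backend sets `encrypt = true` but no `dynamodb_table`, so there is no state locking; two concurrent applies against `infra/sec-groups/state/build.tfstate` can corrupt a state that, per the commit message, every other stack depends on. `max_retries = 1` will also turn ordinary AWS API throttling into failed applies; either keep the provider default or add a comment explaining why a single retry is wanted.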
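Review bot: The comment `# Intake of web requests(only serving TLS enabled traffic)` is contradicted by the second ingress block, which opens TCP 80 to `0.0.0.0/0`; either remove that block or reword the comment to match, e.g. `# 80 is accepted only for an HTTP->HTTPS redirect; nothing is served in clear`. The two egress rules allow the instance to open connections to any internet host on 443 and 80, not just to apt mirrors, which is the standard exfiltration and C2 path from a compromised web host; if the mirror set is known, narrowing `cidr_blocks` to it (or routing apt through a proxy or VPC endpoint) removes that path. The `WARN` comments are guesswork (`maybe port 80 too?`, `99% certrain`); apt speaks whatever scheme the configured sources list names, so the comment can state that plainly and fix the typo `certrain`.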
+++ b/infra/sec-groups/fargate.tf
@@ -0,0 +1,44 @@
+# Here are general definitions for security rulesets
+
+resource "aws_security_group" "ecs_web_ingress" {
+ name = "Alpha-Web-Ingress"
+ description = "Allow web traffic into the host"
+ vpc_id = data.aws_vpc.athens.id
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ }
+ ingress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
+}
+
+resource "aws_security_group" "base_ecs" {
+ vpc_id = data.aws_vpc.athens.id
+ egress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
+ egress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ }
+ egress {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 2049
+ to_port = 2049
+ protocol = "tcp"
+ }
+}
+
+
+
diff --git a/infra/sec-groups/load-balancer.tf b/infra/sec-groups/load-balancer.tf
new file mode 100644
index 0000000..7417bc2
--- /dev/null
+++ b/infra/sec-groups/load-balancer.tf
@@ -0,0 +1,11 @@
+resource "aws_security_group" "alpha_health_check" {
+ name = "Load Balancer Health check"
+ vpc_id = data.aws_vpc.athens.id
+ egress {
+ cidr_blocks = ["10.0.0.0/8"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ }
+}
+
diff --git a/infra/sec-groups/variables.tf b/infra/sec-groups/variables.tf
new file mode 100644
index 0000000..2d547aa
--- /dev/null
+++ b/infra/sec-groups/variables.tf
@@ -0,0 +1,25 @@
+# All variables that are used in various places go here
+
+######################### General provider specific values
+
+variable "aws_key" {
+ description = "Access Key for AWS operations"
+ type = string
+ sensitive = true
+}
+
+variable "aws_secret" {
+ description = "Secret Key for AWS operations"
+ type = string
+ sensitive = true
+}
+
+variable "aws_region" {
+ description = "Region where the VPC is located"
+ type = string
+ sensitive = true
+}
+
+variable "vpc_id" {
+ type = string
+}
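Review bot: `base_ecs` permits egress on TCP 2049 (NFS) to `0.0.0.0/0`, but an EFS mount target is an in-VPC endpoint, so the rule should be scoped to `cidr_blocks = [data.aws_vpc.athens.cidr_block]` (the data source is already declared in data.tf) or, tighter still, to the mount target's group via `security_groups = [...]`. `ecs_web_ingress` opens 80/443 on the task ENI to the whole internet; if these tasks sit behind the load balancer whose group lives in load-balancer.tf, the ingress should reference that group instead (`security_groups = [aws_security_group.alpha_health_check.id]`) so tasks cannot be reached around the balancer — I am inferring the topology from the file names, so confirm. `base_ecs` also has no `name` or `description`, so it will be created with a random `terraform-…` name and the default "Managed by Terraform" text; a line such as `description = "Outbound HTTP/HTTPS and EFS (2049) for ECS tasks"` documents its purpose where operators will see it.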
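Review bot: `alpha_health_check` defines only an egress rule, so if it is the group attached to the load balancer there is no ingress for listener traffic and no egress to targets on 443 — either add the matching rules here or add a comment stating that this group is meant to be attached alongside another that carries them. The `10.0.0.0/8` destination is wider than the VPC and would also reach any peered network in that range; `cidr_blocks = [data.aws_vpc.athens.cidr_block]` limits health checks to the VPC being probed. A `description` attribute is missing too, e.g. `description = "Outbound HTTP health checks from the load balancer to targets"`.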
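Review bot: `aws_region` is marked `sensitive = true`, but a region name is not a secret; the flag only redacts it from plan output and error messages, which makes failures harder to read without protecting anything, so drop it there. `vpc_id` has neither a `description` nor a `validation` block; a condition of `can(regex("^vpc-", var.vpc_id))` with a short `error_message` fails fast on a wrong value instead of surfacing as an opaque `data "aws_vpc"` lookup error. Carrying `aws_key`/`aws_secret` as Terraform variables also means their values are written into any saved plan file; letting the provider read credentials from the environment and removing these two variables keeps them out of plan artifacts.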