Moving security groups out to their own folder as they are basically global to everything

infra/sec-groups/Makefile

@@ -0,0 +1,24 @@
+plan=out.plan
+
+SHELL := /bin/bash
+
+$(plan): *.tf
+	source ../secrets/set-env.sh && terraform plan -input=false -out $(plan)
+
+push: build
+	source ../secrets/set-env.sh && terraform apply $(plan)
+
+refresh:
+	source ../secrets/set-env.sh && terraform apply -refresh-only
+
+test:
+	terraform validate
+
+
+rip:
+	source ../secrets/set-env.sh && terraform destroy
+
+clean:
+	rm -f $(plan)
+
+.PHONY: test build clean push rip

infra/sec-groups/backend.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_version = ">= 0.13"
+  backend "s3" {
+      bucket  = "project-athens"
+      key     = "infra/sec-groups/state/build.tfstate"
+      region  = "us-west-1"
+      encrypt = true
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "4.13.0"
+    }
+  }
+}
+
+# Base config for using AWS features w/ Terraform
+provider "aws" {
+  access_key = var.aws_key
+  secret_key = var.aws_secret
+  region = var.aws_region
+  max_retries = 1
+}
+

infra/sec-groups/data.tf

@@ -0,0 +1,3 @@
+data "aws_vpc" "athens" {
+  id = var.vpc_id
+}

infra/sec-groups/ec2-web.tf

@@ -0,0 +1,37 @@
+resource "aws_security_group" "general_web_req" {
+  name = "Athens General web server ruleset"
+  description = "Allowing strictly web traffic"
+  vpc_id = data.aws_vpc.athens.id
+  # Intake of web requests(only serving TLS enabled traffic)
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+  }
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+  }
+  # WARN: Due to the usage of debian based images this rule
+  # is effectively required in order to properly update
+  # the system as apt mostly talks over port 443(maybe port 80 too?)
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+  }
+  # WARN: like 99% certrain apt falls back to port 80 on occasion
+  # which means we kinda need egress in to not break when requesting
+  # from shitty repos ...
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+  }
+}
+

infra/sec-groups/fargate.tf

@@ -0,0 +1,44 @@
+# Here are general definitions for security rulesets
+
+resource "aws_security_group" "ecs_web_ingress" {
+  name = "Alpha-Web-Ingress"
+  description = "Allow web traffic into the host"
+  vpc_id = data.aws_vpc.athens.id
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 443
+    to_port   = 443
+    protocol  = "tcp"
+  }
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port   = 80
+    protocol  = "tcp"
+  }
+}
+
+resource "aws_security_group" "base_ecs" {
+  vpc_id = data.aws_vpc.athens.id
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port   = 80
+    protocol  = "tcp"
+  }
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 443
+    to_port   = 443
+    protocol  = "tcp"
+  }
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 2049
+    to_port   = 2049
+    protocol  = "tcp"
+  }
+}
+
+
+

infra/sec-groups/load-balancer.tf

@@ -0,0 +1,11 @@
+resource "aws_security_group" "alpha_health_check" {
+  name = "Load Balancer Health check"
+  vpc_id = data.aws_vpc.athens.id
+  egress {
+    cidr_blocks = ["10.0.0.0/8"]
+    from_port = 80
+    to_port   = 80
+    protocol  = "tcp"
+  }
+}
+

infra/sec-groups/variables.tf

@@ -0,0 +1,25 @@
+# All variables that are used in various places go here
+
+######################### General provider specific values
+
+variable "aws_key" {
+	description = "Access Key for AWS operations"
+	type = string
+	sensitive = true
+}
+
+variable "aws_secret" {
+	description = "Secret Key for AWS operations"
+	type = string
+	sensitive = true
+}
+
+variable "aws_region" {
+	description = "Region where the VPC is located"
+	type = string
+	sensitive = true
+}
+
+variable "vpc_id" {
+  type = string
+}