infra/infra/security-groups.tf

# Here are general definitions for security rulesets

resource "aws_security_group" "general_web_req" {
  name = "Athens General web server ruleset"
  description = "Allowing strictly web traffic"
  vpc_id = aws_vpc.athens_vpc.id
  # Intake of web requests(only serving TLS enabled traffic)
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port = 80
    protocol = "tcp"
  }
  # WARN: Due to the usage of debian based images this rule
  # is effectively required in order to properly update
  # the system as apt mostly talks over port 443(maybe port 80 too?)
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  # WARN: like 99% certrain apt falls back to port 80 on occasion
  # which means we kinda need egress in to not break when requesting
  # from shitty repos ...
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port = 80
    protocol = "tcp"
  }
}

resource "aws_security_group" "internal_ssh_recv" {
  name = "Athens Internal SSH RECV"
  vpc_id = aws_vpc.athens_vpc.id
  ingress {
    cidr_blocks = [var.crete_cidr]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
}

# Main role: SSH host/dev box(not to be up 24/7)
# Note this one is kinda special because the dev box
# itself is _kinda_ special(?)
resource "aws_security_group" "gamma_sec" {
  name = "Athens Gamma Sec"
  vpc_id = aws_vpc.athens_vpc.id
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
  egress {
    cidr_blocks = [ var.crete_cidr ]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
  # Again this is for APT to update repo's when needed
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
}