91 lines
2.0 KiB
HCL
91 lines
2.0 KiB
HCL
# Here are general definitions for security rulesets
|
|
|
|
resource "aws_security_group" "ecs_web_ingress" {
|
|
name = "Alpha-Web-Ingress"
|
|
description = "Allow web traffic into the host"
|
|
vpc_id = aws_vpc.athens_vpc.id
|
|
ingress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 443
|
|
to_port = 443
|
|
protocol = "tcp"
|
|
}
|
|
ingress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "base_ecs" {
|
|
vpc_id = aws_vpc.athens_vpc.id
|
|
egress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
}
|
|
egress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 443
|
|
to_port = 443
|
|
protocol = "tcp"
|
|
}
|
|
egress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 2049
|
|
to_port = 2049
|
|
protocol = "tcp"
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "load_balancer_health_check" {
|
|
name = "Load Balancer Health check"
|
|
vpc_id = aws_vpc.athens_vpc.id
|
|
egress {
|
|
cidr_blocks = ["10.0.0.0/8"]
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "general_web_req" {
|
|
name = "Athens General web server ruleset"
|
|
description = "Allowing strictly web traffic"
|
|
vpc_id = aws_vpc.athens_vpc.id
|
|
# Intake of web requests(only serving TLS enabled traffic)
|
|
ingress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 443
|
|
to_port = 443
|
|
protocol = "tcp"
|
|
}
|
|
ingress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
}
|
|
# WARN: Due to the usage of debian based images this rule
|
|
# is effectively required in order to properly update
|
|
# the system as apt mostly talks over port 443(maybe port 80 too?)
|
|
egress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 443
|
|
to_port = 443
|
|
protocol = "tcp"
|
|
}
|
|
# WARN: like 99% certrain apt falls back to port 80 on occasion
|
|
# which means we kinda need egress in to not break when requesting
|
|
# from shitty repos ...
|
|
egress {
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
from_port = 80
|
|
to_port = 80
|
|
protocol = "tcp"
|
|
}
|
|
}
|
|
|