added_s3_endoint_&_cleaned_up_sg_rules
jdbass committed Mar 7, 2024
1 parent a490ea8 commit 6c56668
Showing 2 changed files with 93 additions and 58 deletions.
150 changes: 93 additions & 57 deletions tofu/modules/fullstack/main.tf
@@ -1,4 +1,8 @@
data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_prefix_list" "s3" {
name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

locals {
azs = slice(data.aws_availability_zones.available.names, 0, 2)
Expand Down Expand Up @@ -72,7 +76,7 @@ module "vpc_endpoints" {
policy = data.aws_iam_policy_document.ecr_endpoint.json
security_group_ids = [aws_security_group.ecr_endpoint_sg.id]
tags = merge(local.tags, {
Name = "${local.name_prefix}-ecr-dks"
Name = "${local.name_prefix}-ecr-dkr"
})
},
secrets_manager = {
Expand All @@ -94,6 +98,14 @@ module "vpc_endpoints" {
tags = merge(local.tags, {
Name = "${local.name_prefix}-logs"
})
},
s3 = {
service = "s3"
vpd_id = module.vpc.vpc_id
route_table_ids = module.vpc.private_route_table_ids
tags = merge(local.tags, {
Name = "${local.name_prefix}-s3"
})
}
}
tags = local.tags
Expand Down Expand Up @@ -141,7 +153,7 @@ resource "aws_iam_policy" "appointment_secrets_policy" {
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:768512802988:secret:${var.environment}/appointment/*"
"arn:aws:secretsmanager:${data.aws_region.current.name}:768512802988:secret:${var.environment}/appointment/*"
]
}
]
Expand All @@ -165,7 +177,7 @@ resource "aws_iam_policy" "appointment_logs_policy" {
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:768512802988:log-group:/ecs/${local.name_prefix}:*"
"arn:aws:logs:${data.aws_region.current.name}:768512802988:log-group:/ecs/${local.name_prefix}:*"
]
}
]
Expand Down Expand Up @@ -241,13 +253,13 @@ resource "aws_security_group" "backend_sg" {
})
}

resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_frontend" {
resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" {
security_group_id = aws_security_group.backend_sg.id
description = "5000 from frontend"
description = "5000 from ALB"
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
referenced_security_group_id = module.backend_alb.security_group_id
}

resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB" {
Expand All @@ -258,19 +270,41 @@ resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB" {
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.rds_sg.id
}
resource "aws_vpc_security_group_egress_rule" "allow_http_ipv4_backend" {
security_group_id = aws_security_group.backend_sg.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 80
to_port = 80
ip_protocol = "tcp"

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" {
security_group_id = aws_security_group.backend_sg.id
description = "TLS to ECR endpoints"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.ecr_endpoint_sg
}
resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_backend" {

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" {
security_group_id = aws_security_group.backend_sg.id
description = "TLS to logs endpoint"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.logs_endpoint_sg
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" {
security_group_id = aws_security_group.backend_sg.id
description = "TLS to secrets endpoint"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.secrets_endpoint_sg
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" {
security_group_id = aws_security_group.backend_sg.id
cidr_ipv4 = "0.0.0.0/0"
description = "TLS to S3 endpoint"
from_port = 443
to_port = 443
ip_protocol = "tcp"
prefix_list_id = [data.aws_prefix_list.s3.id]
}

# Frontend SG
Expand All @@ -282,44 +316,41 @@ resource "aws_security_group" "frontend_sg" {
Name = "${local.name_prefix}-frontend"
})
}
resource "aws_vpc_security_group_ingress_rule" "allow_tls_from_internet" {
security_group_id = aws_security_group.frontend_sg.id
description = "TLS from Internet"
from_port = 443
to_port = 443
ip_protocol = "tcp"
cidr_ipv4 = "0.0.0.0/0"
}
resource "aws_vpc_security_group_ingress_rule" "allow_http_from_internet" {
security_group_id = aws_security_group.frontend_sg.id
description = "HTTP from Internet"
from_port = 80
to_port = 80
ip_protocol = "tcp"
cidr_ipv4 = "0.0.0.0/0"

resource "aws_vpc_security_group_ingress_rule" "allow_http_from_frontend_alb" {
security_group_id = aws_security_group.frontend_sg.id
description = "HTTP from ALB"
from_port = 80
to_port = 80
ip_protocol = "tcp"
referenced_security_group_id = module.frontend_alb.security_group_id
}

resource "aws_vpc_security_group_egress_rule" "allow_5000_to_backend" {
security_group_id = aws_security_group.frontend_sg.id
description = "5000 to self"
description = "5000 to backend"
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
referenced_security_group_id = module.backend_alb.security_group_id
}

resource "aws_vpc_security_group_egress_rule" "allow_http_ipv4_frontend" {
security_group_id = aws_security_group.frontend_sg.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 80
to_port = 80
ip_protocol = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_frontend" {
security_group_id = aws_security_group.frontend_sg.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 443
to_port = 443
ip_protocol = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "allow_smtp_ipv4_frontend" {
security_group_id = aws_security_group.frontend_sg.id
cidr_ipv4 = "0.0.0.0/0"
Expand All @@ -337,6 +368,7 @@ resource "aws_security_group" "rds_sg" {
Name = "${local.name_prefix}-rds"
})
}

resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" {
security_group_id = aws_security_group.rds_sg.id
description = "Allow MySQL from backend"
Expand All @@ -345,11 +377,6 @@ resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" {
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
}
resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
security_group_id = aws_security_group.rds_sg.id
cidr_ipv4 = "0.0.0.0/0"
ip_protocol = "-1" # semantically equivalent to all ports
}

# ECR Endpoint SG
resource "aws_security_group" "ecr_endpoint_sg" {
Expand All @@ -360,6 +387,7 @@ resource "aws_security_group" "ecr_endpoint_sg" {
Name = "${local.name_prefix}-ecr-endpoint"
})
}

resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_backend" {
security_group_id = aws_security_group.ecr_endpoint_sg.id
description = "TLS from Backend"
Expand All @@ -368,9 +396,10 @@ resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_backend" {
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
}

resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_frontend" {
security_group_id = aws_security_group.ecr_endpoint_sg.id
description = "TLS from Backend"
description = "TLS from Frontend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
Expand All @@ -386,6 +415,7 @@ resource "aws_security_group" "secrets_endpoint_sg" {
Name = "${local.name_prefix}-secrets-endpoint"
})
}

resource "aws_vpc_security_group_ingress_rule" "secrets_allow_tls_from_backend" {
security_group_id = aws_security_group.secrets_endpoint_sg.id
description = "TLS from Backend"
Expand All @@ -404,6 +434,7 @@ resource "aws_security_group" "logs_endpoint_sg" {
Name = "${local.name_prefix}-logs-endpoint"
})
}

resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_backend" {
security_group_id = aws_security_group.logs_endpoint_sg.id
description = "TLS from Backend"
Expand All @@ -412,9 +443,10 @@ resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_backend" {
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
}

resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_frontend" {
security_group_id = aws_security_group.logs_endpoint_sg.id
description = "TLS from Backend"
description = "TLS from Frontend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
Expand All @@ -426,7 +458,7 @@ resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_frontend" {
################################################################################

data "aws_secretsmanager_secret" "db_secrets" {
arn = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-temp-loy40P"
arn = "arn:aws:secretsmanager:${data.aws_region.current.name}:768512802988:secret:staging/appointment/db-temp-loy40P"
}
data "aws_secretsmanager_secret_version" "current" {
secret_id = data.aws_secretsmanager_secret.db_secrets.id
Expand All @@ -442,11 +474,11 @@ module "db" {
instance_class = "db.t3.medium"
allocated_storage = 20

db_name = "appointment"
username = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["username"]
password = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"]
db_name = "appointment"
username = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["username"]
password = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"]
manage_master_user_password = false
port = "3306"
port = "3306"

iam_database_authentication_enabled = true

Expand All @@ -466,7 +498,7 @@ module "db" {
major_engine_version = "8.0"

# Database Deletion Protection
skip_final_snapshot = true #var.environment != "sandbox" ? false : true
skip_final_snapshot = true #var.environment != "sandbox" ? false : true
deletion_protection = false #var.environment != "sandbox" ? true : false

tags = local.tags
Expand Down Expand Up @@ -507,7 +539,7 @@ resource "aws_ecs_service" "backend_service" {
subnets = module.vpc.private_subnets
}
task_definition = "arn:aws:ecs:us-east-1:768512802988:task-definition/${local.name_prefix}-backend"
task_definition = "arn:aws:ecs:${data.aws_region.current.name}:768512802988:task-definition/${local.name_prefix}-backend"
desired_count = 1
tags = local.tags
}
Expand All @@ -528,17 +560,19 @@ module "backend_alb" {

# Security Group
security_group_ingress_rules = {
all_http = {
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
cidr_ipv4 = "0.0.0.0/0"
inbound = {
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
}
}
security_group_egress_rules = {
all = {
ip_protocol = "-1"
cidr_ipv4 = module.vpc.vpc_cidr_block
outbound = {
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
}
}

Expand Down Expand Up @@ -603,7 +637,7 @@ resource "aws_ecs_service" "frontend_service" {
subnets = module.vpc.private_subnets
}
task_definition = "arn:aws:ecs:us-east-1:768512802988:task-definition/${local.name_prefix}-frontend"
task_definition = "arn:aws:ecs:${data.aws_region.current.name}:768512802988:task-definition/${local.name_prefix}-frontend"
desired_count = 1
tags = local.tags
}
Expand Down Expand Up @@ -638,9 +672,11 @@ module "frontend_alb" {
}
}
security_group_egress_rules = {
all = {
ip_protocol = "-1"
cidr_ipv4 = module.vpc.vpc_cidr_block
outbound = {
from_port = 80
to_port = 80
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
}
}

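Review bot: Three of the new backend egress rules pass a resource object where a string is required — `referenced_security_group_id = aws_security_group.ecr_endpoint_sg` (and the matching `logs_endpoint_sg` and `secrets_endpoint_sg` rules below it) need the `.id` attribute, and `prefix_list_id = [data.aws_prefix_list.s3.id]` wraps a single string in a list, so the plan cannot apply as written; the fixes are `referenced_security_group_id = aws_security_group.ecr_endpoint_sg.id` and `prefix_list_id = data.aws_prefix_list.s3.id`. In the `s3` entry of the vpc_endpoints map, `vpd_id` is a typo for `vpc_id`, and if this is the terraform-aws-modules vpc-endpoints module the entry presumably also needs `service_type = "Gateway"` for `route_table_ids` (and the prefix-list egress rule) to take effect — worth confirming against the module version in use. The frontend_sg egress rules to `0.0.0.0/0` on 80 and 443 appear to be left in place, so the tightening applied to backend_sg does not yet extend to the frontend even though the endpoint SGs already admit frontend traffic. The ARNs now interpolate the region but still hard-code the account id `768512802988`; `data.aws_caller_identity.current.account_id` would complete that parameterisation, and `data.aws_secretsmanager_secret.db_secrets` still pins `staging/…` while the IAM policy uses `${var.environment}`.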
1 change: 0 additions & 1 deletion tofu/sandbox/main.tf
Expand Up @@ -9,5 +9,4 @@ module "appointment" {
region = "us-east-1"
vpc_cidr = "10.0.0.0/16"
ssl_cert_arn = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
db_user = "tba_user"
}
