From 6c56668eb300c9e977d3e3ffe5642dd7d659bc32 Mon Sep 17 00:00:00 2001
From: Joseph Bass
Date: Thu, 7 Mar 2024 12:07:28 -0500
Subject: [PATCH] added_s3_endoint_&_cleaned_up_sg_rules
---
 tofu/modules/fullstack/main.tf | 150 ++++++++++++++++++++-------------
 tofu/sandbox/main.tf | 1 -
 2 files changed, 93 insertions(+), 58 deletions(-)
diff --git a/tofu/modules/fullstack/main.tf b/tofu/modules/fullstack/main.tf
index e00bfc8f..d2e81444 100644
--- a/tofu/modules/fullstack/main.tf
+++ b/tofu/modules/fullstack/main.tf
@@ -1,4 +1,8 @@
 data "aws_availability_zones" "available" {}
+data "aws_region" "current" {}
+data "aws_prefix_list" "s3" {
+ name = "com.amazonaws.${data.aws_region.current.name}.s3"
+}
 locals {
 azs = slice(data.aws_availability_zones.available.names, 0, 2)
@@ -72,7 +76,7 @@ module "vpc_endpoints" {
 policy = data.aws_iam_policy_document.ecr_endpoint.json
 security_group_ids = [aws_security_group.ecr_endpoint_sg.id]
 tags = merge(local.tags, {
- Name = "${local.name_prefix}-ecr-dks"
+ Name = "${local.name_prefix}-ecr-dkr"
 })
 },
 secrets_manager = {
@@ -94,6 +98,14 @@ module "vpc_endpoints" {
 tags = merge(local.tags, {
 Name = "${local.name_prefix}-logs"
 })
+ },
+ s3 = {
+ service = "s3"
+ vpd_id = module.vpc.vpc_id
+ route_table_ids = module.vpc.private_route_table_ids
+ tags = merge(local.tags, {
+ Name = "${local.name_prefix}-s3"
+ })
 }
 }
 tags = local.tags
@@ -141,7 +153,7 @@ resource "aws_iam_policy" "appointment_secrets_policy" {
 "secretsmanager:GetSecretValue"
 ],
 "Resource": [
- "arn:aws:secretsmanager:us-east-1:768512802988:secret:${var.environment}/appointment/*"
+ "arn:aws:secretsmanager:${data.aws_region.current.name}:768512802988:secret:${var.environment}/appointment/*"
 ]
 }
 ]
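Review bot: The new `s3` entry in the endpoints map has `vpd_id` where `vpc_id` is presumably meant, and it declares no `service_type`, so unless the module defaults differently it will be created as an Interface endpoint even though `route_table_ids` and the `com.amazonaws.<region>.s3` prefix list the backend egress rule relies on only apply to a Gateway endpoint. Add `service_type = "Gateway"` and fix or drop the misspelled key (the module-level `vpc_id` may already cover it). Unlike the `ecr` entry, which sets `policy = data.aws_iam_policy_document.ecr_endpoint.json`, this endpoint gets no endpoint policy, so the default full-access policy lets any task holding S3 permissions reach any bucket through it, including buckets outside this account; a policy limited to this account's buckets (`aws:ResourceAccount` or explicit bucket ARNs) plus the regional bucket ECR documents for layer downloads would close that exfiltration path. The `vpc_endpoints` module block starts and ends outside this hunk.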
@@ -165,7 +177,7 @@ resource "aws_iam_policy" "appointment_logs_policy" {
 "logs:CreateLogGroup"
 ],
 "Resource": [
- "arn:aws:logs:us-east-1:768512802988:log-group:/ecs/${local.name_prefix}:*"
+ "arn:aws:logs:${data.aws_region.current.name}:768512802988:log-group:/ecs/${local.name_prefix}:*"
 ]
 }
 ]
@@ -241,13 +253,13 @@ resource "aws_security_group" "backend_sg" {
 })
 }
-resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_frontend" {
+resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" {
 security_group_id = aws_security_group.backend_sg.id
- description = "5000 from frontend"
+ description = "5000 from ALB"
 from_port = 5000
 to_port = 5000
 ip_protocol = "tcp"
- referenced_security_group_id = aws_security_group.frontend_sg.id
+ referenced_security_group_id = module.backend_alb.security_group_id
 }
 resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB" {
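Review bot: The rewritten logs ARN parameterizes the region but still hard-codes the account ID `768512802988`, as do the secrets ARN, both `task_definition` ARNs and the `db_secrets` ARN elsewhere in this diff, so a deploy into any other account would grant against or look up resources in the wrong account without any plan-time error. A `data "aws_caller_identity" "current" {}` next to the new `aws_region` data source and `${data.aws_caller_identity.current.account_id}` in each ARN keeps them bound to the deploying account. The `appointment_logs_policy` resource starts outside this hunk.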
@@ -258,19 +270,41 @@ resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB" {
 ip_protocol = "tcp"
 referenced_security_group_id = aws_security_group.rds_sg.id
 }
-resource "aws_vpc_security_group_egress_rule" "allow_http_ipv4_backend" {
- security_group_id = aws_security_group.backend_sg.id
- cidr_ipv4 = "0.0.0.0/0"
- from_port = 80
- to_port = 80
- ip_protocol = "tcp"
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" {
+ security_group_id = aws_security_group.backend_sg.id
+ description = "TLS to ECR endpoints"
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ referenced_security_group_id = aws_security_group.ecr_endpoint_sg
 }
-resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_backend" {
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" {
+ security_group_id = aws_security_group.backend_sg.id
+ description = "TLS to logs endpoint"
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ referenced_security_group_id = aws_security_group.logs_endpoint_sg
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" {
+ security_group_id = aws_security_group.backend_sg.id
+ description = "TLS to secrets endpoint"
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ referenced_security_group_id = aws_security_group.secrets_endpoint_sg
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" {
 security_group_id = aws_security_group.backend_sg.id
- cidr_ipv4 = "0.0.0.0/0"
+ description = "TLS to S3 endpoint"
 from_port = 443
 to_port = 443
 ip_protocol = "tcp"
+ prefix_list_id = [data.aws_prefix_list.s3.id]
 }
 # Frontend SG
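Review bot: The three new endpoint egress rules pass the security-group resource itself to `referenced_security_group_id` (`aws_security_group.ecr_endpoint_sg`, `…logs_endpoint_sg`, `…secrets_endpoint_sg`), and `prefix_list_id` is given a one-element list; both attributes take a string, so `tofu plan` should reject this before any rule is created. Change them to `referenced_security_group_id = aws_security_group.ecr_endpoint_sg.id` (likewise for logs and secrets) and `prefix_list_id = data.aws_prefix_list.s3.id`. Once that applies, the backend's egress is reduced to the four endpoint paths plus MySQL, which is the right shape; if the ECR `ecr.api` and `ecr.dkr` endpoints both sit behind `ecr_endpoint_sg` (the `-ecr-dkr` tag rename suggests so) the single ECR rule is sufficient. The `allow_mysql_to_DB` rule starts outside this hunk.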
@@ -282,30 +316,25 @@ resource "aws_security_group" "frontend_sg" {
 Name = "${local.name_prefix}-frontend"
 })
 }
-resource "aws_vpc_security_group_ingress_rule" "allow_tls_from_internet" {
- security_group_id = aws_security_group.frontend_sg.id
- description = "TLS from Internet"
- from_port = 443
- to_port = 443
- ip_protocol = "tcp"
- cidr_ipv4 = "0.0.0.0/0"
-}
-resource "aws_vpc_security_group_ingress_rule" "allow_http_from_internet" {
- security_group_id = aws_security_group.frontend_sg.id
- description = "HTTP from Internet"
- from_port = 80
- to_port = 80
- ip_protocol = "tcp"
- cidr_ipv4 = "0.0.0.0/0"
+
+resource "aws_vpc_security_group_ingress_rule" "allow_http_from_frontend_alb" {
+ security_group_id = aws_security_group.frontend_sg.id
+ description = "HTTP from ALB"
+ from_port = 80
+ to_port = 80
+ ip_protocol = "tcp"
+ referenced_security_group_id = module.frontend_alb.security_group_id
 }
+
 resource "aws_vpc_security_group_egress_rule" "allow_5000_to_backend" {
 security_group_id = aws_security_group.frontend_sg.id
- description = "5000 to self"
+ description = "5000 to backend"
 from_port = 5000
 to_port = 5000
 ip_protocol = "tcp"
- referenced_security_group_id = aws_security_group.backend_sg.id
+ referenced_security_group_id = module.backend_alb.security_group_id
 }
+
 resource "aws_vpc_security_group_egress_rule" "allow_http_ipv4_frontend" {
 security_group_id = aws_security_group.frontend_sg.id
 cidr_ipv4 = "0.0.0.0/0"
@@ -313,6 +342,7 @@ resource "aws_vpc_security_group_egress_rule" "allow_http_ipv4_frontend" {
 to_port = 80
 ip_protocol = "tcp"
 }
+
 resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_frontend" {
 security_group_id = aws_security_group.frontend_sg.id
 cidr_ipv4 = "0.0.0.0/0"
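Review bot: The frontend SG now only accepts port 80 from its ALB, but the context lines show it still keeps `allow_http_ipv4_frontend`, `allow_tls_ipv4_frontend` and (next hunk) `allow_smtp_ipv4_frontend` egress to `0.0.0.0/0`, so frontend tasks can reach anything on the internet while the backend in this same commit was restricted to VPC endpoints. The frontend already has ingress rules on `ecr_endpoint_sg` and `logs_endpoint_sg`, so if ECR, logs and S3 are all it needs, replace the 80/443 `cidr_ipv4` rules with endpoint-SG and S3 prefix-list rules mirroring the backend's; if it genuinely needs outbound HTTPS or SMTP to third parties, add a `description` naming the destination so the exception is visibly deliberate. The `allow_http_ipv4_frontend` rule continues outside this hunk.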
@@ -320,6 +350,7 @@ resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_frontend" {
 to_port = 443
 ip_protocol = "tcp"
 }
+
 resource "aws_vpc_security_group_egress_rule" "allow_smtp_ipv4_frontend" {
 security_group_id = aws_security_group.frontend_sg.id
 cidr_ipv4 = "0.0.0.0/0"
@@ -337,6 +368,7 @@ resource "aws_security_group" "rds_sg" {
 Name = "${local.name_prefix}-rds"
 })
 }
+
 resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" {
 security_group_id = aws_security_group.rds_sg.id
 description = "Allow MySQL from backend"
@@ -345,11 +377,6 @@ resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" {
 ip_protocol = "tcp"
 referenced_security_group_id = aws_security_group.backend_sg.id
 }
-resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
- security_group_id = aws_security_group.rds_sg.id
- cidr_ipv4 = "0.0.0.0/0"
- ip_protocol = "-1" # semantically equivalent to all ports
-}
 # ECR Endpoint SG
 resource "aws_security_group" "ecr_endpoint_sg" {
@@ -360,6 +387,7 @@ resource "aws_security_group" "ecr_endpoint_sg" {
 Name = "${local.name_prefix}-ecr-endpoint"
 })
 }
+
 resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_backend" {
 security_group_id = aws_security_group.ecr_endpoint_sg.id
 description = "TLS from Backend"
@@ -368,9 +396,10 @@ resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_backend" {
 ip_protocol = "tcp"
 referenced_security_group_id = aws_security_group.backend_sg.id
 }
+
 resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_frontend" {
 security_group_id = aws_security_group.ecr_endpoint_sg.id
- description = "TLS from Backend"
+ description = "TLS from Frontend"
 from_port = 443
 to_port = 443
 ip_protocol = "tcp"
@@ -386,6 +415,7 @@ resource "aws_security_group" "secrets_endpoint_sg" {
 Name = "${local.name_prefix}-secrets-endpoint"
 })
 }
+
 resource "aws_vpc_security_group_ingress_rule" "secrets_allow_tls_from_backend" {
 security_group_id = aws_security_group.secrets_endpoint_sg.id
 description = "TLS from Backend"
@@ -404,6 +434,7 @@ resource "aws_security_group" "logs_endpoint_sg" {
 Name = "${local.name_prefix}-logs-endpoint"
 })
 }
+
 resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_backend" {
 security_group_id = aws_security_group.logs_endpoint_sg.id
 description = "TLS from Backend"
@@ -412,9 +443,10 @@ resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_backend" {
 ip_protocol = "tcp"
 referenced_security_group_id = aws_security_group.backend_sg.id
 }
+
 resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_frontend" {
 security_group_id = aws_security_group.logs_endpoint_sg.id
- description = "TLS from Backend"
+ description = "TLS from Frontend"
 from_port = 443
 to_port = 443
 ip_protocol = "tcp"
@@ -426,7 +458,7 @@ resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_frontend" {
 ################################################################################
 data "aws_secretsmanager_secret" "db_secrets" {
- arn = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-temp-loy40P"
+ arn = "arn:aws:secretsmanager:${data.aws_region.current.name}:768512802988:secret:staging/appointment/db-temp-loy40P"
 }
 data "aws_secretsmanager_secret_version" "current" {
 secret_id = data.aws_secretsmanager_secret.db_secrets.id
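Review bot: The `db_secrets` ARN is now region-relative but still hard-codes the `staging/appointment/db-temp-loy40P` secret, while the `appointment_secrets_policy` earlier in this diff scopes task access to `${var.environment}/appointment/*`; a sandbox deploy of this module will therefore provision its RDS master credentials from the staging secret rather than its own. Look the secret up by environment instead, e.g. `name = "${var.environment}/appointment/db"` on the `aws_secretsmanager_secret` data source, or build the ARN from `${var.environment}` without the random suffix. Note also that `aws_secretsmanager_secret_version.current` pulls the secret value into state, where it sits in plaintext alongside the RDS `password` set further down; letting RDS manage the master password (the `db` module currently sets `manage_master_user_password = false`) would avoid storing it in state at all. The `secret_version` data source ends at the hunk boundary.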
@@ -442,11 +474,11 @@ module "db" {
 instance_class = "db.t3.medium"
 allocated_storage = 20
- db_name = "appointment"
- username = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["username"]
- password = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"]
+ db_name = "appointment"
+ username = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["username"]
+ password = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"]
 manage_master_user_password = false
- port = "3306"
+ port = "3306"
 iam_database_authentication_enabled = true
@@ -466,7 +498,7 @@ module "db" {
 major_engine_version = "8.0"
 # Database Deletion Protection
- skip_final_snapshot = true #var.environment != "sandbox" ? false : true
+ skip_final_snapshot = true #var.environment != "sandbox" ? false : true
 deletion_protection = false #var.environment != "sandbox" ? true : false
 tags = local.tags
@@ -507,7 +539,7 @@ resource "aws_ecs_service" "backend_service" {
 subnets = module.vpc.private_subnets
 }
- task_definition = "arn:aws:ecs:us-east-1:768512802988:task-definition/${local.name_prefix}-backend"
+ task_definition = "arn:aws:ecs:${data.aws_region.current.name}:768512802988:task-definition/${local.name_prefix}-backend"
 desired_count = 1
 tags = local.tags
 }
@@ -528,17 +560,19 @@ module "backend_alb" {
 # Security Group
 security_group_ingress_rules = {
- all_http = {
- from_port = 5000
- to_port = 5000
- ip_protocol = "tcp"
- cidr_ipv4 = "0.0.0.0/0"
+ inbound = {
+ from_port = 5000
+ to_port = 5000
+ ip_protocol = "tcp"
+ referenced_security_group_id = aws_security_group.frontend_sg.id
 }
 }
 security_group_egress_rules = {
- all = {
- ip_protocol = "-1"
- cidr_ipv4 = module.vpc.vpc_cidr_block
+ outbound = {
+ from_port = 5000
+ to_port = 5000
+ ip_protocol = "tcp"
+ referenced_security_group_id = aws_security_group.backend_sg.id
 }
 }
@@ -603,7 +637,7 @@ resource "aws_ecs_service" "frontend_service" {
 subnets = module.vpc.private_subnets
 }
- task_definition = "arn:aws:ecs:us-east-1:768512802988:task-definition/${local.name_prefix}-frontend"
+ task_definition = "arn:aws:ecs:${data.aws_region.current.name}:768512802988:task-definition/${local.name_prefix}-frontend"
 desired_count = 1
 tags = local.tags
 }
@@ -638,9 +672,11 @@ module "frontend_alb" {
 }
 }
 security_group_egress_rules = {
- all = {
- ip_protocol = "-1"
- cidr_ipv4 = module.vpc.vpc_cidr_block
+ outbound = {
+ from_port = 80
+ to_port = 80
+ ip_protocol = "tcp"
+ referenced_security_group_id = aws_security_group.frontend_sg.id
 }
 }
diff --git a/tofu/sandbox/main.tf b/tofu/sandbox/main.tf
index 65a70287..5a88d88d 100644
--- a/tofu/sandbox/main.tf
+++ b/tofu/sandbox/main.tf
@@ -9,5 +9,4 @@ module "appointment" {
 region = "us-east-1"
 vpc_cidr = "10.0.0.0/16"
 ssl_cert_arn = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
- db_user = "tba_user"
 }
\ No newline at end of file