

cleanup_sg_names
jdbass committed Mar 8, 2024
1 parent 15576fa commit 858fbdc
Showing 1 changed file with 43 additions and 43 deletions.
86 changes: 43 additions & 43 deletions tofu/modules/fullstack/main.tf
Expand Up @@ -64,7 +64,7 @@ module "vpc_endpoints" {
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
policy = data.aws_iam_policy_document.ecr_endpoint.json
security_group_ids = [aws_security_group.ecr_endpoint_sg.id]
security_group_ids = [aws_security_group.ecr_endpoint.id]
tags = merge(local.tags, {
Name = "${local.name_prefix}-ecr-api"
})
Expand All @@ -74,7 +74,7 @@ module "vpc_endpoints" {
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
policy = data.aws_iam_policy_document.ecr_endpoint.json
security_group_ids = [aws_security_group.ecr_endpoint_sg.id]
security_group_ids = [aws_security_group.ecr_endpoint.id]
tags = merge(local.tags, {
Name = "${local.name_prefix}-ecr-dkr"
})
Expand All @@ -84,7 +84,7 @@ module "vpc_endpoints" {
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
policy = data.aws_iam_policy_document.secrets_endpoint.json
security_group_ids = [aws_security_group.secrets_endpoint_sg.id]
security_group_ids = [aws_security_group.secrets_endpoint.id]
tags = merge(local.tags, {
Name = "${local.name_prefix}-secretsmanager"
})
Expand All @@ -94,7 +94,7 @@ module "vpc_endpoints" {
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
policy = data.aws_iam_policy_document.logs_endpoint.json
security_group_ids = [aws_security_group.logs_endpoint_sg.id]
security_group_ids = [aws_security_group.logs_endpoint.id]
tags = merge(local.tags, {
Name = "${local.name_prefix}-logs"
})
Expand Down Expand Up @@ -244,7 +244,7 @@ data "aws_iam_policy_document" "logs_endpoint" {
################################################################################

# Backend SG
resource "aws_security_group" "backend_sg" {
resource "aws_security_group" "backend" {
name = "${local.name_prefix}-backend"
description = "Appointment backend traffic"
vpc_id = module.vpc.vpc_id
Expand All @@ -254,7 +254,7 @@ resource "aws_security_group" "backend_sg" {
}

resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" {
security_group_id = aws_security_group.backend_sg.id
security_group_id = aws_security_group.backend.id
description = "5000 from ALB"
from_port = 5000
to_port = 5000
Expand All @@ -263,43 +263,43 @@ resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" {
}

resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB" {
security_group_id = aws_security_group.backend_sg.id
security_group_id = aws_security_group.backend.id
description = "mysql to DB"
from_port = 3306
to_port = 3306
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.rds_sg.id
referenced_security_group_id = aws_security_group.rds.id
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" {
security_group_id = aws_security_group.backend_sg.id
security_group_id = aws_security_group.backend.id
description = "TLS to ECR endpoints"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.ecr_endpoint_sg.id
referenced_security_group_id = aws_security_group.ecr_endpoint.id
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" {
security_group_id = aws_security_group.backend_sg.id
security_group_id = aws_security_group.backend.id
description = "TLS to logs endpoint"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.logs_endpoint_sg.id
referenced_security_group_id = aws_security_group.logs_endpoint.id
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" {
security_group_id = aws_security_group.backend_sg.id
security_group_id = aws_security_group.backend.id
description = "TLS to secrets endpoint"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.secrets_endpoint_sg.id
referenced_security_group_id = aws_security_group.secrets_endpoint.id
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" {
security_group_id = aws_security_group.backend_sg.id
security_group_id = aws_security_group.backend.id
description = "TLS to S3 endpoint"
from_port = 443
to_port = 443
Expand All @@ -308,7 +308,7 @@ resource "aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" {
}

# Frontend SG
resource "aws_security_group" "frontend_sg" {
resource "aws_security_group" "frontend" {
name = "${local.name_prefix}-frontend"
description = "Appointment frontend traffic"
vpc_id = module.vpc.vpc_id
Expand All @@ -318,7 +318,7 @@ resource "aws_security_group" "frontend_sg" {
}

resource "aws_vpc_security_group_ingress_rule" "allow_http_from_frontend_alb" {
security_group_id = aws_security_group.frontend_sg.id
security_group_id = aws_security_group.frontend.id
description = "HTTP from ALB"
from_port = 80
to_port = 80
Expand All @@ -327,7 +327,7 @@ resource "aws_vpc_security_group_ingress_rule" "allow_http_from_frontend_alb" {
}

resource "aws_vpc_security_group_egress_rule" "allow_5000_to_backend" {
security_group_id = aws_security_group.frontend_sg.id
security_group_id = aws_security_group.frontend.id
description = "5000 to backend"
from_port = 5000
to_port = 5000
Expand All @@ -336,31 +336,31 @@ resource "aws_vpc_security_group_egress_rule" "allow_5000_to_backend" {
}

resource "aws_vpc_security_group_egress_rule" "allow_http_ipv4_frontend" {
security_group_id = aws_security_group.frontend_sg.id
security_group_id = aws_security_group.frontend.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 80
to_port = 80
ip_protocol = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_frontend" {
security_group_id = aws_security_group.frontend_sg.id
security_group_id = aws_security_group.frontend.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 443
to_port = 443
ip_protocol = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "allow_smtp_ipv4_frontend" {
security_group_id = aws_security_group.frontend_sg.id
security_group_id = aws_security_group.frontend.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 587
to_port = 587
ip_protocol = "tcp"
}

# DB SG
resource "aws_security_group" "rds_sg" {
resource "aws_security_group" "rds" {
name = "${local.name_prefix}-rds"
description = "Allow DB inbound traffic"
vpc_id = module.vpc.vpc_id
Expand All @@ -370,16 +370,16 @@ resource "aws_security_group" "rds_sg" {
}

resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" {
security_group_id = aws_security_group.rds_sg.id
security_group_id = aws_security_group.rds.id
description = "Allow MySQL from backend"
from_port = 3306
to_port = 3306
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
referenced_security_group_id = aws_security_group.backend.id
}

# ECR Endpoint SG
resource "aws_security_group" "ecr_endpoint_sg" {
resource "aws_security_group" "ecr_endpoint" {
name = "${local.name_prefix}-ecr"
description = "Allow ECR inbound traffic"
vpc_id = module.vpc.vpc_id
Expand All @@ -389,25 +389,25 @@ resource "aws_security_group" "ecr_endpoint_sg" {
}

resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_backend" {
security_group_id = aws_security_group.ecr_endpoint_sg.id
security_group_id = aws_security_group.ecr_endpoint.id
description = "TLS from Backend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
referenced_security_group_id = aws_security_group.backend.id
}

resource "aws_vpc_security_group_ingress_rule" "ecr_allow_tls_from_frontend" {
security_group_id = aws_security_group.ecr_endpoint_sg.id
security_group_id = aws_security_group.ecr_endpoint.id
description = "TLS from Frontend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
referenced_security_group_id = aws_security_group.frontend.id
}

# Secrets endpoint SG
resource "aws_security_group" "secrets_endpoint_sg" {
resource "aws_security_group" "secrets_endpoint" {
name = "${local.name_prefix}-secrets"
description = "Allow Secrets Manager inbound traffic"
vpc_id = module.vpc.vpc_id
Expand All @@ -417,16 +417,16 @@ resource "aws_security_group" "secrets_endpoint_sg" {
}

resource "aws_vpc_security_group_ingress_rule" "secrets_allow_tls_from_backend" {
security_group_id = aws_security_group.secrets_endpoint_sg.id
security_group_id = aws_security_group.secrets_endpoint.id
description = "TLS from Backend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
referenced_security_group_id = aws_security_group.backend.id
}

# Logs endpoint SG
resource "aws_security_group" "logs_endpoint_sg" {
resource "aws_security_group" "logs_endpoint" {
name = "${local.name_prefix}-logs"
description = "Allow Cloudwatch logs inbound traffic"
vpc_id = module.vpc.vpc_id
Expand All @@ -436,21 +436,21 @@ resource "aws_security_group" "logs_endpoint_sg" {
}

resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_backend" {
security_group_id = aws_security_group.logs_endpoint_sg.id
security_group_id = aws_security_group.logs_endpoint.id
description = "TLS from Backend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
referenced_security_group_id = aws_security_group.backend.id
}

resource "aws_vpc_security_group_ingress_rule" "logs_allow_tls_from_frontend" {
security_group_id = aws_security_group.logs_endpoint_sg.id
security_group_id = aws_security_group.logs_endpoint.id
description = "TLS from Frontend"
from_port = 443
to_port = 443
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
referenced_security_group_id = aws_security_group.frontend.id
}

################################################################################
Expand Down Expand Up @@ -484,7 +484,7 @@ module "db" {

multi_az = var.environment == "production" ? true : false
db_subnet_group_name = module.vpc.database_subnet_group
vpc_security_group_ids = [aws_security_group.rds_sg.id]
vpc_security_group_ids = [aws_security_group.rds.id]

maintenance_window = "Wed:12:00-Wed:12:30"
backup_window = "03:00-06:00"
Expand Down Expand Up @@ -536,7 +536,7 @@ resource "aws_ecs_service" "backend_service" {
}
network_configuration {
security_groups = [aws_security_group.backend_sg.id]
security_groups = [aws_security_group.backend.id]
subnets = module.vpc.private_subnets
}
Expand Down Expand Up @@ -565,15 +565,15 @@ module "backend_alb" {
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
referenced_security_group_id = aws_security_group.frontend.id
}
}
security_group_egress_rules = {
outbound = {
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.backend_sg.id
referenced_security_group_id = aws_security_group.backend.id
}
}

Expand Down Expand Up @@ -634,7 +634,7 @@ resource "aws_ecs_service" "frontend_service" {
}
network_configuration {
security_groups = [aws_security_group.frontend_sg.id]
security_groups = [aws_security_group.frontend.id]
subnets = module.vpc.private_subnets
}
Expand Down Expand Up @@ -677,7 +677,7 @@ module "frontend_alb" {
from_port = 80
to_port = 80
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.frontend_sg.id
referenced_security_group_id = aws_security_group.frontend.id
}
}

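Review bot: Renaming the `aws_security_group` resources (starting with `backend_sg` → `backend` in the hunk at `@@ -244`, and likewise `frontend`, `rds`, `ecr_endpoint`, `secrets_endpoint`, `logs_endpoint`) changes their resource addresses, and no `moved` blocks appear anywhere in the diff, so a plan against existing state would destroy and recreate all six groups rather than keep them. Groups that are attached to ENIs (ECS tasks, the RDS instance, the VPC endpoints referenced in the earlier hunks) cannot be deleted while in use, so the apply is likely to fail part-way or, at best, cycle the groups and every rule that references them. Add one `moved` block per renamed group before this is applied, e.g. `moved { from = aws_security_group.backend_sg; to = aws_security_group.backend }` (one attribute per line in the file), and confirm with a plan that only the addresses change. Whether state has already been migrated out of band is not visible here.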
