Config sg (#2)

Improved security by updating the Security Groups configuration.
EconomistDigitalSolutions · Jan 29, 2019 · 11b5dc2 · 11b5dc2
1 parent da0d54c
commit 11b5dc2
Show file tree

Hide file tree

Showing 16 changed files with 309 additions and 32 deletions.
diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@ This module provisions the resources necessary to run a (docker) application in
 ## Table of contents
 
 - [Terraform/AWS Auto Scaling Module](#terraformaws-auto-scaling-module)
+  - [Table of contents](#table-of-contents)
   - [WWH - What, Why, How](#wwh---what-why-how)
   - [Usage](#usage)
   - [Implementation details](#implementation-details)
@@ -188,8 +189,4 @@ None
 
 * changing the AWS region requires changing the machine AMI.
 
-* only one of the subnets is publicly accessible
-  * check route_table_association method and adapt it for the two subnets
-
-
 
diff --git a/_alb.tf b/_alb.tf
@@ -26,4 +26,3 @@ resource "aws_lb_listener" "lb_listener" {
     target_group_arn = "${aws_lb_target_group.lb_target.arn}"
   }
 }
-
diff --git a/_asg.tf b/_asg.tf
@@ -8,7 +8,7 @@ resource "aws_launch_configuration" "launch_config" {
   iam_instance_profile        = "${var.iam-role-name != "" ? var.iam-role-name : ""}"
   key_name                    = "${var.instance-key-name != "" ? var.instance-key-name : ""}"
   user_data                   = "${var.user-data-script != "" ? file("${var.user-data-script}") : ""}"
-  associate_public_ip_address = "${var.instance-associate-public-ip}"                                  
+  associate_public_ip_address = "${var.instance-associate-public-ip == "true" ? true : false}"
   security_groups             = ["${aws_security_group.sg.id}"]
 }
 
@@ -35,4 +35,3 @@ resource "aws_autoscaling_attachment" "asg_attachment_bar" {
   autoscaling_group_name = "${aws_autoscaling_group.asg.id}"
   alb_target_group_arn   = "${aws_lb_target_group.lb_target.arn}"
 }
-
diff --git a/_network.tf b/_network.tf
@@ -53,5 +53,3 @@ resource "aws_route_table_association" "rta_2" {
   subnet_id      = "${aws_subnet.subnet-2.id}"
   route_table_id = "${aws_route_table.rt.id}"
 }
-
-
diff --git a/_sg.tf b/_sg.tf
@@ -5,23 +5,23 @@ resource "aws_security_group" "sg" {
 
   ingress {
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["${var.ssh-allowed-ips}"]
     from_port   = "22"
     to_port     = "22"
   }
 
   ingress {
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
     from_port   = "80"
     to_port     = "80"
+    security_groups = ["${aws_security_group.sg_alb.id}"]
   }
 
   ingress {
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
     from_port   = "443"
     to_port     = "443"
+    security_groups = ["${aws_security_group.sg_alb.id}"]
   }
 
   egress {

diff --git a/_variables.tf b/_variables.tf
@@ -163,3 +163,9 @@ variable "sub-domain-name" {
   type        = "string"
   default     = ""
 }
+
+variable "ssh-allowed-ips" {
+  description = "The list of IPs that are allowed to SSH into the instances"
+  type        = "list"
+  default     = []
+}
diff --git a/examples/engagement-app/main.tf b/examples/engagement-app/main.tf
@@ -0,0 +1,19 @@
+module "asg" {
+  source  = "../../"
+
+  aws-profile                  = "ds-web-products-staging"
+  aws-region                   = "eu-west-3" 
+  instance-ami                 = "ami-0dd7e7ed60da8fb83"  
+  user-data-script             = "./user-data.sh" 
+  asg-min-size                 = "2"                      
+  asg-max-size                 = "4"
+  asg-def-size                 = "2"
+  alb-name                     = "rafa-ian-alb"
+  placement-group-name         = "rafa-ian-pg"
+  target-group-name            = "rafa-ian-tg"
+  asg-name                     = "rafa-ian-asg"
+  launch-config-name           = "rafa-ian-lc"
+  instance-associate-public-ip = "true"
+  iam-role-name                = "engage-ECR-read"
+  ssh-allowed-ips              = ["62.255.97.196/32", "62.255.97.197/32"]
+}
diff --git a/examples/engagement-app/user-data.sh b/examples/engagement-app/user-data.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# basic patching
+sudo yum -y update
+
+# docker
+sudo yum -y install docker
+sudo service docker start
+
+# docker-compose
+sudo curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+sudo chmod +x /usr/local/bin/docker-compose
+sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+
+# login to ECR
+sudo aws ecr get-login --no-include-email --region eu-west-2 > login.sh
+sudo bash login.sh
+
+# get docker-compose from S3
+sudo aws s3api get-object \
+  --bucket docker-compose-engagement \
+  --key docker-compose.yml \
+  docker-compose.yml
+
+# get nginx configuration
+sudo mkdir container-balancer && cd container-balancer
+sudo aws s3api get-object \
+  --bucket docker-compose-engagement \
+  --key container-balancer/nginx.conf \
+  nginx.conf
+
+# create /etc/nginx directory if not exists
+sudo mkdir -p /etc/nginx
+
+# run app
+sudo docker-compose up
diff --git a/examples/hello-app/_main.tf b/examples/hello-app/_main.tf
@@ -3,13 +3,13 @@ module "asg" {
   version = "1.0.0"
 
   # required variables
-  aws-profile       = "${var.aws-profile}"          # provide a profile from ~/.aws/credentials 
-  aws-region        = "${var.aws-region}"                 
+  aws-profile = "${var.aws-profile}" # provide a profile from ~/.aws/credentials 
+  aws-region  = "${var.aws-region}"
 
   # optinal
-  instance-ami      = "ami-0dd7e7ed60da8fb83"       # if you change region, you must change the AMI
-  user-data-script  = "./deploy-hello-node.sh"      # deployment script
-  asg-min-size      = "2"                           # number of machines
-  asg-max-size      = "4"
-  asg-def-size      = "2"
+  instance-ami     = "ami-0dd7e7ed60da8fb83"  # if you change region, you must change the AMI
+  user-data-script = "./deploy-hello-node.sh" # deployment script
+  asg-min-size     = "2"                      # number of machines
+  asg-max-size     = "4"
+  asg-def-size     = "2"
 }
diff --git a/examples/hello-asg-app/_main.tf b/examples/hello-asg-app/_main.tf
@@ -3,13 +3,13 @@ module "asg" {
   version = "1.0.0"
 
   # required variables
-  aws-profile       = "${var.aws-profile}"          # provide a profile from ~/.aws/credentials 
-  aws-region        = "${var.aws-region}"                 
+  aws-profile = "${var.aws-profile}" # provide a profile from ~/.aws/credentials 
+  aws-region  = "${var.aws-region}"
 
   # optional
-  instance-ami      = "ami-0dd7e7ed60da8fb83"       # if you change region, you must change the AMI
-  user-data-script  = "./deploy-hello-node.sh"      # deployment script
-  asg-min-size      = "2"                           # number of machines
-  asg-max-size      = "5"
-  asg-def-size      = "3"
+  instance-ami     = "ami-0dd7e7ed60da8fb83"  # if you change region, you must change the AMI
+  user-data-script = "./deploy-hello-node.sh" # deployment script
+  asg-min-size     = "2"                      # number of machines
+  asg-max-size     = "5"
+  asg-def-size     = "3"
 }
diff --git a/examples/multi-hello/README.md b/examples/multi-hello/README.md
diff --git a/examples/multi-hello/_main.tf b/examples/multi-hello/_main.tf
@@ -0,0 +1,20 @@
+module "asg" {
+  source  = "EconomistDigitalSolutions/asg/aws"
+  version = "1.0.0"
+
+  # required variables
+  aws-profile = "${var.aws-profile}" # provide a profile from ~/.aws/credentials 
+  aws-region  = "${var.aws-region}"
+
+  instance-ami                 = "ami-0dd7e7ed60da8fb83"  # if you change region, you must change the AMI
+  user-data-script             = "./deploy-hello-node.sh" # deployment script
+  asg-min-size                 = "2"                      # number of machines
+  asg-max-size                 = "5"
+  asg-def-size                 = "3"
+  alb-name                     = "private-test"
+  placement-group-name         = "private-test"
+  target-group-name            = "private-test"
+  asg-name                     = "private-test"
+  launch-config-name           = "private-test"
+  instance-associate-public-ip = "false"
+}
diff --git a/examples/multi-hello/_variables.tf b/examples/multi-hello/_variables.tf
@@ -0,0 +1,165 @@
+variable "aws-region" {
+  description = "The AWS region"
+  type        = "string"
+}
+
+variable "aws-profile" {
+  description = "The name of the AWS shared credentials account."
+  type        = "string"
+}
+
+variable "instance-ami" {
+  description = "The AMI (Amazon Machine Image) that identifies the instance"
+  type        = "string"
+  default     = "ami-01419b804382064e4"
+}
+
+variable "instance-type" {
+  description = "The instance type to be used"
+  type        = "string"
+  default     = "t2.micro"
+}
+
+variable "instance-key-name" {
+  description = "The name of the SSH key to associate to the instance. Note that the key must exist already."
+  type        = "string"
+  default     = ""
+}
+
+variable "iam-role-name" {
+  description = "The IAM role to assign to the instance"
+  type        = "string"
+  default     = ""
+}
+
+variable "instance-associate-public-ip" {
+  description = "Defines if the EC2 instance has a public IP address."
+  type        = "string"
+  default     = "true"
+}
+
+variable "user-data-script" {
+  description = "The filepath to the user-data script, that is executed upon spinning up the instance"
+  type        = "string"
+  default     = ""
+}
+
+variable "instance-tag-name" {
+  description = "instance-tag-name"
+  type        = "string"
+  default     = "EC2-instance-created-with-terraform"
+}
+
+variable "vpc-cidr-block" {
+  description = "The CIDR block to associate to the VPC"
+  type        = "string"
+  default     = "10.0.0.0/16"
+}
+
+variable "subnet-1-cidr-block" {
+  description = "The CIDR block to associate to the subnet"
+  type        = "string"
+  default     = "10.0.0.0/24"
+}
+
+variable "subnet-2-cidr-block" {
+  description = "The CIDR block to associate to the subnet"
+  type        = "string"
+  default     = "10.0.1.0/24"
+}
+
+variable "vpc-tag-name" {
+  description = "The Name to apply to the VPC"
+  type        = "string"
+  default     = "VPC-created-with-terraform"
+}
+
+variable "ig-tag-name" {
+  description = "The name to apply to the Internet gateway tag"
+  type        = "string"
+  default     = "aws-ig-created-with-terraform"
+}
+
+variable "subnet-tag-name" {
+  description = "The Name to apply to the VPN"
+  type        = "string"
+  default     = "VPN-created-with-terraform"
+}
+
+variable "sg-tag-name" {
+  description = "The Name to apply to the security group"
+  type        = "string"
+  default     = "SG-created-with-terraform"
+}
+
+variable "environment" {
+  description = "The environment (production/staging)"
+  type        = "string"
+  default     = "staging"
+}
+
+variable "alb-name" {
+  description = "The application Load Balancer name"
+  type        = "string"
+  default     = "app-load-balancer-w-terraform"
+}
+
+variable "sg-alb-tag-name" {
+  description = "The name of the SG associated with the ALB"
+  type        = "string"
+  default     = "SG-to-theapp-load-balancer-with-terraform"
+}
+
+variable "placement-group-name" {
+  description = "The name of the placement group"
+  type        = "string"
+  default     = "placement-group-created-w-terraform"
+}
+
+variable "target-group-name" {
+  description = "The name of the placement group"
+  type        = "string"
+  default     = "target-group-created-w-terraform"
+}
+
+variable "launch-config-name" {
+  description = "The name of the launch configuration"
+  type        = "string"
+  default     = "launch-configuration-created-with-terraform"
+}
+
+variable "asg-name" {
+  description = "The name of the Auto Scaling Group"
+  type        = "string"
+  default     = "ASG-created-with-terraform"
+}
+
+variable "asg-min-size" {
+  description = "The minimum size of the Auto Scaling Group"
+  type        = "string"
+  default     = "2"
+}
+
+variable "asg-max-size" {
+  description = "The maximum size of the Auto Scaling Group"
+  type        = "string"
+  default     = "4"
+}
+
+variable "asg-def-size" {
+  description = "The default/recommended size of the Auto Scaling Group"
+  type        = "string"
+  default     = "3"
+}
+
+variable "domain-name" {
+  description = "The apps public domain name"
+  type        = "string"
+  default     = ""
+}
+
+variable "sub-domain-name" {
+  description = "The apps public sub domain name"
+  type        = "string"
+  default     = ""
+}