# Web tier security group.
#
# Inbound rules are driven by var.inbound_rules_web; each entry supplies a
# description, a port and a protocol. Traffic is only ever admitted from
# another security group, never from a CIDR: port 22 is reachable from the
# bastion host alone, every other listed port from the load balancer alone.
# Outbound traffic is unrestricted (all protocols, all destinations).
resource "aws_security_group" "web_server" {
  vpc_id      = aws_vpc.this.id
  name        = "WebServer-sg-allow"
  description = "Allow web traffic"

  tags = {
    Name = "allow_webserver_sg"
  }

  dynamic "ingress" {
    for_each = var.inbound_rules_web
    iterator = rule

    content {
      description = rule.value.description
      protocol    = rule.value.protocol
      from_port   = rule.value.port
      to_port     = rule.value.port

      # SSH only via the bastion host; every other port only via the ALB.
      security_groups = (
        rule.value.port == 22
        ? [aws_security_group.bastion_host.id]
        : [aws_security_group.lb_sg.id]
      )
    }
  }

  # NOTE(review): all-protocol egress to 0.0.0.0/0 is wider than a web tier
  # that only talks to the application tier needs — confirm whether outbound
  # can be narrowed to the application_server group plus required endpoints.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Application tier security group.
#
# Inbound rules are driven by var.inbound_rules_application; each entry
# supplies a description, a port and a protocol. As with the web tier, no
# CIDR-based ingress exists: port 22 is admitted from the bastion host only,
# every other listed port from the web tier only. Outbound traffic is
# unrestricted (all protocols, all destinations).
resource "aws_security_group" "application_server" {
  vpc_id      = aws_vpc.this.id
  name        = "Application-Server-sg-allow"
  description = "Allow application traffic"

  tags = {
    Name = "allow_application_server"
  }

  dynamic "ingress" {
    for_each = var.inbound_rules_application
    iterator = rule

    content {
      description = rule.value.description
      protocol    = rule.value.protocol
      from_port   = rule.value.port
      to_port     = rule.value.port

      # SSH only via the bastion host; every other port only from the web tier.
      security_groups = (
        rule.value.port == 22
        ? [aws_security_group.bastion_host.id]
        : [aws_security_group.web_server.id]
      )
    }
  }

  # NOTE(review): this tier's only declared downstream dependency in this file
  # is the database (tcp/3306 on db_sg); confirm whether all-protocol egress
  # to 0.0.0.0/0 is really required or can be narrowed.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
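# Bastion host security group.
#
# The bastion is the single SSH entry point into the private subnets: the
# web_server and application_server groups admit port 22 solely from this
# group, so this group's own SSH ingress is the perimeter. The original rule
# was described as "from private subnet" yet admitted 0.0.0.0/0; the source
# ranges are now an input so they can be pinned to the administrators'
# networks.
#
# Declared here rather than in a separate variables file so the security
# group and its input stay together; Terraform merges all *.tf files in the
# module, so the location does not matter to callers.
variable "bastion_ssh_ingress_cidrs" {
  description = "CIDR ranges allowed to open SSH (tcp/22) to the bastion host. Override this with the administrators' source ranges; the default preserves the previous world-open rule for backward compatibility and is not suitable for production."
  type        = list(string)
  default     = ["0.0.0.0/0"]

  validation {
    # Reject malformed entries early rather than at apply time.
    condition     = alltrue([for c in var.bastion_ssh_ingress_cidrs : can(cidrhost(c, 0))])
    error_message = "Every entry must be a valid CIDR block (constructed example: 203.0.113.0/24)."
  }
}

resource "aws_security_group" "bastion_host" {
  vpc_id      = aws_vpc.this.id
  name        = "Bastion-host-sg-allow"
  description = "Allow ssh into the private subnet resources using this"

  tags = {
    Name = "allow_bastion_host_sg"
  }

  # Only tcp/22, and only from the configured source ranges. Leaving the
  # variable at its default reproduces the old 0.0.0.0/0 rule.
  ingress {
    description = "Allow SSH to the bastion host from the administrator CIDR ranges in var.bastion_ssh_ingress_cidrs"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = var.bastion_ssh_ingress_cidrs
  }

  # NOTE(review): the bastion only needs to reach tcp/22 on the web and
  # application tiers; all-protocol egress to 0.0.0.0/0 is kept unchanged
  # here but could be narrowed to those two groups.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}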
# Application load balancer security group.
#
# The only internet-facing group in this file: tcp/80 from anywhere. It is the
# sole source security group for the web tier's non-SSH ports, so every
# request reaching the web servers has passed through this group first.
# Outbound traffic is unrestricted (all protocols, all destinations).
#
# NOTE(review): only plain HTTP (80) is opened here; no HTTPS port appears in
# this file — confirm whether TLS is terminated elsewhere or intentionally
# absent.
resource "aws_security_group" "lb_sg" {
  vpc_id      = aws_vpc.this.id
  name        = "Loadbalancer-sg-allow"
  description = "Allow access to load balancers from the internet"

  tags = {
    Name = "allow_access_to_lb_from_internet"
  }

  ingress {
    description = "Allow access to load balancers from the internet"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Database (RDS) security group.
#
# Inbound is limited to tcp/3306 and only from the application tier's security
# group; no CIDR-based ingress exists, so the database is unreachable from the
# web tier, the bastion and the internet. Outbound traffic is unrestricted
# (all protocols, all destinations).
resource "aws_security_group" "db_sg" {
  vpc_id      = aws_vpc.this.id
  name        = "allow_db"
  description = "Allow db access from the application server"

  tags = {
    Name = "allow_db_access_sg"
  }

  ingress {
    description     = "Allow db access from the application server"
    protocol        = "tcp"
    from_port       = 3306
    to_port         = 3306
    security_groups = [aws_security_group.application_server.id]
  }

  # NOTE(review): a database normally initiates no outbound connections;
  # confirm whether this all-protocol egress to 0.0.0.0/0 is needed at all.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}