infra/security-groups.tf

# Here are general definitions for security rulesets

resource "aws_security_group" "ecs_web_ingress" {
  name = "Alpha-Web-Ingress"
  description = "Allow web traffic into the host"
  vpc_id = aws_vpc.athens_vpc.id
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
  }
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port   = 80
    protocol  = "tcp"
  }
}

resource "aws_security_group" "base_ecs" {
  vpc_id = aws_vpc.athens_vpc.id
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port   = 80
    protocol  = "tcp"
  }
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
  }
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 2049
    to_port   = 2049
    protocol  = "tcp"
  }
}

resource "aws_security_group" "load_balancer_health_check" {
  name = "Load Balancer Health check"
  vpc_id = aws_vpc.athens_vpc.id
  egress {
    cidr_blocks = ["10.0.0.0/8"]
    from_port = 80
    to_port   = 80
    protocol  = "tcp"
  }
}

resource "aws_security_group" "general_web_req" {
  name = "Athens General web server ruleset"
  description = "Allowing strictly web traffic"
  vpc_id = aws_vpc.athens_vpc.id
  # Intake of web requests(only serving TLS enabled traffic)
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port = 80
    protocol = "tcp"
  }
  # WARN: Due to the usage of debian based images this rule
  # is effectively required in order to properly update
  # the system as apt mostly talks over port 443(maybe port 80 too?)
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  # WARN: like 99% certrain apt falls back to port 80 on occasion
  # which means we kinda need egress in to not break when requesting
  # from shitty repos ...
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port = 80
    protocol = "tcp"
  }
}
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# Here are general definitions for security rulesets`

Working sample service with ECS for now this is just a hello world service with a public IP 2022-12-09 20:55:30 -08:00			`resource "aws_security_group" "ecs_web_ingress" {`
			`name = "Alpha-Web-Ingress"`
			`description = "Allow web traffic into the host"`
			`vpc_id = aws_vpc.athens_vpc.id`
			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
Formatting and comments 2022-12-27 21:02:56 -08:00			`to_port = 443`
			`protocol = "tcp"`
Working sample service with ECS for now this is just a hello world service with a public IP 2022-12-09 20:55:30 -08:00			`}`
			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 80`
Formatting and comments 2022-12-27 21:02:56 -08:00			`to_port = 80`
			`protocol = "tcp"`
Working sample service with ECS for now this is just a hello world service with a public IP 2022-12-09 20:55:30 -08:00			`}`
			`}`

			`resource "aws_security_group" "base_ecs" {`
			`vpc_id = aws_vpc.athens_vpc.id`
Adding fallback for port 80 on base ecs 2022-12-16 22:50:15 -08:00			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 80`
Formatting and comments 2022-12-27 21:02:56 -08:00			`to_port = 80`
			`protocol = "tcp"`
Adding fallback for port 80 on base ecs 2022-12-16 22:50:15 -08:00			`}`
Working sample service with ECS for now this is just a hello world service with a public IP 2022-12-09 20:55:30 -08:00			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
Formatting and comments 2022-12-27 21:02:56 -08:00			`to_port = 443`
			`protocol = "tcp"`
Working sample service with ECS for now this is just a hello world service with a public IP 2022-12-09 20:55:30 -08:00			`}`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 2049`
Formatting and comments 2022-12-27 21:02:56 -08:00			`to_port = 2049`
			`protocol = "tcp"`
Working sample service with ECS for now this is just a hello world service with a public IP 2022-12-09 20:55:30 -08:00			`}`
			`}`

Health problems finally solved with LB and fargate 2023-01-02 19:08:25 -08:00			`resource "aws_security_group" "load_balancer_health_check" {`
			`name = "Load Balancer Health check"`
			`vpc_id = aws_vpc.athens_vpc.id`
			`egress {`
			`cidr_blocks = ["10.0.0.0/8"]`
			`from_port = 80`
			`to_port = 80`
			`protocol = "tcp"`
			`}`
			`}`

!+ Sigma Instance This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename 2021-11-25 20:44:00 -08:00			`resource "aws_security_group" "general_web_req" {`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`name = "Athens General web server ruleset"`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`description = "Allowing strictly web traffic"`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`vpc_id = aws_vpc.athens_vpc.id`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# Intake of web requests(only serving TLS enabled traffic)`
			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
!+ Sigma Instance This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename 2021-11-25 20:44:00 -08:00			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 80`
			`to_port = 80`
			`protocol = "tcp"`
			`}`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# WARN: Due to the usage of debian based images this rule`
			`# is effectively required in order to properly update`
			`# the system as apt mostly talks over port 443(maybe port 80 too?)`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
!+ Sigma Instance This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename 2021-11-25 20:44:00 -08:00			`# WARN: like 99% certrain apt falls back to port 80 on occasion`
			`# which means we kinda need egress in to not break when requesting`
			`# from shitty repos ...`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 80`
			`to_port = 80`
			`protocol = "tcp"`
			`}`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`}`