infra/security-groups.tf

# Here are general definitions for security rulesets

resource "aws_security_group" "basic_web_sec" {
  name = "Athens General web server ruleset"
  description = "Allowing strictly web traffic"
  vpc_id = aws_vpc.athens_vpc.id
  # Intake of web requests(only serving TLS enabled traffic)
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  # WARN: Due to the usage of debian based images this rule
  # is effectively required in order to properly update
  # the system as apt mostly talks over port 443(maybe port 80 too?)
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
}

resource "aws_security_group" "internal_ssh_recv" {
  name = "Athens Internal SSH RECV"
  vpc_id = aws_vpc.athens_vpc.id
  ingress {
    cidr_blocks = [var.crete_cidr]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
}

# Main role: SSH host/dev box(not to be up 24/7)
# Note this one is kinda special because the dev box
# itself is _kinda_ special(?)
resource "aws_security_group" "gamma_sec" {
  name = "Athens Gamma Sec"
  vpc_id = aws_vpc.athens_vpc.id
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
  egress {
    cidr_blocks = [ var.crete_cidr ]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
  # Again this is for APT to update repo's when needed
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
}
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# Here are general definitions for security rulesets`

			`resource "aws_security_group" "basic_web_sec" {`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`name = "Athens General web server ruleset"`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`description = "Allowing strictly web traffic"`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`vpc_id = aws_vpc.athens_vpc.id`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# Intake of web requests(only serving TLS enabled traffic)`
			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
			`# WARN: Due to the usage of debian based images this rule`
			`# is effectively required in order to properly update`
			`# the system as apt mostly talks over port 443(maybe port 80 too?)`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
			`}`

			`resource "aws_security_group" "internal_ssh_recv" {`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`name = "Athens Internal SSH RECV"`
			`vpc_id = aws_vpc.athens_vpc.id`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`ingress {`
			`cidr_blocks = [var.crete_cidr]`
			`from_port = 22`
			`to_port = 22`
			`protocol = "tcp"`
			`}`
			`}`

			`# Main role: SSH host/dev box(not to be up 24/7)`
			`# Note this one is kinda special because the dev box`
			`# itself is _kinda_ special(?)`
			`resource "aws_security_group" "gamma_sec" {`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`name = "Athens Gamma Sec"`
			`vpc_id = aws_vpc.athens_vpc.id`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 22`
			`to_port = 22`
			`protocol = "tcp"`
			`}`
			`egress {`
			`cidr_blocks = [ var.crete_cidr ]`
			`from_port = 22`
			`to_port = 22`
			`protocol = "tcp"`
			`}`
			`# Again this is for APT to update repo's when needed`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
			`}`