infra/security-groups.tf

# Here are general definitions for security rulesets

resource "aws_security_group" "general_web_req" {
  name = "Athens General web server ruleset"
  description = "Allowing strictly web traffic"
  vpc_id = aws_vpc.athens_vpc.id
  # Intake of web requests(only serving TLS enabled traffic)
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port = 80
    protocol = "tcp"
  }
  # WARN: Due to the usage of debian based images this rule
  # is effectively required in order to properly update
  # the system as apt mostly talks over port 443(maybe port 80 too?)
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 443
    to_port = 443
    protocol = "tcp"
  }
  # WARN: like 99% certrain apt falls back to port 80 on occasion
  # which means we kinda need egress in to not break when requesting
  # from shitty repos ...
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 80
    to_port = 80
    protocol = "tcp"
  }
}

resource "aws_security_group" "remote_ssh_rec" {
  name = "Athens Internal SSH RECV"
  vpc_id = aws_vpc.athens_vpc.id
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port = 22
    to_port = 22
    protocol = "tcp"
  }
}
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# Here are general definitions for security rulesets`

!+ Sigma Instance This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename 2021-11-25 20:44:00 -08:00			`resource "aws_security_group" "general_web_req" {`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`name = "Athens General web server ruleset"`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`description = "Allowing strictly web traffic"`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`vpc_id = aws_vpc.athens_vpc.id`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# Intake of web requests(only serving TLS enabled traffic)`
			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
!+ Sigma Instance This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename 2021-11-25 20:44:00 -08:00			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 80`
			`to_port = 80`
			`protocol = "tcp"`
			`}`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`# WARN: Due to the usage of debian based images this rule`
			`# is effectively required in order to properly update`
			`# the system as apt mostly talks over port 443(maybe port 80 too?)`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`}`
!+ Sigma Instance This will be the web host reverse proxy (for alpha & beta) !+ More sec groups for port 80 for apt's request fallback Only because Apt blows * Renaming sec-group::basic_web_sec -> sec-group::general_web_req Should be clearer w/ this rename 2021-11-25 20:44:00 -08:00			`# WARN: like 99% certrain apt falls back to port 80 on occasion`
			`# which means we kinda need egress in to not break when requesting`
			`# from shitty repos ...`
			`egress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 80`
			`to_port = 80`
			`protocol = "tcp"`
			`}`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`}`

- Removing tons of complexity and removing cost overall ! Down to just 2 public servers for now because why tf now servers 2021-12-03 21:25:51 -08:00			`resource "aws_security_group" "remote_ssh_rec" {`
+ vpc id to sec groups 2021-11-25 00:11:51 -08:00			`name = "Athens Internal SSH RECV"`
			`vpc_id = aws_vpc.athens_vpc.id`
! Baseline Terraform configuration(no EIP yet) Major components are scripted out here however a gateway + EIP still need to be configured for full base level infra "doneness" 2021-11-24 20:44:32 -08:00			`ingress {`
			`cidr_blocks = ["0.0.0.0/0"]`
			`from_port = 22`
			`to_port = 22`
			`protocol = "tcp"`
			`}`
			`}`
- Removing tons of complexity and removing cost overall ! Down to just 2 public servers for now because why tf now servers 2021-12-03 21:25:51 -08:00