tightened security group

kunduso · Jul 25, 2023 · a3ec8fe · a3ec8fe
1 parent ba287da
commit a3ec8fe
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 23 deletions.
diff --git a/compute.tf b/compute.tf
@@ -1,25 +1,25 @@
-resource "aws_security_group" "http-sg" {
-  name        = "allow_http_access"
-  description = "allow inbound http traffic"
-  vpc_id      = aws_vpc.this.id
+# resource "aws_security_group" "http-sg" {
+#   name        = "allow_http_access"
+#   description = "allow inbound http traffic"
+#   vpc_id      = aws_vpc.this.id
 
-  ingress {
-    description = "from my ip range"
-    from_port   = "80"
-    to_port     = "80"
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  egress {
-    cidr_blocks = ["0.0.0.0/0"]
-    from_port   = "0"
-    protocol    = "-1"
-    to_port     = "0"
-  }
-  tags = {
-    "Name" = "Application-1-sg"
-  }
-}
+#   ingress {
+#     description = "from my ip range"
+#     from_port   = "80"
+#     to_port     = "80"
+#     protocol    = "tcp"
+#     cidr_blocks = ["0.0.0.0/0"]
+#   }
+#   egress {
+#     cidr_blocks = ["0.0.0.0/0"]
+#     from_port   = "0"
+#     protocol    = "-1"
+#     to_port     = "0"
+#   }
+#   tags = {
+#     "Name" = "Application-1-sg"
+#   }
+# }
 data "aws_ami" "amazon_ami" {
   filter {
     name   = "name"
@@ -36,7 +36,7 @@ resource "aws_instance" "app-server" {
   count                  = length(var.subnet_cidr_public)
   instance_type          = "t2.micro"
   ami                    = data.aws_ami.amazon_ami.id
-  vpc_security_group_ids = [aws_security_group.http-sg.id]
+  vpc_security_group_ids = [aws_security_group.ec2_instance.id]
   subnet_id              = element(aws_subnet.public.*.id, count.index)
   # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address
   associate_public_ip_address = true

diff --git a/loadbalancer.tf b/loadbalancer.tf
@@ -39,7 +39,7 @@ resource "aws_lb" "front" {
   name               = "front"
   internal           = false
   load_balancer_type = "application"
-  security_groups    = [aws_security_group.http-sg.id]
+  security_groups    = [aws_security_group.lb.id]
   subnets            = [for subnet in aws_subnet.public : subnet.id]
 
   enable_deletion_protection = false

diff --git a/securitygroup.tf b/securitygroup.tf
@@ -0,0 +1,50 @@
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.this.id
+  ingress {
+    protocol  = -1
+    self      = true
+    from_port = 0
+    to_port   = 0
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+resource "aws_security_group" "ec2_instance" {
+  name        = "IN-SG"
+  description = "Allow inbound and outbound traffic to EC2 instances from load balancer security group"
+  ingress {
+    from_port       = 80
+    to_port         = 80
+    protocol        = "tcp"
+    security_groups = [aws_security_group.lb.id]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  vpc_id = aws_vpc.this.id
+}
+
+resource "aws_security_group" "lb" {
+  name        = "LB-SG"
+  description = "Allow inbound and outbound traffic to load balancer from the internet."
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  vpc_id = aws_vpc.this.id
+}