Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated subnet tags and tightened up the security groups #22

Merged
merged 6 commits into from
Jul 26, 2023
Merged

Updated subnet tags and tightened up the security groups #22

merged 6 commits into from
Jul 26, 2023

Conversation

kunduso
Copy link
Owner

@kunduso kunduso commented Jul 26, 2023

The changes in this PR close #17 and close #3

@kunduso kunduso self-assigned this Jul 26, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 26, 2023
View reviewed changes
securitygroup.tf
Comment on lines +16 to +32
resource "aws_security_group" "ec2_instance" {
name = "IN-SG"
description = "Allow inbound and outbound traffic to EC2 instances from load balancer security group"
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
security_groups = [aws_security_group.lb.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
vpc_id = aws_vpc.this.id
}

Check failure

Code scanning / checkov

Ensure every security groups rule has a description Error

Ensure every security groups rule has a description
securitygroup.tf
Comment on lines +34 to +50
resource "aws_security_group" "lb" {
name = "LB-SG"
description = "Allow inbound and outbound traffic to load balancer from the internet."
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
vpc_id = aws_vpc.this.id
}

Check failure

Code scanning / checkov

Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 Error

Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
securitygroup.tf
Comment on lines +34 to +50
resource "aws_security_group" "lb" {
name = "LB-SG"
description = "Allow inbound and outbound traffic to load balancer from the internet."
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
vpc_id = aws_vpc.this.id
}

Check failure

Code scanning / checkov

Ensure every security groups rule has a description Error

Ensure every security groups rule has a description
@kunduso kunduso temporarily deployed to production July 26, 2023 21:17 — with GitHub Actions Inactive
@infracost
Copy link

infracost bot commented Jul 26, 2023

💰 Infracost estimate: monthly cost will not change

View in Infracost Cloud. This comment will be updated when the cost estimate changes.

@github-actions
Copy link

💰 Infracost estimate: monthly cost will not change

View in Infracost Cloud. This comment will be updated when the cost estimate changes.

@github-actions
Copy link

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan 

terraform
data.aws_ami.amazon_ami: Reading...
data.aws_iam_policy_document.vpc_flowlog_policy: Reading...
data.aws_iam_policy_document.assume_role: Reading...
data.aws_iam_policy_document.assume_role: Read complete after 0s [id=3760307347]
aws_cloudwatch_log_group.cw_loggroup: Refreshing state... [id=example]
aws_vpc.this: Refreshing state... [id=vpc-08b7b4813db409054]
data.aws_iam_policy_document.vpc_flowlog_policy: Read complete after 0s [id=3442509011]
aws_iam_role.vpc_flowlog_role: Refreshing state... [id=vpc_flowlog_role]
data.aws_ami.amazon_ami: Read complete after 0s [id=ami-07251f912d2a831a3]
aws_iam_role_policy.vpc_flowlog_role: Refreshing state... [id=vpc_flowlog_role:vpc_flowlog_role]
aws_flow_log.app1: Refreshing state... [id=fl-00d6ff18a9fa7ef39]
aws_route_table.this-rt: Refreshing state... [id=rtb-0fc6ac37ea1ac44ad]
aws_subnet.public[2]: Refreshing state... [id=subnet-05d38bb91b4703c05]
aws_security_group.lb: Refreshing state... [id=sg-070dc91946245ea40]
aws_default_security_group.default: Refreshing state... [id=sg-034cf0ff21cbeac3f]
aws_internet_gateway.this-igw: Refreshing state... [id=igw-015847a467f235543]
aws_subnet.public[0]: Refreshing state... [id=subnet-0dac2a4e60b75532b]
aws_lb_target_group.front: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:targetgroup/application-front/2208e81df085f184]
aws_subnet.public[1]: Refreshing state... [id=subnet-0fa4635b4366303fa]
aws_security_group.ec2_instance: Refreshing state... [id=sg-0a218d5fb861ea7e4]
aws_route.internet-route: Refreshing state... [id=r-rtb-0fc6ac37ea1ac44ad1080289494]
aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-0a849607a6a9925c3]
aws_route_table_association.public[2]: Refreshing state... [id=rtbassoc-0fe12008d0b9fffdd]
aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0e9b2dfce8f86f1d7]
aws_lb.front: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:loadbalancer/app/front/7a7f64544c33502a]
aws_instance.app-server[2]: Refreshing state... [id=i-07c72765964f8b858]
aws_instance.app-server[0]: Refreshing state... [id=i-086955e709b2e6560]
aws_instance.app-server[1]: Refreshing state... [id=i-056ca7c5f21fd3a0c]
aws_lb_listener.front_end: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:listener/app/front/7a7f64544c33502a/3dc957cb56ef6d78]
aws_lb_target_group_attachment.attach-app1[1]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:targetgroup/application-front/2208e81df085f184-20230726210630305000000002]
aws_lb_target_group_attachment.attach-app1[2]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:targetgroup/application-front/2208e81df085f184-20230726210630348600000003]
aws_lb_target_group_attachment.attach-app1[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:targetgroup/application-front/2208e81df085f184-20230726210630208100000001]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_instance.app-server[0] will be updated in-place
  ~ resource "aws_instance" "app-server" {
        id                                   = "i-086955e709b2e6560"
        tags                                 = {
            "Name" = "app-server-1"
        }
      ~ user_data                            = "f8c969d3cfc2ce542bf59b5c0eaf7a583743503c" -> "9ea6f797c2878361f94d9f508aad35b4b4039b50"
        # (30 unchanged attributes hidden)

        # (7 unchanged blocks hidden)
    }

  # aws_instance.app-server[1] will be updated in-place
  ~ resource "aws_instance" "app-server" {
        id                                   = "i-056ca7c5f21fd3a0c"
        tags                                 = {
            "Name" = "app-server-2"
        }
      ~ user_data                            = "f8c969d3cfc2ce542bf59b5c0eaf7a583743503c" -> "9ea6f797c2878361f94d9f508aad35b4b4039b50"
        # (30 unchanged attributes hidden)

        # (7 unchanged blocks hidden)
    }

  # aws_instance.app-server[2] will be updated in-place
  ~ resource "aws_instance" "app-server" {
        id                                   = "i-07c72765964f8b858"
        tags                                 = {
            "Name" = "app-server-3"
        }
      ~ user_data                            = "f8c969d3cfc2ce542bf59b5c0eaf7a583743503c" -> "9ea6f797c2878361f94d9f508aad35b4b4039b50"
        # (30 unchanged attributes hidden)

        # (7 unchanged blocks hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

@kunduso kunduso merged commit f415c4e into main Jul 26, 2023
3 of 6 checks passed
@kunduso kunduso deleted the fix-elb branch July 26, 2023 21:18
@kunduso kunduso mentioned this pull request Jul 26, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@kunduso kunduso

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add source tag for all resources Research new security group
1 participant
@kunduso