Updated subnet tags and tightened up the security groups

.github/workflows/code-scan.yml

@@ -4,9 +4,13 @@ name: checkov-static-analysis-scan
 on:
   # Triggers the workflow on push or pull request events but only for the "main" branch
   push:
-    branches: [ "*" ]
+    branches: [ '*' ]
+    paths-ignore:
+      - '**/README.md'
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
+    paths-ignore:
+      - '**/README.md'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:

.github/workflows/terraform.yml

@@ -4,8 +4,12 @@ on:
   workflow_dispatch:
   push:
     branches: [ '*' ]
+    paths-ignore:
+      - '**/README.md'
   pull_request:
     branches: ["main"]
+    paths-ignore:
+      - '**/README.md'
 
 permissions: read-all
 
@@ -77,12 +81,6 @@ jobs:
                         --format=json \
                         --out-file=/tmp/infracost.json
 
-    # Generate an Infracost breakdown.
-    - name: Generate Infracost breakdown
-      if: github.event_name == 'pull_request'
-      run: |
-        infracost breakdown --path=. --show-skipped
-
     - name: Post Infracost estimate
       if: github.event_name == 'pull_request'
       run: |

ReadMe.md

@@ -5,9 +5,10 @@
 ## Motivation
 My objectives was to create an application load balancer and attach that to three Amazon EC2 instances hosted in three different availability zones in a region using **Terraform and GitHub Actions.**
 
-I discussed the concept in detail in my notes at -[CI-CD with Terraform and GitHub Actions to deploy to AWS.](https://skundunotes.com/2023/03/07/ci-cd-with-terraform-and-github-actions-to-deploy-to-aws/)
+<br />I discussed the concept in detail in my notes at -[CI-CD with Terraform and GitHub Actions to deploy to AWS.](https://skundunotes.com/2023/03/07/ci-cd-with-terraform-and-github-actions-to-deploy-to-aws/)
+<br />If you are interested in learning about how to create an external application load balancer with Amazon EC2 instances in a private subnet, check out the code in this repository: [add-aws-elb-ec2-private-subnet-terraform](https://github.com/kunduso/add-aws-elb-ec2-private-subnet-terraform)
 
-*Note: I did not include the concepts of creating the EC2 instances, or installing a certificate, or route53 in this note.*
+<br />*Note: I did not include the concepts of creating the EC2 instances, or installing a certificate, or route53 in this note.*
 
 ## Prerequisites
 For this code to function without errors, I created an OpenID connect identity provider in Amazon Identity and Access Management that has a trust relationship with this GitHub repository. You can read about it [here](https://skundunotes.com/2023/02/28/securely-integrate-aws-credentials-with-github-actions-using-openid-connect/) to get a detailed explanation with steps.

compute.tf

@@ -1,25 +1,25 @@
-resource "aws_security_group" "http-sg" {
-  name        = "allow_http_access"
-  description = "allow inbound http traffic"
-  vpc_id      = aws_vpc.this.id
+# resource "aws_security_group" "http-sg" {
+#   name        = "allow_http_access"
+#   description = "allow inbound http traffic"
+#   vpc_id      = aws_vpc.this.id
 
-  ingress {
-    description = "from my ip range"
-    from_port   = "80"
-    to_port     = "80"
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  egress {
-    cidr_blocks = ["0.0.0.0/0"]
-    from_port   = "0"
-    protocol    = "-1"
-    to_port     = "0"
-  }
-  tags = {
-    "Name" = "Application-1-sg"
-  }
-}
+#   ingress {
+#     description = "from my ip range"
+#     from_port   = "80"
+#     to_port     = "80"
+#     protocol    = "tcp"
+#     cidr_blocks = ["0.0.0.0/0"]
+#   }
+#   egress {
+#     cidr_blocks = ["0.0.0.0/0"]
+#     from_port   = "0"
+#     protocol    = "-1"
+#     to_port     = "0"
+#   }
+#   tags = {
+#     "Name" = "Application-1-sg"
+#   }
+# }
 data "aws_ami" "amazon_ami" {
   filter {
     name   = "name"
@@ -32,12 +32,12 @@
   most_recent = true
   owners      = ["amazon"]
 }
 resource "aws_instance" "app-server" {
-  count                  = length(var.subnet_cidr_private)
+  count                  = length(var.subnet_cidr_public)
   instance_type          = "t2.micro"
   ami                    = data.aws_ami.amazon_ami.id
-  vpc_security_group_ids = [aws_security_group.http-sg.id]
-  subnet_id              = element(aws_subnet.private.*.id, count.index)
+  vpc_security_group_ids = [aws_security_group.ec2_instance.id]
+  subnet_id              = element(aws_subnet.public.*.id, count.index)
   # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address
   associate_public_ip_address = true
   tags = {

loadbalancer.tf

@@ -39,8 +39,8 @@ resource "aws_lb" "front" {
   name               = "front"
   internal           = false
   load_balancer_type = "application"
-  security_groups    = [aws_security_group.http-sg.id]
-  subnets            = [for subnet in aws_subnet.private : subnet.id]
+  security_groups    = [aws_security_group.lb.id]
+  subnets            = [for subnet in aws_subnet.public : subnet.id]
 
   enable_deletion_protection = false
 

main.tf

@@ -6,33 +6,33 @@ resource "aws_vpc" "this" {
   # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_dns_hostnames
   enable_dns_hostnames = true
   tags = {
-    "Name" = "Application-1"
+    "Name" = "app-1"
   }
 }
-resource "aws_subnet" "private" {
-  count             = length(var.subnet_cidr_private)
+resource "aws_subnet" "public" {
+  count             = length(var.subnet_cidr_public)
   vpc_id            = aws_vpc.this.id
-  cidr_block        = var.subnet_cidr_private[count.index]
+  cidr_block        = var.subnet_cidr_public[count.index]
   availability_zone = var.availability_zone[count.index]
   tags = {
-    "Name" = "Application-1-private"
+    "Name" = "app-1-public-${count.index + 1}"
   }
 }
 resource "aws_route_table" "this-rt" {
   vpc_id = aws_vpc.this.id
   tags = {
-    "Name" = "Application-1-route-table"
+    "Name" = "app-1-route-table"
   }
 }
-resource "aws_route_table_association" "private" {
-  count          = length(var.subnet_cidr_private)
-  subnet_id      = element(aws_subnet.private.*.id, count.index)
+resource "aws_route_table_association" "public" {
+  count          = length(var.subnet_cidr_public)
+  subnet_id      = element(aws_subnet.public.*.id, count.index)
   route_table_id = aws_route_table.this-rt.id
 }
 resource "aws_internet_gateway" "this-igw" {
   vpc_id = aws_vpc.this.id
   tags = {
-    "Name" = "Application-1-gateway"
+    "Name" = "app-1-gateway"
   }
 }
 resource "aws_route" "internet-route" {

securitygroup.tf

@@ -0,0 +1,50 @@
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.this.id
+  ingress {
+    protocol  = -1
+    self      = true
+    from_port = 0
+    to_port   = 0
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+resource "aws_security_group" "ec2_instance" {
+  name        = "IN-SG"
+  description = "Allow inbound and outbound traffic to EC2 instances from load balancer security group"
+  ingress {
+    from_port       = 80
+    to_port         = 80
+    protocol        = "tcp"
+    security_groups = [aws_security_group.lb.id]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  vpc_id = aws_vpc.this.id
+}
+
+resource "aws_security_group" "lb" {
+  name        = "LB-SG"
+  description = "Allow inbound and outbound traffic to load balancer from the internet."
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  vpc_id = aws_vpc.this.id
+}

variables.tf

@@ -19,14 +19,14 @@ variable "secret_key" {
   default     = ""
 }
 
-variable "subnet_cidr_private" {
-  description = "cidr blocks for the private subnets"
+variable "subnet_cidr_public" {
+  description = "cidr blocks for the public subnets"
   default     = ["10.20.20.0/28", "10.20.20.16/28", "10.20.20.32/28"]
   type        = list(any)
 }
 
 variable "availability_zone" {
-  description = "availability zones for the private subnets"
+  description = "availability zones for the public subnets"
   default     = ["us-east-2a", "us-east-2b", "us-east-2c"]
   type        = list(any)
 }