security groups

2020-04-09 20:11:09 -07:00 · 2020-04-09 20:11:09 -07:00 · 9a9b4d0090
parent ddf83c628c
commit 9a9b4d0090
2 changed files with 132 additions and 0 deletions
--- a/security-groups.tf
+++ b/security-groups.tf
@ -0,0 +1,116 @@
+# Security Groups (SG)
+
+## Load Balancer SG
+resource "aws_security_group" "load_balancer" {
+  name_prefix = "${var.main_project_tag}-alb-sg"
+  description = "Firewall for the application load balancer fronting the vault instances."
+  vpc_id = aws_vpc.vault.id
+  tags = merge(
+    { "Name" = "${var.main_project_tag}-alb-sg" },
+    { "Project" = var.main_project_tag }
+  )
+}
+
+resource "aws_security_group_rule" "load_balancer_allow_80" {
+  security_group_id = aws_security_group.load_balancer.id
+  type = "ingress"
+  protocol = "tcp"
+  from_port = 80
+  to_port = 80
+  cidr_blocks = var.allowed_traffic_cidr_blocks
+  description = "Allow HTTP traffic."
+}
+
+resource "aws_security_group_rule" "load_balancer_allow_443" {
+  security_group_id = aws_security_group.load_balancer.id
+  type = "ingress"
+  protocol = "tcp"
+  from_port = 443
+  to_port = 443
+  cidr_blocks = var.allowed_traffic_cidr_blocks
+  description = "Allow HTTPS traffic."
+}
+
+resource "aws_security_group_rule" "load_balancer_allow_outbound" {
+  security_group_id = aws_security_group.load_balancer.id
+  type = "egress"
+  protocol    = "-1"
+  from_port   = 0
+  to_port     = 0
+  cidr_blocks = ["0.0.0.0/0"]
+  description = "Allow any outbound traffic."
+}
+
+## Vault Instance SG
+
+resource "aws_security_group" "vault_instance" {
+  name_prefix = "${var.main_project_tag}-vault-instance-sg"
+  description = "Firewall for the vault instances."
+  vpc_id = aws_vpc.vault.id
+  tags = merge(
+    { "Name" = "${var.main_project_tag}-vault-instance-sg" },
+    { "Project" = var.main_project_tag }
+  )
+}
+
+resource "aws_security_group_rule" "vault_instance_allow_8200" {
+  security_group_id = aws_security_group.vault_instance.id
+  type = "ingress"
+  protocol = "tcp"
+  from_port = 8200
+  to_port = 8200
+  source_security_group_id = aws_security_group.load_balancer.id
+  description = "Allow traffic from Load Balancer."
+}
+
+resource "aws_security_group_rule" "vault_instance_allow_8201" {
+  security_group_id = aws_security_group.vault_instance.id
+  type = "ingress"
+  protocol = "tcp"
+  from_port = 8201
+  to_port = 8201
+  self = true
+  description = "Allow traffic from fellow vault instances that have this SG."
+}
+
+resource "aws_security_group_rule" "vault_instance_allow_outbound" {
+  security_group_id = aws_security_group.vault_instance.id
+  type = "egress"
+  protocol    = "-1"
+  from_port   = 0
+  to_port     = 0
+  cidr_blocks = ["0.0.0.0/0"]
+  description = "Allow any outbound traffic."
+}
+
+## Bastion SG
+
+resource "aws_security_group" "bastion" {
+  name_prefix = "${var.main_project_tag}-bastion-sg"
+  description = "Firewall for the operator bastion instance"
+  vpc_id = aws_vpc.vault.id
+  tags = merge(
+    { "Name" = "${var.main_project_tag}-bastion-sg" },
+    { "Project" = var.main_project_tag }
+  )
+}
+
+resource "aws_security_group_rule" "bastion_allow_22" {
+  security_group_id = aws_security_group.bastion.id
+  type = "ingress"
+  protocol = "tcp"
+  from_port = 22
+  to_port = 22
+  cidr_blocks = var.allowed_bastion_cidr_blocks
+  description = "Allow SSH traffic."
+}
+
+resource "aws_security_group_rule" "bastion_allow_outbound" {
+  security_group_id = aws_security_group.bastion.id
+  type = "egress"
+  protocol    = "-1"
+  from_port   = 0
+  to_port     = 0
+  cidr_blocks = ["0.0.0.0/0"]
+  description = "Allow any outbound traffic."
+}
--- a/variables.tf
+++ b/variables.tf
@ -82,6 +82,22 @@ variable "dynamodb_table_name" {
  default = "vault_storage"
 }

+# Allowed Traffic
+## What IP Address ranges (via CIDR) are allowed to access your vault?
+
+variable "allowed_traffic_cidr_blocks" {
+  description = "List of CIDR blocks allowed to access your vault.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+## What IP Address range can access your bastion server?
+variable "allowed_bastion_cidr_blocks" {
+  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
+
 # Operator Mode
 ## Turning this on will enable NAT and Bastion to access the Vault Instances