From 9a9b4d0090f7dd8792f77e29ada1adef2b9ba019 Mon Sep 17 00:00:00 2001
From: J Cole Morrison
Date: Thu, 9 Apr 2020 20:11:09 -0700
Subject: [PATCH] security groups
---
security-groups.tf | 116 +++++++++++++++++++++++++++++++++++++++++++++
variables.tf | 16 +++++++
2 files changed, 132 insertions(+)
create mode 100644 security-groups.tf
diff --git a/security-groups.tf b/security-groups.tf
new file mode 100644
index 0000000..1eb2b41
--- /dev/null
+++ b/security-groups.tf
@@ -0,0 +1,116 @@
+# Security Groups (SG)
+
+## Load Balancer SG
+resource "aws_security_group" "load_balancer" {
+ name_prefix = "${var.main_project_tag}-alb-sg"
+ description = "Firewall for the application load balancer fronting the vault instances."
+ vpc_id = aws_vpc.vault.id
+ tags = merge(
+ { "Name" = "${var.main_project_tag}-alb-sg" },
+ { "Project" = var.main_project_tag }
+ )
+}
+
+resource "aws_security_group_rule" "load_balancer_allow_80" {
+ security_group_id = aws_security_group.load_balancer.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ cidr_blocks = var.allowed_traffic_cidr_blocks
+ description = "Allow HTTP traffic."
+}
+
+resource "aws_security_group_rule" "load_balancer_allow_443" {
+ security_group_id = aws_security_group.load_balancer.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = var.allowed_traffic_cidr_blocks
+ description = "Allow HTTPS traffic."
+}
+
+resource "aws_security_group_rule" "load_balancer_allow_outbound" {
+ security_group_id = aws_security_group.load_balancer.id
+ type = "egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow any outbound traffic."
+}
+
+## Vault Instance SG
+
+resource "aws_security_group" "vault_instance" {
+ name_prefix = "${var.main_project_tag}-vault-instance-sg"
+ description = "Firewall for the vault instances."
+ vpc_id = aws_vpc.vault.id
+ tags = merge(
+ { "Name" = "${var.main_project_tag}-vault-instance-sg" },
+ { "Project" = var.main_project_tag }
+ )
+}
+
+resource "aws_security_group_rule" "vault_instance_allow_8200" {
+ security_group_id = aws_security_group.vault_instance.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 8200
+ to_port = 8200
+ source_security_group_id = aws_security_group.load_balancer.id
+ description = "Allow traffic from Load Balancer."
+}
+
+resource "aws_security_group_rule" "vault_instance_allow_8201" {
+ security_group_id = aws_security_group.vault_instance.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 8201
+ to_port = 8201
+ self = true
+ description = "Allow traffic from fellow vault instances that have this SG."
+}
+
+resource "aws_security_group_rule" "vault_instance_allow_outbound" {
+ security_group_id = aws_security_group.vault_instance.id
+ type = "egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow any outbound traffic."
+}
+
+## Bastion SG
+
+resource "aws_security_group" "bastion" {
+ name_prefix = "${var.main_project_tag}-bastion-sg"
+ description = "Firewall for the operator bastion instance"
+ vpc_id = aws_vpc.vault.id
+ tags = merge(
+ { "Name" = "${var.main_project_tag}-bastion-sg" },
+ { "Project" = var.main_project_tag }
+ )
+}
+
+resource "aws_security_group_rule" "bastion_allow_22" {
+ security_group_id = aws_security_group.bastion.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = var.allowed_bastion_cidr_blocks
+ description = "Allow SSH traffic."
+}
+
+resource "aws_security_group_rule" "bastion_allow_outbound" {
+ security_group_id = aws_security_group.bastion.id
+ type = "egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow any outbound traffic."
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 0eb4630..6067388 100644
--- a/variables.tf
+++ b/variables.tf
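Review bot: `bastion_allow_22` opens TCP/22 to `var.allowed_bastion_cidr_blocks`, and the `variables.tf` hunk in this same patch gives that variable `default = ["0.0.0.0/0"]`, so a plain `terraform apply` with no tfvars leaves the bastion's SSH port reachable from the whole internet (the same default feeds `load_balancer_allow_80`/`load_balancer_allow_443` through `var.allowed_traffic_cidr_blocks`, where a public entry point is at least the stated intent). The safer default is none: drop the `default = ["0.0.0.0/0"]` line from `allowed_bastion_cidr_blocks` so the operator must supply the source ranges, rather than relying on the "You should probably limit this" wording in the description. The three `*_allow_outbound` rules allow every protocol to `0.0.0.0/0`; for `vault_instance` the egress could be narrowed to what the instances need (peer traffic on 8201 via `self = true` plus the storage backend), though those endpoints are not visible in this hunk. Nothing here lets `bastion` reach `vault_instance` on 22 or 8200, so as committed the bastion cannot administer the instances; presumably that rule arrives with the operator-mode work mentioned in variables.tf, and a short `# operator access to vault_instance is added by operator mode` comment under `## Bastion SG` would make that explicit. Since each `aws_security_group` uses `name_prefix`, adding `lifecycle { create_before_destroy = true }` to those three resources lets Terraform replace a group whose name changes without first tearing down the rules that reference it.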
@@ -82,6 +82,22 @@ variable "dynamodb_table_name" {
 default = "vault_storage"
 }
 
+# Allowed Traffic
+## What IP Address ranges (via CIDR) are allowed to access your vault?
+
+variable "allowed_traffic_cidr_blocks" {
+ description = "List of CIDR blocks allowed to access your vault. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+## What IP Address range can access your bastion server?
+variable "allowed_bastion_cidr_blocks" {
+ description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
 # Operator Mode
 ## Turning this on will enable NAT and Bastion to access the Vault Instances