security groups
parent
ddf83c628c
commit
9a9b4d0090
@ -0,0 +1,116 @@
# Security Groups (SG)
## Load Balancer SG
resource "aws_security_group" "load_balancer" {
name_prefix = "${var.main_project_tag}-alb-sg"
description = "Firewall for the application load balancer fronting the vault instances."
vpc_id = aws_vpc.vault.id
tags = merge(
{ "Name" = "${var.main_project_tag}-alb-sg" },
{ "Project" = var.main_project_tag }
)
}
resource "aws_security_group_rule" "load_balancer_allow_80" {
security_group_id = aws_security_group.load_balancer.id
type = "ingress"
protocol = "tcp"
from_port = 80
to_port = 80
cidr_blocks = var.allowed_traffic_cidr_blocks
description = "Allow HTTP traffic."
}
resource "aws_security_group_rule" "load_balancer_allow_443" {
security_group_id = aws_security_group.load_balancer.id
type = "ingress"
protocol = "tcp"
from_port = 443
to_port = 443
cidr_blocks = var.allowed_traffic_cidr_blocks
description = "Allow HTTPS traffic."
}
resource "aws_security_group_rule" "load_balancer_allow_outbound" {
security_group_id = aws_security_group.load_balancer.id
type = "egress"
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
description = "Allow any outbound traffic."
}
## Vault Instance SG
resource "aws_security_group" "vault_instance" {
name_prefix = "${var.main_project_tag}-vault-instance-sg"
description = "Firewall for the vault instances."
vpc_id = aws_vpc.vault.id
tags = merge(
{ "Name" = "${var.main_project_tag}-vault-instance-sg" },
{ "Project" = var.main_project_tag }
)
}
resource "aws_security_group_rule" "vault_instance_allow_8200" {
security_group_id = aws_security_group.vault_instance.id
type = "ingress"
protocol = "tcp"
from_port = 8200
to_port = 8200
source_security_group_id = aws_security_group.load_balancer.id
description = "Allow traffic from Load Balancer."
}
resource "aws_security_group_rule" "vault_instance_allow_8201" {
security_group_id = aws_security_group.vault_instance.id
type = "ingress"
protocol = "tcp"
from_port = 8201
to_port = 8201
self = true
description = "Allow traffic from fellow vault instances that have this SG."
}
resource "aws_security_group_rule" "vault_instance_allow_outbound" {
security_group_id = aws_security_group.vault_instance.id
type = "egress"
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
description = "Allow any outbound traffic."
}
## Bastion SG
resource "aws_security_group" "bastion" {
name_prefix = "${var.main_project_tag}-bastion-sg"
description = "Firewall for the operator bastion instance"
vpc_id = aws_vpc.vault.id
tags = merge(
{ "Name" = "${var.main_project_tag}-bastion-sg" },
{ "Project" = var.main_project_tag }
)
}
resource "aws_security_group_rule" "bastion_allow_22" {
security_group_id = aws_security_group.bastion.id
type = "ingress"
protocol = "tcp"
from_port = 22
to_port = 22
cidr_blocks = var.allowed_bastion_cidr_blocks
description = "Allow SSH traffic."
}
resource "aws_security_group_rule" "bastion_allow_outbound" {
security_group_id = aws_security_group.bastion.id
type = "egress"
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
description = "Allow any outbound traffic."
}
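Review bot: `load_balancer_allow_80` opens plaintext HTTP from `var.allowed_traffic_cidr_blocks` alongside the 443 rule, and nothing in this hunk records whether the ALB's port-80 listener only redirects to HTTPS or forwards to the Vault instances; in the latter case Vault tokens carried in request headers would cross the network unencrypted (the listener resource is not part of this commit, so this is inferred). If redirect is the intent, state it on the rule, e.g. `description = "Allow HTTP traffic (port 80 listener must only redirect to HTTPS)."`; otherwise the rule should go. Separately, the three `*_allow_outbound` rules here and in the `vault_instance` and `bastion` blocks all grant `protocol = "-1"` to `0.0.0.0/0`; the load balancer's egress in particular can be narrowed to the one path it needs by replacing `cidr_blocks` with `source_security_group_id = aws_security_group.vault_instance.id` and setting protocol/from_port/to_port to tcp 8200, which is exactly what `vault_instance_allow_8200` accepts from it. The name of the new file this section belongs to is not visible on the page.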
16
variables.tf
16
variables.tf
@ -82,6 +82,22 @@ variable "dynamodb_table_name" {
default = "vault_storage"
}
# Allowed Traffic
## What IP Address ranges (via CIDR) are allowed to access your vault?
variable "allowed_traffic_cidr_blocks" {
description = "List of CIDR blocks allowed to access your vault. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
type = list(string)
default = ["0.0.0.0/0"]
}
## What IP Address range can access your bastion server?
variable "allowed_bastion_cidr_blocks" {
description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
type = list(string)
default = ["0.0.0.0/0"]
}
# Operator Mode
## Turning this on will enable NAT and Bastion to access the Vault Instances
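Review bot: Both new variables default to `["0.0.0.0/0"]`, so a caller who never sets `allowed_bastion_cidr_blocks` gets a bastion whose SSH port is reachable from any address, and the same default on `allowed_traffic_cidr_blocks` exposes the Vault load balancer on 80/443 the same way; the descriptions admit this, but a default is the value most deployments end up keeping. Remove the `default = ["0.0.0.0/0"]` line from both blocks so `terraform plan` cannot proceed until the source ranges are stated explicitly, keeping `description` and `type = list(string)` as they are. If the Terraform version in use supports variable `validation` blocks, a `condition` that rejects a `0.0.0.0/0` entry would additionally catch an explicit wildcard. The `variable "dynamodb_table_name"` block whose closing lines open this hunk begins outside it.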