AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115
							# Rather than pass in the aws security group, we just look it up. This will
# probably be useful other places, as well.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

# For now, opening everything:
#   ajp port: 8009
#   http: 8080
#   https: 8443
#   mgmt-http: 9990
#   mgmt-https: 9993
#   txn-recovery-environment: 4712
#   txn-status-manager: 4713
#
#   Also opening 80 and 443 for certbot

resource "aws_security_group" "instance" {
  name = "instance-${var.instance_name}"
  description = "Instances of type ${var.instance_name}"
  vpc_id = var.vpc_id
  tags = merge(var.standard_tags, var.tags)
}

resource "aws_security_group_rule" "instance-http-in" {
  description = ""
  type = "ingress"
  from_port = "80"
  to_port = "80"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-https-in" {
  description = ""
  type = "ingress"
  from_port = "443"
  to_port = "443"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-ajp-in" {
  description = ""
  type = "ingress"
  from_port = "8009"
  to_port = "8009"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-alt-http-in" {
  description = ""
  type = "ingress"
  from_port = "8080"
  to_port = "8080"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-alt-https-in" {
  description = ""
  type = "ingress"
  from_port = "8443"
  to_port = "8443"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-mgmt-http-in" {
  description = ""
  type = "ingress"
  from_port = "9990"
  to_port = "9990"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-mgmt-https-in" {
  description = ""
  type = "ingress"
  from_port = "9993"
  to_port = "9993"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-txn-in" {
  description = ""
  type = "ingress"
  from_port = "4712"
  to_port = "4713"
  protocol = "tcp"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}

# lock down before production, but I couldn't get letsencrypt to work with the proxy
resource "aws_security_group_rule" "instance-all-out" {
  description = ""
  type = "egress"
  from_port = "-1"
  to_port = "-1"
  protocol = "-1"
  cidr_blocks = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.instance.id
}