Home Explore Help
Register Sign In
AFS
/
xdr-terraform-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 8df24053bf
Branches Tags
xdr-terraform-m...
/
base
/
keycloak
/
security-groups.tf

security-groups.tf 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1. # Rather than pass in the aws security group, we just look it up. This will
    2. 

  2. # probably be useful other places, as well.
    3. 

  3. data "aws_security_group" "typical-host" {
    4. 

  4.   name   = "typical-host"
    5. 

  5.   vpc_id = var.vpc_id
    6. 

  6. }
    7. 

  7. 

  8. data "aws_security_group" "aws_endpoints" {
    9. 

  9.   name   = "aws_endpoints"
    10. 

  10.   vpc_id = var.vpc_id
    11. 

  11. }
    12. 

  12. 

  13. # For now, opening everything:
    14. 

  14. #   ajp port: 8009
    15. 

  15. #   http: 8080
    16. 

  16. #   https: 8443
    17. 

  17. #   mgmt-http: 9990
    18. 

  18. #   mgmt-https: 9993
    19. 

  19. #   txn-recovery-environment: 4712
    20. 

  20. #   txn-status-manager: 4713
    21. 

  21. #
    22. 

  22. #   Also opening 80 and 443 for certbot
    23. 

  23. 

  24. resource "aws_security_group" "instance" {
    25. 

  25.   name = "Keycloak"
    26. 

  26.   description = "Keycloak Instances"
    27. 

  27.   vpc_id = var.vpc_id
    28. 

  28.   tags = merge(var.standard_tags, var.tags)
    29. 

  29. }
    30. 

  30. 

  31. resource "aws_security_group_rule" "cluster-connectivity-ingress" {
    32. 

  32.   description = "Receive any from other cluster members"
    33. 

  33.   type = "ingress"
    34. 

  34.   from_port = -1
    35. 

  35.   to_port = -1
    36. 

  36.   protocol = -1
    37. 

  37.   security_group_id = aws_security_group.instance.id
    38. 

  38.   source_security_group_id = aws_security_group.instance.id
    39. 

  39. }
    40. 

  40. 

  41. resource "aws_security_group_rule" "cluster-connectivity-egress" {
    42. 

  42.   description = "send any to other cluster members"
    43. 

  43.   type = "egress"
    44. 

  44.   from_port = -1
    45. 

  45.   to_port = -1
    46. 

  46.   protocol = -1
    47. 

  47.   security_group_id = aws_security_group.instance.id
    48. 

  48.   source_security_group_id = aws_security_group.instance.id
    49. 

  49. }
    50. 

  50. 

  51. 

  52. #resource "aws_security_group_rule" "instance-http-in" {
    53. 

  53. #  description = ""
    54. 

  54. #  type = "ingress"
    55. 

  55. #  from_port = "80"
    56. 

  56. #  to_port = "80"
    57. 

  57. #  protocol = "tcp"
    58. 

  58. #  cidr_blocks = [ "0.0.0.0/0" ]
    59. 

  59. #  security_group_id = aws_security_group.instance.id
    60. 

  60. #}
    61. 

  61. #
    62. 

  62. #resource "aws_security_group_rule" "instance-https-in" {
    63. 

  63. #  description = ""
    64. 

  64. #  type = "ingress"
    65. 

  65. #  from_port = "443"
    66. 

  66. #  to_port = "443"
    67. 

  67. #  protocol = "tcp"
    68. 

  68. #  cidr_blocks = [ "0.0.0.0/0" ]
    69. 

  69. #  security_group_id = aws_security_group.instance.id
    70. 

  70. #}
    71. 

  71. #
    72. 

  72. #resource "aws_security_group_rule" "instance-ajp-in" {
    73. 

  73. #  description = ""
    74. 

  74. #  type = "ingress"
    75. 

  75. #  from_port = "8009"
    76. 

  76. #  to_port = "8009"
    77. 

  77. #  protocol = "tcp"
    78. 

  78. #  cidr_blocks = [ "0.0.0.0/0" ]
    79. 

  79. #  security_group_id = aws_security_group.instance.id
    80. 

  80. #}
    81. 

  81. 

  82. resource "aws_security_group_rule" "instance-alt-http-in-from-access" {
    83. 

  83.   description = "Alt HTTP from access"
    84. 

  84.   type = "ingress"
    85. 

  85.   from_port = "8080"
    86. 

  86.   to_port = "8080"
    87. 

  87.   protocol = "tcp"
    88. 

  88.   cidr_blocks = var.cidr_map["vpc-access"]
    89. 

  89.   security_group_id = aws_security_group.instance.id
    90. 

  90. }
    91. 

  91. 

  92. resource "aws_security_group_rule" "instance-alt-http-in-from-elb" {
    93. 

  93.   description = "Alt HTTP from ELB"
    94. 

  94.   type = "ingress"
    95. 

  95.   from_port = "8080"
    96. 

  96.   to_port = "8080"
    97. 

  97.   protocol = "tcp"
    98. 

  98.   security_group_id = aws_security_group.instance.id
    99. 

  99.   source_security_group_id = aws_security_group.elb_external.id
    100. 

  100. }
    101. 

  101. 

  102. resource "aws_security_group_rule" "instance-alt-https-in-from-access" {
    103. 

  103.   description = "Alt HTTPS from Access"
    104. 

  104.   type = "ingress"
    105. 

  105.   from_port = "8443"
    106. 

  106.   to_port = "8443"
    107. 

  107.   protocol = "tcp"
    108. 

  108.   cidr_blocks = var.cidr_map["vpc-access"]
    109. 

  109.   security_group_id = aws_security_group.instance.id
    110. 

  110. }
    111. 

  111. 

  112. resource "aws_security_group_rule" "instance-alt-https-in-from-elb" {
    113. 

  113.   description = "Alt HTTPS from ELB"
    114. 

  114.   type = "ingress"
    115. 

  115.   from_port = "8443"
    116. 

  116.   to_port = "8443"
    117. 

  117.   protocol = "tcp"
    118. 

  118.   security_group_id = aws_security_group.instance.id
    119. 

  119.   source_security_group_id = aws_security_group.elb_external.id
    120. 

  120. }
    121. 

  121. 

  122. resource "aws_security_group_rule" "instance-db-outbound" {
    123. 

  123.   description = "Postgres Outbound"
    124. 

  124.   type = "egress"
    125. 

  125.   from_port = "5432"
    126. 

  126.   to_port = "5432"
    127. 

  127.   protocol = "tcp"
    128. 

  128.   security_group_id = aws_security_group.instance.id
    129. 

  129.   source_security_group_id = data.aws_security_group.aws_endpoints.id
    130. 

  130. }
    131. 

  131. 

  132. 

  133. #resource "aws_security_group_rule" "instance-mgmt-http-in" {
    134. 

  134. #  description = ""
    135. 

  135. #  type = "ingress"
    136. 

  136. #  from_port = "9990"
    137. 

  137. #  to_port = "9990"
    138. 

  138. #  protocol = "tcp"
    139. 

  139. #  cidr_blocks = [ "0.0.0.0/0" ]
    140. 

  140. #  security_group_id = aws_security_group.instance.id
    141. 

  141. #}
    142. 

  142. #
    143. 

  143. #resource "aws_security_group_rule" "instance-mgmt-https-in" {
    144. 

  144. #  description = ""
    145. 

  145. #  type = "ingress"
    146. 

  146. #  from_port = "9993"
    147. 

  147. #  to_port = "9993"
    148. 

  148. #  protocol = "tcp"
    149. 

  149. #  cidr_blocks = [ "0.0.0.0/0" ]
    150. 

  150. #  security_group_id = aws_security_group.instance.id
    151. 

  151. #}
    152. 

  152. #
    153. 

  153. #resource "aws_security_group_rule" "instance-txn-in" {
    154. 

  154. #  description = ""
    155. 

  155. #  type = "ingress"
    156. 

  156. #  from_port = "4712"
    157. 

  157. #  to_port = "4713"
    158. 

  158. #  protocol = "tcp"
    159. 

  159. #  cidr_blocks = [ "0.0.0.0/0" ]
    160. 

  160. #  security_group_id = aws_security_group.instance.id
    161. 

  161. #}
    162. 

  162. #
    163. 

  163. ## lock down before production, but I couldn't get letsencrypt to work with the proxy
    164. 

  164. #resource "aws_security_group_rule" "instance-all-out" {
    165. 

  165. #  description = ""
    166. 

  166. #  type = "egress"
    167. 

  167. #  from_port = "-1"
    168. 

  168. #  to_port = "-1"
    169. 

  169. #  protocol = "-1"
    170. 

  170. #  cidr_blocks = [ "0.0.0.0/0" ]
    171. 

  171. #  security_group_id = aws_security_group.instance.id
    172. 

  172. #}
    173.