From d18d8e745ae5b5acd09c2a667da2b014e03cb1ad Mon Sep 17 00:00:00 2001
From: Pierre Mavro
Date: Fri, 22 Apr 2022 19:58:06 +0200
Subject: [PATCH] feat: add security rules to aws EC2

---
 lib/aws/bootstrap-ec2/ec2-sec-group.tf | 19 +++++++++++++------
 lib/aws/bootstrap-ec2/ec2.j2.tf | 4 +++-
 lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf | 2 +-
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/lib/aws/bootstrap-ec2/ec2-sec-group.tf b/lib/aws/bootstrap-ec2/ec2-sec-group.tf
index 02cd4bfc..a82bd0e9 100644
--- a/lib/aws/bootstrap-ec2/ec2-sec-group.tf
+++ b/lib/aws/bootstrap-ec2/ec2-sec-group.tf
@@ -13,15 +13,22 @@ resource "aws_security_group" "ec2_cluster" {
 tags = local.tags_ec2
 }
 
-# OPTIONAL: Allow inbound traffic from your local workstation external IP
-# to the Kubernetes. You will need to replace A.B.C.D below with
-# your real IP. Services like icanhazip.com can help you find this.
-resource "aws_security_group_rule" "cluster_ingress_workstation_https" {
-  cidr_blocks = var.ec2_access_cidr_blocks
-  description = "Allow workstation to communicate with the cluster API Server"
+resource "aws_security_group_rule" "https" {
+  cidr_blocks = "0.0.0.0/0"
+  description = "HTTPS connectivity"
 from_port = 443
 protocol = "tcp"
 security_group_id = aws_security_group.ec2_cluster.id
 to_port = 443
 type = "ingress"
 }
+
+resource "aws_security_group_rule" "ssh" {
+  cidr_blocks = "0.0.0.0/0"
+  description = "SSH remote access"
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.ec2_cluster.id
+  to_port = 22
+  type = "ssh"
+}
\ No newline at end of file
diff --git a/lib/aws/bootstrap-ec2/ec2.j2.tf b/lib/aws/bootstrap-ec2/ec2.j2.tf
index e85ed5f9..2a9bb030 100644
--- a/lib/aws/bootstrap-ec2/ec2.j2.tf
+++ b/lib/aws/bootstrap-ec2/ec2.j2.tf
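Review bot: Both new rules will be rejected at plan time: `cidr_blocks` on `aws_security_group_rule` is a list, so `"0.0.0.0/0"` must be written `cidr_blocks = ["0.0.0.0/0"]`, and `type = "ssh"` in the ssh rule is not a valid value because the argument only accepts `ingress` or `egress`, so it should read `type = "ingress"`. Beyond syntax, the commit replaces a rule scoped to `var.ec2_access_cidr_blocks` with two rules open to any source address, and the removed comment was the only place documenting that the allowed sources were meant to be restricted; for the ssh rule at least, `cidr_blocks = var.ec2_access_cidr_blocks` would keep the previous scoping and leave the choice to the caller. The file also loses its trailing newline.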
@@ -31,7 +31,9 @@ resource "aws_instance" "web" {
 associate_public_ip_address = true
 
 # security
-  #vpc_security_group_ids = [aws_vpc.ec2.*.id]
+  vpc_security_group_ids = [aws_vpc.ec2.id]
+  subnet_id = aws_subnet.ec2_zone_a.id
+  security_groups = [aws_security_group.ec2_cluster.id]
 
 user_data = local.bootstrap
 
diff --git a/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf b/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf
index c4612160..e5235b07 100644
--- a/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf
+++ b/lib/aws/bootstrap-ec2/tf-providers-aws.j2.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-      version = "~> 3.66.0"
+      version = "~> 4.11.0"
 }
 external = {
 source = "hashicorp/external"
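Review bot: `vpc_security_group_ids = [aws_vpc.ec2.id]` passes a VPC id where a list of security-group ids is expected, and `security_groups` is the name-based argument for non-VPC instances, so the instance is unlikely to end up attached to `aws_security_group.ec2_cluster` as intended and the apply will probably fail on the unknown group. The three added lines should be reduced to `vpc_security_group_ids = [aws_security_group.ec2_cluster.id]` and `subnet_id = aws_subnet.ec2_zone_a.id`, dropping the `security_groups` line. Since `associate_public_ip_address = true` is set just above, the attached group is the only thing standing between this instance and inbound internet traffic, which makes getting this reference right worth a comment such as `# security: attach the cluster SG by id; this instance has a public IP`. The `aws_instance` block continues outside the hunk.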