
The security_groups.tf File

Filename Location Group Project/Repository
vpc_subnets.tf ./vpc_subnets.tf infrastructure terraform

Why?

By default, AWS security groups block all inbound traffic to our EC2 Instances. To allow traffic in (or keep it out) we have to define Security Groups and the rules attached to them.

We'll be allowing HTTPS into the ALB, and SSH plus HTTP on port 8080 into the web server instances.

Breakdown

Let's break down our Security Groups into sections based on the protocol they're allowing in.

ALB - HTTPS

# Security group attached to the ALB. The group carries no inline rules;
# ingress/egress are declared separately with aws_security_group_rule.
resource "aws_security_group" "alb" {
  vpc_id      = aws_vpc.httpcats.id
  name        = "httpcats-alb"
  description = "Manages all connections to the ALB"

  # Project-wide tags plus a human-readable Name for the console.
  tags = merge(local.common_tags, { Name = "ALBs" })
}

Rules

# Allow HTTPS (TCP/443) into the ALB from any IPv4 source.
# NOTE(review): only IPv4 is opened here; a dualstack ALB would also need
# ipv6_cidr_blocks.
resource "aws_security_group_rule" "alb-https" {
  security_group_id = aws_security_group.alb.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "HTTPS"
}

# Unrestricted egress from the ALB: every protocol and port, any IPv4 destination.
# Tightening this to the web server port and the VPC CIDR limits what a
# compromised ALB listener could reach.
# NOTE(review): provider docs expect from_port/to_port = 0 when protocol is
# all/-1; confirm the -1 values here apply without a perpetual plan diff.
resource "aws_security_group_rule" "egress_all" {
  security_group_id = aws_security_group.alb.id
  type              = "egress"
  protocol          = "all"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "All"
}

Web Servers - HTTP, SSH

# Security group attached to the internal web servers. No inline rules;
# each rule is its own aws_security_group_rule resource below.
resource "aws_security_group" "webserver" {
  vpc_id      = aws_vpc.httpcats.id
  name        = "httpcats-webserver"
  description = "Manages all connections to the internal web servers"

  # Project-wide tags plus a human-readable Name for the console.
  tags = merge(local.common_tags, { Name = "Webservers" })
}

Rules

# Allow the application port (TCP/8080) only from addresses inside the VPC
# CIDR, so the web servers are not reachable on 8080 from the internet.
resource "aws_security_group_rule" "http-custom" {
  security_group_id = aws_security_group.webserver.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 8080
  to_port           = 8080
  cidr_blocks       = [aws_vpc.httpcats.cidr_block]
  description       = "custom http port"
}

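# SSH (TCP/22) into the web servers. The source was previously 0.0.0.0/0,
# which exposes port 22 on any instance with a public address to the whole
# internet. The source is restricted to the VPC CIDR, matching the
# http-custom rule; administrative access from outside the VPC should go
# through a bastion host or SSM Session Manager, with its own narrowly
# scoped rule, rather than a world-open one.
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  description       = "ssh"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.httpcats.cidr_block]
  security_group_id = aws_security_group.webserver.id
}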

# Unrestricted egress from the web servers: every protocol and port, any
# IPv4 destination. Limiting this (e.g. to package mirrors and the VPC)
# reduces what a compromised instance can reach.
# NOTE(review): provider docs expect from_port/to_port = 0 when protocol is
# all/-1; confirm the -1 values here apply without a perpetual plan diff.
resource "aws_security_group_rule" "webserver-egress" {
  security_group_id = aws_security_group.webserver.id
  type              = "egress"
  protocol          = "all"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "All"
}

The Solution

# Security group attached to the ALB. The group carries no inline rules;
# ingress/egress are declared separately with aws_security_group_rule.
resource "aws_security_group" "alb" {
  vpc_id      = aws_vpc.httpcats.id
  name        = "httpcats-alb"
  description = "Manages all connections to the ALB"

  # Project-wide tags plus a human-readable Name for the console.
  tags = merge(local.common_tags, { Name = "ALBs" })
}

# Allow HTTPS (TCP/443) into the ALB from any IPv4 source.
# NOTE(review): only IPv4 is opened here; a dualstack ALB would also need
# ipv6_cidr_blocks.
resource "aws_security_group_rule" "alb-https" {
  security_group_id = aws_security_group.alb.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "HTTPS"
}

# Unrestricted egress from the ALB: every protocol and port, any IPv4 destination.
# Tightening this to the web server port and the VPC CIDR limits what a
# compromised ALB listener could reach.
# NOTE(review): provider docs expect from_port/to_port = 0 when protocol is
# all/-1; confirm the -1 values here apply without a perpetual plan diff.
resource "aws_security_group_rule" "egress_all" {
  security_group_id = aws_security_group.alb.id
  type              = "egress"
  protocol          = "all"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "All"
}


# Security group attached to the internal web servers. No inline rules;
# each rule is its own aws_security_group_rule resource below.
resource "aws_security_group" "webserver" {
  vpc_id      = aws_vpc.httpcats.id
  name        = "httpcats-webserver"
  description = "Manages all connections to the internal web servers"

  # Project-wide tags plus a human-readable Name for the console.
  tags = merge(local.common_tags, { Name = "Webservers" })
}

# Allow the application port (TCP/8080) only from addresses inside the VPC
# CIDR, so the web servers are not reachable on 8080 from the internet.
resource "aws_security_group_rule" "http-custom" {
  security_group_id = aws_security_group.webserver.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 8080
  to_port           = 8080
  cidr_blocks       = [aws_vpc.httpcats.cidr_block]
  description       = "custom http port"
}

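# SSH (TCP/22) into the web servers. The source was previously 0.0.0.0/0,
# which exposes port 22 on any instance with a public address to the whole
# internet. The source is restricted to the VPC CIDR, matching the
# http-custom rule; administrative access from outside the VPC should go
# through a bastion host or SSM Session Manager, with its own narrowly
# scoped rule, rather than a world-open one.
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  description       = "ssh"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.httpcats.cidr_block]
  security_group_id = aws_security_group.webserver.id
}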

# Unrestricted egress from the web servers: every protocol and port, any
# IPv4 destination. Limiting this (e.g. to package mirrors and the VPC)
# reduces what a compromised instance can reach.
# NOTE(review): provider docs expect from_port/to_port = 0 when protocol is
# all/-1; confirm the -1 values here apply without a perpetual plan diff.
resource "aws_security_group_rule" "webserver-egress" {
  security_group_id = aws_security_group.webserver.id
  type              = "egress"
  protocol          = "all"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "All"
}

Terraform Documentation

Type Documentation
aws_security_group Terraform AWS Provider
aws_security_group_rule Terraform AWS Provider

Committing the Code

  1. Set your working directory to the infrastructure/terraform repository
  2. Save the file as security_groups.tf and use git add security_groups.tf to add it to the Git staging area
  3. Use git commit -am 'securing our infra with some firewall rules' to commit the file to our repository
  4. Push the code to GitLab.com: git push

Last update: August 25, 2021