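# ---------------------------------------------------------------------------------------------------------------------
# SECURITY GROUP FOR VAULT CLIENT (WEB SERVER)
#
# Review notes:
#   * Every ingress rule on this group previously allowed 0.0.0.0/0, i.e. SSH, the Vault API and the admin URL were
#     reachable from the whole internet. They are now limited to var.allowed_traffic_cidr_blocks (the operator CIDRs
#     this file already uses for the ALB) plus the ALB security group where the ALB is the expected caller. Consider a
#     dedicated variable for operator/bastion SSH ranges so SSH and HTTP reachability can be managed independently.
#   * `name` is left unchanged and no resource-level `description` is added: both force replacement of the group.
#     Descriptions are set per rule instead, which is an in-place update.
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_security_group" "vault-client_sg" {
  name   = "vault-client_sg"
  vpc_id = aws_vpc.main.id

  # SSH: operator/bastion ranges only, never the whole internet.
  ingress {
    description = "SSH from operator CIDRs"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.allowed_traffic_cidr_blocks
  }

  # Vault API (8200). NOTE(review): nothing in this file shows why the web server itself listens on 8200 (a Vault
  # Agent listener, perhaps). If it does not, drop this rule rather than keeping an unused open port.
  ingress {
    description = "Vault API from operator CIDRs"
    from_port   = 8200
    to_port     = 8200
    protocol    = "tcp"
    cidr_blocks = var.allowed_traffic_cidr_blocks
  }

  # Admin URL (8080): reachable from the ALB and from operator CIDRs. Confirm against the ALB target group which
  # backend port the ALB actually forwards to; the ALB source is allowed here and on the Vault server so that the
  # narrowing does not break either layout.
  ingress {
    description     = "Admin URL from ALB and operator CIDRs"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    cidr_blocks     = var.allowed_traffic_cidr_blocks
    security_groups = [aws_security_group.load_balancer.id]
  }

  # Internal traffic between members of this group.
  ingress {
    description = "All traffic between vault clients"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  egress {
    description = "All outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name    = "${var.stack}-vault-client-sg"
    Project = var.stack
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# SECURITY GROUP FOR VAULT SERVER
#
# The Vault server holds the secrets for the whole stack, so its API must only be reachable from the tiers that
# consume it (the web-server tier, the ALB fronting it) and from operator CIDRs -- not from 0.0.0.0/0 as before.
# Vault's cluster/replication port (8201) between servers is covered by the `self = true` rule below.
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_security_group" "vault-server_sg" {
  name   = "vault-server_sg"
  vpc_id = aws_vpc.main.id

  # SSH: operator/bastion ranges only.
  ingress {
    description = "SSH from operator CIDRs"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.allowed_traffic_cidr_blocks
  }

  # Vault API (8200): web-server tier, ALB and operator CIDRs. Referencing the client SG rather than a CIDR means the
  # rule follows the instances, not the subnet layout. No reference cycle: the client SG does not reference this one.
  ingress {
    description     = "Vault API from vault clients, ALB and operator CIDRs"
    from_port       = 8200
    to_port         = 8200
    protocol        = "tcp"
    cidr_blocks     = var.allowed_traffic_cidr_blocks
    security_groups = [aws_security_group.vault-client_sg.id, aws_security_group.load_balancer.id]
  }

  # Internal traffic between Vault servers (HA cluster traffic included).
  ingress {
    description = "All traffic between vault servers"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  egress {
    description = "All outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name    = "${var.stack}-vault-server-sg"
    Project = var.stack
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# SECURITY GROUP FOR MySQL
#
# MySQL is accepted from the whole VPC CIDR. That is already not internet-exposed, but the tighter form is to list the
# security groups of the tiers that actually open MySQL connections (`security_groups = [...]`) instead of a CIDR;
# which tiers those are is not visible in this file, so the CIDR rule is kept.
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_security_group" "db-sg" {
  name        = "${var.stack}-db-sg"
  description = "Access to the RDS instances from the VPC"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "MySQL from the VPC"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }

  # For protocol "icmp", from_port is the ICMP type and to_port the ICMP code: type 8 / code 0 is echo request,
  # i.e. this only permits ping from inside the VPC (not all ICMP).
  ingress {
    description = "ICMP echo request from the VPC"
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = [var.vpc_cidr]
  }

  # An RDS instance initiates no outbound connections of its own; the open egress is kept for backward compatibility
  # but could be removed.
  egress {
    description = "All outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.stack}-db-sg"
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# SECURITY GROUP FOR Load Balancer
#
# This group is managed with standalone aws_security_group_rule resources. Do not add inline ingress/egress blocks to
# it: mixing the two styles on one group makes Terraform fight itself over the rule set on every apply.
# ---------------------------------------------------------------------------------------------------------------------
resource "aws_security_group" "load_balancer" {
  name_prefix = "${var.stack}-alb-sg"
  description = "Firewall for the application load balancer fronting the vault instances."
  vpc_id      = aws_vpc.main.id

  tags = merge(
    {
      "Name" = "${var.stack}-alb-sg"
    },
    {
      "Project" = var.stack
    }
  )
}

# NOTE(review): the only listener port is plain HTTP (80). If this ALB really fronts the Vault API, client tokens and
# secrets cross the network in clear text between the caller and the ALB; an HTTPS (443) listener with a certificate
# should be the only public entry point, with 80 at most redirecting to it. Adding 443 here is pointless without the
# listener, so the rule is left as found.
resource "aws_security_group_rule" "load_balancer_allow_80" {
  security_group_id = aws_security_group.load_balancer.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = var.allowed_traffic_cidr_blocks
  description       = "Allow HTTP traffic."
}

resource "aws_security_group_rule" "load_balancer_allow_outbound" {
  security_group_id = aws_security_group.load_balancer.id
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow any outbound traffic."
}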