mulesoft-flex-gateway-iac/terraform/modules/flex_gateway/sg.tf at main · CityOfPhiladelphia/mulesoft-flex-gateway-iac · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
// EC2 security group
resource "aws_security_group" "ec2" {
  name        = "${var.app_name}-${var.env_name}-ec2"
  description = "SG for EC2"
  vpc_id      = var.vpc_id

  tags = merge(local.default_tags, { Name = "${var.app_name}-${var.env_name}-ec2" })
}

resource "aws_vpc_security_group_egress_rule" "ec2_outbound_all_to_everywhere" {
  security_group_id = aws_security_group.ec2.id
  description       = "Full outbound access"

  ip_protocol = -1
  cidr_ipv4   = "0.0.0.0/0"
}

# For health check
resource "aws_vpc_security_group_ingress_rule" "ec2_inbound_http_from_alb" {
  security_group_id = aws_security_group.ec2.id
  description       = "Inbound http access from ALB"

  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.alb.id
}

resource "aws_vpc_security_group_ingress_rule" "ec2_inbound_flex_gateway_from_alb" {
  security_group_id = aws_security_group.ec2.id
  description       = "Inbound http access from ALB"

  ip_protocol                  = "tcp"
  from_port                    = 8081
  to_port                      = 8081
  referenced_security_group_id = aws_security_group.alb.id
}

// ALB security group
resource "aws_security_group" "alb" {
  name        = "${var.app_name}-${var.env_name}-alb"
  description = "SG for ALB"
  vpc_id      = var.vpc_id

  tags = merge(local.default_tags, { Name = "${var.app_name}-${var.env_name}-alb" })
}

resource "aws_vpc_security_group_ingress_rule" "alb_inbound_https_from_anywhere" {
  security_group_id = aws_security_group.alb.id
  description       = "Inbound https access from anywhere"

  ip_protocol = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_ipv4   = "0.0.0.0/0"
}

resource "aws_vpc_security_group_ingress_rule" "alb_inbound_http_from_anywhere" {
  security_group_id = aws_security_group.alb.id
  description       = "Inbound http access from anywhere"

  ip_protocol = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_ipv4   = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "alb_outbound_all_to_ec2" {
  security_group_id = aws_security_group.alb.id
  description       = "Full outbound access to ec2"

  ip_protocol                  = "-1"
  referenced_security_group_id = aws_security_group.ec2.id
}

// Redis security group
resource "aws_security_group" "redis" {
  name        = "${var.app_name}-${var.env_name}-redis"
  description = "SG for Elasticache Redis"
  vpc_id      = var.vpc_id

  tags = merge(local.default_tags, { Name = "${var.app_name}-${var.env_name}-redis" })
}

resource "aws_vpc_security_group_ingress_rule" "redis_inbound_redis_from_ec2" {
  security_group_id = aws_security_group.redis.id
  description       = "Inbound REDIS access from EC2"

  ip_protocol                  = "tcp"
  from_port                    = 6379
  to_port                      = 6379
  referenced_security_group_id = aws_security_group.ec2.id
}