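# Security Group for the EC2 instances serving Redash: inbound only from the
# load balancer, outbound only to the backing data stores.
#
# Rules are declared as standalone aws_security_group_rule resources instead of
# inline ingress/egress blocks so that this SG can reference the DB and Redis
# SGs (which reference this SG in their own ingress) without a Terraform
# dependency cycle. Do NOT add inline ingress/egress blocks to this resource:
# Terraform overwrites standalone rules when both forms are used on one SG.
resource "aws_security_group" "redash_service_instances_sg" {
  name = "redash-service-instances-sg"

  # "instancs" is a typo, left as-is on purpose: changing the description of an
  # aws_security_group forces replacement of the SG (and everything attached).
  description = "Redash Serving instancs Security Group"
  vpc_id      = "${var.vpc_id}"
}

# Only the load balancer may reach the Docker server port.
resource "aws_security_group_rule" "redash_service_instances_ingress_lb" {
  type                     = "ingress"
  security_group_id        = "${aws_security_group.redash_service_instances_sg.id}"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.redash_service_loadbalancer_sg.id}"
  description              = "Open Docker Server port for Load Balancer"
}

# Terraform removes the VPC default allow-all egress rule from a managed SG, so
# without explicit egress these instances could not reach PostgreSQL or Redis
# even though db_access_sg / redis_access_sg admit them. Egress is limited to
# those two stores. For type = "egress", source_security_group_id names the
# *destination* security group.
resource "aws_security_group_rule" "redash_service_instances_egress_db" {
  type                     = "egress"
  security_group_id        = "${aws_security_group.redash_service_instances_sg.id}"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.db_access_sg.id}"
  description              = "PostgreSQL to RDS"
}

resource "aws_security_group_rule" "redash_service_instances_egress_redis" {
  type                     = "egress"
  security_group_id        = "${aws_security_group.redash_service_instances_sg.id}"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.redis_access_sg.id}"
  description              = "Redis to ElastiCache"
}

# NOTE(review): no outbound Internet access is granted here (e.g. tcp/443 for
# image/package pulls or external data sources). If the instances need it, add
# a separately scoped egress rule rather than 0.0.0.0/0 on all ports.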
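# Security Group for the public load balancer in front of Redash.
#
# Rules are declared as standalone aws_security_group_rule resources so the
# egress rule can target the instance SG (which references this SG in its own
# ingress). The original inline egress had to be 0.0.0.0/0 on all ports to
# avoid that dependency cycle; standalone rules remove the cycle and let egress
# be restricted to the instances on the forwarded port. Do NOT add inline
# ingress/egress blocks to this resource: Terraform overwrites standalone rules
# when both forms are used on one SG.
resource "aws_security_group" "redash_service_loadbalancer_sg" {
  name        = "redash-service-lb-sg"
  description = "Redash Serving LB Security Group"
  vpc_id      = "${var.vpc_id}"
}

# HTTPS from anywhere (IPv4). NOTE(review): if the VPC / load balancer is
# dual-stack, an equivalent rule with ipv6_cidr_blocks = ["::/0"] is needed,
# otherwise IPv6 clients are silently dropped.
resource "aws_security_group_rule" "redash_service_loadbalancer_ingress_https" {
  type              = "ingress"
  security_group_id = "${aws_security_group.redash_service_loadbalancer_sg.id}"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Open SSL port"
}

# Forwarded requests and health checks only need the instance SG on tcp/80
# (the port the instance SG admits from this LB). For type = "egress",
# source_security_group_id names the *destination* security group.
# NOTE(review): assumes the target/health-check port is 80 — confirm against
# the load balancer definition before applying.
resource "aws_security_group_rule" "redash_service_loadbalancer_egress_instances" {
  type                     = "egress"
  security_group_id        = "${aws_security_group.redash_service_loadbalancer_sg.id}"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.redash_service_instances_sg.id}"
  description              = "Allow ELB to ping any service machine"
}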
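# Security Group attached to the RDS (PostgreSQL) instances.
#
# Admits PostgreSQL only from other members of this SG and from the Redash
# service instances. No egress is declared, so Terraform leaves the SG with
# none (it strips the VPC default allow-all egress) — acceptable for a
# database that only answers inbound connections.
resource "aws_security_group" "db_access_sg" {
  vpc_id      = "${var.vpc_id}"
  name        = "redash-db-access-sg"
  description = "Allow access to RDS"

  # Traffic between members of this SG (e.g. read replicas). Previously this
  # was protocol "-1" on all ports; it is narrowed to the PostgreSQL port,
  # which is the only service these members expose.
  # NOTE(review): in-region RDS replication is handled by AWS outside the
  # customer SG, so this rule may be removable entirely — verify before
  # dropping it.
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    self        = true
    description = "PostgreSQL between members of this SG"
  }

  # Default PostgreSQL TCP port, only from the Redash EC2 instances.
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = ["${aws_security_group.redash_service_instances_sg.id}"]
    description     = "PostgreSQL from Redash service instances"
  }
}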
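# Security Group attached to the Redis (ElastiCache) nodes.
#
# Admits Redis only from other members of this SG and from the Redash service
# instances. No egress is declared, so Terraform leaves the SG with none (it
# strips the VPC default allow-all egress) — acceptable for a cache that only
# answers inbound connections.
resource "aws_security_group" "redis_access_sg" {
  vpc_id      = "${var.vpc_id}"
  name        = "redash-redis-access-sg"
  description = "Allow access to Redis"

  # Traffic between members of this SG. Previously this was protocol "-1" on
  # all ports; it is narrowed to the Redis port, which is the only service
  # these members expose.
  # NOTE(review): ElastiCache manages node-to-node replication itself; if a
  # self-managed Redis cluster is ever placed in this SG, its cluster-bus port
  # would have to be added here — confirm which applies.
  ingress {
    from_port   = 6379
    to_port     = 6379
    protocol    = "tcp"
    self        = true
    description = "Redis between members of this SG"
  }

  # Default Redis TCP port, only from the Redash EC2 instances.
  ingress {
    from_port       = 6379
    to_port         = 6379
    protocol        = "tcp"
    security_groups = ["${aws_security_group.redash_service_instances_sg.id}"]
    description     = "Redis from Redash service instances"
  }
}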