Some simplification of security groups. We don't need to ssh into the frontend and backend; instead we can use AWS ECS Exec to run commands inside running containers.

Author: davidsilva

terraform/environments/development/main.tf

@@ -67,6 +67,7 @@ module "ecs" {
   frontend_sg_id            = module.security_groups.frontend_sg_id
   backend_sg_id             = module.security_groups.backend_sg_id
   alb_sg_id                 = module.security_groups.alb_sg_id
+  bastion_sg_id             = module.security_groups.bastion_sg_id
   ecs_task_execution_role   = module.iam.ecs_task_execution_role_arn
   ecs_task_role_arn = module.iam.ecs_task_role_arn
   service_discovery_namespace_id = module.service_discovery.namespace_id

terraform/modules/ecs/main.tf

@@ -100,7 +100,7 @@ resource "aws_ecs_service" "frontend" {
     network_configuration {
         subnets          = var.private_subnet_ids
         security_groups  = [var.frontend_sg_id, var.alb_sg_id]
-        assign_public_ip = true
+        assign_public_ip = false
     }
 
     load_balancer {

terraform/modules/ecs/variables.tf

@@ -48,6 +48,11 @@ variable "alb_sg_id" {
     type        = string
 }
 
+variable "bastion_sg_id" {
+    description = "The ID of the security group to attach to the bastion host"
+    type        = string
+}
+
 variable "ecs_task_execution_role" {
     description = "The ARN of the ECS task execution role"
     type        = string

terraform/modules/security_groups/main.tf

@@ -4,32 +4,25 @@ resource "aws_security_group" "alb_sg" {
     vpc_id = var.vpc_id
 
     ingress {
-        from_port = 0
-        to_port = 65535
+        from_port = 80
+        to_port = 80
         protocol = "tcp"
         cidr_blocks = ["0.0.0.0/0"]
     }
 
-    # ingress {
-    #     from_port = 80
-    #     to_port = 80
-    #     protocol = "tcp"
-    #     cidr_blocks = ["0.0.0.0/0"]
-    # }
-
-    # ingress {
-    #     from_port = 443
-    #     to_port = 443
-    #     protocol = "tcp"
-    #     cidr_blocks = ["0.0.0.0/0"]
-    # }
+    ingress {
+        from_port = 443
+        to_port = 443
+        protocol = "tcp"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
 
-    # ingress {
-    #     from_port = 3000
-    #     to_port = 3000
-    #     protocol = "tcp"
-    #     cidr_blocks = ["0.0.0.0/0"]
-    # }
+    ingress {
+        from_port = 3000
+        to_port = 3000
+        protocol = "tcp"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
 
     egress {
         from_port = 0
@@ -53,25 +46,14 @@ resource "aws_security_group" "frontend_sg" {
         from_port = 80
         to_port = 80
         protocol = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-        # security_groups = [aws_security_group.alb_sg.id]
+        security_groups = [aws_security_group.alb_sg.id]
     }
 
-    # need to set up load balancer for ssh
     ingress {
         from_port = 443
         to_port = 443
         protocol = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-        # security_groups = [aws_security_group.alb_sg.id]
-    }
-
-    ingress {
-        from_port = 22
-        to_port = 22
-        protocol = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-        # security_groups = [aws_security_group.bastion_sg.id]
+        security_groups = [aws_security_group.alb_sg.id]
     }
 
     egress {
@@ -96,19 +78,7 @@ resource "aws_security_group" "backend_sg" {
         from_port = 3000
         to_port = 3000
         protocol = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-        security_groups = [
-            aws_security_group.bastion_sg.id,
-            aws_security_group.frontend_sg.id
-        ]
-    }
-
-    ingress {
-        from_port = 22
-        to_port = 22
-        protocol = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-        security_groups = [aws_security_group.bastion_sg.id]
+        security_groups = [aws_security_group.alb_sg.id]
     }
 
     egress {