使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Review the Infrastructure code for web app deployment

0

Hi AWS, I have to deploy a web application that supports the following design:

1.The end-users only contact the load balancers and the underlying instance are accessed for management purposes, design a security group scheme which supports the minimal set of ports required for communication. 2. The AWS generated load balancer hostname with be used for request to the public facing web application.

I have to write the terraform code for the same. I wrote the code for Security Group but I am not sure if it is sufficing the requirements asked or not. Here is the code snippet:

resource "aws_security_group" "client_alb" {
  name_prefix = "${var.default_tags.project_name}-alb"
  description = "security group for web application load balancer"
  vpc_id      = aws_vpc.main.id
  tags = {
    Name = "${var.default_tags.project_name}-sg"
  }
}

resource "aws_security_group_rule" "client_alb_allow_80" {
  security_group_id = aws_security_group.client_alb.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
  description       = "Allow HTTP traffic."
}

resource "aws_security_group_rule" "client_alb_allow_443" {
  security_group_id = aws_security_group.client_alb.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
  description       = "Allow HTTP traffic."
}

resource "aws_security_group_rule" "client_alb_allow_outbound" {
  security_group_id = aws_security_group.client_alb.id
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
  description       = "Allow any outbound traffic."
}

Could someone please review and help me with point 2 as well?

主題
基礎架構即程式碼網路與內容交付
標籤
基礎架構即程式碼安全性群組Terraform
語言
English
profile picture
Arjun Goel
已提問 3 個月前檢視次數 135 次
2 個答案
0

You have shown the TF for the sg but you have shown us the code for the alb or EC2’s.

However the TF looks good if these are only used on the alb.

The alb resource will return the DNS name as an output along with the dns zone id.

profile picture
專家
Gary Mclean
已回答 3 個月前
  • Arjun Goel
    3 個月前

    I wrote the code for EC2 Security Groups. This is the complete requirement:

    1. The end-users only contact the load balancers and the underlying instance are accessed for management purposes, design a security group scheme which supports the minimal set of ports required for communication.
    2. The AWS generated load balancer hostname with be used for request to the public facing web application.
    3. An autoscaling group should be created which utilizes the latest AWS AMI
    4. The instance in the ASG Must contain both a root volume to store the application / services and must contain a secondary volume meant to store any log data bound from / var/log Must include a web server of your choice.
    5. Configure web application using Ansible, all requirements in this task of configuring the operating system should be defined in the launch configuration and/or the user data script
    6. Create self signed certificate for test.example.com and used this hostname with Load balancer, this dns should be resolve internally within VPC network with route 53 private hosted zone.
  • Arjun Goel
    3 個月前

    Hi @Gary, I have listed down the requirements that I have been given. Can you please review and help me in figuring things out?

0

Hello, Arjun

Regarding 2nd could explain me a little bit more?

Thanks

Abhinav Chauhan
已回答 3 個月前
  • Gary Mclean 專家
    3 個月前

    The alb needs an outbound rule to connect to the resources in question. Ie ec2

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容