Create real-world-like AWS security groups using Terraform

[dzhang@localhost terraform]$ cat instance.tf
provider "aws" {
  access_key = "my_access_key"
  secret_key = "my_secret_key"
  region     = "ap-southeast-2"
}

resource "aws_security_group" "app_server" {
  name        = "app_server"
  description = "app server security group"
  vpc_id      = "vpc-d808xxxx"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["6x.24x.5x.16x/32"]
  }

  tags {
    Name = "APP"
  }
}

resource "aws_security_group" "web_server" {
  name        = "web_server"
  description = "Web Server security group"
  vpc_id      = "vpc-d808xxxx"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 1024
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "WEB"
  }
}

resource "aws_security_group_rule" "internal-sg" {
  security_group_id = "${aws_security_group.web_server.id}"
  type              = "egress"
  from_port         = 8301
  to_port           = 8301
  protocol          = "udp"
  self              = true
}

resource "aws_security_group_rule" "to_app" {
  security_group_id        = "${aws_security_group.web_server.id}"
  type                     = "egress"
  from_port                = 8301
  to_port                  = 8301
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.app_server.id}"
}

resource "aws_security_group_rule" "from_web" {
  security_group_id        = "${aws_security_group.app_server.id}"
  type                     = "ingress"
  from_port                = 8301
  to_port                  = 8301
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.web_server.id}"
}
[dzhang@localhost terraform]$

[dzhang@localhost terraform]$ terraform apply
aws_security_group.app_server: Creating...
description: "" => "app server security group"
egress.#: "" => ""
ingress.#: "" => "1"
ingress.625464618.cidr_blocks.#: "" => "1"
ingress.625464618.cidr_blocks.0: "" => "6x.24x.5x.16x/32"
ingress.625464618.from_port: "" => "22"
ingress.625464618.protocol: "" => "tcp"
ingress.625464618.security_groups.#: "" => "0"
ingress.625464618.self: "" => "false"
ingress.625464618.to_port: "" => "22"
name: "" => "app_server"
owner_id: "" => ""
tags.%: "" => "1"
tags.Name: "" => "APP"
vpc_id: "" => "vpc-d808xxxx"
aws_security_group.web_server: Creating...
description: "" => "Web Server security group"
egress.#: "" => "1"
egress.1543620397.cidr_blocks.#: "" => "1"
egress.1543620397.cidr_blocks.0: "" => "0.0.0.0/0"
egress.1543620397.from_port: "" => "1024"
egress.1543620397.prefix_list_ids.#: "" => "0"
egress.1543620397.protocol: "" => "tcp"
egress.1543620397.security_groups.#: "" => "0"
egress.1543620397.self: "" => "false"
egress.1543620397.to_port: "" => "65535"
ingress.#: "" => "1"
ingress.2214680975.cidr_blocks.#: "" => "1"
ingress.2214680975.cidr_blocks.0: "" => "0.0.0.0/0"
ingress.2214680975.from_port: "" => "80"
ingress.2214680975.protocol: "" => "tcp"
ingress.2214680975.security_groups.#: "" => "0"
ingress.2214680975.self: "" => "false"
ingress.2214680975.to_port: "" => "80"
name: "" => "web_server"
owner_id: "" => ""
tags.%: "" => "1"
tags.Name: "" => "WEB"
vpc_id: "" => "vpc-d808xxxx"
aws_security_group.app_server: Creation complete
aws_security_group.web_server: Creation complete
aws_security_group_rule.from_web: Creating...
from_port: "" => "8301"
protocol: "" => "tcp"
security_group_id: "" => "sg-ba43ecdd"
self: "" => "false"
source_security_group_id: "" => "sg-b943ecde"
to_port: "" => "8301"
type: "" => "ingress"
aws_security_group_rule.to_app: Creating...
from_port: "" => "8301"
protocol: "" => "tcp"
security_group_id: "" => "sg-b943ecde"
self: "" => "false"
source_security_group_id: "" => "sg-ba43ecdd"
to_port: "" => "8301"
type: "" => "egress"
aws_security_group_rule.internal-sg: Creating...
from_port: "" => "8301"
protocol: "" => "udp"
security_group_id: "" => "sg-b943ecde"
self: "" => "true"
source_security_group_id: "" => ""
to_port: "" => "8301"
type: "" => "egress"
aws_security_group_rule.from_web: Creation complete
aws_security_group_rule.internal-sg: Creation complete
aws_security_group_rule.to_app: Creation complete

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate
[dzhang@localhost terraform]$ terraform destory
Usage: terraform [--version] [--help] <command> [args]

The available commands for execution are listed below.
The most common, useful commands are shown first, followed by
less common or more advanced commands. If you're just getting
started with Terraform, stick with the common commands. For the
other commands, please read the help and docs before usage.

Common commands:
apply Builds or changes infrastructure
console Interactive console for Terraform interpolations
destroy Destroy Terraform-managed infrastructure
fmt Rewrites config files to canonical format
get Download and install modules for the configuration
graph Create a visual graph of Terraform resources
import Import existing infrastructure into Terraform
init Initializes Terraform configuration from a module
output Read an output from a state file
plan Generate and show an execution plan
push Upload this Terraform module to Atlas to run
refresh Update local state file against real resources
remote Configure remote state storage
show Inspect Terraform state or plan
taint Manually mark a resource for recreation
untaint Manually unmark a resource as tainted
validate Validates the Terraform files
version Prints the Terraform version

All other commands:
debug Debug output management (experimental)
state Advanced state management
[dzhang@localhost terraform]$ terraform destroy
Do you really want to destroy?
Terraform will delete all your managed infrastructure.
There is no undo. Only 'yes' will be accepted to confirm.

Enter a value: yes

aws_security_group.app_server: Refreshing state... (ID: sg-ba43ecdd)
aws_security_group.web_server: Refreshing state... (ID: sg-b943ecde)
aws_security_group_rule.internal-sg: Refreshing state... (ID: sgrule-2476559081)
aws_security_group_rule.to_app: Refreshing state... (ID: sgrule-2890481209)
aws_security_group_rule.from_web: Refreshing state... (ID: sgrule-3247970428)
aws_security_group_rule.from_web: Destroying...
aws_security_group_rule.to_app: Destroying...
aws_security_group_rule.internal-sg: Destroying...
aws_security_group.app_server: Destroying...
aws_security_group.web_server: Destroying...
aws_security_group_rule.internal-sg: Destruction complete
aws_security_group_rule.from_web: Destruction complete
aws_security_group_rule.to_app: Destruction complete
aws_security_group.web_server: Destruction complete
aws_security_group.app_server: Destruction complete

Destroy complete! Resources: 5 destroyed.
[dzhang@localhost terraform]$
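Added example, not part of the original post: a small Python model of the security groups in instance.tf that evaluates whether a new connection is permitted under AWS's stateful semantics (initiator egress plus receiver ingress), with a quick audit of ingress rules open to the whole internet. The SSH source CIDR is a constructed TEST-NET placeholder standing in for the masked address on the page.

```python
import ipaddress

# Security groups mirrored from instance.tf (hand-constructed data, not parsed HCL).
# Rule tuple: (protocol, from_port, to_port, sources); a source is a CIDR, an SG name, or "self".
# 203.0.113.7/32 is a constructed placeholder for the masked SSH source IP on the page.
SGS = {
    "app_server": {
        "ingress": [("tcp", 22, 22, ["203.0.113.7/32"]),
                    ("tcp", 8301, 8301, ["web_server"])],   # rule "from_web"
        # No egress block declared: Terraform removes AWS's default allow-all egress rule.
        "egress": [],
    },
    "web_server": {
        "ingress": [("tcp", 80, 80, ["0.0.0.0/0"])],
        "egress": [("tcp", 1024, 65535, ["0.0.0.0/0"]),
                   ("udp", 8301, 8301, ["self"]),           # rule "internal-sg"
                   ("tcp", 8301, 8301, ["app_server"])],    # rule "to_app"
    },
}


def _matches(rule, proto, port, peer, this_sg):
    """True if one rule covers proto/port and names the peer (an SG name or an IP string)."""
    r_proto, lo, hi, sources = rule
    if r_proto != proto or not lo <= port <= hi:
        return False
    for src in sources:
        if src == "self" or src in SGS:
            if peer == (this_sg if src == "self" else src):
                return True
        elif peer not in SGS and ipaddress.ip_address(peer) in ipaddress.ip_network(src):
            return True
    return False


def flow_allowed(src, dst, proto, port):
    """Stateful check for a new connection: the initiator needs a matching egress rule and
    the receiver a matching ingress rule (each only if it is an SG). Replies are implicit."""
    if src in SGS and not any(_matches(r, proto, port, dst, src) for r in SGS[src]["egress"]):
        return False
    if dst in SGS and not any(_matches(r, proto, port, src, dst) for r in SGS[dst]["ingress"]):
        return False
    return True


def world_open_ingress(sg_name):
    """Ingress rules reachable from any IPv4 address: the first thing to list when reviewing an SG."""
    return [(p, lo, hi) for p, lo, hi, srcs in SGS[sg_name]["ingress"] if "0.0.0.0/0" in srcs]
```

Evaluating web_server to web_server on UDP 8301 returns False: the internal-sg rule is egress-only, so traffic between web_server instances on that port also needs a matching self-referencing ingress rule.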
