# Security Group Lab

### Introduction

In this lesson, we'll practice working with the security group -- that is, the firewall -- associated with an EC2 instance.  We'll do so by adding the security group resource, and from there attaching the security group to our resource.

### Getting Started

Before getting started, let's take a look at the work that we've accomplished so far.  

```hcl
# tf/main.tf

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "backend_server" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  # Runs at first boot: serve a one-line page with busybox on port 3000
  user_data = <<-EOF
              #!/bin/bash
              echo "Hello Everyone" > index.html
              nohup busybox httpd -f -p 3000 &
              EOF

  tags = {
    Name = "backend server"
  }
}
```

In our `tf/main.tf` file, we specify our provider and region, and then create an `aws_instance` resource named `backend_server` in Terraform.  We configure it to have an `instance_type` of `t2.micro`, and set the AMI ID.

We also set up a `user_data` script that runs a server displaying the text `"Hello Everyone"` on port `3000`.  Our task will be to expose this server so that any IP address can access it on port `3000`.

### Adding the Security Group

Now it's time to create the security group resource.  We'll provide you with the basic structure and it will be your task to fill in the related values:

```hcl
resource "aws_security_group" "http_backend_security" {
  name = "http backend security"

  ingress {
    from_port   = ?
    to_port     = ?
    protocol    = "tcp"
    cidr_blocks = ["?"]
  }
}
```

Fill in the code above, and then *connect the security group to the EC2 resource defined above*.  

If it works properly, we should be able to visit the corresponding address, and see the text `Hello Everyone`.

> **Gotcha:** Be sure to include the port when visiting the address, and be sure that you are visiting `http://ipaddress:3000` as opposed to `https`.

### Enabling SSH Access

Now that we have set up HTTP access, let's try something new by enabling SSH access.  Remember that when we SSH into a machine, we use the pem file on our local computer to access our EC2 instance.

For the EC2 instance we are creating with Terraform, we can use one of our already existing key pairs.  We can do this by first navigating to the AWS console, and then typing `key pairs` into the search bar.  We should see it show up under `Features` -- click there.

<img src="./key_pairs.png" width="60%">

Then, we will be taken to a screen that displays our previously created key pairs.

<img src="key_pairs_before.png" width="90%">

Each of the existing pairs should correspond to a separate .pem file on your computer. 

> If you cannot find any of the related pem files, just click on `Create key pair` to create and download a new one.

Ok, now we'll use one of the key pairs listed above to connect to our EC2 instance.  We can do so by going to our existing `aws_instance` resource, and adding a `key_name` attribute after the `instance_type` attribute.  Set the value for `key_name` equal to the corresponding name that is displayed in the console -- in other words, there should be no .pem at the end.

Now that we have specified the key name, we will still need to allow for SSH access on port 22.  We'll do so by adding the following security group.

```hcl
resource "aws_security_group" "ssh_backend_security" {
  name = "ssh backend security"

  # Inbound: SSH on port 22 from any address
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: all ports, all protocols ("-1" means any protocol), to any address
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The only new item is the `egress` block.  Ingress rules govern requests coming into our machine; egress rules govern how traffic leaves the machine.  Notice that we again allow responses to be sent to any IP address.

The last step is connecting our new security group to the `aws_instance` resource.  So we should now have two security group IDs referenced in the instance's security group list (`vpc_security_group_ids`).

Then apply the changes.  
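As an added example of the finished wiring (not part of the lab's own files), here is the `aws_instance` from `tf/main.tf` with the `key_name` attribute and both security groups attached. It assumes the two `aws_security_group` resources are named as in this lesson, and `my-key` is a placeholder for whatever key pair name your console shows.

```hcl
# Added example: not the lab's own code. Assumes http_backend_security and
# ssh_backend_security exist as defined in this lesson.

variable "key_name" {
  description = "Name of an existing EC2 key pair, without the .pem suffix"
  type        = string
  default     = "my-key" # placeholder, replace with the name shown in the console
}

resource "aws_instance" "backend_server" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  key_name      = var.key_name

  # Attach both groups; Terraform infers the dependency from these references,
  # so the groups are created before the instance.
  vpc_security_group_ids = [
    aws_security_group.http_backend_security.id,
    aws_security_group.ssh_backend_security.id,
  ]

  user_data = <<-EOF
              #!/bin/bash
              echo "Hello Everyone" > index.html
              nohup busybox httpd -f -p 3000 &
              EOF

  tags = {
    Name = "backend server"
  }
}

# Print the exact URL to visit (plain http, with the port) after `terraform apply`
output "http_url" {
  value = "http://${aws_instance.backend_server.public_ip}:3000"
}

# Public IP to use with `ssh -i <key>.pem <user>@<ip>`; the login user depends on the AMI
output "public_ip" {
  value = aws_instance.backend_server.public_ip
}
```

Narrowing the SSH group's `cidr_blocks` to your own address instead of `0.0.0.0/0` is the usual hardening step once the lab works.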

If it works, we should be able to SSH into the machine using our pem file.

For instructions, remember that we can click on the related EC2 instance, and then click on the `Connect` button to the right, followed by the `SSH` tab.

<img src="./connect_ssh.png" width="80%">

### Summary

Great work, we have now seen how to set up the security groups for enabling access to our EC2 machine via SSH and HTTP in Terraform.

[terraform keypair](https://medium.com/@hmalgewatta/setting-up-an-aws-ec2-instance-with-ssh-access-using-terraform-c336c812322f)

[IP Addresses and Subnets Digital Ocean](https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking#netmasks-and-subnets)

[Terraform and CIDR](http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/)