# Terraform Security Groups

### Introduction

In the last lesson, we saw how to launch an EC2 instance using terraform.  To accomplish this, we worked with two terraform blocks, the `provider` block and the `resource` block.

The provider block is where we specified the aws service and the related region.

```bash
provider "aws" {
  region = "us-east-2"
}
```

And the resource block is where we specified that we would be using the ec2 instance, called `aws_instance` and the configuration details like the `ami` and `instance_type`.

```bash
resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}
```

In this lesson, we'll look at adding our security group information to our ec2 instance.

### Adding a Web Application

We can see this by setting up a little server directly on our AWS machine like so.

```bash
resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  
  user_data = <<-EOF
              #!/bin/bash
              echo "Hello, World" > index.html
              nohup busybox httpd -f -p 80 &
              EOF
}
```

Let's take a closer look at the newly added code.

```bash
user_data = <<-EOF
              #!/bin/bash
              echo "Hello World" > index.html
              nohup busybox httpd -f -p 80 &
              EOF
```

* **user_data**

The `user_data` is property is not something we'll use very often.  We're simply taking advantage of the fact that it's run by terraform after our instance sets up.  

* **EOF**

EOF is simply the delimiter for a multiline string in bash (called a docstring).  Notice that we begin with `<<-EOF` and end with `EOF`.  

> It's equivalent to the `"""` in Python.  

* **Our Server**

Then we write `Hello World` into an `index.html` file.  And that file is then served via the busybox server on port 80, and and the process is run as a background job.

Now let's apply our changes.

* `terraform init`
* `terraform apply`

Now if we try to access our string server by visiting our public ip address, we will not be able to access our page.

<img src="./security_wall_access.png" width="60%">

### The Issue

Remember that in AWS, every EC2 instance is placed behind a firewall that determines how traffic from flows to and from EC2 machine.  By default, no traffic is allowed to flow into our EC2 machine.  

But don't worry we can enable access with the following.

```bash
resource "aws_security_group" "app_security" {
  name = "app_security"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The above information mainly aligns with the information we provided through the AWS console.

<img src="./ssh-access.png" width="100%">

So now, with our terraform code copied below, let's describe what it's doing.

We create a `aws_security_group` resource, which specifies the firewall for our ec2 instance.  We name it `app_security` in terraform, and then inside the block specify the aws group name of `app_security` as well.  

Ingress is used to describe traffic flowing into our application.  Here we say that users can access our application at port 80, and this traffic will flow to port 80.  Then the `cidr_blocks` is used to specify which ip addresses are allowed to access our machine.  In this case we provide `0.0.0.0/0` to not restrict based on ip address.

```bash
resource "aws_security_group" "app_security" {
  name = "app_security"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Now that we created our new security group resource the changes there is one last step.

### Connecting our Resources

We need to tell our EC2 instance to use our created resource above.  We do so adding the `security_group_ids` attribute.  In other words, we want to find the id of the security group created above. 

Finding that id is a little tricky, especially because the security group hasn't yet been created.  But we can do so by adding the following code to our resource.

```bash
resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  vpc_security_group_ids = [aws_security_group.app_security.id]


  user_data = <<-EOF
              #!/bin/bash
              echo "Hello, World" > index.html
              nohup busybox httpd -f -p 80 &
              EOF
}
```

So above, we retrieve the id by going to the resource type `aws_security_group` then the name of our specific resource `app_security` and then the id property `id`.  With that we can apply our changes and access our website.

<img src="./hello_tf.png" width="60%">

### Summary

In this lesson, we discussed how to configure the security group, or firewall, for our EC2 instance.  We do so by creating an `aws_security_group` resource, and then linking to that resource within our EC2 resource.

To create the `aws_security_group` resource we need to specify the `to_port`, where the client can connect to and the `from_port`, where the client is then forwarded to.  We also use the `cidr_blocks` attribute to specify which ip addresses have access to our EC2 machine.

```bash
resource "aws_security_group" "app_security" {
  name = "app_security"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Finally, we conect our `aws_security_group` and `aws_instance` resources by adding the following line of code to our specific aws instance.
```bash
vpc_security_group_ids =  [aws_security_group.app_security.id]
```

### Resources

[Introducing Terraform](https://blog.gruntwork.io/an-introduction-to-terraform-f17df9c6d180)

[Terraform with Docker](https://www.airpair.com/aws/posts/ntiered-aws-docker-terraform-guide)

* Potentially, need to talk about nginx and an AWS load balancer.