# Security Group Lab

### Introduction

In this lesson, we'll practice working with the security group -- that is, the firewall -- associated with an EC2 instance.  We'll do so by first creating our security group, and then attaching the security group to our ec2 instance.

### Another Warning

> **Warning**: Once again, below code will **only** work on a machine that has *busybox* installed on it.  The ami available in your region may be different from what you see below, **but** if you choose an ami for an Ubuntu image, you should be good.  

To choose an ami associated with an ubuntu image, you can get the ami by going to `EC2 > Launch Instance`.  And then select the Ubuntu logo from quickstart.  

> <img src="./ubuntu-machine.png" width="40%">

### Getting Started

Before getting started, let's take a look at the work that we've accomplished so far.  

```bash
# tf/main.tf 

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "backend_server" {
  ami           = "ami-07d9b9ddc6cd8dd30"
  instance_type = "t2.micro"
  
  user_data = <<-EOF
              #!/bin/bash
              mkdir -p /var/www/html
              echo "Hello Everyone" > /var/www/html/index.html
              cd /var/www/html
              nohup busybox httpd -f -p 80 &
              EOF
  
  tags = {
      Name = "backend server"
  }
}
```

In our `tf/main.tf` file, we specify our provider and region, and then create an `aws_instance` resource named `backend_server` in terraform.  We configure it to have `instance_type` of `t2.micro`, and set the AMI id.

We also setup some code so that will run a server that displays the text `"Hello Everyone"`.  Our task will be to expose this server so that any ip address can acess it on port `80`.

### Enabling SSH Access

Now it's time to create the security group resource.  We'll provide you with the basic structure and it will be your task to fill in the related values:

```bash
ingress {
    from_port   = ""
    to_port     = ""
    protocol    = "tcp"
    cidr_blocks = []
  }
```

> Note: The `from_port` and `to_port` values can be **integers**, we just specified an empty string to indicate placeholder.

So we'll start by asking you to enable *SSH access*.  Now remember that when we ssh into a machine we need to use our pem file on our local computer to then access our EC2 instance.  So this means we need to perform an initial step of connecting a pem file, that is on our laptop, to our ec2 instance.

1. Connecting a key pair

In terraform (and in aws) this pem file is referred to as our key-pair.  So to connect one of our pem files, let's navigate to the AWS console, and then type in key pairs.  We should see it show up under `Features` -- click there.

<img src="./key_pairs.png" width="60%">

Then, we will be taken to a screen that displays our previously created key pairs.

<img src="key_pairs_before.png" width="90%">

Each of the existing pairs should correspond to a separate .pem file on your computer. 

> If you cannot find any of the related pem files, just click on `Create key pair` to create, and then download another one.

Ok, now we'll use one of the key pairs listed above to connect to our EC2 instance.  We can do so by going to our existing `aws_instance` resource, and adding a `key_name` attribute after the `instance_type` attribute.  Set the value for `key_name` equal to the corresponding name that is displayed in the console -- in other words, there should be no .pem at the end.

2. Back to Security Group

Now that we have specified the key name, we will still need to allow for SSH access on port 22.  We'll do ask you to fill in the `from_port` and `to_port` values.

```bash
resource "aws_security_group" "ssh_backend_security" {
    name = "ssh backend security"
    
    ingress {
        cidr_blocks = [
          "0.0.0.0/0"
        ]
    from_port = ""
        to_port = ""
        protocol = "tcp"
      }
    
      egress {
       from_port = 0
       to_port = 0
       protocol = "-1"
       cidr_blocks = ["0.0.0.0/0"]
     }
}
```

So above, we create a new security group (in addition to our security group for web access), and this time we have an attribute for `ingress` and `egress`.  If ingress is making *requests* into our machine, the egress is how information leaves the machine.  Notice that we again allow outbound requests to be sent to any ip address.

The last step is connecting our new security group to the `aws_instance` resource.  Make this change yourself so that we have two `security_group_ids` referenced in the list.

Then apply the changes.  

If it works, we should be able to ssh into the machine use our pem file.  

For instructions, remember that we can click on the related EC2 instance, and then click on the `Connect` button to the right, followed by the `SSH` tab.

<img src="./connect_ssh.png" width="80%">

Then navigate to the folder where your pem file lives (perhaps in the `~/.ssh` folder).  

```bash
cd ~/.ssh
```

And from there we can connect to our machine.  You can connect with something like the following.

```bash
ssh -i "example.pem" ubuntu@ec2-54-209-183-201.compute-1.amazonaws.com
```

### Providing an output

Of course, the line above will vary based on your machine, but perhaps we can provide an output that says something like:
    
`"ssh with the following: "`, and then provides the information for our particular machine.

Here, we'll get you started with the following:

```bash
output "connection_instructions" {
  value = "ssh with the following: ssh -i ${aws_instance.backend_server.key_name}.pem ubuntu@" 
}
```

> So the above uses string interpolation to refereence our `key_name` inside of a string.

Then `cd` into the correct folder and confirm that properly allows you to ssh into the machine.

### Adding the Security Group

Now it's time to update the security group resource so that we have http access.  We'll provide you with the basic structure and it will be your task to fill in the related values:


Add another set of ingress rules, this time enabling access to our http port.

> So within the same security group, add another ingress rule, and fill in the correct values.

```bash
    ingress {
        from_port   = ""
        to_port     = ""
        protocol    = "tcp"
        cidr_blocks = []
      }
```

> Note: The `from_port` and `to_port` values can be **integers**, we just specified an empty string to indicate placeholder.

When you're finished adding the ingress rule then **connect** *the security group to the EC2 resource defined above*.  

Next, let's confirm that this worked.  So first, go to the aws web console to see the newly created ec2 instance.  It will have a name of `backend server`.

> <img src="./backend-server.png" width="60%">

The instance Id should also match the instance id that was displayed in the terminal after running `terraform apply`.

From there, click on the instance, and then click on the `security` panel, and then click on the security group -- named `http backend security`. 

> <img src="./security-group.png" width="60%">

Click on `Edit Inbound Rules`, which should show us the following.

> <img src="./port-3000.png" width="60%">

Notice that the port is port 80.  This is because when we set up the web app, we said to run on the port 80.
```python
user_data = <<-EOF
              #!/bin/bash
              mkdir -p /var/www/html
              echo "Hello Everyone" > /var/www/html/index.html
              cd /var/www/html
              nohup busybox httpd -f -p 80 &
              EOF
```

Ok, so if this is setup properly, we should be able to visit the domain name address, and see the text `Hello Everyone`.

> **Gotcha:** Be sure to make the add in the port when visiting the address, and be sure that you are visiting `http://ipaddress:80` as opposed `https`.

> <img src="./hello-all.png" width="60%">

**Finally**, make sure to destroy all of the resources with `terraform destroy`.

### Summary

Great work, we have now seen how to setup the security for enabling access to our EC2 machine via SSH and http in terraform.

[terraform keypair](https://medium.com/@hmalgewatta/setting-up-an-aws-ec2-instance-with-ssh-access-using-terraform-c336c812322f)

[IP Addresses and Subnets Digital Ocean](https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking#netmasks-and-subnets)

[Terraform and CIDR](http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/)