
Properly configure security groups for SSM endpoint

lopopolo committed Nov 11, 2018
1 parent 43681fc commit 8ad4fe11dd4b66d476262a101ed7ad9ae9c9cdd4
Showing with 42 additions and 1 deletion.
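--- a/terraform/modules/hyperbola/app/backend/security-groups.tf
+++ b/terraform/modules/hyperbola/app/backend/security-groups.tf
@@ -7,12 +7,44 @@ data "aws_vpc_endpoint_service" "ssm" {
 service = "ssm"
 }
 
+resource "aws_security_group" "ssm" {
+name_prefix = "app-ssm-sg-"
+description = "SSM VPC Endpoint Security Group"
+vpc_id = "${data.aws_vpc.this.id}"
+
+ingress {
+from_port = 80
+to_port = 80
+protocol = "tcp"
+security_groups = ["${aws_security_group.backend.id}"]
+}
+
+ingress {
+from_port = 443
+to_port = 443
+protocol = "tcp"
+security_groups = ["${aws_security_group.backend.id}"]
+}
+
+egress {
+from_port = 0
+to_port = 0
+protocol = "-1"
+security_groups = ["${aws_security_group.backend.id}"]
+}
+
+tags {
+Name = "${var.name}-ssm-sg"
+Environment = "${var.env}"
+}
+}
+
 resource "aws_vpc_endpoint" "ssm" {
 vpc_id = "${data.aws_vpc.this.id}"
 service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}"
 vpc_endpoint_type = "Interface"
 subnet_ids = ["${data.aws_subnet_ids.private.ids}"]
-security_group_ids = ["${aws_security_group.backend.id}"]
+security_group_ids = ["${aws_security_group.ssm.id}"]
 }
 
 resource "aws_security_group" "backend" {
@@ -74,6 +106,15 @@ resource "aws_security_group_rule" "backend-to-s3-endpoint" {
 prefix_list_ids = ["${var.s3_endpoint_prefix_list_id}"]
 }
 
+resource "aws_security_group_rule" "backend_to_ssm_endpoint" {
+type = "egress"
+protocol = "-1"
+from_port = 0
+to_port = 0
+security_group_id = "${aws_security_group.backend.id}"
+source_security_group_id = "${aws_security_group.ssm.id}"
+}
+
 output "backend_security_group_id" {
 value = "${aws_security_group.backend.id}"
 }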
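Review bot: The new `backend_to_ssm_endpoint` rule (second hunk) opens all protocols and ports from the backend SG to the endpoint SG, and the inline `egress` block on `aws_security_group.ssm` (first hunk) does the same in the reverse direction, even though the endpoint SG only accepts TCP 80 and 443 from the backend, so both rules are broader than the traffic they are meant to carry. An interface endpoint ENI does not initiate connections to the instances, so the inline `egress` block on the endpoint SG can be dropped, and the standalone rule can be narrowed to `protocol = "tcp"`, `from_port = 443`, `to_port = 443` to match what the SSM endpoint serves; the TCP 80 ingress also looks unneeded for SSM, which is HTTPS-only — confirm before removing. The `aws_vpc_endpoint.ssm` resource (its first lines are unchanged context) does not set `private_dns_enabled`, so the agent on the backend instances presumably still resolves the public SSM hostname and the endpoint would go unused — worth verifying that this is intended. Adding a short comment on the endpoint SG, `# SSM interface endpoint: only needs inbound 443 from backend; the ENI never dials out`, would record the intended direction of traffic for the next reader.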
