From a8322b7a4bd9b97f3f83878df1242aa778947511 Mon Sep 17 00:00:00 2001 From: carlssonk Date: Thu, 26 Sep 2024 07:47:26 +0200 Subject: [PATCH] nginx security group --- common/security/main.tf | 45 ++++++++++++++++++++++++++++++++++++++ common/security/outputs.tf | 6 +++++ common/services/main.tf | 6 ++--- common/services/outputs.tf | 2 +- 4 files changed, 55 insertions(+), 4 deletions(-) diff --git a/common/security/main.tf b/common/security/main.tf index 3dcaf05..8021a25 100644 --- a/common/security/main.tf +++ b/common/security/main.tf @@ -11,6 +11,22 @@ locals { referenced_security_group_id = module.security_group_vpc_endpoints.id } + allow_outbound_dns_traffic = { + description = "Allow outbound DNS traffic" + from_port = 53 + to_port = 53 + ip_protocol = "udp" + cidr_ipv4 = "0.0.0.0/0" + } + + allow_http_to_anywhere_ipv4 = { + description = "Allow HTTPS to any destination" + from_port = 80 + to_port = 80 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" + } + allow_https_to_anywhere_ipv4 = { description = "Allow HTTPS to any destination" from_port = 443 @@ -40,6 +56,12 @@ module "security_group_alb" { vpc_id = var.networking_outputs.main_vpc_id } +module "security_group_nginx" { + source = "../../modules/security-group/default" + name = "nginx" + vpc_id = var.networking_outputs.main_vpc_id +} + module "security_group_ecs_tasks" { source = "../../modules/security-group/default" name = "ecs-tasks" 
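Review bot: The description of the new `allow_http_to_anywhere_ipv4` local reads "Allow HTTPS to any destination", copied from the HTTPS local directly below it, so the port-80 rule will carry a misleading description in the console and in any audit of the group; change it to `description = "Allow HTTP to any destination"`. The adjacent `allow_outbound_dns_traffic` local opens UDP/53 only; resolvers fall back to TCP/53 for truncated responses, so if the instance is configured to use a resolver other than the VPC's own, a matching `ip_protocol = "tcp"` entry may be needed — worth confirming against the instance configuration. Both locals are consumed by the `security_group_nginx_rules` module added later in this patch, so the wording lands on the live rules.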
@@ -84,6 +106,29 @@ module "security_group_alb_rules" { ]) } +module "security_group_nginx_rules" { + source = "../../modules/security-group-rules/default" + name = "nginx" + security_group_id = module.security_group_nginx.id + ingress_rules = flatten([ + [for ip in module.globals.var.cloudflare_ipv4_ranges : { + description = "Allow inbound HTTPS from Cloudflare IP: ${ip}" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + cidr_ipv4 = ip + }], + [for ip in module.globals.var.cloudflare_ipv6_ranges : { + description = "Allow inbound HTTPS from Cloudflare IP: ${ip}" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + cidr_ipv6 = ip + }] + ]) + egress_rules = [local.allow_outbound_dns_traffic, local.allow_http_to_anywhere_ipv4, local.allow_https_to_anywhere_ipv4] +} + module "security_group_ecs_tasks_rules" { source = "../../modules/security-group-rules/default" name = "ecs_tasks" diff --git a/common/security/outputs.tf b/common/security/outputs.tf index d9193dd..1a8861f 100644 --- a/common/security/outputs.tf +++ b/common/security/outputs.tf @@ -1,9 +1,11 @@ output "policy_documents" { value = [ module.security_group_alb.policy_document, + module.security_group_nginx.policy_document, module.security_group_ecs_tasks.policy_document, module.security_group_vpc_endpoints.policy_document, module.security_group_alb_rules.policy_document, + module.security_group_nginx_rules.policy_document, module.security_group_ecs_tasks_rules.policy_document, module.security_group_vpc_endpoints_rules.policy_document, module.vpc_endpoints_gateway.policy_document @@ -14,6 +16,10 @@ output "security_group_alb_id" { value = module.security_group_alb.id } +output "security_group_nginx_id" { + value = module.security_group_nginx.id +} + output "security_group_ecs_tasks_id" { value = module.security_group_ecs_tasks.id } diff --git a/common/services/main.tf b/common/services/main.tf index 606deea..871c045 100644 --- a/common/services/main.tf +++ b/common/services/main.tf 
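Review bot: The egress side of `security_group_nginx_rules` allows TCP/80 and TCP/443 to `0.0.0.0/0`, so the proxy's upstream destination is not constrained by the group at all; if the upstream is the ALB in the same VPC, the locals at the top of this file already show the tighter pattern (a rule with `referenced_security_group_id = module.security_group_alb.id` instead of a `cidr_ipv4`), with the broad rules kept only if package updates over the internet are genuinely required. The ingress rules accept Cloudflare IPv6 ranges but every egress rule is `cidr_ipv4` only; replies on those inbound connections are covered by the stateful group, but any IPv6-initiated outbound traffic (DNS, updates) would be dropped — confirm whether the instance is dual-stack. The `cloudflare_ipv4_ranges`/`cloudflare_ipv6_ranges` lists come from `module.globals` as static input and Cloudflare revises its published ranges, so a comment on this module stating where the lists are sourced and how they are refreshed, e.g. `# Cloudflare ranges are maintained in module.globals; refresh from Cloudflare's published list when it changes`, would tell the next maintainer what to keep in sync.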
@@ -103,14 +103,14 @@ data "cloudinit_config" "this" { } } -module "ec2_instance_nginx_proxy" { +module "ec2_instance_nginx" { count = var.reverse_proxy_type == "nginx" ? 1 : 0 name = "nginx-reverse-proxy" source = "../../modules/ec2-instance/default" ami = local.AmazonLinux2023AMI[module.globals.var.aws_region] instance_type = "t3.micro" subnet_ids = var.networking_outputs.main_vpc_public_subnet_ids - security_group_id = var.security_outputs.security_group_alb_id # Should have the same security group rules as alb + security_group_id = var.security_outputs.security_group_nginx_id user_data = data.cloudinit_config.this.rendered # user_data = templatefile("${path.module}/nginx_reverse_proxy.tpl", { @@ -140,7 +140,7 @@ module "ec2_instance_nginx_proxy" { module "ec2_instance_nginx_eip" { count = var.reverse_proxy_type == "nginx" ? 1 : 0 source = "../../modules/elastic-ip/default" - instance_id = module.ec2_instance_nginx_proxy[0].id + instance_id = module.ec2_instance_nginx[0].id } module "main_alb_access_logs_bucket" { diff --git a/common/services/outputs.tf b/common/services/outputs.tf index 2f213b3..2e56774 100644 --- a/common/services/outputs.tf +++ b/common/services/outputs.tf @@ -1,7 +1,7 @@ output "policy_documents" { value = [ try(module.service_discovery_namespace[0].policy_document, null), - try(module.ec2_instance_nginx_proxy[0].policy_document, null), + try(module.ec2_instance_nginx[0].policy_document, null), try(module.ec2_instance_nginx_eip[0].policy_document, null), try(module.main_alb[0].policy_document, null), try(module.main_alb_access_logs_bucket[0].policy_document, null),
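Review bot: Renaming `module "ec2_instance_nginx_proxy"` to `module "ec2_instance_nginx"` changes the module address, so on the next apply Terraform will plan to destroy the existing instance and create a new one, and the `ec2_instance_nginx_eip` hunk below then re-associates the Elastic IP to a fresh instance id — an outage and a re-run of cloud-init rather than a no-op rename. Add a top-level `moved` block with `from = module.ec2_instance_nginx_proxy` and `to = module.ec2_instance_nginx` so the state is migrated in place; moving the whole module address also covers the `[0]` instance of this counted module. Switching `security_group_id` to `var.security_outputs.security_group_nginx_id` presumably updates the instance in place if the module passes it to the instance's security-group list, but the removed comment was the only record of why the ALB group was used before; a short comment such as `# Dedicated group: ingress limited to Cloudflare on 443, see common/security/main.tf` would keep that intent visible. The module body continues outside the hunk.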