From d18f997e24e1562d71d22d7c7090d736ea2293fe Mon Sep 17 00:00:00 2001
From: sakruthiJupalli
Date: Wed, 15 Mar 2023 17:11:28 -0400
Subject: [PATCH 1/7] update qldb module
---
 terraform-modules/aws/qldb/main.tf | 29 +++++++++++++++++++++++++
 terraform-modules/aws/qldb/variables.tf | 12 ++++++++++
 2 files changed, 41 insertions(+)
diff --git a/terraform-modules/aws/qldb/main.tf b/terraform-modules/aws/qldb/main.tf
index 8dcb87819..81a952ca4 100644
--- a/terraform-modules/aws/qldb/main.tf
+++ b/terraform-modules/aws/qldb/main.tf
@@ -2,5 +2,34 @@ resource "aws_qldb_ledger" "this" {
 name = var.name
 permissions_mode = var.permissions_mode
 deletion_protection = var.deletion_protection
+ kms_key = var.kms_key
 tags = var.tags
+
+ vpc_configuration {
+ subnet_ids = var.subnet_ids
+ security_group_ids = [aws_security_group.this.id]
+ }
 }
+resource "aws_security_group" "this" {
+ name = var.name
+ description = "qldb security group"
+ vpc_id = var.vpc_id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/qldb/variables.tf b/terraform-modules/aws/qldb/variables.tf
index 08e8003c2..beba59c82 100644
--- a/terraform-modules/aws/qldb/variables.tf
+++ b/terraform-modules/aws/qldb/variables.tf
@@ -21,3 +21,15 @@ variable "tags" {
 default = {}
 description = "AWS Tags"
 }
+
+variable "subnet_ids" {
+ type = list(string)
+ default = []
+ description = "(Required) The private subnet IDs in which the environment should be created. MWAA requires two subnets."
+}
+
+variable "vpc_id" {
+ type = string
+ default = ""
+ description = "The vpc ID"
+}
\ No newline at end of file
From 697df8f0b11118907a88c2467868f93459485bcc Mon Sep 17 00:00:00 2001
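Review bot: The `subnet_ids` description in the variables.tf hunk is copied from an MWAA module ("the environment", "MWAA requires two subnets") and says "(Required)" while the same hunk gives it `default = []`; `vpc_id` likewise gets `default = ""`. Both values are consumed by the resources added in this patch's main.tf hunk, so a caller that omits them gets a provider/API error at apply instead of a clear missing-variable message at plan; removing the two `default` lines lets Terraform enforce them. The description should state what this module does with the value, e.g. `description = "Private subnet IDs in which this module's VPC resources are created"`.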
From: sakruthiJupalli
Date: Wed, 15 Mar 2023 17:21:28 -0400
Subject: [PATCH 2/7] remove redundant code
---
 terraform-modules/aws/qldb/main.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform-modules/aws/qldb/main.tf b/terraform-modules/aws/qldb/main.tf
index 81a952ca4..2fcb47924 100644
--- a/terraform-modules/aws/qldb/main.tf
+++ b/terraform-modules/aws/qldb/main.tf
@@ -2,7 +2,6 @@ resource "aws_qldb_ledger" "this" {
 name = var.name
 permissions_mode = var.permissions_mode
 deletion_protection = var.deletion_protection
- kms_key = var.kms_key
 tags = var.tags

 vpc_configuration {
From ce876f506dbe111f227cceb9fa7466483d10cb08 Mon Sep 17 00:00:00 2001
From: sakruthiJupalli
Date: Wed, 15 Mar 2023 18:10:14 -0400
Subject: [PATCH 3/7] add security group
---
 terraform-modules/aws/qldb/main.tf | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/terraform-modules/aws/qldb/main.tf b/terraform-modules/aws/qldb/main.tf
index 2fcb47924..4296044b2 100644
--- a/terraform-modules/aws/qldb/main.tf
+++ b/terraform-modules/aws/qldb/main.tf
@@ -3,14 +3,10 @@ resource "aws_qldb_ledger" "this" {
 permissions_mode = var.permissions_mode
 deletion_protection = var.deletion_protection
 tags = var.tags
-
- vpc_configuration {
- subnet_ids = var.subnet_ids
- security_group_ids = [aws_security_group.this.id]
- }
 }
+
 resource "aws_security_group" "this" {
- name = var.name
+ name = "qldb-${var.name}"
 description = "qldb security group"
 vpc_id = var.vpc_id

From fdd897d38f9a0a1b82e68dde454593ee0da3dc61 Mon Sep 17 00:00:00 2001
From: sakruthiJupalli
Date: Wed, 15 Mar 2023 18:27:38 -0400
Subject: [PATCH 4/7] added vpc endpoint for qldb
---
 terraform-modules/aws/qldb/main.tf | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/terraform-modules/aws/qldb/main.tf b/terraform-modules/aws/qldb/main.tf
index 4296044b2..d1716ea37 100644
--- a/terraform-modules/aws/qldb/main.tf
+++ b/terraform-modules/aws/qldb/main.tf
@@ -5,7 +5,7 @@ resource "aws_qldb_ledger" "this" {
 tags = var.tags
 }

-resource "aws_security_group" "this" {
+resource "aws_security_group" "qldb" {
 name = "qldb-${var.name}"
 description = "qldb security group"
 vpc_id = var.vpc_id
@@ -26,5 +26,18 @@ resource "aws_security_group" "this" {
 ipv6_cidr_blocks = ["::/0"]
 }

+ tags = var.tags
+}
+
+resource "aws_vpc_endpoint" "qldb" {
+ vpc_id = var.vpc_id
+ service_name = "com.amazonaws.us-west-2.qldb.session"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = [aws_security_group.qldb.id]
+ subnet_ids = var.subnet_ids
+
+ private_dns_enabled = true
+
 tags = var.tags
 }
\ No newline at end of file
From 390d0127c3864daf165e946c563fccbee01e4c78 Mon Sep 17 00:00:00 2001
From: sakruthiJupalli
Date: Thu, 16 Mar 2023 11:44:42 -0400
Subject: [PATCH 5/7] added output for the VPC endpoint
---
 terraform-modules/aws/qldb/outputs.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform-modules/aws/qldb/outputs.tf b/terraform-modules/aws/qldb/outputs.tf
index 9a28b8721..4b4bf800c 100644
--- a/terraform-modules/aws/qldb/outputs.tf
+++ b/terraform-modules/aws/qldb/outputs.tf
@@ -5,3 +5,8 @@ output "id" {
 output "arn" {
 value = aws_qldb_ledger.this.arn
 }
+
+output "vpc_endpoint_id" {
+ value = aws_vpc_endpoint.qldb.id
+}
+
From d8c58b076b834aff727b67b9d6eaf89a70e75fa1 Mon Sep 17 00:00:00 2001
From: sakruthiJupalli
Date: Thu, 16 Mar 2023 13:38:02 -0400
Subject: [PATCH 6/7] updated security group rules
---
 terraform-modules/aws/qldb/main.tf | 32 +++++++++++++++----------
 terraform-modules/aws/qldb/variables.tf | 30 +++++++++++++++++++++++
 2 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/terraform-modules/aws/qldb/main.tf b/terraform-modules/aws/qldb/main.tf
index d1716ea37..642808eba 100644
--- a/terraform-modules/aws/qldb/main.tf
+++ b/terraform-modules/aws/qldb/main.tf
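Review bot: `service_name = "com.amazonaws.us-west-2.qldb.session"` in the `aws_vpc_endpoint` hunk hard-codes the region, so the module points at the wrong service (or fails) when applied anywhere but us-west-2; derive it instead with `data "aws_region" "current" {}` and `service_name = "com.amazonaws.${data.aws_region.current.name}.qldb.session"`. The endpoint also sets no `policy`, so AWS's default full-access endpoint policy applies to every principal reaching it through this VPC; if the QLDB session endpoint honours endpoint policies (confirm against the AWS documentation), a policy scoped to `aws_qldb_ledger.this.arn` keeps the private path limited to the ledger this module creates. The `aws_security_group` resource that the hunk starts inside begins outside it.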
@@ -10,20 +10,28 @@ resource "aws_security_group" "qldb" {
 description = "qldb security group"
 vpc_id = var.vpc_id

- ingress {
- description = "TLS from VPC"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ dynamic "ingress" {
+ for_each = var.ingress_rule
+ content {
+ description = ingress.value["description"]
+ from_port = ingress.value["from_port"]
+ to_port = ingress.value["to_port"]
+ protocol = ingress.value["protocol"]
+ cidr_blocks = ingress.value["cidr_blocks"]
+ ipv6_cidr_blocks = ingress.value["ipv6_cidr_blocks"]
+ }
 }

- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
+ dynamic "egress" {
+ for_each = var.egress_rule
+ content {
+ description = egress.value["description"]
+ from_port = egress.value["from_port"]
+ to_port = egress.value["to_port"]
+ protocol = egress.value["protocol"]
+ cidr_blocks = egress.value["cidr_blocks"]
+ ipv6_cidr_blocks = egress.value["ipv6_cidr_blocks"]
+ }
 }

 tags = var.tags
diff --git a/terraform-modules/aws/qldb/variables.tf b/terraform-modules/aws/qldb/variables.tf
index beba59c82..c56994a63 100644
--- a/terraform-modules/aws/qldb/variables.tf
+++ b/terraform-modules/aws/qldb/variables.tf
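Review bot: Every `ingress.value["…"]` and `egress.value["…"]` lookup in the two `dynamic` blocks assumes the caller's rule object carries all six keys; because the variables feeding them are typed `list(any)`, a rule that omits `description` or `ipv6_cidr_blocks` fails the plan with an index error inside this resource rather than a message naming the variable. For those two keys, which are the only ones a security-group rule does not strictly need, `description = try(ingress.value["description"], null)` and `ipv6_cidr_blocks = try(ingress.value["ipv6_cidr_blocks"], [])` (and the matching two lines in the egress block) tolerate the omission while keeping the strict lookups for the port, protocol and CIDR fields that must be present. The `aws_security_group "qldb"` resource begins and ends outside the hunk.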
@@ -32,4 +32,34 @@ variable "vpc_id" {
 type = string
 default = ""
 description = "The vpc ID"
+}
+
+variable "ingress_rule" {
+ type = list(any)
+ description = "A list of ingress rules"
+ default = [
+ {
+ description = "All ports from internal addresses"
+ from_port = 0
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ ipv6_cidr_blocks = []
+ },
+ ]
+}
+
+variable "egress_rule" {
+ type = list(any)
+ description = "A list of egress rules"
+ default = [
+ {
+ description = "All ports from internal addresses"
+ from_port = 0
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ ipv6_cidr_blocks = ["::/0"]
+ },
+ ]
 }
\ No newline at end of file
From 714ef502440e177f73b2962e7c15c5e1342c2159 Mon Sep 17 00:00:00 2001
From: sakruthiJupalli
Date: Thu, 16 Mar 2023 14:11:15 -0400
Subject: [PATCH 7/7] updated rules to more restricted traffic
---
 terraform-modules/aws/qldb/variables.tf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/terraform-modules/aws/qldb/variables.tf b/terraform-modules/aws/qldb/variables.tf
index c56994a63..a087d7bcd 100644
--- a/terraform-modules/aws/qldb/variables.tf
+++ b/terraform-modules/aws/qldb/variables.tf
@@ -39,9 +39,10 @@ variable "ingress_rule" {
 description = "A list of ingress rules"
 default = [
 {
- description = "All ports from internal addresses"
- from_port = 0
- to_port = 65535
+ description = "TLS from VPC"
+ //Port 443 is commonly used port for secure HTTPS traffic
+ from_port = 443
+ to_port = 443
 protocol = "tcp"
 cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 ipv6_cidr_blocks = []
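Review bot: The new `ingress_rule` variable lets any caller replace the default with an arbitrary rule list, and nothing in the hunk rejects a source of `0.0.0.0/0` or `::/0`, so the module's one guard rail (the restricted default) disappears the moment a caller overrides it. A `validation` block on the variable turns that into a plan-time error with a message that names the variable; it needs a Terraform version with variable validation and `alltrue()`, which the module's `required_version` (not in this hunk) should confirm. The `try()` on `ipv6_cidr_blocks` is there because the `list(any)` type does not guarantee the key is present.
```hcl
variable "ingress_rule" {
  # … unchanged: type, description, default …
  validation {
    condition = alltrue([
      for r in var.ingress_rule :
      !contains(r.cidr_blocks, "0.0.0.0/0") && !contains(try(r.ipv6_cidr_blocks, []), "::/0")
    ])
    error_message = "ingress_rule must not admit 0.0.0.0/0 or ::/0; the QLDB endpoint should only be reachable from VPC address space."
  }
}
```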
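Review bot: The new `description = "TLS from VPC"` in the `ingress_rule` default overstates the restriction: the unchanged `cidr_blocks` line below it still admits all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which is every peered or transit-gateway-attached network in private address space, not just this VPC. Either describe what the default actually allows, `description = "HTTPS from RFC 1918 address space"`, or document that callers should pass the VPC CIDR as the source; a variable default cannot reference a data source, so the module cannot narrow this to the VPC on its own. The `//Port 443 is commonly used port for secure HTTPS traffic` comment restates the value; `# HTTPS to the QLDB session endpoint` would give the reason instead.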
@@ -54,9 +55,10 @@ variable "egress_rule" {
 description = "A list of egress rules"
 default = [
 {
- description = "All ports from internal addresses"
- from_port = 0
- to_port = 65535
+ description = "Allow outbound HTTPS traffic to VPC"
+ //Port 443 is commonly used port for secure HTTPS traffic
+ from_port = 443
+ to_port = 443
 protocol = "tcp"
 cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 ipv6_cidr_blocks = ["::/0"]
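Review bot: `description = "Allow outbound HTTPS traffic to VPC"` does not match the unchanged `ipv6_cidr_blocks = ["::/0"]` line that closes the hunk, which opens port 443 outbound to every IPv6 destination. Security groups are stateful and this group is attached to the interface endpoint added earlier in the series (`security_group_ids = [aws_security_group.qldb.id]` on `aws_vpc_endpoint.qldb`), whose network interfaces only answer inbound sessions, so the egress rule is not needed for the endpoint to function; at minimum set `ipv6_cidr_blocks = []` so the default does what its description says.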