Security Groups - Intermediate

Lesson 10

You know what a security group is and how to deploy one with Terraform. You can add multiple ingress rules and understand the ports and protocols used. In this lesson, you’ll be expanding on your knowledge by learning how to associate one of the EC2 instances you created with the security group you created. This means any traffic that wants to access your EC2 instance must first get through your security group.

As your EC2 instances stand now, nothing in your Terraform code says which traffic may reach them: they are launched without a security group of your own, so you are relying on whatever the VPC's default security group happens to allow. Putting your EC2 instance behind a security group you define is how you control the type of traffic (and where it comes from) that can reach it.

Currently, you have three ingress rules for your security group:

  ingress {
    description = "Inbound insecure internet traffic"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

This ingress rule allows insecure internet traffic in through port 80 from anywhere (["0.0.0.0/0"]).

  ingress {
    description = "Inbound secure internet traffic"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

This ingress rule allows secure (HTTPS) internet traffic in through port 443 from anywhere (["0.0.0.0/0"]).

  ingress {
    description = "allow ssh from my computer"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["96.7.151.52/32"]
  }

This ingress rule allows SSH traffic in through port 22 only from your computer (["96.7.151.52/32"]; a /32 matches a single address). Replace that address with your own public IP, and remember that if your IP changes, this rule has to change with it.

If you put your EC2 instance behind this security group, it will no longer be wide open: it can be reached from the internet only on ports 80 and 443, and on port 22 only from your computer. Anything else is dropped before it reaches the instance (security groups are stateful, so replies to connections you allowed in are let back out automatically). It might not seem like much yet, but this makes your EC2 instance considerably more secure than it was before.

Let’s jump in and start building!

Table of contents

  1. Security Groups - Intermediate
  2. Referring to other terraform resources
  3. Connect an EC2 instance to the security group
  4. Change the name of your security group
  5. Next Steps
    1. Redo the lesson (optional)
    2. Move On

Referring to other terraform resources

In AWS, most of your resources work together or are connected in some way. You will almost never have an EC2 instance running alone in an account, completely separate from other resources. You'll want to do things like put it behind a security group, in a specific VPC or subnet, or have it use a particular launch template (don't worry, you haven't learned about any of these yet). In the AWS console, if you wanted to put your EC2 instance behind a particular security group, you would navigate to the instance and pick the security group you want from a drop-down menu. It would be manual work every time you needed to change the security group.

You can do the same thing in Terraform, but without the manual work. Once you have the code set up, it’s there to stay. In your current ec2-terraform project you now have two EC2 instances and a security group, but they haven’t yet been connected – they are still completely separate from each other.

Given the current rules for your security group resource, and the knowledge that:

  • Your front-end EC2 instance should be accessible via the internet
  • Your back-end EC2 instance should not be accessible via the internet

Which EC2 instance do you think you will be associating with your security group?

Answer

The front-end EC2 instance!

The current ingress rules for your security group allow both insecure and secure internet traffic (HTTP and HTTPS, respectively) from anywhere. As your front-end EC2 instance needs to accept connections from the internet (and your back-end instance must not), you will be associating the front-end instance with the current security group.

We are going to use the above example to demonstrate how you can connect different resources you create together. This will become incredibly important later on as we build more and more resources that need to be connected. You should complete this lesson as many times as it takes for you to feel confident in the process.

Connect an EC2 instance to the security group

Currently, you have an ec2.tf file, which contains two EC2 instances and a security_group.tf file, which contains a single security group. Right now, they are separate resources that aren’t associated in any way.

Let’s change that!

For now, we just need a way to point the instance at the one security group we've created. We have two options:

  • We could log in to AWS, find the security group, copy its name (or id), then paste it into the security_groups list, OR
  • We could refer to the security group directly in Terraform, without needing to go find anything in AWS.

    The first option isn't ideal because every time we would have to first run terraform apply to create the security group, then do all the manual work of finding the newly created security group, then go back into Terraform, paste in the value, then run terraform apply again. We would have to do this any time we needed to launch our whole stack for a new client or new application. Not ideal.

    The second option takes out all the manual work! If we refer to the security group resource in Terraform (instead of the value it will have once deployed), Terraform resolves the reference at apply time, works out that the security group must be created before the instance, and associates the two.

  1. Open up the ec2.tf file.
  2. For the front-end EC2 instance, add a new parameter: security_groups. This parameter accepts a list of strings, so you could list the names of multiple security groups if you wanted to.
  3. To associate resources in terraform, you will use similar syntax every time. In the security_groups parameter, start typing: aws_ and see what autocomplete options show up.
  4. You should notice that you have two options: instance (aws_instance) and security_group (aws_security_group). This is because your code editor scans your Terraform code and looks for the resources you have. This scan shows that you have at least one instance resource and at least one security group resource.
  5. We want to associate our security_group so choose it from the dropdown.
  6. Then type . and see what autocomplete options you have. Now, you will need to choose which security group you want to associate. Because you only have one security group, you only see one option right now: yourname-security-group.
  7. Choose yourname-security-group from the options and type . again. You will see a long list of autocomplete options.
  8. Now, you need to decide what information about the security group you need: the arn, name, id, etc. In this case, you need the name, so choose name from the options.

    Note: In most cases, you will need the id of a resource, but sometimes you will need other identifiers, such as the name or arn (similar to an id). In this course, we will always tell you what you need, but you can also find it for yourself by searching through the Terraform docs (a topic we will also cover later). You need the name currently because the security_groups argument on aws_instance takes security group names, and it is only valid when your security group and instances are deploying into the default Virtual Private Cloud (VPC). Once you create your own VPC, we'll switch to the vpc_security_group_ids argument, which takes ids instead.

  9. You’re done! You’ve now told your front-end EC2 instance it needs to be “behind” the security group you’ve created (yourname-security-group).
  10. Run terraform apply, then log in to AWS and verify your front-end EC2 instance is associated with the correct security group (and that the back-end instance is not).
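The finished ec2.tf that the steps above produce, written out here as an added example (it is not the course's own file). The resource labels frontend and backend, the ami_id variable, and the tag values are assumptions; the security group is assumed to be declared in security_group.tf as aws_security_group.yourname-security-group, as in the lesson. The output at the end is a Terraform-side way to do the check in step 10.

```hcl
# ec2.tf (added example; labels "frontend", "backend" and the ami_id
# variable are assumptions, not names from the course)

variable "ami_id" {
  description = "AMI to launch; assumed to be supplied in a .tfvars file"
  type        = string
}

resource "aws_instance" "frontend" {
  ami           = var.ami_id
  instance_type = "t2.micro"

  # Reference the security group by its Terraform address instead of a
  # pasted value. Terraform reads the dependency from this expression and
  # creates the group before the instance. security_groups takes group
  # names and only works in the default VPC.
  security_groups = [aws_security_group.yourname-security-group.name]

  # In a VPC you create yourself, use the id-based argument instead:
  # vpc_security_group_ids = [aws_security_group.yourname-security-group.id]

  tags = {
    Name = "yourname-frontend"
  }
}

resource "aws_instance" "backend" {
  ami           = var.ami_id
  instance_type = "t2.micro"

  # Deliberately not attached to yourname-security-group: that group opens
  # ports 80 and 443 to 0.0.0.0/0, and the back end must not be reachable
  # from the internet.

  tags = {
    Name = "yourname-backend"
  }
}

# Check from the Terraform side: after `terraform apply`, this output lists
# the security group names the AWS API reports on the front-end instance.
output "frontend_security_groups" {
  value = aws_instance.frontend.security_groups
}
```

Run terraform plan before applying: the plan should show the front-end instance picking up the group name and the group being created first, and the back-end instance untouched. After apply, terraform output frontend_security_groups should list yourname-security-group's name, matching what you see in the console.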

Change the name of your security group

There are two different "names" involved, and they behave differently:

  • The resource label (yourname-security-group in aws_security_group.yourname-security-group) exists only in your code. Terraform tracks resources by this address, so if you change it, Terraform plans to destroy the old group and create a new one unless you tell it about the move (terraform state mv, or a moved block in newer Terraform versions). Every reference to the old label also breaks, so update the security_groups entry in ec2.tf to the new label as well.
  • The name argument inside the security group block is what AWS stores. AWS does not allow renaming a security group in place, so Terraform will destroy the old group and create a new one with the new name. Because your instance refers to the name through Terraform, you don't need to re-associate anything by hand, but read the plan before you apply and check whether the instance itself is shown as being replaced along with the group.

Change one of them, run terraform plan, read what Terraform intends to do, then run terraform apply and verify in AWS as before.

Next Steps

You’ve now covered what type of EC2 instance would go behind the security group you have created and how to associate resources in Terraform. How you feel about referring to resources and why you associated your front-end EC2 to your security group determines what you should do next.

Redo the lesson (optional)

If you don’t feel as comfortable as you’d like with the above lesson, you can start over.

  • In your ec2.tf file, simply delete the line:

     security_groups = [aws_security_group.yourname-security-group.name]
    

You’ll then be back to where you started! Head to the beginning of the lesson.

Move On

Once you understand:

  • How to associate a resource in Terraform with another resource
  • How to update names of resources
  • Why ingress rules for ports 80 and 443 mean only the front-end instance should be associated with this security group

You should feel confident moving on to the next lesson, Advanced Security Groups.