
Security Groups - Intermediate

Lesson 10

You know what a security group is and how to deploy one with Terraform. You can add multiple ingress rules and understand the ports and protocols used. In this lesson, you’ll be expanding on your knowledge by learning how to associate one of the EC2 instances you created with the security group you created. This means any traffic that wants to access your EC2 instance must first get through your security group.

As your EC2 instances stand now, they are publicly accessible by anyone, from anywhere, through any port. Putting your EC2 instance behind a security group is one way to control the type of traffic (and where it comes from) that can access your EC2 instance.

Currently, you have three ingress rules for your security group:

  ingress {
    description = "Inbound insecure internet traffic"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

This ingress rule allows insecure internet traffic in through port 80 from anywhere (["0.0.0.0/0"]).

  ingress {
    description = "Inbound secure internet traffic"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

This ingress rule allows secure internet traffic in through port 443 from anywhere (["0.0.0.0/0"]).

  ingress {
    description = "allow ssh from my computer"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["96.7.151.52/32"]
  }

This ingress rule allows ssh traffic in through port 22 from your computer (["96.7.151.52/32"]).

If you put your EC2 instance behind this security group, it will no longer be completely open; instead it can only be reached from the internet through port 80 or 443, or from your computer via ssh. It might not seem like it yet, but this makes your EC2 instance far more secure than it was before.

Let’s jump in and start building!

Table of contents

  1. Security Groups - Intermediate
  2. Referring to other terraform resources
    1. Connect an EC2 instance to the security group

Referring to other terraform resources

In AWS, most of your resources are working together or are, in some way, connected. You will almost never have an EC2 instance running alone in an account, completely separate from other resources. You’ll want to do things like put it behind a security group, in a specific VPC or subnet, or have it use a particular launch template (don’t worry, you haven’t learned about any of these yet). In the AWS console, if you wanted to put your EC2 instance behind a particular security group, you would navigate to the instance and pick the security group you want from a drop-down menu. It would be manual work every time you needed to change the security group.

You can do the same thing in Terraform, but without the manual work. Once you have the code set up, it’s there to stay. In your current ec2-terraform project you now have two EC2 instances and a security group, but they haven’t yet been connected – they are still completely separate from each other.

Given the current rules for your security group resource, and the knowledge that:

  • Your front-end EC2 instance should be accessible via the internet
  • Your back-end EC2 instance should not be accessible via the internet

Which EC2 instance do you think you will be associating with your security group?

Answer

The front-end EC2 instance!

The current ingress rules for your security group allow both insecure and secure internet traffic (http and https, respectively). As your front-end EC2 needs internet access (and your back-end EC2 doesn’t), you will be associating the front-end EC2 with the current security group.

We are going to use the above example to demonstrate how you can connect different resources you create together. This will become incredibly important later on as we build more and more resources that need to be connected. You should complete this lesson as many times as it takes for you to feel confident in the process.

Connect an EC2 instance to the security group

Currently, you have an ec2.tf file, which contains two EC2 instances, and a security_group.tf file, which contains a single security group. Right now, they are separate resources that aren’t associated in any way.

Let’s change that!

  1. Open up the ec2.tf file.
  2. For the front-end EC2 instance, add a new parameter: security_groups. The parameter security_groups accepts a list of strings. This means you could list the ids of multiple security groups if you wanted to.

  3. For now, we just need the id of the one security group we’ve created. We have two options to get it:
    • We could log in to AWS, find the security group, copy the id, then paste it into the security_groups list, OR
    • We could refer to the security group directly in terraform, without needing to go find the id in AWS.

      The first option isn’t ideal because

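Here is what the two files look like once the front-end instance refers to the security group directly. This is an added example rather than the lesson’s own files: the resource names web and front_end, the AMI and the instance type are assumed, and it uses vpc_security_group_ids, the aws_instance argument that takes security group ids (the security_groups argument takes group names and is meant for the default VPC).

```hcl
# security_group.tf (added example; the three rules are the lesson's,
# the resource name "web" is assumed)
resource "aws_security_group" "web" {
  name        = "front-end-web-sg"
  description = "HTTP/HTTPS from anywhere, ssh from one admin host"

  ingress {
    description = "Inbound insecure internet traffic"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "Inbound secure internet traffic"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "allow ssh from my computer"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["96.7.151.52/32"]
  }
  # Note: aws_security_group has no implicit egress rule in Terraform; with
  # no egress block the instance cannot open outbound connections at all.
}

# ec2.tf, front-end instance only (resource name, AMI and type assumed)
resource "aws_instance" "front_end" {
  ami           = "ami-0123456789abcdef0" # placeholder, not a real AMI id
  instance_type = "t3.micro"

  # Reference the group's id instead of pasting it from the console.
  # Terraform resolves the id after the group is created and orders the
  # two resources so the group always exists before the instance.
  vpc_security_group_ids = [aws_security_group.web.id]

  tags = { Name = "front-end" }
}
```

After terraform apply, the instance's Security groups tab in the console should show front-end-web-sg, and terraform plan should report no changes on a second run.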