创建安全资源
有了新的VPC,我们现在可以继续部署安全资源。我们将在VPC中创建安全组和VPC endpoint, VPC endpoint可以让我们以私有方式连接到受支持的AWS服务和由AWS PrivateLink提供支持的VPC endpoint服务。VPC实例无需公有IP地址即可与服务资源进行通信。Amazon VPC与服务之间的流量不会离开Amazon网络。
创建资源
- aws_security_group - 创建一个安全组,用于控制允许进入和离开资源的流量
- aws_vpc_endpoint - 创建一个VPC端点(VPCE),可让客户以私有方式连接到受支持的AWS服务
打开terraform文件夹中的main.tf,添加以下内容并保存文件
# Security Groups
resource "aws_security_group" "nfs" {
name_prefix = "${var.namespace}-nfs-"
vpc_id = aws_vpc.default.id
ingress {
description = "Allow any NFS traffic from private subnets" # 允许来自私有子网的NFS流量
cidr_blocks = concat(values(aws_subnet.private)[*].cidr_block, values(aws_subnet.private_ingress)[*].cidr_block)
from_port = 2049 # NFS默认端口
to_port = 2049
protocol = "tcp"
}
egress {
description = "Allow all outbound traffic" # 允许所有出站流量
cidr_blocks = ["0.0.0.0/0"] # IPv4任意地址
ipv6_cidr_blocks = ["::/0"] # IPv6任意地址
from_port = 0
to_port = 0
protocol = "-1" # 所有协议
}
}
resource "aws_security_group" "app" {
name_prefix = "${var.namespace}-app-" # 应用安全组名称前缀
vpc_id = aws_vpc.default.id
ingress {
description = "Allow HTTPS from any IP" # 允许来自任意IP的HTTPS流量
cidr_blocks = ["0.0.0.0/0"]
from_port = 443 # HTTPS端口
to_port = 443
protocol = "tcp"
}
ingress {
description = "Allow HTTP from any IP" # 允许来自任意IP的HTTP流量
cidr_blocks = ["0.0.0.0/0"]
from_port = 80 # HTTP端口
to_port = 80
protocol = "tcp"
}
egress {
description = "Allow all outbound traffic" # 允许所有出站流量
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
from_port = 0
to_port = 0
protocol = "-1"
}
}
resource "aws_security_group" "db" {
name_prefix = "${var.namespace}-db-" # 数据库安全组名称前缀
vpc_id = aws_vpc.default.id
ingress {
description = "Allow incoming traffic for MySQL" # 允许MySQL入站流量
from_port = 3306 # MySQL默认端口
to_port = 3306
protocol = "tcp"
cidr_blocks = concat(values(aws_subnet.private)[*].cidr_block, values(aws_subnet.private_ingress)[*].cidr_block) # 仅允许来自私有子网的访问
}
egress {
description = "Allow all outbound traffic" # 允许所有出站流量
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
resource "aws_security_group" "any" {
name_prefix = "${var.namespace}-any-" # 通用安全组名称前缀
vpc_id = aws_vpc.default.id
ingress {
description = "Allow any incoming traffic " # 允许任意入站流量
from_port = 0
to_port = 0
protocol = -1 # 所有协议
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
egress {
description = "Allow all outbound traffic" # 允许所有出站流量
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# Create VPC endpoints
resource "aws_vpc_endpoint" "interface" {
for_each = toset(["ssm", "ssmmessages", "ec2messages", "secretsmanager"]) # 创建4个接口类型的VPC端点
vpc_id = aws_vpc.default.id
service_name = "com.amazonaws.${data.aws_region.current.name}.${each.key}" # AWS服务端点名称
vpc_endpoint_type = "Interface" # 接口类型端点
private_dns_enabled = true # 启用私有DNS
subnet_ids = values(aws_subnet.private_ingress)[*].id # 部署在私有入口子网
security_group_ids = [aws_security_group.any.id] # 使用通用安全组
tags = {
Name = "${var.namespace}-endpoint-${each.key}" # 端点名称标签
}
}
resource "aws_vpc_endpoint" "gateway" {
for_each = toset(["s3"]) # 创建S3网关类型端点
vpc_id = aws_vpc.default.id
service_name = "com.amazonaws.${data.aws_region.current.name}.${each.key}" # S3服务端点名称
tags = {
Name = "${var.namespace}-endpoint-${each.key}" # 端点名称标签
}
}
通过更新main.tf,我们创建安全组来限制对应用程序、数据库、网络文件存储的访问,并创建VPC endpoint
-
运行命令
terraform validate来验证语法 -
运行命令
terraform plan -
运行命令
terraform apply来应用部署
查看部署
返回VPC控制台并验证我们的Terraform部署中是否创建了相应的安全资源:
安全组 - 共4个:
endpoint -共5个 :
现在我们已经确认创建了安全资源,接下来创建应用程序资源。