Feature/simplify (#8)

* fix: add sg rule to connect

db version variable

* fix: remove bastion ec2 instance and templates

* feat: can limit traffic to ip is variable is set

* fix: disable nat

* fix: add alb output

* fix: enable nat

* revert: disable nat

* fix: s3 default encrytion

* fix: s3 default encrytion

* fix: s3 default encrytion

* fix: enable nat

* fix: remove encryption

* fix: s3 default encrytion

---------

Co-authored-by: bruvio <[email protected]>

Author: bruvio

bastion.tf

@@ -10,30 +10,42 @@ resource "aws_db_subnet_group" "main" {
 
 resource "aws_security_group" "rds" {
   description = "Allow access to the RDS database instance."
-  name        = "${var.project}-rds-inbound-access"
+  name        = "${var.prefix}-rds-inbound-access"
   vpc_id      = module.vpc.vpc_id
 
   ingress {
+    # Existing ingress rule for Bastion and ECS services
     protocol  = "tcp"
     from_port = 5432
     to_port   = 5432
     security_groups = [
-      aws_security_group.bastion.id,
+      # aws_security_group.bastion.id,
       aws_security_group.ecs_service.id,
     ]
   }
 
+  # ingress {
+  #   # New ingress rule for your local machine
+  #   protocol  = "tcp"
+  #   from_port = 5432
+  #   to_port   = 5432
+  #   cidr_blocks = [
+  #     "YOUR_PUBLIC_IP/32", # Replace YOUR_PUBLIC_IP with your actual public IP address
+  #   ]
+  # }
+
   tags = var.common_tags
 }
 
+
 resource "aws_db_instance" "main" {
   identifier                 = "${var.project}-db"
   db_name                    = var.db_name
   auto_minor_version_upgrade = true
   allocated_storage          = var.rds_storage
   storage_type               = "gp2"
   engine                     = "postgres"
-  engine_version             = "14"
+  engine_version             = var.engine_version
   instance_class             = var.rds_instance
   db_subnet_group_name       = aws_db_subnet_group.main.name
   password                   = var.db_password

database.tf

@@ -269,6 +269,7 @@ resource "aws_ecs_task_definition" "api" {
 # ----------------------------
 # Security Group for ECS Service
 # ----------------------------
+#trivy:ignore:AVD-AWS-0104
 resource "aws_security_group" "ecs_service" {
   description = "Access for the ECS service"
   name        = "${var.project}-ecs-service"
@@ -329,9 +330,9 @@ resource "aws_ecs_service" "api" {
     container_port   = 8000
   }
   enable_execute_command = var.enable_execute_command
-  
+
   health_check_grace_period_seconds = 300 # 5 minutes
-  
+
   depends_on = [aws_lb_listener.api_https]
 
   tags = var.common_tags

ecs.tf

@@ -32,14 +32,6 @@ resource "tls_private_key" "pk" {
   rsa_bits  = 4096
 }
 
-resource "aws_key_pair" "kp" {
-  key_name   = "${var.project}-${var.bastion_key_name}" # Create "myKey" to AWS!!var.bastion_key_name
-  public_key = tls_private_key.pk.public_key_openssh
-
-  provisioner "local-exec" { # Create "myKey.pem" to your computer!!
-    command = "echo '${tls_private_key.pk.private_key_pem}' > ./${var.project}-myKey.pem"
-  }
-}
 
 resource "aws_iam_policy" "AppApiCi-proxy" {
   name = "${var.project}-AppApi-CI-proxy"

iam.tf

@@ -1,9 +1,10 @@
+#trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "api" {
-  name               = "${var.project}-main"
-  load_balancer_type = "application"
-  subnets            = module.vpc.public_subnets
-
-  security_groups = [aws_security_group.lb.id]
+  name                       = "${var.project}-main"
+  load_balancer_type         = "application"
+  subnets                    = module.vpc.public_subnets
+  drop_invalid_header_fields = true
+  security_groups            = [aws_security_group.lb.id]
 
   tags = var.common_tags
 }
@@ -72,7 +73,7 @@ resource "aws_lb_listener_rule" "host_header_rule" {
   }
 }
 
-
+#trivy:ignore:AVD-AWS-0104
 resource "aws_security_group" "lb" {
   description = "Allow access to Application Load Balancer"
   name        = "${var.project}-lb"
@@ -83,13 +84,15 @@ resource "aws_security_group" "lb" {
     protocol    = "tcp"
     from_port   = 80
     to_port     = 80
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = var.private ? [var.my_ip] : ["0.0.0.0/0"] # Conditional ingress rule
+
   }
   ingress {
     protocol    = "tcp"
     from_port   = 443
     to_port     = 443
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = var.private ? [var.my_ip] : ["0.0.0.0/0"] # Conditional ingress rule
+
   }
 
   egress {
@@ -98,6 +101,8 @@ resource "aws_security_group" "lb" {
     to_port     = 8000
     cidr_blocks = ["0.0.0.0/0"]
   }
-
+  lifecycle {
+    create_before_destroy = true
+  }
   tags = var.common_tags
 }