
I wanted to create a security group which allows users to travel through ports 443 and 80. I need port 443 for downloading GitHub Actions packages, however it says that the connection timed out. If I add the group "ALL ICMP - IPv4" in the AWS GUI, it works. How do I need to adjust my Terraform file so that these two ports don't get blocked?

Terraform file:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
  }
  required_version = ">= 1.2.0"
}

provider "aws" {
  region = "us-east-1"
}

# cloud-init.yaml is read as-is; it uses no template variables
data "template_file" "nginx" {
  template = file("./cloud-init.yaml")
}

resource "aws_key_pair" "deployer" {
  key_name   = "gb"
  # public_key is required by the provider; the post omitted it and the path below is an assumption
  public_key = file("~/.ssh/gb.pub")
}

resource "aws_security_group" "gradebook" {
  name        = "gradebook"
  description = "Security group for Gradebook server"

  # SSH from anywhere
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  # HTTP from anywhere
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All protocols, all ports, from anywhere: this single rule admits every inbound packet,
  # so the port-specific ingress rules above and below add nothing while it is present
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # HTTPS from anywhere
  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All outbound traffic; this, not an ingress rule, is what an outbound download needs
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web_server" {
  ami                    = "ami-0574da719dca65348"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.gradebook.id]
  user_data              = data.template_file.nginx.rendered
  key_name               = aws_key_pair.deployer.key_name

  tags = {
    Name = "BOSSES_gradebook_nginx"
  }
}
crvxッ

1 Answer

This ingress rule overrides all other ingress rules, as it allows all traffic, so the other rules aren't currently doing anything:

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

The other ingress rules for port 80 and port 443 should only exist if you actually have some sort of web server software running on the EC2 instance. No ingress rules at all are needed in order to perform a download.

This egress rule allows the EC2 server to download from anywhere:

  egress {
    protocol   = "-1"
    from_port  = 0
    to_port    = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

If you are getting a network timeout when trying to download things from the Internet on the EC2 instance, then the issue is most likely that the EC2 instance simply doesn't have Internet access. To have Internet access the EC2 instance either needs to have a public IP assigned to it and be in a subnet with a route to an Internet Gateway, or it needs to be in a subnet with a route to a NAT Gateway.

Mark B
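As an added example (not the asker's or the answerer's code), here is the Terraform that gives the instance the Internet path the answer describes: a VPC, a public subnet with a default route to an Internet Gateway, a public IP on the instance, and a security group without the all-traffic ingress rule. The VPC and subnet CIDRs, the resource names, and the administrative range 203.0.113.0/24 used for SSH are assumptions; the AMI ID and the aws_key_pair.deployer resource are reused from the question and are assumed to exist in the same configuration.

```hcl
# Added example: network plumbing for outbound Internet access, plus a tightened security group.
# CIDRs, names and the SSH source range are assumptions for illustration.

resource "aws_vpc" "gradebook" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true   # the instance must resolve github.com before it can connect
  enable_dns_hostnames = true
}

resource "aws_internet_gateway" "gradebook" {
  vpc_id = aws_vpc.gradebook.id
}

# Public subnet: instances launched here get a public IPv4 address
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.gradebook.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}

# Default route to the Internet Gateway; without this the subnet has no way out of the VPC
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.gradebook.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gradebook.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_security_group" "gradebook" {
  name        = "gradebook"
  description = "Security group for Gradebook server"
  vpc_id      = aws_vpc.gradebook.id

  # SSH only from an administrative range (assumed); 0.0.0.0/0 here would expose the host to the whole Internet
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["203.0.113.0/24"]
  }

  # HTTP and HTTPS from anywhere: needed only because nginx serves clients, not for downloads
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: this rule is what lets the instance reach GitHub. Security groups are stateful,
  # so reply packets of an outbound connection are admitted without any ingress rule.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web_server" {
  ami                         = "ami-0574da719dca65348"
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.public.id
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.gradebook.id]
  user_data                   = file("./cloud-init.yaml")
  key_name                    = aws_key_pair.deployer.key_name

  tags = {
    Name = "BOSSES_gradebook_nginx"
  }
}
```

If the instance must stay in a private subnet instead, keep the same egress rule and point that subnet's 0.0.0.0/0 route at an aws_nat_gateway placed in the public subnet rather than at the Internet Gateway; the instance then needs no public IP. Either way, the "protocol = -1" ingress rule from the question is gone: it was never part of the fix, and it left every port on the host reachable from anywhere.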