skkuding · donghun1214 · Jan 6, 2025 · Jan 6, 2025
diff --git a/apps/infra/production/network/modules/security_group/main.tf b/apps/infra/production/network/modules/security_group/main.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.82"
+    }
+  }
+}
+
+provider "aws" {
+  region = "ap-northeast-2"
+}
diff --git a/apps/infra/production/network/modules/security_group/outputs.tf b/apps/infra/production/network/modules/security_group/outputs.tf
@@ -0,0 +1,3 @@
+output "security_group_ids" {
+  value = { for name, sg in aws_security_group.this : name => sg.id }
+}
diff --git a/apps/infra/production/network/modules/security_group/security_group.tf b/apps/infra/production/network/modules/security_group/security_group.tf
@@ -0,0 +1,21 @@
+resource "aws_security_group" "this" {
+  for_each = var.security_groups
+
+  name = each.value.name
+  tags = {
+    Name = each.value.tags_name
+  }
+
+  description = each.value.description
+  vpc_id      = each.value.vpc_id
+
+  ingress = each.value.ingress
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+}
diff --git a/apps/infra/production/network/modules/security_group/variables.tf b/apps/infra/production/network/modules/security_group/variables.tf
@@ -0,0 +1,24 @@
+variable "security_groups" {
+  type = map(object({
+    name        = string
+    tags_name   = string
+    description = string
+    vpc_id      = string
+
+
+    ingress = list(object({
+      description = string
+      from_port   = string
+      to_port     = string
+      protocol    = string
+
+      security_groups = optional(list(string))
+      cidr_blocks     = optional(list(string))
+
+      ipv6_cidr_blocks = optional(list(string), [])
+      prefix_list_ids  = optional(list(string), [])
+      self             = optional(bool, false)
+    }))
+  }))
+  description = "The security group for launch template network inteface. e.g. {name='codedang-sg', description='codedang allow you', tags_name='codedang-sg', ingress={description='from you', from_port=11111, to_port=22222, protocol='tcp'}}"
+}
diff --git a/apps/infra/production/network/nat_instance.tf b/apps/infra/production/network/nat_instance.tf
@@ -0,0 +1,38 @@
+resource "aws_instance" "nat_instance" {
+  ami                    = "ami-08271b263d7b4ae11"
+  instance_type          = "t4g.micro"
+  subnet_id              = var.nat_subnet_id
+  vpc_security_group_ids = [module.nat_security_groups.security_group_ids["sg_nat_instance"]]
+  source_dest_check      = false
+  key_name               = "nat-instance"
+
+  user_data = <<-EOF
+              #!/bin/bash
+              # 1. iptables 서비스 활성화
+              sudo yum install -y iptables-services
+              sudo systemctl enable iptables
+              sudo systemctl start iptables
+
+              # 2. IP 포워딩 활성화 및 영구 설정
+              echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/custom-ip-forwarding.conf
+              sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+
+              # 3. iptables NAT 설정
+              # t4g 시리즈는 Nitro 기반이므로 ens5 사용 (주의!)
+              sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
+              sudo iptables -F FORWARD
+              sudo service iptables save
+              EOF
+
+  tags = {
+    Name = "Codedang-NAT-Instance"
+  }
+}
+
+resource "aws_eip" "nat_instance" {
+  instance = aws_instance.nat_instance.id
+
+  tags = {
+    Name = "Codedang-NAT-Instance"
+  }
+}
diff --git a/apps/infra/production/network/private_network.tf b/apps/infra/production/network/private_network.tf
@@ -3,7 +3,7 @@ resource "aws_route_table" "private" {
 
   route {
     cidr_block           = "0.0.0.0/0"
-    network_interface_id = var.nat_network_interface_id
+    network_interface_id = aws_instance.nat_instance.primary_network_interface_id
   }
 
   tags = {

diff --git a/apps/infra/production/network/security_group.tf b/apps/infra/production/network/security_group.tf
@@ -0,0 +1,199 @@
+module "lb_security_groups" {
+  source = "./modules/security_group"
+
+  security_groups = {
+    sg_admin = {
+      name        = "Codedang-SG-LB-Admin"
+      tags_name   = "Codedang-SG-LB-Admin"
+      description = "Allow WEB inbound traffic"
+      vpc_id      = aws_vpc.main.id
+      ingress = [
+        {
+          description = "HTTP"
+          from_port   = 80
+          to_port     = 80
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          description = "HTTPS"
+          from_port   = 443
+          to_port     = 443
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        }
+      ]
+    }
+    sg_client = {
+      name        = "Codedang-SG-LB-Client"
+      tags_name   = "Codedang-SG-LB-Client"
+      description = "Allow WEB inbound traffic"
+      vpc_id      = aws_vpc.main.id
+      ingress = [
+        {
+          description = "HTTP"
+          from_port   = 80
+          to_port     = 80
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          description = "HTTPS"
+          from_port   = 443
+          to_port     = 443
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        }
+      ]
+    }
+  }
+}
+
+module "ssh_security_groups" {
+  source = "./modules/security_group"
+
+  security_groups = {
+    sg_ssh = {
+      name        = "Codedang-AllowSSH"
+      tags_name   = "Codedang-AllowSSH"
+      description = "Allow SSH for Codedang debug"
+      vpc_id      = aws_vpc.main.id
+      ingress = [
+        {
+          description = "SSH"
+          from_port   = 22
+          to_port     = 22
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        }
+      ]
+    }
+  }
+}
+
+module "app_security_groups" {
+  source = "./modules/security_group"
+  #depends_on = [module.storage_security_groups]
+
+  security_groups = {
+    sg_ecs_api = {
+      name        = "Codedang-SG-ECS-Api"
+      tags_name   = "Codedang-SG-ECS-Api"
+      description = "Allow ECS inbound traffic"
+      vpc_id      = aws_vpc.main.id
+      ingress = [
+        {
+          description = "SSH"
+          from_port   = 22
+          to_port     = 22
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          description = "From ALB"
+          from_port   = 32768
+          to_port     = 65535
+          protocol    = "tcp"
+
+          security_groups = [
+            module.lb_security_groups.security_group_ids["sg_admin"],
+            module.lb_security_groups.security_group_ids["sg_client"]
+          ]
+        }
+      ]
+    }
+    sg_ecs_iris = {
+      name        = "Codedang-SG-Iris"
+      tags_name   = "Codedang-SG-Iris"
+      description = "Allow Message Queue inbound traffic"
+      vpc_id      = aws_vpc.main.id
+      ingress = [
+        {
+          description = "SSH"
+          from_port   = 22
+          to_port     = 22
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        },
+        {
+          description = "Iris"
+          from_port   = var.rabbitmq_port
+          to_port     = var.rabbitmq_port
+          protocol    = "tcp"
+          cidr_blocks = ["0.0.0.0/0"]
+        }
+      ]
+    }
+  }
+}
+
+module "nat_security_groups" {
+  source = "./modules/security_group"
+  #depends_on = [module.app_security_groups, module.ssh_security_groups]
+
+  security_groups = {
+    sg_nat_instance = {
+      name        = "Codedang-SG-NAT-Instance"
+      tags_name   = "Codedang-SG-NAT-Instance"
+      description = "Allow Fluent-bit and Other NAT traffic"
+      vpc_id      = aws_vpc.main.id
+      ingress = [
+        {
+          description = "Allow Bastion for SSH"
+          from_port   = 22
+          to_port     = 22
+          protocol    = "tcp"
+          security_groups = [
+            module.ssh_security_groups.security_group_ids["sg_ssh"]
+          ]
+        },
+        {
+          description = "Allow All Traffics from IRIS"
+          from_port   = 0
+          to_port     = 0
+          protocol    = "-1"
+          security_groups = [
+            module.app_security_groups.security_group_ids["sg_ecs_iris"]
+          ]
+        },
+        {
+          description = "Allow RabbitMQ Connection"
+          from_port   = 5671
+          to_port     = 5671
+          protocol    = "tcp"
+          security_groups = [
+            module.app_security_groups.security_group_ids["sg_ecs_api"]
+          ]
+        },
+        {
+          description = "Allow ECS API for Log Data"
+          from_port   = 443
+          to_port     = 443
+          protocol    = "tcp"
+          security_groups = [
+            module.app_security_groups.security_group_ids["sg_ecs_api"]
+          ]
+        },
+        {
+          description = "Allow ECS API for Log Data"
+          from_port   = 3101
+          to_port     = 3101
+          protocol    = "tcp"
+          security_groups = [
+            module.app_security_groups.security_group_ids["sg_ecs_api"]
+          ]
+        },
+        {
+          description = "Allow ECS API for metric, trace data"
+          from_port   = 4318
+          to_port     = 4318
+          protocol    = "tcp"
+          security_groups = [
+            module.app_security_groups.security_group_ids["sg_ecs_api"]
+          ]
+        },
+      ]
+    }
+  }
+}
+
diff --git a/apps/infra/production/network/variables.tf b/apps/infra/production/network/variables.tf
@@ -5,3 +5,5 @@ variable "private_iris2_subnet_id" { sensitive = true }
 variable "private_client_api1_subnet_id" { sensitive = true }
 variable "private_client_api2_subnet_id" { sensitive = true }
 variable "nat_network_interface_id" { sensitive = true }
+variable "nat_subnet_id" { sensitive = true }
+variable "rabbitmq_port" { sensitive = true }
diff --git a/apps/infra/production/storage/s3_testcase.tf b/apps/infra/production/storage/s3_testcase.tf
@@ -6,12 +6,6 @@ resource "aws_s3_bucket" "testcase" {
   }
 }
 
-data "aws_eip" "nat" {
-  tags = {
-    Name = "Codedang-NAT-Instance"
-  }
-}
-
 data "aws_iam_policy_document" "testcase_permissions" {
   statement {
     actions   = ["s3:ListBucket", "s3:GetObject"]