我正在使用Terraform设置AWS基础架构。其中一个组件是ElasticBeanstalk应用程序/环境,带有负载均衡器和自动扩展组。我不希望将端点暴露给整个Internet,而只是暴露在有限的IP地址列表中。为此,我使用适当的入站规则创建安全组,并将其分配给负载均衡器。但是在应用脚本之后,负载均衡器有两个安全组 - 一个是我的,另一个是默认的,允许来自任何地方的HTTP流量。 作为临时解决方法,我手动删除默认SG的入站规则。这种方法作为长期解决方案是不可接受的,因为我希望完全自动化基础设施设置(没有任何人工干预)。
这是我的配置:
resource "aws_elastic_beanstalk_environment" "abc_env" {
name = "abc-${var.environment_name}"
application = "${aws_elastic_beanstalk_application.abc-service.name}"
solution_stack_name = "64bit Amazon Linux 2016.09 v2.3.0 running Python 3.4"
cname_prefix = "abc-${var.environment_name}"
tier = "WebServer"
wait_for_ready_timeout = "30m"
setting {
name = "InstanceType"
namespace = "aws:autoscaling:launchconfiguration"
value = "m3.medium"
}
setting {
name = "SecurityGroups"
namespace = "aws:elb:loadbalancer"
value = "${var.limited_http_acccess_id}"
}
setting {
name = "VPCId"
namespace = "aws:ec2:vpc"
value = "${var.vpc_id}"
}
setting {
name = "Subnets"
namespace = "aws:ec2:vpc"
value = "${var.public_net_id}"
}
setting {
name = "AssociatePublicIpAddress"
namespace = "aws:ec2:vpc"
value = "true"
}
setting {
name = "ELBSubnets"
namespace = "aws:ec2:vpc"
value = "${var.public_net_id}"
}
setting {
name = "ELBScheme"
namespace = "aws:ec2:vpc"
value = "external"
}
setting {
name = "MinSize"
namespace = "aws:autoscaling:asg"
value = "2"
}
setting {
name = "MaxSize"
namespace = "aws:autoscaling:asg"
value = "4"
}
setting {
name = "Availability Zones"
namespace = "aws:autoscaling:asg"
value = "Any 2"
}
setting {
name = "CrossZone"
namespace = "aws:elb:loadbalancer"
value = "true"
}
setting {
name = "Unit"
namespace = "aws:autoscaling:trigger"
value = "Percent"
}
setting {
name = "MeasureName"
namespace = "aws:autoscaling:trigger"
value = "CPUUtilization"
}
setting {
name = "LowerThreshold"
namespace = "aws:autoscaling:trigger"
value = "20"
}
setting {
name = "UpperThreshold"
namespace = "aws:autoscaling:trigger"
value = "80"
}
setting {
name = "Period"
namespace = "aws:autoscaling:trigger"
value = "5"
}
setting {
name = "UpperBreachScaleIncrement"
namespace = "aws:autoscaling:trigger"
value = "1"
}
setting {
name = "LowerBreachScaleIncrement"
namespace = "aws:autoscaling:trigger"
value = "-1"
}
setting {
name = "Notification Endpoint"
namespace = "aws:elasticbeanstalk:sns:topics"
value = "${var.notification_email}"
}
tags = "${merge(var.default_tags, map("Name", "abc environment"))}"
}
所以问题是:如果不与AWS进行手动交互(仅使用Terraform脚本),如何限制对负载均衡器的访问?
[UPDATE] 这是我的网络配置
resource "aws_vpc" "main_vpc" {
cidr_block = "${var.vpc_cidr_block}"
enable_dns_hostnames = true
}
resource "aws_subnet" "public_network" {
vpc_id = "${aws_vpc.main_vpc.id}"
cidr_block = "${var.public_network_cidr_block}"
}
resource "aws_internet_gateway" "gateway" {
vpc_id = "${aws_vpc.main_vpc.id}"
}
resource "aws_route_table" "public" {
vpc_id = "${aws_vpc.main_vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.gateway.id}"
}
}
resource "aws_route_table_association" "public" {
route_table_id = "${aws_route_table.public.id}"
subnet_id = "${aws_subnet.public_network.id}"
}
resource "aws_security_group" "limited_http_acccess" {
name = "limited_http_acccess"
description = "This security group allows to access resources within VPC from specified IP addresses"
vpc_id = "${aws_vpc.main_vpc.id}"
ingress {
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["${split(",", var.allowed_cidr_list)}"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
答案 0 :(得分:2)
根据AWS docs,需要将ManagedSecurityGroup添加到ElasticBeansstalk配置中,以防止使用默认安全组。
因此,在我的aws_elastic_beanstalk_environment中添加以下行修复了问题
setting {
name = "ManagedSecurityGroup"
namespace = "aws:elb:loadbalancer"
value = "${var.limited_http_acccess_id}"
}