tighten security groups and add ipv6

Author: mbund

terraform/auth.tf

@@ -163,16 +163,17 @@ resource "aws_security_group" "auth" {
   vpc_id = aws_vpc.default.id
 
   ingress {
-    from_port = 0
-    to_port   = 0
-    protocol  = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    security_groups = [aws_security_group.traefik.id]
   }
 
   egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
   }
 }

terraform/ctfd.tf

@@ -281,17 +281,17 @@ resource "aws_security_group" "ctfd" {
   vpc_id = aws_vpc.default.id
 
   ingress {
-    from_port = 0
-    to_port   = 0
-    protocol  = "-1"
-    # security_groups = [aws_security_group.traefik.id]
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    security_groups = [aws_security_group.traefik.id]
   }
 
   egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
   }
 }

terraform/networking.tf

@@ -1,7 +1,8 @@
 resource "aws_vpc" "default" {
-  cidr_block           = "10.0.0.0/16"
-  enable_dns_support   = true
-  enable_dns_hostnames = true
+  cidr_block                       = "10.0.0.0/16"
+  assign_generated_ipv6_cidr_block = true
+  enable_dns_support               = true
+  enable_dns_hostnames             = true
 
   tags = {
     Name = local.name
@@ -17,9 +18,10 @@ resource "aws_internet_gateway" "default" {
 }
 
 resource "aws_subnet" "public" {
-  vpc_id                  = aws_vpc.default.id
-  cidr_block              = "10.0.1.0/24"
-  availability_zone       = local.availability_zone
+  vpc_id            = aws_vpc.default.id
+  cidr_block        = "10.0.1.0/24"
+  ipv6_cidr_block   = cidrsubnet(aws_vpc.default.ipv6_cidr_block, 8, 1)
+  availability_zone = local.availability_zone
 
   tags = {
     Name = "${local.name}-public"
@@ -30,13 +32,13 @@ resource "aws_route_table" "public" {
   vpc_id = aws_vpc.default.id
 
   route {
-    ipv6_cidr_block = "::/0"
-    gateway_id      = aws_internet_gateway.default.id
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.default.id
   }
 
   route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.default.id
+    ipv6_cidr_block = "::/0"
+    gateway_id      = aws_internet_gateway.default.id
   }
 
   tags = {
@@ -50,9 +52,10 @@ resource "aws_route_table_association" "public" {
 }
 
 resource "aws_subnet" "private" {
-  vpc_id                  = aws_vpc.default.id
-  cidr_block              = "10.0.0.0/24"
-  availability_zone       = local.availability_zone
+  vpc_id            = aws_vpc.default.id
+  cidr_block        = "10.0.0.0/24"
+  ipv6_cidr_block   = cidrsubnet(aws_vpc.default.ipv6_cidr_block, 8, 0)
+  availability_zone = local.availability_zone
 
   tags = {
     Name = "${local.name}-private"
@@ -73,6 +76,11 @@ resource "aws_route_table" "private" {
     network_interface_id = aws_instance.traefik.primary_network_interface_id
   }
 
+  route {
+    ipv6_cidr_block      = "::/0"
+    network_interface_id = aws_instance.traefik.primary_network_interface_id
+  }
+
   tags = {
     Name = "${local.name}-private"
   }

terraform/traefik.tf

@@ -4,7 +4,7 @@ resource "aws_eip" "traefik" {
   tags = {
     Name = "${local.name}-traefik"
   }
-  depends_on = [ aws_internet_gateway.default ]
+  depends_on = [aws_internet_gateway.default]
 }
 
 resource "aws_instance" "traefik" {
@@ -15,8 +15,9 @@ resource "aws_instance" "traefik" {
   iam_instance_profile        = aws_iam_instance_profile.ecs_instance.name
   vpc_security_group_ids      = [aws_security_group.traefik.id]
   source_dest_check           = false
-  associate_public_ip_address = false
+  associate_public_ip_address = true
   user_data_replace_on_change = true
+  ipv6_addresses              = [cidrhost(aws_subnet.public.ipv6_cidr_block, 4)]
 
   root_block_device {
     volume_type = "gp3"
@@ -35,6 +36,7 @@ resource "aws_instance" "traefik" {
     echo "ECS_CLUSTER=${aws_ecs_cluster.default.name}" > /etc/ecs/ecs.config
 
     echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+    echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
     sysctl -p
 
     cat <<EOF > /etc/systemd/system/nat-setup.service
@@ -142,8 +144,8 @@ resource "aws_ecs_task_definition" "traefik" {
         logDriver = "awslogs"
         options = {
           "awslogs-group"         = aws_cloudwatch_log_group.default.name
-          "awslogs-region"        = local.region,
-          "awslogs-stream-prefix" = "traefik",
+          "awslogs-region"        = local.region
+          "awslogs-stream-prefix" = "traefik"
         }
       }
 
@@ -193,34 +195,27 @@ resource "aws_security_group" "traefik" {
   vpc_id = aws_vpc.default.id
 
   ingress {
-    from_port       = 80
-    to_port         = 80
-    protocol        = "tcp"
-    security_groups = []
-    cidr_blocks     = ["0.0.0.0/0"]
+    from_port        = 80
+    to_port          = 80
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
   }
 
   ingress {
-    from_port       = 443
-    to_port         = 443
-    protocol        = "tcp"
-    security_groups = []
-    cidr_blocks     = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    from_port       = 22
-    to_port         = 22
-    protocol        = "tcp"
-    security_groups = []
-    cidr_blocks     = ["0.0.0.0/0"]
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
   }
 
   egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
   }
 }
 
@@ -324,3 +319,12 @@ resource "aws_route53_record" "wildcard_a" {
   ttl     = 300
   records = [aws_eip.traefik.public_ip]
 }
+
+resource "aws_route53_record" "wildcard_aaaa" {
+  count   = 1
+  zone_id = local.domain_zone_id
+  name    = "*.testing.${local.domain}"
+  type    = "AAAA"
+  ttl     = 300
+  records = [aws_instance.traefik.ipv6_addresses[0]]
+}