Initial Review (Naren)

[sekarnaren]

IGW is meant for ingress and not egress. you have to use NAT GW for egress.

 # Grant the VPC internet access on its main route table
resource "aws_route" "internet_access" {
  route_table_id         = "${aws_vpc.lijoDemoVPC.main_route_table_id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.default.id}"
}

Its a good practice (infact secure practice) to allow ELB security group access to you web and flask app instead of VPC CIDR.

  # HTTP access from the VPC
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }

Better and secure to specific on the DB port (3306) for mysql RDS rather than a range 0 to 65535

# DB resources
resource "aws_security_group" "default" {
  name        = "main_rds_sg"
  description = "Allow all inbound traffic"
  vpc_id      = "${aws_vpc.lijoDemoVPC.id}"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "TCP"
    cidr_blocks = ["${var.cidr_blocks}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.sg_name}"
  }
}

[lijoyoung]

All agreed. As you can clearly see, I couldn't get to tighten security coz of lack of time. A good example is the DB port (3306) for sure :)

[lijoyoung]

A few more security flaws when I reviewed:

• the flask_sg (line 94) Should only have had ssh and port 5000 access from within VPC, not 0.0.0.0/0

• same with db-security group (line 209)

• the db-password is hard-coded in variable.tf file. (There must be some vault kind of feature in Terraform, but I need to figure that out) Or perhaps pick the password from host environment_variables

• the db is not encyrpted. (line 253)

• skip_final_snapshot = "true" so that its easy on demo and we can do 'terraform destroy' easily.