diff --git a/services/terraform/self-host/aws-deploy.sh b/services/terraform/self-host/aws-deploy.sh
--- a/services/terraform/self-host/aws-deploy.sh
+++ b/services/terraform/self-host/aws-deploy.sh
@@ -34,6 +34,16 @@
 exit 1
 fi
+# Get the current public IP address
+ip_address="$(curl -s ipv4.wtfismyip.com/text)"
+if [[ -z "$ip_address" ]]; then
+ echo "Failed to retrieve IP address. Exiting."
+ exit 1
+fi
+
+# Grab resource info from AWS
+keyserver_lb_sg_group_id="$(aws ec2 describe-security-groups --filters "Name=group-name,Values=lb-sg" --query "SecurityGroups[0].GroupId" --output text)"
+
 convert_seconds() {
 total_seconds="$1"
 minutes="$((total_seconds / 60))"
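Review bot: The value that later becomes a security-group CIDR is fetched over plain HTTP from a third-party endpoint (`curl -s ipv4.wtfismyip.com/text`) and only tested for emptiness, so an HTTP error body, an HTML page or a tampered response passes the `-z` check and is handed to `authorize-security-group-ingress` as `${ip_address}/32`. Use `ip_address="$(curl -fsS https://ipv4.wtfismyip.com/text)"` so transport and HTTP errors fail the command, and validate the shape before use: `[[ "$ip_address" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "Unexpected IP address value" >&2; exit 1; }`. The `keyserver_lb_sg_group_id` lookup has the same gap: with `--output text` a missing `lb-sg` group prints `None` rather than an empty string, and a failed `aws` call yields an empty id, so add `[[ -n "$keyserver_lb_sg_group_id" && "$keyserver_lb_sg_group_id" != "None" ]] || { echo "Security group lb-sg not found" >&2; exit 1; }` before the id is used by the functions below. Both assignments are top-level statements; `convert_seconds` continues past the end of the hunk.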
@@ -64,30 +74,44 @@
 done
 }
-disable_lb_traffic() {
+disable_general_lb_traffic() {
+ # disables general ip access
 aws ec2 revoke-security-group-ingress \
- --group-id "$(aws ec2 describe-security-groups --filters "Name=group-name,Values=lb-sg" --query "SecurityGroups[0].GroupId" --output text)" \
+ --group-id "$keyserver_lb_sg_group_id" \
 --protocol tcp \
 --port 443 \
 --cidr 0.0.0.0/0 > /dev/null
+
+ # enables traffic only for ip calling aws deploy script
+ aws ec2 authorize-security-group-ingress \
+ --group-id "$keyserver_lb_sg_group_id" \
+ --protocol tcp \
+ --port 443 \
+ --cidr "${ip_address}/32" > /dev/null
 }
 enable_lb_traffic() {
 aws ec2 authorize-security-group-ingress \
- --group-id "$(aws ec2 describe-security-groups --filters "Name=group-name,Values=lb-sg" --query "SecurityGroups[0].GroupId" --output text)" \
+ --group-id "$keyserver_lb_sg_group_id" \
 --protocol tcp \
 --port 443 \
 --cidr 0.0.0.0/0 > /dev/null
+
+ # disables personal ip address ingress rule as no longer necessary
+ aws ec2 revoke-security-group-ingress \
+ --group-id "$keyserver_lb_sg_group_id" \
+ --protocol tcp \
+ --port 443 \
+ --cidr "${ip_address}/32" > /dev/null
 }
 # Stop all primary and secondary tasks and disable traffic to load balancer
 echo "Disabling traffic to load balancer"
-disable_lb_traffic
+disable_general_lb_traffic
 http_code=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$health_check_url")
 if [[ "$http_code" -eq 000 ]]; then
 echo "Error: Health check timed out trying to access keyserver domain at ${health_check_url}."
- echo "Ensure terraform variable allowed_ip is properly configured and run terraform apply"
 echo "Re-enabling traffic to load balancer until domain is accessible and migration script is rerun"
 enable_lb_traffic
diff --git a/services/terraform/self-host/aws_lb.tf b/services/terraform/self-host/aws_lb.tf
--- a/services/terraform/self-host/aws_lb.tf
+++ b/services/terraform/self-host/aws_lb.tf
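Review bot: In `disable_general_lb_traffic` the `authorize-security-group-ingress` call for `${ip_address}/32` is unchecked (only stdout is silenced), so if it fails after the `0.0.0.0/0` rule has already been revoked — for example because `ip_address` did not hold a valid address — the load balancer is left closed to everyone and the script either carries on as if access had been granted or, under `set -e`, aborts without restoring the public rule. Guard the second call by changing its last line to `--cidr "${ip_address}/32" > /dev/null || { echo "Failed to allow ${ip_address}/32" >&2; enable_lb_traffic; exit 1; }`. The same gap exists for any abort between `disable_general_lb_traffic` and `enable_lb_traffic` later in the script: nothing in the hunk restores the public rule or removes the per-IP rule on exit, so unless a trap exists outside the hunk, consider `trap enable_lb_traffic EXIT` right after the disable call, with a flag so it is skipped once traffic has been restored normally (a second `authorize` of `0.0.0.0/0` would fail as a duplicate). The health-check `if` block continues past the end of the hunk.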
@@ -10,13 +10,6 @@
 cidr_blocks = ["0.0.0.0/0"]
 }
- ingress {
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = [for ip in var.allowed_ips : "${ip}/32"]
- }
-
 egress {
 from_port = 0
 to_port = 0