From 4ebce2e0878b22aae388309082870a955e2b4b86 Mon Sep 17 00:00:00 2001
From: Bradley Lunsford
Date: Mon, 2 Sep 2024 23:18:25 -0700
Subject: [PATCH 1/5] incomplete, need to find fetch-ssm-from-other-account example
---
 terraform-unity/ecs.tf | 51 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/terraform-unity/ecs.tf b/terraform-unity/ecs.tf
index 9386695..5c9bdae 100644
--- a/terraform-unity/ecs.tf
+++ b/terraform-unity/ecs.tf
@@ -150,3 +150,54 @@ resource "aws_ecs_service" "httpd_service" {
 aws_ssm_parameter.managementproxy_config
 ]
 }
+
+# Find the MC's ALB's security group (created before unity-proxy)
+data "aws_security_group" "mc_alb_sg" {
+ tags = {
+ Venue = var.venue
+ ServiceArea = "cs"
+ Component = "Unity Management Console"
+ Name = "Unity Management Console Load Balancer SG"
+ Project = var.project
+ CreatedBy = "cs"
+ Env = var.venue
+ Stack = "Unity Management Console"
+ }
+}
+
+data "aws_ssm_parameter" "shared_services_account_id" {
+ name = "/unity/shared-services/aws/account"
+}
+
+data "aws_ssm_parameter" "shared_services_public_subnet1_id" {
+ name = ":parameter/unity/account/network/publicsubnet1"
+}
+
+data "aws_ssm_parameter" "shared_services_public_subnet2_id" {
+ name = ":parameter/unity/account/network/publicsubnet2"
+}
+
+data "aws_subnet" "shared_services_public_subnet1" {
+ id = data.aws_ssm_parameter.shared_services_public_subnet1_id
+}
+
+data "aws_subnet" "shared_services_public_subnet2" {
+ id = data.aws_ssm_parameter.shared_services_public_subnet2_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ecs_sg_ingress_rule" {
+ security_group_id = aws_security_group.ecs_sg.id
+ from_port = 8080
+ to_port = 8080
+ ip_protocol = "tcp"
+ cidr_ipv4 = data.aws_subnet.shared_services_public_subnet1.cidr_block
+}
+
+resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
+ security_group_id = aws_security_group.ecs_sg.id
+ from_port = 0
+ to_port = 0
+ ip_protocol = -1
+ referenced_security_group_id = data.aws_security_group.mc_alb_sg.id
+ #cidr_ipv4 = "0.0.0.0/0"
+}
\ No newline at end of file
From 5d3d989843caa4424a2f990a619a887f99765cdc Mon Sep 17 00:00:00 2001
From: Bradley Lunsford
Date: Mon, 2 Sep 2024 23:36:15 -0700
Subject: [PATCH 2/5] adding proper syntax for cross-account reference
---
 terraform-unity/ecs.tf | 51 ----------------------------------
 terraform-unity/networking.tf | 46 +++++++++++++++++++++++--------
 2 files changed, 35 insertions(+), 62 deletions(-)
diff --git a/terraform-unity/ecs.tf b/terraform-unity/ecs.tf
index 5c9bdae..9386695 100644
--- a/terraform-unity/ecs.tf
+++ b/terraform-unity/ecs.tf
@@ -150,54 +150,3 @@ resource "aws_ecs_service" "httpd_service" {
 aws_ssm_parameter.managementproxy_config
 ]
 }
-
-# Find the MC's ALB's security group (created before unity-proxy)
-data "aws_security_group" "mc_alb_sg" {
- tags = {
- Venue = var.venue
- ServiceArea = "cs"
- Component = "Unity Management Console"
- Name = "Unity Management Console Load Balancer SG"
- Project = var.project
- CreatedBy = "cs"
- Env = var.venue
- Stack = "Unity Management Console"
- }
-}
-
-data "aws_ssm_parameter" "shared_services_account_id" {
- name = "/unity/shared-services/aws/account"
-}
-
-data "aws_ssm_parameter" "shared_services_public_subnet1_id" {
- name = ":parameter/unity/account/network/publicsubnet1"
-}
-
-data "aws_ssm_parameter" "shared_services_public_subnet2_id" {
- name = ":parameter/unity/account/network/publicsubnet2"
-}
-
-data "aws_subnet" "shared_services_public_subnet1" {
- id = data.aws_ssm_parameter.shared_services_public_subnet1_id
-}
-
-data "aws_subnet" "shared_services_public_subnet2" {
- id = data.aws_ssm_parameter.shared_services_public_subnet2_id
-}
-
-resource "aws_vpc_security_group_ingress_rule" "ecs_sg_ingress_rule" {
- security_group_id = aws_security_group.ecs_sg.id
- from_port = 8080
- to_port = 8080
- ip_protocol = "tcp"
- cidr_ipv4 = data.aws_subnet.shared_services_public_subnet1.cidr_block
-}
-
-resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
- security_group_id = aws_security_group.ecs_sg.id
- from_port = 0
- to_port = 0
- ip_protocol = -1
- referenced_security_group_id = data.aws_security_group.mc_alb_sg.id
- #cidr_ipv4 = "0.0.0.0/0"
-}
\ No newline at end of file
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
index 86743c4..2b34a4c 100644
--- a/terraform-unity/networking.tf
+++ b/terraform-unity/networking.tf
@@ -1,10 +1,10 @@
 # Create an Application Load Balancer (ALB)
 resource "aws_lb" "httpd_alb" {
 name = "${var.project}-${var.venue}-httpd-alb"
- internal = false
+ internal = true
 load_balancer_type = "application"
 security_groups = [aws_security_group.ecs_alb_sg.id]
- subnets = local.public_subnet_ids
+ subnets = local.subnet_ids
 enable_deletion_protection = false
 preserve_host_header = true
 tags = {
@@ -110,15 +110,15 @@ resource "aws_vpc_security_group_ingress_rule" "ecs_alb_ingress_sg_rule" {
 referenced_security_group_id = aws_security_group.ecs_alb_sg.id
 }
 
-# Add a new ingress rule to the ECS ALB's security group, opening it up to other connections
-#tfsec:ignore:AVD-AWS-0107
-resource "aws_vpc_security_group_ingress_rule" "alb_all_ingress_sg_rule" {
- security_group_id = aws_security_group.ecs_alb_sg.id
- to_port = 8080
- from_port = 8080
- ip_protocol = "tcp"
- cidr_ipv4 = "0.0.0.0/0"
-}
+# # Add a new ingress rule to the ECS ALB's security group, opening it up to other connections
+# #tfsec:ignore:AVD-AWS-0107
+# resource "aws_vpc_security_group_ingress_rule" "alb_all_ingress_sg_rule" {
+# security_group_id = aws_security_group.ecs_alb_sg.id
+# to_port = 8080
+# from_port = 8080
+# ip_protocol = "tcp"
+# cidr_ipv4 = "0.0.0.0/0"
+# }
 
 # Add a new egress rule to the ECS's security group, allowing ECS to fetch the container images/proxy
 resource "aws_vpc_security_group_egress_rule" "ecs_egress_sg_rule" {
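Review bot: The ALB comment still says only `# Create an Application Load Balancer (ALB)` while this hunk turns it into an internal one on `local.subnet_ids`, so the file never states why it stopped being internet-facing or who is now expected to reach it. I would change that line to `# Internal ALB (private addresses only): reached from the shared-services side via ecs_alb_sg_ingress_rule, never directly from the internet` — that wording assumes `local.subnet_ids` is the private subnet set, which is declared outside this diff and worth confirming. The `aws_lb` body continues past the hunk (`tags = {` is still open at its last line). The second hunk in this file comments out `alb_all_ingress_sg_rule` together with its `tfsec:ignore:AVD-AWS-0107` suppression instead of deleting it; PATCH 3/5 removes the dead block, so I am not raising it again here.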
@@ -137,3 +137,27 @@ resource "aws_vpc_security_group_egress_rule" "ecs_alb_egress_sg_rule" {
 ip_protocol = "tcp"
 cidr_ipv4 = "0.0.0.0/0"
 }
+
+# not great but we're just gonna grab all of the subnets on the other side and allow them
+data "aws_vpc_peering_connection" "pc" {
+ peer_owner_id = data.aws_ssm_parameter.shared_service_account_id.value
+ peer_region = data.aws_ssm_parameter.shared_service_region.value
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule" {
+ for_each = toset([for c in data.aws_vpc_peering_connection.pc.peer_cidr_block_set : c.cidr_block])
+ security_group_id = aws_security_group.ecs_alb_sg.id
+ from_port = 8080
+ to_port = 8080
+ ip_protocol = "tcp"
+ cidr_ipv4 = each.key
+}
+
+resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
+ security_group_id = aws_security_group.ecs_sg.id
+ from_port = 0
+ to_port = 65535
+ ip_protocol = "tcp"
+ referenced_security_group_id = data.aws_security_group.mc_alb_sg.id
+ #cidr_ipv4 = "0.0.0.0/0"
+}
From 9a935b64ff78285e74846688fa8a69f8a52d40f0 Mon Sep 17 00:00:00 2001
From: Bradley Lunsford
Date: Sat, 18 Jan 2025 23:40:36 -0800
Subject: [PATCH 3/5] removing commented unused code
---
 terraform-unity/networking.tf | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
index 2b34a4c..d9ea5dd 100644
--- a/terraform-unity/networking.tf
+++ b/terraform-unity/networking.tf
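Review bot: `ecs_sg_egress_rule` lets the ECS tasks reach `mc_alb_sg` on every TCP port (`from_port = 0`, `to_port = 65535`), far more than the load balancer behind it can accept; pin it to the MC ALB's listener port instead, `from_port = <MC_ALB_LISTENER_PORT>` and `to_port = <MC_ALB_LISTENER_PORT>` (placeholder — take the port from the Management Console stack, it is not visible here). The name `ecs_sg_egress_rule` differs from the pre-existing `ecs_egress_sg_rule` on the same security group only by word order; something like `ecs_to_mc_alb_egress_sg_rule` would keep the two apart in plan output. This hunk also reads `data.aws_ssm_parameter.shared_service_account_id`, `data.aws_ssm_parameter.shared_service_region` and `data.aws_security_group.mc_alb_sg`, none of which is declared in this diff (the ecs.tf declarations from PATCH 1/5 are deleted by this same commit and used the plural `shared_services_` spelling), so presumably they live in another file of the module — otherwise `terraform validate` fails. The peering-CIDR lookup and the `for_each` ingress block are replaced by a security-group reference in PATCH 4/5, so I have not reviewed them further.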
@@ -110,16 +110,6 @@ resource "aws_vpc_security_group_ingress_rule" "ecs_alb_ingress_sg_rule" {
 referenced_security_group_id = aws_security_group.ecs_alb_sg.id
 }
 
-# # Add a new ingress rule to the ECS ALB's security group, opening it up to other connections
-# #tfsec:ignore:AVD-AWS-0107
-# resource "aws_vpc_security_group_ingress_rule" "alb_all_ingress_sg_rule" {
-# security_group_id = aws_security_group.ecs_alb_sg.id
-# to_port = 8080
-# from_port = 8080
-# ip_protocol = "tcp"
-# cidr_ipv4 = "0.0.0.0/0"
-# }
-
 # Add a new egress rule to the ECS's security group, allowing ECS to fetch the container images/proxy
 resource "aws_vpc_security_group_egress_rule" "ecs_egress_sg_rule" {
 security_group_id = aws_security_group.ecs_sg.id
@@ -159,5 +149,4 @@ resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
 to_port = 65535
 ip_protocol = "tcp"
 referenced_security_group_id = data.aws_security_group.mc_alb_sg.id
- #cidr_ipv4 = "0.0.0.0/0"
 }
From bcf04ac0e9dc455c2ec683e50d046773dac1b7f6 Mon Sep 17 00:00:00 2001
From: Bradley Lunsford
Date: Tue, 21 Jan 2025 17:46:19 -0800
Subject: [PATCH 4/5] changing to security-group-based allow rules
---
 terraform-unity/networking.tf | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
index d9ea5dd..5d495f5 100644
--- a/terraform-unity/networking.tf
+++ b/terraform-unity/networking.tf
@@ -128,19 +128,16 @@ resource "aws_vpc_security_group_egress_rule" "ecs_alb_egress_sg_rule" {
 cidr_ipv4 = "0.0.0.0/0"
 }
 
-# not great but we're just gonna grab all of the subnets on the other side and allow them
-data "aws_vpc_peering_connection" "pc" {
- peer_owner_id = data.aws_ssm_parameter.shared_service_account_id.value
- peer_region = data.aws_ssm_parameter.shared_service_region.value
+data "aws_ssm_parameter" "shared-services_security_group" {
+ name = "arn:aws:ssm:${data.aws_ssm_parameter.shared_service_region.value}:${data.aws_ssm_parameter.shared_service_account_id.value}:parameter/unity/shared-services/network/httpd_security_group"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule" {
- for_each = toset([for c in data.aws_vpc_peering_connection.pc.peer_cidr_block_set : c.cidr_block])
 security_group_id = aws_security_group.ecs_alb_sg.id
 from_port = 8080
 to_port = 8080
 ip_protocol = "tcp"
- cidr_ipv4 = each.key
+ referenced_security_group_id = data.aws_ssm_parameter.shared-services_security_group.id
 }
 
 resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
From d0043c4823b96e651cc054fab090de2c50c950cd Mon Sep 17 00:00:00 2001
From: Bradley Lunsford
Date: Tue, 21 Jan 2025 18:27:42 -0800
Subject: [PATCH 5/5] need to specify value not id
---
 terraform-unity/networking.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
index 5d495f5..4727779 100644
--- a/terraform-unity/networking.tf
+++ b/terraform-unity/networking.tf
@@ -137,7 +137,7 @@ resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule" {
 from_port = 8080
 to_port = 8080
 ip_protocol = "tcp"
- referenced_security_group_id = data.aws_ssm_parameter.shared-services_security_group.id
+ referenced_security_group_id = data.aws_ssm_parameter.shared-services_security_group.value
 }
 
 resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
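Review bot: `referenced_security_group_id` will carry whatever the shared-services SSM parameter holds, and if that security group is owned by the shared-services account a bare `sg-…` id is not enough for a peer-VPC reference — as far as I recall the provider accepts an `ACCOUNT_ID/sg-…` form on this argument for that case, so the line would become `referenced_security_group_id = "${data.aws_ssm_parameter.shared_service_account_id.value}/${data.aws_ssm_parameter.shared-services_security_group.value}"` unless the published parameter already includes the prefix; confirm against the shared-services stack before merging. The same applies to the `.value` line in PATCH 5/5 below, which only corrects the attribute. The data source name `shared-services_security_group` mixes a hyphen into a file that otherwise uses underscores (`shared_service_account_id`, `shared_service_region`); `shared_services_security_group` would fit. A short comment above the data source, such as `# Parameter is owned by the shared-services account and addressed by full ARN; it must be shared with this account for the lookup to work`, would explain the interpolated ARN to the next reader. The hunk ends on the opening line of `ecs_sg_egress_rule`, whose body is outside it.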