0
votes

I have created a simple Terraform recipe to set up an AWS Lightsail instance and install Open Distro for Elasticsearch on it.

Everything ran smoothly for some days, and I could access and play with the Kibana instance on port 5601. But after some days it was not accessible, and I discovered that I need to set up a firewall rule to let traffic reach port 5601.

I would like to set it up in the Terraform recipe, as I've done for GCP with:

resource "google_compute_firewall" "kibana" {
  name    = "kibana-${random_id.instance_id.hex}"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["5601"]
  }

  source_ranges = ["0.0.0.0/0"]

}

But I haven't found a clear way to do it. Is aws_security_group what I need, or is there no way to set it up from Terraform?

Thank you!

3
No resource in Terraform currently supports this. There is a PR open for this: github.com/terraform-providers/terraform-provider-aws/issues/… and WC to SO! – error404

3 Answers

0
votes

Yikes. Don't expose 5601 to the world via Lightsail. I would at least set up a reverse proxy to use SSL, but you are better off configuring Xpack for Kibana.

0
votes

So far, the latest terraform-provider-aws, 2.50.0, does not support creating a firewall rule for a Lightsail instance.

But we can cheat by using local-exec with the built-in AWS CLI command put-instance-public-ports. It will run after the instance is provisioned, on the machine that runs Terraform:

resource "aws_lightsail_instance" "worker" {
  ...
  name              = "worker-${count.index+1}"
  availability_zone = "ap-southeast-1a"
  blueprint_id      = "ubuntu_18_04"
  bundle_id         = "nano_2_0"
  ...
  provisioner "local-exec" {
    command = "aws lightsail put-instance-public-ports --instance-name=worker-${count.index+1} --port-infos fromPort=22,toPort=22,protocol=tcp fromPort=5601,toPort=5601,protocol=tcp"
  }
}
0
votes
resource "aws_lightsail_instance_public_ports" "test" {
  instance_name = aws_lightsail_instance.test.name

  port_info {
    protocol  = "tcp"
    from_port = 80
    to_port   = 80
  }
}

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lightsail_instance_public_ports

Added in AWS provider 3.34.0 (March 26, 2021) https://github.com/hashicorp/terraform-provider-aws/blob/v3.34.0/CHANGELOG.md
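
An added example, not taken from any of the answers above: the `aws_lightsail_instance_public_ports` resource from the last answer, applied to the Kibana port from the question, with the source range limited through the resource's `cidrs` argument instead of being open to every address. The resource names, the `admin_cidrs` variable and the instance name are assumptions made for this example; the zone, blueprint and bundle values are the ones used earlier on this page.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.34.0" # first release with aws_lightsail_instance_public_ports
    }
  }
}

# Assumed variable: the source ranges allowed to reach SSH and Kibana.
variable "admin_cidrs" {
  description = "CIDR blocks allowed to reach ports 22 and 5601"
  type        = list(string)

  validation {
    # Reject an empty list and the open-to-the-world range at plan time.
    condition     = length(var.admin_cidrs) > 0 && !contains(var.admin_cidrs, "0.0.0.0/0")
    error_message = "Set admin_cidrs to specific source ranges, not 0.0.0.0/0."
  }
}

resource "aws_lightsail_instance" "kibana" {
  name              = "kibana" # constructed name for this example
  availability_zone = "ap-southeast-1a"
  blueprint_id      = "ubuntu_18_04"
  bundle_id         = "nano_2_0"
}

# The underlying PutInstancePublicPorts call closes every port that is not
# listed, so SSH has to be declared here alongside Kibana.
resource "aws_lightsail_instance_public_ports" "kibana" {
  instance_name = aws_lightsail_instance.kibana.name

  port_info {
    protocol  = "tcp"
    from_port = 22
    to_port   = 22
    cidrs     = var.admin_cidrs
  }

  port_info {
    protocol  = "tcp"
    from_port = 5601
    to_port   = 5601
    cidrs     = var.admin_cidrs
  }
}
```

After `terraform apply`, `aws lightsail get-instance-port-states --instance-name kibana` shows the ports and source ranges actually in effect.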