The security module implements network segmentation for the MEAN stack through three security groups that reference each other as sources. Traffic flows strictly top-to-bottom: the internet reaches the ALB, the ALB reaches Node.js instances, and Node.js instances are the only permitted source for MongoDB connections. No direct path exists from the internet to the application or database tier.

Security Groups

ALB Security Group — <project_name>-alb-sg

The load balancer is the only public-facing resource and accepts HTTP and HTTPS traffic from anywhere.
| Direction | Protocol | Port | Source | Description |
|---|---|---|---|---|
| Inbound | TCP | 80 | 0.0.0.0/0 | HTTP from the internet |
| Inbound | TCP | 443 | 0.0.0.0/0 | HTTPS from the internet |
| Outbound | All | All | 0.0.0.0/0 | Unrestricted egress |

Node Security Group — <project_name>-node-sg

Node.js application instances accept HTTP traffic only from the ALB security group (not from any IP range), and SSH from a single configurable CIDR.
| Direction | Protocol | Port | Source | Description |
|---|---|---|---|---|
| Inbound | TCP | 80 | ALB security group ID | HTTP forwarded from the ALB |
| Inbound | TCP | 22 | var.allowed_ssh_ip | SSH from your specified CIDR |
| Outbound | All | All | 0.0.0.0/0 | Unrestricted egress |

The HTTP inbound rule uses security_groups (a security group reference) rather than cidr_blocks. This means traffic on port 80 is accepted only from resources attached to the ALB security group — direct IP access to port 80 is blocked even if the instance has a public IP.

MongoDB Security Group — <project_name>-mongo-sg

The database tier permits only the MongoDB wire protocol and only from the Node security group. There is no SSH inbound rule — use AWS Systems Manager Session Manager to access the instance (see the iam module).
| Direction | Protocol | Port | Source | Description |
|---|---|---|---|---|
| Inbound | TCP | 27017 | Node security group ID | MongoDB from Node.js tier only |
| Outbound | All | All | 0.0.0.0/0 | Unrestricted egress |

Input Variables

project_name (string, required)
Prefix for all security group name and Name tag values (e.g. terraform-mean produces terraform-mean-alb-sg).

vpc_id (string, required)
The ID of the VPC in which all three security groups are created. Sourced from module.network.vpc_id.

allowed_ssh_ip (string, required)
A CIDR block permitted to reach Node.js instances on port 22 (e.g. 203.0.113.42/32). This value is used in the Node security group's SSH inbound rule.

Outputs

alb_security_group_id (string)
The ID of the ALB security group. Passed to the alb module via alb_security_group_id.

node_security_group_id (string)
The ID of the Node security group. Passed to the node_1 and node_2 EC2 module instances.

mongo_security_group_id (string)
The ID of the MongoDB security group. Passed to the mongodb EC2 module instance.

Module Call

```hcl
module "security" {
  source = "./modules/security"

  project_name   = var.project_name
  vpc_id         = module.network.vpc_id
  allowed_ssh_ip = var.allowed_ssh_ip
}
```

Always set allowed_ssh_ip to your specific public IP with a /32 suffix (e.g. 203.0.113.42/32). Setting it to 0.0.0.0/0 exposes SSH on all Node.js instances to the entire internet and creates a critical security risk.
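One way to make Terraform refuse a wide-open value at plan time rather than relying on the operator to remember the rule. This is an added example, not the module's own variables file (which the page does not show); it assumes the root-module variable is named allowed_ssh_ip as above, and the validation blocks need Terraform 0.13 or later:

```hcl
# Added example, not the module's own variable declaration.
variable "allowed_ssh_ip" {
  type        = string
  description = "Single public IPv4 host, in CIDR form with a /32 suffix, allowed to SSH to Node.js instances"

  # Must parse as an IPv4 CIDR and must be a single host (/32).
  # cidrnetmask() fails on anything that is not a valid IPv4 prefix,
  # so can() turns that failure into false instead of a crash.
  validation {
    condition     = can(cidrnetmask(var.allowed_ssh_ip)) && can(regex("/32$", var.allowed_ssh_ip))
    error_message = "allowed_ssh_ip must be one IPv4 host in CIDR form, e.g. 203.0.113.42/32."
  }

  # Spelled out separately so the plan output names the dangerous value directly.
  validation {
    condition     = var.allowed_ssh_ip != "0.0.0.0/0"
    error_message = "allowed_ssh_ip must not be 0.0.0.0/0: that opens SSH on every Node.js instance to the internet."
  }
}
```

With this in place, `terraform plan -var='allowed_ssh_ip=0.0.0.0/0'` stops with the error message instead of producing a plan, while `203.0.113.42/32` passes both checks. The first validation already rejects any prefix shorter than /32, so the second is redundant by construction; it exists only so the most common mistake gets its own message.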
