Merge branch 'feature/aws-terraform-security' into 'main'

feat: add bind_host options and conditional Grafana access

See merge request postgres-ai/postgres_ai!60

Author: bogdan-ts

docker-compose.yml

@@ -35,7 +35,7 @@ services:
         "pg_stat_statements.track=all",
       ]
     ports:
-      - "55432:5432"
+      - "${BIND_HOST:-}55432:5432"
     volumes:
       - target_db_data:/var/lib/postgresql/data
       - ./config/target-db/init.sql:/docker-entrypoint-initdb.d/init.sql
@@ -49,7 +49,7 @@ services:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
     ports:
-      - "55433:5432"
+      - "${BIND_HOST:-}55433:5432"
     volumes:
       - sink_postgres_data:/var/lib/postgresql/data
       - ./config/sink-postgres/init.sql:/docker-entrypoint-initdb.d/init.sql
@@ -59,7 +59,7 @@ services:
     image: prom/prometheus:v3.4.2
     container_name: sink-prometheus
     ports:
-      - "59090:9090"
+      - "${BIND_HOST:-}59090:9090"
     volumes:
       - ./config/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
       - prometheus_data:/prometheus
@@ -83,7 +83,7 @@ services:
         "--web-addr=:8080",
       ]
     ports:
-      - "58080:8080"
+      - "${BIND_HOST:-}58080:8080"
     depends_on:
       - sources-generator
       - sink-postgres
@@ -104,8 +104,8 @@ services:
         "--web-addr=:8089",
       ]
     ports:
-      - "58089:8089"
-      - "59091:9091"
+      - "${BIND_HOST:-}58089:8089"
+      - "${BIND_HOST:-}59091:9091"
     depends_on:
       - sources-generator
       - sink-prometheus
@@ -123,7 +123,7 @@ services:
       GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD:-demo}
       GF_INSTALL_PLUGINS: yesoreyeram-infinity-datasource
     ports:
-      - "3000:3000"
+      - "${GRAFANA_BIND_HOST:-}3000:3000"
     volumes:
       - grafana_data:/var/lib/grafana
       - ./config/grafana/provisioning:/etc/grafana/provisioning
@@ -144,7 +144,7 @@ services:
     depends_on:
       - sink-prometheus
     ports:
-      - "55000:5000"
+      - "${BIND_HOST:-}55000:5000"
     restart: unless-stopped
   # PostgreSQL Reports Generator - Runs reports after 1 hour
   postgres-reports:

terraform/aws/QUICKSTART.md

@@ -29,10 +29,15 @@ Uncomment and set all required parameters:
 - `instance_type` - EC2 instance type (e.g., t3.medium)
 - `data_volume_size` - data disk size in GiB
 - `data_volume_type` / `root_volume_type` - volume types (gp3, st1, sc1)
-- `allowed_ssh_cidr` / `allowed_cidr_blocks` - CIDR blocks for access
+- `allowed_ssh_cidr` - CIDR blocks for SSH access (use `["YOUR_IP/32"]`, get IP: `curl ifconfig.me`)
+- `allowed_cidr_blocks` - CIDR blocks for Grafana (use `[]` to disable direct access = SSH tunnel only, most secure)
 - `use_elastic_ip` - allocate Elastic IP (true/false)
 - `grafana_password` - Grafana admin password
-- `postgres_ai_version` - git branch/tag (optional, defaults to "main")
+- `bind_host` - port binding for internal services (optional, defaults to `"127.0.0.1:"`)
+
+Optional parameters:
+- `grafana_bind_host` - Grafana port binding (defaults to `"127.0.0.1:"` for SSH tunnel)
+- `postgres_ai_version` - git branch/tag (defaults to "0.10")
 
 ## Add monitoring instances
 
@@ -70,13 +75,38 @@ terraform output ssh_command
 
 ## Access
 
+### Grafana
+
+Terraform will show the correct access method after deployment:
+
+```bash
+# See access instructions for your configuration
+terraform output grafana_access_hint
+```
+
+**SSH tunnel access (default):**
+
+```bash
+# Create SSH tunnel
+ssh -i ~/.ssh/postgres-ai-key.pem -NL 3000:localhost:3000 ubuntu@$(terraform output -raw public_ip)
+
+# Open browser
+open http://localhost:3000
+# Login: monitor / <password from terraform.tfvars>
+```
+
+**Direct access (if configured):**
+
 ```bash
 # Grafana dashboard
 open $(terraform output -raw grafana_url)
 # Login: monitor / <password from terraform.tfvars>
+```
 
-# SSH
-ssh -i ~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw external_ip)
+### SSH
+
+```bash
+ssh -i ~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw public_ip)
 ```
 
 ## Operations

terraform/aws/README.md

@@ -49,8 +49,8 @@ instance_type        = "t3.medium"
 data_volume_size     = 50
 data_volume_type     = "gp3"  # gp3 (SSD), st1 (HDD), sc1 (HDD)
 root_volume_type     = "gp3"
-allowed_ssh_cidr     = ["203.0.113.0/24"]
-allowed_cidr_blocks  = ["203.0.113.0/24"]
+allowed_ssh_cidr     = ["YOUR_IP/32"]  # Replace with your actual IP address
+allowed_cidr_blocks  = []              # Empty list = no direct access, SSH tunnel required (most secure)
 use_elastic_ip       = true
 grafana_password     = "YourSecurePassword123!"
 ```
@@ -59,9 +59,13 @@ grafana_password     = "YourSecurePassword123!"
 
 ```hcl
 # OPTIONAL (have defaults)
-postgres_ai_api_key = "your-api-key"  # For uploading reports
-enable_demo_db      = false           # Demo database (default: true)
-postgres_ai_version = "main"          # Git branch/tag (default: "main")
+postgres_ai_api_key   = "your-api-key"    # For uploading reports
+enable_demo_db        = false             # Demo database (default: false)
+postgres_ai_version   = "0.10"            # Git branch/tag (default: "0.10")
+bind_host             = "127.0.0.1:"      # Internal services on localhost (default, most secure)
+# bind_host           = ""                # OR: Bind to all interfaces
+grafana_bind_host     = "127.0.0.1:"      # Grafana on localhost only (default, use SSH tunnel)
+# grafana_bind_host   = ""                # OR: Grafana accessible from outside
 
 monitoring_instances = [
   {
@@ -85,15 +89,17 @@ instance_type        = "t3.medium"
 data_volume_size     = 100
 data_volume_type     = "gp3"
 root_volume_type     = "gp3"
-allowed_ssh_cidr     = ["203.0.113.0/24"]
-allowed_cidr_blocks  = ["203.0.113.0/24"]
+allowed_ssh_cidr     = ["YOUR_IP/32"]  # Replace with your actual IP
+allowed_cidr_blocks  = []              # Empty list = no direct access (most secure)
 use_elastic_ip       = true
 grafana_password     = "SecurePassword123!"
 
 # OPTIONAL
 postgres_ai_api_key  = "your-api-key"
 enable_demo_db       = false
-postgres_ai_version  = "v0.9"
+postgres_ai_version  = "0.10"
+bind_host            = "127.0.0.1:"      # Default
+grafana_bind_host    = "127.0.0.1:"      # Default
 
 monitoring_instances = [
   {
@@ -113,7 +119,34 @@ monitoring_instances = [
 ```bash
 terraform output ssh_command
 # Or directly:
-ssh -i ~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw external_ip)
+ssh -i ~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw public_ip)
+```
+
+### Grafana access
+
+Terraform automatically detects the correct access method based on your configuration:
+
+```bash
+# Get access instructions for your setup
+terraform output grafana_access_hint
+```
+
+**Option 1: SSH tunnel (when `allowed_cidr_blocks = []` or `grafana_bind_host = "127.0.0.1:"`)**
+
+```bash
+# Create SSH tunnel
+ssh -i ~/.ssh/postgres-ai-key.pem -NL 3000:localhost:3000 ubuntu@$(terraform output -raw public_ip)
+
+# Open browser
+open http://localhost:3000
+# Login: monitor / <your grafana_password>
+```
+
+**Option 2: Direct access (when `allowed_cidr_blocks = ["YOUR_IP/32"]` and `grafana_bind_host = ""`)**
+
+```bash
+# Open browser
+open $(terraform output -raw grafana_url)
 ```
 
 ### Service management
@@ -176,14 +209,25 @@ sudo docker-compose up -d
 
 ### Recommendations
 
-1. Restrict SSH access:
+1. **Most secure setup (SSH tunnel only)**:
 ```hcl
-allowed_ssh_cidr = ["your.ip.address/32"]
+allowed_ssh_cidr     = ["your.ip.address/32"]
+allowed_cidr_blocks  = []  # Empty list = no direct access to Grafana from anywhere
+bind_host            = "127.0.0.1:"
+grafana_bind_host    = "127.0.0.1:"
+```
+
+Access Grafana via SSH tunnel:
+```bash
+ssh -i ~/.ssh/key.pem -NL 3000:localhost:3000 ubuntu@instance-ip
 ```
 
-2. Restrict Grafana access:
+2. **Production with direct Grafana access**:
 ```hcl
-allowed_cidr_blocks = ["your.office.ip/24"]
+allowed_ssh_cidr     = ["YOUR_OFFICE_IP/24"]  # Replace with your office network
+allowed_cidr_blocks  = ["YOUR_OFFICE_IP/24"]  # Replace with your office network
+bind_host            = "127.0.0.1:"           # Internal services protected
+grafana_bind_host    = ""                     # Grafana accessible
 ```
 
 3. Use AWS Systems Manager instead of SSH:
@@ -193,6 +237,13 @@ aws ssm start-session --target $(terraform output -raw instance_id)
 
 4. Automate backups with AWS Backup or cron.
 
+### Port binding configuration
+
+- `bind_host = "127.0.0.1:"` - Internal services only on localhost (recommended)
+- `bind_host = ""` - Internal services on all interfaces
+- `grafana_bind_host = "127.0.0.1:"` - Grafana only via SSH tunnel (default)
+- `grafana_bind_host = ""` - Grafana accessible from network
+
 ## Monitoring
 
 ### CloudWatch metrics
@@ -231,6 +282,13 @@ ssh ubuntu@your-ip "sudo docker ps -a"
 ### No access to Grafana
 
 ```bash
+# Check if allowed_cidr_blocks is empty (SSH tunnel required)
+grep allowed_cidr_blocks terraform.tfvars
+
+# If empty, use SSH tunnel
+ssh -i ~/.ssh/key.pem -NL 3000:localhost:3000 ubuntu@your-ip
+# Then open http://localhost:3000
+
 # Check Security Group
 aws ec2 describe-security-groups \
   --group-ids $(terraform output -raw security_group_id)

terraform/aws/main.tf

@@ -46,7 +46,7 @@ data "aws_ami" "ubuntu" {
   }
 }
 
-# VPC (simplified - use default or create minimal)
+# VPC
 resource "aws_vpc" "main" {
   cidr_block           = "10.0.0.0/16"
   enable_dns_hostnames = true
@@ -113,13 +113,17 @@ resource "aws_security_group" "main" {
     cidr_blocks = var.allowed_ssh_cidr
   }
 
-  # Grafana
-  ingress {
-    description = "Grafana"
-    from_port   = 3000
-    to_port     = 3000
-    protocol    = "tcp"
-    cidr_blocks = var.allowed_cidr_blocks
+  # Grafana (optional, only if allowed_cidr_blocks is not empty)
+  # If empty, use SSH tunnel: ssh -i ~/.ssh/key.pem -NL 3000:localhost:3000 ubuntu@<instance-ip>
+  dynamic "ingress" {
+    for_each = length(var.allowed_cidr_blocks) > 0 ? [1] : []
+    content {
+      description = "Grafana"
+      from_port   = 3000
+      to_port     = 3000
+      protocol    = "tcp"
+      cidr_blocks = var.allowed_cidr_blocks
+    }
   }
 
   # Allow all outbound
@@ -168,6 +172,8 @@ resource "aws_instance" "main" {
     postgres_ai_api_key  = var.postgres_ai_api_key
     enable_demo_db       = var.enable_demo_db
     postgres_ai_version  = var.postgres_ai_version
+    bind_host            = var.bind_host
+    grafana_bind_host    = var.grafana_bind_host
     instances_yml        = templatefile("${path.module}/instances.yml.tpl", {
       monitoring_instances = var.monitoring_instances
       enable_demo_db       = var.enable_demo_db