@@ -217,12 +217,23 @@ resource "aws_security_group_rule" "ssh-out" {
security_group_id = aws_security_group.bastion_security_group.id
}
+# Bastion can access any port internally
+resource "aws_security_group_rule" "bastion-out-all-ports" {
+ type = "egress"
+ protocol = "all"
+ from_port = -1
+ to_port = -1
+ cidr_blocks = [ "10.0.0.0/8" ]
+ security_group_id = aws_security_group.bastion_security_group.id
+}
+
+# Bastion gets http/https out to the internet. Most hosts need to use the proxy
resource "aws_security_group_rule" "http-out" {
type = "egress"
from_port = 80
to_port = 80
protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
+ cidr_blocks = [ "0.0.0.0/0" ]
security_group_id = aws_security_group.bastion_security_group.id
}
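Review bot: The new `bastion-out-all-ports` rule opens every protocol and port from the bastion to the whole of 10.0.0.0/8, which is far wider than one VPC and makes the bastion a pivot to anything reachable in that range; scoping `cidr_blocks` to the VPC's own CIDR, or using `source_security_group_id` to target only the security groups the bastion actually administers, keeps the stated intent with a much smaller blast radius. A `description` argument on the rule, e.g. `description = "Bastion to internal hosts"`, would also make its purpose visible in the console rather than only in this comment. With `protocol = "all"` the provider's documented example uses `from_port = 0` / `to_port = 0`; the `-1` values here may be normalized by the API and surface as a perpetual plan diff, which is worth confirming on a plan. The widening of `http-out` here and of `https-out` in the next hunk to `0.0.0.0/0` is the commit's intent, but the comment only says most hosts use the proxy; recording why the bastion is exempt (and whether a managed prefix list for the package mirrors would be enough) would let the next reviewer judge whether unrestricted 80/443 egress is still required.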
@@ -231,6 +242,6 @@ resource "aws_security_group_rule" "https-out" {
from_port = 443
to_port = 443
protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
+ cidr_blocks = [ "0.0.0.0/0" ]
security_group_id = aws_security_group.bastion_security_group.id
}