
Allows access to GHE only from Trusted IPs and zScalar

Fred Damstra [afs macbook] 3 năm trước cách đây
mục cha
commit
32cf6b9b12
1 tập tin đã thay đổi với 26 bổ sung3 xóa
  1. 26 3
      base/github/securitygroups-load-balancers.tf

+ 26 - 3
base/github/securitygroups-load-balancers.tf

@@ -1,6 +1,29 @@
 #----------------------------------------------------------------
 # SG for the external ELB
 #----------------------------------------------------------------
+locals {
+  # from https://config.zscaler.com/zscalergov.net/cenr
+  zscalar_cidrs = [
+    "165.225.3.0/24",
+    "136.226.10.0/23",
+    "136.226.12.0/23",
+    "136.226.14.0/23",
+    "165.225.46.0/24",
+    "136.226.6.0/23",
+    "136.226.4.0/23",
+    "136.226.8.0/23",
+    "136.226.22.0/24",
+    "165.225.48.0/24",
+    "136.226.18.0/23",
+    "136.226.16.0/23",
+    "136.226.20.0/23",
+  ]
+  # Locking down sources on 2021-12-10 due to log4j vulnerability
+  #allowed_sources = local.zscalar_cidrs
+  allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
+  #allowed_sources = [ "0.0.0.0/0" ]
+}
+
 resource "aws_security_group" "ghe_elb_external" {
   name_prefix = "ghe_elb_external"
   tags = merge( var.standard_tags, var.tags, { Name = "github-external-lb" } )
@@ -11,7 +34,7 @@ resource "aws_security_group" "ghe_elb_external" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 22
   to_port                  = 22
   protocol                 = "tcp"
@@ -21,7 +44,7 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -31,7 +54,7 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 443
   to_port                  = 444
   protocol                 = "tcp"
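Review bot: The `zscalar_cidrs` list introduced at the top of the first hunk is a point-in-time copy of a vendor-published range that changes over time, yet the comment records only the URL, so nothing tells a future maintainer when it was last checked or that the three ingress rules now built from `local.allowed_sources` will silently lock out users arriving from a newly added egress range. Record the snapshot date with the source, e.g. `# from https://config.zscaler.com/zscalergov.net/cenr (snapshot YYYY-MM-DD; re-check periodically, ranges change)`, and, if the Terraform version in use supports it, add a `validation` block on `var.trusted_ips` (declared outside this hunk) that rejects `0.0.0.0/0`, since a permissive value there would quietly undo this lockdown through the `concat`. The identifier is spelled `zscalar` while the vendor name and the URL are `zscaler`; renaming while the local is new is cheap. The commented-out `allowed_sources = [ "0.0.0.0/0" ]` left in the locals block is a one-character rollback to the previous open state; either drop it or state why it is kept.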