
Merge pull request #195 from mdr-engineering/hotfix/ftd_na_FixSecurityGroupsForVPCs

Fixes Security Group Modules
Frederick Damstra 4 年之前
当前提交
92b6a388ef

+ 2 - 2
base/github/backup_server.tf

@@ -24,8 +24,8 @@ resource "aws_instance" "ghe-backup-instance" {
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
   # that could be removed.
-  #lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
-  lifecycle { ignore_changes = [ ami, key_name, user_data ] }
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+  #lifecycle { ignore_changes = [ ami, key_name, user_data ] }
 
   # These device definitions are optional, but added for clarity.
   root_block_device {
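Review bot: The ignore_changes list enabled on line 20 now suppresses drift detection for the whole `ebs_block_device` block, not only `snapshot_id`, so any out-of-band change to the instance's data volumes (size, type, encryption, or a different snapshot) will no longer appear in `terraform plan`; the header comment on lines 15-17 motivates only the snapshot_id case, and the comment should say that the broader suppression is accepted. The swapped-in commented alternative on line 21 is dead code kept as a toggle and should be dropped; base/nessus/instance_nessus_scanner/main.tf already drops it while base/nessus/instance_security_center/main.tf keeps it, so the three instance files are inconsistent after this commit. None of these three hunks touch a security group, so they are outside what the PR title describes and would be easier to audit as a separate change. The enclosing aws_instance resource starts before and ends after the hunk.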

+ 1 - 2
base/nessus/instance_nessus_scanner/main.tf

@@ -37,8 +37,7 @@ resource "aws_instance" "nessus-scanner-instance" {
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
   # that could be removed.
-  #lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
-  lifecycle { ignore_changes = [ ami, key_name, user_data ] }
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
 
   # These device definitions are optional, but added for clarity.
   root_block_device {

+ 2 - 2
base/nessus/instance_security_center/main.tf

@@ -34,8 +34,8 @@ resource "aws_instance" "security-center-instance" {
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
   # that could be removed.
-  #lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
-  lifecycle { ignore_changes = [ ami, key_name, user_data ] }
+  lifecycle { ignore_changes = [ ami, key_name, user_data, ebs_block_device ] }
+  #lifecycle { ignore_changes = [ ami, key_name, user_data ] }
 
   # These device definitions are optional, but added for clarity.
   root_block_device {

+ 2 - 2
base/qualys_scanners/ec2.tf

@@ -40,7 +40,7 @@ resource aws_instance "qualys_scanner_preauthorized" {
 
   ebs_optimized               = true
   vpc_security_group_ids      = [
-    module.qualys_scanner_sg.this_security_group_id
+    module.qualys_scanner_sg.security_group_id
   ]
 
   credit_specification {
@@ -70,7 +70,7 @@ resource aws_instance "qualys_scanner_standard" {
 
   ebs_optimized               = true
   vpc_security_group_ids      = [
-    module.qualys_scanner_sg.this_security_group_id
+    module.qualys_scanner_sg.security_group_id
   ]
 
   credit_specification {
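Review bot: The rename from `this_security_group_id` to `security_group_id` on lines 63 and 72 only resolves if `module "qualys_scanner_sg"` is itself moved to a major version of the security-group module that exposes the new output name; that module block and its version constraint are not in this diff, and the only version changes in the commit are in base/security_vpc/security-groups.tf. If the qualys_scanners module blocks still carry the old `~> 3` constraint, `terraform validate` fails on an unsupported attribute rather than silently picking a wrong group. The same dependency applies to base/qualys_scanners/main.tf and base/qualys_scanners/outputs.tf (aws_endpoints_sg, allow_all_sg, allow_all_outbound_sg), which reference outputs of modules defined outside this diff. Both aws_instance resources start before and end after their hunks.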

+ 1 - 1
base/qualys_scanners/main.tf

@@ -34,7 +34,7 @@ module "vpc" {
 
   enable_ec2_endpoint              = true
   ec2_endpoint_private_dns_enabled = true
-  ec2_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
+  ec2_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.security_group_id ]
 
   dhcp_options_domain_name = var.dns_info["private"]["zone"]
 

+ 2 - 2
base/qualys_scanners/outputs.tf

@@ -11,11 +11,11 @@ output private_subnets {
 }
 
 output allow_all_sg_id {
-  value = module.allow_all_sg.this_security_group_id
+  value = module.allow_all_sg.security_group_id
 }
 
 output allow_all_outbound_sg_id {
-  value = module.allow_all_outbound_sg.this_security_group_id
+  value = module.allow_all_outbound_sg.security_group_id
 }
 
 output private_route_tables {

+ 1 - 1
base/security_vpc/main.tf

@@ -48,7 +48,7 @@ module "vpc" {
   enable_dhcp_options = true
 
   enable_ec2_endpoint              = true # PA likes a local ec2 endpoint
-  ec2_endpoint_security_group_ids  = [ module.aws_endpoints_sg.this_security_group_id ]
+  ec2_endpoint_security_group_ids  = [ module.aws_endpoints_sg.security_group_id ]
 
   dhcp_options_domain_name = var.dns_info["private"]["zone"]
 

+ 4 - 4
base/security_vpc/outputs.tf

@@ -36,10 +36,10 @@ output subnet_cidr_map {
 
 output security_groups {
   value = {
-    allow_all = module.allow_all_sg.this_security_group_id
-    allow_all_outbound = module.allow_all_outbound_sg.this_security_group_id
-    allow_trusted = module.allow_trusted_sg.this_security_group_id
-    allow_all_intravpc = module.allow_all_intravpc.this_security_group_id
+    allow_all = module.allow_all_sg.security_group_id
+    allow_all_outbound = module.allow_all_outbound_sg.security_group_id
+    allow_trusted = module.allow_trusted_sg.security_group_id
+    allow_all_intravpc = module.allow_all_intravpc.security_group_id
   }
 }
 

+ 5 - 5
base/security_vpc/security-groups.tf

@@ -8,7 +8,7 @@ locals {
 module "aws_endpoints_sg" {
   use_name_prefix = false
   source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
+  version = "= 4.0.0"
   name        = "aws_endpoints"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
@@ -24,7 +24,7 @@ module "aws_endpoints_sg" {
 module "allow_all_sg" {
   use_name_prefix = false
   source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
+  version = "= 4.0.0"
   name        = "allow-all"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
@@ -38,7 +38,7 @@ module "allow_all_sg" {
 module "allow_all_outbound_sg" {
   use_name_prefix = false
   source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
+  version = "= 4.0.0"
   name        = "allow-all-outbound"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
@@ -49,7 +49,7 @@ module "allow_all_outbound_sg" {
 module "allow_trusted_sg" {
   use_name_prefix = false
   source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
+  version = "= 4.0.0"
   name        = "allow_trusted"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
@@ -62,7 +62,7 @@ module "allow_trusted_sg" {
 module "allow_all_intravpc" {
   use_name_prefix = false
   source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
+  version = "= 4.0.0"
   name        = "allow_all_intravpc"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
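Review bot: The exact pin `version = "= 4.0.0"` on lines 148, 157, 166, 175 and 184 carries the reason for this whole commit — the major bump is what renames the module outputs consumed in base/security_vpc/main.tf and base/security_vpc/outputs.tf — but nothing in the file records that, so a later maintainer is likely to loosen it back to a range without checking the output names. A one-line comment above each version line such as `# exact pin: v4 renamed outputs (this_security_group_id -> security_group_id); bump deliberately` would document the coupling. Registry modules are pinned by version only (the dependency lock file does not record module content hashes), so an exact pin is a reasonable choice for a module that defines every security group in this VPC, provided the reason is written down. Each module block starts before and ends after its hunk.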

+ 0 - 202
base/standard_vpc/typicalhost.tf.disabled

@@ -1,202 +0,0 @@
-# TODO: We probably want this in this module as a standard group in all VPCs, but disabling
-# for now due to complexity.
-#
-# For a "typical host" we have some simple expectations
-#   - able to talk to one of the various salt masters
-#   - able to talk to Amazon's DNS servers
-#   - allow inbound SSH from bastion
-#   - any outbound RPM repo access needed
-#   - 9998/tcp to moose indexers
-#
-#
-# The following is a little complicated because the mainline security-group module
-# is lacking a little in being able to be super expressive w/ rules.  So we
-# create the base SG with the module, and then attach more detailed rules to it when
-# complete
-module "typical_host_sg" {
-  use_name_prefix = false
-  source = "terraform-aws-modules/security-group/aws"
-  version = "~> 2.17"
-  name        = "typical-host"
-  tags        = "${local.standard_tags}"
-  vpc_id      = "${module.vpc.vpc_id}"
-
-  ingress_cidr_blocks = [ "10.0.0.0/8" ]
-  ingress_rules = [ "all-icmp" ]
-
-  egress_ipv6_cidr_blocks = [ ]
-
-  egress_with_cidr_blocks = [
-    {
-      description = "TCP DNS to Amazon VPC DNS Server"
-      rule        = "dns-tcp"
-      cidr_blocks = "${cidrhost(module.vpc.vpc_cidr_block,2)}/32"
-    },
-    {
-      description = "UDP DNS to Amazon VPC DNS Server"
-      rule        = "dns-udp"
-      cidr_blocks = "${cidrhost(module.vpc.vpc_cidr_block,2)}/32"
-    },
-
-    {
-      description = "ICMP"
-      rule 				= "all-icmp"
-      cidr_blocks = "10.0.0.0/8"
-  	},
-
-	]
-
-  #egress_with_ipv6_cidr_blocks = [
-  #  {
-  #    description = "Saltstack RPM Repos IPv6"
-  #    rule 				= "https-443-tcp"
-  #    ipv6_cidr_blocks = "2604:a880:400:d0::2:e001/128"
-  #  }
-  #]
-}
-
-resource "aws_security_group_rule" "outbound_to_salt_masters"
-{
-  type = "egress"
-  from_port = 4505
-  to_port = 4506
-  protocol = 6
-  source_security_group_id = "${module.salt_masters_sg.this_security_group_id}"
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  description = "Connect to Salt Masters"
-}
-
-resource "aws_security_group_rule" "outbound_to_repo_servers_80"
-{
-  type = "egress"
-  from_port = 80
-  to_port = 80
-  protocol = 6
-  source_security_group_id = "${module.repo_servers_sg.this_security_group_id}"
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  description = "Connect to Repo Servers"
-}
-
-resource "aws_security_group_rule" "inbound_ssh_bastion"
-{
-  type = "ingress"
-  from_port = 22
-  to_port = 22
-  protocol = 6
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  source_security_group_id = "${module.bastion_servers_sg.this_security_group_id}"
-  #cidr_blocks = [ "${formatlist("%s/32",module.bastion.private_ip)}" ]
-  description = "Inbound SSH from bastions"
-}
-
-resource "aws_security_group_rule" "typical_host_inbound_ssh_openvpn"
-{
-  type = "ingress"
-  from_port = 22
-  to_port = 22
-  protocol = 6
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  source_security_group_id = "${module.openvpn_servers_sg.this_security_group_id}"
-  description = "Inbound SSH from openvpn"
-}
-
-resource "aws_security_group_rule" "outbound_to_ec2_endpoints"
-{
-  type = "egress"
-  from_port = 0
-  to_port = 0
-  protocol = -1
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  source_security_group_id = "${module.aws_endpoints_sg.this_security_group_id}"
-  description = "Outbound to EC2 endpoints"
-}
-
-resource "aws_security_group_rule" "outbound_to_ec2_s3_endpoint"
-{
-  type = "egress"
-  from_port = 0
-  to_port = 0
-  protocol = -1
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  prefix_list_ids = [ "${module.vpc.vpc_endpoint_s3_pl_id}" ]
-  description = "Outbound to S3 endpoint"
-}
-
-resource "aws_security_group_rule" "outbound_to_squid_http"
-{
-  type = "egress"
-  from_port = 80
-  to_port = 80
-  protocol = 6
-  source_security_group_id = "${module.proxy_servers_sg.this_security_group_id}"
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  description  = "HTTPS outbound to proxies"
-}
-
-resource "aws_security_group_rule" "outbound_to_mailrelay_25"
-{
-  type = "egress"
-  from_port = 25
-  to_port = 25
-  protocol = 6
-  source_security_group_id = "${module.mailrelay_sg.this_security_group_id}"
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  description = "Outbound Email to mailrelay"
-}
-
-resource "aws_security_group_rule" "outbound_to_sensu"
-{
-  type = "egress"
-  from_port = 8081
-  to_port   = 8081
-  protocol  = "tcp"
-  source_security_group_id = "${module.sensu_servers_sg.this_security_group_id}"
-  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
-  description              = "Sensu Outbound"
-}
-
-resource "aws_security_group_rule" "outbound_to_moose_s2s"
-{
-  type = "egress"
-  from_port = 9997
-  to_port   = 9998
-  protocol  = "tcp"
-  #cidr_blocks              = [ "${module.vpc.vpc_cidr_block}" ]
-  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
-  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
-  description              = "Splunk UF outbound to Moose Indexers"
-}
-
-resource "aws_security_group_rule" "outbound_to_moose_idxc"
-{
-  type = "egress"
-  from_port = 8089
-  to_port   = 8089
-  protocol  = "tcp"
-  #cidr_blocks              = [ "${module.vpc.vpc_cidr_block}" ]
-  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
-  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
-  description              = "Outbound IDXC Discovery to MOOSE"
-}
-
-resource "aws_security_group_rule" "outbound_to_moose_hec"
-{
-  type = "egress"
-  from_port = 8088
-  to_port = 8088
-  protocol = 6
-  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  description = "Connect to HEC"
-}
-
-resource "aws_security_group_rule" "inbound_from_vuln_scanners"
-{
-  type = "ingress"
-  from_port = -1
-  to_port = -1
-  protocol = -1
-  source_security_group_id = "${module.vuln_scanners_sg.this_security_group_id}"
-  security_group_id = "${module.typical_host_sg.this_security_group_id}"
-  description = "Allow all from Vuln Scanners"
-}