
Allows Access on TCP/8089 from vpc-splunk for Monitoring Console

To be tagged v1.23.4
Fred Damstra il y a 4 ans
Parent
commit
cc3fa569f6

+ 2 - 2
base/splunk_servers/cluster_master/main.tf

@@ -195,7 +195,7 @@ data "template_cloudinit_config" "cloud-init" {
 # Summary:
 #   Ingress:
 #     tcp/8000      - Splunk Web                 - vpc-access, legacy openvpn, legacy bastion
-#     tcp/8089      - Splunk API                 - vpc-access, legacy openvpn, legacy bastion
+#     tcp/8089      - Splunk API                 - vpc-access, legacy openvpn, legacy bastion, vpc-splunk, vpc-private-services
 #     tcp/8089      - Splunk API + IDX Discovery - Entire VPC + var.splunk_legacy_cidr
 #     tcp/8089      - MOOSE ONLY                 - 10.0.0.0/8
 #   Egress:
@@ -236,7 +236,7 @@ resource "aws_security_group_rule" "splunk-api-in" {
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
-  cidr_blocks       = toset(concat(var.splunk_legacy_cidr, [ var.vpc_cidr ], var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"]))
+  cidr_blocks       = toset(concat(var.splunk_legacy_cidr, [ var.vpc_cidr ], var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"], var.cidr_map["vpc-splunk"]))
   security_group_id = aws_security_group.cluster_master_security_group.id
 }
 
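Review bot: The added `var.cidr_map["vpc-splunk"]` entry on the `cidr_blocks` line admits every address in the vpc-splunk range to the management API on tcp/8089, whereas the commit title scopes the need to the Monitoring Console; the same whole-VPC grant is made in the heavy_forwarder, indexer_cluster and searchhead hunks. If the MC is a single instance (or a small subnet) in that VPC, a dedicated `aws_security_group_rule` with `source_security_group_id` set to the MC's security group would keep the grant at least privilege and would not need editing if vpc-splunk is re-addressed. As far as I know `cidr_blocks` is a force-new attribute on `aws_security_group_rule`, so this edit is applied as a destroy/create of the rule rather than an in-place update; a short window without 8089 ingress during apply is worth noting in the description. The enclosing `splunk-api-in` resource starts outside the hunk.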

+ 2 - 2
base/splunk_servers/heavy_forwarder/main.tf

@@ -195,7 +195,7 @@ data "template_cloudinit_config" "cloud-init" {
 # Summary:
 #   Ingress:
 #     tcp/8000      - Splunk Web                 - vpc-access, legacy openvpn, legacy bastion
-#     tcp/8089      - Splunk API                 - vpc-access, legacy openvpn, legacy bastion
+#     tcp/8089      - Splunk API                 - vpc-access, legacy openvpn, legacy bastion, vpc-splunk (mc)
 #
 #   Egress:
 #     tcp/8089      - Splunk API + IDX Discovery - Entire VPC + var.splunk_legacy_cidr
@@ -226,7 +226,7 @@ resource "aws_security_group_rule" "splunk-api-in" {
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
-  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"]))
+  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"], var.cidr_map["vpc-splunk"]))
   security_group_id = aws_security_group.heavy_forwarder_security_group.id
 }
 

+ 2 - 13
base/splunk_servers/indexer_cluster/security-group-indexers.tf

@@ -66,19 +66,8 @@ resource "aws_security_group_rule" "splunk-api-in-access" {
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
-  # Note: This should not be data_sources, as we do not need to give remote sources access to indexer discovery
-  cidr_blocks       = local.access_cidrs
-  security_group_id = aws_security_group.indexer_security_group.id
-}
-
-resource "aws_security_group_rule" "splunk-api-in-vpc" {
-  description       = "Splunk API + Indexer Discovery"
-  type              = "ingress"
-  from_port         = 8089
-  to_port           = 8089
-  protocol          = "tcp"
-  # Note: This should not be data_sources, as we do not need to give remote sources access to indexer discovery
-  cidr_blocks       = local.splunk_vpc_cidrs
+  # need to concat here, since legacy subnet is already in the rule
+  cidr_blocks       = toset(concat(tolist(local.access_cidrs), tolist(local.splunk_vpc_cidrs), var.cidr_map["vpc-splunk"])) 
   security_group_id = aws_security_group.indexer_security_group.id
 }
 
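Review bot: The merge removes both `# Note: This should not be data_sources, as we do not need to give remote sources access to indexer discovery` comments, and the replacement `# need to concat here, since legacy subnet is already in the rule` explains the mechanics rather than why the rule is deliberately narrow; suggest keeping the rationale on the merged `cidr_blocks` line, e.g. `# Note: do not use data_sources here - remote data sources must not reach indexer discovery`. The merged line also ends in trailing whitespace after the closing parenthesis, and it wraps the two locals in `tolist()` but passes `var.cidr_map["vpc-splunk"]` bare, which is fine only if the map values are lists; `tolist(var.cidr_map["vpc-splunk"])` would make the expression robust either way. Since the surviving rule now also carries indexer discovery, its `description` (outside the hunk) may still read as API-only and should be checked. The enclosing `splunk-api-in-access` resource starts outside the hunk, and deleting `splunk-api-in-vpc` while the merged rule is replaced may leave a brief apply-time window with no 8089 ingress from the VPC.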

+ 1 - 0
base/splunk_servers/searchhead/main.tf

@@ -240,6 +240,7 @@ resource "aws_security_group_rule" "splunk-api-in" {
   protocol          = "tcp"
   cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], 
                                    var.cidr_map["vpc-private-services"], 
+                                   var.cidr_map["vpc-splunk"], # MC
                                    var.splunk_legacy_cidr, 
                                    [ var.vpc_cidr ], 
                                    local.is_moose ? var.cidr_map["vpc-system-services"] : [], # for salt inventory