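# TODO: We probably want this in this module as a standard group in all VPCs, but disabling
# for now due to complexity.
#
# For a "typical host" we have some simple expectations
# - able to talk to one of the various salt masters
# - able to talk to Amazon's DNS servers
# - allow inbound SSH from bastion
# - any outbound RPM repo access needed
# - 9998/tcp to moose indexers
#
# The following is a little complicated because the mainline security-group module
# is lacking a little in being able to be super expressive w/ rules. So we
# create the base SG with the module, and then attach more detailed rules to it when
# complete.
#
# NOTE(review): the "disabling for now" sentence above looks stale — the module below is
# active and every rule in this file references its output. Reword or drop it.
#
# Conventions for the aws_security_group_rule resources in this file:
# - Every rule attaches to module.typical_host_sg via security_group_id.
# - On an egress rule, source_security_group_id names the *destination* group (the
#   provider reuses the same argument for both directions), so "source" reads as "peer".
# - protocol is spelled "tcp" / "-1" throughout. The original mixed the numeric form (6)
#   with the name; the provider normalises the number to the name in state, so this is a
#   readability change only — confirm with a plan that it produces no diff.

# Base group. Inbound is ICMP-only from the 10/8 private space; named egress covers DNS
# to the VPC resolver (.2 of the VPC CIDR) and ICMP. Everything else is added as
# explicit rules below.
#
# NOTE(review): whether this module version defaults egress_rules to allow-all or to an
# empty list is not visible here. If it is allow-all, the explicit egress rules below are
# redundant and the "typical host" has unrestricted outbound — verify for the pinned
# version and set egress_rules = [] explicitly if needed.
module "typical_host_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 2.17"

  name            = "typical-host"
  use_name_prefix = false
  vpc_id          = "${module.vpc.vpc_id}"
  tags            = "${local.standard_tags}"

  # ICMP from the whole private space; deliberately broader than any single VPC.
  ingress_cidr_blocks = ["10.0.0.0/8"]
  ingress_rules       = ["all-icmp"]

  # No IPv6 egress at all; the commented block further down is the only candidate.
  egress_ipv6_cidr_blocks = []

  egress_with_cidr_blocks = [
    {
      description = "TCP DNS to Amazon VPC DNS Server"
      rule        = "dns-tcp"
      cidr_blocks = "${cidrhost(module.vpc.vpc_cidr_block,2)}/32"
    },
    {
      description = "UDP DNS to Amazon VPC DNS Server"
      rule        = "dns-udp"
      cidr_blocks = "${cidrhost(module.vpc.vpc_cidr_block,2)}/32"
    },
    {
      description = "ICMP"
      rule        = "all-icmp"
      cidr_blocks = "10.0.0.0/8"
    },
  ]

  #egress_with_ipv6_cidr_blocks = [
  #  {
  #    description      = "Saltstack RPM Repos IPv6"
  #    rule             = "https-443-tcp"
  #    ipv6_cidr_blocks = "2604:a880:400:d0::2:e001/128"
  #  }
  #]
}

# --- Outbound to internal services -------------------------------------------------

# Salt publish (4505) and request (4506) ports to the salt masters.
resource "aws_security_group_rule" "outbound_to_salt_masters" {
  type                     = "egress"
  from_port                = 4505
  to_port                  = 4506
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.salt_masters_sg.this_security_group_id}"
  description              = "Connect to Salt Masters"
}

# Plain HTTP to the internal RPM repo servers.
resource "aws_security_group_rule" "outbound_to_repo_servers_80" {
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.repo_servers_sg.this_security_group_id}"
  description              = "Connect to Repo Servers"
}

# --- Inbound SSH -------------------------------------------------------------------

# SSH is scoped to the bastion *security group*, not to bastion IPs; the commented
# cidr_blocks line is the older per-IP form.
resource "aws_security_group_rule" "inbound_ssh_bastion" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.bastion_servers_sg.this_security_group_id}"
  #cidr_blocks = [ "${formatlist("%s/32",module.bastion.private_ip)}" ]
  description              = "Inbound SSH from bastions"
}

# Second SSH entry point, from the OpenVPN servers' group.
resource "aws_security_group_rule" "typical_host_inbound_ssh_openvpn" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.openvpn_servers_sg.this_security_group_id}"
  description              = "Inbound SSH from openvpn"
}

# --- Outbound to AWS endpoints -----------------------------------------------------

# All traffic to the interface-endpoint group; ports 0/0 with protocol -1 is the
# AWS "all traffic" form.
resource "aws_security_group_rule" "outbound_to_ec2_endpoints" {
  type                     = "egress"
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.aws_endpoints_sg.this_security_group_id}"
  description              = "Outbound to EC2 endpoints"
}

# The S3 gateway endpoint has no security group; it is addressed via its prefix list.
resource "aws_security_group_rule" "outbound_to_ec2_s3_endpoint" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  prefix_list_ids   = ["${module.vpc.vpc_endpoint_s3_pl_id}"]
  description       = "Outbound to S3 endpoint"
}

# --- Outbound to proxies, mail, monitoring, logging ----------------------------------

# NOTE(review): the resource name and port say HTTP/80 but the description says HTTPS —
# reconcile whichever side is wrong before relying on the description in audits.
resource "aws_security_group_rule" "outbound_to_squid_http" {
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.proxy_servers_sg.this_security_group_id}"
  description              = "HTTPS outbound to proxies"
}

resource "aws_security_group_rule" "outbound_to_mailrelay_25" {
  type                     = "egress"
  from_port                = 25
  to_port                  = 25
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.mailrelay_sg.this_security_group_id}"
  description              = "Outbound Email to mailrelay"
}

resource "aws_security_group_rule" "outbound_to_sensu" {
  type                     = "egress"
  from_port                = 8081
  to_port                  = 8081
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.sensu_servers_sg.this_security_group_id}"
  description              = "Sensu Outbound"
}

# Splunk forwarder → indexer (9997-9998). The commented cidr_blocks was the VPC-wide
# form; the rule is now scoped to the moose inbound group instead.
resource "aws_security_group_rule" "outbound_to_moose_s2s" {
  type                     = "egress"
  from_port                = 9997
  to_port                  = 9998
  protocol                 = "tcp"
  #cidr_blocks = [ "${module.vpc.vpc_cidr_block}" ]
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
  description              = "Splunk UF outbound to Moose Indexers"
}

resource "aws_security_group_rule" "outbound_to_moose_idxc" {
  type                     = "egress"
  from_port                = 8089
  to_port                  = 8089
  protocol                 = "tcp"
  #cidr_blocks = [ "${module.vpc.vpc_cidr_block}" ]
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
  description              = "Outbound IDXC Discovery to MOOSE"
}

resource "aws_security_group_rule" "outbound_to_moose_hec" {
  type                     = "egress"
  from_port                = 8088
  to_port                  = 8088
  protocol                 = "tcp"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
  description              = "Connect to HEC"
}

# --- Inbound from vulnerability scanners --------------------------------------------

# Deliberately all ports / all protocols so scans are not blinded by the group, but it
# makes membership of the scanner group a sensitive control: anything placed in that
# group gets unrestricted reach into every typical host. Keep that group's membership
# reviewed.
resource "aws_security_group_rule" "inbound_from_vuln_scanners" {
  type                     = "ingress"
  from_port                = -1
  to_port                  = -1
  protocol                 = "-1"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.vuln_scanners_sg.this_security_group_id}"
  description              = "Allow all from Vuln Scanners"
}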