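# SG Summary - Server
#
#   22        - From vpc-access
#   23        - From Load Balancers (external and internal)
#   80        - From external Load Balancers (LetsEncrypt HTTP challenge)
#   122       - From vpc-access, ghe_server (self), ghe_backup_server
#   443-444   - From vpc-access, Load Balancers (external and internal)
#   8443-8444 - From vpc-access, ghe_server (self), ghe_backup_server
#   8444      - From Load Balancers (external and internal)
#
# The two `*_elb_8444` rules previously opened 8443-8444; their names,
# descriptions and the summary above only call for 8444, so they are now
# pinned to 8444 so the management port 8443 is not reachable via the ELBs.
# Rule names are kept as-is (even where "https" is misleading, e.g. the
# tcp/23 rules) because renaming a rule forces a destroy/recreate.
#
# Terraform's aws_security_group resource removes AWS's default allow-all
# egress rule, so outbound traffic is limited to the egress rules below.
#

resource "aws_security_group" "ghe_server" {
  name_prefix = "ghe_server"
  vpc_id      = var.vpc_id
  description = "GitHub Enterprise Servers and Backup Servers"

  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "github-enterprise-server" }
  )
}

#-----------------------------------------------------------------
# Inbound access
#-----------------------------------------------------------------

# tcp/22: git-over-ssh from the vpc-access CIDRs only.
resource "aws_security_group_rule" "ghe_server_inbound_ssh_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  cidr_blocks       = var.cidr_map["vpc-access"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound ssh (for git)"
}

# tcp/23: ssh-proxy listener, reachable only from the load balancer SGs.
# (Name says "https" for historical reasons; kept to avoid a replace.)
resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_23" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Inbound tcp/23 (ssh-proxy) from external ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_23" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Inbound tcp/23 (ssh-proxy) from internal ELBs"
}

# tcp/80: plain HTTP only from the external ELB, for the LetsEncrypt
# HTTP challenge. Deliberately not opened from the internal ELB or CIDRs.
resource "aws_security_group_rule" "ghe_server_inbound_external_elb_80" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Inbound HTTP from external ELBs for LetsEncrypt"
}

# tcp/122: management ssh from vpc-access CIDRs, from other members of
# this SG, and from the backup servers.
resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  cidr_blocks       = var.cidr_map["vpc-access"]
  from_port         = 122
  to_port           = 122
  protocol          = "tcp"
  description       = "Inbound ssh (for mgmt)"
}

# Self-referencing rule: members of ghe_server may reach each other on 122.
resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
  description              = "Inbound ssh (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
  description              = "Inbound ssh (for mgmt)"
}

# tcp/443-444: user-facing HTTPS from vpc-access CIDRs and both ELB tiers.
resource "aws_security_group_rule" "ghe_server_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  cidr_blocks       = var.cidr_map["vpc-access"]
  from_port         = 443
  to_port           = 444
  protocol          = "tcp"
  description       = "Inbound https"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
  description              = "Inbound https from external ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
  description              = "Inbound https from internal ELBs"
}

# tcp/8443-8444: management HTTPS from vpc-access CIDRs, from other
# members of this SG, and from the backup servers.
# NOTE(review): the summary lists only 8443 for vpc-access and backup;
# the 8443-8444 range is kept as found - confirm whether 8444 is needed
# from these sources.
resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  cidr_blocks       = var.cidr_map["vpc-access"]
  from_port         = 8443
  to_port           = 8444
  protocol          = "tcp"
  description       = "Inbound https (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https (for mgmt)"
}

# tcp/8444 only from the ELBs. The management port 8443 must not be
# reachable through the load balancers, so from_port is 8444, not 8443.
resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  from_port                = 8444
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https/8444 from internal ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 8444
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https/8444 from external ELBs"
}

#-----------------------------------------------------------------
# Outbound access
#-----------------------------------------------------------------

# Unrestricted-destination egress on 80/443 is needed for the LetsEncrypt
# ACME flow. If egress can be narrowed (e.g. via a proxy or prefix list),
# these two rules are the place to do it.
resource "aws_security_group_rule" "ghe_server_outbound_http" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  description       = "Outbound http for letsencrypt"
}

resource "aws_security_group_rule" "ghe_server_outbound_https" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Outbound https for letsencrypt"
}

# tcp/1514: syslog forwarding, restricted to the splunk CIDRs.
resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  cidr_blocks       = var.cidr_map["vpc-splunk"]
  from_port         = 1514
  to_port           = 1514
  protocol          = "tcp"
  description       = "Outbound syslog"
}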