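## Indexer Security Group
#
# Summary of what the rules in this file grant (keep in sync with the
# resources below; the source lists are named after the locals they use):
#
# Ingress:
#   x tcp/8000      - Splunk Web                 - local.access_cidrs
#                                                  (vpc-access: legacy openvpn, legacy bastion)
#   x tcp/8088      - Splunk HEC                 - local.data_sources
#                                                  (local.splunk_vpc_cidrs + local.splunk_data_sources)
#   x tcp/8088      - MOOSE ONLY                 - local.indexer_moose_source_cidrs (10.0.0.0/8)
#   x tcp/8089      - Splunk API + IDX Discovery - local.access_cidrs + local.splunk_vpc_cidrs
#                                                  + local.cidr_map["vpc-splunk"]
#                                                  (vpc-private-services, used by the monitoring
#                                                  console, arrives via local.splunk_vpc_cidrs)
#   x tcp/8089      - MOOSE ONLY                 - local.indexer_moose_source_cidrs (10.0.0.0/8)
#   x tcp/9887      - IDX Replication            - local.splunk_vpc_cidrs
#   x tcp/9997-9998 - Splunk Data                - local.data_sources
#   x tcp/9997-9998 - MOOSE ONLY                 - local.indexer_moose_source_cidrs (10.0.0.0/8)
# Egress:
#   tcp/9887        - IDX Replication            - local.splunk_vpc_cidrs
#   tcp/8089        - Splunk API + IDX Discovery - local.splunk_vpc_cidrs
#
# local.splunk_legacy_cidr, local.cidr_map, local.splunk_data_sources,
# local.is_moose and local.standard_tags are defined elsewhere in the module.

locals {
  # Splunk-to-Splunk traffic (replication, API / indexer discovery): the legacy
  # Splunk CIDR(s), the whole VPC, and the private-services VPC.
  splunk_vpc_cidrs = toset(concat(local.splunk_legacy_cidr, [var.vpc_cidr], local.cidr_map["vpc-private-services"]))

  # Operator access (Web / API) from the access VPC.
  access_cidrs = local.cidr_map["vpc-access"]

  # Senders of event data (HEC, S2S): all Splunk-to-Splunk sources plus the
  # externally supplied data sources. local.splunk_data_sources is presumably
  # where Internet-facing sources (the tfsec-ignored public ingress) come from;
  # everything else in this set is VPC-internal.
  data_sources = toset(concat(tolist(local.splunk_vpc_cidrs), local.splunk_data_sources))

  # Source range for the MOOSE-only rules. Declared once so the three MOOSE
  # rules cannot drift apart. 10/8 is deliberately broad: internal sources use
  # indexer discovery (see splunk-api-in-moose), so the whole range must reach
  # HEC, API and the data ports.
  indexer_moose_source_cidrs = ["10.0.0.0/8"]
}

resource "aws_security_group" "indexer_security_group" {
  # checkov:skip=CKV2_AWS_5: this SG is attached to Indexers
  name        = "indexer_security_group"
  description = "Security Group for Splunk Indexers"
  vpc_id      = var.vpc_id

  # var.tags are applied on top of the standard tags; Name is always forced.
  tags = merge(local.standard_tags, var.tags, { "Name" = "indexer_security_group" })
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------

# Splunk Web (tcp/8000) - operator access only, never data sources.
resource "aws_security_group_rule" "splunk-web-in" {
  type              = "ingress"
  description       = "Web access from Bastions and VPN"
  from_port         = 8000
  to_port           = 8000
  protocol          = "tcp"
  cidr_blocks       = local.access_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

# Splunk HEC (tcp/8088) from every data source.
resource "aws_security_group_rule" "splunk-hec-in" {
  type              = "ingress"
  description       = "Splunk HEC access"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.data_sources # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally open to Internet for HEC from AWS
  security_group_id = aws_security_group.indexer_security_group.id
}

# Splunk HEC (tcp/8088) from 10/8 - only created for MOOSE deployments.
resource "aws_security_group_rule" "splunk-hec-in-moose" {
  count             = local.is_moose ? 1 : 0
  type              = "ingress"
  description       = "Splunk HEC - Inbound to Moose access"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.indexer_moose_source_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

# Splunk management API / indexer discovery (tcp/8089).
resource "aws_security_group_rule" "splunk-api-in-access" {
  type        = "ingress"
  description = "Splunk API + Indexer Discovery"
  from_port   = 8089
  to_port     = 8089
  protocol    = "tcp"
  # Operators, Splunk-to-Splunk peers and the splunk VPC are combined into one
  # rule; the legacy CIDR is already part of local.splunk_vpc_cidrs, so it is
  # not added again here. toset() de-duplicates any overlap between the lists.
  cidr_blocks       = toset(concat(tolist(local.access_cidrs), tolist(local.splunk_vpc_cidrs), local.cidr_map["vpc-splunk"]))
  security_group_id = aws_security_group.indexer_security_group.id
}

# Splunk management API / indexer discovery (tcp/8089) from 10/8 - MOOSE only.
resource "aws_security_group_rule" "splunk-api-in-moose" {
  count       = local.is_moose ? 1 : 0
  type        = "ingress"
  description = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
  from_port   = 8089
  to_port     = 8089
  protocol    = "tcp"
  # Internal sources _do_ use indexer discovery, so moose needs 10/8 open to the entirety.
  cidr_blocks       = local.indexer_moose_source_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

# Indexer cluster replication (tcp/9887) between indexers.
resource "aws_security_group_rule" "splunk-idx-replication" {
  type              = "ingress"
  description       = "Splunk Indexer Replication"
  from_port         = 9887
  to_port           = 9887
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

# Splunk-to-Splunk data (tcp/9997-9998) from every data source.
resource "aws_security_group_rule" "splunk-data-in" {
  type              = "ingress"
  description       = "Splunk Data - Inbound"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = local.data_sources # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally open to Internet due to NLB
  security_group_id = aws_security_group.indexer_security_group.id
}

# Splunk-to-Splunk data (tcp/9997-9998) from 10/8 - MOOSE only.
resource "aws_security_group_rule" "splunk-data-in-moose" {
  count             = local.is_moose ? 1 : 0
  type              = "ingress"
  description       = "Splunk Data - Inbound for Moose"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = local.indexer_moose_source_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

#----------------------------------------------------------------------------
# EGRESS
#
# NOTE(review): per the AWS provider docs, a security group created without an
# inline egress block has its default allow-all egress rule removed, so the
# indexers' outbound traffic should be limited to the two rules below - confirm
# nothing else attaches egress to this group.
#----------------------------------------------------------------------------

# Replication traffic to peer indexers (tcp/9887).
resource "aws_security_group_rule" "splunk-idx-replication-out" {
  type              = "egress"
  description       = "Splunk Indexer Replication - Outbound"
  from_port         = 9887
  to_port           = 9887
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

# Management API / discovery traffic to peer indexers (tcp/8089).
resource "aws_security_group_rule" "splunk-api-out" {
  type              = "egress"
  description       = "Splunk API - Outbound to talk to indexers"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}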