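# From vmray admin installation guide, page 24
#   Clients to server on 443
#   Server to workers on 5900-5999 (VNC)
#   Workers to server on 80 and 443
#
# Every rule is a standalone aws_security_group_rule rather than an inline
# ingress/egress block. A security group created this way has no allow-all
# egress (the AWS provider strips the default egress rule), so each outbound
# flow VMRay needs (DNS, HTTP/HTTPS, VNC, worker-to-server) is listed explicitly.
# Server <-> worker flows are declared twice, once per side; keep both halves
# in step when a port changes.

# Server
resource "aws_security_group" "vmray_server_sg" {
  name        = "vmray_server_sg"
  description = "Security Rules Specific to VMRay"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

# Workers -> server, port 80. The source is the worker security group, so the
# rule description names the workers (it previously said "other vmray servers").
resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
  description              = "Allow inbound port 80 for redirect from vmray workers"
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Workers -> server, port 443 (counterpart of vmray_worker_https_to_server).
resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
  description              = "Allow inbound https for interserver communication from vmray workers"
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Client access reaches the server only through the internal ALB's security
# group; the CIDR-based variant is kept commented out for reference.
resource "aws_security_group_rule" "vmray_server_https_in" {
  description = "Allow https ingress from the VPN"
  type        = "ingress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  #cidr_blocks = local.cidr_map["vpc-access"]
  source_security_group_id = aws_security_group.vmray_alb_internal.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

## VMRay Does DNS Lookups to the Local Network
# DNS is scoped to the VPC CIDR (var.vpc_info["cidr"]) rather than 0.0.0.0/0,
# so the server can only resolve through resolvers inside the VPC.
resource "aws_security_group_rule" "vmray_server_tcpdns_out" {
  description       = "Allow DNS lookups to the local DNS server"
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_udpdns_out" {
  description       = "Allow DNS lookups to the local DNS server"
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# Unrestricted 80/443 egress is a documented VMRay requirement. Anything the
# server (or a detonated sample routed through it) sends on these ports leaves
# the VPC directly, so VPC Flow Logs on this group are the place to watch that
# traffic. The tfsec ignore must stay on the line directly above the resource.
# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_server_http_out" {
  description       = "VMRay requires direct HTTP outbound"
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_server_https_out" {
  description       = "VMRay requires direct HTTPS outbound"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# Server -> workers, VNC range. On an egress rule source_security_group_id is
# the destination group (counterpart of vmwary_worker_vnc_from_server).
resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
  description              = "VMRay uses VNC for client machine access."
  type                     = "egress"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Workers
resource "aws_security_group" "vmray_worker_sg" {
  name        = "vmray_worker_sg"
  description = "Security Rules for the VMRay Worker Nodes"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

# NOTE(review): the next two resources are spelled "vmwary", not "vmray".
# Renaming them changes their state address, so it needs a `moved` block
# (Terraform >= 1.1) to avoid the rules being destroyed and recreated.
resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
  description              = "VMRay uses VNC for client machine access."
  type                     = "ingress"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

# Operator VNC access to the analysis VMs from the "vpc-access" range. VNC has
# no transport encryption of its own, so keep that range limited to the
# operator network. Assumes local.cidr_map["vpc-access"] is already a list of
# CIDR strings (it is used bare here, unlike var.vpc_info["cidr"]) — confirm.
resource "aws_security_group_rule" "vmwary_worker_vnc_from_access" {
  description       = "VMRay uses VNC for client machine access."
  type              = "ingress"
  from_port         = 5900
  to_port           = 5999
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_tcpdns_out" {
  description       = "VMRay does DNS lookups to an instance in the local vpc."
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_udpdns_out" {
  description       = "VMRay does DNS lookups to an instance in the local vpc."
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# Same public-egress exception as on the server group; the workers are where
# samples detonate, so this is the path their network activity takes out.
# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_worker_http_out" {
  description       = "VMRay requires direct HTTP access."
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_worker_https_out" {
  description       = "VMRay requires direct HTTPS access."
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# Workers -> server (counterparts of vmray_server_http_in_from_workers and
# vmray_server_https_in_from_workers).
resource "aws_security_group_rule" "vmray_worker_http_to_server" {
  description              = "VMRay worker communicates with the server."
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_to_server" {
  description              = "VMRay worker communicates with the server."
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}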