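# SG Summary - Server
#
# Ingress (all tcp):
#   22        - From anywhere (see rule: traffic arrives through the NLB, which
#               hands the server the client's source IP, so the source cannot be
#               narrowed to the NLB itself)
#   80        - From external load balancers (LetsEncrypt HTTP challenge)
#   122       - From vpc-access, this SG (self), ghe-backup   (admin SSH)
#   443-444   - From load balancers (external + internal), vpc-access
#   8443-8444 - From vpc-access, this SG (self), ghe-backup   (management)
#   8444      - From load balancers (external + internal)
#
# Egress (all tcp):
#   80, 443   - To anywhere (LetsEncrypt)
#   1514      - To vpc-splunk (syslog)
#
# Note: the load-balancer rules on 8444 deliberately do NOT include 8443
# (management console); 8443 is reachable only from the management sources
# listed above.
#
resource "aws_security_group" "ghe_server" {
  # checkov:skip=CKV2_AWS_5: this SG is attached to GitHub
  name_prefix = "ghe_server"
  tags        = merge(local.standard_tags, var.tags, { Name = "github-enterprise-server" })
  vpc_id      = var.vpc_id
  description = "GitHub Enterprise Servers and Backup Servers"
}

#-----------------------------------------------------------------
# INGRESS
#-----------------------------------------------------------------

# Git-over-SSH for end users. Open to the world by design: the NLB in front of
# the server preserves client source IPs, so restricting this to the NLB is not
# possible. Both scanners are silenced for that reason.
resource "aws_security_group_rule" "ghe_server_inbound_22" {
  # checkov:skip=CKV_AWS_24: Intentionally Open
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "Inbound tcp/22 (ssh) from external IPs (through NLB)"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
}

# Plain HTTP is only needed for the LetsEncrypt HTTP-01 challenge and is limited
# to the external ELB's security group.
resource "aws_security_group_rule" "ghe_server_inbound_external_elb_80" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = module.elb.security_group_id
  type                     = "ingress"
  description              = "HTTP - Inbound from external ELBs for LetsEncrypt"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
}

#--- 122: administrative SSH ---------------------------------------

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "Inbound SSH (for mgmt)"
  cidr_blocks       = local.cidr_map["vpc-access"]
  from_port         = 122
  to_port           = 122
  protocol          = "tcp"
}

# Server-to-server (self) admin SSH.
resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  description              = "Inbound SSH (for mgmt)"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
}

# Backup host admin SSH.
resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  description              = "Inbound SSH (for mgmt)"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
}

#--- 443-444: user-facing HTTPS ------------------------------------

resource "aws_security_group_rule" "ghe_server_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "HTTPS - Inbound"
  cidr_blocks       = local.cidr_map["vpc-access"]
  from_port         = 443
  to_port           = 444
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = module.elb.security_group_id
  type                     = "ingress"
  description              = "HTTPS - Inbound from external ELBs"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  description              = "HTTPS - Inbound from internal ELBs"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
}

#--- 8443-8444: management HTTPS (restricted sources) --------------

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "HTTPS - Inbound (for mgmt)"
  cidr_blocks       = local.cidr_map["vpc-access"]
  from_port         = 8443
  to_port           = 8444
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  description              = "HTTPS - Inbound (for mgmt)"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  description              = "HTTPS - Inbound (for mgmt)"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}

#--- 8444 only: from load balancers --------------------------------
# These two rules are named and described as "8444" and the summary grants the
# load balancers 8444 only, yet they previously opened 8443-8444, which also
# exposed the management port (8443) to the ELB security groups. The range is
# narrowed to the single port the rules document; the management port stays
# reachable only via the mgmt rules above.

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  description              = "HTTPS - Inbound/8444 from internal ELBs"
  from_port                = 8444
  to_port                  = 8444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = module.elb.security_group_id
  type                     = "ingress"
  description              = "HTTPS - Inbound/8444 from external ELBs"
  from_port                = 8444
  to_port                  = 8444
  protocol                 = "tcp"
}

#-----------------------------------------------------------------
# Outbound access
#-----------------------------------------------------------------
# Egress is explicit (no catch-all): only what LetsEncrypt and log shipping
# need. Anything else the server must reach has to be added here.

resource "aws_security_group_rule" "ghe_server_outbound_http" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  description       = "Outbound http for LetsEncrypt"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr Purposefully accessible
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_outbound_https" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  description       = "Outbound https for LetsEncrypt"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr Purposefully accessible
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
}

# Log shipping to the Splunk collectors; limited to the vpc-splunk CIDRs.
resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  description       = "Outbound syslog - TCP"
  cidr_blocks       = local.cidr_map["vpc-splunk"]
  from_port         = 1514
  to_port           = 1514
  protocol          = "tcp"
}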