# Security group attached to the OpenVPN instance(s).
#
# Ingress: only the two listener ports (1194/udp, 443/tcp), open to every IPv4
# source because the instances sit behind a Network Load Balancer that passes
# the client's public address through. No ipv6_cidr_blocks are set anywhere in
# this file, so IPv6 sources are not admitted.
#
# Egress: a blanket all-protocol rule to 10.0.0.0/8 plus a set of narrower
# rules; see the note on "openvpn-permissive-out" below about overlap.
resource "aws_security_group" "openvpn_security_group" {
  name_prefix = "${ var.instance_name }_security_group"
  description = "Security Group for OpenVPN Instance(s)"
  vpc_id      = var.vpc_id
  # Caller-supplied tags win over the standard set on key collisions
  # (later map argument to merge() takes precedence).
  tags        = merge(var.standard_tags, var.tags)
}

# OpenVPN tunnel listener, 1194/udp, reachable from any IPv4 address.
resource "aws_security_group_rule" "openvpn-in" {
  type      = "ingress"
  from_port = 1194
  to_port   = 1194
  protocol  = "udp"
  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
  # The NLB preserves the client address, so the world-open CIDR here is the
  # effective exposure; any narrowing has to happen at the NLB/OpenVPN layer.
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# OpenVPN over TCP/443 (TLS-port fallback), reachable from any IPv4 address.
resource "aws_security_group_rule" "openvpn-https-in" {
  type      = "ingress"
  from_port = 443
  to_port   = 443
  protocol  = "tcp"
  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# Blanket egress: every protocol and port, but only to 10.0.0.0/8 (private
# address space), not to the Internet. The original comment said "all
# outbound"; the CIDR is what actually bounds it.
#
# Because this rule already covers any TCP port to 10.0.0.0/8, the narrower
# egress rules below that also target 10.0.0.0/8 (splunk, https, https-alt,
# phantom, github-ssh, ssh) add no additional reachability. They only become
# effective restrictions if this rule is removed or narrowed.
#
# NOTE(review): from_port/to_port are -1 with protocol "all" — confirm the
# AWS provider version in use accepts -1 here (the documented form for the
# all-protocols rule uses port 0 with protocol "-1").
resource "aws_security_group_rule" "openvpn-permissive-out" {
  # We allow all protocols/ports outbound to private address space for openvpn
  type      = "egress"
  from_port = -1
  to_port   = -1
  protocol  = "all"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# The specific egress rules that follow document intended destinations;
# the list may be incomplete, and most are subsumed by the blanket rule above.
# 8000/tcp to 10.0.0.0/8 — presumably the Splunk web UI/API port; confirm.
# Already covered by "openvpn-permissive-out" while that rule exists.
resource "aws_security_group_rule" "openvpn-splunk-out" {
  type      = "egress"
  from_port = 8000
  to_port   = 8000
  protocol  = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 443/tcp to internal (10.0.0.0/8) HTTPS services.
# Already covered by "openvpn-permissive-out" while that rule exists.
resource "aws_security_group_rule" "openvpn-https-out" {
  type      = "egress"
  from_port = 443
  to_port   = 443
  protocol  = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 8443/tcp to internal (10.0.0.0/8) services on the alternate HTTPS port.
# Already covered by "openvpn-permissive-out" while that rule exists.
resource "aws_security_group_rule" "openvpn-https-alt-out" {
  type      = "egress"
  from_port = 8443
  to_port   = 8443
  protocol  = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 8888/tcp to 10.0.0.0/8 — name suggests a Phantom (SOAR) host; confirm.
# Already covered by "openvpn-permissive-out" while that rule exists.
resource "aws_security_group_rule" "openvpn-phantom-out" {
  type      = "egress"
  from_port = 8888
  to_port   = 8888
  protocol  = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 122/tcp to 10.0.0.0/8 — the name suggests administrative SSH to an
# internally hosted GitHub Enterprise Server; confirm against the actual host.
# Already covered by "openvpn-permissive-out" while that rule exists.
resource "aws_security_group_rule" "openvpn-github-ssh-out" {
  type      = "egress"
  from_port = 122
  to_port   = 122
  protocol  = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 22/tcp to any host in 10.0.0.0/8. This lets the VPN instance itself open
# SSH sessions to the whole private range; if that is not required for
# operation it is a candidate for narrowing to the management hosts only.
# Already covered by "openvpn-permissive-out" while that rule exists.
resource "aws_security_group_rule" "openvpn-ssh-out" {
  type      = "egress"
  from_port = 22
  to_port   = 22
  protocol  = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 8834-8835/tcp to the scanner and private-services CIDRs. This is the only
# egress rule scoped by var.cidr_map rather than a literal; whether those
# CIDRs fall inside 10.0.0.0/8 (and are thus also covered by the blanket
# rule) cannot be determined from this file.
resource "aws_security_group_rule" "openvpn-nessus-out" {
  type      = "egress"
  from_port = 8834
  to_port   = 8835
  protocol  = "tcp"
  # toset() de-duplicates entries that appear in both map keys.
  cidr_blocks       = toset(concat(var.cidr_map["vpc-scanners"], var.cidr_map["vpc-private-services"]))
  security_group_id = aws_security_group.openvpn_security_group.id
  description       = "Access to Nessus"
}

# 443/tcp to a single pinned public address for license check-in.
# The /32 is hard-coded; if the vendor's endpoint moves, check-ins will fail
# closed and this literal must be updated.
resource "aws_security_group_rule" "openvpn-license-server-out" {
  # Needed for license server check-in. Seems to be stable IP.
  type      = "egress"
  from_port = 443
  to_port   = 443
  protocol  = "tcp"
  cidr_blocks       = [ "54.183.149.72/32" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}

# 636/tcp (LDAPS) to any IPv4 destination. With no destination restriction,
# the only assurance of talking to the intended directory is the TLS
# certificate check performed by the LDAP client on the instance —
# NOTE(review): confirm that client verifies the server certificate.
resource "aws_security_group_rule" "openvpn-ldap-out" {
  type      = "egress"
  from_port = 636
  to_port   = 636
  protocol  = "tcp"
  # Yes this has to be 0.0.0.0/0 because our SSL ldap server is provided by OKTA behind a NLB in AWS with non static IP
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.openvpn_security_group.id
}