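#----------------------------------------------------------------
# SG for the external ELB
#----------------------------------------------------------------
locals {
  # Zscaler egress ranges, taken from https://config.zscaler.com/zscalergov.net/cenr
  # The local is spelled "zscalar"; the name is kept as-is because the
  # commented-out allow-lists below (and possibly other files) reference it.
  zscalar_cidrs = [
    "165.225.3.0/24",
    "136.226.10.0/23",
    "136.226.12.0/23",
    "136.226.14.0/23",
    "165.225.46.0/24",
    "136.226.6.0/23",
    "136.226.4.0/23",
    "136.226.8.0/23",
    "136.226.22.0/24",
    "165.225.48.0/24",
    "136.226.18.0/23",
    "136.226.16.0/23",
    "136.226.20.0/23",
  ]

  # Salt master hosts that need to reach the external ELB.
  salt_masters = [
    "18.253.198.129/32", # Salt Master Prod - proxy
    "18.253.73.251/32",  # salt master prod
    "18.252.61.81/32",   # Salt master dev - proxy
    "18.253.226.199/32", # salt master dev
  ]

  # Locking down sources on 2021-12-10 due to log4j vulnerability
  #allowed_sources = local.zscalar_cidrs
  #allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
  #allowed_sources = concat(local.zscalar_cidrs, var.trusted_ips, local.salt_masters)
  # Restored access on 2021-12-14
  # NOTE(review): 0.0.0.0/0 exposes every external ELB listener that uses this
  # local to the whole internet. The commented-out variants above are the
  # tighter allow-lists to return to if access must be restricted again.
  allowed_sources = ["0.0.0.0/0"]
}

#----------------------------------------------------------------
# SG for the internal ELB
#----------------------------------------------------------------
resource "aws_security_group" "ghe_elb_internal" {
  name_prefix = "ghe_elb_internal"
  # merge() gives later maps precedence, so the Name tag set here wins over
  # any Name in var.standard_tags or var.tags.
  tags        = merge(var.standard_tags, var.tags, { Name = "github-internal-lb" })
  vpc_id      = var.vpc_id
  description = "Internal ELB for GitHub Enterprise Server"
}

# Inbound HTTPS from private address space (RFC 1918 10/8) only.
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Inbound https"
}

# Inbound 8443 from private address space; presumably the GHE management
# console port - confirm against the server listener configuration.
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 8443
  to_port           = 8443
  protocol          = "tcp"
  description       = "Inbound https"
}

# Inbound git-over-SSH (22) from private address space. The resource name
# says "https" but the rule is for git; the name is kept to avoid a
# destroy/create of the rule.
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound git"
}

# Let the ELB talk to the github server(s).
# On an egress rule, source_security_group_id is the destination SG, so this
# only permits traffic towards members of aws_security_group.ghe_server.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# Let the ELB talk to the github server(s) on the 8443 listener.
# NOTE(review): the range is 8443-8444 while the matching inbound rule only
# accepts 8443; 8444 looks like a typo for 8443 - confirm and narrow the range
# if nothing listens on 8444.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# Let the ELB forward git-over-SSH to the github server(s).
# The previous version of this rule opened port 23 (telnet) while describing
# itself as "https"; neither matched the inbound port-22 git rule this egress
# pairs with, and no other egress covered 22. The port is corrected to 22 and
# the description fixed; the resource name is kept so existing references to
# it stay valid.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  description              = "Outbound git (ssh) from ELB to GH Servers"
}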