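#-----------------------------------------------------------------
# SG Summary - Server
#
# Inbound:
#   tcp/8888    - from 10.0.0.0/8 (Phantom websocket)
#   tcp/443     - from the internal ALB security group and from the
#                 "vpc-access" CIDRs (legacy was from 10.0.0.0/8)
#
# Outbound:
#   tcp/8089    - 10.0.0.0/8 (splunk)
#   tcp+udp/53  - 0.0.0.0/0  (dns for oscontext)
#   tcp/80,443  - 0.0.0.0/0  (salesforce and others)
#   tcp/22      - one legacy host, selected by var.environment;
#                 remove after migration
#   DISABLED tcp/464     - 10.80.0.0/16 (legacy vpc)
#   DISABLED tcp/636     - 0.0.0.0/0    (LDAPS outbound)
#   DISABLED tcp/389     - 10.80.0.0/16 (legacy vpc)
#   DISABLED tcp+udp/88  - 10.80.0.0/16 (idm)
#
# Maintenance notes:
#   * Do not rename a rule's resource label without a `moved` block or
#     `terraform state mv`: a label change is a destroy/create of the
#     rule, which briefly drops (or opens) that flow during apply.
#   * aws_security_group.phantom_alb_internal, var.cidr_map, var.vpc_id,
#     var.environment, var.standard_tags and var.tags are declared
#     elsewhere in this module.
#-----------------------------------------------------------------

# The server security group itself. All rules are separate
# aws_security_group_rule resources so that individual flows can be
# added or removed without touching the others.
resource "aws_security_group" "phantom_server" {
  name_prefix = "phantom_server"
  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "phantom_server" }
  )
  vpc_id      = var.vpc_id
  description = "Phantom Server"
}

#-----------------------------------------------------------------
# Inbound access
#-----------------------------------------------------------------

# Websocket port, reachable from the whole private range.
resource "aws_security_group_rule" "phantom_server_inbound_8888" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 8888
  to_port           = 8888
  protocol          = "tcp"
  description       = "Inbound 8888 - Phantom Websocket"
}

# HTTPS from the internal ALB only (security-group reference, not a CIDR).
resource "aws_security_group_rule" "phantom_server_inbound_alb_443" {
  security_group_id        = aws_security_group.phantom_server.id
  type                     = "ingress"
  source_security_group_id = aws_security_group.phantom_alb_internal.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Inbound 443 (from load balancers)"
}

# Direct HTTPS from the "vpc-access" CIDRs, bypassing the ALB, for
# troubleshooting. Keep var.cidr_map["vpc-access"] tight: this is the
# only ingress that is not either a /8 private range or an SG reference.
resource "aws_security_group_rule" "phantom_server_inbound_alb_443_from_vpn" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "ingress"
  cidr_blocks       = var.cidr_map["vpc-access"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Inbound 443 (from vpc-access, for troubleshooting)"
}

#-----------------------------------------------------------------
# Outbound access
#-----------------------------------------------------------------

# NOTE(review): the label says "postgres" but the rule is tcp/8089 to
# Splunk. Label kept as-is for state-address stability (see header).
resource "aws_security_group_rule" "phantom_server_outbound_postgres" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "egress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  description       = "Outbound to splunk everywhere"
}

# NOTE(review): the labels of the two DNS rules below are swapped
# relative to their protocol ("..._udp_dns" is tcp/53, "..._tcp_dns" is
# udp/53). The protocol values and descriptions are the correct ones;
# the labels are kept as-is because renaming changes the state address.
# 0.0.0.0/0 on port 53 is wider than needed if resolution goes only via
# the VPC resolver — confirm before narrowing (TODO confirm).
resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  description       = "Outbound tcp dns anywhere"
}

resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  description       = "Outbound udp dns anywhere"
}

# Unrestricted HTTP/HTTPS egress. Any narrowing (egress proxy, prefix
# list) needs the real set of upstream endpoints confirmed first.
resource "aws_security_group_rule" "phantom_server_outbound_http" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  description       = "Outbound http anywhere (required for salesforce and others)"
}

resource "aws_security_group_rule" "phantom_server_outbound_https" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Outbound https anywhere (required for salesforce and others)"
}

# Temporary: SSH to a single legacy host, chosen per environment.
# Remove this resource once the migration is complete; a stale /32
# is harmless but the rule should not outlive its purpose.
resource "aws_security_group_rule" "phantom_server_outbound_ssh_to_legacy" {
  security_group_id = aws_security_group.phantom_server.id
  type              = "egress"
  cidr_blocks       = var.environment == "prod" ? ["10.80.101.221/32"] : ["10.96.101.186/32"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Outbound ssh to legacy. Remove after migration."
}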