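#----------------------------------------------------------------
# SG for the external ELB
#----------------------------------------------------------------
# Security groups and rules for the two load balancers in front of the
# GitHub Enterprise Server instance(s): one internet-facing ("external"),
# one reachable only from private address space ("internal").  Both
# balancers are allowed to reach the server security group
# (aws_security_group.ghe_server, defined elsewhere in this module).
# The rule resources are separate from the group resources so that
# individual rules can be added or removed without replacing the group.

locals {
  # from https://config.zscaler.com/zscalergov.net/cenr
  zscalar_cidrs = [
    "165.225.3.0/24",
    "136.226.10.0/23",
    "136.226.12.0/23",
    "136.226.14.0/23",
    "165.225.46.0/24",
    "136.226.6.0/23",
    "136.226.4.0/23",
    "136.226.8.0/23",
    "136.226.22.0/24",
    "165.225.48.0/24",
    "136.226.18.0/23",
    "136.226.16.0/23",
    "136.226.20.0/23",
  ]

  # Sources permitted to reach ports 22, 80 and 443-444 on the external ELB.
  # Locking down sources on 2021-12-10 due to log4j vulnerability
  #allowed_sources = local.zscalar_cidrs
  #allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
  # salt masters only for the weekend
  # NOTE(review): this temporary lockdown is a hard-coded /32 with no expiry;
  # it should probably come from a variable (var.trusted_ips is already used
  # above) so the exposure is visible in the module inputs rather than here.
  allowed_sources = ["18.253.198.129/32"]
  # Kept for history; re-enabling this line exposes 22/80/443-444 to the
  # whole internet.
  #allowed_sources = [ "0.0.0.0/0" ]
}

resource "aws_security_group" "ghe_elb_external" {
  name_prefix = "ghe_elb_external"
  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "github-external-lb" }
  )
  vpc_id      = var.vpc_id
  description = "External ELB for GitHub Enterprise Server"
}

# Git over SSH from the allowed sources to the ELB (forwarded to the
# server on 23, see the outbound_ssh rule below).
resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
  security_group_id = aws_security_group.ghe_elb_external.id
  type              = "ingress"
  cidr_blocks       = local.allowed_sources
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound git"
}

resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
  security_group_id = aws_security_group.ghe_elb_external.id
  type              = "ingress"
  cidr_blocks       = local.allowed_sources
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  description       = "Inbound http to ELB"
}

# NOTE(review): this opens 443-444 but the matching egress rule
# (ghe_elb_external_outbound_https) only allows 443 to the servers.
# Confirm whether 444 is listened on; if not, narrow to_port to 443.
resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_elb_external.id
  type              = "ingress"
  cidr_blocks       = local.allowed_sources
  from_port         = 443
  to_port           = 444
  protocol          = "tcp"
  description       = "Inbound https to ELB"
}

# Let the ELB talk to the github server(s)
# For type = "egress" the AWS provider treats source_security_group_id as
# the *destination* group, so these rules only allow traffic to ghe_server.
resource "aws_security_group_rule" "ghe_elb_external_outbound_ssh" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Outbound ssh (PROXY) from ELB to GH servers"
}

resource "aws_security_group_rule" "ghe_elb_external_outbound_http" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Outbound HTTP from ELB to GH servers for LetsEncrypt on GHE"
}

resource "aws_security_group_rule" "ghe_elb_external_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH servers"
}

#----------------------------------------------------------------
# SG for the internal ELB
#----------------------------------------------------------------
# Ingress is limited to RFC 1918 10/8; there is no public CIDR or
# allowed_sources reference on this group.

resource "aws_security_group" "ghe_elb_internal" {
  name_prefix = "ghe_elb_internal"
  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "github-internal-lb" }
  )
  vpc_id      = var.vpc_id
  description = "Internal ELB for GitHub Enterprise Server"
}

resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Inbound https"
}

# 8443 is only reachable via the internal balancer (no external rule for it).
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 8443
  to_port           = 8443
  protocol          = "tcp"
  description       = "Inbound https"
}

resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound git"
}

# Let the ELB talk to the github server(s)
# As above, source_security_group_id is the destination for egress rules.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# Let the ELB talk to the github server(s)
# NOTE(review): egress allows 8443-8444 while ingress above only admits 8443;
# confirm 8444 is needed on the server side, otherwise narrow to_port.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# Port 23 carries git-over-SSH with PROXY protocol (same as the external
# outbound_ssh rule); the description previously said "https", which was
# misleading in the console.  The resource name is kept so the state
# address does not change.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Outbound ssh (PROXY) from ELB to GH servers"
}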