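# Connectivity model taken from the VMRay admin installation guide (page 24):
#   * Clients -> server  on 443 (here: clients reach the server only via the internal ALB)
#   * Server  -> workers on 5900-5999 (VNC)
#   * Workers -> server  on 80 and 443
#
# Rules are declared as stand-alone aws_security_group_rule resources rather than
# inline ingress/egress blocks, because the server and worker groups reference
# each other and inline rules would create a dependency cycle.

#----------------------------------------------------------------------------
# VMRay Server Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "vmray_server_sg" {
  # checkov:skip=CKV2_AWS_5: this SG is attached to the VMRay server
  name        = "vmray_server_sg"
  description = "Security Rules Specific to VMRay"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------

# Port 80 is only reachable from the worker group; the description previously
# referred to "other VMRAY Servers", but the source is the worker SG.
resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
  type                     = "ingress"
  description              = "HTTP - Inbound port 80 from VMRay workers (HTTP to HTTPS redirect)"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
  type                     = "ingress"
  description              = "HTTPS - Inbound port 443 from VMRay workers (worker to server communication)"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Client/VPN traffic does not hit the server directly: it terminates on the
# internal ALB, and only that ALB's security group may open 443 here.
# The earlier CIDR-based variant is kept for reference and must stay disabled,
# otherwise the ALB could be bypassed:
#   cidr_blocks = local.cidr_map["vpc-access"]
resource "aws_security_group_rule" "vmray_server_https_in" {
  type                     = "ingress"
  description              = "HTTPS - Inbound - from the internal ALB only"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_alb_internal.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
## VMRay does DNS lookups against the resolver in the local VPC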
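resource "aws_security_group_rule" "vmray_server_tcpdns_out" {
  type        = "egress"
  description = "DNS TCP - Outbound - lookups to the local DNS server"
  from_port   = 53
  to_port     = 53
  protocol    = "tcp"
  # Limited to the VPC CIDR so the server can only talk to the in-VPC
  # resolver, not to arbitrary external DNS servers.
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_udpdns_out" {
  type              = "egress"
  description       = "DNS UDP - Outbound - lookups to the local DNS server"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# Unrestricted 80/443 egress is a documented vendor requirement (see the tfsec
# justification). If an egress proxy or allow-listed endpoints become
# available, narrow these two rules first.
resource "aws_security_group_rule" "vmray_server_http_out" {
  type              = "egress"
  description       = "HTTP - Outbound - VMRay requirement"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_out" {
  type              = "egress"
  description       = "HTTPS - Outbound - VMRay requirement"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
  security_group_id = aws_security_group.vmray_server_sg.id
}

# For type = "egress" the AWS provider treats source_security_group_id as the
# DESTINATION group, so this rule allows server -> worker VNC only.
resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
  type                     = "egress"
  description              = "VMRay uses VNC for client machine access."
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

#----------------------------------------------------------------------------
# VMRay Worker Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "vmray_worker_sg" {
  # checkov:skip=CKV2_AWS_5: this SG is attached to the VMRay worker nodes
  name        = "vmray_worker_sg"
  description = "Security Rules for the VMRay Worker Nodes"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------

# NOTE: "vmwary" in the two resource addresses below is a typo. Renaming them
# would destroy and recreate the rules (and briefly drop VNC access) unless a
# `moved` block is added, so the addresses are intentionally left unchanged.
resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
  description              = "VMRay uses VNC for client machine access."
  type                     = "ingress"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

# NOTE(review): this opens the whole 5900-5999 VNC range to every host in the
# "vpc-access" CIDR, not just the server. VNC is unencrypted and its password
# auth is weak, so this should be scoped to the admin/jump-host range (or
# removed if the server-side rule above is sufficient) -- confirm who actually
# needs interactive VNC access to the analysis VMs.
resource "aws_security_group_rule" "vmwary_worker_vnc_from_access" {
  description       = "VMRay uses VNC for client machine access."
  type              = "ingress"
  from_port         = 5900
  to_port           = 5999
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "vmray_worker_tcpdns_out" {
  type              = "egress"
  description       = "VMRay DNS TCP - Outbound to instance in local vpc."
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_udpdns_out" {
  type              = "egress"
  description       = "VMRay DNS UDP - Outbound to instance in local vpc."
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# NOTE(review): if samples are detonated on the worker nodes, these two rules
# also let detonated malware reach the internet on 80/443 from the worker's
# address. Consider routing worker egress through a dedicated/isolated NAT or
# the vendor's recommended egress path -- confirm against the VMRay
# deployment model in use.
# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_worker_http_out" {
  type              = "egress"
  description       = "HTTP - Outbound - VMRay requires direct HTTP access."
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_worker_https_out" {
  type              = "egress"
  description       = "HTTPS - Outbound - VMRay requires direct HTTPS access."
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# For type = "egress" the AWS provider treats source_security_group_id as the
# DESTINATION group: these rules allow worker -> server on 80/443 and mirror
# the server's vmray_server_http(s)_in_from_workers ingress rules.
resource "aws_security_group_rule" "vmray_worker_http_to_server" {
  type                     = "egress"
  description              = "HTTP - VMRay worker communicates with the server."
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_to_server" {
  type                     = "egress"
  description              = "HTTPS - VMRay worker communicates with the server."
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}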