123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108 |
- # Rather than pass in the aws security group, we just look it up. This will
- # probably be useful other places, as well.
- data "aws_security_group" "typical-host" {
- name = "typical-host"
- vpc_id = var.vpc_id
- }
- #----------------------------------------------------------------------------
- # Security Group for Teleport
- #----------------------------------------------------------------------------
- resource "aws_security_group" "instance" {
- # checkov:skip=CKV2_AWS_5: this SG is attached to Teleport
- # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
- # otherwise, you get stuck in `destroying` during routine changes.
- name_prefix = "instance-${var.instance_name}"
- description = "Instances of type ${var.instance_name}"
- vpc_id = var.vpc_id
- tags = merge(local.standard_tags, var.tags)
- lifecycle {
- create_before_destroy = true
- }
- }
- #----------------------------------------------------------------------------
- # INGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "instance-http-in-external" {
- type = "ingress"
- description = "Web Interface from External ALB"
- from_port = "3080"
- to_port = "3080"
- protocol = "tcp"
- source_security_group_id = aws_security_group.alb_server_external.id
- security_group_id = aws_security_group.instance.id
- }
- resource "aws_security_group_rule" "instance-http-in-internal" {
- type = "ingress"
- description = "Web Interface from Internal ALB"
- from_port = "3080"
- to_port = "3080"
- protocol = "tcp"
- source_security_group_id = aws_security_group.alb_server_internal.id
- security_group_id = aws_security_group.instance.id
- }
- resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
- type = "ingress"
- description = "Teleport Proprietary Ports via NLB"
- from_port = "3023"
- to_port = "3026"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
- security_group_id = aws_security_group.instance.id
- }
- #resource "aws_security_group_rule" "instance-teleport-in-3026" {
- # description = "Teleport Proprietary Ports via NLB"
- # type = "ingress"
- # from_port = "3026"
- # to_port = "3026"
- # protocol = "tcp"
- # cidr_blocks = [ "0.0.0.0/0" ]
- # security_group_id = aws_security_group.instance.id
- #}
- #resource "aws_security_group_rule" "instance-teleport-proxy-in" {
- # description = "Teleport - Proxy web server"
- # type = "ingress"
- # from_port = "3080"
- # to_port = "3080"
- # protocol = "tcp"
- # cidr_blocks = [ "0.0.0.0/0" ]
- # security_group_id = aws_security_group.instance.id
- #}
- #----------------------------------------------------------------------------
- # EGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "instance-teleport-out-ssh" {
- type = "egress"
- description = "Outbound SSH"
- from_port = "22"
- to_port = "22"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
- security_group_id = aws_security_group.instance.id
- }
- resource "aws_security_group_rule" "instance-teleport-out-teleport" {
- type = "egress"
- description = "Outbound Teleport"
- from_port = "3022"
- to_port = "3026"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
- security_group_id = aws_security_group.instance.id
- }
- resource "aws_security_group_rule" "instance-teleport-out-https" {
- type = "egress"
- description = "HTTPS - Outbound, required for DynamoDB Streams (no vpc endpoint available)"
- from_port = "443"
- to_port = "443"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
- security_group_id = aws_security_group.instance.id
- }