AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186
							# From vmray admin installation guide, page 24
# Clients to server on 443
# Server to workers on 5900-5999 (VNC)
# Workers to server on 80 and 443

# Server
resource "aws_security_group" "vmray_server_sg" {
  name        = "vmray_server_sg"
  description = "Security Rules Specific to VMRay"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
  description              = "Allow inbound port 80 for redirect from other vmray servers"
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
  description              = "Allow inbound https for interserver communication from other vmray servers"
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_in" {
  description = "Allow https ingress from the VPN"
  type        = "ingress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  #cidr_blocks       = local.cidr_map["vpc-access"]
  source_security_group_id = aws_security_group.vmray_alb_internal.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

## VMRay Does DNS Lookups to the Local Network
resource "aws_security_group_rule" "vmray_server_tcpdns_out" {
  description       = "Allow DNS lookups to the local DNS server"
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_udpdns_out" {
  description       = "Allow DNS lookups to the local DNS server"
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_server_http_out" {
  description       = "VMRay requires direct HTTP outbound"
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_server_https_out" {
  description       = "VMRay requires direct HTTPS outbound"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
  description              = "VMRay uses VNC for client machine access."
  type                     = "egress"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Workers
resource "aws_security_group" "vmray_worker_sg" {
  name        = "vmray_worker_sg"
  description = "Security Rules for the VMRay Worker Nodes"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
  description              = "VMRay uses VNC for client machine access."
  type                     = "ingress"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmwary_worker_vnc_from_access" {
  description       = "VMRay uses VNC for client machine access."
  type              = "ingress"
  from_port         = 5900
  to_port           = 5999
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_tcpdns_out" {
  description       = "VMRay does DNS lookups to an instance in  the local vpc."
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_udpdns_out" {
  description       = "VMRay does DNS lookups to an instance in  the local vpc."
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [var.vpc_info["cidr"]]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_worker_http_out" {
  description       = "VMRay requires direct HTTP access."
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_worker_https_out" {
  description       = "VMRay requires direct HTTPS access."
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_http_to_server" {
  description              = "VMRay worker communicates with the server."
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_to_server" {
  description              = "VMRay worker communicates with the server."
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}