xdr-terraform-modules/base/splunk_servers/indexer_cluster/security-group-indexers.tf

## Indexer Security Group
#
# Summary:
#   Ingress:
# x   tcp/8000      - Splunk Web                 - (local.access_cidrs) vpc-access, legacy openvpn, legacy bastion
# x   tcp/8088      - Splunk HEC                 - (local.data_sources) Entire VPC + var.additional_source + var.splunk_legacy_cidr
# x   tcp/8088      - MOOSE ONLY                 - 10.0.0.0/8
# x   tcp/8089      - Splunk API                 - (local.access_cidrs) vpc-access, legacy openvpn, legacy bastion
# x   tcp/8089      - Splunk API + IDX Discovery - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
# x   tcp/8089      - MOOSE ONLY                 - 10.0.0.0/8
# x   tcp/9887      - IDX Replication            - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
# x   tcp/9997-9998 - Splunk Data                - (local.data_sources) Entire VPC + var.additional_source + var.splunk_legacy_cidr
# x   tcp/9997-9998 - MOOSE ONLY                 - 10.0.0.0/8
#   Egress:
#     tcp/9887      - IDX Replication            - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
#     tcp/8089      - Splunk API + IDX Discovery - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
locals {
  splunk_vpc_cidrs = toset(concat(var.splunk_legacy_cidr, [ var.vpc_cidr ]))
  access_cidrs     = var.cidr_map["vpc-access"]
  data_sources     = toset(concat(tolist(local.splunk_vpc_cidrs), var.splunk_data_sources))
}

resource "aws_security_group" "indexer_security_group" {
  name = "indexer_security_group"
  description = "Security Group for Splunk Indexers"
  vpc_id = var.vpc_id
  tags = merge(var.standard_tags, var.tags, { "Name" = "indexer_security_group" })
}

## Ingress

resource "aws_security_group_rule" "splunk-web-in" {
  description       = "Web access from bastions and vpn"
  type              = "ingress"
  from_port         = 8000
  to_port           = 8000
  protocol          = "tcp"
  cidr_blocks       = local.access_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-hec-in" {
  description       = "Splunk HEC access"
  type              = "ingress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.data_sources
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-hec-in-moose" {
  count             = local.is_moose ? 1 : 0
  description       = "Splunk HEC access"
  type              = "ingress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-in-access" {
  description       = "Splunk API + Indexer Discovery"
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  # Note: This should not be data_sources, as we do not need to give remote sources access to indexer discovery
  cidr_blocks       = local.access_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-in-vpc" {
  description       = "Splunk API + Indexer Discovery"
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  # Note: This should not be data_sources, as we do not need to give remote sources access to indexer discovery
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-in-moose" {
  count             = local.is_moose ? 1 : 0
  description       = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
  type              = "ingress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  # Internal source _do_ use indexer discovery, so moose needs 10/8 open to the entirety.
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-idx-replication" {
  description       = "Splunk Indexer Replication"
  type              = "ingress"
  from_port         = 9887
  to_port           = 9887
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-data-in" {
  description       = "Splunk Data In"
  type              = "ingress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = local.data_sources
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-data-in-moose" {
  count             = local.is_moose ? 1 : 0
  description       = "Splunk Data In for Moose"
  type              = "ingress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = [ "10.0.0.0/8" ]
  security_group_id = aws_security_group.indexer_security_group.id
}

## Egress
resource "aws_security_group_rule" "splunk-idx-replication-out" {
  description       = "Splunk Indexer Replication"
  type              = "egress"
  from_port         = 9887
  to_port           = 9887
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-out" {
  description       = "Splunk API Outbound to talk to indexers"
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}