AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687
							module "elb" {
  source = "../../submodules/load_balancer/static_nlb_to_alb"

  name                  = "reposerver"
  target_ids            = [aws_instance.instance.id]
  listener_port         = 443
  target_port           = 80
  target_protocol       = "HTTP"
  target_security_group = aws_security_group.repo_server_security_group.id
  allow_from_any        = false
  redirect_80           = true

  # We need extra security groups to overcome the rules per security group limit
  extra_security_groups = 2

  # WAF variables
  waf_enabled = false # Disabled during testing
  #excluded_rules_AWSManagedRulesCommonRuleSet = [ "SizeRestrictions_BODY" ]
  #excluded_rules_AWSManagedRulesAmazonIpReputationList = []
  #excluded_rules_AWSManagedRulesKnownBadInputsRuleSet = []
  #excluded_rules_AWSManagedRulesSQLiRuleSet = []
  #excluded_rules_AWSManagedRulesLinuxRuleSet = []
  #excluded_rules_AWSManagedRulesUnixRuleSet = []
  #additional_blocked_ips = []
  #allowed_ips = []
  #admin_ips = []

  # Optional Variables
  healthcheck_port     = 80
  healthcheck_protocol = "HTTP"
  healthcheck_path     = "/epel/7/repodata/repomd.xml"
  healthcheck_matcher  = "200"
  stickiness           = false

  # Inherited Variables
  tags           = merge(local.standard_tags, var.tags)
  dns_info       = var.dns_info
  public_subnets = var.public_subnets
  environment    = var.environment
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  aws_account_id = var.aws_account_id
  vpc_id         = var.vpc_id

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
    aws.c2                             = aws.c2
  }
}

# module.elb.extra_security_groups
resource "aws_security_group_rule" "alb-http-in-external-c2-users" {
  # This deserves some explanation.  Terraform "for_each" expects to be
  # getting as input a map of values to iterate over as part of the foreach.
  # The keys of the map are used to name each of these objects created.  Looking
  # in the terraform plan output of a for_each you'll see things like:
  #
  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
  #
  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
  # makes a new thing that is a map of maps, where the key value is the description with
  # blanks removed.
  #
  # We could have made the variable more natively-friendly to for_each but this seemed
  # like a better solution for what we were trying to accomplish.
  for_each = { for s in local.c2_services_external_ips : replace(s.description, "/\\s*/", "") => s }

  description       = "For redirect from 80 to 443 - ${each.value.description}"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
  security_group_id = module.elb.extra_security_group_ids[0]
}

resource "aws_security_group_rule" "https-in-external-c2-users" {
  for_each = { for s in local.c2_services_external_ips : replace(s.description, "/\\s*/", "") => s }

  description       = "inbound repository requests - ${each.value.description}"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
  security_group_id = module.elb.extra_security_group_ids[1]
}