| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171 |
- #----------------------------------------------------------------
- # SG for the external ELB
- #----------------------------------------------------------------
- locals {
- # from https://config.zscaler.com/zscalergov.net/cenr
- zscalar_cidrs = [
- "165.225.3.0/24",
- "136.226.10.0/23",
- "136.226.12.0/23",
- "136.226.14.0/23",
- "165.225.46.0/24",
- "136.226.6.0/23",
- "136.226.4.0/23",
- "136.226.8.0/23",
- "136.226.22.0/24",
- "165.225.48.0/24",
- "136.226.18.0/23",
- "136.226.16.0/23",
- "136.226.20.0/23",
- ]
- salt_masters = [
- "18.253.198.129/32", # Salt Master Prod - proxy
- "18.253.73.251/32", # salt master prod
- "18.252.61.81/32", # Salt master dev - proxy
- "18.253.226.199/32", # salt aster dev
- ]
- # Locking down sources on 2021-12-10 due to log4j vulnerability
- #allowed_sources = local.zscalar_cidrs
- #allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
- #allowed_sources = concat(local.zscalar_cidrs, var.trusted_ips, local.salt_masters)
- # Restored access on 2021-12-14
- allowed_sources = [ "0.0.0.0/0" ]
- }
- resource "aws_security_group" "ghe_elb_external" {
- name_prefix = "ghe_elb_external"
- tags = merge( var.standard_tags, var.tags, { Name = "github-external-lb" } )
- vpc_id = var.vpc_id
- description = "External ELB for GitHub Enterprise Server"
- }
- resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
- security_group_id = aws_security_group.ghe_elb_external.id
- type = "ingress"
- cidr_blocks = local.allowed_sources
- from_port = 22
- to_port = 22
- protocol = "tcp"
- description = "Inbound git"
- }
- resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
- security_group_id = aws_security_group.ghe_elb_external.id
- type = "ingress"
- cidr_blocks = local.allowed_sources
- from_port = 80
- to_port = 80
- protocol = "tcp"
- description = "Inbound http to ELB"
- }
- resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
- security_group_id = aws_security_group.ghe_elb_external.id
- type = "ingress"
- cidr_blocks = local.allowed_sources
- from_port = 443
- to_port = 444
- protocol = "tcp"
- description = "Inbound https to ELB"
- }
- # Let the ELB talk to the github server(s)
- resource "aws_security_group_rule" "ghe_elb_external_outbound_ssh" {
- security_group_id = aws_security_group.ghe_elb_external.id
- type = "egress"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 23
- to_port = 23
- protocol = "tcp"
- description = "Outbound ssh (PROXY) from ELB to GH servers"
- }
- resource "aws_security_group_rule" "ghe_elb_external_outbound_http" {
- security_group_id = aws_security_group.ghe_elb_external.id
- type = "egress"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 80
- to_port = 80
- protocol = "tcp"
- description = "Outbound HTTP from ELB to GH servers for LetsEncrypt on GHE"
- }
- resource "aws_security_group_rule" "ghe_elb_external_outbound_https" {
- security_group_id = aws_security_group.ghe_elb_external.id
- type = "egress"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 443
- to_port = 443
- protocol = "tcp"
- description = "Outbound https from ELB to GH servers"
- }
- #----------------------------------------------------------------
- # SG for the internal ELB
- #----------------------------------------------------------------
- resource "aws_security_group" "ghe_elb_internal" {
- name_prefix = "ghe_elb_internal"
- tags = merge( var.standard_tags, var.tags, { Name = "github-internal-lb" } )
- vpc_id = var.vpc_id
- description = "Internal ELB for GitHub Enterprise Server"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "ingress"
- cidr_blocks = [ "10.0.0.0/8" ]
- from_port = 443
- to_port = 443
- protocol = "tcp"
- description = "Inbound https"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "ingress"
- cidr_blocks = [ "10.0.0.0/8" ]
- from_port = 8443
- to_port = 8443
- protocol = "tcp"
- description = "Inbound https"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "ingress"
- cidr_blocks = [ "10.0.0.0/8" ]
- from_port = 22
- to_port = 22
- protocol = "tcp"
- description = "Inbound git"
- }
- # Let the ELB talk to the github server(s)
- resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "egress"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 443
- to_port = 443
- protocol = "tcp"
- description = "Outbound https from ELB to GH Servers"
- }
- # Let the ELB talk to the github server(s)
- resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "egress"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 8443
- to_port = 8444
- protocol = "tcp"
- description = "Outbound https from ELB to GH Servers"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "egress"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 23
- to_port = 23
- protocol = "tcp"
- description = "Outbound https from ELB to GH Servers"
- }
|
