AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185
							# SG Summary - Server
#
#   22 - From anywhere
#   122 - From vpc-access, ghe-backup
#   443-444 - From Load Balancers, vpc-access
#   8443 - From vpc-access, GHE-Backup
#   8444 - From Load Balancers
#   
resource "aws_security_group" "ghe_server" {
	# checkov:skip=CKV2_AWS_5: this SG is attached to GitHub
  name_prefix = "ghe_server"
  tags        = merge(local.standard_tags, var.tags, { Name = "github-enterprise-server" })
  vpc_id      = var.vpc_id
  description = "GitHub Enterprise Servers and Backup Servers"
}

#-----------------------------------------------------------------
# INGRESS
#-----------------------------------------------------------------
resource "aws_security_group_rule" "ghe_server_inbound_22" {
	# checkov:skip=CKV_AWS_24: Intentionally Open
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "Inbound tcp/22 (ssh) from external IPs (through NLB)"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
}

resource "aws_security_group_rule" "ghe_server_inbound_external_elb_80" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = module.elb.security_group_id
  type                     = "ingress"
  description              = "HTTP - Inbound from external ELBs for LetsEncrypt"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "Inbound SSH (for mgmt)"
  cidr_blocks       = local.cidr_map["vpc-access"]
  from_port         = 122
  to_port           = 122
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  description              = "Inbound SSH (for mgmt)"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  description              = "Inbound SSH (for mgmt)"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "HTTPS - Inbound"
  cidr_blocks       = local.cidr_map["vpc-access"]
  from_port         = 443
  to_port           = 444
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = module.elb.security_group_id
  type                     = "ingress"
  description              = "HTTPS - Inbound from external ELBs"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  description              = "HTTPS - Inbound from internal ELBs"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_cidr" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "ingress"
  description       = "HTTPS - Inbound (for mgmt)"
  cidr_blocks       = local.cidr_map["vpc-access"]
  from_port         = 8443
  to_port           = 8444
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  description              = "HTTPS - Inbound (for mgmt)"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  description              = "HTTPS - Inbound (for mgmt)"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  description              = "HTTPS - Inbound/8444 from internal ELBs"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = module.elb.security_group_id
  type                     = "ingress"
  description              = "HTTPS - Inbound/8444 from external ELBs"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}

#-----------------------------------------------------------------
# Outbound access
#-----------------------------------------------------------------
resource "aws_security_group_rule" "ghe_server_outbound_http" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  description       = "Outbound http for LetsEncrypt"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr Purposefully accessible
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_outbound_https" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  description       = "Outbound https for LetsEncrypt"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr Purposefully accessible
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
  security_group_id = aws_security_group.ghe_server.id
  type              = "egress"
  description       = "Outbound syslog - TCP"
  cidr_blocks       = local.cidr_map["vpc-splunk"]
  from_port         = 1514
  to_port           = 1514
  protocol          = "tcp"
}