| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 |
- #----------------------------------------------------------------
- # SG for the external ELB
- #----------------------------------------------------------------
- locals {
- # from https://config.zscaler.com/zscalergov.net/cenr
- zscalar_cidrs = [
- "165.225.3.0/24",
- "136.226.10.0/23",
- "136.226.12.0/23",
- "136.226.14.0/23",
- "165.225.46.0/24",
- "136.226.6.0/23",
- "136.226.4.0/23",
- "136.226.8.0/23",
- "136.226.22.0/24",
- "165.225.48.0/24",
- "136.226.18.0/23",
- "136.226.16.0/23",
- "136.226.20.0/23",
- ]
- salt_masters = [
- "18.253.198.129/32", # Salt Master Prod - proxy
- "18.253.73.251/32", # salt master prod
- "18.252.61.81/32", # Salt master dev - proxy
- "18.253.226.199/32", # salt aster dev
- ]
- # Locking down sources on 2021-12-10 due to log4j vulnerability
- #allowed_sources = local.zscalar_cidrs
- #allowed_sources = concat(local.trusted_ips, local.zscalar_cidrs)
- #allowed_sources = concat(local.zscalar_cidrs, local.trusted_ips, local.salt_masters)
- # Restored access on 2021-12-14
- allowed_sources = ["0.0.0.0/0"]
- }
- #----------------------------------------------------------------
- # SG for the Internal ELB
- #----------------------------------------------------------------
- resource "aws_security_group" "ghe_elb_internal" {
- # checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
- name_prefix = "ghe_elb_internal"
- tags = merge(local.standard_tags, var.tags, { Name = "github-internal-lb" })
- vpc_id = var.vpc_id
- description = "Internal ELB for GitHub Enterprise Server"
- }
- #-----------------------------------------------------------------
- # INGRESS
- #-----------------------------------------------------------------
- resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "ingress"
- description = "HTTPS - Inbound"
- cidr_blocks = ["10.0.0.0/8"]
- from_port = 443
- to_port = 443
- protocol = "tcp"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "ingress"
- description = "HTTPS 8443 - Inbound"
- cidr_blocks = ["10.0.0.0/8"]
- from_port = 8443
- to_port = 8443
- protocol = "tcp"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "ingress"
- description = "Inbound git"
- cidr_blocks = ["10.0.0.0/8"]
- from_port = 22
- to_port = 22
- protocol = "tcp"
- }
- #-----------------------------------------------------------------
- # INGRESS
- #-----------------------------------------------------------------
- # Let the ELB talk to the github server(s)
- resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "egress"
- description = "HTTPS - Outbound from ELB to GH Servers"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 443
- to_port = 443
- protocol = "tcp"
- }
- # Let the ELB talk to the github server(s)
- resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "egress"
- description = "HTTPS 8443 - Outbound from ELB to GH Servers"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 8443
- to_port = 8444
- protocol = "tcp"
- }
- resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
- security_group_id = aws_security_group.ghe_elb_internal.id
- type = "egress"
- description = "HTTPS 23 - Outbound from ELB to GH Servers"
- source_security_group_id = aws_security_group.ghe_server.id
- from_port = 23
- to_port = 23
- protocol = "tcp"
- }
|
