- ## Indexer Security Group
- #
- # Summary:
- # Ingress:
- # x tcp/8000 - Splunk Web - (local.access_cidrs) vpc-access, legacy openvpn, legacy bastion
- # x tcp/8088 - Splunk HEC - (local.data_sources) Entire VPC + var.additional_source + local.splunk_legacy_cidr
- # x tcp/8088 - MOOSE ONLY - 10.0.0.0/8
- # x tcp/8089 - Splunk API - (local.access_cidrs) vpc-access, legacy openvpn, legacy bastion, legacy infra (vpc-private-services) VPC for monitoring console
- # x tcp/8089 - Splunk API + IDX Discovery - (local.splunk_vpc_cidrs) Entire VPC + local.splunk_legacy_cidr
- # x tcp/8089 - MOOSE ONLY - 10.0.0.0/8
- # x tcp/9887 - IDX Replication - (local.splunk_vpc_cidrs) Entire VPC + local.splunk_legacy_cidr
- # x tcp/9997-9998 - Splunk Data - (local.data_sources) Entire VPC + var.additional_source + local.splunk_legacy_cidr
- # x tcp/9997-9998 - MOOSE ONLY - 10.0.0.0/8
- # Egress:
- # tcp/9887 - IDX Replication - (local.splunk_vpc_cidrs) Entire VPC + local.splunk_legacy_cidr
- # tcp/8089 - Splunk API + IDX Discovery - (local.splunk_vpc_cidrs) Entire VPC + local.splunk_legacy_cidr
- locals {
- splunk_vpc_cidrs = toset(concat(local.splunk_legacy_cidr, [var.vpc_cidr], local.cidr_map["vpc-private-services"]))
- access_cidrs = local.cidr_map["vpc-access"]
- data_sources = toset(concat(tolist(local.splunk_vpc_cidrs), local.splunk_data_sources))
- }
- resource "aws_security_group" "indexer_security_group" {
- # checkov:skip=CKV2_AWS_5: this SG is attached to Indexers
- name = "indexer_security_group"
- description = "Security Group for Splunk Indexers"
- vpc_id = var.vpc_id
- tags = merge(local.standard_tags, var.tags, { "Name" = "indexer_security_group" })
- }
- #----------------------------------------------------------------------------
- # INGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "splunk-web-in" {
- type = "ingress"
- description = "Web access from Bastions and VPN"
- from_port = 8000
- to_port = 8000
- protocol = "tcp"
- cidr_blocks = local.access_cidrs
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-hec-in" {
- type = "ingress"
- description = "Splunk HEC access"
- from_port = 8088
- to_port = 8088
- protocol = "tcp"
- cidr_blocks = local.data_sources # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally open to Internet for HEC from AWS
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-hec-in-moose" {
- count = local.is_moose ? 1 : 0
- type = "ingress"
- description = "Splunk HEC - Inbound to Moose access"
- from_port = 8088
- to_port = 8088
- protocol = "tcp"
- cidr_blocks = ["10.0.0.0/8"]
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-api-in-access" {
- type = "ingress"
- description = "Splunk API + Indexer Discovery"
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- # need to concat here, since legacy subnet is already in the rule
- cidr_blocks = toset(concat(tolist(local.access_cidrs), tolist(local.splunk_vpc_cidrs), local.cidr_map["vpc-splunk"]))
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-api-in-moose" {
- count = local.is_moose ? 1 : 0
- type = "ingress"
- description = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- # Internal source _do_ use indexer discovery, so moose needs 10/8 open to the entirety.
- cidr_blocks = ["10.0.0.0/8"]
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-idx-replication" {
- type = "ingress"
- description = "Splunk Indexer Replication"
- from_port = 9887
- to_port = 9887
- protocol = "tcp"
- cidr_blocks = local.splunk_vpc_cidrs
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-data-in" {
- type = "ingress"
- description = "Splunk Data - Inbound"
- from_port = 9997
- to_port = 9998
- protocol = "tcp"
- cidr_blocks = local.data_sources # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally open to Internet due to NLB
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-data-in-moose" {
- count = local.is_moose ? 1 : 0
- type = "ingress"
- description = "Splunk Data - Inbound for Moose"
- from_port = 9997
- to_port = 9998
- protocol = "tcp"
- cidr_blocks = ["10.0.0.0/8"]
- security_group_id = aws_security_group.indexer_security_group.id
- }
- #----------------------------------------------------------------------------
- # EGRESS
- #----------------------------------------------------------------------------
- resource "aws_security_group_rule" "splunk-idx-replication-out" {
- type = "egress"
- description = "Splunk Indexer Replication - Outbound"
- from_port = 9887
- to_port = 9887
- protocol = "tcp"
- cidr_blocks = local.splunk_vpc_cidrs
- security_group_id = aws_security_group.indexer_security_group.id
- }
- resource "aws_security_group_rule" "splunk-api-out" {
- type = "egress"
- description = "Splunk API - Outbound to talk to indexers"
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- cidr_blocks = local.splunk_vpc_cidrs
- security_group_id = aws_security_group.indexer_security_group.id
- }