xdr-terraform-modules/base/github/securitygroup-server.tf

# SG Summary - Server
#
#   22 - From vpc-access
#   23 - From Load Balancers
#   122 - From vpc-access, ghe-backup
#   443-444 - From Load Balancers, vpc-access
#   8443 - From vpc-access, GHE-Backup
#   8444 - From Load Balancers
#   
resource "aws_security_group" "ghe_server" {
  name_prefix = "ghe_server"
  tags = merge( var.standard_tags, var.tags, { Name = "github-enterprise-server" } )
  vpc_id      = var.vpc_id
  description = "GitHub Enterprise Servers and Backup Servers"
}

#-----------------------------------------------------------------
# Inbound access
#-----------------------------------------------------------------
resource "aws_security_group_rule" "ghe_server_inbound_ssh_cidr" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "ingress"
  cidr_blocks              = var.cidr_map["vpc-access"]
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  description              = "Inbound ssh (for git)"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_23" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Inbound tcp/23 (ssh-proxy) from external ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_23" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Inbound tcp/23 (ssh-proxy) from internal ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_external_elb_80" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Inbound HTTP from external ELBs for LetsEncrypt"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_cidr" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "ingress"
  cidr_blocks              = var.cidr_map["vpc-access"]
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
  description              = "Inbound ssh (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
  description              = "Inbound ssh (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
  description              = "Inbound ssh (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_cidr" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "ingress"
  cidr_blocks              = var.cidr_map["vpc-access"]
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
  description              = "Inbound https"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
  description              = "Inbound https from external ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
  description              = "Inbound https from internal ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_cidr" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "ingress"
  cidr_blocks              = var.cidr_map["vpc-access"]
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_server.id
  type                     = "ingress"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_backup_sgs" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https (for mgmt)"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https/8444 from internal ELBs"
}

resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444" {
  security_group_id        = aws_security_group.ghe_server.id
  source_security_group_id = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Inbound https/8444 from external ELBs"
}

#-----------------------------------------------------------------
# Outbound access
#-----------------------------------------------------------------
resource "aws_security_group_rule" "ghe_server_outbound_http" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "egress"
  cidr_blocks              = [ "0.0.0.0/0" ]
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Outbound http for letsencrypt"
}

resource "aws_security_group_rule" "ghe_server_outbound_https" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "egress"
  cidr_blocks              = [ "0.0.0.0/0" ]
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https for letsencrypt"
}

resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
  security_group_id        = aws_security_group.ghe_server.id
  type                     = "egress"
  cidr_blocks              = var.cidr_map["vpc-splunk"]
  from_port                = 1514
  to_port                  = 1514
  protocol                 = "tcp"
  description              = "Outbound syslog"
}