AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
							#----------------------------------------------------------------
# SG for the external ELB
#----------------------------------------------------------------
resource "aws_security_group" "ghe_elb_external" {
  name_prefix = "ghe_elb_external"
  tags = merge( var.standard_tags, var.tags, { Name = "github-external-lb" } )
  vpc_id      = var.vpc_id
  description = "External ELB for GitHub Enterprise Server"
}

resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  cidr_blocks              = [ "0.0.0.0/0" ]
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  description              = "Inbound git"
}

resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  cidr_blocks              = [ "0.0.0.0/0" ]
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Inbound http to ELB"
}

resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "ingress"
  cidr_blocks              = [ "0.0.0.0/0" ]
  from_port                = 443
  to_port                  = 444
  protocol                 = "tcp"
  description              = "Inbound https to ELB"
}

# Let the ELB talk to the github server(s)
resource "aws_security_group_rule" "ghe_elb_external_outbound_ssh" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Outbound ssh (PROXY) from ELB to GH servers"
}

resource "aws_security_group_rule" "ghe_elb_external_outbound_http" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Outbound HTTP from ELB to GH servers for LetsEncrypt on GHE"
}

resource "aws_security_group_rule" "ghe_elb_external_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH servers"
}

#----------------------------------------------------------------
# SG for the internal ELB
#----------------------------------------------------------------
resource "aws_security_group" "ghe_elb_internal" {
  name_prefix = "ghe_elb_internal"
  tags = merge( var.standard_tags, var.tags, { Name = "github-internal-lb" } )
  vpc_id      = var.vpc_id
  description = "Internal ELB for GitHub Enterprise Server"
}

resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  cidr_blocks              = [ "10.0.0.0/8" ]
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Inbound https"
}

resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  cidr_blocks              = [ "10.0.0.0/8" ]
  from_port                = 8443
  to_port                  = 8443
  protocol                 = "tcp"
  description              = "Inbound https"
}
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "ingress"
  cidr_blocks              = [ "10.0.0.0/8" ]
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  description              = "Inbound git"
}

# Let the ELB talk to the github server(s)
resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# Let the ELB talk to the github server(s)
resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}
resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23 
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}