AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202
							# TODO: We probably want this in this module as a standard group in all VPCs, but disabling
# for now due to complexity.
#
# For a "typical host" we have some simple expectations
#   - able to talk to one of the various salt masters
#   - able to talk to Amazon's DNS servers
#   - allow inbound SSH from bastion
#   - any outbound RPM repo access needed
#   - 9998/tcp to moose indexers
#
#
# The following is a little complicated because the mainline security-group module
# is lacking a little in being able to be super expressive w/ rules.  So we
# create the base SG with the module, and then attach more detailed rules to it when
# complete
module "typical_host_sg" {
  use_name_prefix = false
  source = "terraform-aws-modules/security-group/aws"
  version = "~> 2.17"
  name        = "typical-host"
  tags        = "${local.standard_tags}"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress_cidr_blocks = [ "10.0.0.0/8" ]
  ingress_rules = [ "all-icmp" ]

  egress_ipv6_cidr_blocks = [ ]

  egress_with_cidr_blocks = [
    {
      description = "TCP DNS to Amazon VPC DNS Server"
      rule        = "dns-tcp"
      cidr_blocks = "${cidrhost(module.vpc.vpc_cidr_block,2)}/32"
    },
    {
      description = "UDP DNS to Amazon VPC DNS Server"
      rule        = "dns-udp"
      cidr_blocks = "${cidrhost(module.vpc.vpc_cidr_block,2)}/32"
    },

    {
      description = "ICMP"
      rule 				= "all-icmp"
      cidr_blocks = "10.0.0.0/8"
  	},

	]

  #egress_with_ipv6_cidr_blocks = [
  #  {
  #    description = "Saltstack RPM Repos IPv6"
  #    rule 				= "https-443-tcp"
  #    ipv6_cidr_blocks = "2604:a880:400:d0::2:e001/128"
  #  }
  #]
}

resource "aws_security_group_rule" "outbound_to_salt_masters"
{
  type = "egress"
  from_port = 4505
  to_port = 4506
  protocol = 6
  source_security_group_id = "${module.salt_masters_sg.this_security_group_id}"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  description = "Connect to Salt Masters"
}

resource "aws_security_group_rule" "outbound_to_repo_servers_80"
{
  type = "egress"
  from_port = 80
  to_port = 80
  protocol = 6
  source_security_group_id = "${module.repo_servers_sg.this_security_group_id}"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  description = "Connect to Repo Servers"
}

resource "aws_security_group_rule" "inbound_ssh_bastion"
{
  type = "ingress"
  from_port = 22
  to_port = 22
  protocol = 6
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.bastion_servers_sg.this_security_group_id}"
  #cidr_blocks = [ "${formatlist("%s/32",module.bastion.private_ip)}" ]
  description = "Inbound SSH from bastions"
}

resource "aws_security_group_rule" "typical_host_inbound_ssh_openvpn"
{
  type = "ingress"
  from_port = 22
  to_port = 22
  protocol = 6
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.openvpn_servers_sg.this_security_group_id}"
  description = "Inbound SSH from openvpn"
}

resource "aws_security_group_rule" "outbound_to_ec2_endpoints"
{
  type = "egress"
  from_port = 0
  to_port = 0
  protocol = -1
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  source_security_group_id = "${module.aws_endpoints_sg.this_security_group_id}"
  description = "Outbound to EC2 endpoints"
}

resource "aws_security_group_rule" "outbound_to_ec2_s3_endpoint"
{
  type = "egress"
  from_port = 0
  to_port = 0
  protocol = -1
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  prefix_list_ids = [ "${module.vpc.vpc_endpoint_s3_pl_id}" ]
  description = "Outbound to S3 endpoint"
}

resource "aws_security_group_rule" "outbound_to_squid_http"
{
  type = "egress"
  from_port = 80
  to_port = 80
  protocol = 6
  source_security_group_id = "${module.proxy_servers_sg.this_security_group_id}"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  description  = "HTTPS outbound to proxies"
}

resource "aws_security_group_rule" "outbound_to_mailrelay_25"
{
  type = "egress"
  from_port = 25
  to_port = 25
  protocol = 6
  source_security_group_id = "${module.mailrelay_sg.this_security_group_id}"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  description = "Outbound Email to mailrelay"
}

resource "aws_security_group_rule" "outbound_to_sensu"
{
  type = "egress"
  from_port = 8081
  to_port   = 8081
  protocol  = "tcp"
  source_security_group_id = "${module.sensu_servers_sg.this_security_group_id}"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  description              = "Sensu Outbound"
}

resource "aws_security_group_rule" "outbound_to_moose_s2s"
{
  type = "egress"
  from_port = 9997
  to_port   = 9998
  protocol  = "tcp"
  #cidr_blocks              = [ "${module.vpc.vpc_cidr_block}" ]
  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  description              = "Splunk UF outbound to Moose Indexers"
}

resource "aws_security_group_rule" "outbound_to_moose_idxc"
{
  type = "egress"
  from_port = 8089
  to_port   = 8089
  protocol  = "tcp"
  #cidr_blocks              = [ "${module.vpc.vpc_cidr_block}" ]
  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
  security_group_id        = "${module.typical_host_sg.this_security_group_id}"
  description              = "Outbound IDXC Discovery to MOOSE"
}

resource "aws_security_group_rule" "outbound_to_moose_hec"
{
  type = "egress"
  from_port = 8088
  to_port = 8088
  protocol = 6
  source_security_group_id = "${module.moose_inbound_sg.this_security_group_id}"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  description = "Connect to HEC"
}

resource "aws_security_group_rule" "inbound_from_vuln_scanners"
{
  type = "ingress"
  from_port = -1
  to_port = -1
  protocol = -1
  source_security_group_id = "${module.vuln_scanners_sg.this_security_group_id}"
  security_group_id = "${module.typical_host_sg.this_security_group_id}"
  description = "Allow all from Vuln Scanners"
}