123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 |
- resource "aws_security_group" "openvpn_security_group" {
- name_prefix = "${ var.instance_name }_security_group"
- description = "Security Group for OpenVPN Instance(s)"
- vpc_id = var.vpc_id
- tags = merge(var.standard_tags, var.tags)
- }
- resource "aws_security_group_rule" "openvpn-in" {
- type = "ingress"
- from_port = 1194
- to_port = 1194
- protocol = "udp"
- # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
- cidr_blocks = [ "0.0.0.0/0" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-https-in" {
- type = "ingress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
- cidr_blocks = [ "0.0.0.0/0" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-permissive-out" {
- # We allow all outbound for openvpn
- type = "egress"
- from_port = -1
- to_port = -1
- protocol = "all"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- # We have specific egress rules, as well, but the list may be incomplete.
- resource "aws_security_group_rule" "openvpn-splunk-out" {
- type = "egress"
- from_port = 8000
- to_port = 8000
- protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-https-out" {
- type = "egress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-https-alt-out" {
- type = "egress"
- from_port = 8443
- to_port = 8443
- protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-phantom-out" {
- type = "egress"
- from_port = 8888
- to_port = 8888
- protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-github-ssh-out" {
- type = "egress"
- from_port = 122
- to_port = 122
- protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-ssh-out" {
- type = "egress"
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = [ "10.0.0.0/8" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-nessus-out" {
- type = "egress"
- from_port = 8834
- to_port = 8835
- protocol = "tcp"
- cidr_blocks = toset(concat(var.cidr_map["vpc-scanners"], var.cidr_map["vpc-private-services"]))
- security_group_id = aws_security_group.openvpn_security_group.id
- description = "Access to Nessus"
- }
- resource "aws_security_group_rule" "openvpn-license-server-out" {
- # Needed for license server check-in. Seems to be stable IP.
- type = "egress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = [ "54.183.149.72/32" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }
- resource "aws_security_group_rule" "openvpn-ldap-out" {
- type = "egress"
- from_port = 636
- to_port = 636
- protocol = "tcp"
- # Yes this has to be 0.0.0.0/0 because our SSL ldap server is provided by OKTA behind a NLB in AWS with non static IP
- cidr_blocks = [ "0.0.0.0/0" ]
- security_group_id = aws_security_group.openvpn_security_group.id
- }