123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116 |
- # SG Summary - Server
- # Inbound::
- # tcp/8888 - from 10.0.0.0/8
- # tcp/443 - from load balancers, vpc-access (legacy was from 10.0.0.0/8)
- #
- # Outbound:
- # tcp/8089 - 10.0.0.0/8 (splunk)
- # udp/53 - 0.0.0.0/0 (dns for oscontext)
- # DISABLED tcp/464 - 10.80.0.0/16 (legacy vpc)
- # DISABLED tcp/636 - 0.0.0.0/0 (LDAPS outbound)
- # DISABLED tcp/389 - 10.80.0.0/16 (legacy vpc)
- # DISABLED tcp+udp/88 - 10.80.0.0/16 (idm)
- #
- # New:
- resource "aws_security_group" "phantom_server" {
- name_prefix = "phantom_server"
- tags = merge( var.standard_tags, var.tags, { Name = "phantom_server" } )
- vpc_id = var.vpc_id
- description = "Phantom Server"
- }
- #-----------------------------------------------------------------
- # Inbound access
- #-----------------------------------------------------------------
- resource "aws_security_group_rule" "phantom_server_inbound_8888" {
- security_group_id = aws_security_group.phantom_server.id
- type = "ingress"
- cidr_blocks = [ "10.0.0.0/8" ]
- from_port = 8888
- to_port = 8888
- protocol = "tcp"
- description = "Inbound 8888 - Phantom Websocket"
- }
- resource "aws_security_group_rule" "phantom_server_inbound_alb_443" {
- security_group_id = aws_security_group.phantom_server.id
- type = "ingress"
- source_security_group_id = aws_security_group.phantom_alb_internal.id
- from_port = 443
- to_port = 443
- protocol = "tcp"
- description = "Inbound 443 (from load balancers)"
- }
- resource "aws_security_group_rule" "phantom_server_inbound_alb_443_from_vpn" {
- security_group_id = aws_security_group.phantom_server.id
- type = "ingress"
- cidr_blocks = var.cidr_map["vpc-access"]
- from_port = 443
- to_port = 443
- protocol = "tcp"
- description = "Inbound 443 (from load access, for troubleshooting)"
- }
- #-----------------------------------------------------------------
- # Outbound access
- #-----------------------------------------------------------------
- resource "aws_security_group_rule" "phantom_server_outbound_postgres" {
- security_group_id = aws_security_group.phantom_server.id
- type = "egress"
- cidr_blocks = [ "10.0.0.0/8" ]
- from_port = 8089
- to_port = 8089
- protocol = "tcp"
- description = "Outbound to splunk everywhere"
- }
- resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
- security_group_id = aws_security_group.phantom_server.id
- type = "egress"
- cidr_blocks = [ "0.0.0.0/0" ]
- from_port = 53
- to_port = 53
- protocol = "tcp"
- description = "Outbound tcp dns anywhere"
- }
- resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
- security_group_id = aws_security_group.phantom_server.id
- type = "egress"
- cidr_blocks = [ "0.0.0.0/0" ]
- from_port = 53
- to_port = 53
- protocol = "udp"
- description = "Outbound udp dns anywhere"
- }
- resource "aws_security_group_rule" "phantom_server_outbound_http" {
- security_group_id = aws_security_group.phantom_server.id
- type = "egress"
- cidr_blocks = [ "0.0.0.0/0" ]
- from_port = 80
- to_port = 80
- protocol = "tcp"
- description = "Outbound http anywhere (required for saleforce and others)"
- }
- resource "aws_security_group_rule" "phantom_server_outbound_https" {
- security_group_id = aws_security_group.phantom_server.id
- type = "egress"
- cidr_blocks = [ "0.0.0.0/0" ]
- from_port = 443
- to_port = 443
- protocol = "tcp"
- description = "Outbound https anywhere (required for saleforce and others)"
- }
- resource "aws_security_group_rule" "phantom_server_outbound_ssh_to_legacy" {
- security_group_id = aws_security_group.phantom_server.id
- type = "egress"
- cidr_blocks = var.environment == "prod" ? [ "10.80.101.221/32" ] : [ "10.96.101.186/32" ]
- from_port = 22
- to_port = 22
- protocol = "tcp"
- description = "Outbound ssh to legacy. Remove after migration."
- }