AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200
							# Rather than pass in the aws security group, we just look it up. This will
# probably be useful other places, as well.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

data "aws_security_group" "aws_endpoints" {
  name   = "aws_endpoints"
  vpc_id = var.vpc_id
}

#   ajp port: 8009
#   http: 8080
#   https: 8443
#   mgmt-http: 9990
#   mgmt-https: 9993
#   txn-recovery-environment: 4712
#   txn-status-manager: 4713
resource "aws_security_group" "instance" {
  name        = "RHSSO"
  description = "RHSSO Instances"
	# checkov:skip=CKV2_AWS_5: this SG is attached to RHSSO
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# Ingress
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "cluster-connectivity-ingress" {
  type                     = "ingress"
  description              = "Receive any from other cluster members"
  from_port                = -1
  to_port                  = -1
  protocol                 = -1
  security_group_id        = aws_security_group.instance.id
  source_security_group_id = aws_security_group.instance.id
}

#----------------------------------------------------------------------------
# Egress
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "cluster-connectivity-egress" {
  type                     = "egress"
  description              = "send any to other cluster members"
  from_port                = -1
  to_port                  = -1
  protocol                 = -1
  security_group_id        = aws_security_group.instance.id
  source_security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "outbound_http" {
  type              = "egress"
  description       = "HTTP - Outbound - CRL Lookups go direct"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  security_group_id = aws_security_group.instance.id
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
}

#resource "aws_security_group_rule" "instance-http-in" {
#  description = ""
#  type = "ingress"
#  from_port = "80"
#  to_port = "80"
#  protocol = "tcp"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}
#
#resource "aws_security_group_rule" "instance-https-in" {
#  description = ""
#  type = "ingress"
#  from_port = "443"
#  to_port = "443"
#  protocol = "tcp"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}
#
#resource "aws_security_group_rule" "instance-ajp-in" {
#  description = ""
#  type = "ingress"
#  from_port = "8009"
#  to_port = "8009"
#  protocol = "tcp"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}

#----------------------------------------------------------------------------
# Ingress
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "instance-alt-http-in-from-access" {
  type              = "ingress"
  description       = "HTTP 8080 - Inbound - from access"
  from_port         = "8080"
  to_port           = "8080"
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.instance.id
}

#resource "aws_security_group_rule" "instance-alt-http-in-from-elb" {
#  description = "Alt HTTP from ELB"
#  type = "ingress"
#  from_port = "8080"
#  to_port = "8080"
#  protocol = "tcp"
#  security_group_id = aws_security_group.instance.id
#  source_security_group_id = aws_security_group.elb_external.id
#}

resource "aws_security_group_rule" "instance-alt-https-in-from-access" {
  type              = "ingress"
  description       = "HTTPS 8443 - Inbound - from access"
  from_port         = "8443"
  to_port           = "8443"
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-alt-https-in-from-nlb" {
  type              = "ingress"
  description       = "HTTPS 8443 - Inbound - from Internet"
  from_port         = "8443"
  to_port           = "8443"
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance-mgmt-in-from-access" {
  type              = "ingress"
  description       = "HTTPS - Inbound - Management from Access"
  from_port         = "9990"
  to_port           = "9990"
  protocol          = "tcp"
  cidr_blocks       = local.cidr_map["vpc-access"]
  security_group_id = aws_security_group.instance.id
}

#----------------------------------------------------------------------------
# Egress
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "instance-db-outbound" {
  type                     = "egress"
  description              = "Postgres - Outbound"
  from_port                = "5432"
  to_port                  = "5432"
  protocol                 = "tcp"
  security_group_id        = aws_security_group.instance.id
  source_security_group_id = aws_security_group.rhsso_rds_sg.id
}


#resource "aws_security_group_rule" "instance-mgmt-http-in" {
#  description = ""
#  type = "ingress"
#  from_port = "9990"
#  to_port = "9990"
#  protocol = "tcp"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}
#
#resource "aws_security_group_rule" "instance-mgmt-https-in" {
#  description = ""
#  type = "ingress"
#  from_port = "9993"
#  to_port = "9993"
#  protocol = "tcp"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}
#
#resource "aws_security_group_rule" "instance-txn-in" {
#  description = ""
#  type = "ingress"
#  from_port = "4712"
#  to_port = "4713"
#  protocol = "tcp"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}
#
## lock down before production, but I couldn't get letsencrypt to work with the proxy
#resource "aws_security_group_rule" "instance-all-out" {
#  description = ""
#  type = "egress"
#  from_port = "-1"
#  to_port = "-1"
#  protocol = "-1"
#  cidr_blocks = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}