AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136
							## Indexer Security Group
#
# Summary:
#   Ingress:
# x   tcp/8000      - Splunk Web                 - (local.access_cidrs) vpc-access, legacy openvpn, legacy bastion
# x   tcp/8088      - Splunk HEC                 - (local.data_sources) Entire VPC + var.additional_source + var.splunk_legacy_cidr
# x   tcp/8088      - MOOSE ONLY                 - 10.0.0.0/8
# x   tcp/8089      - Splunk API                 - (local.access_cidrs) vpc-access, legacy openvpn, legacy bastion, legacy infra (vpc-private-services) VPC for monitoring console
# x   tcp/8089      - Splunk API + IDX Discovery - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
# x   tcp/8089      - MOOSE ONLY                 - 10.0.0.0/8
# x   tcp/9887      - IDX Replication            - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
# x   tcp/9997-9998 - Splunk Data                - (local.data_sources) Entire VPC + var.additional_source + var.splunk_legacy_cidr
# x   tcp/9997-9998 - MOOSE ONLY                 - 10.0.0.0/8
#   Egress:
#     tcp/9887      - IDX Replication            - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
#     tcp/8089      - Splunk API + IDX Discovery - (local.splunk_vpc_cidrs) Entire VPC + var.splunk_legacy_cidr
locals {
  splunk_vpc_cidrs = toset(concat(var.splunk_legacy_cidr, [var.vpc_cidr], var.cidr_map["vpc-private-services"]))
  access_cidrs     = var.cidr_map["vpc-access"]
  data_sources     = toset(concat(tolist(local.splunk_vpc_cidrs), var.splunk_data_sources))
}

resource "aws_security_group" "indexer_security_group" {
  name        = "indexer_security_group"
  description = "Security Group for Splunk Indexers"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags, { "Name" = "indexer_security_group" })
}

## Ingress

resource "aws_security_group_rule" "splunk-web-in" {
  description       = "Web access from bastions and vpn"
  type              = "ingress"
  from_port         = 8000
  to_port           = 8000
  protocol          = "tcp"
  cidr_blocks       = local.access_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-hec-in" {
  description       = "Splunk HEC access"
  type              = "ingress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.data_sources
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-hec-in-moose" {
  count             = local.is_moose ? 1 : 0
  description       = "Splunk HEC access"
  type              = "ingress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-in-access" {
  description = "Splunk API + Indexer Discovery"
  type        = "ingress"
  from_port   = 8089
  to_port     = 8089
  protocol    = "tcp"
  # need to concat here, since legacy subnet is already in the rule
  cidr_blocks       = toset(concat(tolist(local.access_cidrs), tolist(local.splunk_vpc_cidrs), var.cidr_map["vpc-splunk"]))
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-in-moose" {
  count       = local.is_moose ? 1 : 0
  description = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
  type        = "ingress"
  from_port   = 8089
  to_port     = 8089
  protocol    = "tcp"
  # Internal source _do_ use indexer discovery, so moose needs 10/8 open to the entirety.
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-idx-replication" {
  description       = "Splunk Indexer Replication"
  type              = "ingress"
  from_port         = 9887
  to_port           = 9887
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-data-in" {
  description       = "Splunk Data In"
  type              = "ingress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = local.data_sources
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-data-in-moose" {
  count             = local.is_moose ? 1 : 0
  description       = "Splunk Data In for Moose"
  type              = "ingress"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.indexer_security_group.id
}

## Egress
resource "aws_security_group_rule" "splunk-idx-replication-out" {
  description       = "Splunk Indexer Replication"
  type              = "egress"
  from_port         = 9887
  to_port           = 9887
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}

resource "aws_security_group_rule" "splunk-api-out" {
  description       = "Splunk API Outbound to talk to indexers"
  type              = "egress"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.indexer_security_group.id
}