xdr-terraform-modules/base/github/securitygroups-load-balancers.tf

#----------------------------------------------------------------
# SG for the external ELB
#----------------------------------------------------------------
locals {
  # from https://config.zscaler.com/zscalergov.net/cenr
  zscalar_cidrs = [
    "165.225.3.0/24",
    "136.226.10.0/23",
    "136.226.12.0/23",
    "136.226.14.0/23",
    "165.225.46.0/24",
    "136.226.6.0/23",
    "136.226.4.0/23",
    "136.226.8.0/23",
    "136.226.22.0/24",
    "165.225.48.0/24",
    "136.226.18.0/23",
    "136.226.16.0/23",
    "136.226.20.0/23",
  ]
  salt_masters = [
    "18.253.198.129/32", # Salt Master Prod - proxy
    "18.253.73.251/32",  # salt master prod
    "18.252.61.81/32",   # Salt master dev - proxy
    "18.253.226.199/32", # salt aster dev
  ]
  allowed_sources = ["0.0.0.0/0"]
}

#----------------------------------------------------------------
# SG for the Internal ELB
#----------------------------------------------------------------
resource "aws_security_group" "ghe_elb_internal" {
  # checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
  name_prefix = "ghe_elb_internal"
  tags        = merge(local.standard_tags, var.tags, { Name = "github-internal-lb" })
  vpc_id      = var.vpc_id
  description = "Internal ELB for GitHub Enterprise Server"
}

#-----------------------------------------------------------------
# INGRESS
#-----------------------------------------------------------------
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  description       = "HTTPS - Inbound"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
}

resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  description       = "HTTPS 8443 - Inbound"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 8443
  to_port           = 8443
  protocol          = "tcp"
}
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  description       = "Inbound git"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
}

#-----------------------------------------------------------------
# INGRESS
#-----------------------------------------------------------------
# Let the ELB talk to the github server(s)
resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  description              = "HTTPS - Outbound from ELB to GH Servers"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
}

# Let the ELB talk to the github server(s)
resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  description              = "HTTPS 8443 - Outbound from ELB to GH Servers"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
}
resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  description              = "HTTPS 23 - Outbound from ELB to GH Servers"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
}