xdr-terraform-modules/submodules/security_group/typical_host/main.tf

data "aws_vpc" "this" {
  id = var.vpc_id
}

data "aws_prefix_list" "private_s3" {
  filter {
    name   = "prefix-list-name"
    values = ["com.amazonaws.*.s3"]
  }
}

data "aws_prefix_list" "private_dynamodb" {
  filter {
    name   = "prefix-list-name"
    values = ["com.amazonaws.*.dynamodb"]
  }
}

locals {
  vpc_name = lookup(data.aws_vpc.this.tags, "Name", data.aws_vpc.this.cidr_block)
}

#----------------------------------------------------------------------------
# Typical-Host Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "security_group" {
	# checkov:skip=CKV2_AWS_5: this SG is attached
  name        = "typical-host"
  description = "Required typical-host SG for VPC ${local.vpc_name} (${var.vpc_id})"
  vpc_id      = var.vpc_id
  tags        = merge(var.tags, { "Name" = "typical-host", "vpc_name" = local.vpc_name })
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "scanner_access" {
  security_group_id = aws_security_group.security_group.id
  type              = "ingress"
  description       = "Full Access from Security Scanners"
  from_port         = 0
  to_port           = 0
  protocol          = -1
  cidr_blocks       = var.cidr_map["scanners"]
  count             = length(var.cidr_map["scanners"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "teleport_ssh_access" {
  security_group_id = aws_security_group.security_group.id
  type              = "ingress"
  description       = "Teleport SSH Access"
  from_port         = 3022
  to_port           = 3022
  protocol          = "tcp"
  # Convert to a set to remove duplicates
  cidr_blocks = var.cidr_map["vpc-access"]
  count       = length(var.cidr_map["vpc-access"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "ssh_access" {
  security_group_id = aws_security_group.security_group.id
  type              = "ingress"
  description       = "SSH Access"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  # Convert to a set to remove duplicates
  cidr_blocks = toset(concat(var.cidr_map["bastions"], var.cidr_map["vpns"]))
  count       = length(toset(concat(var.cidr_map["bastions"], var.cidr_map["vpns"]))) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "ping_inbound" {
  security_group_id = aws_security_group.security_group.id
  type              = "ingress"
  description       = "Inbound Pings"
  from_port         = -1
  to_port           = -1
  protocol          = "icmp"
  cidr_blocks       = ["10.0.0.0/8"]
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "ping_outbound" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Outbound Pings"
  from_port         = -1
  to_port           = -1
  protocol          = "icmp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
}

resource "aws_security_group_rule" "github_access_ssh" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "SSH - Outbound GitHub"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-public"]
  count             = length(var.cidr_map["vpc-public"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "github_access_http" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "HTTP - Outbound GitHub"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-public"]
  count             = length(var.cidr_map["vpc-public"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "github_access_https" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "HTTPS - Outbound GitHub"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-public"]
  count             = length(var.cidr_map["vpc-public"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "dns_access_tcp" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "DNS TCP - Outbound"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["dns"]
  count             = length(var.cidr_map["dns"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "dns_access_udp" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "DNS UDP - Outbound"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = var.cidr_map["dns"]
  count             = length(var.cidr_map["dns"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_teleport" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Connect to Teleport"
  from_port         = 3080
  to_port           = 3080
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-access"]
  count             = length(var.cidr_map["vpc-access"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_teleport_30xx" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Connect to Teleport"
  from_port         = 3023
  to_port           = 3026
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-access"]
  count             = length(var.cidr_map["vpc-access"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_salt_masters" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Connect to Salt Masters"
  from_port         = 4505
  to_port           = 4506
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["salt"]
  count             = length(var.cidr_map["salt"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_web_servers_80" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "HTTP - Outbound - Connect to Repo Servers"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["web"]
  count             = length(var.cidr_map["web"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_web_servers_443" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "HTTPS - Outbound - Connect to Repo Servers"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["web"]
  count             = length(var.cidr_map["web"]) > 0 ? 1 : 0
}

# Systems need to be able to access vpc endpoints on 80/443
resource "aws_security_group_rule" "outbound_to_local_vpc_80" {
  security_group_id        = aws_security_group.security_group.id
  type                     = "egress"
  description              = "HTTP - Connect to VPC Endpoints"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = var.aws_endpoints_sg
}

resource "aws_security_group_rule" "outbound_to_local_vpc_443" {
  security_group_id        = aws_security_group.security_group.id
  type                     = "egress"
  description              = "HTTPS - Connect to VPC Endpoints"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = var.aws_endpoints_sg
}

resource "aws_security_group_rule" "outbound_to_mailrelay_25" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "SMTP - Outbound Email to mailrelay"
  from_port         = 25
  to_port           = 25
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-system-services"]
  count             = length(var.cidr_map["vpc-system-services"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_mailrelay_587" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Submission SMTP-S - Outbound Email to mailrelay"
  from_port         = 587
  to_port           = 587
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-system-services"]
  count             = length(var.cidr_map["vpc-system-services"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_ec2_s3_endpoint" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Outbound to S3 endpoint"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_prefix_list.private_s3.id]
  count             = length([data.aws_prefix_list.private_s3.id]) > 0 ? 1 : 0 # todo: handle case of no s3 prefix list
}

resource "aws_security_group_rule" "outbound_to_ec2_dynamodb_endpoint" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Outbound to DynamoDB endpoint"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_prefix_list.private_dynamodb.id]
  count             = length([data.aws_prefix_list.private_dynamodb.id]) > 0 ? 1 : 0 # todo: handle case of no s3 prefix list
}

resource "aws_security_group_rule" "outbound_to_sensu" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Monitoring Outbound"
  from_port         = 8081
  to_port           = 8081
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["monitoring"]
  count             = length(var.cidr_map["monitoring"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_moose_s2s" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Splunk UF outbound to Moose Indexers"
  from_port         = 9997
  to_port           = 9998
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["moose"]
  count             = length(var.cidr_map["moose"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_moose_idxc" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Outbound IDXC Discovery to MOOSE"
  from_port         = 8089
  to_port           = 8089
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["moose"]
  count             = length(var.cidr_map["moose"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_moose_hec" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Connect to HEC"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["moose"]
  count             = length(var.cidr_map["moose"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_nessus_manager" {
  security_group_id = aws_security_group.security_group.id
  type              = "egress"
  description       = "Connect to Tenable Nessus Manager"
  from_port         = 8834
  to_port           = 8834
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-private-services"]
  count             = length(var.cidr_map["vpc-private-services"]) > 0 ? 1 : 0
}