AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168
							# From vmray admin installation guide, page 24
# Clients to server on 443
# Server to workers on 5900-5999 (VNC)
# Workers to server on 80 and 443

# Server
resource "aws_security_group" "vmray_server_sg" {
  name        = "vmray_server_sg"
  description = "Security Rules Specific to VMRay"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  #cidr_blocks       = var.cidr_map["vpc-access"]
  source_security_group_id = aws_security_group.vmray_alb_internal.id
  security_group_id = aws_security_group.vmray_server_sg.id
}

## VMRay Does DNS Lookups to the Local Network
resource "aws_security_group_rule" "vmray_server_tcpdns_out" {
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [ var.vpc_info["cidr"] ]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_udpdns_out" {
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [ var.vpc_info["cidr"] ]
  security_group_id = aws_security_group.vmray_server_sg.id
}

## VMRay Requires Direct Internet Access
resource "aws_security_group_rule" "vmray_server_http_out" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_out" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
  type              = "egress"
  from_port         = 5900
  to_port           = 5999
  protocol          = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id = aws_security_group.vmray_server_sg.id
}

# Workers
resource "aws_security_group" "vmray_worker_sg" {
  name        = "vmray_worker_sg"
  description = "Security Rules for the VMRay Worker Nodes"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
  type              = "ingress"
  from_port         = 5900
  to_port           = 5999
  protocol          = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmwary_worker_vnc_from_access" {
  type              = "ingress"
  from_port         = 5900
  to_port           = 5999
  protocol          = "tcp"
  cidr_blocks       = var.cidr_map["vpc-access"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

## VMRay Does DNS Lookups to the Local Network
resource "aws_security_group_rule" "vmray_worker_tcpdns_out" {
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "tcp"
  cidr_blocks       = [ var.vpc_info["cidr"] ]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_udpdns_out" {
  type              = "egress"
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = [ var.vpc_info["cidr"] ]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_http_out" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_out" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_http_to_server" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_to_server" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id = aws_security_group.vmray_worker_sg.id
}