AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241
							data "aws_vpc" "this" {
  id = var.vpc_id
}

data "aws_prefix_list" "private_s3" {
  filter {
    name = "prefix-list-name"
    values = [ "com.amazonaws.*.s3" ]
  }
}

locals {
  vpc_name = lookup(data.aws_vpc.this.tags, "Name", data.aws_vpc.this.cidr_block)
}

resource "aws_security_group" "security_group" {
  name = "typical-host"
  description = "Required typical-host SG for VPC ${local.vpc_name} (${var.vpc_id})"
  vpc_id = var.vpc_id
  tags = merge(var.tags, { "Name" = "typical-host", "vpc_name" = local.vpc_name })
}

## Ingress
resource "aws_security_group_rule" "scanner_access" {
  security_group_id = aws_security_group.security_group.id
  type = "ingress"
  description = "Full Access from Security Scanners"
  from_port = 0
  to_port = 0
  protocol = -1
  cidr_blocks = var.cidr_map["scanners"]
  count = length(var.cidr_map["scanners"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "ssh_access" {
  security_group_id = aws_security_group.security_group.id
  type = "ingress"
  description = "SSH Access"
  from_port = 22
  to_port = 22
  protocol = "tcp"
  # Convert to a set to remove duplicates
  cidr_blocks = toset(concat(var.cidr_map["bastions"], var.cidr_map["vpns"]))
  count = length(toset(concat(var.cidr_map["bastions"], var.cidr_map["vpns"]))) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "ping_inbound" {
  security_group_id = aws_security_group.security_group.id
  type = "ingress"
  description = "Inbound Pings"
  from_port = -1
  to_port = -1
  protocol = "icmp"
  cidr_blocks = [ "10.0.0.0/8" ]
}

## Outbound:
resource "aws_security_group_rule" "ping_outbound" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound Pings"
  from_port = -1
  to_port = -1
  protocol = "icmp"
  cidr_blocks = [ "0.0.0.0/0" ]
}

resource "aws_security_group_rule" "github_access_ssh" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound GitHub"
  from_port = 22
  to_port = 22
  protocol = "tcp"
  cidr_blocks = var.cidr_map["vpc-public"]
  count = length(var.cidr_map["vpc-public"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "github_access_http" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound GitHub"
  from_port = 80
  to_port = 80
  protocol = "tcp"
  cidr_blocks = var.cidr_map["vpc-public"]
  count = length(var.cidr_map["vpc-public"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "github_access_https" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound GitHub"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  cidr_blocks = var.cidr_map["vpc-public"]
  count = length(var.cidr_map["vpc-public"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "dns_access_tcp" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound TCP DNS"
  from_port = 53
  to_port = 53
  protocol = "tcp"
  cidr_blocks = var.cidr_map["dns"]
  count = length(var.cidr_map["dns"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "dns_access_udp" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound UDP DNS"
  from_port = 53
  to_port = 53
  protocol = "udp"
  cidr_blocks = var.cidr_map["dns"]
  count = length(var.cidr_map["dns"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_salt_masters" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Connect to Salt Masters"
  from_port = 4505
  to_port = 4506
  protocol = "tcp"
  cidr_blocks = var.cidr_map["salt"]
  count = length(var.cidr_map["salt"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_web_servers_80" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Connect to Repo Servers"
  from_port = 80
  to_port = 80
  protocol = "tcp"
  cidr_blocks = var.cidr_map["web"]
  count = length(var.cidr_map["web"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_web_servers_443" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Connect to Repo Servers"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  cidr_blocks = var.cidr_map["web"]
  count = length(var.cidr_map["web"]) > 0 ? 1 : 0
}

# Systems need to be able to access vpc endpoints on 80/443
resource "aws_security_group_rule" "outbound_to_local_vpc_80" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Connect to VPC Endpoints"
  from_port = 80
  to_port = 80
  protocol = "tcp"
  source_security_group_id = var.aws_endpoints_sg
}

resource "aws_security_group_rule" "outbound_to_local_vpc_443" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Connect to VPC Endpoints"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  source_security_group_id = var.aws_endpoints_sg
}

resource "aws_security_group_rule" "outbound_to_mailrelay_25" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound Email to mailrelay"
  from_port = 25
  to_port = 25
  protocol = "tcp"
  cidr_blocks = var.cidr_map["vpc-system-services"]
  count = length(var.cidr_map["vpc-system-services"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_ec2_s3_endpoint" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Outbound to S3 endpoint"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  prefix_list_ids = [ data.aws_prefix_list.private_s3.id ]
  count = length([ data.aws_prefix_list.private_s3.id ]) > 0 ? 1 : 0 # todo: handle case of no s3 prefix list
}

resource "aws_security_group_rule" "outbound_to_sensu" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Monitoring Outbound"
  from_port = 8081
  to_port   = 8081
  protocol  = "tcp"
  cidr_blocks = var.cidr_map["monitoring"]
  count = length(var.cidr_map["monitoring"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_moose_s2s" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description              = "Splunk UF outbound to Moose Indexers"
  from_port = 9997
  to_port   = 9998
  protocol  = "tcp"
  cidr_blocks = var.cidr_map["moose"]
  count = length(var.cidr_map["moose"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_moose_idxc" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description              = "Outbound IDXC Discovery to MOOSE"
  from_port = 8089
  to_port   = 8089
  protocol  = "tcp"
  cidr_blocks = var.cidr_map["moose"]
  count = length(var.cidr_map["moose"]) > 0 ? 1 : 0
}

resource "aws_security_group_rule" "outbound_to_moose_hec" {
  security_group_id = aws_security_group.security_group.id
  type = "egress"
  description = "Connect to HEC"
  from_port = 8088
  to_port = 8088
  protocol = "tcp"
  cidr_blocks = var.cidr_map["moose"]
  count = length(var.cidr_map["moose"]) > 0 ? 1 : 0
}