

Csr/sg rule conflicts (#3297)
* fix up security group rules file

* formatting
robertsweetman authored Sep 6, 2023
1 parent 3820259 commit 982a684
Showing 1 changed file with 95 additions and 133 deletions.
Expand Up @@ -116,28 +116,13 @@ locals {
protocol = -1
self = true
}
# http135 = {
# description = "Allow ingress from port 135"
# from_port = 135
# to_port = 135
# protocol = "Any"
# cidr_blocks = ["10.0.0.0/8"]
# security_groups = []
# }
# http139 = {
# description = "Allow ingress from port 139"
# from_port = 139
# to_port = 139
# protocol = "Any"
# cidr_blocks = ["10.0.0.0/8"]
# security_groups = []
# }
https = {
description = "Allow ingress from port 443"
from_port = 443
to_port = 443

dns = {
description = "Allow ingress Azure domain controllers"
from_port = 53
to_port = 53
protocol = "TCP"
cidr_blocks = ["10.0.0.0/8"]
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
http = {
Expand All @@ -148,33 +133,23 @@ locals {
cidr_blocks = ["10.0.0.0/8"]
security_groups = []
}
rdp = {
description = "Allow ingress from port 3389"
from_port = 3389
to_port = 3389
rpc = {
description = "Allow ingress Azure domain controllers"
from_port = 135
to_port = 135
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.rdp.inbound
security_groups = []
}
smb = {
description = "Allow ingress Azure domain controllers"
from_port = 445
to_port = 445
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
# cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
# cidr_blocks = ["10.102.0.196/32"]
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
dns = {
/* netbios = { FIXME: add this back in
description = "Allow ingress Azure domain controllers"
from_port = 53
to_port = 53
protocol = "TCP"
from_port = 137
to_port = 139
protocol = -1
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
ldap = {
} */
/* ldap = { FIXME: add this back in
description = "Allow ingress Azure domain controllers"
from_port = 389
to_port = 389
Expand All @@ -189,6 +164,24 @@ locals {
protocol = "UDP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
} */
https = {
description = "Allow ingress from port 443"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = ["10.0.0.0/8"]
security_groups = []
}
smb = {
description = "Allow ingress Azure domain controllers"
from_port = 445
to_port = 445
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
# cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
# cidr_blocks = ["10.102.0.196/32"]
security_groups = []
}
ldap_ssl = {
description = "Allow ingress Azure domain controllers"
Expand All @@ -206,34 +199,26 @@ locals {
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
rpc = {
description = "Allow ingress Azure domain controllers"
from_port = 135
to_port = 135
rdp = {
description = "Allow ingress from port 3389"
from_port = 3389
to_port = 3389
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
cidr_blocks = local.security_group_cidrs.rdp.inbound
security_groups = []
}
rpc_dynamic = {
active_directory_web_services = {
description = "Allow ingress Azure domain controllers"
from_port = 49152
to_port = 65535
from_port = 9389
to_port = 9389
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
netbios = {
description = "Allow ingress Azure domain controllers"
from_port = 137
to_port = 139
protocol = -1
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
active_directory_web_services = {
rpc_dynamic = {
description = "Allow ingress Azure domain controllers"
from_port = 9389
to_port = 9389
from_port = 49152
to_port = 65535
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
Expand Down Expand Up @@ -310,23 +295,6 @@ locals {
protocol = -1
self = true
}
# NOTE: this is a bit redundant as mod-platform does not allow http connections
http = {
description = "Allow ingress from port 80"
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["10.0.0.0/8"]
security_groups = []
}
https = {
description = "Allow ingress from port 443"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = ["10.0.0.0/8"]
security_groups = []
}
ssh = {
description = "Allow SSH ingress"
from_port = 22
Expand All @@ -335,33 +303,41 @@ locals {
cidr_blocks = local.security_group_cidrs.ssh
security_groups = []
}
rdp = {
description = "Allow ingress from port 3389"
from_port = 3389
to_port = 3389
dns = {
description = "Allow ingress Azure domain controllers"
from_port = 53
to_port = 53
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.rdp.inbound
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
smb = {
description = "Allow ingress Azure domain controllers"
from_port = 445
to_port = 445
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
# cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
# cidr_blocks = ["10.102.0.196/32"]
# NOTE: this is a bit redundant as mod-platform does not allow http connections
http = {
description = "Allow ingress from port 80"
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["10.0.0.0/8"]
security_groups = []
}
dns = {
rpc = {
description = "Allow ingress Azure domain controllers"
from_port = 53
to_port = 53
from_port = 135
to_port = 135
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
ldap = {
/* } FIXME: add this back in
netbios = {
description = "Allow ingress Azure domain controllers"
from_port = 137
to_port = 139
protocol = -1
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
} */
/* ldap = { FIXME: add this back in
description = "Allow ingress Azure domain controllers"
from_port = 389
to_port = 389
Expand All @@ -376,7 +352,26 @@ locals {
protocol = "UDP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
} */
https = {
description = "Allow ingress from port 443"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = ["10.0.0.0/8"]
security_groups = []
}
smb = {
description = "Allow ingress Azure domain controllers"
from_port = 445
to_port = 445
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
# cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
# cidr_blocks = ["10.102.0.196/32"]
security_groups = []
}

ldap_ssl = {
description = "Allow ingress Azure domain controllers"
from_port = 636
Expand All @@ -393,20 +388,12 @@ locals {
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
rpc = {
description = "Allow ingress Azure domain controllers"
from_port = 135
to_port = 135
rdp = {
description = "Allow ingress from port 3389"
from_port = 3389
to_port = 3389
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
netbios = {
description = "Allow ingress Azure domain controllers"
from_port = 137
to_port = 139
protocol = -1
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
cidr_blocks = local.security_group_cidrs.rdp.inbound
security_groups = []
}
active_directory_web_services = {
Expand Down Expand Up @@ -473,22 +460,6 @@ locals {
# cidr_blocks = ["10.0.0.0/8"]
# security_groups = []
# }
# http49152_65535 = {
# description = "Allow ingress from port 49152-65535"
# from_port = 49152-65535
# to_port = 49152-65535
# protocol = "TCP"
# cidr_blocks = ["10.0.0.0/8"]
# security_groups = []
# }
# http445 = {
# description = "Allow ingress from port 445"
# from_port = 445
# to_port = 445
# protocol = "TCP"
# cidr_blocks = ["10.0.0.0/8"]
# security_groups = []
# }
# http45054 = {
# description = "Allow ingress from port 45054"
# from_port = 45054
Expand Down Expand Up @@ -543,14 +514,6 @@ locals {
cidr_blocks = local.security_group_cidrs.ssh
security_groups = []
}
# http49152_65535 = {
# description = "Allow ingress from port 49152-65535"
# from_port = 49152-65535
# to_port = 49152-65535
# protocol = "TCP"
# cidr_blocks = ["10.0.0.0/8"]
# security_groups = []
# }
# http41521 = {
# description = "Allow ingress from port 1521"
# from_port = 1521
Expand Down Expand Up @@ -611,7 +574,6 @@ locals {
security_groups = []
}
}

}
}
}
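Review bot: The netbios rule parked behind `FIXME: add this back in` (both copies, the one opened with `/* netbios = {` and the one opened with `/* } FIXME`) still carries `protocol = -1` together with `from_port = 137` / `to_port = 139`; on AWS a `-1` protocol means "all protocols" and the port range is not enforced, so re-enabling it as written would admit all traffic from those domain-controller /32s rather than just NetBIOS. Before un-commenting, split it into a TCP rule on 139 and a UDP rule on 137-138 as below, and drop the `-1`. Separately, the new `dns` rule is TCP-only (`protocol = "TCP"` on port 53) while the ldap rule has a UDP counterpart; if AD name resolution against these controllers is expected, a matching UDP 53 rule is probably needed — worth confirming with the owners. The second comment opener, `/* } FIXME: add this back in`, swallows a closing brace into the comment; it parses, but writing it as `/* netbios = { FIXME: add this back in` like the first copy reads more clearly. The enclosing `locals` maps begin and end outside the visible hunks.
```hcl
    # … unchanged: rpc rule …
    netbios_tcp = {
      description     = "Allow ingress Azure domain controllers"
      from_port       = 139
      to_port         = 139
      protocol        = "TCP"
      cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
      security_groups = []
    }
    netbios_udp = {
      description     = "Allow ingress Azure domain controllers"
      from_port       = 137
      to_port         = 138
      protocol        = "UDP"
      cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
      security_groups = []
    }
    # … unchanged: ldap / https / smb rules …
```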

