From 982a684544ac8072066bfee167339232919459e5 Mon Sep 17 00:00:00 2001
From: Robert Sweetman
Date: Wed, 6 Sep 2023 14:00:16 +0100
Subject: [PATCH] Csr/sg rule conflicts (#3297)

* fix up security group rules file

* formatting
---
 .../locals_security_groups.tf | 228 ++++++++----------
 1 file changed, 95 insertions(+), 133 deletions(-)

diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 4d2bcecd763..3cb7fe35157 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -116,28 +116,13 @@ locals {
 protocol = -1
 self = true
 }
- # http135 = {
- # description = "Allow ingress from port 135"
- # from_port = 135
- # to_port = 135
- # protocol = "Any"
- # cidr_blocks = ["10.0.0.0/8"]
- # security_groups = []
- # }
- # http139 = {
- # description = "Allow ingress from port 139"
- # from_port = 139
- # to_port = 139
- # protocol = "Any"
- # cidr_blocks = ["10.0.0.0/8"]
- # security_groups = []
- # }
- https = {
- description = "Allow ingress from port 443"
- from_port = 443
- to_port = 443
+
+ dns = {
+ description = "Allow ingress Azure domain controllers"
+ from_port = 53
+ to_port = 53
 protocol = "TCP"
- cidr_blocks = ["10.0.0.0/8"]
+ cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
 http = {
@@ -148,33 +133,23 @@ locals {
 cidr_blocks = ["10.0.0.0/8"]
 security_groups = []
 }
- rdp = {
- description = "Allow ingress from port 3389"
- from_port = 3389
- to_port = 3389
+ rpc = {
+ description = "Allow ingress Azure domain controllers"
+ from_port = 135
+ to_port = 135
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.rdp.inbound
- security_groups = []
- }
- smb = {
- description = "Allow ingress Azure domain controllers"
- from_port = 445
- to_port = 445
- protocol = "TCP"
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
- # cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
- # cidr_blocks = ["10.102.0.196/32"]
+ cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- dns = {
+ /* netbios = { FIXME: add this back in
 description = "Allow ingress Azure domain controllers"
- from_port = 53
- to_port = 53
- protocol = "TCP"
+ from_port = 137
+ to_port = 139
+ protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- }
- ldap = {
+ } */
+ /* ldap = { FIXME: add this back in
 description = "Allow ingress Azure domain controllers"
 from_port = 389
 to_port = 389
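Review bot: The block comment opened at `/* ldap = { FIXME: add this back in` is not closed in this hunk; its `} */` lands in the next hunk directly after a rule ending in `protocol = "UDP"`, so everything between the two markers is disabled, not just ldap. The eight lines between the hunks are not visible here, but that is more than ldap's remaining attributes, so at least one further domain-controller rule appears to have been swallowed by the comment while the FIXME names only ldap. Worth confirming that rule is meant to be off too, and widening the FIXME to list every rule inside the span so they are all restored together, e.g. `/* FIXME: add ldap and the following UDP rule back in`. The second security group repeats the same pattern across the later `/* } FIXME: add this back in` … `} */` hunks.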
@@ -189,6 +164,24 @@ locals {
 protocol = "UDP"
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
+ } */
+ https = {
+ description = "Allow ingress from port 443"
+ from_port = 443
+ to_port = 443
+ protocol = "TCP"
+ cidr_blocks = ["10.0.0.0/8"]
+ security_groups = []
+ }
+ smb = {
+ description = "Allow ingress Azure domain controllers"
+ from_port = 445
+ to_port = 445
+ protocol = "TCP"
+ cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
+ # cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
+ # cidr_blocks = ["10.102.0.196/32"]
+ security_groups = []
 }
 ldap_ssl = {
 description = "Allow ingress Azure domain controllers"
@@ -206,34 +199,26 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- rpc = {
- description = "Allow ingress Azure domain controllers"
- from_port = 135
- to_port = 135
+ rdp = {
+ description = "Allow ingress from port 3389"
+ from_port = 3389
+ to_port = 3389
 protocol = "TCP"
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
+ cidr_blocks = local.security_group_cidrs.rdp.inbound
 security_groups = []
 }
- rpc_dynamic = {
+ active_directory_web_services = {
 description = "Allow ingress Azure domain controllers"
- from_port = 49152
- to_port = 65535
+ from_port = 9389
+ to_port = 9389
 protocol = "TCP"
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- netbios = {
- description = "Allow ingress Azure domain controllers"
- from_port = 137
- to_port = 139
- protocol = -1
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
- security_groups = []
- }
- active_directory_web_services = {
+ rpc_dynamic = {
 description = "Allow ingress Azure domain controllers"
- from_port = 9389
- to_port = 9389
+ from_port = 49152
+ to_port = 65535
 protocol = "TCP"
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
@@ -310,23 +295,6 @@ locals {
 protocol = -1
 self = true
 }
- # NOTE: this is a bit redundant as mod-platform does not allow http connections
- http = {
- description = "Allow ingress from port 80"
- from_port = 80
- to_port = 80
- protocol = "TCP"
- cidr_blocks = ["10.0.0.0/8"]
- security_groups = []
- }
- https = {
- description = "Allow ingress from port 443"
- from_port = 443
- to_port = 443
- protocol = "TCP"
- cidr_blocks = ["10.0.0.0/8"]
- security_groups = []
- }
 ssh = {
 description = "Allow SSH ingress"
 from_port = 22
@@ -335,33 +303,41 @@ locals {
 cidr_blocks = local.security_group_cidrs.ssh
 security_groups = []
 }
- rdp = {
- description = "Allow ingress from port 3389"
- from_port = 3389
- to_port = 3389
+ dns = {
+ description = "Allow ingress Azure domain controllers"
+ from_port = 53
+ to_port = 53
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.rdp.inbound
+ cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- smb = {
- description = "Allow ingress Azure domain controllers"
- from_port = 445
- to_port = 445
- protocol = "TCP"
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
- # cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
- # cidr_blocks = ["10.102.0.196/32"]
+ # NOTE: this is a bit redundant as mod-platform does not allow http connections
+ http = {
+ description = "Allow ingress from port 80"
+ from_port = 80
+ to_port = 80
+ protocol = "TCP"
+ cidr_blocks = ["10.0.0.0/8"]
 security_groups = []
 }
- dns = {
+ rpc = {
 description = "Allow ingress Azure domain controllers"
- from_port = 53
- to_port = 53
+ from_port = 135
+ to_port = 135
 protocol = "TCP"
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- ldap = {
+ /* } FIXME: add this back in
+ netbios = {
+ description = "Allow ingress Azure domain controllers"
+ from_port = 137
+ to_port = 139
+ protocol = -1
+ cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
+ security_groups = []
+ } */
+ /* ldap = { FIXME: add this back in
 description = "Allow ingress Azure domain controllers"
 from_port = 389
 to_port = 389
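Review bot: The comment opener `/* } FIXME: add this back in` carries a stray `}` that reads as if a closing brace had been commented out; the first security group opens the same span as `/* netbios = { FIXME: add this back in`, and this one should match it so the disabled region visibly starts at the rule name. The disabled netbios rule also keeps `protocol = -1` together with `from_port = 137` and `to_port = 139`; in a security group rule `-1` means every protocol and the port range is not applied, so re-enabling it as written would admit all traffic from the domain-controller CIDRs rather than NetBIOS only. Before the FIXME is resolved the rule should name `"TCP"` and `"UDP"` explicitly (as two rules if both are needed) so the 137-139 range is actually enforced. The same `protocol = -1` netbios block sits inside the comment in the earlier hunk for the first security group.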
@@ -376,7 +352,26 @@ locals {
 protocol = "UDP"
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
+ } */
+ https = {
+ description = "Allow ingress from port 443"
+ from_port = 443
+ to_port = 443
+ protocol = "TCP"
+ cidr_blocks = ["10.0.0.0/8"]
+ security_groups = []
 }
+ smb = {
+ description = "Allow ingress Azure domain controllers"
+ from_port = 445
+ to_port = 445
+ protocol = "TCP"
+ cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
+ # cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
+ # cidr_blocks = ["10.102.0.196/32"]
+ security_groups = []
+ }
+
 ldap_ssl = {
 description = "Allow ingress Azure domain controllers"
 from_port = 636
@@ -393,20 +388,12 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- rpc = {
- description = "Allow ingress Azure domain controllers"
- from_port = 135
- to_port = 135
+ rdp = {
+ description = "Allow ingress from port 3389"
+ from_port = 3389
+ to_port = 3389
 protocol = "TCP"
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
- security_groups = []
- }
- netbios = {
- description = "Allow ingress Azure domain controllers"
- from_port = 137
- to_port = 139
- protocol = -1
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
+ cidr_blocks = local.security_group_cidrs.rdp.inbound
 security_groups = []
 }
 active_directory_web_services = {
@@ -473,22 +460,6 @@ locals {
 # cidr_blocks = ["10.0.0.0/8"]
 # security_groups = []
 # }
- # http49152_65535 = {
- # description = "Allow ingress from port 49152-65535"
- # from_port = 49152-65535
- # to_port = 49152-65535
- # protocol = "TCP"
- # cidr_blocks = ["10.0.0.0/8"]
- # security_groups = []
- # }
- # http445 = {
- # description = "Allow ingress from port 445"
- # from_port = 445
- # to_port = 445
- # protocol = "TCP"
- # cidr_blocks = ["10.0.0.0/8"]
- # security_groups = []
- # }
 # http45054 = {
 # description = "Allow ingress from port 45054"
 # from_port = 45054
@@ -543,14 +514,6 @@ locals {
 cidr_blocks = local.security_group_cidrs.ssh
 security_groups = []
 }
- # http49152_65535 = {
- # description = "Allow ingress from port 49152-65535"
- # from_port = 49152-65535
- # to_port = 49152-65535
- # protocol = "TCP"
- # cidr_blocks = ["10.0.0.0/8"]
- # security_groups = []
- # }
 # http41521 = {
 # description = "Allow ingress from port 1521"
 # from_port = 1521
@@ -611,7 +574,6 @@ locals {
 security_groups = []
 }
 }
- }
 }
 }