add dev jumpservers to rdp port allow range, fix ldap and netbios rul…

…es (#3298) * add dev jumpservers to rdp port allow range, fix ldap and netbios rules * add RDGateway subnet * rename * there's 2 of them * change name to debug issue * change name to trigger plan * delete rules * comment back in * comment out problematic rules
ministryofjustice · Sep 6, 2023 · e1a61a1 · e1a61a1
1 parent d1f5f5d
commit e1a61a1
Showing 1 changed file with 9 additions and 26 deletions.
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -12,7 +12,7 @@ locals {
       module.ip_addresses.azure_fixngo_cidrs.internet_egress,
     ])
     rdp = {
-      inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.3.0/26"]
+      inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.3.0/26", "10.102.1.64/26", "10.102.0.128/26"]
     }
     oracle_db = flatten([
       module.ip_addresses.azure_fixngo_cidrs.devtest,
@@ -141,27 +141,19 @@ locals {
           cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
           security_groups = []
         }
-        /* netbios = {   FIXME: add this back in
+        /* netbios = {
           description     = "Allow ingress Azure domain controllers"
           from_port       = 137
           to_port         = 139
           protocol        = -1
           cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
           security_groups = []
-        } */
-        /* ldap = { FIXME: add this back in
-          description     = "Allow ingress Azure domain controllers"
-          from_port       = 389
-          to_port         = 389
-          protocol        = "TCP"
-          cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
-          security_groups = []
         }
-        ldap_udp = {
-          description     = "Allow ingress Azure domain controllers"
+        ldap = {
+          description     = "Allow LDAP ingress from Azure domain controllers"
           from_port       = 389
           to_port         = 389
-          protocol        = "UDP"
+          protocol        = -1
           cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
           security_groups = []
         } */
@@ -328,28 +320,19 @@ locals {
           cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
           security_groups = []
         }
-        /* } FIXME: add this back in 
-        netbios = {
+        /* netbios = {
           description     = "Allow ingress Azure domain controllers"
           from_port       = 137
           to_port         = 139
           protocol        = -1
           cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
           security_groups = []
-        } */
-        /* ldap = {  FIXME: add this back in 
-          description     = "Allow ingress Azure domain controllers"
-          from_port       = 389
-          to_port         = 389
-          protocol        = "TCP"
-          cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
-          security_groups = []
         }
-        ldap_udp = {
-          description     = "Allow ingress Azure domain controllers"
+        ldap = {
+          description     = "Allow LDAP ingress from Azure domain controllers"
           from_port       = 389
           to_port         = 389
-          protocol        = "UDP"
+          protocol        = -1
           cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
           security_groups = []
         } */