From cce608f59b802efbadf3fcbd15584beb74490130 Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 15:12:22 +0100
Subject: [PATCH 1/9] add dev jumpservers to rdp port allow range, fix ldap and netbios rules
---
 .../locals_security_groups.tf | 33 +++++--------------
 1 file changed, 8 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 3cb7fe35157..b72cd64f6d4 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -12,7 +12,7 @@ locals {
 module.ip_addresses.azure_fixngo_cidrs.internet_egress,
 ])
 rdp = {
- inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.3.0/26"]
+ inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.3.0/26", "10.102.1.64/26"]
 }
 oracle_db = flatten([
 module.ip_addresses.azure_fixngo_cidrs.devtest,
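Review bot: The new RDP source `10.102.1.64/26` on the `+ inbound` line is a bare literal with nothing in the file saying which network it is, whereas the other rules in this series resolve their sources through `module.ip_addresses`. The commit subject is the only place "dev jumpservers" is recorded, so the next reader of `rdp.inbound` has to reverse-engineer four anonymous ranges (five once patch 2 adds `10.102.0.128/26`) before deciding whether any can be removed. I would either add these ranges to the shared IP module so they carry a name, or at minimum annotate each entry, e.g. `"10.102.1.64/26", # dev jumpserver subnet` and `"10.102.0.128/26", # RDGateway subnet`. The same applies to the RDGateway hunk in patch 2; the enclosing `locals` block starts and ends outside this hunk.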
@@ -141,30 +141,22 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- /* netbios = { FIXME: add this back in
+ netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- } */
- /* ldap = { FIXME: add this back in
- description = "Allow ingress Azure domain controllers"
- from_port = 389
- to_port = 389
- protocol = "TCP"
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
- security_groups = []
 }
- ldap_udp = {
+ ldap = {
 description = "Allow ingress Azure domain controllers"
 from_port = 389
 to_port = 389
- protocol = "UDP"
+ protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- } */
+ }
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
@@ -328,7 +320,6 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- /* } FIXME: add this back in
 netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
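Review bot: `+ protocol = -1` on the new `ldap` entry (and on the `netbios` entry re-enabled in the same hunk) does not mean "TCP and UDP": in AWS security-group terms `-1` is all protocols, and with it `from_port`/`to_port` are not a port restriction, so each rule admits every port from every domain controller address rather than 389 or 137–139. That is much wider than the explicit `"TCP"`/`"UDP"` pair the hunk removes, and if these locals feed `aws_security_group_rule` (not visible from here) the provider's validation rejects an all-protocol rule whose ports are not both 0, which may be the plan problem the later patches in this series are chasing. Keep the protocol explicit by restoring the split into `ldap_tcp` and `ldap_udp` as below, and give `netbios` the same treatment for 137–139. The hunk at `@@ -336,23 +327,15 @@` in the second `locals` copy makes the identical change; the enclosing `locals` block starts and ends outside both hunks.
```hcl
# … unchanged: netbios entry (apply the same TCP/UDP split there) …
ldap_tcp = {
  description     = "Allow ingress Azure domain controllers"
  from_port       = 389
  to_port         = 389
  protocol        = "TCP"
  cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
  security_groups = []
}
ldap_udp = {
  description     = "Allow ingress Azure domain controllers"
  from_port       = 389
  to_port         = 389
  protocol        = "UDP"
  cidr_blocks     = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
  security_groups = []
}
# … unchanged: https entry …
```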
@@ -336,23 +327,15 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- } */
- /* ldap = { FIXME: add this back in
- description = "Allow ingress Azure domain controllers"
- from_port = 389
- to_port = 389
- protocol = "TCP"
- cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
- security_groups = []
 }
- ldap_udp = {
+ ldap = {
 description = "Allow ingress Azure domain controllers"
 from_port = 389
 to_port = 389
- protocol = "UDP"
+ protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- } */
+ }
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
From 82adf8230943ee43a534291095cafe87811c8fba Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 15:25:01 +0100
Subject: [PATCH 2/9] add RDGateway subnet
---
 .../corporate-staff-rostering/locals_security_groups.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index b72cd64f6d4..608d854bce8 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -12,7 +12,7 @@ locals {
 module.ip_addresses.azure_fixngo_cidrs.internet_egress,
 ])
 rdp = {
- inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.3.0/26", "10.102.1.64/26"]
+ inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.3.0/26", "10.102.1.64/26", "10.102.0.128/26"]
 }
 oracle_db = flatten([
 module.ip_addresses.azure_fixngo_cidrs.devtest,
From 2fb51e906cb0d1d133b19f0abaf1d24f729c66bb Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 15:32:44 +0100
Subject: [PATCH 3/9] rename
---
 .../corporate-staff-rostering/locals_security_groups.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 608d854bce8..6a50e799df0 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -149,7 +149,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- ldap = {
+ ldap_new = {
 description = "Allow ingress Azure domain controllers"
 from_port = 389
 to_port = 389
From df8a3d39d75e13a445d3b80073a191eff2d224dd Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 15:36:33 +0100
Subject: [PATCH 4/9] there's 2 of them
---
 .../corporate-staff-rostering/locals_security_groups.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 6a50e799df0..912df636520 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -328,7 +328,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- ldap = {
+ ldap_new = {
 description = "Allow ingress Azure domain controllers"
 from_port = 389
 to_port = 389
From 395f83d9c79e47a5e86681465f1a99ffc00aef3d Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 15:53:17 +0100
Subject: [PATCH 5/9] change name to debug issue
---
 .../corporate-staff-rostering/locals_security_groups.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 912df636520..73e756bd394 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -149,8 +149,8 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- ldap_new = {
- description = "Allow ingress Azure domain controllers"
+ ldap = {
+ description = "Allow ingress Azure domain controllers for LDAP"
 from_port = 389
 to_port = 389
 protocol = -1
@@ -328,8 +328,8 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- ldap_new = {
- description = "Allow ingress Azure domain controllers"
+ ldap = {
+ description = "Allow ingress Azure domain controllers for LDAP"
 from_port = 389
 to_port = 389
 protocol = -1
From 4ddccf9097d765ee941867d9f4a7e330792af00b Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 16:10:41 +0100
Subject: [PATCH 6/9] change name to trigger plan
---
 .../corporate-staff-rostering/locals_security_groups.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index 73e756bd394..f247bdce79c 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -150,7 +150,7 @@ locals {
 security_groups = []
 }
 ldap = {
- description = "Allow ingress Azure domain controllers for LDAP"
+ description = "Allow LDAP ingress from Azure domain controllers"
 from_port = 389
 to_port = 389
 protocol = -1
@@ -329,7 +329,7 @@ locals {
 security_groups = []
 }
 ldap = {
- description = "Allow ingress Azure domain controllers for LDAP"
+ description = "Allow LDAP ingress from Azure domain controllers"
 from_port = 389
 to_port = 389
 protocol = -1
From 120d0804a11a943fc14dd1ae6703dc6ea7e0685d Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 17:02:37 +0100
Subject: [PATCH 7/9] delete rules
---
 .../corporate-staff-rostering/locals_security_groups.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index f247bdce79c..ac250831800 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -141,7 +141,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- netbios = {
+ /* netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
@@ -156,7 +156,7 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- }
+ } */
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
@@ -320,7 +320,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- netbios = {
+ /* netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
@@ -335,7 +335,7 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- }
+ } */
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
From 8cd2affa9071b4a1c85e5e991c3288a19b0bc630 Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 17:07:24 +0100
Subject: [PATCH 8/9] comment back in
---
 .../corporate-staff-rostering/locals_security_groups.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index ac250831800..f247bdce79c 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -141,7 +141,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- /* netbios = {
+ netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
@@ -156,7 +156,7 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- } */
+ }
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
@@ -320,7 +320,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- /* netbios = {
+ netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
@@ -335,7 +335,7 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- } */
+ }
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
From c667ce235773c4a837feaa18cad1188892b8b87e Mon Sep 17 00:00:00 2001
From: robertsweetman
Date: Wed, 6 Sep 2023 17:28:46 +0100
Subject: [PATCH 9/9] comment out problematic rules
---
 .../corporate-staff-rostering/locals_security_groups.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
index f247bdce79c..ac250831800 100644
--- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf
@@ -141,7 +141,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- netbios = {
+ /* netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
@@ -156,7 +156,7 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- }
+ } */
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
@@ -320,7 +320,7 @@ locals {
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
 }
- netbios = {
+ /* netbios = {
 description = "Allow ingress Azure domain controllers"
 from_port = 137
 to_port = 139
@@ -335,7 +335,7 @@ locals {
 protocol = -1
 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
 security_groups = []
- }
+ } */
 https = {
 description = "Allow ingress from port 443"
 from_port = 443
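Review bot: The comment opened at `+ /* netbios = {` and closed at `+ } */` fifteen lines later disables both the `netbios` and the `ldap` entry in each `locals` copy, but unlike the `FIXME: add this back in` markers patch 1 removed, it records neither why the rules are disabled nor who is expected to restore them; the subject line only says "problematic". Since this patch also returns the file to the same blob patch 7 produced (`index f247bdce79c..ac250831800`), patches 7–9 net out to patch 7 and could be squashed before merge. I would at least reinstate a marker on the opening line, e.g. `/* FIXME(<owner>): netbios and ldap ingress from the domain controllers disabled on <DATE> because <reason>; re-enable with explicit TCP/UDP protocols once resolved`. The second `locals` copy at `@@ -320,7 +320,7 @@` needs the same note, and the enclosing `locals` block starts and ends outside all four hunks.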