-
Notifications
You must be signed in to change notification settings - Fork 61
/
Copy pathsecurity_group.tf
76 lines (63 loc) · 2.46 KB
/
security_group.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
##################
# security group for bastion_service
##################
resource "aws_security_group" "bastion_service" {
name_prefix = var.service_name == "bastion-service" ? format("%s-%s", var.environment_name, var.service_name) : var.service_name
description = "Bastion service"
revoke_rules_on_delete = true
vpc_id = var.vpc
tags = var.tags
lifecycle {
create_before_destroy = true
}
}
##################
# security group rules for bastion_service
##################
# SSH access in from whitelist IP ranges
resource "aws_security_group_rule" "service_ssh_in" {
count = local.cidr_blocks_whitelist_service_yes //? 1 : 0
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.cidr_blocks_whitelist_service
security_group_id = aws_security_group.bastion_service.id
description = "bastion service access"
}
# SSH access in from whitelist IP ranges for Bastion Host - conditional
resource "aws_security_group_rule" "host_ssh_in_cond" {
count = local.hostport_whitelisted ? 1 : 0
type = "ingress"
from_port = 2222
to_port = 2222
protocol = "tcp"
cidr_blocks = var.cidr_blocks_whitelist_host
security_group_id = aws_security_group.bastion_service.id
description = "bastion HOST access"
}
# Default egress policy permissive for users to be able to install their own packages - conditional
resource "aws_security_group_rule" "bastion_host_out" {
count = var.custom_outbound_security_group == false ? 1 : 0
type = "egress"
from_port = 0
to_port = 65535
protocol = -1
security_group_id = aws_security_group.bastion_service.id
cidr_blocks = ["0.0.0.0/0"]
description = "bastion service and host egress"
}
# access from lb cidr ranges for healthchecks
data "aws_subnet" "lb_subnets" {
count = length(var.subnets_lb)
id = var.subnets_lb[count.index]
}
resource "aws_security_group_rule" "lb_healthcheck_in" {
security_group_id = aws_security_group.bastion_service.id
cidr_blocks = data.aws_subnet.lb_subnets.*.cidr_block
from_port = var.lb_healthcheck_port
to_port = var.lb_healthcheck_port
protocol = "tcp"
type = "ingress"
description = "access from load balancer CIDR ranges for healthchecks"
}