-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathnsgs.tf
148 lines (139 loc) · 6.22 KB
/
nsgs.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
####################################################################################
## Network Security Groups for Private subnets
####################################################################################
resource "azurerm_network_security_group" "private_dmz" {
name = "${module.private_vnet.vnet_name}-dmz"
location = var.location
resource_group_name = module.private_vnet.vnet_rg_name
# No security rule: using 'azurerm_network_security_rule' to allow composition across files
tags = local.default_tags
}
resource "azurerm_subnet_network_security_group_association" "private_dmz" {
subnet_id = module.private_vnet.subnets["private-vnet-dmz"]
network_security_group_id = azurerm_network_security_group.private_dmz.id
}
resource "azurerm_network_security_rule" "deny_all_from_vnet" {
name = "deny-all-from-vnet"
# Priority should be the highest value possible (lower than the default 65000 "default" rules not overidable) but higher than the other security rules
# ref. https://github.com/hashicorp/terraform-provider-azurerm/issues/11137 and https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#priority
priority = 4096
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefixes = module.private_vnet.vnet_address_space
destination_address_prefix = "*"
resource_group_name = module.private_vnet.vnet_rg_name
network_security_group_name = azurerm_network_security_group.private_dmz.name
}
resource "azurerm_network_security_rule" "deny_all_to_vnet" {
name = "deny-all-to-vnet"
# Priority should be the highest value possible (lower than the default 65000 "default" rules not overidable) but higher than the other security rules
# ref. https://github.com/hashicorp/terraform-provider-azurerm/issues/11137 and https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#priority
priority = 4095
direction = "Outbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefixes = module.private_vnet.vnet_address_space
resource_group_name = module.private_vnet.vnet_rg_name
network_security_group_name = azurerm_network_security_group.private_dmz.name
}
####################################################################################
## Network Security Groups for Public subnets
####################################################################################
resource "azurerm_network_security_group" "public_apptier" {
name = "${module.public_vnet.vnet_rg_name}-nsg-apptier"
location = var.location
resource_group_name = module.public_vnet.vnet_rg_name
# No security rule: using 'azurerm_network_security_rule' to allow composition across files
tags = local.default_tags
## Inbound rules
#trivy:ignore:azure-network-no-public-ingress
security_rule {
name = "allow-http-inbound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
}
#trivy:ignore:azure-network-no-public-ingress
security_rule {
name = "allow-https-inbound"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
}
#trivy:ignore:azure-network-no-public-ingress
security_rule {
name = "allow-ldap-inbound"
priority = 102
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "636"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "allow-rsyncd-inbound"
priority = 103
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "873"
# 52.202.51.185: pkg.origin.jenkins.io
# TODO: replace by the object reference data when all DNS entries will be imported
source_address_prefixes = ["52.202.51.185/32"]
destination_address_prefix = "*"
}
security_rule {
name = "allow-private-ssh-inbound"
priority = 4001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefixes = module.private_vnet.vnet_address_space
destination_address_prefix = "*"
}
## Outbound rules
security_rule {
name = "allow-puppet-outbound"
priority = 2100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "8140"
source_address_prefix = "*"
destination_address_prefixes = module.private_vnet.vnet_address_space
}
#trivy:ignore:azure-network-no-public-egress
security_rule {
name = "allow-https-outbound"
priority = 2101
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}