Network security groups #117

Merged
merged 15 commits into from
Feb 15, 2024

Conversation

bryan-bar
Collaborator

@bryan-bar bryan-bar commented Feb 7, 2024

BREAKING CHANGES:

  • service_cidrblocks default open access removed. This can lead to unexpected open ports and expose resources that are not properly secured. You can still manually set 0.0.0.0/0 or make use of the new CLI options to dynamically set the service CIDR blocks.

Changes:

  • service_cidrblocks can be updated with a list of CIDRs to amend the IP allowlist for service connections.
    • TF_VAR_service_cidrblocks='["100.100.200.4/32"]' terraform apply
  • force_dynamic_ip can be set to fetch the controller's IP to be appended to the service_cidrblocks.
    • TF_VAR_force_dynamic_ip=true terraform apply
  • region_ports merged under port with defaults = internal
  • service_ports merged under port with defaults = service
  • port defaults are unused by default to avoid unexpected open connections.
  • 4 port defaults options are available:
    • internal - region cidrblocks for internal networking
    • public - any access cidrblocks
    • service - service access cidrblocks
    • "" - no cidrblock defaults
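The allowlist assembly described above (explicit CIDRs, an optionally appended controller IP, and no 0.0.0.0/0 default), as an added shell helper that is not part of this PR or the module: it assumes a hypothetical function name `build_service_cidrblocks` and an `ALLOW_OPEN` override variable, and emits the JSON list that `TF_VAR_service_cidrblocks` expects.

```shell
#!/bin/sh
# Added helper (hypothetical, not from the module): build the JSON list for
# TF_VAR_service_cidrblocks, validating every entry and refusing the wide-open
# 0.0.0.0/0 unless the caller sets ALLOW_OPEN=1 explicitly.

# Return 0 if $1 is an IPv4 CIDR of the form a.b.c.d/n (octets 0-255, n 0-32).
is_ipv4_cidr() {
  local cidr="$1" ip prefix octet
  ip="${cidr%/*}"; prefix="${cidr#*/}"
  [ "$ip" != "$cidr" ] || return 1               # no "/" present at all
  case "$prefix" in ''|*[!0-9]*) return 1;; esac  # prefix must be digits
  [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $ip                                      # split into octets
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Usage: build_service_cidrblocks CONTROLLER_IP CIDR...
# CONTROLLER_IP is appended as a /32 (the force_dynamic_ip behaviour); pass ""
# to skip it. Prints the JSON list on success, prints nothing and returns 1 on
# any invalid or refused entry, so a bad value never reaches terraform.
build_service_cidrblocks() {
  local controller="$1"; shift
  local out="" cidr
  for cidr in "$@"; do
    is_ipv4_cidr "$cidr" || { echo "invalid cidr: $cidr" >&2; return 1; }
    if [ "$cidr" = "0.0.0.0/0" ] && [ "${ALLOW_OPEN:-0}" != "1" ]; then
      echo "refusing 0.0.0.0/0 (open to everyone); set ALLOW_OPEN=1 to override" >&2
      return 1
    fi
    out="${out:+$out,}\"$cidr\""
  done
  if [ -n "$controller" ]; then
    is_ipv4_cidr "$controller/32" || { echo "invalid controller ip: $controller" >&2; return 1; }
    out="${out:+$out,}\"$controller/32\""
  fi
  printf '[%s]\n' "$out"
}

# Example invocation (constructed): allowlist an office range plus this host's
# public IP, then apply. Replace the IP lookup with whatever source you trust.
#   TF_VAR_service_cidrblocks="$(build_service_cidrblocks "$(curl -fsS https://checkip.amazonaws.com)" 10.20.0.0/16)" terraform apply
```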

@bryan-bar bryan-bar force-pushed the service-ports branch 9 times, most recently from d266e89 to 3a21f09 on February 15, 2024 02:21
Contributor

@alfer-edb alfer-edb left a comment

lgtm

@bryan-bar bryan-bar force-pushed the service-ports branch 2 times, most recently from 599cb88 to c9faf4a on February 15, 2024 20:58
…nd allow for setting of defaults to internal, public, or service
…d allow for setting of defaults to internal, public, or service
…allow for setting of defaults to internal, public, or service
…s_ports combined as a single list and assigned defaults=service or defaults=internal.
…amic ip may be added to the service_cidrblocks. 0.0.0.0/0 will no longer be set a default to avoid accidental exposure of resources.
…ps to make use of changes and restrict ips to instance when used within the machine module.
…ups to make use of changes and restrict ips to instance when used within the machine module.
…cks' variable so that a list of cidrblocks can be set to restrict 'public' ports
…ds. We should always run 'terraform state list' to see if a remote backend is set.
…dalone block and each aliased block still requires the features block
- Update docs and examples for networking
- Update aws cli install example with v2.
…idr range so port rules only target the region it is configured in. This is not needed for AWS since a security group is created and attached to the VPC.
@bryan-bar bryan-bar merged commit a83be6f into main Feb 15, 2024
@bryan-bar bryan-bar deleted the service-ports branch February 15, 2024 22:48