From 6614d74e3e0f3c351df0ec78b162bd9d20d8a1d3 Mon Sep 17 00:00:00 2001 From: Basil Vandegriend Date: Mon, 16 Oct 2023 11:16:09 -0600 Subject: [PATCH] fix: #938 Remove unnecessary flows from nsgs based on security reviews. (#960) --- .../server/network_security_groups.tf | 81 ++----------------- terraform/tools/terragrunt.hcl | 8 +- 2 files changed, 11 insertions(+), 78 deletions(-) diff --git a/infrastructure/server/network_security_groups.tf b/infrastructure/server/network_security_groups.tf index 122c46a9f..4813d2108 100644 --- a/infrastructure/server/network_security_groups.tf +++ b/infrastructure/server/network_security_groups.tf @@ -9,40 +9,16 @@ resource "aws_security_group" "fam_app_sg" { managed-by = "terraform" } - ingress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["10.10.32.0/20", "10.10.128.0/20"] - description = "Central VPC Traffic Inbound from Web subnets" - } - - ingress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["10.10.0.0/19", "10.10.96.0/19"] - description = "Central VPC Traffic Inbound from App subnets" - } - - ingress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["10.10.64.0/21", "10.10.72.0/21"] - description = "Central VPC Traffic Inbound from Mgmt subnets" - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - description = "Allow All Outbound Traffic" - } +} +resource "aws_vpc_security_group_egress_rule" "fam_app_sg_outbound" { + security_group_id = aws_security_group.fam_app_sg.id + cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "-1" + description = "Allow All Outbound Traffic" } + resource "aws_security_group" "fam_data_sg" { name = "fam_data_sg" description = "FAM custom security group for data tier." 
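Review bot: Deleting the three inline `ingress` blocks from `aws_security_group.fam_app_sg` does not by itself guarantee the central-VPC inbound allowances (10.10.32.0/20, 10.10.128.0/20, 10.10.0.0/19, 10.10.96.0/19, 10.10.64.0/21, 10.10.72.0/21) are revoked on the deployed group: in the AWS provider the `ingress`/`egress` arguments are optional and computed, so when they are simply absent from the configuration the plan may show no change to the group while the rules stay in effect (provider-version dependent; verify against the plan output). Since this group has no standalone ingress-rule resources, the intent of the security review can be made enforceable with an explicit empty set in the resource body, `ingress = []`, which makes Terraform manage inbound as "none" and revoke anything left over. Do not add `egress = []` in the same way, because the new `aws_vpc_security_group_egress_rule.fam_app_sg_outbound` manages egress out-of-line and an inline empty set would fight it on every apply; a lingering inline all-out rule would instead surface as a duplicate-rule error when the standalone rule is created, which is worth checking for on first apply. The `fam_app_sg` resource block begins before this hunk. As a follow-up in the spirit of the same review, the app tier's outbound rule remains `0.0.0.0/0` on all protocols; if the lambdas only need to reach the data tier and a known set of endpoints, scoping it would complete the "unnecessary flows" cleanup.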
@@ -70,52 +46,9 @@ resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_postgres" {
 description = "Allow traffic to database from FAM application tier (lambdas)."
 }
 
-resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_web_a" {
- security_group_id = aws_security_group.fam_data_sg.id
- cidr_ipv4 = "10.10.32.0/20"
- ip_protocol = "-1"
- description = "Central VPC Traffic Inbound from Web-a"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_web_b" {
- security_group_id = aws_security_group.fam_data_sg.id
- cidr_ipv4 = "10.10.128.0/20"
- ip_protocol = "-1"
- description = "Central VPC Traffic Inbound from Web-b"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_app_a" {
- security_group_id = aws_security_group.fam_data_sg.id
- cidr_ipv4 = "10.10.0.0/19"
- ip_protocol = "-1"
- description = "Central VPC Traffic Inbound from App-a"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_app_b" {
- security_group_id = aws_security_group.fam_data_sg.id
- cidr_ipv4 = "10.10.96.0/19"
- ip_protocol = "-1"
- description = "Central VPC Traffic Inbound from App-b"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_mgmt_a" {
- security_group_id = aws_security_group.fam_data_sg.id
- cidr_ipv4 = "10.10.64.0/21"
- ip_protocol = "-1"
- description = "Central VPC Traffic Inbound from Mgmt-a"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_mgmt_b" {
- security_group_id = aws_security_group.fam_data_sg.id
- cidr_ipv4 = "10.10.72.0/21"
- ip_protocol = "-1"
- description = "Central VPC Traffic Inbound from Mgmt-b"
-}
-
 resource "aws_vpc_security_group_egress_rule" "fam_data_sg_outbound" {
 security_group_id = aws_security_group.fam_data_sg.id
 cidr_ipv4 = "0.0.0.0/0"
 ip_protocol = "-1"
 description = "Allow All Outbound Traffic"
 }
-
diff --git a/terraform/tools/terragrunt.hcl b/terraform/tools/terragrunt.hcl
index e83c7289d..7861b88fc 100644
--- a/terraform/tools/terragrunt.hcl
+++ b/terraform/tools/terragrunt.hcl
@@ -28,16 +28,16 @@ generate "tools_tfvars" {
 prod = "${local.common_vars.inputs.idp_logout_chain_prod_url}"
 tools = "${local.common_vars.inputs.idp_logout_chain_tools_url}"
 }
- front_end_redirect_path = "https://d3d7kmp8kmi5ix.cloudfront.net"
+ front_end_redirect_path = "https://fam-tools.nrs.gov.bc.ca"
 fam_callback_urls = [
- "https://d3d7kmp8kmi5ix.cloudfront.net/authCallback",
+ "https://fam-tools.nrs.gov.bc.ca/authCallback",
 "http://localhost:5173/authCallback",
 "http://localhost:8000/docs/oauth2-redirect",
 "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
 ]
 fam_logout_urls = [
- "${local.common_vars.inputs.idp_logout_chain_dev_url}https://d3d7kmp8kmi5ix.cloudfront.net",
- "${local.common_vars.inputs.idp_logout_chain_dev_url}http://localhost:5173"
+ "${local.common_vars.inputs.idp_logout_chain_tools_url}https://fam-tools.nrs.gov.bc.ca",
+ "${local.common_vars.inputs.idp_logout_chain_tools_url}http://localhost:5173"
 ]
 fam_console_idp_name = "DEV-IDIR"
 forest_client_api_base_url = "https://nr-forest-client-api-test.api.gov.bc.ca"
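Review bot: The tools environment's callback and logout allow-lists now pair the production-style hostname `https://fam-tools.nrs.gov.bc.ca` with `http://localhost:5173`, `http://localhost:8000/docs/oauth2-redirect` and an external OIDC debugger URL as accepted redirect targets; every entry in `fam_callback_urls` widens the set of `redirect_uri` values the identity provider will honour, so confirm the non-tools entries are still required for this environment rather than carried over from dev. As a point of style, the new hostname is repeated three times in this hunk (redirect path, callback URL, logout URL); hoisting it into a local, e.g. a constructed `tools_front_end_url` in `locals`, and building the list entries from it would keep a future domain change to one line, as is already done for the logout-chain URLs via `local.common_vars.inputs`. The `generate "tools_tfvars"` block starts before this hunk.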