From de4d6cb2bb3daaadea13b7276096c6e3dbf43713 Mon Sep 17 00:00:00 2001
From: Mark Boyd
Date: Wed, 25 Sep 2024 15:18:16 -0400
Subject: [PATCH 1/3] refactor code to use separate TF resources for security group ingress/egress rules rather than inline blocks
---
 .../bosh_vpc/sg_restricted_web_traffic.tf | 67 ++++++++++++-------
 1 file changed, 44 insertions(+), 23 deletions(-)
diff --git a/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf b/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
index f8515c6d8..bd005bb78 100644
--- a/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
+++ b/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
@@ -10,31 +10,52 @@ resource "aws_security_group" "restricted_web_traffic" {
 description = "Restricted web type traffic"
 vpc_id = aws_vpc.main_vpc.id
- ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = sort(var.restricted_ingress_web_cidrs)
- ipv6_cidr_blocks = sort(var.restricted_ingress_web_ipv6_cidrs)
+ tags = {
+ Name = "${var.stack_description} - Restricted Incoming Web Traffic"
 }
+}
- ingress {
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = sort(var.restricted_ingress_web_cidrs)
- ipv6_cidr_blocks = sort(var.restricted_ingress_web_ipv6_cidrs)
- }
+resource "aws_vpc_security_group_ingress_rule" "http_ipv4_ingress_rules" {
+ for_each = var.restricted_ingress_web_cidrs
+ security_group_id = aws_security_group.restricted_web_traffic.id
+ cidr_ipv4 = each.value
+ from_port = 80
+ to_port = 80
+ ip_protocol = "tcp"
+}
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
- }
+resource "aws_vpc_security_group_ingress_rule" "http_ipv6_ingress_rules" {
+ for_each = var.restricted_ingress_web_ipv6_cidrs
+ security_group_id = aws_security_group.restricted_web_traffic.id
+ cidr_ipv6 = each.value
+ from_port = 80
+ to_port = 80
+ ip_protocol = "tcp"
+}
- tags = {
- Name = "${var.stack_description} - Restricted Incoming Web Traffic"
- }
+resource "aws_vpc_security_group_ingress_rule" "https_ipv4_ingress_rules" {
+ for_each = var.restricted_ingress_web_cidrs
+ security_group_id = aws_security_group.restricted_web_traffic.id
+ cidr_ipv4 = each.value
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "https_ipv6_ingress_rules" {
+ for_each = var.restricted_ingress_web_ipv6_cidrs
+ security_group_id = aws_security_group.restricted_web_traffic.id
+ cidr_ipv6 = each.value
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+}
+
+resource "aws_vpc_security_group_egress_rule" "all_egress" {
+ security_group_id = aws_security_group.restricted_web_traffic.id
+ from_port = 0
+ to_port = 0
+ ip_protocol = "-1"
+ cidr_ipv4 = ["0.0.0.0/0"]
+ cidr_ipv6 = ["::/0"]
 }
From 5b793531402674a86dcbdc2134785356b27f17bf Mon Sep 17 00:00:00 2001
From: Mark Boyd
Date: Wed, 25 Sep 2024 15:32:31 -0400
Subject: [PATCH 2/3] fix TF
---
 .../bosh_vpc/sg_restricted_web_traffic.tf | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf b/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
index bd005bb78..6b67447ea 100644
--- a/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
+++ b/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
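Review bot: Existing stacks already carry these permissions on the group from the inline blocks, and because `ingress`/`egress` on `aws_security_group` are computed attributes, removing the blocks does not by itself revoke them; the new `aws_vpc_security_group_ingress_rule` resources would then try to authorize permissions that are already present, which I expect to fail with a duplicate-permission error rather than adopt them — run a plan against an existing environment and import the current rules (Terraform `import` blocks or `terraform import`) before this is applied. The `from_port = 0` / `to_port = 0` lines on `all_egress` should be dropped: as I read the resource docs, the port range is not to be set when `ip_protocol` is `-1`, and the PATCH 3/3 hunk copies the same two lines into `all_egress_ipv6`. Each rule resource also accepts `description`; `description = "HTTP from restricted CIDR"` on the port-80 rules and `description = "HTTPS from restricted CIDR"` on the port-443 rules would make the intent visible in the console now that the rules are no longer grouped under the inline blocks. The enclosing `aws_security_group` block starts before this hunk.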
@@ -16,36 +16,36 @@ resource "aws_security_group" "restricted_web_traffic" {
 }
 resource "aws_vpc_security_group_ingress_rule" "http_ipv4_ingress_rules" {
- for_each = var.restricted_ingress_web_cidrs
+ for_each = toset(var.restricted_ingress_web_cidrs)
 security_group_id = aws_security_group.restricted_web_traffic.id
- cidr_ipv4 = each.value
+ cidr_ipv4 = each.key
 from_port = 80
 to_port = 80
 ip_protocol = "tcp"
 }
 resource "aws_vpc_security_group_ingress_rule" "http_ipv6_ingress_rules" {
- for_each = var.restricted_ingress_web_ipv6_cidrs
+ for_each = toset(var.restricted_ingress_web_ipv6_cidrs)
 security_group_id = aws_security_group.restricted_web_traffic.id
- cidr_ipv6 = each.value
+ cidr_ipv6 = each.key
 from_port = 80
 to_port = 80
 ip_protocol = "tcp"
 }
 resource "aws_vpc_security_group_ingress_rule" "https_ipv4_ingress_rules" {
- for_each = var.restricted_ingress_web_cidrs
+ for_each = toset(var.restricted_ingress_web_cidrs)
 security_group_id = aws_security_group.restricted_web_traffic.id
- cidr_ipv4 = each.value
+ cidr_ipv4 = each.key
 from_port = 443
 to_port = 443
 ip_protocol = "tcp"
 }
 resource "aws_vpc_security_group_ingress_rule" "https_ipv6_ingress_rules" {
- for_each = var.restricted_ingress_web_ipv6_cidrs
+ for_each = toset(var.restricted_ingress_web_ipv6_cidrs)
 security_group_id = aws_security_group.restricted_web_traffic.id
- cidr_ipv6 = each.value
+ cidr_ipv6 = each.key
 from_port = 443
 to_port = 443
 ip_protocol = "tcp"
@@ -56,6 +56,6 @@ resource "aws_vpc_security_group_egress_rule" "all_egress" {
 from_port = 0
 to_port = 0
 ip_protocol = "-1"
- cidr_ipv4 = ["0.0.0.0/0"]
- cidr_ipv6 = ["::/0"]
+ cidr_ipv4 = "0.0.0.0/0"
+ cidr_ipv6 = "::/0"
 }
From 1f3e93a708f7d0cb12b372382980302439061dbe Mon Sep 17 00:00:00 2001
From: Mark Boyd
Date: Wed, 25 Sep 2024 15:39:48 -0400
Subject: [PATCH 3/3] fix TF
---
 terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
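Review bot: Nothing in these four resources stops `0.0.0.0/0` or `::/0` from appearing in `var.restricted_ingress_web_cidrs` or `var.restricted_ingress_web_ipv6_cidrs`, and with `for_each = toset(...)` keyed on the CIDR such an entry silently becomes a world-open rule on a group whose name and description say "restricted". Unless the variables are validated where they are declared (outside this diff), a `lifecycle` precondition on each of the four rule resources rejects that at plan time, and the same check with `can(cidrhost(each.key, 0))` catches malformed entries that would otherwise surface only as an apply error. Note also that an empty list now yields no ingress rules at all, which is fail-closed and fine, but it means an accidentally empty allow-list is indistinguishable from a deliberate one at plan time.
```hcl
resource "aws_vpc_security_group_ingress_rule" "http_ipv4_ingress_rules" {
  for_each = toset(var.restricted_ingress_web_cidrs)
  # … unchanged: security_group_id, cidr_ipv4, from_port, to_port, ip_protocol …

  lifecycle {
    precondition {
      condition     = can(cidrhost(each.key, 0)) && !contains(["0.0.0.0/0", "::/0"], each.key)
      error_message = "restricted web ingress CIDRs must be valid and must not be 0.0.0.0/0 or ::/0"
    }
  }
}
# … same precondition on http_ipv6_ingress_rules, https_ipv4_ingress_rules, https_ipv6_ingress_rules …
```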
diff --git a/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf b/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
index 6b67447ea..12ed49f9b 100644
--- a/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
+++ b/terraform/modules/bosh_vpc/sg_restricted_web_traffic.tf
@@ -51,11 +51,18 @@ resource "aws_vpc_security_group_ingress_rule" "https_ipv6_ingress_rules" {
 ip_protocol = "tcp"
 }
-resource "aws_vpc_security_group_egress_rule" "all_egress" {
+resource "aws_vpc_security_group_egress_rule" "all_egress_ipv4" {
 security_group_id = aws_security_group.restricted_web_traffic.id
 from_port = 0
 to_port = 0
 ip_protocol = "-1"
 cidr_ipv4 = "0.0.0.0/0"
+}
+
+resource "aws_vpc_security_group_egress_rule" "all_egress_ipv6" {
+ security_group_id = aws_security_group.restricted_web_traffic.id
+ from_port = 0
+ to_port = 0
+ ip_protocol = "-1"
 cidr_ipv6 = "::/0"
 }
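Review bot: Renaming `all_egress` to `all_egress_ipv4` changes the resource address, so on any stack where the intermediate commit was applied Terraform will plan a destroy-and-create of the IPv4 egress rule instead of keeping it; a module-level `moved` block with `from = aws_vpc_security_group_egress_rule.all_egress` and `to = aws_vpc_security_group_egress_rule.all_egress_ipv4` keeps the existing rule in state. If the earlier single resource never applied (it set both `cidr_ipv4` and `cidr_ipv6`, which I believe this resource type rejects as mutually exclusive), the `moved` block is harmless but unnecessary. Both egress rules admit every protocol to any destination, unchanged from the inline `egress` block; a `description = "All outbound traffic (IPv4)"` / `description = "All outbound traffic (IPv6)"` on each rule makes that deliberate choice visible to whoever next audits the group.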