Merge pull request #10 from barracuda-cloudgen-access/bncga-1037-redi…

…s-sec-group BNCGA-1037 | Redis security group
barracuda-cloudgen-access · Aug 17, 2021 · 971021f · 971021f
2 parents 28c2483 + 25588ed
commit 971021f
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Change Log
 
+## v1.2.2
+
+- [aws-asg] Limit outbound to resource group.
+- [aws-asg] Add redis egress security group.
+
 ## v1.2.1
 
 - [aws-asg] Update terraform versions.

diff --git a/modules/aws-asg/README.md b/modules/aws-asg/README.md
@@ -12,9 +12,9 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.38 |
-| <a name="provider_null"></a> [null](#provider\_null) | ~> 3 |
-| <a name="provider_random"></a> [random](#provider\_random) | ~> 3 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.54.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.1.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 
@@ -43,7 +43,6 @@ No modules.
 | [aws_security_group.inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_security_group_rule.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [null_resource.tags_as_list_of_maps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_string.prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_ami.ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
@@ -69,7 +68,7 @@ No modules.
 | <a name="input_launch_cfg_associate_public_ip_address"></a> [launch\_cfg\_associate\_public\_ip\_address](#input\_launch\_cfg\_associate\_public\_ip\_address) | Associate a public ip address with an instance in a VPC | `bool` | `false` | no |
 | <a name="input_launch_cfg_instance_type"></a> [launch\_cfg\_instance\_type](#input\_launch\_cfg\_instance\_type) | The type of instance to use (e.g. t2.micro, t2.small, t2.medium, etc) | `string` | `"t2.small"` | no |
 | <a name="input_launch_cfg_key_pair_name"></a> [launch\_cfg\_key\_pair\_name](#input\_launch\_cfg\_key\_pair\_name) | The name of the key pair to use | `string` | n/a | yes |
-| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v1.2.1"` | no |
+| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v1.2.2"` | no |
 | <a name="input_nlb_enable_cross_zone_load_balancing"></a> [nlb\_enable\_cross\_zone\_load\_balancing](#input\_nlb\_enable\_cross\_zone\_load\_balancing) | Configure cross zone load balancing for the NLB | `bool` | `false` | no |
 | <a name="input_nlb_subnets"></a> [nlb\_subnets](#input\_nlb\_subnets) | A list of public subnet IDs to attach to the LB. Use Public Subnets only | `list(string)` | n/a | yes |
 | <a name="input_redis_subnets"></a> [redis\_subnets](#input\_redis\_subnets) | A list of subnet IDs to to use for the redis instances.<br>  At least two subnets on different Availability Zones must be provided | `list(any)` | `[]` | no |

diff --git a/modules/aws-asg/examples/README.md b/modules/aws-asg/examples/README.md
@@ -13,7 +13,7 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudgen-access-proxy"></a> [cloudgen-access-proxy](#module\_cloudgen-access-proxy) | git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.2.1 |  |
+| <a name="module_cloudgen-access-proxy"></a> [cloudgen-access-proxy](#module\_cloudgen-access-proxy) | git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg | v1.2.2 |
 | <a name="module_key_pair"></a> [key\_pair](#module\_key\_pair) | terraform-aws-modules/key-pair/aws | 1.0.0 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.0.0 |
 

diff --git a/modules/aws-asg/examples/cga_with_vpc.tf b/modules/aws-asg/examples/cga_with_vpc.tf
@@ -23,7 +23,7 @@ provider "aws" {
 #
 
 module "cloudgen-access-proxy" {
-  source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.2.1"
+  source = "git::git@github.com:barracuda-cloudgen-access/terraform-modules.git//modules/aws-asg?ref=v1.2.2"
 
   # More examples
   # run 'rm -rf .terraform/' after changing source

diff --git a/modules/aws-asg/main.tf b/modules/aws-asg/main.tf
@@ -14,7 +14,7 @@ resource "random_string" "prefix" {
 # Enrollment token
 #
 
-resource "aws_secretsmanager_secret" "token" {
+resource "aws_secretsmanager_secret" "token" { #tfsec:ignore:AWS095
   name                    = "cga_proxy_${random_string.prefix.result}_enrollment_token"
   description             = "CloudGen Access Proxy Enrollment Token"
   recovery_window_in_days = 0
@@ -116,6 +116,14 @@ resource "aws_security_group" "resources" {
   description = "Use this group to allow CloudGen Access Proxy to access internal resources"
   vpc_id      = data.aws_subnet.vpc_from_first_subnet.vpc_id
 
+  egress {
+    description = "Allow outbound to self"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    self        = true
+  }
+
   tags = {
     Name = "cga-proxy-${random_string.prefix.result}-resources"
   }
@@ -128,21 +136,25 @@ resource "aws_security_group" "redis" {
   description = "Used to allow CloudGen Access proxy to redis"
   vpc_id      = data.aws_subnet.vpc_from_first_subnet.vpc_id
 
-  tags = {
-    Name = "cga-proxy-${random_string.prefix.result}-redis"
+  ingress {
+    description = "Allow ingress to redis port from group members"
+    from_port   = 6379
+    to_port     = 6379
+    protocol    = "tcp"
+    self        = true
   }
-}
 
-resource "aws_security_group_rule" "redis" {
-  count = local.redis_enabled ? 1 : 0
+  egress {
+    description = "Allow outbound to self"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    self        = true
+  }
 
-  description       = "Allow ingress to redis port from group members"
-  type              = "ingress"
-  from_port         = 6379
-  to_port           = 6379
-  protocol          = "tcp"
-  self              = true
-  security_group_id = aws_security_group.redis[0].id
+  tags = {
+    Name = "cga-proxy-${random_string.prefix.result}-redis"
+  }
 }
 
 #
@@ -393,7 +405,7 @@ resource "aws_iam_role_policy" "redis" {
 # CloudWatch
 #
 
-resource "aws_cloudwatch_log_group" "cloudgen_access_proxy" {
+resource "aws_cloudwatch_log_group" "cloudgen_access_proxy" { #tfsec:ignore:AWS089
   count = var.cloudwatch_logs_enabled ? 1 : 0
 
   name              = "/aws/ec2/cga-proxy-${random_string.prefix.result}"

diff --git a/modules/aws-asg/variables.tf b/modules/aws-asg/variables.tf
@@ -44,7 +44,7 @@ variable "cloudgen_access_proxy_level" {
 variable "module_version" {
   description = "Terraform module version"
   type        = string
-  default     = "v1.2.1"
+  default     = "v1.2.2"
 }
 
 #