From 16efa0244fe4673e74091cf1a75673b9098acf5e Mon Sep 17 00:00:00 2001
From: Robert Sweetman
Date: Wed, 8 Jan 2025 17:22:31 +0000
Subject: [PATCH] add more security groups cause of limits (#9262) * add more security groups cause of limits * change fix to follow ncr approach
---
 .../oasys-national-reporting/locals_lbs.tf | 2 +-
 .../locals_security_groups.tf | 58 ++++++++++++++++---
 2 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/terraform/environments/oasys-national-reporting/locals_lbs.tf b/terraform/environments/oasys-national-reporting/locals_lbs.tf
index d1bd4e9025a..8844cc4bea4 100644
--- a/terraform/environments/oasys-national-reporting/locals_lbs.tf
+++ b/terraform/environments/oasys-national-reporting/locals_lbs.tf
@@ -10,7 +10,7 @@ locals {
 force_destroy_bucket = true
 internal_lb = false
 load_balancer_type = "application"
- security_groups = ["public-lb"]
+ security_groups = ["public-lb", "public-lb-2"]
 subnets = module.environment.subnets["public"].ids
 listeners = {
diff --git a/terraform/environments/oasys-national-reporting/locals_security_groups.tf b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
index 965602e839e..3881b00d050 100644
--- a/terraform/environments/oasys-national-reporting/locals_security_groups.tf
+++ b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
@@ -6,8 +6,10 @@ locals {
 enduserclient_internal = flatten([
 "10.0.0.0/8",
 ])
- enduserclient_public = flatten([ module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+ enduserclient_public1 = flatten([
+ module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+ ])
+ enduserclient_public2 = flatten([
 module.ip_addresses.azure_fixngo_cidrs.internet_egress,
 module.ip_addresses.mp_cidrs.live_eu_west_nat,
 ])
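Review bot: The second entry in `security_groups` needs a why-comment, because nothing in the hunk says that `public-lb-2` exists only to work around a per-security-group rule quota (the commit title says "cause of limits"), and a later maintainer could merge the two groups back and reintroduce the failure. Suggested line above the attribute: `# two SGs: the trusted public CIDR list is split across public-lb/public-lb-2 to stay under the per-SG rule quota (see locals_security_groups.tf)`. Security-group membership is a union, so the effective ingress on this load balancer is the sum of both groups' rules, which should be kept in mind when either list is edited. The `listeners` map that starts on the last line is cut off, so whether port 80 only redirects to 443 cannot be checked here; the `locals` block continues outside the hunk.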
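Review bot: `enduserclient_public1` and `enduserclient_public2` are split by rule count rather than by trust level, but neither the names nor a comment say so, which invites treating the second set as less trusted or appending new CIDRs to whichever list happens to be shorter without checking the quota. Suggested comment above `enduserclient_public1`: `# trusted public sources; split into two lists (one SG each) only to stay within the per-SG rule limit - keep each list under the quota`. The enclosing `locals` block starts and ends outside the hunk.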
@@ -28,8 +30,10 @@ locals {
 enduserclient_internal = [
 "10.0.0.0/8"
 ]
- enduserclient_public = flatten([
- module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+ enduserclient_public1 = flatten([
+ module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+ ])
+ enduserclient_public2 = flatten([
 module.ip_addresses.azure_fixngo_cidrs.internet_egress,
 module.ip_addresses.mp_cidrs.live_eu_west_nat,
 ])
@@ -63,19 +67,19 @@ locals {
 protocol = -1
 self = true
 }
- http_lb = {
+ http = {
 description = "Allow http ingress"
 from_port = 80
 to_port = 80
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public
+ cidr_blocks = local.security_group_cidrs.enduserclient_public1
 }
- https_lb = {
- description = "Allow enduserclient https ingress"
+ https = {
+ description = "Allow https ingress"
 from_port = 443
 to_port = 443
 protocol = "TCP"
- cidr_blocks = local.security_group_cidrs.enduserclient_public
+ cidr_blocks = local.security_group_cidrs.enduserclient_public1
 }
 }
 egress = {
@@ -88,6 +92,42 @@ locals {
 }
 }
 }
+ public-lb-2 = {
+ description = "Security group for public load balancer part 2"
+ ingress = {
+ all-within-subnet = {
+ description = "Allow all ingress to self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ http = {
+ description = "Allow http ingress"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public2
+ }
+ https = {
+ description = "Allow https ingress"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = local.security_group_cidrs.enduserclient_public2
+ }
+ }
+ egress = {
+ all = {
+ description = "Allow all egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_groups = []
+ }
+ }
+ }
 lb = {
 description = "Security group for public subnet"
 ingress = {
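Review bot: The https rule's description loses information in this hunk: `Allow enduserclient https ingress` becomes `Allow https ingress`, and the same wording is reused for the new `public-lb-2` rules, so in the console the two groups' rules cannot be told apart or traced back to a CIDR source. Suggest naming the source set, e.g. `description = "Allow https ingress from MoJ digital staff public CIDRs"` and the same for the http rule. Renaming the keys `http_lb`/`https_lb` to `http`/`https` may cause the rules to be destroyed and recreated if the module uses the map keys as resource keys (not visible here), so the plan is worth checking for a destroy/create on these rules before apply. The `public-lb` block starts outside the hunk.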
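Review bot: `public-lb-2` grants unrestricted egress (`0.0.0.0/0`, all protocols) on a load-balancer security group; a load balancer only needs to reach its targets, so egress could be narrowed to the target security group or subnet CIDRs, and if this deliberately mirrors the existing `public-lb` egress (whose body is not visible here) a comment saying parity is intentional would help. The protocol values are also written differently from the sibling group: `"tcp"` here versus `"TCP"` in `public-lb`, and `-1` (number) versus `"-1"` (string) within this very block; pick one form, e.g. `protocol = "tcp"` and `protocol = "-1"`, so the two groups read alike and avoid spurious plan diffs should the provider normalise case. The `all-within-subnet` rule's description says "to self" while the rule is `self = true`, which is accurate, but a line explaining what other members the group is expected to have would clarify whether the rule is needed at all. The enclosing security-group locals block continues outside the hunk.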