nomis reporting: security group fix (#9183)
* split public SGs

* add second SG for public access
drobinson-moj authored Dec 23, 2024
1 parent 2d7d6b1 commit 1aa5067
Showing 2 changed files with 49 additions and 9 deletions.
Expand Up @@ -76,7 +76,7 @@ locals {
idle_timeout = 3600
internal_lb = false
load_balancer_type = "application"
security_groups = ["public-lb"]
security_groups = ["public-lb", "public-lb-2"]
subnets = module.environment.subnets["public"].ids

instance_target_groups = {
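Review bot: The `security_groups = ["public-lb", "public-lb-2"]` line attaches two groups to the load balancer but nothing in the file says why the public allow-list is split, so the next maintainer has no way to tell whether dropping one of them is safe. A one-line comment above it would settle that, e.g. `# public ingress allow-list is split across public-lb and public-lb-2; both must stay attached`. The split is presumably there to keep each group's rule count within the per-group quota, but the commit does not state that, so the comment should name the real reason rather than this guess. The enclosing `locals` block starts and ends outside the hunk.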
Expand Up @@ -7,8 +7,10 @@ locals {
enduserclient_internal = flatten([
"10.0.0.0/8",
])
enduserclient_public = flatten([
enduserclient_public1 = flatten([
module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
])
enduserclient_public2 = flatten([
module.ip_addresses.azure_fixngo_cidrs.internet_egress,
module.ip_addresses.mp_cidrs.non_live_eu_west_nat,
])
Expand All @@ -31,8 +33,10 @@ locals {
enduserclient_internal = [
"10.0.0.0/8"
]
enduserclient_public = flatten([
enduserclient_public1 = flatten([
module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
])
enduserclient_public2 = flatten([
module.ip_addresses.azure_fixngo_cidrs.internet_egress,
module.ip_addresses.mp_cidrs.live_eu_west_nat,
])
Expand Down Expand Up @@ -107,14 +111,50 @@ locals {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.enduserclient_public
cidr_blocks = local.security_group_cidrs.enduserclient_public1
}
https = {
description = "Allow https ingress"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.enduserclient_public1
}
}
egress = {
all = {
description = "Allow all egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_groups = []
}
}
}
public-lb-2 = {
description = "Security group for public load balancer part 2"
ingress = {
all-within-subnet = {
description = "Allow all ingress to self"
from_port = 0
to_port = 0
protocol = -1
self = true
}
http = {
description = "Allow http ingress"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.enduserclient_public2
}
https = {
description = "Allow https ingress"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.enduserclient_public
cidr_blocks = local.security_group_cidrs.enduserclient_public2
}
}
egress = {
Expand Down Expand Up @@ -144,31 +184,31 @@ locals {
to_port = 7010
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.http7xxx
security_groups = ["lb", "public-lb"]
security_groups = ["lb", "public-lb", "public-lb-2"]
}
http7777 = {
description = "Allow http7777 ingress"
from_port = 7777
to_port = 7777
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.http7xxx
security_groups = ["lb", "public-lb"]
security_groups = ["lb", "public-lb", "public-lb-2"]
}
http8005 = {
description = "Allow http8005 ingress"
from_port = 8005
to_port = 8005
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.http7xxx
security_groups = ["lb", "public-lb"]
security_groups = ["lb", "public-lb", "public-lb-2"]
}
http8443 = {
description = "Allow http8443 ingress"
from_port = 8443
to_port = 8443
protocol = "tcp"
cidr_blocks = local.security_group_cidrs.http7xxx
security_groups = ["lb", "public-lb"]
security_groups = ["lb", "public-lb", "public-lb-2"]
}
}
egress = {
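Review bot: In the new `public-lb-2` block the `all-within-subnet` rule sets `protocol = -1` as a bare number, while the `egress.all` rule shown above it uses the string form `protocol = "-1"`; the two should match, `protocol = "-1"`, so the attribute type is consistent across the file and does not rely on implicit number-to-string conversion. The description `"Security group for public load balancer part 2"` also does not say which CIDR set the group carries, which matters once the ranges are split; `"Security group for public load balancer (part 2: enduserclient_public2 ranges)"` would make the split readable from the console. The same `-1` literal style question applies to any further `self = true` rules added in this pattern. The enclosing `locals` block starts and ends outside the hunk.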
