-

ministryofjustice · Jan 21, 2025 · 6eb26e3 · 6eb26e3
1 parent 0318902
commit 6eb26e3
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 2 deletions.
diff --git a/terraform/environments/oasys-national-reporting/locals_ec2_instances.tf b/terraform/environments/oasys-national-reporting/locals_ec2_instances.tf
@@ -23,7 +23,7 @@ locals {
         disable_api_termination = false
         instance_type           = "m6i.xlarge"
         key_name                = "ec2-user"
-        vpc_security_group_ids  = ["bip"]
+        vpc_security_group_ids  = ["bip-app"]
         tags = {
           backup-plan = "daily-and-weekly"
         }
@@ -71,7 +71,7 @@ locals {
         disable_api_termination = false
         instance_type           = "r6i.xlarge"
         key_name                = "ec2-user"
-        vpc_security_group_ids  = ["web"]
+        vpc_security_group_ids  = ["bip-web"]
         tags = {
           backup-plan = "daily-and-weekly"
         }

diff --git a/terraform/environments/oasys-national-reporting/locals_security_groups.tf b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
@@ -2,6 +2,7 @@ locals {
   security_group_cidrs_devtest = {
     http7xxx = flatten([
       module.ip_addresses.azure_fixngo_cidrs.devtest,
+      module.ip_addresses.mp_cidr[module.environment.vpc_name],
     ])
     enduserclient_internal = flatten([
       "10.0.0.0/8",
@@ -27,6 +28,7 @@ locals {
   security_group_cidrs_preprod_prod = {
     http7xxx = flatten([
       module.ip_addresses.azure_fixngo_cidrs.prod,
+      module.ip_addresses.mp_cidr[module.environment.vpc_name],
     ])
     enduserclient_internal = [
       "10.0.0.0/8"
@@ -194,6 +196,7 @@ locals {
           cidr_blocks     = local.security_group_cidrs.http7xxx
           security_groups = ["lb", "private-jumpserver"]
         }
+
         weblogic_node_manager_web = {
           description     = "5556: weblogic node manager"
           from_port       = 5556
@@ -202,6 +205,14 @@ locals {
           cidr_blocks     = local.security_group_cidrs.http7xxx
           security_groups = ["lb", "private-jumpserver"]
         }
+        http7010 = {
+          description     = "Allow http7010 ingress"
+          from_port       = 7010
+          to_port         = 7010
+          protocol        = "tcp"
+          cidr_blocks     = local.security_group_cidrs.http7xxx
+          security_groups = ["lb", "public-lb", "public-lb-2"]
+        }
         weblogic_admin = {
           description     = "7001: Weblogic admin port"
           from_port       = 7001
@@ -238,6 +249,98 @@ locals {
       }
     }
 
+    bip-web = {
+      description = "Security group for bip web tier"
+      ingress = {
+        all-within-subnet = {
+          description = "Allow all ingress to self"
+          from_port   = 0
+          to_port     = 0
+          protocol    = -1
+          self        = true
+        }
+        http7010 = {
+          description     = "Allow http7010 ingress"
+          from_port       = 7010
+          to_port         = 7010
+          protocol        = "tcp"
+          cidr_blocks     = local.security_group_cidrs.http7xxx
+          security_groups = ["lb", "public-lb", "public-lb-2"]
+        }
+        http7777 = {
+          description     = "Allow http7777 ingress"
+          from_port       = 7777
+          to_port         = 7777
+          protocol        = "tcp"
+          cidr_blocks     = local.security_group_cidrs.http7xxx
+          security_groups = ["lb", "public-lb", "public-lb-2"]
+        }
+        http8005 = {
+          description     = "Allow http8005 ingress"
+          from_port       = 8005
+          to_port         = 8005
+          protocol        = "tcp"
+          cidr_blocks     = local.security_group_cidrs.http7xxx
+          security_groups = ["lb", "public-lb", "public-lb-2"]
+        }
+        http8443 = {
+          description     = "Allow http8443 ingress"
+          from_port       = 8443
+          to_port         = 8443
+          protocol        = "tcp"
+          cidr_blocks     = local.security_group_cidrs.http7xxx
+          security_groups = ["lb", "public-lb", "public-lb-2"]
+        }
+      }
+      egress = {
+        all = {
+          description     = "Allow all egress"
+          from_port       = 0
+          to_port         = 0
+          protocol        = "-1"
+          cidr_blocks     = ["0.0.0.0/0"]
+          security_groups = []
+        }
+      }
+    }
+    bip-app = {
+      description = "Security group for bip application tier"
+      ingress = {
+        all-within-subnet = {
+          description = "Allow all ingress to self"
+          from_port   = 0
+          to_port     = 0
+          protocol    = -1
+          self        = true
+        }
+        all-from-web = {
+          description     = "Allow all ingress from web"
+          from_port       = 0
+          to_port         = 0
+          protocol        = -1
+          security_groups = ["bip-web"]
+        }
+        cms-ingress = {
+          description     = "Allow http6400-http6500 ingress"
+          from_port       = 6400
+          to_port         = 6500
+          protocol        = "tcp"
+          security_groups = ["private-jumpserver"]
+          cidr_blocks     = ["10.0.0.0/8"] # added for testing, remove later
+        }
+      }
+      egress = {
+        all = {
+          description     = "Allow all egress"
+          from_port       = 0
+          to_port         = 0
+          protocol        = "-1"
+          cidr_blocks     = ["0.0.0.0/0"]
+          security_groups = []
+        }
+      }
+    }
+
     boe = {
       description = "Security group for Windows App Servers"
       ingress = {