diff --git a/terraform/environments/ccms-ebs/application_variables.json b/terraform/environments/ccms-ebs/application_variables.json index 61fd0785a6d..f0a9bf92fc2 100644 --- a/terraform/environments/ccms-ebs/application_variables.json +++ b/terraform/environments/ccms-ebs/application_variables.json @@ -305,16 +305,19 @@ }, "ec2_sg_base_ingress_rules": { "TCP_80": { + "application": "HTTP", "from_port": 80, "to_port": 80, "protocol": "TCP" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP" }, "TCP_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP" @@ -322,18 +325,21 @@ }, "ec2_sg_base_egress_rules": { "TCP_80": { + "application": "HTTP", "from_port": 80, "to_port": 80, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP", 
@@ -342,62 +348,74 @@ }, "ec2_sg_ingress_rules": { "TCP_80": { + "application": "HTTP", "from_port": 80, "to_port": 80, "protocol": "TCP" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP" }, "TCP_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP" }, "TCP_1389": { + "application": "Oracle LDAP", "from_port": 1389, "to_port": 1389, "protocol": "TCP" }, "TCP_152x": { + "application": "Oracle Net Listener", "from_port": 1521, "to_port": 1522, "protocol": "TCP" }, "TCP_5101": { + "application": "Unknown", "from_port": 5101, "to_port": 5101, "protocol": "TCP" }, "TCP_5401": { + "application": "Unknown", "from_port": 5401, "to_port": 5401, "protocol": "TCP" }, "TCP_5575": { + "application": "Unknown", "from_port": 5575, "to_port": 5575, "protocol": "TCP" }, "TCP_1636": { + "application": "Oracle LDAP SSL", "from_port": 1636, "to_port": 1636, "protocol": "TCP" }, "TCP_10401": { + "application": "Unknown", "from_port": 10401, "to_port": 10401, "protocol": "TCP" }, "TCP_800x": { + "application": "Oracle HTTP", "from_port": 8000, "to_port": 8005, "protocol": "TCP", "destination_cidr": "10.200.0.0/20" }, "TCP_444x": { + "application": "Oracle HTTPS", "from_port": 4443, "to_port": 4444, "protocol": "TCP", 
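Review bot: The four entries now labelled `"Unknown"` (TCP_5101, TCP_5401, TCP_5575, TCP_10401) document that nobody knows what listens there, yet they remain open, and this one map is applied unchanged to ebsdb, ebsapps, webgate and accessgate (the `for_each` on each of those resources), so every tier accepts the DB listener, both LDAP ports and the unidentified ports alike. Each entry should name the owning service or be dropped, and tier-specific ports belong in per-tier maps rather than a shared one. Note also that `TCP_800x` carries `"destination_cidr": "10.200.0.0/20"` on an ingress entry; if the ingress resources only read protocol/from_port/to_port (their source argument is outside the hunk) that field is silently ignored rather than narrowing anything.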
@@ -406,78 +424,98 @@ }, "ec2_sg_egress_rules": { "TCP_80": { + "application": "HTTP", "from_port": 80, "to_port": 80, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, + "FTP_20": { + "application": "FTP", + "from_port": 20, + "to_port": 21, + "protocol": "TCP", + "destination_cidr": "0.0.0.0/0" + }, "SSH_22": { - "from_port": 21, + "application": "SSH", + "from_port": 22, "to_port": 22, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_1389": { + "application": "Oracle LDAP", "from_port": 1389, "to_port": 1389, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_152x": { + "application": "Oracle Net Listener", "from_port": 1521, "to_port": 1522, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_5101": { + "application": "Unknown", "from_port": 5101, "to_port": 5101, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_5401": { + "application": "Unknown", "from_port": 5401, "to_port": 5401, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_5575": { + "application": "Unknown", "from_port": 5575, "to_port": 5575, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_1636": { + "application": "Oracle LDAP SSL", "from_port": 1636, "to_port": 1636, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_10401": { + "application": "Unknown", "from_port": 10401, "to_port": 10401, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_50000": { + "application": "Lloyds FTP", "from_port": 50000, "to_port": 51000, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_800x": { + "application": "Oracle HTTP", "from_port": 8000, "to_port": 8005, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_444x": { + "application": "Oracle HTTPS", "from_port": 4443, "to_port": 4444, "protocol": "TCP", 
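Review bot: The new `FTP_20` entry sends plaintext FTP (ports 20-21) from every EC2 tier that uses this map to `"0.0.0.0/0"`, alongside the existing "Lloyds FTP" range 50000-51000 and the four ports labelled "Unknown", all to the open internet. If the FTP target is the internal ftp host, scope it the way the ftp SG's own egress does, `"destination_cidr": "10.200.0.0/13"`, and the partner range should be pinned to the partner's published address range rather than any destination. Egress rules whose purpose is recorded as Unknown and whose destination is the whole internet are an unmonitored exfiltration path and should be justified in the label or removed. The `SSH_22` from_port correction (21→22) is right; the same 21-22 range is still present in `ec2_sg_egress_rules_db` further down the file.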
@@ -486,16 +524,19 @@ }, "ec2_sg_ftp_ingress_rules": { "FTP_20": { + "application": "FTP", "from_port": 20, - "to_port": 22, + "to_port": 21, "protocol": "TCP" }, "FTP_3010": { + "application": "FTP passive ports", "from_port": 3000, "to_port": 3010, "protocol": "TCP" }, "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP" @@ -503,18 +544,21 @@ }, "ec2_sg_ftp_egress_rules": { "FTP_20": { + "application": "FTP", "from_port": 20, - "to_port": 22, + "to_port": 21, "protocol": "TCP", "destination_cidr": "10.200.0.0/13" }, "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP", "destination_cidr": "10.200.0.0/13" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", @@ -523,11 +567,13 @@ }, "ec2_sg_clamav_ingress_rules": { "TCP_3310": { + "application": "ClamAV", "from_port": 3310, "to_port": 3310, "protocol": "TCP" }, "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP" @@ -535,18 +581,21 @@ }, "ec2_sg_clamav_egress_rules": { "TCP_3310": { + "application": "ClamAV", "from_port": 3310, "to_port": 3310, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", @@ -555,11 +604,13 @@ }, "ec2_sg_mailrelay_ingress_rules": { "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP" }, "SMTP_25": { + "application": "SMTP", "from_port": 25, "to_port": 25, "protocol": "TCP" 
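Review bot: The `FTP_20` egress entry (ports 20-21 to 10.200.0.0/13) only matters if the ftp host itself initiates FTP sessions to other internal hosts; security-group egress matches the destination port, so active-mode data connections a server opens from source port 20 to a client's ephemeral port are not what this rule describes. Confirm which direction is intended and, if the host is only ever a server, the entry can go. Separately, the key `FTP_3010` covers 3000-3010, so a range name such as `FTP_300x` would match the `TCP_152x`/`TCP_800x` convention used elsewhere, and the passive range must match what the FTP daemon is configured to advertise, which is not visible here.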
@@ -567,24 +618,28 @@ }, "ec2_sg_mailrelay_egress_rules": { "SSH_22": { + "application": "SSH", "from_port": 22, "to_port": 22, "protocol": "TCP", "destination_cidr": "10.200.0.0/13" }, "SMTP_25": { + "application": "SMTP", "from_port": 25, "to_port": 25, "protocol": "TCP", "destination_cidr": "10.200.0.0/13" }, "HTTPS_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "SMTP_587": { + "application": "SMTP SES", "from_port": 587, "to_port": 587, "protocol": "TCP", @@ -641,6 +696,7 @@ }, "ec2_sg_ingress_rules_db": { "UDP_ALL": { + "application": "UDP ALL", "from_port": 0, "to_port": 65535, "protocol": "UDP" @@ -648,18 +704,21 @@ }, "ec2_sg_egress_rules_db": { "TCP_80": { + "application": "HTTP", "from_port": 80, "to_port": 80, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", "destination_cidr": "0.0.0.0/0" }, "SSH_22": { + "application": "SSH", "from_port": 21, "to_port": 22, "protocol": "TCP", @@ -668,6 +727,7 @@ }, "lb_sg_ingress_rules": { "TCP_443": { + "application": "HTTPS", "from_port": 443, "to_port": 443, "protocol": "TCP", @@ -676,6 +736,7 @@ }, "lb_sg_egress_rules": { "TCP_80": { + "application": "HTTP", "from_port": 0, "to_port": 0, "protocol": "TCP", diff --git a/terraform/environments/ccms-ebs/ccms-ec2-security_groups.tf b/terraform/environments/ccms-ebs/ccms-ec2-security_groups.tf index ecefa25ee8f..d7ea5456d6f 100644 --- a/terraform/environments/ccms-ebs/ccms-ec2-security_groups.tf +++ b/terraform/environments/ccms-ebs/ccms-ec2-security_groups.tf 
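Review bot: `SSH_22` in `ec2_sg_egress_rules_db` still has `"from_port": 21` with `"to_port": 22`, so the rule now labelled SSH also permits outbound FTP control connections to `0.0.0.0/0`; the identical mistake was corrected in `ec2_sg_egress_rules` in this same commit but not here. Change it to `"from_port": 22,` and add a separate, narrowly scoped FTP entry only if the DB host genuinely needs one. With the new description format the rule will at least render as "Out: TCP 21 (SSH)", which makes the mismatch visible in the console.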
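Review bot: `lb_sg_egress_rules.TCP_80` is labelled HTTP but its ports are `0`/`0`, so either the label or the ports are wrong; a 0-0 range with protocol TCP does not describe HTTP to the backends. If the intent is port 80 to the app tier, set `"from_port": 80, "to_port": 80`; if the intent is all ports, the label should say so and the tcp/port-0 combination should be checked against what the provider actually creates. The rule's destination is outside the hunk, so the blast radius cannot be judged from here.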
@@ -14,7 +14,7 @@ resource "aws_security_group_rule" "ingress_traffic_oracle_base" { for_each = local.application_data.ec2_sg_base_ingress_rules security_group_id = aws_security_group.ec2_sg_oracle_base.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -26,7 +26,7 @@ resource "aws_security_group_rule" "egress_traffic_oracle_base_sg" { #for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_oracle_base.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -37,7 +37,7 @@ resource "aws_security_group_rule" "egress_traffic_oracle_base_cidr" { #for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_oracle_base.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -45,7 +45,6 @@ resource "aws_security_group_rule" "egress_traffic_oracle_base_cidr" { } */ - # Security Group for EBSDB resource "aws_security_group" "ec2_sg_ebsdb" { name = "ec2_sg_ebsdb" 
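Review bot: The new description uses only `from_port`, so ranged rules such as TCP_152x (1521-1522), TCP_800x (8000-8005) and TCP_50000 (50000-51000) will read as a single port in the console, hiding the breadth of the rule from whoever audits the SG. Use `format("In: %s %d-%d (%s)", each.value.protocol, each.value.from_port, each.value.to_port, each.value.application)` and the matching `Out:` form so the full range is visible. `each.value.application` is also now a hard requirement on every entry of every map, so any entry outside this diff that lacks the key will fail the plan; `lookup(each.value, "application", "unlabelled")` avoids that if coverage is not certain. The two `egress_traffic_oracle_base_*` resources in this hunk appear to sit inside a commented-out block (the closing `*/` is visible and their `for_each` is commented), so their description change has no effect until they are re-enabled.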
@@ -60,7 +59,7 @@ resource "aws_security_group_rule" "ingress_traffic_ebsdb" { for_each = local.application_data.ec2_sg_ingress_rules security_group_id = aws_security_group.ec2_sg_ebsdb.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -71,7 +70,7 @@ resource "aws_security_group_rule" "egress_traffic_ebsdb_sg" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_ebsdb.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -82,7 +81,7 @@ resource "aws_security_group_rule" "egress_traffic_ebsdb_cidr" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_ebsdb.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
@@ -103,7 +102,7 @@ resource "aws_security_group_rule" "ingress_traffic_ebsapps" { for_each = local.application_data.ec2_sg_ingress_rules security_group_id = aws_security_group.ec2_sg_ebsapps.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -114,7 +113,7 @@ resource "aws_security_group_rule" "egress_traffic_ebsapps_sg" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_ebsapps.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -125,7 +124,7 @@ resource "aws_security_group_rule" "egress_traffic_ebsapps_cidr" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_ebsapps.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
@@ -146,7 +145,7 @@ resource "aws_security_group_rule" "ingress_traffic_webgate" { for_each = local.application_data.ec2_sg_ingress_rules security_group_id = aws_security_group.ec2_sg_webgate.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -157,7 +156,7 @@ resource "aws_security_group_rule" "egress_traffic_webgate_sg" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_webgate.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -168,7 +167,7 @@ resource "aws_security_group_rule" "egress_traffic_webgate_cidr" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_webgate.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
@@ -189,7 +188,7 @@ resource "aws_security_group_rule" "ingress_traffic_accessgate" { for_each = local.application_data.ec2_sg_ingress_rules security_group_id = aws_security_group.ec2_sg_accessgate.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -200,7 +199,7 @@ resource "aws_security_group_rule" "egress_traffic_accessgate_sg" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_accessgate.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -211,7 +210,7 @@ resource "aws_security_group_rule" "egress_traffic_accessgate_cidr" { for_each = local.application_data.ec2_sg_egress_rules security_group_id = aws_security_group.ec2_sg_accessgate.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
@@ -248,7 +247,7 @@ resource "aws_security_group_rule" "ingress_traffic_ebslb" { for_each = local.application_data.lb_sg_ingress_rules security_group_id = aws_security_group.sg_ebsapps_lb.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -259,7 +258,7 @@ resource "aws_security_group_rule" "egress_traffic_ebslb_sg" { for_each = local.application_data.lb_sg_egress_rules security_group_id = aws_security_group.sg_ebsapps_lb.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -270,7 +269,7 @@ resource "aws_security_group_rule" "egress_traffic_ebslb_cidr" { for_each = local.application_data.lb_sg_egress_rules security_group_id = aws_security_group.sg_ebsapps_lb.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
@@ -293,7 +292,7 @@ resource "aws_security_group_rule" "ingress_traffic_ftp" { for_each = local.application_data.ec2_sg_ftp_ingress_rules security_group_id = aws_security_group.ec2_sg_ftp.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -305,7 +304,7 @@ resource "aws_security_group_rule" "egress_traffic_ftp" { for_each = local.application_data.ec2_sg_ftp_egress_rules security_group_id = aws_security_group.ec2_sg_ftp.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -329,7 +328,7 @@ resource "aws_security_group_rule" "ingress_traffic_clamav" { for_each = local.application_data.ec2_sg_clamav_ingress_rules security_group_id = aws_security_group.ec2_sg_clamav.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
@@ -341,7 +340,7 @@ resource "aws_security_group_rule" "egress_traffic_clamav" { for_each = local.application_data.ec2_sg_clamav_egress_rules security_group_id = aws_security_group.ec2_sg_clamav.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -354,7 +353,7 @@ resource "aws_security_group_rule" "all_internal_ingress_traffic" { for_each = { for sub in data.aws_security_groups.all_security_groups.ids : sub => sub } security_group_id = each.value type = "ingress" - description = "Ingress for all internal traffic" + description = "In: all internal traffic" protocol = "all" from_port = 0 to_port = 0 @@ -373,7 +372,7 @@ resource "aws_security_group_rule" "all_internal_egress_traffic" { security_group_id = each.value #security_group_id = aws_security_group.ec2_sg_oracle_base.id type = "egress" - description = "Egress for all internal traffic" + description = "Out: all internal traffic" protocol = "all" from_port = 0 to_port = 0 @@ -402,7 +401,7 @@ resource "aws_security_group_rule" "ingress_traffic_webgatelb" { for_each = local.application_data.lb_sg_ingress_rules security_group_id = aws_security_group.sg_webgate_lb.id type = "ingress" - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("In: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port 
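Review bot: `all_internal_ingress_traffic` adds a protocol-all, port 0-0 ingress rule to every security group returned by `data.aws_security_groups.all_security_groups`, so if its source (outside the hunk) is the VPC or the 10.200.0.0/13 range, the per-port rules this commit carefully labels impose no restriction on east-west traffic: anything inside can reach 1521, 1389, 3310 or 22 on any host. The labels are still useful for external sources, but this resource should carry a comment stating the source and why a blanket rule is acceptable, e.g. `# NOTE: blanket intra-VPC allow; the per-port rules above only constrain sources outside this range`. If the blanket rule is a migration convenience, say so and track its removal.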
@@ -413,7 +412,7 @@ resource "aws_security_group_rule" "egress_traffic_webgatelb_sg" { for_each = local.application_data.lb_sg_egress_rules security_group_id = aws_security_group.sg_webgate_lb.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port @@ -424,7 +423,7 @@ resource "aws_security_group_rule" "egress_traffic_webgatelb_cidr" { for_each = local.application_data.lb_sg_egress_rules security_group_id = aws_security_group.sg_webgate_lb.id type = "egress" - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + description = format("Out: %s %d (%s)", each.value.protocol, each.value.from_port, each.value.application) protocol = each.value.protocol from_port = each.value.from_port to_port = each.value.to_port