DSOS-2476: RemoteDesktop spike (#4412)
* add test rds

* test

* lb fix

* fix

* fix security group

* lb fix

* fix

* SG update

* dns

* test

* test

* https backend

* test

* fix

* fix

* fix

* fix

* fix

* fix

* test

* fix

* fix

* test

* fix

* fix

* fix

* fix
drobinson-moj authored Jan 2, 2024
1 parent e816676 commit a0e0abd
Showing 4 changed files with 382 additions and 82 deletions.
11 changes: 3 additions & 8 deletions terraform/environments/hmpps-domain-services/locals.tf
Expand Up @@ -67,12 +67,7 @@ locals {
}

baseline_secretsmanager_secrets = {}

baseline_security_groups = {
private-dc = local.security_groups.private_dc
load-balancer = local.security_groups.load-balancer
}

baseline_sns_topics = {}
baseline_ssm_parameters = {}
baseline_security_groups = local.security_groups
baseline_sns_topics = {}
baseline_ssm_parameters = {}
}
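Review bot: `baseline_security_groups = local.security_groups` now provisions every entry of the map in all four environments, whereas the removed block only selected `private-dc` and `load-balancer`; that includes the spike-only `rds-ec2s`, `public-lb` and `private-lb` groups introduced in locals_security_groups.tf by this same commit, so they are created in production as well as development. A short comment on the new line would make that explicit, e.g. `# every group in local.security_groups is created in every environment; gate spike-only groups by environment if they must not reach production`. The enclosing `locals` block starts before this hunk.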
199 changes: 148 additions & 51 deletions terraform/environments/hmpps-domain-services/locals_security_groups.tf
@@ -1,57 +1,154 @@
locals {

security_group_cidrs_devtest = {
core = module.ip_addresses.azure_fixngo_cidrs.devtest_core
ssh = module.ip_addresses.azure_fixngo_cidrs.devtest
enduserclient = [
"10.0.0.0/8"
]
# NOTE: REMOVE THIS WHEN MOVE TO NEW SG's
http7xxx = flatten([
module.ip_addresses.azure_fixngo_cidrs.devtest,
module.ip_addresses.azure_fixngo_cidrs.internet_egress,
])
rdp = {
inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.0.0/16"]
}
domain_controllers = module.ip_addresses.azure_fixngo_cidrs.devtest_domain_controllers
jumpservers = module.ip_addresses.azure_fixngo_cidrs.devtest_jumpservers
azure_vnets = module.ip_addresses.azure_fixngo_cidrs.devtest
}

security_group_cidrs_preprod_prod = {
core = module.ip_addresses.azure_fixngo_cidrs.prod_core
ssh = flatten([
module.ip_addresses.azure_fixngo_cidrs.prod_jumpservers,
# AllowProdStudioHostingSshInBound from 10.244.0.0/22 not included
module.ip_addresses.azure_fixngo_cidrs.prod_core,
module.ip_addresses.azure_fixngo_cidrs.prod, # NOTE: may need removing at some point
])
enduserclient = [
"10.0.0.0/8"
]
# NOTE: REMOVE THIS WHEN MOVE TO NEW SG's
http7xxx = flatten([
module.ip_addresses.azure_fixngo_cidrs.prod,
module.ip_addresses.azure_fixngo_cidrs.internet_egress,
])
rdp = {
inbound = flatten([
module.ip_addresses.azure_fixngo_cidrs.prod,
])
}
domain_controllers = module.ip_addresses.azure_fixngo_cidrs.prod_domain_controllers
jumpservers = module.ip_addresses.azure_fixngo_cidrs.prod_jumpservers
azure_vnets = module.ip_addresses.azure_fixngo_cidrs.prod
}
security_group_cidrs_by_environment = {
development = local.security_group_cidrs_devtest
test = local.security_group_cidrs_devtest
preproduction = local.security_group_cidrs_preprod_prod
production = local.security_group_cidrs_preprod_prod
}
security_group_cidrs = local.security_group_cidrs_by_environment[local.environment]
security_group_cidrs = merge(local.security_group_cidrs_by_environment[local.environment], {
enduserclient_internal = [
"10.0.0.0/8"
]
enduserclient_public = flatten([
module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
])
})

security_groups = {
private_dc = {
rds-ec2s = {
description = "Security group for Remote Desktop Service EC2s"
ingress = {
all-from-self = {
description = "Allow all ingress to self"
from_port = 0
to_port = 0
protocol = -1
self = true
}
http-from-lb = {
description = "Allow http ingress"
from_port = 80
to_port = 80
protocol = "TCP"
security_groups = [
"private-lb",
"public-lb",
]
}
http-from-euc = {
description = "Allow direct http access for testing"
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient_internal
}
https-from-euc = {
description = "Allow direct https access for testing"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient_internal
}
all-from-azure-vnets-vnet = {
description = "Allow all from azure vnets"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = local.security_group_cidrs.azure_vnets
}
}
egress = {
all = {
description = "Allow all egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_groups = []
}
}
}

public-lb = {
description = "Security group for public load-balancer"
ingress = {
all-from-self = {
description = "Allow all ingress to self"
from_port = 0
to_port = 0
protocol = -1
self = true
}
http_lb = {
description = "Allow http ingress"
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient_public
}
https_lb = {
description = "Allow enduserclient https ingress"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient_public
}
}
egress = {
all = {
description = "Allow all traffic outbound"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
}

private-lb = {
description = "Security group for internal load-balancer"
ingress = {
all-from-self = {
description = "Allow all ingress to self"
from_port = 0
to_port = 0
protocol = -1
self = true
}
http_lb = {
description = "Allow http ingress"
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient_internal
}
https_lb = {
description = "Allow enduserclient https ingress"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient_internal
}
}
egress = {
all = {
description = "Allow all traffic outbound"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
}

private-dc = {
description = "Security group for Domain Controllers"
ingress = {
all-from-self = {
Expand All @@ -61,6 +158,15 @@ locals {
protocol = -1
self = true
}
http_lb = {
description = "Allow http ingress"
from_port = 80
to_port = 80
protocol = "TCP"
security_groups = [
"load-balancer",
]
}
all-from-noms-test-vnet = {
description = "Allow all from noms test vnet"
from_port = 0
Expand Down Expand Up @@ -102,7 +208,6 @@ locals {
}
}

############ NEWLY DEFINED SGs ############

load-balancer = {
description = "New security group for load-balancer"
Expand All @@ -114,27 +219,19 @@ locals {
protocol = -1
self = true
}
# IMPORTANT: check if an 'allow all from azure' rule is required, rather than subsequent load-balancer rules
/* all-from-fixngo = {
description = "Allow all ingress from fixngo"
from_port = 0
to_port = 0
protocol = -1
cidr_blocks = local.security_group_cidrs.enduserclient
} */
http_lb = {
description = "Allow http ingress"
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient
cidr_blocks = local.security_group_cidrs.enduserclient_internal
}
https_lb = {
description = "Allow enduserclient https ingress"
from_port = 443
to_port = 443
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.enduserclient
cidr_blocks = local.security_group_cidrs.enduserclient_internal
}
}
egress = {
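Review bot: The new `rds-ec2s` group in the first hunk opens every port and protocol to the full Azure VNet range (`all-from-azure-vnets-vnet`, `protocol = "-1"` from `local.security_group_cidrs.azure_vnets`) and ports 80/443 directly to the whole of 10.0.0.0/8 (`http-from-euc` and `https-from-euc`, both described as "for testing"), so hosts in those ranges reach the EC2s without going through either load balancer. Those testing rules also appear to mask a gap: `http-from-lb` only permits port 80 from `private-lb`/`public-lb`, yet the commit message says the backend is now https, so if the targets listen on 443 the load-balancer path will stop working the moment the 10.0.0.0/8 rules are removed; a dedicated `https-from-lb` rule mirroring `http-from-lb` on port 443 closes that gap independently of the testing rules. Narrowing `all-from-azure-vnets-vnet` to the ports the Remote Desktop role actually needs, or adding a comment explaining why all-ports is required, would keep the rule reviewable. The `security_groups` map continues past the end of this hunk.
```hcl
      # … unchanged: all-from-self, http-from-lb …
      https-from-lb = {
        description = "Allow https ingress from load balancers"
        from_port   = 443
        to_port     = 443
        protocol    = "TCP"
        security_groups = [
          "private-lb",
          "public-lb",
        ]
      }
      # … unchanged: http-from-euc, https-from-euc, all-from-azure-vnets-vnet, egress …
```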