create domain-controller related security-group (#3320)
* create domain-controller related security-group

* remove duplicates

* allow all egress

* add new sg to test

* fix terraform issue with protocols in ports

* let's apply this to something when it actually works
robertsweetman authored Sep 9, 2023
1 parent bb65051 commit d0ddf32
Showing 2 changed files with 54 additions and 38 deletions.
10 changes: 5 additions & 5 deletions terraform/environments/corporate-staff-rostering/locals.tf
Expand Up @@ -64,11 +64,11 @@ locals {
}

baseline_security_groups = {
data-db = local.security_groups.data_db
migration-web-sg = local.security_groups.Web-SG-migration
migration-app-sg = local.security_groups.App-SG-migration
migration-db-sg = local.security_groups.DB-SG-migration
# domain-controller = local.security_groups.domain-controller NOTE: not yet implemented
data-db = local.security_groups.data_db
migration-web-sg = local.security_groups.Web-SG-migration
migration-app-sg = local.security_groups.App-SG-migration
migration-db-sg = local.security_groups.DB-SG-migration
domain-controller = local.security_groups.domain-controller-access
}

baseline_sns_topics = {}
Expand Up @@ -411,90 +411,107 @@ locals {
}
}
}
domain-controller = {
domain-controller-access = {
description = "Security group for domain controller inbound"
ingress = {
all-from-self = {
description = "Allow all ingress to self"
from_port = 0
to_port = 0
protocol = -1
self = true
}
dns = {
/* dns = {
description = "53: Allow DNS ingress from Azure DC"
from_port = 53
to_port = 53
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
} */
rpc_udp = {
description = "135: UDP MS-RPC AD connect ingress from Azure DC"
from_port = 135
to_port = 135
protocol = "UDP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
rpc = {
description = "135: MS-RPC AD connect ingress from Azure DC"
rpc_tcp = {
description = "135: TCP MS-RPC AD connect ingress from Azure DC"
from_port = 135
to_port = 135
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
ldap = {
netbios = {
description = "139: NetBIOS ingress from Azure DC"
from_port = 139
to_port = 139
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
/* ldap = {
description = "389: Allow LDAP ingress from Azure DC"
from_port = 389
to_port = 389
protocol = -1
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
smb = {
description = "445: SMB ingress from Azure DC"
} */
smb_udp = {
description = "445: UDP SMB ingress from Azure DC"
from_port = 445
to_port = 445
protocol = "TCP"
protocol = "UDP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
# cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
# cidr_blocks = ["10.102.0.196/32"]
security_groups = []
}
ldap_ssl = {
smb_tcp = {
description = "445: TCP SMB ingress from Azure DC"
from_port = 445
to_port = 445
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
# cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers
# cidr_blocks = ["
}
/* ldap_ssl = {
description = "636: Allow LDAP SSL ingress from Azure DC"
from_port = 636
to_port = 636
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
global_catalog_3268_3269 = {
} */
/* global_catalog_3268_3269 = {
description = "3268-3269: Allow LDAP connection to Global Catalog over plain text and SSL"
from_port = 3268
to_port = 3269
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
rdp = {
description = "3389: Allow RDP ingress"
from_port = 3389
to_port = 3389
protocol = "TCP"
cidr_blocks = local.security_group_cidrs.rdp.inbound
security_groups = []
}
active_directory_web_services = {
} */
/* active_directory_web_services = {
description = "9389: Allow Active Directory Web Services ingress from Azure DC"
from_port = 9389
to_port = 9389
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
} */
rpc_dynamic_udp = {
description = "49152-65535: UDP Dynamic Port range"
from_port = 49152
to_port = 65535
protocol = "UDP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []
}
rpc_dynamic = {
description = "49152-65535: Dynamic Port range"
rpc_dynamic_tcp = {
description = "49152-65535: TCP Dynamic Port range"
from_port = 49152
to_port = 65535
protocol = "TCP"
cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"]
security_groups = []

}
}
egress = {
Expand All @@ -507,7 +524,6 @@ locals {
security_groups = []
}
}

}
}
}
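Review bot: The new `smb_tcp` rule ends with a truncated comment `# cidr_blocks = ["` and, unlike every sibling rule in `domain-controller-access`, carries no `security_groups = []` entry; the dangling comment looks like an editing accident and should be dropped, and `security_groups = []` added so the rule has the same shape the consuming module is given everywhere else (whether the missing key is fatal depends on that module, which is not visible here). The `ldap` rule that was commented out rather than fixed still reads `protocol = -1` with `from_port`/`to_port` of 389; in AWS security groups `-1` means all protocols and the AWS provider expects the ports to be 0 in that case, so before it is un-commented it should become `protocol = "TCP"`, which is presumably the "terraform issue with protocols in ports" the commit message refers to. With DNS, LDAP/LDAPS, global catalog and ADWS all commented out, the group currently admits only RPC 135, NetBIOS 139, SMB 445 and the 49152-65535 dynamic range from the Azure DC addresses, and Kerberos (88 TCP/UDP) and UDP 53 appear nowhere in the list; if this group is meant to front a domain controller those will need to be added when the commented rules are restored. The `domain-controller-access` block starts and ends inside this hunk, so no rules outside the visible range are affected.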
