diff --git a/terraform/environments/corporate-staff-rostering/locals.tf b/terraform/environments/corporate-staff-rostering/locals.tf index 0cb61923c3f..e0af20ad736 100644 --- a/terraform/environments/corporate-staff-rostering/locals.tf +++ b/terraform/environments/corporate-staff-rostering/locals.tf @@ -64,11 +64,11 @@ locals { } baseline_security_groups = { - data-db = local.security_groups.data_db - migration-web-sg = local.security_groups.Web-SG-migration - migration-app-sg = local.security_groups.App-SG-migration - migration-db-sg = local.security_groups.DB-SG-migration - # domain-controller = local.security_groups.domain-controller NOTE: not yet implemented + data-db = local.security_groups.data_db + migration-web-sg = local.security_groups.Web-SG-migration + migration-app-sg = local.security_groups.App-SG-migration + migration-db-sg = local.security_groups.DB-SG-migration + domain-controller = local.security_groups.domain-controller-access } baseline_sns_topics = {} diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf index 2271a590517..12ffe5857e1 100644 --- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf +++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf 
@@ -411,90 +411,107 @@ locals { } } } - domain-controller = { + domain-controller-access = { description = "Security group for domain controller inbound" ingress = { - all-from-self = { - description = "Allow all ingress to self" - from_port = 0 - to_port = 0 - protocol = -1 - self = true - } - dns = { + /* dns = { description = "53: Allow DNS ingress from Azure DC" from_port = 53 to_port = 53 protocol = "TCP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] + } */ + rpc_udp = { + description = "135: UDP MS-RPC AD connect ingress from Azure DC" + from_port = 135 + to_port = 135 + protocol = "UDP" + cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] + security_groups = [] } - rpc = { - description = "135: MS-RPC AD connect ingress from Azure DC" + rpc_tcp = { + description = "135: TCP MS-RPC AD connect ingress from Azure DC" from_port = 135 to_port = 135 protocol = "TCP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] } - ldap = { + netbios = { + description = "139: NetBIOS ingress from Azure DC" + from_port = 139 + to_port = 139 + protocol = "TCP" + cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] + security_groups = [] + } + /* ldap = { description = "389: Allow LDAP ingress from Azure DC" from_port = 389 to_port = 389 protocol = -1 cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] - } - smb = { - description = "445: SMB ingress from Azure DC" + } */ + smb_udp = { + description = "445: UDP SMB ingress from Azure DC" from_port = 445 to_port = 445 - protocol = "TCP" + protocol = "UDP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] # cidr_blocks = 
var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers # cidr_blocks = ["10.102.0.196/32"] security_groups = [] } - ldap_ssl = { + smb_tcp = { + description = "445: TCP SMB ingress from Azure DC" + from_port = 445 + to_port = 445 + protocol = "TCP" + cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] + # cidr_blocks = var.modules.ip_addresses.azure_fixngo_ips.devtest.domain_controllers + # cidr_blocks = [" + } + /* ldap_ssl = { description = "636: Allow LDAP SSL ingress from Azure DC" from_port = 636 to_port = 636 protocol = "TCP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] - } - global_catalog_3268_3269 = { + } */ + /* global_catalog_3268_3269 = { description = "3268-3269: Allow LDAP connection to Global Catalog over plain text and SSL" from_port = 3268 to_port = 3269 protocol = "TCP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] - } - rdp = { - description = "3389: Allow RDP ingress" - from_port = 3389 - to_port = 3389 - protocol = "TCP" - cidr_blocks = local.security_group_cidrs.rdp.inbound - security_groups = [] - } - active_directory_web_services = { + } */ + /* active_directory_web_services = { description = "9389: Allow Active Directory Web Services ingress from Azure DC" from_port = 9389 to_port = 9389 protocol = "TCP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] + } */ + rpc_dynamic_udp = { + description = "49152-65535: UDP Dynamic Port range" + from_port = 49152 + to_port = 65535 + protocol = "UDP" + cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] + security_groups = [] } - rpc_dynamic = { - description = "49152-65535: Dynamic Port range" + rpc_dynamic_tcp = { + description = "49152-65535: TCP Dynamic 
Port range" from_port = 49152 to_port = 65535 protocol = "TCP" cidr_blocks = [for ip in module.ip_addresses.azure_fixngo_ips.devtest.domain_controllers : "${ip}/32"] security_groups = [] - } } egress = { @@ -507,7 +524,6 @@ locals { security_groups = [] } } - } } }
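Review bot: The new `smb_tcp` rule is the only rule in this block that does not set `security_groups = []`, and it ends on a truncated comment `# cidr_blocks = ["` that reads like a paste error; every sibling rule sets the attribute explicitly, so add `security_groups = []` after `cidr_blocks` and drop the dangling comment (whether the consuming module tolerates the missing attribute depends on its variable typing, which is not visible here). The `/* ... */`-disabled dns, ldap, ldap_ssl, global_catalog and active_directory_web_services rules would be clearer deleted than left as dead text, because as written it is hard to tell whether limiting the Azure DC ingress to 135/139/445 plus the 49152–65535 dynamic range on both TCP and UDP is intentional; that dynamic range is now the widest opening in the group, and a why-comment on `rpc_dynamic_tcp`/`rpc_dynamic_udp` such as `# RPC dynamic range needed for AD connectivity from the Azure DCs; keep scoped to the /32 DC list` would record the intent. Dropping `all-from-self` also means hosts that share this group can no longer reach each other on any port, which is fine for a single instance but worth confirming if more than one host will carry it. The enclosing `domain-controller-access` block's egress section continues past this hunk.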