From a13b49e7f45a0b4cdad8a82ea5f6dae4ced1e726 Mon Sep 17 00:00:00 2001 From: Hope Aitchison Date: Wed, 6 Mar 2024 18:24:05 +0000 Subject: [PATCH 1/3] adding new ingress rule to app and web csr servers --- .../locals_security_groups.tf | 42 ++++++++++++++++++- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf index 0da956c65ca..af7aa84f989 100644 --- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf +++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf @@ -8,6 +8,9 @@ locals { rdp = { inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.0.0/16"] } + # rdgateway = { + # inbound = [module.ip_addresses.mp_cidr.preproduction_production] + # } oracle_db = flatten([ module.ip_addresses.azure_fixngo_cidrs.devtest, module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, @@ -41,6 +44,9 @@ locals { module.ip_addresses.azure_fixngo_cidrs.prod, ]) } + # rdgateway = { + # inbound = [module.ip_addresses.mp_cidr.preproduction_production] + # } oracle_db = flatten([ module.ip_addresses.azure_fixngo_cidrs.prod, module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, @@ -125,7 +131,7 @@ locals { } } web = { - description = "New security group for web-servers" + description = "Security group for CSR web servers" ingress = { all-from-self = { description = "Allow all ingress to self" 
@@ -200,6 +206,22 @@ locals { protocol = "UDP" cidr_blocks = local.security_group_cidrs.jumpservers } + rdp_tcp_gw = { + description = "3389: Allow RDP ingress from domain services RDGateway" + from_port = 3389 + to_port = 3389 + protocol = "TCP" + # cidr_blocks = local.security_group_cidrs.rdgateway + cidr_blocks = ["10.27.0.0/16"] + } + rdp_udp_gw = { + description = "3389: Allow RDP ingress from domain services RDGateway" + from_port = 3389 + to_port = 3389 + protocol = "UDP" + # cidr_blocks = local.security_group_cidrs.rdgateway + cidr_blocks = ["10.27.0.0/16"] + } winrm_web = { description = "5985-6: Allow WinRM ingress" from_port = 5985 @@ -254,7 +276,7 @@ locals { } } app = { - description = "New security group for application servers" + description = "Security group for CSR application servers" ingress = { all-from-self = { description = "Allow all ingress to self" @@ -320,6 +342,22 @@ locals { protocol = "UDP" cidr_blocks = local.security_group_cidrs.jumpservers } + rdp_tcp_gw = { + description = "3389: Allow RDP ingress from domain services RDGateway" + from_port = 3389 + to_port = 3389 + protocol = "TCP" + # cidr_blocks = local.security_group_cidrs.rdgateway + cidr_blocks = ["10.27.0.0/16"] + } + rdp_udp_gw = { + description = "3389: Allow RDP ingress from domain services RDGateway" + from_port = 3389 + to_port = 3389 + protocol = "UDP" + # cidr_blocks = local.security_group_cidrs.rdgateway + cidr_blocks = ["10.27.0.0/16"] + } winrm_app = { description = "5985-6: Allow WinRM ingress" from_port = 5985 From 07464ea65e42725c1198231d59cf42ee77103f52 Mon Sep 17 00:00:00 2001 From: Hope Aitchison Date: Thu, 7 Mar 2024 12:09:08 +0000 Subject: [PATCH 2/3] changing description back as it caused force replacement --- .../corporate-staff-rostering/locals_security_groups.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
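Review bot: Both new rule pairs (rdp_tcp_gw/rdp_udp_gw on the web group here and the identical pair on the app group later in this line) open TCP and UDP 3389 to the literal `10.27.0.0/16`, an entire /16, while their descriptions say the source is the domain services RDGateway; nothing in the hunk ties that range to the gateway, and the local that was meant to carry it is left commented out on the line above. A hard-coded /16 for RDP with no explanation is the kind of value that never gets narrowed, so if it must stay broad for now, say what it is and why, e.g. `# 10.27.0.0/16: presumably the modernisation-platform range hosting the RDGateway; narrow to the gateway subnet once it is published`. The web and app `ingress` maps each begin and end outside their hunks.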
diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf index af7aa84f989..10f1580c8ec 100644 --- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf +++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf @@ -131,7 +131,7 @@ locals { } } web = { - description = "Security group for CSR web servers" + description = "New security group for web-servers" ingress = { all-from-self = { description = "Allow all ingress to self" @@ -276,7 +276,7 @@ locals { } } app = { - description = "Security group for CSR application servers" + description = "New security group for application servers" ingress = { all-from-self = { description = "Allow all ingress to self" From 8e881f8c7daba20b7cc3b2e17b40f45319c8f244 Mon Sep 17 00:00:00 2001 From: Hope Aitchison Date: Thu, 7 Mar 2024 15:38:45 +0000 Subject: [PATCH 3/3] using pre-existing locals for cidr block value --- .../locals_security_groups.tf | 28 +++++++------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf index 10f1580c8ec..ac48114fa0f 100644 --- a/terraform/environments/corporate-staff-rostering/locals_security_groups.tf +++ b/terraform/environments/corporate-staff-rostering/locals_security_groups.tf @@ -8,9 +8,7 @@ locals { rdp = { inbound = ["10.40.165.0/26", "10.112.3.0/26", "10.102.0.0/16"] } - # rdgateway = { - # inbound = [module.ip_addresses.mp_cidr.preproduction_production] - # } + rdgateway = [module.ip_addresses.mp_cidr.development_test] oracle_db = flatten([ module.ip_addresses.azure_fixngo_cidrs.devtest, module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, 
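Review bot: The reason the web and app description lines are being put back ("caused force replacement", per the commit message) lives only in git history, so the next maintainer will attempt the same rename and replace both security groups again. Put the constraint next to the value it protects, e.g. `# Do not edit: changing an aws_security_group description forces replacement of the group` above each `description` line. The enclosing `web` and `app` maps begin and end outside these hunks.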
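Review bot: `rdgateway = [module.ip_addresses.mp_cidr.development_test]` is a bare list, whereas its sibling `rdp` two lines up is an object keyed by `inbound`, so two CIDR locals feeding the same port are read in different shapes (`.rdp.inbound` vs `.rdgateway`). Either match the existing shape, `rdgateway = { inbound = [module.ip_addresses.mp_cidr.development_test] }`, and reference `local.security_group_cidrs.rdgateway.inbound` in the four rule blocks that use it, or add a one-line comment saying why this entry is flat. The production block in the next hunk has the same inconsistency, and the enclosing `security_group_cidrs` map starts and ends outside this hunk.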
@@ -44,9 +42,7 @@ locals { module.ip_addresses.azure_fixngo_cidrs.prod, ]) } - # rdgateway = { - # inbound = [module.ip_addresses.mp_cidr.preproduction_production] - # } + rdgateway = [module.ip_addresses.mp_cidr.preproduction_production] oracle_db = flatten([ module.ip_addresses.azure_fixngo_cidrs.prod, module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, @@ -207,20 +203,18 @@ locals { cidr_blocks = local.security_group_cidrs.jumpservers } rdp_tcp_gw = { - description = "3389: Allow RDP ingress from domain services RDGateway" + description = "3389: Allow RDP ingress from hmpps domain services RDGateway" from_port = 3389 to_port = 3389 protocol = "TCP" - # cidr_blocks = local.security_group_cidrs.rdgateway - cidr_blocks = ["10.27.0.0/16"] + cidr_blocks = local.security_group_cidrs.rdgateway } rdp_udp_gw = { - description = "3389: Allow RDP ingress from domain services RDGateway" + description = "3389: Allow RDP ingress from hmpps domain services RDGateway" from_port = 3389 to_port = 3389 protocol = "UDP" - # cidr_blocks = local.security_group_cidrs.rdgateway - cidr_blocks = ["10.27.0.0/16"] + cidr_blocks = local.security_group_cidrs.rdgateway } winrm_web = { description = "5985-6: Allow WinRM ingress" 
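Review bot: The rule descriptions claim the source is the hmpps domain services RDGateway, but `cidr_blocks = local.security_group_cidrs.rdgateway` resolves (per the locals hunks above) to `module.ip_addresses.mp_cidr.preproduction_production` or `.development_test`, which by their names appear to be whole platform ranges rather than a gateway address; every host in that range would get TCP and UDP 3389 to the CSR web tier, not just the gateway. If the domain-services team publishes the gateway subnet or a managed prefix list, scope the local to that; until then make the description match what is actually allowed, e.g. `description = "3389: Allow RDP ingress from hmpps domain services RDGateway (currently the whole MP CIDR)"`. The web `ingress` map begins and ends outside this hunk.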
@@ -343,20 +337,18 @@ locals { cidr_blocks = local.security_group_cidrs.jumpservers } rdp_tcp_gw = { - description = "3389: Allow RDP ingress from domain services RDGateway" + description = "3389: Allow RDP ingress from hmpps domain services RDGateway" from_port = 3389 to_port = 3389 protocol = "TCP" - # cidr_blocks = local.security_group_cidrs.rdgateway - cidr_blocks = ["10.27.0.0/16"] + cidr_blocks = local.security_group_cidrs.rdgateway } rdp_udp_gw = { - description = "3389: Allow RDP ingress from domain services RDGateway" + description = "3389: Allow RDP ingress from hmpps domain services RDGateway" from_port = 3389 to_port = 3389 protocol = "UDP" - # cidr_blocks = local.security_group_cidrs.rdgateway - cidr_blocks = ["10.27.0.0/16"] + cidr_blocks = local.security_group_cidrs.rdgateway } winrm_app = { description = "5985-6: Allow WinRM ingress"
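Review bot: The rdp_tcp_gw and rdp_udp_gw blocks here are byte-for-byte the same as the two added to the web group in the previous hunk, so the gateway source, ports and description are now maintained in four places and the next narrowing of the CIDR has to be applied to all of them. Defining the pair once as a local and merging it into each group's ingress map keeps a single place to change; the existing jumpserver rdp rules look to be duplicated the same way, though their definitions are outside this hunk. The app `ingress` map begins and ends outside this hunk.
```terraform
# RDP from the hmpps domain services RDGateway; shared by the web and app groups
rdp_gateway_ingress = {
  rdp_tcp_gw = {
    description = "3389: Allow RDP ingress from hmpps domain services RDGateway"
    from_port   = 3389
    to_port     = 3389
    protocol    = "TCP"
    cidr_blocks = local.security_group_cidrs.rdgateway
  }
  rdp_udp_gw = {
    description = "3389: Allow RDP ingress from hmpps domain services RDGateway"
    from_port   = 3389
    to_port     = 3389
    protocol    = "UDP"
    cidr_blocks = local.security_group_cidrs.rdgateway
  }
}

app = {
  description = "New security group for application servers"
  ingress = merge(local.rdp_gateway_ingress, {
    # … unchanged: existing app ingress rules (all-from-self, jumpserver rdp, winrm_app, …) …
  })
```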