diff --git a/terraform/environments/xhibit-portal/network-infrastructure.tf b/terraform/environments/xhibit-portal/network-infrastructure.tf
index 1a2739a69cd..62c3f0c0a4a 100644
--- a/terraform/environments/xhibit-portal/network-infrastructure.tf
+++ b/terraform/environments/xhibit-portal/network-infrastructure.tf
@@ -84,667 +84,657 @@ resource "aws_security_group" "iisrelay_server" { vpc_id = local.vpc_id } +# AWS Security Group Rules + resource "aws_security_group_rule" "build-inbound-bastion" { - depends_on = [aws_security_group.build_server] - security_group_id = aws_security_group.build_server.id + description = "allow all traffic from bastion" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.build_server.id + depends_on = [aws_security_group.build_server] } resource "aws_security_group_rule" "build-outbound-bastion" { - depends_on = [aws_security_group.build_server] - security_group_id = aws_security_group.build_server.id + description = "allow all traffic to bastion" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.build_server.id + depends_on = [aws_security_group.build_server] } resource "aws_security_group_rule" "exchange-inbound-importmachine" { - depends_on = [aws_security_group.exchange_server] - security_group_id = aws_security_group.exchange_server.id + description = "allow all traffic from importmachine" type = "ingress" - description = "allow all from importmachine" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.exchange_server.id + depends_on = [aws_security_group.exchange_server] } resource "aws_security_group_rule" "exchange-outbound-all" { - depends_on = [aws_security_group.exchange_server] - security_group_id = aws_security_group.exchange_server.id + description = "allow all traffic to any IP address" type = "egress" - description = "allow all" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = 
["::/0"] + security_group_id = aws_security_group.exchange_server.id + depends_on = [aws_security_group.exchange_server] } resource "aws_security_group_rule" "exchange-inbound-app" { - depends_on = [aws_security_group.exchange_server] - security_group_id = aws_security_group.exchange_server.id + description = "allow all traffic from app_servers" type = "ingress" - description = "allow all" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.app_servers.id + security_group_id = aws_security_group.exchange_server.id + depends_on = [aws_security_group.exchange_server] } resource "aws_security_group_rule" "exchange-inbound-bastion" { - depends_on = [aws_security_group.exchange_server] - security_group_id = aws_security_group.exchange_server.id + description = "allow all traffic from bastion" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.exchange_server.id + depends_on = [aws_security_group.exchange_server] } resource "aws_security_group_rule" "sms-inbound-bastion" { + description = "allow RDP traffic from bastion" + type = "ingress" from_port = 3389 - protocol = "TCP" - security_group_id = aws_security_group.sms_server.id to_port = 3389 - type = "ingress" + protocol = "TCP" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.sms_server.id } resource "aws_security_group_rule" "sms-inbound-importmachine" { - depends_on = [aws_security_group.sms_server] - security_group_id = aws_security_group.sms_server.id - type = "ingress" - # description update gg 21 Oct - description = "allow all from importmachine" + description = "allow all traffic from importmachine" + type = "ingress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = 
aws_security_group.sms_server.id + depends_on = [aws_security_group.sms_server] } resource "aws_security_group_rule" "sms-inbound-app" { - depends_on = [aws_security_group.sms_server] - security_group_id = aws_security_group.sms_server.id + description = "allow all traffic from app_servers" type = "ingress" - description = "allow all from app" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.app_servers.id + security_group_id = aws_security_group.sms_server.id + depends_on = [aws_security_group.sms_server] } resource "aws_security_group_rule" "sms-outbound-importmachine" { - depends_on = [aws_security_group.sms_server] - security_group_id = aws_security_group.sms_server.id + description = "allow all traffic to importmachine" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.sms_server.id + depends_on = [aws_security_group.sms_server] } - - -resource "aws_security_group_rule" "sms-outbound-all-ipv4" { - depends_on = [aws_security_group.sms_server] - security_group_id = aws_security_group.sms_server.id +resource "aws_security_group_rule" "sms-outbound-all" { + description = "allow all traffic to any IP address" type = "egress" - description = "allow all ipv4" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "sms-outbound-all-ipv6" { - depends_on = [aws_security_group.sms_server] - security_group_id = aws_security_group.sms_server.id - type = "egress" - description = "allow all ipv6" - from_port = 0 - to_port = 0 - protocol = "-1" ipv6_cidr_blocks = ["::/0"] + security_group_id = aws_security_group.sms_server.id + depends_on = [aws_security_group.sms_server] } resource "aws_security_group_rule" "waf_lb-inbound-importmachine" { - depends_on = [aws_security_group.waf_lb] - security_group_id = aws_security_group.waf_lb.id + 
description = "allow all traffic from importmachine" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.waf_lb.id + depends_on = [aws_security_group.waf_lb] } resource "aws_security_group_rule" "waf_lb-outbound-importmachine" { - depends_on = [aws_security_group.waf_lb] - security_group_id = aws_security_group.waf_lb.id + description = "allow all traffic to importmachine" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id -} - -resource "aws_security_group_rule" "prtg_lb-inbound-importmachine" { - depends_on = [aws_security_group.prtg_lb] - security_group_id = aws_security_group.prtg_lb.id - type = "ingress" - description = "allow HTTPS from prtg-lb to importmachine" - from_port = 443 - to_port = 443 - protocol = "TCP" - source_security_group_id = aws_security_group.importmachine.id -} - -resource "aws_security_group_rule" "prtg_lb-outbound-importmachine" { - depends_on = [aws_security_group.prtg_lb] - security_group_id = aws_security_group.prtg_lb.id - type = "egress" - description = "allow HTTPS to prtg-lb from importmachine" - from_port = 443 - to_port = 443 - protocol = "TCP" - source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.waf_lb.id + depends_on = [aws_security_group.waf_lb] } resource "aws_security_group_rule" "egress-to-portal" { - depends_on = [aws_security_group.waf_lb] - security_group_id = aws_security_group.waf_lb.id + description = "allow HTTP traffic to portal_server" type = "egress" - description = "allow web traffic to get to portal" from_port = 80 to_port = 80 protocol = "TCP" source_security_group_id = aws_security_group.portal_server.id + security_group_id = aws_security_group.waf_lb.id + depends_on = [aws_security_group.waf_lb] } 
resource "aws_security_group_rule" "waf_lb_allow_web_users" { - depends_on = [aws_security_group.waf_lb] - security_group_id = aws_security_group.waf_lb.id + description = "allow HTTPS traffic to waf_lb" type = "ingress" - description = "allow web traffic to get to ingestion server" from_port = 443 to_port = 443 protocol = "TCP" cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = ["::/0"] + security_group_id = aws_security_group.waf_lb.id + depends_on = [aws_security_group.waf_lb] +} + +resource "aws_security_group_rule" "prtg_lb-inbound-importmachine" { + description = "allow HTTPS traffic from importmachine" + type = "ingress" + from_port = 443 + to_port = 443 + protocol = "TCP" + source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.prtg_lb.id + depends_on = [aws_security_group.prtg_lb] +} + +resource "aws_security_group_rule" "prtg_lb-outbound-importmachine" { + description = "allow HTTPS traffic to importmachine" + type = "egress" + from_port = 443 + to_port = 443 + protocol = "TCP" + source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.prtg_lb.id + depends_on = [aws_security_group.prtg_lb] } resource "aws_security_group_rule" "prtg_lb_allow_web_users" { - depends_on = [aws_security_group.prtg_lb] - security_group_id = aws_security_group.prtg_lb.id + description = "allow HTTPS traffic from any IP address" type = "ingress" - description = "allow web traffic to get to prtg Load Balancer over SSL " from_port = 443 to_port = 443 protocol = "TCP" cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = ["::/0"] + security_group_id = aws_security_group.prtg_lb.id + depends_on = [aws_security_group.prtg_lb] } - resource "aws_security_group_rule" "ingestion_server-inbound-bastion" { - depends_on = [aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id + description = "allow all traffic from bastion" type = "ingress" - description = "allow 
all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion_server-outbound-bastion" { - depends_on = [aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id + description = "allow all traffic to bastion" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion_server-inbound-importmachine" { - depends_on = [aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id + description = "allow all traffic from importmachine" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion_server-outbound-importmachine" { - depends_on = [aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id + description = "allow all traffic to importmachine" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.ingestion_server] } resource "aws_security_group_rule" "portal_server-inbound-bastion" { - depends_on = [aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id + 
description = "allow all traffic from bastion" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.portal_server.id + depends_on = [aws_security_group.portal_server] } resource "aws_security_group_rule" "portal_server-outbound-bastion" { + description = "allow all traffic to bastion" + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.portal_server.id depends_on = [aws_security_group.portal_server] +} + +resource "aws_security_group_rule" "portal-inbound-importmachine" { + description = "allow all traffic from importmachine" + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + source_security_group_id = aws_security_group.importmachine.id security_group_id = aws_security_group.portal_server.id + depends_on = [aws_security_group.portal_server] +} + +resource "aws_security_group_rule" "portal-outbound-importmachine" { + description = "allow all traffic to importmachine" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = module.bastion_linux.bastion_security_group + source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.portal_server.id + depends_on = [aws_security_group.portal_server] +} + +resource "aws_security_group_rule" "portal-http-from-waf-lb" { + description = "allow HTTP traffic from waf_lb" + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "TCP" + source_security_group_id = aws_security_group.waf_lb.id + security_group_id = aws_security_group.portal_server.id + depends_on = [aws_security_group.waf_lb, aws_security_group.portal_server] +} + +resource "aws_security_group_rule" "portal-http-to-waf-lb" { + description = "allow 
HTTP traffic to waf_lb" + type = "egress" + from_port = 80 + to_port = 80 + protocol = "TCP" + source_security_group_id = aws_security_group.waf_lb.id + security_group_id = aws_security_group.portal_server.id + depends_on = [aws_security_group.waf_lb, aws_security_group.portal_server] } resource "aws_security_group_rule" "app_servers-inbound-importmachine" { - depends_on = [aws_security_group.app_servers] - security_group_id = aws_security_group.app_servers.id + description = "allow all traffic from importmachine" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers] } resource "aws_security_group_rule" "app_servers-outbound-importmachine" { - depends_on = [aws_security_group.app_servers] - security_group_id = aws_security_group.app_servers.id + description = "allow all traffic to importmachine" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers] } resource "aws_security_group_rule" "app_servers-inbound-bastion" { - depends_on = [aws_security_group.app_servers] - security_group_id = aws_security_group.app_servers.id + description = "allow all traffic from bastion" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers] } resource "aws_security_group_rule" "app_servers-outbound-bastion" { - depends_on = [aws_security_group.app_servers] - security_group_id = aws_security_group.app_servers.id + description = "allow all traffic to 
bastion" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers] } -resource "aws_security_group_rule" "portal-inbound-importmachine" { - depends_on = [aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id +resource "aws_security_group_rule" "app-all-from-self" { + description = "allow all traffic from local server" + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + self = true + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers] +} + +resource "aws_security_group_rule" "app-all-to-self" { + description = "allow all traffic to local server" + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + self = true + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers] +} + +resource "aws_security_group_rule" "app-all-from-ingestion" { + description = "allow all traffic from ingestion_server" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = aws_security_group.importmachine.id + source_security_group_id = aws_security_group.ingestion_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] } -resource "aws_security_group_rule" "portal-outbound-importmachine" { - depends_on = [aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id +resource "aws_security_group_rule" "app-all-to-ingestion" { + description = "allow all traffic from ingestion_server" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = 
aws_security_group.importmachine.id -} - -resource "aws_security_group_rule" "portal-http-from-waf-lb" { - depends_on = [aws_security_group.waf_lb, aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id - type = "ingress" - description = "allow HTTP traffic from WAF LB" - from_port = 80 - to_port = 80 - protocol = "TCP" - source_security_group_id = aws_security_group.waf_lb.id + source_security_group_id = aws_security_group.ingestion_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] } -resource "aws_security_group_rule" "portal-http-to-waf-lb" { - depends_on = [aws_security_group.waf_lb, aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id - type = "egress" - description = "allow HTTP traffic to WAF LB" - from_port = 80 - to_port = 80 - protocol = "TCP" - source_security_group_id = aws_security_group.waf_lb.id -} resource "aws_security_group_rule" "ingestion-lb-inbound-importmachine" { - depends_on = [aws_security_group.ingestion_lb] - security_group_id = aws_security_group.ingestion_lb.id + description = "allow all traffic from importmachine" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.ingestion_lb.id + depends_on = [aws_security_group.ingestion_lb] } resource "aws_security_group_rule" "ingestion-lb-outbound-importmachine" { - depends_on = [aws_security_group.ingestion_lb] - security_group_id = aws_security_group.ingestion_lb.id + description = "allow all traffic to importmachine" type = "egress" - description = "allow all to bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.ingestion_lb.id + depends_on = 
[aws_security_group.ingestion_lb] } resource "aws_security_group_rule" "ingestion-lb-http-from-ingestion-server" { - depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_lb.id + description = "allow all traffic from ingestion_server" type = "ingress" - description = "allow all traffic from ingestion server" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.ingestion_server.id + security_group_id = aws_security_group.ingestion_lb.id + depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion-lb-http-to-ingestion-server" { - depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_lb.id + description = "allow all traffic to ingestion_server" type = "egress" - description = "allow all traffic to ingestion server" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.ingestion_server.id + security_group_id = aws_security_group.ingestion_lb.id + depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion-server-http-from-ingestion-lb" { - depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id - type = "ingress" description = "allow all traffic from ingestion LB" + type = "ingress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.ingestion_lb.id + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion-server-http-to-ingestion-lb" { - depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] - security_group_id = 
aws_security_group.ingestion_server.id - type = "egress" description = "allow all traffic to ingestion LB" + type = "egress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.ingestion_lb.id -} - -resource "aws_security_group_rule" "app-all-from-self" { - depends_on = [aws_security_group.app_servers] - security_group_id = aws_security_group.app_servers.id - type = "ingress" - description = "allow all traffic from local server" - from_port = 0 - to_port = 0 - protocol = "-1" - self = true -} - -resource "aws_security_group_rule" "app-all-to-self" { - depends_on = [aws_security_group.app_servers] - security_group_id = aws_security_group.app_servers.id - type = "egress" - description = "allow all traffic to local server" - from_port = 0 - to_port = 0 - protocol = "-1" - self = true -} - -resource "aws_security_group_rule" "app-all-from-ingestion" { - depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] - security_group_id = aws_security_group.app_servers.id - type = "ingress" - description = "allow all traffic from ingestion server" - from_port = 0 - to_port = 0 - protocol = "-1" - source_security_group_id = aws_security_group.ingestion_server.id + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.ingestion_lb, aws_security_group.ingestion_server] } resource "aws_security_group_rule" "ingestion-all-from-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id + description = "allow all traffic from app_servers" type = "ingress" - description = "allow all traffic from app" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.app_servers.id + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] } -resource "aws_security_group_rule" 
"app-all-to-ingestion" { - depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] - security_group_id = aws_security_group.app_servers.id +resource "aws_security_group_rule" "ingestion-all-to-app" { + description = "allow all traffic to app_servers" type = "egress" - description = "allow all traffic from ingestion server" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = aws_security_group.ingestion_server.id + source_security_group_id = aws_security_group.app_servers.id + security_group_id = aws_security_group.ingestion_server.id + depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] } -resource "aws_security_group_rule" "ingestion-all-to-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] - security_group_id = aws_security_group.ingestion_server.id - type = "egress" - description = "allow all traffic to ingestion server" +resource "aws_security_group_rule" "exchange-all-to-app" { + description = "allow all traffic from exchange_server" + type = "ingress" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = aws_security_group.app_servers.id + source_security_group_id = aws_security_group.exchange_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } resource "aws_security_group_rule" "exchange-all-from-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.app_servers.id + description = "allow all traffic to exchange_server" type = "egress" - description = "allow all traffic to Exchange server" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.exchange_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } -resource 
"aws_security_group_rule" "exchange-all-to-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.app_servers.id +resource "aws_security_group_rule" "sms-all-to-app" { + description = "allow all traffic from SMS server" type = "ingress" - description = "allow all traffic from Exchange server" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = aws_security_group.exchange_server.id + source_security_group_id = aws_security_group.sms_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } resource "aws_security_group_rule" "sms-all-from-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.app_servers.id - type = "egress" description = "allow all traffic to SMS server" + type = "egress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.sms_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } -resource "aws_security_group_rule" "sms-all-to-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.app_servers.id +resource "aws_security_group_rule" "app-all-from-portal" { + description = "allow all traffic from portal server" type = "ingress" - description = "allow all traffic from SMS server" from_port = 0 to_port = 0 protocol = "-1" - source_security_group_id = aws_security_group.sms_server.id + source_security_group_id = aws_security_group.portal_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } -resource "aws_security_group_rule" "app-all-from-portal" { - depends_on = [aws_security_group.app_servers, 
aws_security_group.portal_server] - security_group_id = aws_security_group.app_servers.id - type = "ingress" - description = "allow all traffic from portal server" +resource "aws_security_group_rule" "app-all-to-portal" { + description = "allow all traffic to portal server" + type = "egress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.portal_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } resource "aws_security_group_rule" "portal-all-from-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id + description = "allow all traffic from app_servers" type = "ingress" - description = "allow all traffic from app" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.app_servers.id -} - -resource "aws_security_group_rule" "app-all-to-portal" { + security_group_id = aws_security_group.portal_server.id depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.app_servers.id - type = "egress" - description = "allow all traffic to portal server" - from_port = 0 - to_port = 0 - protocol = "-1" - source_security_group_id = aws_security_group.portal_server.id } resource "aws_security_group_rule" "portal-all-to-app" { - depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] - security_group_id = aws_security_group.portal_server.id + description = "allow all traffic to app_servers" type = "egress" - description = "allow all traffic to app" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.app_servers.id + security_group_id = aws_security_group.portal_server.id + depends_on = [aws_security_group.app_servers, aws_security_group.portal_server] } resource "aws_security_group_rule" 
"iisrelay-inbound-importmachine" { - depends_on = [aws_security_group.iisrelay_server] - security_group_id = aws_security_group.iisrelay_server.id + description = "allow all traffic from importmachine" type = "ingress" - description = "allow all from importmachine" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.importmachine.id + security_group_id = aws_security_group.iisrelay_server.id + depends_on = [aws_security_group.iisrelay_server] } resource "aws_security_group_rule" "iisrelay-outbound-all" { - depends_on = [aws_security_group.iisrelay_server] - security_group_id = aws_security_group.iisrelay_server.id + description = "allow all traffic to any IP address" type = "egress" - description = "allow all" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = ["::/0"] + security_group_id = aws_security_group.iisrelay_server.id + depends_on = [aws_security_group.iisrelay_server] } resource "aws_security_group_rule" "iisrelay-inbound-app" { - depends_on = [aws_security_group.iisrelay_server] - security_group_id = aws_security_group.iisrelay_server.id + description = "allow all traffic from app_servers" type = "ingress" - description = "allow all" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.app_servers.id + security_group_id = aws_security_group.iisrelay_server.id + depends_on = [aws_security_group.iisrelay_server] } resource "aws_security_group_rule" "iisrelay-inbound-bastion" { - depends_on = [aws_security_group.iisrelay_server] - security_group_id = aws_security_group.iisrelay_server.id + description = "allow all traffic from bastion" type = "ingress" - description = "allow all from bastion" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = module.bastion_linux.bastion_security_group + security_group_id = aws_security_group.iisrelay_server.id + depends_on = [aws_security_group.iisrelay_server] } resource "aws_security_group_rule" 
"iisrelay-inbound-exchange" { - depends_on = [aws_security_group.iisrelay_server] - security_group_id = aws_security_group.iisrelay_server.id + description = "allow all traffic from exchange_server" type = "ingress" - description = "allow from exchange" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.exchange_server.id + security_group_id = aws_security_group.iisrelay_server.id + depends_on = [aws_security_group.iisrelay_server] } -resource "aws_security_group_rule" "app-all-to-iisrelay" { - depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] - security_group_id = aws_security_group.app_servers.id - type = "egress" - description = "allow all app traffic from iisrelay" +resource "aws_security_group_rule" "iisrelay-to-app-all" { + description = "allow all traffic from iisrelay_server" + type = "ingress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.iisrelay_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] } -resource "aws_security_group_rule" "iisrelay-to-app-all" { - depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] - security_group_id = aws_security_group.app_servers.id - type = "ingress" - description = "allow all iisrelay to appservers" +resource "aws_security_group_rule" "app-all-to-iisrelay" { + description = "allow all traffic to iisrelay_server" + type = "egress" from_port = 0 to_port = 0 protocol = "-1" source_security_group_id = aws_security_group.iisrelay_server.id + security_group_id = aws_security_group.app_servers.id + depends_on = [aws_security_group.app_servers, aws_security_group.ingestion_server] }
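Review bot: The rewritten `app-all-to-ingestion` rule (the resource following `app-all-from-ingestion` in this hunk) is `type = "egress"` but its new description reads `"allow all traffic from ingestion_server"`, which looks like a copy of the ingress rule above it; it should be `description = "allow all traffic to ingestion_server"`. Several of the re-emitted `depends_on` lists also name security groups the rule does not reference — `exchange-all-to-app`, `exchange-all-from-app`, `sms-all-to-app` and `sms-all-from-app` depend on `aws_security_group.portal_server`, and `iisrelay-to-app-all` / `app-all-to-iisrelay` depend on `aws_security_group.ingestion_server` — and since the `security_group_id` and `source_security_group_id` references already create implicit dependencies, those explicit lists are redundant and, as written, misleading to the next reader. Because the hunk keeps all-protocol (`protocol = "-1"`) rules between every tier and the `0.0.0.0/0` / `::/0` egress on the exchange, sms and iisrelay groups, the `description` strings are the main per-rule audit signal visible in the console, so they are worth getting exactly right. I would either drop the stray `depends_on` entries or align them with the groups each rule actually touches, e.g. `depends_on = [aws_security_group.app_servers, aws_security_group.iisrelay_server]` for the two iisrelay rules.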