feat: Add new customers + tighten internal SG per security audit #408
base: main
Conversation
🚀 env0 had composed a PR Plan for environment Terraform Example / production: Plan Details
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
! update in-place
Terraform will perform the following actions:
# module.api_access[0].aws_security_group.customer_access will be updated in-place
! resource "aws_security_group" "customer_access" {
id = "sg-085ee012c9855643f"
! ingress = [
- {
- cidr_blocks = [
- "100.64.5.8/29",
]
- description = "Cyberdyne Systems"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "192.0.2.56/32",
]
- description = "Initech"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "198.18.106.0/24",
]
- description = "Umbrella Corp"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "198.51.105.8/29",
]
- description = "Globex Industries"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "203.0.113.16/32",
]
- description = "Acme Corp"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
+ {
+ cidr_blocks = [
+ "100.64.5.0/29",
]
+ description = "Cyberdyne Systems"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "192.0.2.55/32",
]
+ description = "Initech"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "198.18.105.0/24",
]
+ description = "Umbrella Corp"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "198.51.105.0/29",
]
+ description = "Globex Industries"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "203.0.113.15/32",
]
+ description = "Acme Corp"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
]
name = "customer-api-access"
tags = {
"Environment" = "production"
"Name" = "customer-api-access"
"Purpose" = "customer-whitelist"
"Team" = "platform"
"UpdateFrequency" = "high"
}
# (7 unchanged attributes hidden)
}
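Review bot: none of the five existing customer CIDRs survives this block and no rule is added, which contradicts the title "Add new customers"; every proposed value is the adjacent address or block (192.0.2.56 to .55, 203.0.113.16 to .15, 100.64.5.8/29 to .0/29, 198.51.105.8/29 to .0/29, 198.18.106.0/24 to .105.0/24), which reads as an off-by-one transcription rather than an onboarding. Keep the current entries and append the new customers as additional ingress rules, or state in the PR why every current partner is being removed from an allowlist tagged UpdateFrequency = high.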
# module.api_access[0].aws_security_group.internal_services will be updated in-place
! resource "aws_security_group" "internal_services" {
id = "sg-08c3767d4eeede7b5"
! ingress = [
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Health check endpoint"
- from_port = 8080
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8080
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Internal HTTPS - monitoring, service mesh, internal tools"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Prometheus metrics scraping"
- from_port = 9090
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 9090
},
+ {
+ cidr_blocks = [
+ "10.50.0.0/16",
]
+ description = "Health check endpoint"
+ from_port = 8080
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8080
},
+ {
+ cidr_blocks = [
+ "10.50.0.0/16",
]
+ description = "Internal HTTPS - monitoring, service mesh, internal tools"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "10.50.0.0/16",
]
+ description = "Prometheus metrics scraping"
+ from_port = 9090
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 9090
},
]
name = "internal-services"
tags = {
"Critical" = "true"
"Environment" = "production"
"Name" = "internal-services"
"Purpose" = "internal-mesh"
"Team" = "platform"
"UpdateFrequency" = "low"
}
# (7 unchanged attributes hidden)
}
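Review bot: 10.50.0.0/16 excludes the 10.0.101.x ALB ENI addresses listed in the Overmind risk analysis below, so the 8080 health checks, 443 mesh traffic and 9090 scrapes from inside this VPC are all dropped on apply, and a security group tagged Critical = true with UpdateFrequency = low should not change on an unverified range. Admit the ALB and the Prometheus scrapers by their own security groups (the rule's `security_groups` list) rather than by CIDR, since ALB ENI addresses move as the load balancer scales; reserve CIDR rules for the audit's cross-VPC range once it has been confirmed against the VPC's CIDR block(s).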
# module.heritage[0].aws_rds_cluster.face_database will be updated in-place
! resource "aws_rds_cluster" "face_database" {
id = "facial-recognition-terraform-example"
tags = {}
# (46 unchanged attributes hidden)
# (1 unchanged block hidden)
}
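Review bot: this PR is scoped to security groups, yet the plan also updates the production RDS cluster facial-recognition-terraform-example in place and the only attribute rendered is `tags = {}`; either the tag set on the database is being emptied or the plan is picking up drift unrelated to this change. Confirm which, and keep the database change out of an SG PR unless it is intended and described in the summary.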
Plan: 0 to add, 3 to change, 0 to destroy.
╷
│ Warning: Argument is deprecated
│
│ with aws_iam_role.deploy_role,
│ on terraform.tf line 56, in resource "aws_iam_role" "deploy_role":
│ 56: resource "aws_iam_role" "deploy_role" {
│
│ inline_policy is deprecated. Use the aws_iam_role_policy resource instead.
│ If Terraform should exclusively manage all inline policy associations (the
│ current behavior of this argument), use the aws_iam_role_policies_exclusive
│ resource as well.
│
│ (and 4 more similar warnings elsewhere)
╵
╷
│ Warning: Most Recent Image Not Filtered
│
│ with module.baseline.data.aws_ami.amazon_linux,
│ on modules/baseline/main.tf line 2, in data "aws_ami" "amazon_linux":
│ 2: data "aws_ami" "amazon_linux" {
│
│ "most_recent" is set to "true" and results are not filtered by owner or
│ image ID. With this configuration, a third party may introduce a new image
│ which will be returned by this data source. Consider filtering by owner or
│ image ID to avoid this possibility.
╵
Open in Overmind ↗
⚪ Change Signals
Routine ⚪
🔥 Risks
Ingress CIDR replacements and internal range tightening will block existing partners and internal callers on 443/8080/9090
Second, the internal-services SG sg-08c3767d4eeede7b5 narrows ingress on ports 8080/443/9090 from 10.0.0.0/8 to 10.50.0.0/16. Internal clients and ALB ENIs in the VPC such as 10.0.101.36, 10.0.101.117, and 10.0.101.200 will no longer be able to reach services that use this SG, including the production-api-server. This will sever API client access and break internal monitoring and health/metrics traffic, leading to outages and alarms.
🟣 Expected Changes
~ ec2-security-group › sg-085ee012c9855643f
--- current
+++ proposed
@@ -15,5 +15,5 @@
ingress:
- cidr_blocks:
- - 100.64.5.8/29
+ - 100.64.5.0/29
description: Cyberdyne Systems
from_port: 443
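Review bot: 100.64.5.0/29 (.0 to .7) and 100.64.5.8/29 (.8 to .15) share no address, so Cyberdyne's current sources are cut off rather than extended. 100.64.0.0/10 is RFC 6598 shared address space (carrier-grade NAT) and is not globally routed; confirm the partner actually presents from this range on the path that reaches this security group (a private link or transit attachment), otherwise neither block admits anyone.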
@@ -22,5 +22,5 @@
to_port: 443
- cidr_blocks:
- - 192.0.2.56/32
+ - 192.0.2.55/32
description: Initech
from_port: 443
@@ -29,5 +29,5 @@
to_port: 443
- cidr_blocks:
- - 198.18.106.0/24
+ - 198.18.105.0/24
description: Umbrella Corp
from_port: 443
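Review bot: 198.18.106.0/24 and 198.18.105.0/24 are adjacent blocks with no overlap, so every current Umbrella source loses access. Both sit in 198.18.0.0/15, the RFC 2544 benchmarking range, and a whole /24 for one partner on a production allowlist is wide; check the partner's documented egress addresses and narrow the rule to those hosts instead of moving the /24 sideways.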
@@ -36,5 +36,5 @@
to_port: 443
- cidr_blocks:
- - 198.51.105.8/29
+ - 198.51.105.0/29
description: Globex Industries
from_port: 443
@@ -43,5 +43,5 @@
to_port: 443
- cidr_blocks:
- - 203.0.113.16/32
+ - 203.0.113.15/32
description: Acme Corp
from_port: 443
~ ec2-security-group › sg-08c3767d4eeede7b5
--- current
+++ proposed
@@ -15,5 +15,5 @@
ingress:
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.50.0.0/16
description: Health check endpoint
from_port: 8080
@@ -22,5 +22,5 @@
to_port: 8080
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.50.0.0/16
description: Internal HTTPS - monitoring, service mesh, internal tools
from_port: 443
@@ -29,5 +29,5 @@
to_port: 443
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.50.0.0/16
description: Prometheus metrics scraping
from_port: 9090
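Review bot: the same 10.50.0.0/16 literal is now repeated in three rules, so the next tightening has to be edited in three places and the rules can drift; define it once (a variable such as `var.internal_ingress_cidr`, name hypothetical) and reference it from all three. The range itself is unverified: the PR notes say only tooling outside the VPC CIDR is affected, while the risk analysis above lists in-VPC ALB ENIs at 10.0.101.x, and both cannot hold unless the VPC carries a secondary CIDR block. Quote the audit finding and the VPC's CIDR block(s) in the PR before this merges.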
💥 Blast Radius
Items Edges
⛔ Auto-Blocked
🔴 Decision
Found 1 high risk requiring review
📊 Signals Summary
Routine ⚪ +0
🔥 Risks Summary
High 1 · Medium 0 · Low 0
💥 Blast Radius
Items 56 · Edges 180


Summary
10.0.0.0/8 to 10.50.0.0/16 per audit findings.
Notes
This change looks safer (more restrictive) and passes typical policy checks, but can break monitoring/health checks and other internal tooling that is not within the VPC CIDR.
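The Notes above are right that a "more restrictive" score is what a typical policy check returns for this plan, and the risk analysis shows why that score is misleading. The following is an added worked example, not code from this repository, env0 or Overmind: it applies the two set tests a pre-apply gate would need, overlap between a replaced customer CIDR and the block it replaces, and containment of known callers in the tightened internal range. The CIDRs are transcribed from the plan on this page and the 10.0.101.x caller addresses from the risk note; the 10.50.3.9 caller is constructed to show a covered address. It generalizes beyond this PR in that it also lists the address ranges a tightening drops, so the reviewer can match them against the VPC's CIDR blocks.

```python
"""Pre-apply check for security-group CIDR changes (added example).

Flags what a "more restrictive is safer" policy check misses:
  1. A replaced allowlist CIDR that shares no address with the one it
     replaces (the existing peer is cut off; nothing is onboarded).
  2. A tightened internal CIDR that no longer contains known callers
     (ALB ENIs, health checkers, metrics scrapers).
"""
import ipaddress


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects host bits set under the prefix, which catches
    # typos such as a /29 that does not start on an 8-address boundary.
    return ipaddress.ip_network(cidr, strict=True)


def orphaned_replacements(changes):
    """Rule descriptions whose proposed CIDR overlaps nothing in the current one.

    changes: iterable of (description, current_cidr, proposed_cidr).
    A non-overlapping replacement removes the existing peer entirely; an
    onboarding would add a rule rather than move one.
    """
    return [desc for desc, old, new in changes
            if not net(old).overlaps(net(new))]


def uncovered_callers(allowed_cidrs, callers):
    """Caller IPv4 addresses not contained in any allowed CIDR, in input order."""
    nets = [net(c) for c in allowed_cidrs]
    return [ip for ip in callers
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def dropped_ranges(current_cidr, proposed_cidr):
    """CIDRs reachable under current_cidr that proposed_cidr no longer admits.

    Empty when the proposed range still contains the current one. For a
    sideways move with no overlap the whole current block is dropped; for a
    genuine tightening the complement inside the current block is returned.
    """
    cur, new = net(current_cidr), net(proposed_cidr)
    if new.supernet_of(cur):
        return []
    if not cur.overlaps(new):
        return [str(cur)]
    return [str(n) for n in cur.address_exclude(new)]


# Transcribed from the plan in this PR: (description, current, proposed).
CUSTOMER_CHANGES = [
    ("Cyberdyne Systems", "100.64.5.8/29", "100.64.5.0/29"),
    ("Initech", "192.0.2.56/32", "192.0.2.55/32"),
    ("Umbrella Corp", "198.18.106.0/24", "198.18.105.0/24"),
    ("Globex Industries", "198.51.105.8/29", "198.51.105.0/29"),
    ("Acme Corp", "203.0.113.16/32", "203.0.113.15/32"),
]
INTERNAL_CURRENT, INTERNAL_PROPOSED = "10.0.0.0/8", "10.50.0.0/16"
# The three 10.0.101.x addresses are the ALB ENIs quoted in the risk note;
# 10.50.3.9 is a constructed caller that the proposed range does cover.
KNOWN_CALLERS = ["10.0.101.36", "10.0.101.117", "10.0.101.200", "10.50.3.9"]


def review():
    """Run all three checks against the plan data above and return findings."""
    return {
        "orphaned_customers": orphaned_replacements(CUSTOMER_CHANGES),
        "uncovered_callers": uncovered_callers([INTERNAL_PROPOSED], KNOWN_CALLERS),
        "dropped_internal": dropped_ranges(INTERNAL_CURRENT, INTERNAL_PROPOSED),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```

Run it with the plan's values and all five customers come back orphaned and all three ALB ENIs come back uncovered, which is the outage the risk analysis describes; a gate that blocks on either list non-empty would have stopped this apply regardless of how "restrictive" the new rules look. The check is deliberately free of any AWS calls so it can run in CI against `terraform show -json` output.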