security: narrow internal ingress CIDR (JIRA-4521) #411
base: main
🚀 env0 had composed a PR Plan for environment Terraform Example / production:
Plan Details
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
! update in-place
Terraform will perform the following actions:
# module.api_access[0].aws_security_group.customer_access will be updated in-place
! resource "aws_security_group" "customer_access" {
id = "sg-085ee012c9855643f"
! ingress = [
- {
- cidr_blocks = [
- "100.64.5.8/29",
]
- description = "Cyberdyne Systems"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "192.0.2.56/32",
]
- description = "Initech"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "198.18.106.0/24",
]
- description = "Umbrella Corp"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "198.51.105.8/29",
]
- description = "Globex Industries"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "203.0.113.16/32",
]
- description = "Acme Corp"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
+ {
+ cidr_blocks = [
+ "100.64.5.0/29",
]
+ description = "Cyberdyne Systems"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "192.0.2.55/32",
]
+ description = "Initech"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "198.18.106.0/25",
]
+ description = "Umbrella Corp"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "198.51.105.0/29",
]
+ description = "Globex Industries"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "203.0.113.15/32",
]
+ description = "Acme Corp"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
]
name = "customer-api-access"
tags = {
"Environment" = "production"
"Name" = "customer-api-access"
"Purpose" = "customer-whitelist"
"Team" = "platform"
"UpdateFrequency" = "high"
}
# (7 unchanged attributes hidden)
}
# module.api_access[0].aws_security_group.internal_services will be updated in-place
! resource "aws_security_group" "internal_services" {
id = "sg-08c3767d4eeede7b5"
! ingress = [
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Health check endpoint"
- from_port = 8080
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8080
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Internal HTTPS - monitoring, service mesh, internal tools"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Prometheus metrics scraping"
- from_port = 9090
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 9090
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Health check endpoint"
+ from_port = 8080
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8080
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Internal HTTPS - monitoring, service mesh, internal tools"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Prometheus metrics scraping"
+ from_port = 9090
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 9090
},
]
name = "internal-services"
tags = {
"Critical" = "true"
"Environment" = "production"
"Name" = "internal-services"
"Purpose" = "internal-mesh"
"Team" = "platform"
"UpdateFrequency" = "low"
}
# (7 unchanged attributes hidden)
}
# module.heritage[0].aws_rds_cluster.face_database will be updated in-place
! resource "aws_rds_cluster" "face_database" {
id = "facial-recognition-terraform-example"
tags = {}
# (46 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
Open in Overmind ↗
⚪ Change Signals
Routine ⚪
🔥 Risks
Port 443 CIDR changes will block existing customer IPs and permit new sources, causing client outages and exposure
Because the new ranges either exclude part of the previously allowed space or shift to different addresses and there are no other overlapping ingress rules in this group, clients sourcing from the old addresses will be blocked while new addresses become permitted. This will immediately break HTTPS access for any customers still using the prior IPs and simultaneously allow traffic from new sources not previously authorized, impacting workloads attached to eni-0d6892f82adf8a4d2.
Narrowing SG to 10.0.0.0/16 will block 10.50.0.0/16 health checks and monitoring to 10.0.101.239 on 9090/443/8080
Once ingress is narrowed to 10.0.0.0/16, traffic from 10.50.0.0/16 will be rejected on 9090/443/8080. The NLB’s health checks will fail and the target will be marked unhealthy, breaking monitoring reachability from the monitoring VPC and triggering unhealthy-target alarms. This degrades observability and removes the target from that load balancer’s backend set.
🟣 Expected Changes
~ ec2-security-group › sg-085ee012c9855643f
--- current
+++ proposed
@@ -15,5 +15,5 @@
ingress:
- cidr_blocks:
- - 100.64.5.8/29
+ - 100.64.5.0/29
description: Cyberdyne Systems
from_port: 443
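Review bot: 100.64.5.0/29 is not a subset of 100.64.5.8/29 but the adjacent block, so this hunk does not narrow the Cyberdyne Systems rule; it drops all eight addresses the customer uses today (.8 to .15) and admits eight that were never allowed (.0 to .7). The PR title promises a narrowing and the Summary and Context sections below are empty, so please state where the new range comes from (a customer notice, a ticket) or, if this is a typo for a sub-block of the existing /29, correct it. Also worth confirming with the customer: 100.64.0.0/10 is shared address space (RFC 6598), which is unusual as a customer source on a public HTTPS listener.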
@@ -22,5 +22,5 @@
to_port: 443
- cidr_blocks:
- - 192.0.2.56/32
+ - 192.0.2.55/32
description: Initech
from_port: 443
@@ -29,5 +29,5 @@
to_port: 443
- cidr_blocks:
- - 198.18.106.0/24
+ - 198.18.106.0/25
description: Umbrella Corp
from_port: 443
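Review bot: this is the only customer hunk that actually narrows: 198.18.106.0/25 sits inside 198.18.106.0/24, so nothing new is admitted and only 198.18.106.128 to .255 lose access. Please record in the Testing section that Umbrella Corp has confirmed its egress is confined to the lower /25, since the risk analysis above notes there is no other ingress rule in this group for clients sourcing from the dropped half to fall back on.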
@@ -36,5 +36,5 @@
to_port: 443
- cidr_blocks:
- - 198.51.105.8/29
+ - 198.51.105.0/29
description: Globex Industries
from_port: 443
@@ -43,5 +43,5 @@
to_port: 443
- cidr_blocks:
- - 203.0.113.16/32
+ - 203.0.113.15/32
description: Acme Corp
from_port: 443
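Review bot: 203.0.113.15/32 is a different host from 203.0.113.16/32, and the Initech (192.0.2.56/32 to .55/32) and Globex Industries (198.51.105.8/29 to .0/29) hunks follow the same pattern: in each case the existing source is removed entirely and a neighbouring address or block is admitted, so these three are replacements, not narrowings. Off-by-one edits in four of the five customer rules look like a transcription error; please check each value against the customer's allow-list record before merge, and split the customer changes from the internal-services narrowing if they are intended, since they carry a different risk and rollback path.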
~ ec2-security-group › sg-08c3767d4eeede7b5
--- current
+++ proposed
@@ -15,5 +15,5 @@
ingress:
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Health check endpoint
from_port: 8080
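Review bot: 10.0.0.0/16 no longer contains 10.50.0.0/16, which the risk analysis above identifies as the source of the NLB health checks reaching 10.0.101.239 on 8080. Either keep a separate rule for 10.50.0.0/16 on this port, or replace the CIDR with the load balancer's security group as the source (security_groups instead of cidr_blocks) so the rule follows the checker rather than a range that has to be kept in sync by hand.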
@@ -22,5 +22,5 @@
to_port: 8080
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Internal HTTPS - monitoring, service mesh, internal tools
from_port: 443
@@ -29,5 +29,5 @@
to_port: 443
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Prometheus metrics scraping
from_port: 9090
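Review bot: the same gap applies to 9090 here and to 443 in the hunk above: scraping and internal HTTPS from 10.50.0.0/16 are rejected once the source is 10.0.0.0/16. The Testing and Rollout / Risk sections are empty; please at minimum confirm that every monitoring and service-mesh source sits inside 10.0.0.0/16 or add the others explicitly, and name the unhealthy-target alarm the analysis predicts as the rollback signal for this change.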
💥 Blast Radius
⛔ Auto-Blocked
🔴 Decision
Found 1 high risk requiring review
📊 Signals Summary
Routine ⚪ +0
🔥 Risks Summary
High 1 · Medium 1 · Low 0
💥 Blast Radius
Items 110 · Edges 418
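As an added pre-merge check, not part of this PR, env0's plan or Overmind's output: the script below takes the CIDR pairs from the plan above and classifies each rule edit as narrowing, widening or shifting, counts the addresses each edit drops and admits, and flags any required source the new rule no longer covers. The required source here is 10.50.0.0/16, the health-check source named in the risk analysis; that it is the monitoring VPC is an assumption taken from that analysis, and the rule descriptions are used as keys only because the plan gives no other stable identifier.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed from the plan diff on this PR: (rule description, old CIDR, new CIDR).
CIDR_CHANGES = [
    ("Cyberdyne Systems", "100.64.5.8/29", "100.64.5.0/29"),
    ("Initech", "192.0.2.56/32", "192.0.2.55/32"),
    ("Umbrella Corp", "198.18.106.0/24", "198.18.106.0/25"),
    ("Globex Industries", "198.51.105.8/29", "198.51.105.0/29"),
    ("Acme Corp", "203.0.113.16/32", "203.0.113.15/32"),
    ("Health check endpoint", "10.0.0.0/8", "10.0.0.0/16"),
]

# Sources that must remain allowed per rule. 10.50.0.0/16 is the health-check
# source the risk analysis names; assumption: it is the monitoring VPC.
REQUIRED_SOURCES = {"Health check endpoint": ["10.50.0.0/16"]}


def classify(old_cidr: str, new_cidr: str) -> str:
    """Narrowed, widened, shifted or unchanged. Two CIDR blocks either nest
    or are disjoint, so these four cases are exhaustive."""
    old = ipaddress.ip_network(old_cidr, strict=False)
    new = ipaddress.ip_network(new_cidr, strict=False)
    if old == new:
        return "unchanged"
    if new.subnet_of(old):
        return "narrowed"
    if old.subnet_of(new):
        return "widened"
    return "shifted"


def addresses_lost_and_gained(old_cidr: str, new_cidr: str) -> tuple[int, int]:
    """(addresses that lose access, addresses newly admitted), computed from
    block sizes so a /8 does not have to be expanded into 16M entries."""
    old = ipaddress.ip_network(old_cidr, strict=False)
    new = ipaddress.ip_network(new_cidr, strict=False)
    if new.subnet_of(old):
        overlap = new.num_addresses
    elif old.subnet_of(new):
        overlap = old.num_addresses
    else:
        overlap = 0
    return old.num_addresses - overlap, new.num_addresses - overlap


def uncovered_sources(new_cidr: str, required: Iterable[str]) -> list[str]:
    """Required source ranges the new CIDR no longer fully contains."""
    new = ipaddress.ip_network(new_cidr, strict=False)
    return [r for r in required
            if not ipaddress.ip_network(r, strict=False).subnet_of(new)]


def review(changes, required_sources) -> list[dict]:
    findings = []
    for desc, old, new in changes:
        lost, gained = addresses_lost_and_gained(old, new)
        findings.append({
            "rule": desc, "old": old, "new": new,
            "kind": classify(old, new),
            "lost": lost, "gained": gained,
            "uncovered": uncovered_sources(new, required_sources.get(desc, [])),
        })
    return findings


def blocking_findings(findings: list[dict]) -> list[dict]:
    """For a PR that claims to narrow access, a rule edit is acceptable only if
    it admits no new address and drops no source that must stay reachable."""
    return [f for f in findings if f["gained"] > 0 or f["uncovered"]]


if __name__ == "__main__":
    results = review(CIDR_CHANGES, REQUIRED_SOURCES)
    for f in results:
        print(f"{f['rule']:22} {f['old']:>18} -> {f['new']:<18} {f['kind']:9} "
              f"lost={f['lost']} gained={f['gained']} uncovered={f['uncovered']}")
    blocked = blocking_findings(results)
    print(f"\n{len(blocked)} of {len(results)} rule edits need a human decision")
```

Run against this plan, only the Umbrella Corp edit passes as a pure narrowing; the four other customer edits admit addresses that were never allowed, and the health-check edit drops 10.50.0.0/16. The same functions can gate a pipeline: fail the job when `blocking_findings` is non-empty and require the author to add a required-source entry or an explicit exception.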


Summary
Context
Testing
Rollout / Risk