Skip to content

security: narrow internal ingress CIDR (JIRA-4521) #413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dylanratcliffe wants to merge 1 commit into
base: main
Choose a base branch
from
Open

security: narrow internal ingress CIDR (JIRA-4521) #413

dylanratcliffe wants to merge 1 commit into from
+2 −2

Conversation

@dylanratcliffe
Copy link
Member

@dylanratcliffe dylanratcliffe commented Dec 12, 2025

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@env0
Copy link

env0 bot commented Dec 12, 2025
edited
Loading

🚀  env0 had composed a PR Plan for environment Terraform Example / production :

Plan: 0 to add, 3 to change, 0 to destroy.
Plan Details 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!   update in-place

Terraform will perform the following actions:


  # module.api_access[0].aws_security_group.customer_access will be updated in-place
!   resource "aws_security_group" "customer_access" {
        id                     = "sg-085ee012c9855643f"
!       ingress                = [
-           {
-               cidr_blocks      = [
-                   "192.0.2.56/32",
                ]
-               description      = "Initech"
-               from_port        = 443
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "tcp"
-               security_groups  = []
-               self             = false
-               to_port          = 443
            },
+           {
+               cidr_blocks      = [
+                   "192.0.2.56/31",
                ]
+               description      = "Initech"
+               from_port        = 443
+               ipv6_cidr_blocks = []
+               prefix_list_ids  = []
+               protocol         = "tcp"
+               security_groups  = []
+               self             = false
+               to_port          = 443
            },
            # (4 unchanged elements hidden)
        ]
        name                   = "customer-api-access"
        tags                   = {
            "Environment"     = "production"
            "Name"            = "customer-api-access"
            "Purpose"         = "customer-whitelist"
            "Team"            = "platform"
            "UpdateFrequency" = "high"
        }
        # (7 unchanged attributes hidden)
    }

  # module.api_access[0].aws_security_group.internal_services will be updated in-place
!   resource "aws_security_group" "internal_services" {
        id                     = "sg-08c3767d4eeede7b5"
!       ingress                = [
-           {
-               cidr_blocks      = [
-                   "10.0.0.0/8",
                ]
-               description      = "Health check endpoint"
-               from_port        = 8080
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "tcp"
-               security_groups  = []
-               self             = false
-               to_port          = 8080
            },
-           {
-               cidr_blocks      = [
-                   "10.0.0.0/8",
                ]
-               description      = "Internal HTTPS - monitoring, service mesh, internal tools"
-               from_port        = 443
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "tcp"
-               security_groups  = []
-               self             = false
-               to_port          = 443
            },
-           {
-               cidr_blocks      = [
-                   "10.0.0.0/8",
                ]
-               description      = "Prometheus metrics scraping"
-               from_port        = 9090
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "tcp"
-               security_groups  = []
-               self             = false
-               to_port          = 9090
            },
+           {
+               cidr_blocks      = [
+                   "10.0.0.0/16",
                ]
+               description      = "Health check endpoint"
+               from_port        = 8080
+               ipv6_cidr_blocks = []
+               prefix_list_ids  = []
+               protocol         = "tcp"
+               security_groups  = []
+               self             = false
+               to_port          = 8080
            },
+           {
+               cidr_blocks      = [
+                   "10.0.0.0/16",
                ]
+               description      = "Internal HTTPS - monitoring, service mesh, internal tools"
+               from_port        = 443
+               ipv6_cidr_blocks = []
+               prefix_list_ids  = []
+               protocol         = "tcp"
+               security_groups  = []
+               self             = false
+               to_port          = 443
            },
+           {
+               cidr_blocks      = [
+                   "10.0.0.0/16",
                ]
+               description      = "Prometheus metrics scraping"
+               from_port        = 9090
+               ipv6_cidr_blocks = []
+               prefix_list_ids  = []
+               protocol         = "tcp"
+               security_groups  = []
+               self             = false
+               to_port          = 9090
            },
        ]
        name                   = "internal-services"
        tags                   = {
            "Critical"        = "true"
            "Environment"     = "production"
            "Name"            = "internal-services"
            "Purpose"         = "internal-mesh"
            "Team"            = "platform"
            "UpdateFrequency" = "low"
        }
        # (7 unchanged attributes hidden)
    }

  # module.heritage[0].aws_rds_cluster.face_database will be updated in-place
!   resource "aws_rds_cluster" "face_database" {
        id                                    = "facial-recognition-terraform-example"
        tags                                  = {}
        # (46 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

Failed to calculate cost estimation

Full PR Plan logs on env0

@github-actions
Copy link

github-actions bot commented Dec 12, 2025

Overmind

Open in Overmind ↗

model|risks_v6

🟢 Change Signals

Routine 🟢 Ingress resources maintaining typical patterns with 8 and 2 events/day for the last day.

View signals ↗

🔥 Risks

Expanding 443 whitelist from /32 to /31 permits an additional external IP to reach the endpoint ❗Medium Open Risk ↗
The customer-api-access security group (sg-085ee012c9855643f) is updating its HTTPS ingress from 192.0.2.56/32 to 192.0.2.56/31. This expands the whitelist to include 192.0.2.57 in addition to 192.0.2.56.

Because this group is attached to a publicly reachable interface (eni-0d6892f82adf8a4d2 on 18.132.149.19), the change will allow an extra external host to connect to port 443 where previously only a single source IP was permitted. This weakens strict IP allowlisting and can grant unintended access if 192.0.2.57 has not been explicitly vetted, increasing the external attack surface for services behind this group.

Cross‑VPC monitoring and health checks from 10.50.0.0/16 will be blocked by narrowing SG ingress to 10.0.0.0/16 ❗Medium Open Risk ↗
Security group 540044833068.eu-west-2.ec2-security-group.sg-08c3767d4eeede7b5 is narrowing ingress on ports 8080, 443, and 9090 from 10.0.0.0/8 to 10.0.0.0/16. This SG is attached to the target at 10.0.101.239, which is being health-checked on 9090 by the internal NLB mon-internal-terraform-example in a peered VPC with CIDR 10.50.0.0/16.

NLB nodes in the 10.50.0.0/16 VPC (10.50.101.220 and 10.50.102.245) will no longer match the tightened 10.0.0.0/16 rule, so their health checks and monitoring traffic to 10.0.101.239:9090 will be blocked. The target is currently healthy via api-health-terraform-example, so the change will flip it unhealthy and cut off cross‑VPC observability and health visibility for this service.

🟣 Expected Changes

~ ec2-security-group › sg-085ee012c9855643f 
--- current
+++ proposed
@@ -22,5 +22,5 @@
       to_port: 443
     - cidr_blocks:
-        - 192.0.2.56/32
+        - 192.0.2.56/31
       description: Initech
       from_port: 443
~ ec2-security-group › sg-08c3767d4eeede7b5 
--- current
+++ proposed
@@ -15,5 +15,5 @@
   ingress:
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Health check endpoint
       from_port: 8080
@@ -22,5 +22,5 @@
       to_port: 8080
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Internal HTTPS - monitoring, service mesh, internal tools
       from_port: 443
@@ -29,5 +29,5 @@
       to_port: 443
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Prometheus metrics scraping
       from_port: 9090

💥 Blast Radius

Items 91

Edges 308

github-actions[bot]
github-actions bot approved these changes Dec 12, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overmind

✅ Auto-Approved

🟢 Decision

Auto-approved: All safety checks passed

📊 Signals Summary

Routine 🟢 +1

🔥 Risks Summary

High 0 · Medium 2 · Low 0

💥 Blast Radius

Items 91 · Edges 308

View full analysis in Overmind ↗

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dylanratcliffe