From 772d2452927291d729f563b13102a3f787812f32 Mon Sep 17 00:00:00 2001
From: James Herr
Date: Fri, 2 Aug 2024 10:19:00 -0500
Subject: [PATCH 1/7] Changed resources to data sources

---
 operations/template/net.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/operations/template/net.tf b/operations/template/net.tf
index 4fad72189..e5289aac1 100644
--- a/operations/template/net.tf
+++ b/operations/template/net.tf
@@ -151,7 +151,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "db_network_link" {
   }
 }
 
-resource "azurerm_network_security_group" "db_security_group" {
+data "azurerm_network_security_group" "db_security_group" {
   name = "database-security-group"
   location = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name
@@ -174,7 +174,7 @@ resource "azurerm_network_security_group" "db_security_group" {
   }
 }
 
-resource "azurerm_route_table" "database" {
+data "azurerm_route_table" "database" {
   name = "database-route-table"
   location = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name
@@ -301,7 +301,7 @@ resource "azurerm_subnet_network_security_group_association" "database_security_
   network_security_group_id = azurerm_network_security_group.db_security_group.id
 }
 
-resource "azurerm_network_security_group" "app_security_group" {
+data "azurerm_network_security_group" "app_security_group" {
   name = "app-security-group"
   location = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name

From cd8bec1561e30729f9d45e0cce047883d565f3d3 Mon Sep 17 00:00:00 2001
From: James Herr
Date: Fri, 2 Aug 2024 11:58:56 -0500
Subject: [PATCH 2/7] Remove lifecycle section from data blocks

---
 operations/template/net.tf | 52 --------------------------------------
 1 file changed, 52 deletions(-)

diff --git a/operations/template/net.tf b/operations/template/net.tf
index e5289aac1..274f04a9a 100644
--- a/operations/template/net.tf +++ b/operations/template/net.tf @@ -155,47 +155,12 @@ data "azurerm_network_security_group" "db_security_group" { name = "database-security-group" location = data.azurerm_resource_group.group.location resource_group_name = data.azurerm_resource_group.group.name - # below tags are managed by CDC - lifecycle { - ignore_changes = [ - tags["business_steward"], - tags["center"], - tags["environment"], - tags["escid"], - tags["funding_source"], - tags["pii_data"], - tags["security_compliance"], - tags["security_steward"], - tags["support_group"], - tags["system"], - tags["technical_steward"], - tags["zone"] - ] - } } data "azurerm_route_table" "database" { name = "database-route-table" location = data.azurerm_resource_group.group.location resource_group_name = data.azurerm_resource_group.group.name - - # below tags are managed by CDC - lifecycle { - ignore_changes = [ - tags["business_steward"], - tags["center"], - tags["environment"], - tags["escid"], - tags["funding_source"], - tags["pii_data"], - tags["security_compliance"], - tags["security_steward"], - tags["support_group"], - tags["system"], - tags["technical_steward"], - tags["zone"] - ] - } } resource "azurerm_route" "entra_internet" { @@ -305,23 +270,6 @@ data "azurerm_network_security_group" "app_security_group" { name = "app-security-group" location = data.azurerm_resource_group.group.location resource_group_name = data.azurerm_resource_group.group.name - # below tags are managed by CDC - lifecycle { - ignore_changes = [ - tags["business_steward"], - tags["center"], - tags["environment"], - tags["escid"], - tags["funding_source"], - tags["pii_data"], - tags["security_compliance"], - tags["security_steward"], - tags["support_group"], - tags["system"], - tags["technical_steward"], - tags["zone"] - ] - } } resource "azurerm_network_security_rule" "App_Splunk_UF_omhsinf" { From ea3bb7b53382bfb7bf3b881fc61f36a3e8772d62 Mon Sep 17 00:00:00 2001 
From: jcrichlake Date: Fri, 2 Aug 2024 14:10:23 -0400 Subject: [PATCH 3/7] Fixing data tag change --- operations/template/net.tf | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/operations/template/net.tf b/operations/template/net.tf index 274f04a9a..d4ef20d84 100644 --- a/operations/template/net.tf +++ b/operations/template/net.tf @@ -166,14 +166,14 @@ data "azurerm_route_table" "database" { resource "azurerm_route" "entra_internet" { name = "entra_internet" resource_group_name = data.azurerm_resource_group.group.name - route_table_name = azurerm_route_table.database.name + route_table_name = data.azurerm_route_table.database.name address_prefix = "AzureActiveDirectory" next_hop_type = "Internet" } resource "azurerm_subnet_route_table_association" "database_database" { subnet_id = azurerm_subnet.database.id - route_table_id = azurerm_route_table.database.id + route_table_id = data.azurerm_route_table.database.id } resource "azurerm_network_security_rule" "DB_Splunk_UF_omhsinf" { @@ -187,7 +187,7 @@ resource "azurerm_network_security_rule" "DB_Splunk_UF_omhsinf" { source_address_prefixes = ["10.65.8.211/32", "10.65.8.212/32", "10.65.7.212/32", "10.65.7.211/32", "10.65.8.210/32", "10.65.7.210/32"] destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.db_security_group.name + network_security_group_name = data.azurerm_network_security_group.db_security_group.name } resource "azurerm_network_security_rule" "DB_Splunk_Indexer_Discovery_omhsinf" { 
@@ -201,7 +201,7 @@ resource "azurerm_network_security_rule" "DB_Splunk_Indexer_Discovery_omhsinf" { source_address_prefix = "10.11.7.22/32" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.db_security_group.name + network_security_group_name = data.azurerm_network_security_group.db_security_group.name } @@ -216,7 +216,7 @@ resource "azurerm_network_security_rule" "DB_Safe_Encase_Monitoring_omhsinf" { source_address_prefix = "10.11.6.145/32" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.db_security_group.name + network_security_group_name = data.azurerm_network_security_group.db_security_group.name } resource "azurerm_network_security_rule" "DB_ForeScout_Manager_omhsinf" { @@ -230,7 +230,7 @@ resource "azurerm_network_security_rule" "DB_ForeScout_Manager_omhsinf" { source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"] destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.db_security_group.name + network_security_group_name = data.azurerm_network_security_group.db_security_group.name } resource "azurerm_network_security_rule" "DB_BigFix_omhsinf" { @@ -244,7 +244,7 @@ resource "azurerm_network_security_rule" "DB_BigFix_omhsinf" { source_address_prefix = "10.11.4.84/32" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.db_security_group.name + network_security_group_name = data.azurerm_network_security_group.db_security_group.name } resource "azurerm_network_security_rule" "DB_Allow_All_Out_omhsinf" { 
@@ -258,12 +258,12 @@ resource "azurerm_network_security_rule" "DB_Allow_All_Out_omhsinf" { source_address_prefix = "*" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.db_security_group.name + network_security_group_name = data.azurerm_network_security_group.db_security_group.name } resource "azurerm_subnet_network_security_group_association" "database_security_group" { subnet_id = azurerm_subnet.database.id - network_security_group_id = azurerm_network_security_group.db_security_group.id + network_security_group_id = data.azurerm_network_security_group.db_security_group.id } data "azurerm_network_security_group" "app_security_group" { @@ -283,7 +283,7 @@ resource "azurerm_network_security_rule" "App_Splunk_UF_omhsinf" { source_address_prefixes = ["10.65.8.211/32", "10.65.8.212/32", "10.65.7.212/32", "10.65.7.211/32", "10.65.8.210/32", "10.65.7.210/32"] destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.app_security_group.name + network_security_group_name = data.azurerm_network_security_group.app_security_group.name } resource "azurerm_network_security_rule" "App_Splunk_Indexer_Discovery_omhsinf" { @@ -297,7 +297,7 @@ resource "azurerm_network_security_rule" "App_Splunk_Indexer_Discovery_omhsinf" source_address_prefix = "10.11.7.22/32" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.app_security_group.name + network_security_group_name = data.azurerm_network_security_group.app_security_group.name } 
@@ -312,7 +312,7 @@ resource "azurerm_network_security_rule" "App_Safe_Encase_Monitoring_omhsinf" { source_address_prefix = "10.11.6.145/32" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.app_security_group.name + network_security_group_name = data.azurerm_network_security_group.app_security_group.name } resource "azurerm_network_security_rule" "App_ForeScout_Manager_omhsinf" { @@ -326,7 +326,7 @@ resource "azurerm_network_security_rule" "App_ForeScout_Manager_omhsinf" { source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"] destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.app_security_group.name + network_security_group_name = data.azurerm_network_security_group.app_security_group.name } resource "azurerm_network_security_rule" "App_BigFix_omhsinf" { @@ -340,7 +340,7 @@ resource "azurerm_network_security_rule" "App_BigFix_omhsinf" { source_address_prefix = "10.11.4.84/32" destination_address_prefix = "*" resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = azurerm_network_security_group.app_security_group.name + network_security_group_name = data.azurerm_network_security_group.app_security_group.name } resource "azurerm_network_security_rule" "App_Allow_All_Out_omhsinf" { 
@@ -354,10 +354,10 @@ resource "azurerm_network_security_rule" "App_Allow_All_Out_omhsinf" {
   source_address_prefix = "*"
   destination_address_prefix = "*"
   resource_group_name = data.azurerm_resource_group.group.name
-  network_security_group_name = azurerm_network_security_group.app_security_group.name
+  network_security_group_name = data.azurerm_network_security_group.app_security_group.name
 }
 
 resource "azurerm_subnet_network_security_group_association" "app_security_group" {
   subnet_id = azurerm_subnet.app.id
-  network_security_group_id = azurerm_network_security_group.app_security_group.id
+  network_security_group_id = data.azurerm_network_security_group.app_security_group.id
 }

From a54d30f1b7f71ad7977b936fb73ff7b667d24f0d Mon Sep 17 00:00:00 2001
From: jcrichlake
Date: Fri, 2 Aug 2024 15:58:07 -0400
Subject: [PATCH 4/7] Fixing locations

---
 operations/template/net.tf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/operations/template/net.tf b/operations/template/net.tf
index d4ef20d84..4e085e51e 100644
--- a/operations/template/net.tf
+++ b/operations/template/net.tf
@@ -153,13 +153,11 @@ resource "azurerm_private_dns_zone_virtual_network_link" "db_network_link" {
 
 data "azurerm_network_security_group" "db_security_group" {
   name = "database-security-group"
-  location = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name
 }
 
 data "azurerm_route_table" "database" {
   name = "database-route-table"
-  location = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name
 }
 
@@ -268,7 +266,6 @@ resource "azurerm_subnet_network_security_group_association" "database_security_
 
 data "azurerm_network_security_group" "app_security_group" {
   name = "app-security-group"
-  location = data.azurerm_resource_group.group.location
   resource_group_name = data.azurerm_resource_group.group.name
 }
 

From ba5b87b2a8427ab9b02da426d1b2b6fa508a64c8 Mon Sep 17 00:00:00 2001
From: James Herr
Date: Fri, 2 Aug 2024 16:09:44 -0500
Subject: [PATCH 5/7] Removed security rules for privilege changes

---
 operations/template/net.tf | 170 -------------------------------------
 1 file changed, 170 deletions(-)

diff --git a/operations/template/net.tf b/operations/template/net.tf
index 4e085e51e..ab9125c07 100644
--- a/operations/template/net.tf
+++ b/operations/template/net.tf
@@ -174,91 +174,6 @@ resource "azurerm_subnet_route_table_association" "database_database" { route_table_id = data.azurerm_route_table.database.id } -resource "azurerm_network_security_rule" "DB_Splunk_UF_omhsinf" { - name = "Splunk_UF_omhsinf" - priority = 103 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "9997-9998" - source_address_prefixes = ["10.65.8.211/32", "10.65.8.212/32", "10.65.7.212/32", "10.65.7.211/32", "10.65.8.210/32", "10.65.7.210/32"] - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.db_security_group.name -} - -resource "azurerm_network_security_rule" "DB_Splunk_Indexer_Discovery_omhsinf" { - name = "Splunk_Indexer_Discovery_omhsinf" - priority = 104 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "8089" - source_address_prefix = "10.11.7.22/32" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.db_security_group.name -} - - -resource "azurerm_network_security_rule" "DB_Safe_Encase_Monitoring_omhsinf" { - name = "Safe_Encase_Monitoring_omhsinf" - priority = 105 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "34445" - source_address_prefix = "10.11.6.145/32" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.db_security_group.name -} - -resource "azurerm_network_security_rule" "DB_ForeScout_Manager_omhsinf" { - name = "ForeScout_Manager_omhsinf" - priority = 106 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_ranges = ["556", "443", "10003-10006"] - 
source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"] - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.db_security_group.name -} - -resource "azurerm_network_security_rule" "DB_BigFix_omhsinf" { - name = "BigFix_omhsinf" - priority = 107 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "52314" - source_address_prefix = "10.11.4.84/32" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.db_security_group.name -} - -resource "azurerm_network_security_rule" "DB_Allow_All_Out_omhsinf" { - name = "Allow_All_Out_omhsinf" - priority = 109 - direction = "Outbound" - access = "Allow" - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.db_security_group.name -} - resource "azurerm_subnet_network_security_group_association" "database_security_group" { subnet_id = azurerm_subnet.database.id network_security_group_id = data.azurerm_network_security_group.db_security_group.id 
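Review bot: With the rule resources deleted here (and in the app_security_group hunk that follows), the template still binds `azurerm_subnet.database` to an NSG it only looks up by name, so the subnet's inbound and outbound policy is now whatever exists on the pre-provisioned `database-security-group` and no longer appears in this repository's plan or drift detection. Nothing in the retained association records that hand-off, so a reader seeing only `azurerm_subnet_network_security_group_association` will assume Terraform owns the rule set; the commit title suggests the change was forced by the deployer's permissions, which is worth stating. A comment on the association would make the contract explicit: `# NSG and its rules are pre-provisioned outside this template (see the data block); only the subnet binding is managed here.` If the external rules are expected to match the ones removed in this commit, name their source of truth in that comment so reviewers of future NSG changes know where to look. The association block continues outside the hunk.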
@@ -269,91 +184,6 @@ data "azurerm_network_security_group" "app_security_group" { resource_group_name = data.azurerm_resource_group.group.name } -resource "azurerm_network_security_rule" "App_Splunk_UF_omhsinf" { - name = "Splunk_UF_omhsinf" - priority = 103 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "9997-9998" - source_address_prefixes = ["10.65.8.211/32", "10.65.8.212/32", "10.65.7.212/32", "10.65.7.211/32", "10.65.8.210/32", "10.65.7.210/32"] - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.app_security_group.name -} - -resource "azurerm_network_security_rule" "App_Splunk_Indexer_Discovery_omhsinf" { - name = "Splunk_Indexer_Discovery_omhsinf" - priority = 104 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "8089" - source_address_prefix = "10.11.7.22/32" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.app_security_group.name -} - - -resource "azurerm_network_security_rule" "App_Safe_Encase_Monitoring_omhsinf" { - name = "Safe_Encase_Monitoring_omhsinf" - priority = 105 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "34445" - source_address_prefix = "10.11.6.145/32" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.app_security_group.name -} - -resource "azurerm_network_security_rule" "App_ForeScout_Manager_omhsinf" { - name = "ForeScout_Manager_omhsinf" - priority = 106 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_ranges = ["556", "443", "10003-10006"] 
- source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"] - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.app_security_group.name -} - -resource "azurerm_network_security_rule" "App_BigFix_omhsinf" { - name = "BigFix_omhsinf" - priority = 107 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "52314" - source_address_prefix = "10.11.4.84/32" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.app_security_group.name -} - -resource "azurerm_network_security_rule" "App_Allow_All_Out_omhsinf" { - name = "Allow_All_Out_omhsinf" - priority = 109 - direction = "Outbound" - access = "Allow" - protocol = "*" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.group.name - network_security_group_name = data.azurerm_network_security_group.app_security_group.name -} - resource "azurerm_subnet_network_security_group_association" "app_security_group" { subnet_id = azurerm_subnet.app.id network_security_group_id = data.azurerm_network_security_group.app_security_group.id From c18a8ff4d1415b85167f068ad7c48921113cc188 Mon Sep 17 00:00:00 2001 From: jcrichlake Date: Mon, 5 Aug 2024 10:28:34 -0400 Subject: [PATCH 6/7] Removing route --- operations/template/net.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/operations/template/net.tf b/operations/template/net.tf index ab9125c07..554d0aa6c 100644 --- a/operations/template/net.tf +++ b/operations/template/net.tf 
@@ -161,13 +161,6 @@ data "azurerm_route_table" "database" { resource_group_name = data.azurerm_resource_group.group.name } -resource "azurerm_route" "entra_internet" { - name = "entra_internet" - resource_group_name = data.azurerm_resource_group.group.name - route_table_name = data.azurerm_route_table.database.name - address_prefix = "AzureActiveDirectory" - next_hop_type = "Internet" -} resource "azurerm_subnet_route_table_association" "database_database" { subnet_id = azurerm_subnet.database.id From b49efd0c7de5c464af5537dc60447f6d24724c12 Mon Sep 17 00:00:00 2001 From: jcrichlake Date: Mon, 5 Aug 2024 11:05:37 -0400 Subject: [PATCH 7/7] Fixing PR environment Co-authored-by: halprin --- operations/environments/pr/main.tf | 27 ++- operations/environments/pr/net.tf | 257 +++++++++++++++++++++++++++++ 2 files changed, 277 insertions(+), 7 deletions(-) create mode 100644 operations/environments/pr/net.tf diff --git a/operations/environments/pr/main.tf b/operations/environments/pr/main.tf index eec32488b..6539b6981 100644 --- a/operations/environments/pr/main.tf +++ b/operations/environments/pr/main.tf @@ -28,13 +28,7 @@ resource "azurerm_resource_group" "group" { //create the PR resource group becau location = "East US" } -resource "azurerm_virtual_network" "vnet" { //create the PR Vnet because it has a dynamic name that cannot be always pre-created - name = "csels-rsti-pr${var.pr_number}-moderate-app-vnet" - location = azurerm_resource_group.group.location - resource_group_name = azurerm_resource_group.group.name - address_space = ["10.0.0.0/25"] -} module "template" { source = "../../template/" 
@@ -43,5 +37,24 @@ module "template" {
   deployer_id = "d59c2c86-de5e-41b7-a752-0869a73f5a60" //github app registration in Flexion Azure Entra
   alert_slack_email = var.alert_slack_email
 
-  depends_on = [azurerm_resource_group.group, azurerm_virtual_network.vnet]
+  depends_on = [
+    azurerm_resource_group.group,
+    azurerm_virtual_network.vnet,
+    azurerm_route_table.database,
+    azurerm_route.entra_internet,
+    azurerm_network_security_group.db_security_group,
+    azurerm_network_security_rule.DB_Splunk_UF_omhsinf,
+    azurerm_network_security_rule.DB_Splunk_Indexer_Discovery_omhsinf,
+    azurerm_network_security_rule.DB_Safe_Encase_Monitoring_omhsinf,
+    azurerm_network_security_rule.DB_ForeScout_Manager_omhsinf,
+    azurerm_network_security_rule.DB_BigFix_omhsinf,
+    azurerm_network_security_rule.DB_Allow_All_Out_omhsinf,
+    azurerm_network_security_group.app_security_group,
+    azurerm_network_security_rule.App_Splunk_UF_omhsinf,
+    azurerm_network_security_rule.App_Splunk_Indexer_Discovery_omhsinf,
+    azurerm_network_security_rule.App_Safe_Encase_Monitoring_omhsinf,
+    azurerm_network_security_rule.App_ForeScout_Manager_omhsinf,
+    azurerm_network_security_rule.App_BigFix_omhsinf,
+    azurerm_network_security_rule.App_Allow_All_Out_omhsinf,
+  ]
 }
diff --git a/operations/environments/pr/net.tf b/operations/environments/pr/net.tf
new file mode 100644
index 000000000..540980845
--- /dev/null
+++ b/operations/environments/pr/net.tf
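Review bot: A `depends_on` on the whole module defers every `data` lookup inside the template (the NSGs and route table the earlier commits converted) to apply time, so PR plans will show attributes derived from them as known-after-apply and a misnamed or missing NSG only fails during apply rather than plan. That is probably the unavoidable price of creating the objects here while the template finds them by name, but the reason for the long list is not visible from main.tf and should be written next to it: `# The template reads these by name via data sources; listing them forces creation first, at the cost of deferring those reads to apply time.` Because each rule is enumerated individually, a rule added to net.tf without an entry here silently loses the ordering guarantee, which a second comment line (`# Keep in sync with operations/environments/pr/net.tf`) would help catch in review.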
@@ -0,0 +1,257 @@ +resource "azurerm_virtual_network" "vnet" { //create the PR Vnet because it has a dynamic name that cannot be always pre-created + name = "csels-rsti-pr${var.pr_number}-moderate-app-vnet" + location = azurerm_resource_group.group.location + resource_group_name = azurerm_resource_group.group.name + + address_space = ["10.0.0.0/25"] +} + +resource "azurerm_route_table" "database" { + name = "database-route-table" + location = azurerm_resource_group.group.location + resource_group_name = azurerm_resource_group.group.name + + # below tags are managed by CDC + lifecycle { + ignore_changes = [ + tags["business_steward"], + tags["center"], + tags["environment"], + tags["escid"], + tags["funding_source"], + tags["pii_data"], + tags["security_compliance"], + tags["security_steward"], + tags["support_group"], + tags["system"], + tags["technical_steward"], + tags["zone"] + ] + } +} + +resource "azurerm_route" "entra_internet" { + name = "entra_internet" + resource_group_name = azurerm_resource_group.group.name + route_table_name = azurerm_route_table.database.name + address_prefix = "AzureActiveDirectory" + next_hop_type = "Internet" +} + +resource "azurerm_network_security_group" "db_security_group" { + name = "database-security-group" + location = azurerm_resource_group.group.location + resource_group_name = azurerm_resource_group.group.name + # below tags are managed by CDC + lifecycle { + ignore_changes = [ + tags["business_steward"], + tags["center"], + tags["environment"], + tags["escid"], + tags["funding_source"], + tags["pii_data"], + tags["security_compliance"], + tags["security_steward"], + tags["support_group"], + tags["system"], + tags["technical_steward"], + tags["zone"] + ] + } +} + +resource "azurerm_network_security_rule" "DB_Splunk_UF_omhsinf" { + name = "Splunk_UF_omhsinf" + priority = 103 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9997-9998" + source_address_prefixes 
= ["10.65.8.211/32", "10.65.8.212/32", "10.65.7.212/32", "10.65.7.211/32", "10.65.8.210/32", "10.65.7.210/32"] + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.db_security_group.name +} + +resource "azurerm_network_security_rule" "DB_Splunk_Indexer_Discovery_omhsinf" { + name = "Splunk_Indexer_Discovery_omhsinf" + priority = 104 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "8089" + source_address_prefix = "10.11.7.22/32" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.db_security_group.name +} + + +resource "azurerm_network_security_rule" "DB_Safe_Encase_Monitoring_omhsinf" { + name = "Safe_Encase_Monitoring_omhsinf" + priority = 105 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "34445" + source_address_prefix = "10.11.6.145/32" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.db_security_group.name +} + +resource "azurerm_network_security_rule" "DB_ForeScout_Manager_omhsinf" { + name = "ForeScout_Manager_omhsinf" + priority = 106 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_ranges = ["556", "443", "10003-10006"] + source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"] + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.db_security_group.name +} + +resource "azurerm_network_security_rule" "DB_BigFix_omhsinf" { + name = "BigFix_omhsinf" + priority = 107 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + 
destination_port_range = "52314" + source_address_prefix = "10.11.4.84/32" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.db_security_group.name +} + +resource "azurerm_network_security_rule" "DB_Allow_All_Out_omhsinf" { + name = "Allow_All_Out_omhsinf" + priority = 109 + direction = "Outbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.db_security_group.name +} + +resource "azurerm_network_security_group" "app_security_group" { + name = "app-security-group" + location = azurerm_resource_group.group.location + resource_group_name = azurerm_resource_group.group.name + # below tags are managed by CDC + lifecycle { + ignore_changes = [ + tags["business_steward"], + tags["center"], + tags["environment"], + tags["escid"], + tags["funding_source"], + tags["pii_data"], + tags["security_compliance"], + tags["security_steward"], + tags["support_group"], + tags["system"], + tags["technical_steward"], + tags["zone"] + ] + } +} + + + +resource "azurerm_network_security_rule" "App_Splunk_UF_omhsinf" { + name = "Splunk_UF_omhsinf" + priority = 103 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9997-9998" + source_address_prefixes = ["10.65.8.211/32", "10.65.8.212/32", "10.65.7.212/32", "10.65.7.211/32", "10.65.8.210/32", "10.65.7.210/32"] + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.app_security_group.name +} + +resource "azurerm_network_security_rule" "App_Splunk_Indexer_Discovery_omhsinf" { + name = "Splunk_Indexer_Discovery_omhsinf" + priority = 104 + direction 
= "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "8089" + source_address_prefix = "10.11.7.22/32" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.app_security_group.name +} + + +resource "azurerm_network_security_rule" "App_Safe_Encase_Monitoring_omhsinf" { + name = "Safe_Encase_Monitoring_omhsinf" + priority = 105 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "34445" + source_address_prefix = "10.11.6.145/32" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.app_security_group.name +} + +resource "azurerm_network_security_rule" "App_ForeScout_Manager_omhsinf" { + name = "ForeScout_Manager_omhsinf" + priority = 106 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_ranges = ["556", "443", "10003-10006"] + source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"] + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.app_security_group.name +} + +resource "azurerm_network_security_rule" "App_BigFix_omhsinf" { + name = "BigFix_omhsinf" + priority = 107 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "52314" + source_address_prefix = "10.11.4.84/32" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.app_security_group.name +} + +resource "azurerm_network_security_rule" "App_Allow_All_Out_omhsinf" { + name = "Allow_All_Out_omhsinf" + priority = 109 + direction = "Outbound" + access = "Allow" + protocol = "*" + 
source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.group.name + network_security_group_name = azurerm_network_security_group.app_security_group.name +}
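Review bot: The two `*_Allow_All_Out_omhsinf` rules at priority 109 grant unrestricted egress (`protocol = "*"`, `destination_address_prefix = "*"`) from both the database and app subnets, and the file adds no compensating inbound deny or egress restriction, so a compromised workload in a PR environment can reach any destination on any port. If that is accepted for ephemeral PR sandboxes it should be stated beside each of those rules, e.g. `# Unrestricted egress is intentional for short-lived PR environments — confirm this matches the shared environments' policy`, so the rule is not mistaken for an oversight. In both `*_ForeScout_Manager_omhsinf` rules `source_address_prefixes = ["10.64.8.184", "10.64.8.180/32"]` mixes a bare host with a /32; the two forms appear equivalent for single hosts, but the inconsistency makes a dropped or mistyped prefix easy to miss, so write `"10.64.8.184/32"`. This file also reproduces the rule set that patch 5 deleted from the template verbatim, leaving the PR environment and the pre-provisioned shared NSGs as two independent definitions that can drift; a small module consumed here and wherever the shared NSGs are defined would keep them aligned.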