OCTOPUS-558: restrict tcp/80 and tcp/443 to Load Balancers

Signed-off-by: Paul Bastide <[email protected]>
IBM · Dec 15, 2023 · ed536e0 · ed536e0
1 parent 547edd2
commit ed536e0
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/modules/1_vpc_prepare/security_groups.tf b/modules/1_vpc_prepare/security_groups.tf
@@ -65,24 +65,30 @@ resource "ibm_is_security_group_rule" "worker_all_powervs_cidr" {
   }
 }
 
-# TCP Inbound 80
+locals {
+  lbs_sg = [for x in data.ibm_is_security_groups.sgs.security_groups : x if endswith(x.name, "-ocp-sec-group")]
+}
+
+# TCP Inbound 80 - Security group *ocp-sec-group
+# Dev Note: Only opens to the Load Balancers SG
+# If it exists, it implies that the SG needs to be updated.
 resource "ibm_is_security_group_rule" "lbs_to_workers_http" {
-  count     = !var.skip_create_security_group ? 1 : 0
+  count     = length(lbs_sg) > 0 ? 1 : 0
   group     = ibm_is_security_group.worker_vm_sg[0].id
   direction = "inbound"
-  remote    = "0.0.0.0/0"
+  remote    = local.lbs_sg[0].id
   tcp {
     port_min = 80
     port_max = 80
   }
 }
 
-# TCP Inbound 443
+# TCP Inbound 443 - Security group *ocp-sec-group
 resource "ibm_is_security_group_rule" "lbs_to_workers_https" {
-  count     = !var.skip_create_security_group ? 1 : 0
+  count     = length(lbs_sg) > 0 ? 1 : 0
   group     = ibm_is_security_group.worker_vm_sg[0].id
   direction = "inbound"
-  remote    = "0.0.0.0/0"
+  remote    = local.lbs_sg[0].id
   tcp {
     port_min = 443
     port_max = 443