# Network security group for the demo application. Three inbound Allow rules
# are declared; anything they do not match falls through to Azure's default
# rules. Azure evaluates the lowest priority number first, and the rules are
# listed below in that order (100 -> 101 -> 102).
#
# Security notes for reviewers:
#   * Every rule uses source_address_prefix = "*", so ports 80, 443 AND 22 are
#     reachable from any address. SSH (22) open to the world is the one to fix
#     first: scope it to an admin CIDR / bastion address, or remove the rule
#     and reach the host through a bastion instead.
#   * The "${...}" wrapping is the pre-0.12 Terraform interpolation style; the
#     referenced variables and resource group are declared elsewhere.
resource "azurerm_network_security_group" "catapp-sg" {
  name                = "${var.prefix}-sg"
  location            = "${var.location}"
  resource_group_name = "${azurerm_resource_group.myresourcegroup.name}"

  # Priority 100: plain HTTP from anywhere.
  security_rule {
    name                       = "HTTP"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Priority 101: SSH from anywhere. See the note above -- restrict the
  # source_address_prefix before using this outside a throwaway lab.
  security_rule {
    name                       = "SSH"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Priority 102: HTTPS from anywhere.
  security_rule {
    name                       = "HTTPS"
    priority                   = 102
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
import "tfplan"
# Gather every azurerm_network_security_group from every module in the plan.
# Returns a list whose elements are the per-resource-name maps of instances
# (the rules below iterate those maps). A module that declares no NSG leaves
# the attribute undefined; `else {}` absorbs that so the loop keeps going.
get_sgs = func() {
  found = []
  for tfplan.module_paths as module_path {
    nsgs = tfplan.module(module_path).resources.azurerm_network_security_group else {}
    found += values(nsgs)
  }
  return found
}
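# Every NSG in the plan, collected once and reused by block_allow_all.
network_sgs = get_sgs()

# Source prefixes that mean "any address". A rule admitting traffic from one
# of these is treated as open to the world. The list deliberately includes
# the Azure-specific spellings, not just the CIDR ones, because a rule can
# use any of them and a check on "0.0.0.0/0" alone is trivially bypassed:
#   "0.0.0.0/0", "0.0.0.0" - IPv4 any-address spellings
#   "::/0"                 - IPv6 any-address
#   "*"                    - Azure NSG wildcard
#   "Internet"             - Azure service tag covering all public Internet space
disallowed_cidr_blocks = [
  "0.0.0.0/0",
  "0.0.0.0",
  "::/0",
  "*",
  "Internet",
]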
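# A security rule is "open to the world" when it targets the watched port
# (or all ports via "*") and admits traffic from a disallowed source prefix.
# Known gaps a reviewer should keep in mind:
#   * Port ranges such as "0-1024" are not parsed, so a range that covers 80
#     is not caught; only the literal "80" and the wildcard "*" are.
#   * Only the singular source_address_prefix is inspected. A rule written
#     with the list form, source_address_prefixes, is not evaluated here.
#   * Direction is not checked; an outbound rule with these values is treated
#     the same as an inbound one.
is_open_to_world = func(sr) {
  return sr.destination_port_range in ["80", "*"] and sr.source_address_prefix in disallowed_cidr_blocks
}

# Pass only if no NSG rule in the plan allows the watched port from a
# disallowed prefix. Deny rules are always acceptable.
# Note the operator is `in`: the earlier `not in` form passed rules sourced
# from "*" and failed rules sourced from a specific CIDR -- the opposite of
# what the policy name promises.
block_allow_all = rule {
  all network_sgs as _, instances {
    all instances as _, sg {
      all sg.applied.security_rule as _, sr {
        sr.access == "Deny" or not is_open_to_world(sr)
      }
    }
  }
}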
# Policy entry point. `else true` converts an undefined result into a pass:
# whenever block_allow_all cannot be evaluated (for instance when an
# attribute it reads is absent from a resource in the plan), the policy
# silently passes. That is fail-open behaviour; if this policy guards
# anything beyond a demo, decide deliberately whether undefined should
# instead fail.
main = rule {
  block_allow_all else true
}