diff --git a/infra/security_group.tf b/infra/security_group.tf new file mode 100644 index 0000000..8b967bd --- /dev/null +++ b/infra/security_group.tf @@ -0,0 +1,41 @@ +resource "aws_security_group" "authentication_service" { + name = "authentication-service-sg" + description = "Security group for AuthenticationService – restricted access to high-risk ports" + vpc_id = var.vpc_id + + # SSH access is restricted to approved administrative networks only. + # Provide appropriate CIDR values via the trusted_admin_cidr variable. + ingress { + description = "SSH from trusted admin network" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.trusted_admin_cidr + } + + # RDP access is restricted to approved administrative networks only. + # Provide appropriate CIDR values via the trusted_admin_cidr variable. + ingress { + description = "RDP from trusted admin network" + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_blocks = var.trusted_admin_cidr + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "authentication-service-sg" + Environment = "production" + Owner = "platform-security" + Purpose = "Restrict high-risk port access for AuthenticationService" + ManagedBy = "terraform" + } +} diff --git a/infra/variables.tf b/infra/variables.tf new file mode 100644 index 0000000..554ee8f --- /dev/null +++ b/infra/variables.tf @@ -0,0 +1,11 @@ +variable "trusted_admin_cidr" { + description = "List of approved CIDR ranges for administrative access (SSH and RDP). Supply your organization's trusted admin network or jump-host CIDR(s) as the value." + type = list(string) + # Example: ["10.0.0.0/24", "192.168.1.0/28"] + # No default is intentionally provided; callers must supply approved CIDRs explicitly. +} + +variable "vpc_id" { + description = "ID of the VPC in which the security group resides." + type = string +}