From daecd557ee103221676c8c647c3f4f89ef26cdd8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Mar 2026 14:54:42 +0000 Subject: [PATCH 1/2] Initial plan From c2d364e7bf806b80cb4e1a9f72dddfdf234f4963 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Mar 2026 14:56:55 +0000 Subject: [PATCH 2/2] Fix: restrict EC2 security group ingress on SSH (22) and RDP (3389) ports Co-authored-by: pagarwal-dev <224537592+pagarwal-dev@users.noreply.github.com> --- infra/security_group.tf | 41 +++++++++++++++++++++++++++++++++++++++++ infra/variables.tf | 11 +++++++++++ 2 files changed, 52 insertions(+) create mode 100644 infra/security_group.tf create mode 100644 infra/variables.tf diff --git a/infra/security_group.tf b/infra/security_group.tf new file mode 100644 index 0000000..8b967bd --- /dev/null +++ b/infra/security_group.tf @@ -0,0 +1,41 @@ +resource "aws_security_group" "authentication_service" { + name = "authentication-service-sg" + description = "Security group for AuthenticationService – restricted access to high-risk ports" + vpc_id = var.vpc_id + + # SSH access is restricted to approved administrative networks only. + # Provide appropriate CIDR values via the trusted_admin_cidr variable. + ingress { + description = "SSH from trusted admin network" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.trusted_admin_cidr + } + + # RDP access is restricted to approved administrative networks only. + # Provide appropriate CIDR values via the trusted_admin_cidr variable. + ingress { + description = "RDP from trusted admin network" + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_blocks = var.trusted_admin_cidr + } + + egress { + description = "Allow all outbound traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "authentication-service-sg" + Environment = "production" + Owner = "platform-security" + Purpose = "Restrict high-risk port access for AuthenticationService" + ManagedBy = "terraform" + } +} diff --git a/infra/variables.tf b/infra/variables.tf new file mode 100644 index 0000000..554ee8f --- /dev/null +++ b/infra/variables.tf @@ -0,0 +1,11 @@ +variable "trusted_admin_cidr" { + description = "List of approved CIDR ranges for administrative access (SSH and RDP). Supply your organization's trusted admin network or jump-host CIDR(s) as the value." + type = list(string) + # Example: ["10.0.0.0/24", "192.168.1.0/28"] + # No default is intentionally provided; callers must supply approved CIDRs explicitly. +} + +variable "vpc_id" { + description = "ID of the VPC in which the security group resides." + type = string +}