Add inbound security rules for CHIPS connectivity

companieshouse · May 13, 2021 · b3ffbc4 · b3ffbc4
1 parent aab66ba
commit b3ffbc4
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/groups/frontend/instance.tf b/groups/frontend/instance.tf
@@ -116,6 +116,38 @@ resource "aws_security_group" "common" {
     cidr_blocks = var.deployment_cidrs
   }
 
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo CEU services"
+    from_port   = 38000
+    to_port     = 38000
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo CHD services"
+    from_port   = 38100
+    to_port     = 38100
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo EWF services"
+    from_port   = 38200
+    to_port     = 38200
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo XML services"
+    from_port   = 38300
+    to_port     = 38300
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
   egress {
     description = "Allow outbound traffic"
     from_port   = 0

diff --git a/groups/frontend/variables.tf b/groups/frontend/variables.tf
@@ -20,6 +20,11 @@ variable "aws_account" {
   description = "The name of the AWS account; used in Vault path when looking up account identifier"
 }
 
+variable "chips_cidr" {
+  type        = string
+  description = "A string representing the CIDR range from which CHIPS instances will connect to Tuxedo services"
+}
+
 variable "default_log_retention_in_days" {
   type        = string
   description = "The default log retention period in days for CloudWatch log groups"