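# NSG for the Azure Bastion subnet.
#
# Rule set follows the inbound/outbound flows the Bastion service needs
# (control plane 443, data-plane 8080/5701 between instances, SSH/RDP to the
# VNet, AzureCloud 443, session information to Internet), with explicit
# deny-all rules at priority 1000 in each direction.
#
# The explicit deny rules use protocol "*" rather than "Tcp": the platform's
# default rules (AllowVnetInBound / AllowInternetOutBound at 65000/65001)
# still apply to any traffic a custom rule does not match, so a TCP-only
# "DenyAll" would leave UDP/ICMP flows governed by those defaults.
resource "azurerm_network_security_group" "bastion" {
  name                = "${var.nsg_name}-bastion"
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  # --- Inbound ---------------------------------------------------------------

  # User sessions reach the Bastion public IP over HTTPS.
  security_rule {
    name                       = "AllowHttpsInBound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  # Control-plane traffic from the Azure gateway management service.
  security_rule {
    name                       = "AllowGatewayManagerInBound"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "GatewayManager"
    destination_address_prefix = "*"
  }

  # Health probes from the Azure load balancer in front of the Bastion hosts.
  security_rule {
    name                       = "AllowLoadBalancerInBound"
    priority                   = 120
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "AzureLoadBalancer"
    destination_address_prefix = "*"
  }

  # Data-plane traffic between the Bastion host's own instances.
  # Protocol is "*" so the "*" deny rule below cannot block non-TCP component
  # traffic on these ports; NOTE(review): confirm against the current Azure
  # Bastion NSG requirements whether TCP-only is sufficient here.
  security_rule {
    name                       = "AllowBastionHostCommunicationInBound"
    priority                   = 130
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_ranges    = ["8080", "5701"]
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "*"
  }

  # Explicit catch-all deny for every protocol, ahead of the platform defaults.
  security_rule {
    name                       = "DenyAllInBound"
    priority                   = 1000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    source_address_prefix      = "*"
    destination_port_range     = "*"
    destination_address_prefix = "*"
  }

  # --- Outbound --------------------------------------------------------------

  # SSH/RDP from Bastion to target VMs inside the virtual network.
  security_rule {
    name                       = "AllowSshRdpOutBound"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["22", "3389"]
    source_address_prefix      = "*"
    destination_address_prefix = "VirtualNetwork"
  }

  # HTTPS to Azure public endpoints (logging, diagnostics, metering).
  security_rule {
    name                       = "AllowAzureCloudCommunicationOutBound"
    priority                   = 110
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "AzureCloud"
  }

  # Data-plane traffic between the Bastion host's own instances (see the
  # matching inbound rule for the protocol choice).
  security_rule {
    name                       = "AllowBastionHostCommunicationOutBound"
    priority                   = 120
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_ranges    = ["8080", "5701"]
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "VirtualNetwork"
  }

  # Session information / certificate validation against Internet endpoints.
  security_rule {
    name                       = "AllowGetSessionInformationOutBound"
    priority                   = 130
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["80", "443"]
    source_address_prefix      = "*"
    destination_address_prefix = "Internet"
  }

  # Explicit catch-all deny for every protocol, ahead of the platform defaults.
  security_rule {
    name                       = "DenyAllOutBound"
    priority                   = 1000
    direction                  = "Outbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    source_address_prefix      = "*"
    destination_port_range     = "*"
    destination_address_prefix = "*"
  }
}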
# Attach the Bastion NSG to the subnet supplied by the caller
# (var.bastion_subnet_id); without this association the rules above are
# defined but not enforced on any traffic.
resource "azurerm_subnet_network_security_group_association" "nsg_bastion_association" {
  network_security_group_id = azurerm_network_security_group.bastion.id
  subnet_id                 = var.bastion_subnet_id
}