Add inbound security rules for CHIPS connectivity

marcransome · marcransome · commit b3ffbc45c10d · 2021-05-13T14:53:04.000+01:00
diff --git a/groups/frontend/instance.tf b/groups/frontend/instance.tf
@@ -116,6 +116,38 @@ resource "aws_security_group" "common" {
     cidr_blocks = var.deployment_cidrs
   }
 
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo CEU services"
+    from_port   = 38000
+    to_port     = 38000
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo CHD services"
+    from_port   = 38100
+    to_port     = 38100
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo EWF services"
+    from_port   = 38200
+    to_port     = 38200
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
+  ingress {
+    description = "Allow connectivity from CHIPS for Tuxedo XML services"
+    from_port   = 38300
+    to_port     = 38300
+    protocol    = "TCP"
+    cidr_blocks = [var.chips_cidr]
+  }
+
   egress {
     description = "Allow outbound traffic"
     from_port   = 0
diff --git a/groups/frontend/variables.tf b/groups/frontend/variables.tf
@@ -20,6 +20,11 @@ variable "aws_account" {
   description = "The name of the AWS account; used in Vault path when looking up account identifier"
 }
 
+variable "chips_cidr" {
+  type        = string
+  description = "A string representing the CIDR range from which CHIPS instances will connect to Tuxedo services"
+}
+
 variable "default_log_retention_in_days" {
   type        = string
   description = "The default log retention period in days for CloudWatch log groups"
