[Bug] ALB Ingress Security Group too restrictive

[gwright99]

Background

Reported by a client with the following characteristics:

• VPC A
  • All private subnets
  • Tower instance
  • Internal ALB (fronting Tower)
  • Transit Gateway attachment
• VPC B
  • VPN entrypoint
  • Transit Gateway attachment (to route VPN traffic to Tower)

The Problem

Client could not connect to the ALB, despite the VPN being active and functional. The problem ended up being due to an assumption I made while populating `local.alb_ingress_cidrs':

• I assumed that a pre-existing VPC would have the VPN terminating inside it, and this meant we could limit ingress to the Internal ALB to only the CIDR block of the VPC.
• This appears to be a naive works-for-happy-path-only assumption.

How to Fix

The client confirmed that the problem was resolved once they added their VPN CIDR to the [data.aws_vpc.preexisting.cidr_block] (_i.e. [data.aws_vpc.preexisting.cidr_block, VIPN_CIDR_HERE]_).

I think it would make sense to leverage the pre-existing sg_ingress_cidrs value in terraform.tfvar and append this into the local.alb_ingress_cidrs array generated for non-public implementations.

[gwright99]

@schaluva -- thoughts on the proposal above?

[gwright99]

While working on the solution, I realized I was using the wrong value to control SSH security ingress rules. I was using var.sg_ingress_rules instead of var.sg_ssh_cidrs. Fixed.