From 71658560670411485f956abb5670950726656af6 Mon Sep 17 00:00:00 2001
From: Zachary Hill
Date: Sun, 21 Jul 2024 12:22:51 -0400
Subject: [PATCH] added new variables to ssh and snmp security groups

---
 modules/aws/vendor/velocloud/main.tf | 42 +++++++++++++++--------
 modules/aws/vendor/velocloud/variables.tf | 26 ++++++++++----
 2 files changed, 47 insertions(+), 21 deletions(-)

diff --git a/modules/aws/vendor/velocloud/main.tf b/modules/aws/vendor/velocloud/main.tf
index 94964e39..072d9ab8 100644
--- a/modules/aws/vendor/velocloud/main.tf
+++ b/modules/aws/vendor/velocloud/main.tf
@@ -18,27 +18,41 @@ data "aws_region" "current" {}
 
 # Security Groups
 ############################################
-resource "aws_security_group" "velocloud_sdwan_mgmt_sg" {
+resource "aws_security_group" "sdwan_mgmt_sg" {
   name = var.wan_mgmt_sg_name
   description = "Security group applied to the VeloCloud SDWAN instance WAN and MGMT NICs for VeloCloud communication"
   vpc_id = var.vpc_id
 
-  egress {
-    description = "HTTPS Tunnel"
-    from_port = 443
-    to_port = 443
+  ingress {
+    description = "SSH access for support"
+    from_port = 22
+    to_port = 22
     protocol = "TCP"
-    # CATO Cloud requires this port to be open to the internet
-    #tfsec:ignore:aws-ec2-no-public-egress-sgr
+    cidr_blocks = var.ssh_mgmt_access_cidr_blocks
+  }
+
+  ingress {
+    description = "SNMP access for management"
+    from_port = 161
+    to_port = 161
+    protocol = "UDP"
+    cidr_blocks = var.snmp_mgmt_access_cidr_blocks
+  }
+
+  ingress {
+    description = "VMware Multipath Protocol"
+    from_port = 2426
+    to_port = 2426
+    protocol = "UDP"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
   egress {
-    description = "HTTPS Tunnel"
-    from_port = 443
-    to_port = 443
-    protocol = "UDP"
-    # CATO Cloud requires this port to be open to the internet
+    description = "All traffic"
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    # VeloCloud SDWAN requires this port to be open to the internet
     #tfsec:ignore:aws-ec2-no-public-egress-sgr
     cidr_blocks = ["0.0.0.0/0"]
   }
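Review bot: The SSH and SNMP ingress rules take their only source from `var.ssh_mgmt_access_cidr_blocks` and `var.snmp_mgmt_access_cidr_blocks`, which this patch's variables.tf defaults to `[]`, so a caller that sets neither ends up with ingress blocks that have no source at all; confirm the provider accepts an ingress rule whose `cidr_blocks` is empty rather than failing at apply, or gate each rule on the list being non-empty with a `dynamic "ingress"` block as below. The new UDP 2426 ingress from `0.0.0.0/0` carries neither a justification comment nor a `#tfsec:ignore:aws-ec2-no-public-ingress-sgr` annotation, unlike the egress rule right below it, so a scanner will flag it with no record of why it is intentional. The comment kept on the egress rule still says "this port" although the rule is now protocol `-1`, ports 0-0, i.e. all traffic; it should read `# VeloCloud SDWAN requires unrestricted egress to the internet` so the waiver describes what it waives. Renaming the resource from `velocloud_sdwan_mgmt_sg` to `sdwan_mgmt_sg` will make Terraform destroy and recreate the group on existing state; if the module targets a Terraform version with `moved` blocks, `moved { from = aws_security_group.velocloud_sdwan_mgmt_sg to = aws_security_group.sdwan_mgmt_sg }` preserves it. The resource's closing brace lies outside the hunk.
```hcl
resource "aws_security_group" "sdwan_mgmt_sg" {
  # … unchanged: name, description, vpc_id …

  dynamic "ingress" {
    for_each = length(var.ssh_mgmt_access_cidr_blocks) > 0 ? [1] : []
    content {
      description = "SSH access for support"
      from_port   = 22
      to_port     = 22
      protocol    = "TCP"
      cidr_blocks = var.ssh_mgmt_access_cidr_blocks
    }
  }

  # … unchanged: SNMP rule (wrapped the same way), VMware Multipath rule, egress rule …
```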
@@ -96,7 +110,7 @@ resource "aws_network_interface" "mgmt_nic" {
   count = var.number
   description = var.mgmt_nic_description
   private_ips = var.mgmt_ips
-  security_groups = [aws_security_group.cato_wan_mgmt_sg.id]
+  security_groups = [aws_security_group.sdwan_mgmt_sg.id]
   subnet_id = element(var.mgmt_subnet_id, count.index)
   tags = merge(var.tags, ({ "Name" = format("%s%d_mgmt", var.instance_name_prefix, count.index + 1) }))
 }
@@ -106,7 +120,7 @@ resource "aws_network_interface" "public_nic" {
   count = var.number
   description = var.public_nic_description
   private_ips = [element(var.public_ips, count.index)]
-  security_groups = [aws_security_group.cato_wan_mgmt_sg.id]
+  security_groups = [aws_security_group.sdwan_mgmt_sg.id]
   subnet_id = element(var.public_subnet_id, count.index)
   tags = merge(var.tags, ({ "Name" = format("%s%d_public", var.instance_name_prefix, count.index + 1) }))
diff --git a/modules/aws/vendor/velocloud/variables.tf b/modules/aws/vendor/velocloud/variables.tf
index 63d953b3..dc6df118 100644
--- a/modules/aws/vendor/velocloud/variables.tf
+++ b/modules/aws/vendor/velocloud/variables.tf
@@ -2,20 +2,27 @@
 # Security Groups
 ############################################
 
-variable "wan_mgmt_sg_name" {
+variable "lan_sg_name" {
   description = "(Optional, Forces new resource) Name of the security group. If omitted, Terraform will assign a random, unique name."
-  default = "velocloud_wan_mgmt_sg"
+  default = "velocloud_lan_sg"
   type = string
 }
 
-variable "vpc_id" {
-  description = "(Required, Forces new resource) VPC ID. Defaults to the region's default VPC."
-  type = string
+variable "snmp_mgmt_access_cidr_blocks" {
+  description = "(Optional) List of CIDR blocks allowed to SNMP into the VeloCloud instance."
+  default = []
+  type = list(string)
 }
 
-variable "lan_sg_name" {
+variable "ssh_mgmt_access_cidr_blocks" {
+  description = "(Optional) List of CIDR blocks allowed to SSH into the VeloCloud instance."
+  default = []
+  type = list(string)
+}
+
+variable "wan_mgmt_sg_name" {
   description = "(Optional, Forces new resource) Name of the security group. If omitted, Terraform will assign a random, unique name."
-  default = "velocloud_lan_sg"
+  default = "velocloud_wan_mgmt_sg"
   type = string
 }
 
@@ -25,6 +32,11 @@ variable "velocloud_lan_cidr_blocks" {
   default = null
 }
 
+variable "vpc_id" {
+  description = "(Required, Forces new resource) VPC ID. Defaults to the region's default VPC."
+  type = string
+}
+
 ############################################
 # ENI
 ############################################
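Review bot: The new `ssh_mgmt_access_cidr_blocks` and `snmp_mgmt_access_cidr_blocks` variables accept any string and default to `[]`, and neither description says what an empty list means for the security-group rule in main.tf that consumes it. Because these lists become the sources of management-port ingress rules, a `validation` block rejecting malformed CIDRs (if the module's required Terraform version supports validation blocks) and a description stating the effect of the default make the contract explicit; proposed description: `(Optional) List of CIDR blocks allowed to SSH into the VeloCloud instance. Empty by default, which is intended to grant no SSH access.` The same applies to the SNMP variable.
```hcl
variable "ssh_mgmt_access_cidr_blocks" {
  description = "(Optional) List of CIDR blocks allowed to SSH into the VeloCloud instance. Empty by default, which is intended to grant no SSH access."
  default     = []
  type        = list(string)

  validation {
    condition     = alltrue([for c in var.ssh_mgmt_access_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "ssh_mgmt_access_cidr_blocks must contain only valid CIDR blocks."
  }
}

# … unchanged: snmp_mgmt_access_cidr_blocks, with the same validation …
```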
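Review bot: The re-added `vpc_id` block in the second hunk carries a self-contradictory description: it is marked "(Required …)" and is declared without a `default`, so Terraform will refuse to plan without it, yet the text goes on to say "Defaults to the region's default VPC", which is not what the declaration does. The wording was moved unchanged from the old location, so the defect predates this commit, but this hunk is where it is now written; I would change it to `description = "(Required, Forces new resource) ID of the VPC in which the security groups are created."`.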