From ffc3285fbe4a041d3a3be0511d6d2b1533738b44 Mon Sep 17 00:00:00 2001
From: Alex Applebaum
Date: Wed, 5 Jul 2017 22:07:24 -0700
Subject: [PATCH] some more security group cleanup

---
 modules/providers/aws/application/app.tf | 4 ++--
 modules/providers/azure/application/app.tf | 4 ++--
 modules/providers/gce/application/app.tf | 15 ++++++++++++++-
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/modules/providers/aws/application/app.tf b/modules/providers/aws/application/app.tf
index f922d27..6593e26 100644
--- a/modules/providers/aws/application/app.tf
+++ b/modules/providers/aws/application/app.tf
@@ -12,7 +12,7 @@ variable region { default = "us-west-2" }
 variable vpc_id {}
 variable availability_zones { default = "us-west-2a,us-west-2b"}
 variable subnet_ids {}
-
+variable restricted_src_address { default = "0.0.0.0/0" }
 
 # APPLICATION
 variable docker_image { default = "f5devcentral/f5-demo-app:AWS" }
@@ -43,7 +43,7 @@ resource "aws_security_group" "sg" {
 from_port = 22
 to_port = 22
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.restricted_src_address}"]
 }
 
 ingress {
diff --git a/modules/providers/azure/application/app.tf b/modules/providers/azure/application/app.tf
index 14b42ab..8645a15 100644
--- a/modules/providers/azure/application/app.tf
+++ b/modules/providers/azure/application/app.tf
@@ -81,7 +81,7 @@ resource "azurerm_network_security_group" "sg" {
 protocol = "Tcp"
 source_port_range = "*"
 destination_port_range = "80"
- source_address_prefix = "${var.restricted_src_address}"
+ source_address_prefix = "0.0.0.0/0"
 destination_address_prefix = "*"
 }
 
@@ -93,7 +93,7 @@ resource "azurerm_network_security_group" "sg" {
 protocol = "Tcp"
 source_port_range = "*"
 destination_port_range = "443"
- source_address_prefix = "${var.restricted_src_address}"
+ source_address_prefix = "0.0.0.0/0"
 destination_address_prefix = "*"
 }
 
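Review bot: The new `restricted_src_address` variable in the first aws hunk defaults to `0.0.0.0/0`, so the SSH rule in the second aws hunk (`cidr_blocks = ["${var.restricted_src_address}"]`) is still reachable from every source unless a caller overrides it; a variable named "restricted" that is world-open by default invites exactly that omission. Consider declaring it without a default so a plan fails until an operator supplies a range, or at least document the trade-off next to it: `# CIDR allowed to reach management (SSH); set this per deployment, the default is not restrictive`. The variable is also a single string, so only one CIDR can be passed; since `availability_zones` in the same block already uses a comma-separated string, `cidr_blocks = ["${split(",", var.restricted_src_address)}"]` would let callers pass several ranges the same way. The `aws_security_group` resource and its remaining ingress rules extend beyond the second hunk.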
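Review bot: Both azure hunks replace `source_address_prefix = "${var.restricted_src_address}"` with the literal `"0.0.0.0/0"` on the 80 and 443 rules, which removes the only knob a caller had to narrow application traffic; a deployment that fronts the app with a load balancer or WAF tier can no longer limit these ports to that tier without editing the module. If the intent is to keep management restricted while publishing the app, make the public range a second variable rather than a literal, e.g. `variable public_src_address { default = "0.0.0.0/0" }` and `source_address_prefix = "${var.public_src_address}"` on both rules, so the default stays as the commit wants but remains overridable. The `restricted_src_address` declaration and any remaining uses of it in this file are outside the hunks, so whether it is now unused here cannot be confirmed from this view. Each `security_rule` block and the enclosing `azurerm_network_security_group` resource begin outside the hunks.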
diff --git a/modules/providers/gce/application/app.tf b/modules/providers/gce/application/app.tf
index 2765d12..1435c54 100644
--- a/modules/providers/gce/application/app.tf
+++ b/modules/providers/gce/application/app.tf
@@ -47,18 +47,31 @@ resource "google_compute_firewall" "app-firewall" {
 name = "${var.application}-app-firewall"
 network = "${var.network}"
 
+ allow {
+ protocol = "tcp"
+ ports = [ "80", "443" ]
+ }
+
+ source_ranges = ["0.0.0.0/0"]
+}
+
+resource "google_compute_firewall" "app-firewall-management" {
+ name = "${var.application}-app-firewall-management"
+ network = "${var.network}"
+
 allow {
 protocol = "icmp"
 }
 
 allow {
 protocol = "tcp"
- ports = ["22", "80", "443" ]
+ ports = ["22"]
 }
 
 source_ranges = ["${var.restricted_src_address}"]
 }
+
 data "template_file" "user_data" {
 template = "${file("${path.module}/user_data.tpl")}"