Reduce internal CIDR to actual VPC size #416
base: main
This was picked up in a recent audit. Turns out we had set the CIDR incorrectly and it was allowing too wide of communication. We need to restrict it back to the actual size of the VPC.
🚀 env0 has composed a PR Plan for environment Terraform Example / production:
Plan Details
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
! update in-place
Terraform will perform the following actions:
# module.api_access[0].aws_security_group.internal_services will be updated in-place
! resource "aws_security_group" "internal_services" {
id = "sg-08c3767d4eeede7b5"
! ingress = [
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Health check endpoint"
- from_port = 8080
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8080
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Internal HTTPS - monitoring, service mesh, internal tools"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Prometheus metrics scraping"
- from_port = 9090
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 9090
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Health check endpoint"
+ from_port = 8080
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8080
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Internal HTTPS - monitoring, service mesh, internal tools"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Prometheus metrics scraping"
+ from_port = 9090
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 9090
},
]
name = "internal-services"
tags = {
"Critical" = "true"
"Environment" = "production"
"Name" = "internal-services"
"Purpose" = "internal-mesh"
"Team" = "platform"
"UpdateFrequency" = "low"
}
# (7 unchanged attributes hidden)
}
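Review bot: the security group change hard-codes `10.0.0.0/16` in all three ingress rules while the PR description calls it the actual VPC size, but nothing in this plan shows the VPC's CIDR, so a reviewer cannot confirm the match from the plan alone. Reference the VPC's `cidr_block` attribute (from the `aws_vpc` resource or a data source) in `cidr_blocks` instead of a literal so the rules follow the VPC and cannot drift back to a hand-typed range; with `security_groups = []` on every rule, CIDR is the only control here, so in-VPC callers could alternatively be admitted by security group reference rather than by address range.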
# module.heritage[0].aws_rds_cluster.face_database will be updated in-place
! resource "aws_rds_cluster" "face_database" {
id = "facial-recognition-terraform-example"
tags = {}
# (46 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.
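Review bot: the plan also updates `module.heritage[0].aws_rds_cluster.face_database` (`tags = {}`, 46 unchanged attributes hidden), which the PR description never mentions; that reads as pre-existing drift being swept up rather than part of the CIDR fix. Either split it into its own change or state in the description why the tags of a production RDS cluster move in a security-group PR, so that `Plan: 0 to add, 2 to change, 0 to destroy` matches what is actually under review.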
🟢 Change Signals
Routine 🟢
🔥 Risks
Narrowing sg-08c3767d4eeede7b5 to 10.0.0.0/16 will block NLB health checks from 10.50.0.0/16 and break monitoring on 9090
When deployed, health checks and monitoring traffic originating from 10.50.0.0/16 to 10.0.101.239:9090 will be blocked by the new 10.0.0.0/16 ingress. The currently healthy target will flip to unhealthy and be deregistered from the target group, breaking cross-VPC health/metrics collection.
🟣 Expected Changes
~ ec2-security-group › sg-08c3767d4eeede7b5
--- current
+++ proposed
@@ -15,5 +15,5 @@
ingress:
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Health check endpoint
from_port: 8080
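Review bot: the new `10.0.0.0/16` on the 8080 health-check rule excludes 10.50.0.0/16, which the Risks section identifies as the source of the NLB health checks, so the target will fail its checks and be deregistered as soon as this is applied. If those checks really originate from the peered range, add a second `cidr_blocks` entry for that range (or for the peered VPC's CIDR) alongside the VPC's own /16 rather than going back to the /8.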
@@ -22,5 +22,5 @@
to_port: 8080
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Internal HTTPS - monitoring, service mesh, internal tools
from_port: 443
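Review bot: the 443 rule's description lists monitoring, service mesh and internal tools as consumers, but the Risks section only examined 8080 and 9090; confirm that none of those 443 clients sit outside 10.0.0.0/16 before this hunk goes in, since the Risks section already shows at least one peer range (10.50.0.0/16) talking to this group, and a miss here would surface as broken internal tooling rather than as a deregistered target.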
@@ -29,5 +29,5 @@
to_port: 443
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Prometheus metrics scraping
from_port: 9090
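Review bot: this is the hunk the Risks section calls out directly: scrapes from 10.50.0.0/16 to 10.0.101.239:9090 stop matching once the only CIDR is 10.0.0.0/16, so metrics collection from the peered VPC goes dark on apply. Carry 10.50.0.0/16 as its own entry on this rule, and note that the "Auto-approved: All safety checks passed" decision below was taken with this Medium risk still open, so a human should confirm the scraper's source range before merging.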
💥 Blast Radius: Items · Edges
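The Risks section above reasons about whether the narrowed ingress still admits the sources that depend on the group. The same check can be run before apply. The script below is an added example, not part of this PR or of the env0/Overmind tooling; the rule shapes mirror the plan, and the required flows it checks are constructed from the Risks section (10.50.0.0/16 reaching 8080 and 9090) plus one assumed in-VPC 443 source, so they are assumptions about where traffic actually originates, not facts taken from the environment.

```python
"""Pre-apply check: which required flows stop matching after a CIDR narrowing?

Added example; not part of the PR or of the env0/Overmind tooling. Rule
descriptions and ports are copied from the plan; the required flows are
constructed from the Risks section and are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class IngressRule:
    description: str
    protocol: str
    from_port: int
    to_port: int
    cidr_blocks: tuple  # tuple of CIDR strings, as in the plan


@dataclass(frozen=True)
class Flow:
    """A flow the environment depends on: a source address or range -> port."""
    source: str
    port: int
    protocol: str = "tcp"


def rule_admits(rule, flow):
    """True if the flow's whole source range falls inside some CIDR of the rule.

    A partially covered source is treated as blocked: the uncovered part still
    fails its health checks or scrapes, which is what the Risks section warns of.
    """
    if rule.protocol != flow.protocol:
        return False
    if not (rule.from_port <= flow.port <= rule.to_port):
        return False
    src = ip_network(flow.source, strict=False)  # a bare host becomes a /32
    return any(src.subnet_of(ip_network(cidr)) for cidr in rule.cidr_blocks)


def blocked_flows(rules, flows):
    """Flows that no rule in the set admits."""
    return [f for f in flows if not any(rule_admits(r, f) for r in rules)]


def newly_blocked(current_rules, proposed_rules, flows):
    """Flows admitted today but not after the change, ordered by port then source."""
    before = set(blocked_flows(current_rules, flows))
    after = set(blocked_flows(proposed_rules, flows))
    return sorted(after - before, key=lambda f: (f.port, f.source))


def with_cidrs(rules, cidrs):
    """Same rule shapes (ports, descriptions) with a different CIDR list."""
    return [IngressRule(r.description, r.protocol, r.from_port, r.to_port, tuple(cidrs))
            for r in rules]


# Rule shapes as they appear in the plan output.
_SHAPE = [
    IngressRule("Health check endpoint", "tcp", 8080, 8080, ()),
    IngressRule("Internal HTTPS - monitoring, service mesh, internal tools", "tcp", 443, 443, ()),
    IngressRule("Prometheus metrics scraping", "tcp", 9090, 9090, ()),
]
CURRENT_RULES = with_cidrs(_SHAPE, ["10.0.0.0/8"])      # before the PR
PROPOSED_RULES = with_cidrs(_SHAPE, ["10.0.0.0/16"])    # what the PR applies
# Corrected variant: the VPC CIDR plus the peered range named in the Risks section.
CORRECTED_RULES = with_cidrs(_SHAPE, ["10.0.0.0/16", "10.50.0.0/16"])

# Constructed required flows (assumptions derived from the Risks section).
REQUIRED_FLOWS = [
    Flow("10.50.0.0/16", 8080),   # NLB health checks from the peered VPC
    Flow("10.50.0.0/16", 9090),   # Prometheus scrapes from the peered VPC
    Flow("10.0.12.0/24", 443),    # in-VPC service mesh traffic (constructed)
]

if __name__ == "__main__":
    for f in newly_blocked(CURRENT_RULES, PROPOSED_RULES, REQUIRED_FLOWS):
        print(f"BLOCKED after change: {f.source} -> :{f.port}/{f.protocol}")
    print("still blocked with 10.50.0.0/16 added:",
          newly_blocked(CURRENT_RULES, CORRECTED_RULES, REQUIRED_FLOWS))
```

Run as-is it reports the two 10.50.0.0/16 flows (8080 and 9090) as newly blocked and an empty list for the corrected rule set; the in-VPC 443 flow is unaffected because 10.0.12.0/24 is inside 10.0.0.0/16. Feeding it the real list of health-check and scraper source ranges turns the Risks section's finding into a repeatable gate in CI.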
✅ Auto-Approved
🟢 Decision
Auto-approved: All safety checks passed
📊 Signals Summary
Routine 🟢 +1
🔥 Risks Summary
High 0 · Medium 1 · Low 0
💥 Blast Radius
Items 87 · Edges 367