fix: condense http and https into one rule

Author: sean-freeman

aws_ec2_instance/host_network_access_sap/network_security_groups_sap_hana.tf

@@ -105,12 +105,13 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_index_mdc_1"
 
 
 # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
 resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_http_soap" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   security_group_id = var.module_var_host_security_group_id
   type              = "ingress"
   from_port         = tonumber("5${var.module_var_sap_hana_instance_no}13")
-  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}13")
+  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}14")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]
 }
@@ -119,27 +120,6 @@ resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_http
   security_group_id = var.module_var_host_security_group_id
   type              = "egress"
   from_port         = tonumber("5${var.module_var_sap_hana_instance_no}13")
-  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}13")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}
-
-
-# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_ingress_saphana_startsrv_https_soap" {
-  count = local.network_rules_sap_hana_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "ingress"
-  from_port         = tonumber("5${var.module_var_sap_hana_instance_no}14")
-  to_port           = tonumber("5${var.module_var_sap_hana_instance_no}14")
-  protocol          = "tcp"
-  cidr_blocks  = ["${local.target_subnet_ip_range}"]
-}
-resource "aws_security_group_rule" "vpc_sg_rule_tcp_egress_saphana_startsrv_https_soap" {
-  count = local.network_rules_sap_hana_boolean ? 1 : 0
-  security_group_id = var.module_var_host_security_group_id
-  type              = "egress"
-  from_port         = tonumber("5${var.module_var_sap_hana_instance_no}14")
   to_port           = tonumber("5${var.module_var_sap_hana_instance_no}14")
   protocol          = "tcp"
   cidr_blocks  = ["${local.target_subnet_ip_range}"]

gcp_ce_vm/host_network_access_sap/network_security_fw_rules_sap_hana.tf

@@ -167,14 +167,15 @@ resource "google_compute_firewall" "vpc_fw_rule_tcp_egress_saphana_index_mdc_1"
 
 
 # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
 resource "google_compute_firewall" "vpc_fw_rule_tcp_ingress_saphana_startsrv_http_soap" {
   count   = local.network_rules_sap_hana_boolean ? 1 : 0
   name    = "${var.module_var_resource_prefix}-vpc-fw-ingress-saphana-startsrv-http"
   network = local.target_vpc_name
 
   allow {
     protocol = "tcp"
-    ports    = [tonumber("5${var.module_var_sap_hana_instance_no}13")]
+    ports    = ["5${var.module_var_sap_hana_instance_no}13-5${var.module_var_sap_hana_instance_no}14"]
   }
 
   direction  = "INGRESS"
@@ -188,38 +189,7 @@ resource "google_compute_firewall" "vpc_fw_rule_tcp_egress_saphana_startsrv_http
 
   allow {
     protocol = "tcp"
-    ports    = [tonumber("5${var.module_var_sap_hana_instance_no}13")]
-  }
-
-  direction  = "EGRESS"
-  destination_ranges = ["${local.target_vpc_subnet_range}"]
-#  source_ranges      = 
-}
-
-
-# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
-resource "google_compute_firewall" "vpc_fw_rule_tcp_ingress_saphana_startsrv_https_soap" {
-  count   = local.network_rules_sap_hana_boolean ? 1 : 0
-  name    = "${var.module_var_resource_prefix}-vpc-fw-ingress-saphana-startsrv-https"
-  network = local.target_vpc_name
-
-  allow {
-    protocol = "tcp"
-    ports    = [tonumber("5${var.module_var_sap_hana_instance_no}14")]
-  }
-
-  direction  = "INGRESS"
-#  destination_ranges = 
-  source_ranges      = ["${local.target_vpc_subnet_range}"]
-}
-resource "google_compute_firewall" "vpc_fw_rule_tcp_egress_saphana_startsrv_https_soap" {
-  count   = local.network_rules_sap_hana_boolean ? 1 : 0
-  name    = "${var.module_var_resource_prefix}-vpc-fw-egress-saphana-startsrv-https"
-  network = local.target_vpc_name
-
-  allow {
-    protocol = "tcp"
-    ports    = [tonumber("5${var.module_var_sap_hana_instance_no}14")]
+    ports    = ["5${var.module_var_sap_hana_instance_no}13-5${var.module_var_sap_hana_instance_no}14"]
   }
 
   direction  = "EGRESS"

ibmcloud_vs/host_network_access_sap/network_security_groups_sap_hana.tf

@@ -123,6 +123,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_index_md
 
 
 # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
 resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1]
@@ -131,42 +132,17 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_
   remote     = local.target_vpc_subnet_range
   tcp {
     port_min = tonumber("5${var.module_var_sap_hana_instance_no}13")
-    port_max = tonumber("5${var.module_var_sap_hana_instance_no}13")
-  }
-}
-resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_http_soap" {
-  count = local.network_rules_sap_hana_boolean ? 1 : 0
-  depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_index_mdc_1]
-  group      = var.module_var_host_security_group_id
-  direction  = "outbound"
-  remote     = local.target_vpc_subnet_range
-  tcp {
-    port_min = tonumber("5${var.module_var_sap_hana_instance_no}13")
-    port_max = tonumber("5${var.module_var_sap_hana_instance_no}13")
-  }
-}
-
-
-# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
-resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_inbound_saphana_startsrv_https_soap" {
-  count = local.network_rules_sap_hana_boolean ? 1 : 0
-  depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap]
-  group      = var.module_var_host_security_group_id
-  direction  = "inbound"
-  remote     = local.target_vpc_subnet_range
-  tcp {
-    port_min = tonumber("5${var.module_var_sap_hana_instance_no}14")
     port_max = tonumber("5${var.module_var_sap_hana_instance_no}14")
   }
 }
-resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_https_soap" {
+resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv_http_soap" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_startsrv_http_soap]
   group      = var.module_var_host_security_group_id
   direction  = "outbound"
   remote     = local.target_vpc_subnet_range
   tcp {
-    port_min = tonumber("5${var.module_var_sap_hana_instance_no}14")
+    port_min = tonumber("5${var.module_var_sap_hana_instance_no}13")
     port_max = tonumber("5${var.module_var_sap_hana_instance_no}14")
   }
 }
@@ -178,7 +154,7 @@ resource "ibm_is_security_group_rule" "vpc_sg_rule_tcp_outbound_saphana_startsrv
 ## More details in README
 resource "ibm_is_security_group_rule" "vpc_sg_rule_sap_inbound_saphana_hsr1" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
-  depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_inbound_saphana_startsrv_https_soap]
+  depends_on = [ibm_is_security_group_rule.vpc_sg_rule_tcp_outbound_saphana_startsrv_http_soap]
   group      = var.module_var_host_security_group_id
   direction  = "inbound"
   remote     = local.target_vpc_subnet_range

msazure_vm/host_network_access_sap/network_security_groups_sap_hana.tf

@@ -175,6 +175,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_inde
 
 
 # SAP HANA for SOAP over HTTP for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
+# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
 resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_http_soap" {
   count = local.network_rules_sap_hana_boolean ? 1 : 0
   name      = "tcp_inbound_saphana_startsrv_http_soap"
@@ -185,7 +186,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_start
 
   source_port_range          = "*"
   source_address_prefix      = local.target_vnet_subnet_range
-  destination_port_range     = tonumber("5${var.module_var_sap_hana_instance_no}13")
+  destination_port_ranges    = ["5${var.module_var_sap_hana_instance_no}13-5${var.module_var_sap_hana_instance_no}14"]
   destination_address_prefix = local.target_vnet_subnet_range
 
   resource_group_name         = var.module_var_az_resource_group_name
@@ -201,42 +202,7 @@ resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_star
 
   source_port_range          = "*"
   source_address_prefix      = local.target_vnet_subnet_range
-  destination_port_range     = tonumber("5${var.module_var_sap_hana_instance_no}13")
-  destination_address_prefix = local.target_vnet_subnet_range
-
-  resource_group_name         = var.module_var_az_resource_group_name
-  network_security_group_name = var.module_var_host_security_group_name
-}
-
-
-# SAP HANA for SOAP over HTTPS (Secure) for SAP Instance Agent (SAPStartSrv, i.e. host:port/SAPControl?wsdl), access from within the same Subnet
-resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_inbound_saphana_startsrv_https_soap" {
-  count = local.network_rules_sap_hana_boolean ? 1 : 0
-  name      = "tcp_inbound_saphana_startsrv_https_soap"
-  priority  = 262
-  direction = "Inbound"
-  access    = "Allow"
-  protocol  = "Tcp"
-
-  source_port_range          = "*"
-  source_address_prefix      = local.target_vnet_subnet_range
-  destination_port_range     = tonumber("5${var.module_var_sap_hana_instance_no}14")
-  destination_address_prefix = local.target_vnet_subnet_range
-
-  resource_group_name         = var.module_var_az_resource_group_name
-  network_security_group_name = var.module_var_host_security_group_name
-}
-resource "azurerm_network_security_rule" "vnet_sg_rule_tcp_outbound_saphana_startsrv_https_soap" {
-  count = local.network_rules_sap_hana_boolean ? 1 : 0
-  name      = "tcp_outbound_saphana_startsrv_https_soap"
-  priority  = 263
-  direction = "Outbound"
-  access    = "Allow"
-  protocol  = "Tcp"
-
-  source_port_range          = "*"
-  source_address_prefix      = local.target_vnet_subnet_range
-  destination_port_range     = tonumber("5${var.module_var_sap_hana_instance_no}14")
+  destination_port_ranges    = ["5${var.module_var_sap_hana_instance_no}13-5${var.module_var_sap_hana_instance_no}14"]
   destination_address_prefix = local.target_vnet_subnet_range
 
   resource_group_name         = var.module_var_az_resource_group_name