@dylanratcliffe

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@env0

env0 bot commented Dec 26, 2025

🚀 env0 had composed a PR Plan for environment Overmind / Terraform Example / terraform-example:

🚨 PR Plan Failed 🚨
Failure Details
╷
│ Error: Invalid for_each argument
│ 
│   on monitoring_peering_and_nlb.tf line 105, in resource "aws_route" "baseline_to_monitoring":
│  105:   for_each = local.enable_signals_monitoring_vpc ? toset(module.baseline.public_route_table_ids) : toset([])
│     ├────────────────
│     │ local.enable_signals_monitoring_vpc is true
│     │ module.baseline.public_route_table_ids is tuple with 1 element
│ 
│ The "for_each" set includes values derived from resource attributes that
│ cannot be determined until apply, and so OpenTofu cannot determine the full
│ set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to use a map
│ value where the keys are defined statically in your configuration and where
│ only the values contain apply-time results.
│ 
│ Alternatively, you could use the planning option
│ -exclude=aws_route.baseline_to_monitoring to first apply without this
│ object, and then apply normally to converge.
╵

Full PR Plan logs on env0


@github-actions

Overmind
✨Frontend Team Review

🟢 Change Signals

Routine 🟢 Ingress resources showing regular updates with 1 event/day for the last 13 days and 2 events/day for the last day.

🔥 Risks

Narrowing SG to 10.0.0.0/16 will block monitoring VPC (10.50.0.0/16) health checks to 10.0.101.248 on 9090 and 443 ❗Medium Open Risk
The internal-services security group on the api server is being tightened from 10.0.0.0/8 to 10.0.0.0/16 for ports 8080, 443, and 9090. The internal monitoring load balancer and tools live in a peered monitoring VPC with CIDR 10.50.0.0/16, and they currently probe the instance at 10.0.101.248 via the target group api-health-terraform-example on port 9090.

When the SG narrows to 10.0.0.0/16, sources in 10.50.0.0/16 will no longer match the ingress rules. The NLB's health checks and any monitoring/metrics traffic from the monitoring VPC will be blocked, causing the target to flip unhealthy and creating visibility gaps for Prometheus/monitoring on 9090 and internal HTTPS on 443. The instance will remain reachable from 10.0.0.0/16, but cross-VPC monitoring paths will fail.
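To make the cross-VPC regression described above checkable before merge, here is an added example (my code, not the PR's or Overmind's) that evaluates the current and proposed ingress rules from the plan against the flows the risk note depends on; the individual 10.50.x and 10.0.101.x source addresses are constructed, since the page only gives the VPC CIDRs and the instance IP.

```python
"""Pre-merge check: does a proposed security-group narrowing still permit
the flows the service relies on?  Added example; not part of the PR."""
import ipaddress

# Ingress rules as shown in the plan: (description, cidr_blocks, from_port, to_port)
CURRENT_RULES = [
    ("Health check endpoint", ["10.0.0.0/8"], 8080, 8080),
    ("Internal HTTPS", ["10.0.0.0/8"], 443, 443),
    ("Prometheus metrics scraping", ["10.0.0.0/8"], 9090, 9090),
]
PROPOSED_RULES = [
    ("Health check endpoint", ["10.0.0.0/16"], 8080, 8080),
    ("Internal HTTPS", ["10.0.0.0/16"], 443, 443),
    ("Prometheus metrics scraping", ["10.0.0.0/16"], 9090, 9090),
]

# Flows the api server needs to keep accepting: (source IP, destination port).
# The source addresses are constructed; only the CIDRs they sit in come from the page.
REQUIRED_FLOWS = [
    ("10.50.1.10", 9090),   # NLB health check from the peered monitoring VPC
    ("10.50.2.20", 443),    # internal tooling over HTTPS from the monitoring VPC
    ("10.0.101.10", 8080),  # in-VPC health check from the instance's own VPC
]


def is_allowed(rules, source, port):
    """True if any rule covers both the source address and the port."""
    src = ipaddress.ip_address(source)
    for _desc, cidrs, lo, hi in rules:
        if lo <= port <= hi and any(src in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


def blocked_flows(rules, flows):
    """Required flows that a rule set denies outright."""
    return [(s, p) for s, p in flows if not is_allowed(rules, s, p)]


def newly_blocked(before, after, flows):
    """Flows allowed by `before` but denied by `after`: the regression set."""
    return [f for f in flows if is_allowed(before, *f) and not is_allowed(after, *f)]


if __name__ == "__main__":
    for src, port in newly_blocked(CURRENT_RULES, PROPOSED_RULES, REQUIRED_FLOWS):
        print(f"REGRESSION: {src}:{port} is allowed today but blocked by the proposal")
```

Adding the peered VPC explicitly (`10.50.0.0/16` next to `10.0.0.0/16`) empties the regression set while still dropping the /8.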


🟣 Expected Changes

~ ec2-security-group › sg-085ee012c9855643f
--- current
+++ proposed
@@ -92,4 +92,11 @@
       to_port: 443
     - cidr_blocks:
+        - 203.0.113.108/32
+      description: NewCo 8
+      from_port: 443
+      protocol: tcp
+      self: false
+      to_port: 443
+    - cidr_blocks:
         - 203.0.113.16/30
       description: Acme Corp
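Review bot: the new port-443 ingress entry for 203.0.113.108/32 (description `NewCo 8`) on sg-085ee012c9855643f is outside the scope stated in the Summary, which only describes narrowing an internal CIDR for JIRA-4521; either record this partner allow-list addition in the Context section or move it to its own PR so the audit trail for the narrowing stays clean.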
~ ec2-security-group › sg-08c3767d4eeede7b5
--- current
+++ proposed
@@ -15,5 +15,5 @@
   ingress:
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Health check endpoint
       from_port: 8080
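Review bot: the 8080 rule is described as `Health check endpoint`, but nothing in the PR says where that health checker runs, and the Risks section above only analyses 9090 and 443; confirm the 8080 probe source sits inside 10.0.0.0/16 before merging, otherwise this rule has the same cross-VPC gap as the other two.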
@@ -22,5 +22,5 @@
       to_port: 8080
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Internal HTTPS - monitoring, service mesh, internal tools
       from_port: 443
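Review bot: this rule's own description names `monitoring, service mesh, internal tools` as the intended sources, and the risk analysis above places the monitoring tooling in the peered 10.50.0.0/16 VPC, which `10.0.0.0/16` no longer covers; keeping the narrowing while preserving that path would mean listing the peered VPC explicitly, e.g. `- 10.0.0.0/16` followed by `- 10.50.0.0/16` under `cidr_blocks`, which is still far tighter than the /8 being removed.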
@@ -29,5 +29,5 @@
       to_port: 443
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Prometheus metrics scraping
       from_port: 9090
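Review bot: this is the rule the Medium risk above is about (target group api-health-terraform-example probing 10.0.101.248:9090 from 10.50.0.0/16), so the target will go unhealthy as soon as `10.0.0.0/16` replaces `10.0.0.0/8`; note also that the env0 plan for this PR failed on `aws_route.baseline_to_monitoring`, so these expected changes have not been confirmed by a successful plan, and the Testing section's statement that the plan was reviewed in CI should be revisited before the auto-approval below is relied on.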


💥 Blast Radius

Items 55

Edges 200


@github-actions github-actions bot left a comment


Overmind

✅ Auto-Approved


🟢 Decision

Auto-approved: All safety checks passed


📊 Signals Summary

Routine 🟢 +1


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 55 · Edges 200



@dylanratcliffe dylanratcliffe deleted the security/jira-4521-narrow-internal-cidr-20251226-170513 branch December 26, 2025 17:12