Setting var.redirect_http_to_https doesn't add

• the port 80 target group
• the port 80 listener on the nlb
• the port 80 ingress on the security group

It would be nice if this module had this since the cloudformation template has this.

https://github.com/banyansecurity/installer/blob/master/cloudformation/banyan-elastic-access-tier.json#L275

After PRs are merged, it would be nice to rerun terraform-docs latest 0.12 version to keep all inputs up to date.

Proposal

• var.security_group_tags
• var.autoscaling_group_tags
• var.lb_tags
• var.target_group_tags

Examples that use this system

• hashicorp supported module for vpcs has var.tags but also has var.vpc_tags, var.intra_subnet_tags, var.customer_gateway_tags, etc.
• hashicorp supported module for atlantis has var.tags but also has var.atlantis_security_group_tags, var.alb_http_security_group_tags, var.alb_https_security_group_tags, etc.

When refresh token is passed as a sensitive variable from terraform cloud, terraform is throwing the following error - refer to the screenshot below.

output "conf" { value = aws_launch_configuration.conf description = "The aws_launch_configuration.confresource" }

above block is causing the error. I checked the source.

`resource aws_launch_configuration "conf" {
name_prefix = "${var.name_prefix}-accesstier-conf-"
image_id = var.ami_id != "" ? var.ami_id : data.aws_ami.default_ami.id
instance_type = var.instance_type
key_name = var.ssh_key_name

.....
.....
.....

user_data = join("", concat([

"./install ${var.refresh_token} ${var.cluster_name} \n",
`

So when this aws_launch_configuration is trying to output the values, it seems to throw the error.

banyan instances were flagged for IMDSv2 check. Need adding configuration in the launch configuration to enabled IMDSv2
metadata_options {
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
}

Feature Request: Limit Access Tier Outbound Traffic

Currently, the AWS Security Group autogenerated by the Terraform module allows unrestricted egress traffic.

Unrestricted egress traffic represents a security risk to any organization, as it enables sending unwanted traffic out to the Internet. If a compromise of the Access Tier host occurs, attackers could exploit this misconfiguration in order to communicate with malicious external servers and exfiltrate information, among others. On top of that, unrestricted egress traffic goes against security best practices and compliance standards such as PCI DSS, HIPAA or NIST SP 800-53.

According to the Banyan Access Tier network configuration guide, required outbound traffic is limited to:

• TCP connectivity to its Shield (Cluster Coordinator) to register with the Command Center, receive policies, and send event data.
• TCP 443 connectivity to the Command Center ({ccname}.console.banyanops.com) to obtain a one-time-key required for installation when using automated bootstrapping.
• TCP 443 connectivity to the Command Center TrustProvider component ({orgname}.trust.banyanops.com) in order to authenticate OIDC JWT tokens used for web access.
• Connectivity to all the internal applications and services secured behind Banyan.

Considering the aforementioned, I'd like to request any module changes required to enable outbound traffic filtering.

Incorporate production tuning guidance from https://docs.banyanops.com/docs/banyan-components/netagent/tuning/.