security: narrow internal ingress CIDR (JIRA-4521) #522

Open

dylanratcliffe wants to merge 1 commit into main from security/jira-4521-narrow-internal-cidr-20260611-140051
Conversation

@dylanratcliffe

Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions


Warning

[Medium Risk] Narrowing internal-services ingress to 10.0.0.0/16 will block cross-network health checks, HTTPS, and metrics traffic

The internal-services security group 540044833068.eu-west-2.ec2-security-group.sg-089e5107637083db5 is narrowing ingress on 8080, 443, and 9090 from 10.0.0.0/8 to 10.0.0.0/16. The current VPC itself is 10.0.0.0/16, so this change stops all traffic from other private 10.x.x.x networks outside this VPC, including peered VPCs, hybrid links, and other environments that previously matched the broader rule.

Because this group is explicitly used for internal service mesh, monitoring, and health checks, the new CIDR will block legitimate health probes, internal HTTPS calls, and Prometheus scrapes from any non-local 10/8 source. That will cause service reachability regressions and observability gaps immediately after rollout.
Signals

Routine → Multiple network and compute resources are showing unusual routine changes at only 1-2 events/week for the last 4-5 months, while one resource recorded 2 events/day for the last day.

Additional change details: 14 items, 41 edges (model: risks_v6). Tags: Encryption Key State Risk, KMS Key Creation.
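The bot's objection above comes down to subnet containment: the VPC is 10.0.0.0/16, so once the rule is narrowed from 10.0.0.0/8 to 10.0.0.0/16 any 10.x source outside the VPC stops matching. The following pre-merge check makes that concrete. It is an added example, not code from this PR, from Overmind or from the github-actions bot; the source-range inventory is constructed for illustration and stands in for whatever peered VPC, hybrid-link and tooling ranges a real environment would list.

```python
"""Pre-merge check: which known internal source networks stop matching a
security-group ingress rule when its CIDR is narrowed.

Added example, not part of the PR. KNOWN_SOURCES is a constructed inventory;
the names and ranges are placeholders, not the real peered or on-prem CIDRs.
"""
from ipaddress import ip_network

# The change described in the PR and the bot comment.
OLD_CIDR = "10.0.0.0/8"
NEW_CIDR = "10.0.0.0/16"
PORTS = (8080, 443, 9090)

# Constructed inventory of internal source ranges (assumption: these stand in
# for the local VPC, a peered VPC, a hybrid link and a non-10/8 tooling range).
KNOWN_SOURCES = {
    "local-vpc": "10.0.0.0/16",
    "peered-vpc-a": "10.1.0.0/16",
    "onprem-link": "10.200.0.0/20",
    "shared-tools": "172.16.0.0/12",
}


def is_narrowing(old_cidr, new_cidr):
    """True when the new CIDR sits entirely inside the old one, i.e. the edit
    only removes sources and never admits new ones."""
    return ip_network(new_cidr).subnet_of(ip_network(old_cidr))


def lost_sources(old_cidr, new_cidr, sources):
    """Return {name: cidr} for every source that matched the old rule (even
    partially) but is no longer fully contained in the new rule."""
    old = ip_network(old_cidr)
    new = ip_network(new_cidr)
    lost = {}
    for name, cidr in sources.items():
        net = ip_network(cidr)
        matched_before = net.overlaps(old)
        fully_allowed_after = net.subnet_of(new)
        if matched_before and not fully_allowed_after:
            lost[name] = cidr
    return lost


def report(old_cidr, new_cidr, sources, ports=PORTS):
    """Human-readable summary lines for the PR review."""
    lines = []
    if not is_narrowing(old_cidr, new_cidr):
        lines.append(f"WARNING: {new_cidr} is not a subset of {old_cidr}; "
                     "this is a shift, not a narrowing")
    lost = lost_sources(old_cidr, new_cidr, sources)
    if not lost:
        lines.append("No known internal source loses access.")
    for name, cidr in sorted(lost.items()):
        port_list = ", ".join(str(p) for p in ports)
        lines.append(f"{name} ({cidr}) loses ingress on ports {port_list}")
    return lines


if __name__ == "__main__":
    for line in report(OLD_CIDR, NEW_CIDR, KNOWN_SOURCES):
        print(line)
```

Run against the constructed inventory, the check flags the peered VPC and the hybrid link while leaving the local VPC and the 172.16/12 range alone (the latter never matched the old rule, so nothing changes for it). Feeding it the real list of peered and hybrid CIDRs before merge is the cheapest way to turn the bot's "may lose access" into a named list of affected networks.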
