Merge pull request #1613 from cloud-gov/cidr_blocks

Switch to list of ip cidrs to block
cloud-gov · Mar 15, 2024 · 9b2956a · 9b2956a
2 parents 1209de8 + ccacc7b
commit 9b2956a
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 29 deletions.
diff --git a/ci/pipeline.yml b/ci/pipeline.yml
@@ -523,7 +523,7 @@ jobs:
       TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn))
       TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn))
       TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
-      TF_VAR_block_range_20: ((block_range_20))
+      TF_VAR_cidr_blocks: ((cidr_blocks))
   - *notify-slack
 
 - name: bootstrap-development
@@ -684,7 +684,7 @@ jobs:
       TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn))
       TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn))
       TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
-      TF_VAR_block_range_20: ((block_range_20))
+      TF_VAR_cidr_blocks: ((cidr_blocks))
   - *notify-slack
 
 - name: bootstrap-staging
@@ -843,7 +843,7 @@ jobs:
       TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn))
       TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn))
       TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
-      TF_VAR_block_range_20: ((block_range_20))
+      TF_VAR_cidr_blocks: ((cidr_blocks))
 
   - *notify-slack
 

diff --git a/terraform/modules/bosh_vpc/variables.tf b/terraform/modules/bosh_vpc/variables.tf
@@ -66,7 +66,8 @@ variable "s3_gateway_policy_accounts" {
   default = []
 }
 
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
-  default = "192.168.0.0/32"
-}
+variable "cidr_blocks" {
+  type    = list(string)
+  default = []
+}
+
diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf
@@ -78,25 +78,27 @@ data "aws_network_acls" "default" {
   vpc_id = aws_vpc.main_vpc.id
 }
 
-resource "aws_network_acl_rule" "deny_rule_ingress_rule_20" {
-  count          = length(data.aws_network_acls.default.ids)
-  rule_number    = 20
-  network_acl_id = data.aws_network_acls.default.ids[count.index]
+resource "aws_network_acl_rule" "deny_rule_ingress_rules" {
+  count = length(var.cidr_blocks)
+
+  rule_number    = 20 + count.index
+  network_acl_id = data.aws_network_acls.default.ids[0]
   rule_action    = "deny"
   protocol       = "-1"
-  cidr_block     = var.block_range_20
+  cidr_block     = var.cidr_blocks[count.index]
   from_port      = 0
   to_port        = 0
   egress         = false
 }
 
-resource "aws_network_acl_rule" "deny_rule_egress_rule_20" {
-  count          = length(data.aws_network_acls.default.ids)
-  rule_number    = 20
-  network_acl_id = data.aws_network_acls.default.ids[count.index]
+resource "aws_network_acl_rule" "deny_rule_egress_rules" {
+  count = length(var.cidr_blocks)
+
+  rule_number    = 20 + count.index
+  network_acl_id = data.aws_network_acls.default.ids[0]
   rule_action    = "deny"
   protocol       = "-1"
-  cidr_block     = var.block_range_20
+  cidr_block     = var.cidr_blocks[count.index]
   from_port      = 0
   to_port        = 0
   egress         = true

diff --git a/terraform/modules/stack/base/base.tf b/terraform/modules/stack/base/base.tf
@@ -17,7 +17,7 @@ module "vpc" {
   concourse_security_group_cidrs    = var.target_concourse_security_group_cidrs
   bosh_default_ssh_public_key       = var.bosh_default_ssh_public_key
   s3_gateway_policy_accounts        = var.s3_gateway_policy_accounts
-  block_range_20                    = var.block_range_20
+  cidr_blocks                       = var.cidr_blocks
 }
 
 module "rds_network" {

diff --git a/terraform/modules/stack/base/variables.tf b/terraform/modules/stack/base/variables.tf
@@ -186,7 +186,7 @@ variable "s3_gateway_policy_accounts" {
 }
 
 
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
-  default = "192.168.0.0/32"
+variable "cidr_blocks" {
+  type    = list(string)
+  default = []
 }
diff --git a/terraform/modules/stack/spoke/spoke.tf b/terraform/modules/stack/spoke/spoke.tf
@@ -29,7 +29,7 @@ module "base" {
   restricted_ingress_web_ipv6_cidrs = var.restricted_ingress_web_ipv6_cidrs
   bosh_default_ssh_public_key       = var.bosh_default_ssh_public_key
   s3_gateway_policy_accounts        = var.s3_gateway_policy_accounts
-  block_range_20                    = var.block_range_20
+  cidr_blocks                       = var.cidr_blocks
 
   rds_security_groups = [
     module.base.bosh_security_group,

diff --git a/terraform/modules/stack/spoke/variables.tf b/terraform/modules/stack/spoke/variables.tf
@@ -169,7 +169,7 @@ variable "s3_gateway_policy_accounts" {
 }
 
 
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
-  default = "192.168.0.0/32"
+variable "cidr_blocks" {
+  type    = list(string)
+  default = []
 }
diff --git a/terraform/stacks/main/stack.tf b/terraform/stacks/main/stack.tf
@@ -213,7 +213,7 @@ module "stack" {
   target_account_id                 = data.aws_caller_identity.tooling.account_id
   bosh_default_ssh_public_key       = var.bosh_default_ssh_public_key
   s3_gateway_policy_accounts        = var.s3_gateway_policy_accounts
-  block_range_20                    = var.block_range_20
+  cidr_blocks                       = var.cidr_blocks
 
   target_vpc_id          = data.terraform_remote_state.target_vpc.outputs.vpc_id
   target_vpc_cidr        = data.terraform_remote_state.target_vpc.outputs.production_concourse_subnet_cidr

diff --git a/terraform/stacks/main/variables.tf b/terraform/stacks/main/variables.tf
@@ -204,7 +204,7 @@ variable "cg_egress_ip_set_arn" {
   description = "ARN of IP set identifying egress IP CIDR ranges for cloud.gov"
 }
 
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
-  default = "192.168.0.0/32"
+variable "cidr_blocks" {
+  type    = list(string)
+  default = []
 }