diff --git a/ci/pipeline.yml b/ci/pipeline.yml
index 5d4105daa..db83716ad 100644
--- a/ci/pipeline.yml
+++ b/ci/pipeline.yml
@@ -523,7 +523,7 @@ jobs:
 TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn))
 TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn))
 TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
- TF_VAR_block_range_20: ((block_range_20))
+ TF_VAR_cidr_blocks: ((cidr_blocks))
 - *notify-slack
 - name: bootstrap-development
@@ -684,7 +684,7 @@ jobs:
 TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn))
 TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn))
 TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
- TF_VAR_block_range_20: ((block_range_20))
+ TF_VAR_cidr_blocks: ((cidr_blocks))
 - *notify-slack
 - name: bootstrap-staging
@@ -843,7 +843,7 @@ jobs:
 TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn))
 TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn))
 TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn))
- TF_VAR_block_range_20: ((block_range_20))
+ TF_VAR_cidr_blocks: ((cidr_blocks))
 - *notify-slack
diff --git a/terraform/modules/bosh_vpc/variables.tf b/terraform/modules/bosh_vpc/variables.tf
index 50f31485f..b10a373d6 100644
--- a/terraform/modules/bosh_vpc/variables.tf
+++ b/terraform/modules/bosh_vpc/variables.tf
@@ -66,7 +66,8 @@ variable "s3_gateway_policy_accounts" {
 default = []
 }
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
- default = "192.168.0.0/32"
-}
\ No newline at end of file
+variable "cidr_blocks" {
+ type = list(string)
+ default = []
+}
+
diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf
index 5f0b761ff..8fd418c60 100644
--- a/terraform/modules/bosh_vpc/vpc.tf
+++ b/terraform/modules/bosh_vpc/vpc.tf
@@ -78,25 +78,27 @@ data "aws_network_acls" "default" {
 vpc_id = aws_vpc.main_vpc.id
 }
-resource "aws_network_acl_rule" "deny_rule_ingress_rule_20" {
- count = length(data.aws_network_acls.default.ids)
- rule_number = 20
- network_acl_id = data.aws_network_acls.default.ids[count.index]
+resource "aws_network_acl_rule" "deny_rule_ingress_rules" {
+ count = length(var.cidr_blocks)
+
+ rule_number = 20 + count.index
+ network_acl_id = data.aws_network_acls.default.ids[0]
 rule_action = "deny"
 protocol = "-1"
- cidr_block = var.block_range_20
+ cidr_block = var.cidr_blocks[count.index]
 from_port = 0
 to_port = 0
 egress = false
 }
-resource "aws_network_acl_rule" "deny_rule_egress_rule_20" {
- count = length(data.aws_network_acls.default.ids)
- rule_number = 20
- network_acl_id = data.aws_network_acls.default.ids[count.index]
+resource "aws_network_acl_rule" "deny_rule_egress_rules" {
+ count = length(var.cidr_blocks)
+
+ rule_number = 20 + count.index
+ network_acl_id = data.aws_network_acls.default.ids[0]
 rule_action = "deny"
 protocol = "-1"
- cidr_block = var.block_range_20
+ cidr_block = var.cidr_blocks[count.index]
 from_port = 0
 to_port = 0
 egress = true
diff --git a/terraform/modules/stack/base/base.tf b/terraform/modules/stack/base/base.tf
index b25c3bce1..6186defd2 100644
--- a/terraform/modules/stack/base/base.tf
+++ b/terraform/modules/stack/base/base.tf
@@ -17,7 +17,7 @@ module "vpc" {
 concourse_security_group_cidrs = var.target_concourse_security_group_cidrs
 bosh_default_ssh_public_key = var.bosh_default_ssh_public_key
 s3_gateway_policy_accounts = var.s3_gateway_policy_accounts
- block_range_20 = var.block_range_20
+ cidr_blocks = var.cidr_blocks
 }
 module "rds_network" {
diff --git a/terraform/modules/stack/base/variables.tf b/terraform/modules/stack/base/variables.tf
index fc1e965ba..0987e1f4f 100644
--- a/terraform/modules/stack/base/variables.tf
+++ b/terraform/modules/stack/base/variables.tf
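Review bot: `network_acl_id = data.aws_network_acls.default.ids[0]` in both resources narrows the deny rules from every ACL the data source returns (the removed `count = length(data.aws_network_acls.default.ids)`) to the first one only, and plan fails with an index error if it returns none; if the data source is expected to match exactly one default ACL per VPC, a comment should say so, e.g. `# the VPC has exactly one default network ACL, so ids has one element`, and `one(data.aws_network_acls.default.ids)` (where the Terraform version in use has it) would make a surprising second match fail loudly instead of silently leaving it without these denies. `rule_number = 20 + count.index` ties each rule number to its position in `cidr_blocks`, so removing or reordering an entry replaces every later rule (likely with a window during apply in which that CIDR is not denied), and a list longer than the gap to the next rule number in the ACL collides with it. A comment such as `# rule numbers 20..20+n are reserved for these denies; append new CIDRs rather than reordering` would document that constraint. Both resource blocks' closing braces are outside the hunk.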
@@ -186,7 +186,7 @@ variable "s3_gateway_policy_accounts" {
 }
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
- default = "192.168.0.0/32"
+variable "cidr_blocks" {
+ type = list(string)
+ default = []
 }
\ No newline at end of file
diff --git a/terraform/modules/stack/spoke/spoke.tf b/terraform/modules/stack/spoke/spoke.tf
index 5edcc42d6..24a5375ac 100644
--- a/terraform/modules/stack/spoke/spoke.tf
+++ b/terraform/modules/stack/spoke/spoke.tf
@@ -29,7 +29,7 @@ module "base" {
 restricted_ingress_web_ipv6_cidrs = var.restricted_ingress_web_ipv6_cidrs
 bosh_default_ssh_public_key = var.bosh_default_ssh_public_key
 s3_gateway_policy_accounts = var.s3_gateway_policy_accounts
- block_range_20 = var.block_range_20
+ cidr_blocks = var.cidr_blocks
 rds_security_groups = [
 module.base.bosh_security_group,
diff --git a/terraform/modules/stack/spoke/variables.tf b/terraform/modules/stack/spoke/variables.tf
index 88dcc9a52..fdaab6a89 100644
--- a/terraform/modules/stack/spoke/variables.tf
+++ b/terraform/modules/stack/spoke/variables.tf
@@ -169,7 +169,7 @@ variable "s3_gateway_policy_accounts" {
 }
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
- default = "192.168.0.0/32"
+variable "cidr_blocks" {
+ type = list(string)
+ default = []
 }
\ No newline at end of file
diff --git a/terraform/stacks/main/stack.tf b/terraform/stacks/main/stack.tf
index a783c5caa..85bcf76aa 100644
--- a/terraform/stacks/main/stack.tf
+++ b/terraform/stacks/main/stack.tf
@@ -213,7 +213,7 @@ module "stack" {
 target_account_id = data.aws_caller_identity.tooling.account_id
 bosh_default_ssh_public_key = var.bosh_default_ssh_public_key
 s3_gateway_policy_accounts = var.s3_gateway_policy_accounts
- block_range_20 = var.block_range_20
+ cidr_blocks = var.cidr_blocks
 target_vpc_id = data.terraform_remote_state.target_vpc.outputs.vpc_id
 target_vpc_cidr = data.terraform_remote_state.target_vpc.outputs.production_concourse_subnet_cidr
diff --git a/terraform/stacks/main/variables.tf b/terraform/stacks/main/variables.tf
index b4b5cbe54..199e9e2db 100644
--- a/terraform/stacks/main/variables.tf
+++ b/terraform/stacks/main/variables.tf
@@ -204,7 +204,7 @@ variable "cg_egress_ip_set_arn" {
 description = "ARN of IP set identifying egress IP CIDR ranges for cloud.gov"
 }
-#Placeholder for real value, passed as a secret
-variable "block_range_20" {
- default = "192.168.0.0/32"
+variable "cidr_blocks" {
+ type = list(string)
+ default = []
 }
\ No newline at end of file
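Review bot: The new root-module `cidr_blocks` variable drops the old `#Placeholder for real value, passed as a secret` comment and carries no `description`, unlike the neighbouring `cg_egress_ip_set_arn`, so nothing says what the list is for or what the CI value `((cidr_blocks))` must look like; because it is a `list(string)` read from `TF_VAR_cidr_blocks`, the environment value has to be an HCL list literal such as `["203.0.113.0/24"]`, and a plain comma-separated string fails to parse. `default = []` also means a missing or empty value yields zero deny rules rather than an error, so if these denies are required the default should probably be dropped so plan fails on a missing value. A malformed entry would otherwise only surface when the ACL rule is created; if the Terraform version in use accepts `validation` blocks and `alltrue` (0.14+), a check at the root catches it at plan time, as below.
```hcl
variable "cidr_blocks" {
  description = "CIDR ranges denied in both directions on the default network ACL; supplied by CI as TF_VAR_cidr_blocks, which must be an HCL list literal such as [\"203.0.113.0/24\"]"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for c in var.cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry of cidr_blocks must be a valid IPv4 or IPv6 CIDR range."
  }
}
```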