From 98e836e9ad8c818df717673e1acaa82ae241cf64 Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Thu, 14 Mar 2024 16:10:03 -0400 Subject: [PATCH 1/9] Switch to list of ip ranges to block --- ci/pipeline.yml | 4 ++-- terraform/modules/bosh_vpc/variables.tf | 8 +++++--- terraform/modules/bosh_vpc/vpc.tf | 22 ++++++++++++---------- terraform/modules/stack/base/base.tf | 2 +- terraform/modules/stack/base/variables.tf | 5 +++-- terraform/modules/stack/spoke/spoke.tf | 2 +- terraform/modules/stack/spoke/variables.tf | 5 +++-- terraform/stacks/main/stack.tf | 2 +- terraform/stacks/main/variables.tf | 6 ++++-- 9 files changed, 32 insertions(+), 24 deletions(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 5d4105daa..8b208396c 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -523,7 +523,7 @@ jobs: TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn)) TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn)) TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn)) - TF_VAR_block_range_20: ((block_range_20)) + TF_VAR_cidr_blocks: ((cidr_blocks)) - *notify-slack - name: bootstrap-development @@ -1407,7 +1407,7 @@ resources: - name: cg-provision-repo-development type: git source: - uri: ((cg_provision_git_url)) + uri: cidr_blocks #((cg_provision_git_url)) branch: ((cg_provision_git_branch_development)) commit_verification_keys: ((cloud-gov-pgp-keys)) diff --git a/terraform/modules/bosh_vpc/variables.tf b/terraform/modules/bosh_vpc/variables.tf index 50f31485f..920978733 100644 --- a/terraform/modules/bosh_vpc/variables.tf +++ b/terraform/modules/bosh_vpc/variables.tf @@ -67,6 +67,8 @@ variable "s3_gateway_policy_accounts" { } #Placeholder for real value, passed as a secret -variable "block_range_20" { - default = "192.168.0.0/32" -} \ No newline at end of file +variable "cidr_blocks" { + type = list(string) + default = ["192.168.0.0/32", "192.168.0.1/32"] +} + 
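Review bot: `TF_VAR_cidr_blocks: ((cidr_blocks))` in the job at pipeline.yml:523 now feeds a `list(string)` variable, so the `((cidr_blocks))` secret has to hold an HCL list literal such as `["203.0.113.0/24", "198.51.100.7/32"]` (constructed example); a bare CIDR string of the kind `block_range_20` accepted is parsed as an HCL expression and rejected before the plan starts. The same applies to the staging and production jobs changed in patch 9/9 (the `@@ -684` and `@@ -843` hunks). Recording the expected format where the secret is defined, or in the variable's `description`, would spare the first run a confusing failure.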
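Review bot: `uri: cidr_blocks #((cg_provision_git_url))` in the `cg-provision-repo-development` resource replaces the git URL with a literal that is not a URI, which reads as a branch pin for testing placed on the wrong key; patch 2/9 moves it to `branch:` and patch 6/9 reverts it. Because the intermediate commits leave the development pipeline's source resource unusable, these three edits should be squashed out of the series before merge so the history never contains the broken resource definition.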
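Review bot: `variable "cidr_blocks"` in terraform/modules/bosh_vpc/variables.tf has neither a `description` nor a `validation`, although it now drives deny rules on the VPC's network ACL; the same declaration is repeated in this patch in `terraform/modules/stack/base/variables.tf`, `terraform/modules/stack/spoke/variables.tf` and `terraform/stacks/main/variables.tf`. A one-line `description = "CIDR ranges denied on the VPC network ACL, ingress and egress; supplied as a secret"` records the intent, and a validation with `condition = alltrue([for c in var.cidr_blocks : can(cidrhost(c, 0))])` rejects a malformed entry at plan time instead of partway through apply. `alltrue` requires Terraform 0.14 or later, which I cannot confirm from this hunk.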
diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf index 5f0b761ff..2427994cd 100644 --- a/terraform/modules/bosh_vpc/vpc.tf +++ b/terraform/modules/bosh_vpc/vpc.tf @@ -78,25 +78,27 @@ data "aws_network_acls" "default" { vpc_id = aws_vpc.main_vpc.id } -resource "aws_network_acl_rule" "deny_rule_ingress_rule_20" { - count = length(data.aws_network_acls.default.ids) - rule_number = 20 - network_acl_id = data.aws_network_acls.default.ids[count.index] +resource "aws_network_acl_rule" "deny_rule_ingress_rules" { + count = length(data.aws_network_acls.default.ids) * length(var.cidr_blocks) + + rule_number = 201 + count.index + network_acl_id = data.aws_network_acls.default.ids[count.index / length(var.cidr_blocks)] rule_action = "deny" protocol = "-1" - cidr_block = var.block_range_20 + cidr_block = var.cidr_blocks[count.index % length(var.cidr_blocks)] from_port = 0 to_port = 0 egress = false } -resource "aws_network_acl_rule" "deny_rule_egress_rule_20" { - count = length(data.aws_network_acls.default.ids) - rule_number = 20 - network_acl_id = data.aws_network_acls.default.ids[count.index] +resource "aws_network_acl_rule" "deny_rule_egress_rules" { + count = length(data.aws_network_acls.default.ids) * length(var.cidr_blocks) + + rule_number = 201 + count.index + network_acl_id = data.aws_network_acls.default.ids[count.index / length(var.cidr_blocks)] rule_action = "deny" protocol = "-1" - cidr_block = var.block_range_20 + cidr_block = var.cidr_blocks[count.index % length(var.cidr_blocks)] from_port = 0 to_port = 0 egress = true diff --git a/terraform/modules/stack/base/base.tf b/terraform/modules/stack/base/base.tf index b25c3bce1..6186defd2 100644 --- a/terraform/modules/stack/base/base.tf +++ b/terraform/modules/stack/base/base.tf 
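Review bot: `data.aws_network_acls.default.ids[count.index / length(var.cidr_blocks)]` uses Terraform's `/`, which is real division, so any `count.index` that is not a multiple of `length(var.cidr_blocks)` yields a fractional index and the list lookup fails at plan time as soon as more than one CIDR is configured; the intended row index is `floor(count.index / length(var.cidr_blocks))`. The line appears in both the ingress and the egress resource in this hunk. Patch 3/9 later replaces the expression with `ids[0]`, which avoids the error but narrows the rules to a single ACL (raised separately there).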
@@ -17,7 +17,7 @@ module "vpc" { concourse_security_group_cidrs = var.target_concourse_security_group_cidrs bosh_default_ssh_public_key = var.bosh_default_ssh_public_key s3_gateway_policy_accounts = var.s3_gateway_policy_accounts - block_range_20 = var.block_range_20 + cidr_blocks = var.cidr_blocks } module "rds_network" { diff --git a/terraform/modules/stack/base/variables.tf b/terraform/modules/stack/base/variables.tf index fc1e965ba..c30867313 100644 --- a/terraform/modules/stack/base/variables.tf +++ b/terraform/modules/stack/base/variables.tf @@ -187,6 +187,7 @@ variable "s3_gateway_policy_accounts" { #Placeholder for real value, passed as a secret -variable "block_range_20" { - default = "192.168.0.0/32" +variable "cidr_blocks" { + type = list(string) + default = ["192.168.0.0/32", "192.168.0.1/32"] } \ No newline at end of file diff --git a/terraform/modules/stack/spoke/spoke.tf b/terraform/modules/stack/spoke/spoke.tf index 5edcc42d6..24a5375ac 100644 --- a/terraform/modules/stack/spoke/spoke.tf +++ b/terraform/modules/stack/spoke/spoke.tf @@ -29,7 +29,7 @@ module "base" { restricted_ingress_web_ipv6_cidrs = var.restricted_ingress_web_ipv6_cidrs bosh_default_ssh_public_key = var.bosh_default_ssh_public_key s3_gateway_policy_accounts = var.s3_gateway_policy_accounts - block_range_20 = var.block_range_20 + cidr_blocks = var.cidr_blocks rds_security_groups = [ module.base.bosh_security_group, diff --git a/terraform/modules/stack/spoke/variables.tf b/terraform/modules/stack/spoke/variables.tf index 88dcc9a52..26b782e47 100644 --- a/terraform/modules/stack/spoke/variables.tf +++ b/terraform/modules/stack/spoke/variables.tf @@ -170,6 +170,7 @@ variable "s3_gateway_policy_accounts" { #Placeholder for real value, passed as a secret -variable "block_range_20" { - default = "192.168.0.0/32" +variable "cidr_blocks" { + type = list(string) + default = ["192.168.0.0/32", "192.168.0.1/32"] } \ No newline at end of file 
diff --git a/terraform/stacks/main/stack.tf b/terraform/stacks/main/stack.tf index a783c5caa..85bcf76aa 100644 --- a/terraform/stacks/main/stack.tf +++ b/terraform/stacks/main/stack.tf @@ -213,7 +213,7 @@ module "stack" { target_account_id = data.aws_caller_identity.tooling.account_id bosh_default_ssh_public_key = var.bosh_default_ssh_public_key s3_gateway_policy_accounts = var.s3_gateway_policy_accounts - block_range_20 = var.block_range_20 + cidr_blocks = var.cidr_blocks target_vpc_id = data.terraform_remote_state.target_vpc.outputs.vpc_id target_vpc_cidr = data.terraform_remote_state.target_vpc.outputs.production_concourse_subnet_cidr diff --git a/terraform/stacks/main/variables.tf b/terraform/stacks/main/variables.tf index b4b5cbe54..971905655 100644 --- a/terraform/stacks/main/variables.tf +++ b/terraform/stacks/main/variables.tf @@ -204,7 +204,9 @@ variable "cg_egress_ip_set_arn" { description = "ARN of IP set identifying egress IP CIDR ranges for cloud.gov" } + #Placeholder for real value, passed as a secret -variable "block_range_20" { - default = "192.168.0.0/32" +variable "cidr_blocks" { + type = list(string) + default = ["192.168.0.0/32", "192.168.0.1/32"] } \ No newline at end of file From beaa794e4b147ee2625ad4254e8985a32a5b1e6d Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Thu, 14 Mar 2024 16:18:46 -0400 Subject: [PATCH 2/9] Switch to list of ip ranges to block --- ci/pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 8b208396c..0b10ae616 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -1407,8 +1407,8 @@ resources: - name: cg-provision-repo-development type: git source: - uri: cidr_blocks #((cg_provision_git_url)) - branch: ((cg_provision_git_branch_development)) + uri: ((cg_provision_git_url)) + branch: cidr_blocks #((cg_provision_git_branch_development)) commit_verification_keys: ((cloud-gov-pgp-keys)) - name: pull-request 
From bcaf5aa547165109b2b56ddb0357747f7bf6306a Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Thu, 14 Mar 2024 16:28:17 -0400 Subject: [PATCH 3/9] Switch to list of ip ranges to block --- terraform/modules/bosh_vpc/vpc.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf index 2427994cd..c0aeb70ea 100644 --- a/terraform/modules/bosh_vpc/vpc.tf +++ b/terraform/modules/bosh_vpc/vpc.tf @@ -79,26 +79,26 @@ data "aws_network_acls" "default" { } resource "aws_network_acl_rule" "deny_rule_ingress_rules" { - count = length(data.aws_network_acls.default.ids) * length(var.cidr_blocks) + count = length(var.cidr_blocks) rule_number = 201 + count.index - network_acl_id = data.aws_network_acls.default.ids[count.index / length(var.cidr_blocks)] + network_acl_id = data.aws_network_acls.default.ids[0] rule_action = "deny" protocol = "-1" - cidr_block = var.cidr_blocks[count.index % length(var.cidr_blocks)] + cidr_block = var.cidr_blocks[count.index] from_port = 0 to_port = 0 egress = false } resource "aws_network_acl_rule" "deny_rule_egress_rules" { - count = length(data.aws_network_acls.default.ids) * length(var.cidr_blocks) + count = length(var.cidr_blocks) rule_number = 201 + count.index - network_acl_id = data.aws_network_acls.default.ids[count.index / length(var.cidr_blocks)] + network_acl_id = data.aws_network_acls.default.ids[0] rule_action = "deny" protocol = "-1" - cidr_block = var.cidr_blocks[count.index % length(var.cidr_blocks)] + cidr_block = var.cidr_blocks[count.index] from_port = 0 to_port = 0 egress = true From 79bb3b69a2810a102a178110227b93cd46eadf13 Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Thu, 14 Mar 2024 16:50:00 -0400 Subject: [PATCH 4/9] Switch to list of ip ranges to block --- terraform/modules/bosh_vpc/vpc.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
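Review bot: `network_acl_id = data.aws_network_acls.default.ids[0]` attaches the deny rules to one ACL only, whereas the code before this series (`count = length(data.aws_network_acls.default.ids)`) applied the block to every ACL the data source returns for the VPC; if the VPC has or later gains a second ACL, that ACL no longer denies these ranges, and which ACL `ids[0]` is depends on the order the API returns. Both the ingress and the egress resource in this hunk have this shape. Keying the rules on the (ACL, CIDR) pair with `for_each` restores full coverage and also stops rule churn when the list order changes; I cannot tell from this hunk whether the data source resolves at plan time, which `for_each` requires, so this needs checking against an existing workspace.
```hcl
locals {
  # one rule per (ACL, CIDR) pair; the key survives reordering of either list
  acl_deny_pairs = {
    for p in setproduct(data.aws_network_acls.default.ids, var.cidr_blocks) :
    "${p[0]}-${p[1]}" => { acl_id = p[0], cidr = p[1], idx = index(var.cidr_blocks, p[1]) }
  }
}

resource "aws_network_acl_rule" "deny_rule_ingress_rules" {
  for_each = local.acl_deny_pairs

  rule_number    = 201 + each.value.idx
  network_acl_id = each.value.acl_id
  cidr_block     = each.value.cidr
  # … unchanged: rule_action, protocol, from_port, to_port, egress = false …
}

# … unchanged: deny_rule_egress_rules takes the same for_each, rule_number, network_acl_id and cidr_block lines …
```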
diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf index c0aeb70ea..68207226d 100644 --- a/terraform/modules/bosh_vpc/vpc.tf +++ b/terraform/modules/bosh_vpc/vpc.tf @@ -81,7 +81,7 @@ data "aws_network_acls" "default" { resource "aws_network_acl_rule" "deny_rule_ingress_rules" { count = length(var.cidr_blocks) - rule_number = 201 + count.index + rule_number = 10 + count.index network_acl_id = data.aws_network_acls.default.ids[0] rule_action = "deny" protocol = "-1" @@ -94,7 +94,7 @@ resource "aws_network_acl_rule" "deny_rule_ingress_rules" { resource "aws_network_acl_rule" "deny_rule_egress_rules" { count = length(var.cidr_blocks) - rule_number = 201 + count.index + rule_number = 10 + count.index network_acl_id = data.aws_network_acls.default.ids[0] rule_action = "deny" protocol = "-1" From bfe3c90361050c1173bd509b283f5c31c720651a Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Thu, 14 Mar 2024 16:50:39 -0400 Subject: [PATCH 5/9] Switch to list of ip ranges to block --- terraform/modules/bosh_vpc/vpc.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf index 68207226d..5c0ed8929 100644 --- a/terraform/modules/bosh_vpc/vpc.tf +++ b/terraform/modules/bosh_vpc/vpc.tf @@ -81,7 +81,7 @@ data "aws_network_acls" "default" { resource "aws_network_acl_rule" "deny_rule_ingress_rules" { count = length(var.cidr_blocks) - rule_number = 10 + count.index + rule_number = 20 + count.index network_acl_id = data.aws_network_acls.default.ids[0] rule_action = "deny" protocol = "-1" @@ -94,7 +94,7 @@ resource "aws_network_acl_rule" "deny_rule_ingress_rules" { resource "aws_network_acl_rule" "deny_rule_egress_rules" { count = length(var.cidr_blocks) - rule_number = 10 + count.index + rule_number = 20 + count.index network_acl_id = data.aws_network_acls.default.ids[0] rule_action = "deny" protocol = "-1" 
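Review bot: `rule_number = 20 + count.index` in patch 5/9 gives each denied range a slot from 20 upward in both the ingress and the egress resource, but nothing bounds `length(var.cidr_blocks)`: the numbers only stay ahead of a default ACL's rule 100 allow for up to 80 entries, and the AWS network ACL rule quota (20 per direction by default, as far as I know) is reached well before that, at which point apply fails after some rules already exist. A `validation` on `var.cidr_blocks` such as `condition = length(var.cidr_blocks) <= MAX_DENY_RULES` (placeholder; set from the account's ACL quota) with a message naming the quota, or at least a comment on the `rule_number` line recording the range these rules own, would make the limit explicit. The `@@ -94` hunk of the same patch has the identical line.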
From ab9228644bcb8d473eac3df9544ada82914dc8e7 Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Fri, 15 Mar 2024 09:58:12 -0400 Subject: [PATCH 6/9] Switch to list of ip ranges to block --- ci/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 0b10ae616..68ea031f6 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -1408,7 +1408,7 @@ resources: type: git source: uri: ((cg_provision_git_url)) - branch: cidr_blocks #((cg_provision_git_branch_development)) + branch: ((cg_provision_git_branch_development)) commit_verification_keys: ((cloud-gov-pgp-keys)) - name: pull-request From 17ac4085863dd1f31ca4250f5b545740ffb6ff00 Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Fri, 15 Mar 2024 10:07:38 -0400 Subject: [PATCH 7/9] Remove default ranges --- terraform/modules/bosh_vpc/variables.tf | 3 +-- terraform/modules/stack/base/variables.tf | 3 +-- terraform/modules/stack/spoke/variables.tf | 3 +-- terraform/stacks/main/variables.tf | 4 +--- 4 files changed, 4 insertions(+), 9 deletions(-) diff --git a/terraform/modules/bosh_vpc/variables.tf b/terraform/modules/bosh_vpc/variables.tf index 920978733..b10a373d6 100644 --- a/terraform/modules/bosh_vpc/variables.tf +++ b/terraform/modules/bosh_vpc/variables.tf @@ -66,9 +66,8 @@ variable "s3_gateway_policy_accounts" { default = [] } -#Placeholder for real value, passed as a secret variable "cidr_blocks" { type = list(string) - default = ["192.168.0.0/32", "192.168.0.1/32"] + default = [] } diff --git a/terraform/modules/stack/base/variables.tf b/terraform/modules/stack/base/variables.tf index c30867313..0987e1f4f 100644 --- a/terraform/modules/stack/base/variables.tf +++ b/terraform/modules/stack/base/variables.tf 
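Review bot: `default = []` means an empty or mis-named `TF_VAR_cidr_blocks` produces a clean plan with zero deny rules rather than an error, so the ACL silently loses its blocklist; the same change is made to the three other `cidr_blocks` declarations in this patch (`terraform/modules/stack/base/variables.tf`, `terraform/modules/stack/spoke/variables.tf`, `terraform/stacks/main/variables.tf`). For the root module in `terraform/stacks/main/variables.tf`, dropping the default so Terraform requires a value is the fail-closed option; the inner modules can keep `default = []` because their callers in this series always pass `var.cidr_blocks` through. The removed `#Placeholder for real value, passed as a secret` comment was the only note on where the value comes from, so a `description = "CIDR ranges to deny on the VPC network ACL; supplied from the pipeline as a secret"` should take its place.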
@@ -186,8 +186,7 @@ variable "s3_gateway_policy_accounts" { } -#Placeholder for real value, passed as a secret variable "cidr_blocks" { type = list(string) - default = ["192.168.0.0/32", "192.168.0.1/32"] + default = [] } \ No newline at end of file diff --git a/terraform/modules/stack/spoke/variables.tf b/terraform/modules/stack/spoke/variables.tf index 26b782e47..fdaab6a89 100644 --- a/terraform/modules/stack/spoke/variables.tf +++ b/terraform/modules/stack/spoke/variables.tf @@ -169,8 +169,7 @@ variable "s3_gateway_policy_accounts" { } -#Placeholder for real value, passed as a secret variable "cidr_blocks" { type = list(string) - default = ["192.168.0.0/32", "192.168.0.1/32"] + default = [] } \ No newline at end of file diff --git a/terraform/stacks/main/variables.tf b/terraform/stacks/main/variables.tf index 971905655..199e9e2db 100644 --- a/terraform/stacks/main/variables.tf +++ b/terraform/stacks/main/variables.tf @@ -204,9 +204,7 @@ variable "cg_egress_ip_set_arn" { description = "ARN of IP set identifying egress IP CIDR ranges for cloud.gov" } - -#Placeholder for real value, passed as a secret variable "cidr_blocks" { type = list(string) - default = ["192.168.0.0/32", "192.168.0.1/32"] + default = [] } \ No newline at end of file From b10c76a897ea52b6d5cf2f4c01238b62c1ce7453 Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Fri, 15 Mar 2024 10:10:45 -0400 Subject: [PATCH 8/9] terraform fmt fix --- terraform/modules/bosh_vpc/vpc.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf index 5c0ed8929..8fd418c60 100644 --- a/terraform/modules/bosh_vpc/vpc.tf +++ b/terraform/modules/bosh_vpc/vpc.tf @@ -79,7 +79,7 @@ data "aws_network_acls" "default" { } resource "aws_network_acl_rule" "deny_rule_ingress_rules" { - count = length(var.cidr_blocks) + count = length(var.cidr_blocks) rule_number = 20 + count.index network_acl_id = data.aws_network_acls.default.ids[0] 
@@ -92,7 +92,7 @@ resource "aws_network_acl_rule" "deny_rule_ingress_rules" { } resource "aws_network_acl_rule" "deny_rule_egress_rules" { - count = length(var.cidr_blocks) + count = length(var.cidr_blocks) rule_number = 20 + count.index network_acl_id = data.aws_network_acls.default.ids[0] From ccacc7bf2dc5af910e25367bd331bfc238c25bcf Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Fri, 15 Mar 2024 10:15:18 -0400 Subject: [PATCH 9/9] Adding new cidr_blocks to staging and prod --- ci/pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 68ea031f6..db83716ad 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -684,7 +684,7 @@ jobs: TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn)) TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn)) TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn)) - TF_VAR_block_range_20: ((block_range_20)) + TF_VAR_cidr_blocks: ((cidr_blocks)) - *notify-slack - name: bootstrap-staging @@ -843,7 +843,7 @@ jobs: TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn)) TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn)) TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn)) - TF_VAR_block_range_20: ((block_range_20)) + TF_VAR_cidr_blocks: ((cidr_blocks)) - *notify-slack