diff --git a/ci/pipeline.yml b/ci/pipeline.yml
index 229fbfda6..5d4105daa 100644
--- a/ci/pipeline.yml
+++ b/ci/pipeline.yml
@@ -523,6 +523,7 @@ jobs: TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn)) TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn)) TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn)) + TF_VAR_block_range_20: ((block_range_20)) - *notify-slack - name: bootstrap-development
@@ -683,6 +684,7 @@ jobs: TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn)) TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn)) TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn)) + TF_VAR_block_range_20: ((block_range_20)) - *notify-slack - name: bootstrap-staging
@@ -841,6 +843,8 @@ jobs: TF_VAR_customer_whitelist_source_ip_ranges_set_arn: ((customer_whitelist_source_ip_ranges_set_arn)) TF_VAR_internal_vpc_cidrs_set_arn: ((internal_vpc_cidrs_set_arn)) TF_VAR_cg_egress_ip_set_arn: ((cg_egress_ip_set_arn)) + TF_VAR_block_range_20: ((block_range_20)) + - *notify-slack - name: bootstrap-production
diff --git a/terraform/modules/bosh_vpc/variables.tf b/terraform/modules/bosh_vpc/variables.tf
index 8a90bc78d..50f31485f 100644
--- a/terraform/modules/bosh_vpc/variables.tf
+++ b/terraform/modules/bosh_vpc/variables.tf
@@ -64,4 +64,9 @@ variable "bosh_default_ssh_public_key" {
 variable "s3_gateway_policy_accounts" {
 type = list(string)
 default = []
+}
+
+#Placeholder for real value, passed as a secret
+variable "block_range_20" {
+ default = "192.168.0.0/32"
 }
\ No newline at end of file
diff --git a/terraform/modules/bosh_vpc/vpc.tf b/terraform/modules/bosh_vpc/vpc.tf
index c954b1313..5f0b761ff 100644
--- a/terraform/modules/bosh_vpc/vpc.tf
+++ b/terraform/modules/bosh_vpc/vpc.tf
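Review bot: `block_range_20` in terraform/modules/bosh_vpc/variables.tf is declared with only a placeholder default and no `type` or `description`, so a stack that never receives the pipeline value still plans cleanly and creates network ACL rule 20 for `192.168.0.0/32` instead of the range that was meant to be blocked; the same declaration is repeated in terraform/modules/stack/base/variables.tf, terraform/modules/stack/spoke/variables.tf and terraform/stacks/main/variables.tf. Dropping the `default` line turns a missing value into a plan-time error rather than a silent no-op, and `type = string` plus `description = "CIDR range denied by network ACL rule 20 in the BOSH VPC; supplied by the pipeline"` matches how `cg_egress_ip_set_arn` is declared in the main stack's variables file. If the pinned Terraform is 0.13 or newer, a `validation` block with `condition = can(cidrhost(var.block_range_20, 0))` would also reject a malformed CIDR before it reaches the `aws_network_acl_rule` resources. The `#Placeholder for real value, passed as a secret` comment should then be removed, since there is no placeholder left to describe.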
@@ -74,3 +74,30 @@ resource "aws_flow_log" "main_vpc_flow_log" {
 traffic_type = "ALL"
 }
+data "aws_network_acls" "default" {
+ vpc_id = aws_vpc.main_vpc.id
+}
+
+resource "aws_network_acl_rule" "deny_rule_ingress_rule_20" {
+ count = length(data.aws_network_acls.default.ids)
+ rule_number = 20
+ network_acl_id = data.aws_network_acls.default.ids[count.index]
+ rule_action = "deny"
+ protocol = "-1"
+ cidr_block = var.block_range_20
+ from_port = 0
+ to_port = 0
+ egress = false
+}
+
+resource "aws_network_acl_rule" "deny_rule_egress_rule_20" {
+ count = length(data.aws_network_acls.default.ids)
+ rule_number = 20
+ network_acl_id = data.aws_network_acls.default.ids[count.index]
+ rule_action = "deny"
+ protocol = "-1"
+ cidr_block = var.block_range_20
+ from_port = 0
+ to_port = 0
+ egress = true
+}
diff --git a/terraform/modules/stack/base/base.tf b/terraform/modules/stack/base/base.tf
index dd20e831e..b25c3bce1 100644
--- a/terraform/modules/stack/base/base.tf
+++ b/terraform/modules/stack/base/base.tf
@@ -17,6 +17,7 @@ module "vpc" {
 concourse_security_group_cidrs = var.target_concourse_security_group_cidrs
 bosh_default_ssh_public_key = var.bosh_default_ssh_public_key
 s3_gateway_policy_accounts = var.s3_gateway_policy_accounts
+ block_range_20 = var.block_range_20
 }
 module "rds_network" {
diff --git a/terraform/modules/stack/base/variables.tf b/terraform/modules/stack/base/variables.tf
index 13ed8721a..fc1e965ba 100644
--- a/terraform/modules/stack/base/variables.tf
+++ b/terraform/modules/stack/base/variables.tf
@@ -184,3 +184,9 @@ variable "s3_gateway_policy_accounts" {
 type = list(string)
 default = []
 }
+
+
+#Placeholder for real value, passed as a secret
+variable "block_range_20" {
+ default = "192.168.0.0/32"
+}
\ No newline at end of file
diff --git a/terraform/modules/stack/spoke/spoke.tf b/terraform/modules/stack/spoke/spoke.tf
index ef30fe3f7..5edcc42d6 100644
--- a/terraform/modules/stack/spoke/spoke.tf
+++ b/terraform/modules/stack/spoke/spoke.tf
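Review bot: `data "aws_network_acls" "default"` filters on `vpc_id` only, so it returns every network ACL in the VPC rather than the default one its name suggests, and `deny_rule_ingress_rule_20` / `deny_rule_egress_rule_20` then write rule number 20 into each of them, which fails the apply if any ACL already carries a rule 20. If the intent is the VPC's default ACL only, add a `filter` block with `name = "default"` and `values = ["true"]` to the data source; if the intent really is every ACL in the VPC, say so in a comment on the data source and rename it so the next reader is not misled. `count = length(data.aws_network_acls.default.ids)` also depends on `aws_vpc.main_vpc.id`, so on a bootstrap where the VPC is created in the same apply Terraform cannot determine the count at plan time; this presumably works today because the VPCs already exist, but it deserves a comment, and `for_each = toset(data.aws_network_acls.default.ids)` keyed by ACL id would at least stop the rules being re-addressed whenever the set of ACLs changes. The two resources differ only in `egress`; a single resource iterating over the ACL ids and both directions would remove the duplicated nine attribute lines.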
@@ -29,6 +29,7 @@ module "base" {
 restricted_ingress_web_ipv6_cidrs = var.restricted_ingress_web_ipv6_cidrs
 bosh_default_ssh_public_key = var.bosh_default_ssh_public_key
 s3_gateway_policy_accounts = var.s3_gateway_policy_accounts
+ block_range_20 = var.block_range_20
 rds_security_groups = [
 module.base.bosh_security_group,
diff --git a/terraform/modules/stack/spoke/variables.tf b/terraform/modules/stack/spoke/variables.tf
index d1753246c..88dcc9a52 100644
--- a/terraform/modules/stack/spoke/variables.tf
+++ b/terraform/modules/stack/spoke/variables.tf
@@ -167,3 +167,9 @@ variable "s3_gateway_policy_accounts" {
 type = list(string)
 default = []
 }
+
+
+#Placeholder for real value, passed as a secret
+variable "block_range_20" {
+ default = "192.168.0.0/32"
+}
\ No newline at end of file
diff --git a/terraform/stacks/main/stack.tf b/terraform/stacks/main/stack.tf
index 40d7a364f..a783c5caa 100644
--- a/terraform/stacks/main/stack.tf
+++ b/terraform/stacks/main/stack.tf
@@ -213,6 +213,7 @@ module "stack" {
 target_account_id = data.aws_caller_identity.tooling.account_id
 bosh_default_ssh_public_key = var.bosh_default_ssh_public_key
 s3_gateway_policy_accounts = var.s3_gateway_policy_accounts
+ block_range_20 = var.block_range_20
 target_vpc_id = data.terraform_remote_state.target_vpc.outputs.vpc_id
 target_vpc_cidr = data.terraform_remote_state.target_vpc.outputs.production_concourse_subnet_cidr
@@ -424,4 +425,4 @@ module "cloudwatch" {
 stack_description = var.stack_description
 sns_arn = data.aws_sns_topic.cg_notifications.arn
 load_balancer_dns = module.cf.lb_arn_suffix
-}
+}
\ No newline at end of file
diff --git a/terraform/stacks/main/variables.tf b/terraform/stacks/main/variables.tf
index d6d1978c0..b4b5cbe54 100644
--- a/terraform/stacks/main/variables.tf
+++ b/terraform/stacks/main/variables.tf
@@ -203,3 +203,8 @@ variable "cg_egress_ip_set_arn" {
 type = string
 description = "ARN of IP set identifying egress IP CIDR ranges for cloud.gov"
 }
+
+#Placeholder for real value, passed as a secret
+variable "block_range_20" {
+ default = "192.168.0.0/32"
+}
\ No newline at end of file