* 2.4.11 -- 2023-11-02

  - iam-general-policies
    - add 10/8 and 172.16/12 to the allowed cidr blocks to fix problems with calling api from our vpcs, and from other
      vpcs in our network

CHANGELOG.md

@@ -307,3 +307,9 @@
   - config, added
     - bucket_key_enabled: default false
     - use_kms_encryptioon: default true
+
+* 2.4.11 -- 2023-11-02
+  - iam-general-policies
+    - add 10/8 and 172.16/12 to the allowed cidr blocks to fix problems with calling api from our vpcs, and from other
+      vpcs in our network
+

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.10"
+  _module_version = "2.4.11"
 }

iam-general-policies/README.md

@@ -152,3 +152,160 @@ No modules.
 | <a name="output_custom_policies_arn"></a> [custom\_policies\_arn](#output\_custom\_policies\_arn) | Custom Policies ARN |
 | <a name="output_custom_policy_documents"></a> [custom\_policy\_documents](#output\_custom\_policy\_documents) | Custom Policy Documents (no IAM policy) |
 | <a name="output_managed_policies"></a> [managed\_policies](#output\_managed\_policies) | AWS Managed Policy name to ARN mapping |
+
+<!-- BEGIN_TF_DOCS -->
+# aws-inf-setup :: iam-general-policies
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "general" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "general_full" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+
+  # optional
+  account_alias         = "do2-govcloud"
+
+  # flowlogs is generally not needed and not recommended
+  component_tags        = {
+    "s3" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+Once IP addresses are available for NAT Gateways or VPC, they can be added like:
+```hcl
+module "general" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+
+  ipr_vpc_cidr_blocks = [ data.terraform_remote_state.vpc_w1-vpc1.outputs.vpc_cidr_block ]
+  ipr_nat_gateway_cidr_blocks = data.terraform_remote_state.vpc_w1-vpc6.outputs.nat_ip_list
+  ipr_extra_cidr_blocks = [ ]
+}
+```
+
+# Managed Policies
+This provides a number of AWS manged policies
+> `module.general.managed_policies[KEY] = ARN`
+* AdministratorAccess
+* ReadOnlyAccess
+* AmazonVPCFullAccess
+* AWSSupportAccess
+* CloudWatchAWSSupportAccess
+* Billing
+* NetworkAdministrator
+
+# Custom Policies
+
+This provides some custom policies that are to be applied to some accounts and groups.
+> `module.general.custom_policies[KEY] = { object }`
+ ```hcl
+ object = {
+   "name"
+   "path"          
+   "description"   
+   "policy"       
+   "create_policy"
+   "policy_arn"
+ }
+ ```
+* manage-access-keys
+  Allows for self-managing access keys (for rotating)
+* manage-credentials
+  Allows for self-managing password credentials
+* deny-billing
+  Denies access to Billing functions
+* deny-readonly-data
+  When combined with a ReadOnly permission set, denies read access on S3, DynamodDB items, and others
+
+These are policy documents, used liberally, as needed by applications (typically, EC2 instance roles).
+> `module.general.custom_policy_documents[KEY] = { object }`
+ ```hcl
+ object = {
+   "name"
+   "description"   
+   "policy"       
+   "create_policy"
+ }
+ ```
+* ec2\_assume
+* sts\_assume
+* root\_assume
+* lambda\_assume
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.cloudforms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudforms_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.full_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ip_restriction](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.limited_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.network_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.root_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.sts_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` | <pre>{<br>  "policy": {}<br>}</pre> | no |
+| <a name="input_ipr_additional_cidr_blocks"></a> [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| <a name="input_ipr_base_cidr_blocks"></a> [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B) | `list(string)` | <pre>[<br>  "148.129.0.0/16",<br>  "2610:20:2000::0/38",<br>  "10.0.0.0/8",<br>  "172.16.0.0/12"<br>]</pre> | no |
+| <a name="input_ipr_nat_gateway_cidr_blocks"></a> [ipr\_nat\_gateway\_cidr\_blocks](#input\_ipr\_nat\_gateway\_cidr\_blocks) | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| <a name="input_ipr_vpc_cidr_blocks"></a> [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| <a name="input_ipr_vpc_endpoints"></a> [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud) | `list(string)` | <pre>[<br>  "vpce-047c17aeb6c23cab8",<br>  "vpce-0bc724bf64e6aeb64"<br>]</pre> | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_regions"></a> [regions](#input\_regions) | List of regions for which multiple regions are used in creating region-based policies | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_custom_policies"></a> [custom\_policies](#output\_custom\_policies) | Custom Policies |
+| <a name="output_custom_policies_arn"></a> [custom\_policies\_arn](#output\_custom\_policies\_arn) | Custom Policies ARN |
+| <a name="output_custom_policy_documents"></a> [custom\_policy\_documents](#output\_custom\_policy\_documents) | Custom Policy Documents (no IAM policy) |
+| <a name="output_managed_policies"></a> [managed\_policies](#output\_managed\_policies) | AWS Managed Policy name to ARN mapping |
+<!-- END_TF_DOCS -->

iam-general-policies/variables.tf

@@ -23,9 +23,14 @@ variable "component_tags" {
 # for ip restriction policy
 #---
 variable "ipr_base_cidr_blocks" {
-  description = "Base CIDR blocks for IP based API restrictions (default: census public network)"
+  description = "Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B)"
   type        = list(string)
-  default     = ["148.129.0.0/16", "2610:20:2000::0/38"]
+  default = [
+    "148.129.0.0/16",
+    "2610:20:2000::0/38",
+    "10.0.0.0/8",
+    "172.16.0.0/12",
+  ]
 }
 
 variable "ipr_vpc_cidr_blocks" {