diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86622d1..bb734e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -307,3 +307,9 @@
 - config, added
 - bucket_key_enabled: default false
 - use_kms_encryptioon: default true
+
+* 2.4.11 -- 2023-11-02
+ - iam-general-policies
+ - add 10/8 and 172.16/12 to the allowed cidr blocks to fix problems with calling api from our vpcs, and from other
+ vpcs in our network
+
diff --git a/common/version.tf b/common/version.tf
index 197391f..7c677ff 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.4.10"
+ _module_version = "2.4.11"
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
index 017f8d4..3fec9f7 100644
--- a/iam-general-policies/README.md
+++ b/iam-general-policies/README.md
@@ -152,3 +152,160 @@ No modules.
 | [custom\_policies\_arn](#output\_custom\_policies\_arn) | Custom Policies ARN |
 | [custom\_policy\_documents](#output\_custom\_policy\_documents) | Custom Policy Documents (no IAM policy) |
 | [managed\_policies](#output\_managed\_policies) | AWS Managed Policy name to ARN mapping |
+
+
+# aws-inf-setup :: iam-general-policies
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "general" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "general_full" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+
+ # optional
+ account_alias = "do2-govcloud"
+
+ # flowlogs is generally not needed and not recommended
+ component_tags = {
+ "s3" = {
+ "SpecialTag1" = "something"
+ "SpecialTag2" = "somethingElse"
+ }
+ }
+}
+```
+Once IP addresses are available for NAT Gateways or VPC, they can be added like:
+```hcl
+module "general" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+
+ ipr_vpc_cidr_blocks = [ data.terraform_remote_state.vpc_w1-vpc1.outputs.vpc_cidr_block ]
+ ipr_nat_gateway_cidr_blocks = data.terraform_remote_state.vpc_w1-vpc6.outputs.nat_ip_list
+ ipr_extra_cidr_blocks = [ ]
+}
+```
+
+# Managed Policies
+This provides a number of AWS manged policies
+> `module.general.managed_policies[KEY] = ARN`
+* AdministratorAccess
+* ReadOnlyAccess
+* AmazonVPCFullAccess
+* AWSSupportAccess
+* CloudWatchAWSSupportAccess
+* Billing
+* NetworkAdministrator
+
+# Custom Policies
+
+This provides some custom policies that are to be applied to some accounts and groups.
+> `module.general.custom_policies[KEY] = { object }`
+ ```hcl
+ object = {
+ "name"
+ "path"
+ "description"
+ "policy"
+ "create_policy"
+ "policy_arn"
+ }
+ ```
+* manage-access-keys
+ Allows for self-managing access keys (for rotating)
+* manage-credentials
+ Allows for self-managing password credentials
+* deny-billing
+ Denies access to Billing functions
+* deny-readonly-data
+ When combined with a ReadOnly permission set, denies read access on S3, DynamodDB items, and others
+
+These are policy documents, used liberally, as needed by applications (typically, EC2 instance roles).
+> `module.general.custom_policy_documents[KEY] = { object }`
+ ```hcl
+ object = {
+ "name"
+ "description"
+ "policy"
+ "create_policy"
+ }
+ ```
+* ec2\_assume
+* sts\_assume
+* root\_assume
+* lambda\_assume
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.general](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.cloudforms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudforms_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.deny_readonly_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.full_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ip_restriction](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.limited_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.manage_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.manage_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.network_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.root_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.sts_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` |
{
"policy": {}
}
| no |
+| [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B) | `list(string)` |
[
"148.129.0.0/16",
"2610:20:2000::0/38",
"10.0.0.0/8",
"172.16.0.0/12"
]
| no |
+| [ipr\_nat\_gateway\_cidr\_blocks](#input\_ipr\_nat\_gateway\_cidr\_blocks) | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud) | `list(string)` |
[
"vpce-047c17aeb6c23cab8",
"vpce-0bc724bf64e6aeb64"
]
| no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [regions](#input\_regions) | List of regions for which multiple regions are used in creating region-based policies | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [custom\_policies](#output\_custom\_policies) | Custom Policies |
+| [custom\_policies\_arn](#output\_custom\_policies\_arn) | Custom Policies ARN |
+| [custom\_policy\_documents](#output\_custom\_policy\_documents) | Custom Policy Documents (no IAM policy) |
+| [managed\_policies](#output\_managed\_policies) | AWS Managed Policy name to ARN mapping |
+
\ No newline at end of file
diff --git a/iam-general-policies/variables.tf b/iam-general-policies/variables.tf
index 6fefebb..fd28baa 100644
--- a/iam-general-policies/variables.tf
+++ b/iam-general-policies/variables.tf
@@ -23,9 +23,14 @@ variable "component_tags" {
 # for ip restriction policy
 #---
 variable "ipr_base_cidr_blocks" {
- description = "Base CIDR blocks for IP based API restrictions (default: census public network)"
+ description = "Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B)"
 type = list(string)
- default = ["148.129.0.0/16", "2610:20:2000::0/38"]
+ default = [
+ "148.129.0.0/16",
+ "2610:20:2000::0/38",
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ ]
 }
 
 variable "ipr_vpc_cidr_blocks" {
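Review bot: The two RFC1918 ranges added to the `ipr_base_cidr_blocks` default (`"10.0.0.0/8"`, `"172.16.0.0/12"`) admit every host in those private ranges, not only the VPCs the changelog names, and they land in the base list that every consumer inherits; since the module already exposes `ipr_vpc_cidr_blocks` and `ipr_additional_cidr_blocks`, the specific VPC and peer-network CIDRs would be better supplied per deployment through those inputs so the base allow-list stays limited to census address space. Whether a private source address is matched at all depends on which condition key the `ip_restriction` document uses (`aws:SourceIp` carries the public address of NAT-routed calls, while `aws:VpcSourceIp` carries the private address of calls through the listed VPC endpoints), and that document is not in this diff, so the fix should be confirmed against it. If the broad default is kept, the reason belongs beside it: `# 10/8 and 172.16/12 cover API calls that arrive with a private source address (e.g. via VPC endpoints); this admits any RFC1918 host in those ranges, not only our VPCs`. The hunk ends on the opening line of `variable "ipr_vpc_cidr_blocks"`, whose body is outside this diff.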