Merge pull request #11 from terraform-modules/add-ip_restrictions

v1.7.1: add ip restrictions to general policies
terraform-modules · Mar 18, 2021 · a5b2411 · a5b2411
2 parents 0af014e + 39808e5
commit a5b2411
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 1 deletion.
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.7.0"
+  _module_version = "1.7.1"
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
@@ -28,6 +28,16 @@ module "general_full" {
     }
   }
 }
+```  
+Once IP addresses are available for NAT Gateways or VPC, they can be added like:
+```hcl
+module "general" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+
+  ipr_vpc_cidr_blocks = [ data.terraform_remote_state.vpc_w1-vpc1.outputs.vpc_cidr_block ]
+  ipr_nat_gateway_cidr_blocks = data.terraform_remote_state.vpc_w1-vpc6.outputs.nat_ip_list
+  ipr_extra_cidr_blocks = [ ]
+}
 ```
 
 # Managed Policies  
@@ -106,6 +116,10 @@ No Modules.
 | account\_alias | AWS Account Alias | `string` | `""` | no |
 | account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | component\_tags | Additional tags for Components (policy) | `map(map(string))` | <pre>{<br>  "policy": {}<br>}</pre> | no |
+| ipr\_additional\_cidr\_blocks | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| ipr\_base\_cidr\_blocks | Base CIDR blocks for IP based API restrictions (default: census public network) | `list(string)` | <pre>[<br>  "148.129.0.0/16"<br>]</pre> | no |
+| ipr\_nat\_gateway\_cidr\_blocks | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| ipr\_vpc\_cidr\_blocks | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
 | override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | tags | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 

diff --git a/iam-general-policies/custom_policies.tf b/iam-general-policies/custom_policies.tf
@@ -21,6 +21,14 @@ locals {
       policy        = data.aws_iam_policy_document.deny_billing.json
       create_policy = true
     }
+    "ip_restriction" = {
+      name          = "ip-restriction"
+      path          = "/"
+      description   = "Policy to deny access to unexpected and external IP address sources"
+      policy        = data.aws_iam_policy_document.ip_restriction.json
+      create_policy = true
+    }
+
     "ec2_assume" = {
       name          = "ec2_assume"
       description   = "Policy document for EC2 sts:assumerole (instance role)"

diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf
@@ -30,6 +30,16 @@
 *   }
 * }
 * ```
+* Once IP addresses are available for NAT Gateways or VPC, they can be added like:
+* ```hcl
+* module "general" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-general-policies"
+* 
+*   ipr_vpc_cidr_blocks = [ data.terraform_remote_state.vpc_w1-vpc1.outputs.vpc_cidr_block ]
+*   ipr_nat_gateway_cidr_blocks = data.terraform_remote_state.vpc_w1-vpc6.outputs.nat_ip_list
+*   ipr_extra_cidr_blocks = [ ]
+* }
+* ```
 *
 * # Managed Policies
 * This provides a number of AWS manged policies
@@ -79,6 +89,8 @@ locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
+  ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+
   base_tags = {
     "Organization"          = "census:aditcio:csvd"
     "boc:tf_module_version" = local._module_version

diff --git a/iam-general-policies/policy_data.tf b/iam-general-policies/policy_data.tf
@@ -63,6 +63,24 @@ data "aws_iam_policy_document" "deny_billing" {
   }
 }
 
+data "aws_iam_policy_document" "ip_restriction" {
+  statement {
+    sid       = "IpAddressRestriction"
+    effect    = "Deny"
+    actions   = ["*"]
+    resources = ["*"]
+    condition {
+      test     = "NotIpAddress"
+      variable = "aws:SourceIp"
+      values   = local.ip_cidr_blocks
+    }
+    condition {
+      test     = "Bool"
+      variable = "aws:ViaAWSService"
+      values   = ["false"]
+    }
+  }
+}
 
 #---
 # sts (for roles)

diff --git a/iam-general-policies/variables.tf b/iam-general-policies/variables.tf
@@ -18,3 +18,30 @@ variable "component_tags" {
   type        = map(map(string))
   default     = { "policy" = {} }
 }
+
+#---
+# for ip restriction policy
+#---
+variable "ipr_base_cidr_blocks" {
+  description = "Base CIDR blocks for IP based API restrictions (default: census public network)"
+  type        = list(string)
+  default     = ["148.129.0.0/16"]
+}
+
+variable "ipr_vpc_cidr_blocks" {
+  description = "VPC CIDR blocks for IP based API restrictions (default: none)"
+  type        = list(string)
+  default     = []
+}
+
+variable "ipr_nat_gateway_cidr_blocks" {
+  description = "NAT Gateway CIDR blocks for IP based API restrictions (default: none)"
+  type        = list(string)
+  default     = []
+}
+
+variable "ipr_additional_cidr_blocks" {
+  description = "Additional CIDR blocks for IP based API restrictions (default: none)"
+  type        = list(string)
+  default     = []
+}