Merge pull request #26 from terraform-modules/general-add-vpcsourceip

general add vpcsourceip
terraform-modules · Jul 13, 2021 · ade6b32 · ade6b32
2 parents fae9fd2 + 41a2e9e
commit ade6b32
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -118,3 +118,7 @@
 
 * v1.13.1 -- 20210608
   - add lifecycle ignore tags["boc:tf_module_version"]
+
+* v1.13.2 -- 20210713
+  - general
+    - change ip_restriction to be a dynamic condition block to also include VpcSourceIp
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.13.1"
+  _module_version = "1.13.2"
 }
diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf
@@ -96,6 +96,24 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
   ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+  ipr_conditions_list = [
+    {
+      test : "Bool"
+      variable : "aws:ViaAWSService"
+      values : ["false"]
+    },
+    {
+      test : "NotIpAddressIfExists"
+      variable : "aws:sourceIp"
+      values : local.ipr_cidr_blocks
+    },
+    {
+      test : "NotIpAddressIfExists"
+      variable : "aws:VpcSourceIp"
+      values : var.ipr_vpc_cidr_blocks
+    },
+  ]
+  ipr_conditions = [for x in local.ipr_conditions_list : x if length(x.values) > 0]
 
   base_tags = {
     "Organization"          = "census:aditcio:csvd"
@@ -144,4 +162,3 @@ resource "aws_iam_policy" "general" {
     ignore_changes = [tags["boc:tf_module_version"]]
   }
 }
-
diff --git a/iam-general-policies/policy_data.tf b/iam-general-policies/policy_data.tf
@@ -63,21 +63,21 @@ data "aws_iam_policy_document" "deny_billing" {
   }
 }
 
+# generated dynamically based on passing cidr blocks
 data "aws_iam_policy_document" "ip_restriction" {
   statement {
     sid       = "IpAddressRestriction"
     effect    = "Deny"
     actions   = ["*"]
     resources = ["*"]
-    condition {
-      test     = "NotIpAddress"
-      variable = "aws:SourceIp"
-      values   = local.ipr_cidr_blocks
-    }
-    condition {
-      test     = "Bool"
-      variable = "aws:ViaAWSService"
-      values   = ["false"]
+    dynamic "condition" {
+      for_each = local.ipr_conditions
+      iterator = c
+      content {
+        test     = c.value.test
+        variable = c.value.variable
+        values   = c.value.values
+      }
     }
   }
 }