From 41a2e9ea5a474e505c5bb9572cb82e4184f88712 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 13 Jul 2021 09:29:17 -0400
Subject: [PATCH] v1.13.2: [general] change ip_restriction to be a dynamic condition block to also include VpcSourceIp

---
 CHANGELOG.md                        |  4 ++++
 common/version.tf                   |  2 +-
 iam-general-policies/main.tf        | 19 ++++++++++++++++++-
 iam-general-policies/policy_data.tf | 18 +++++++++---------
 4 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d8f9fa..a5b2f4e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -118,3 +118,7 @@
 * v1.13.1 -- 20210608
   - add lifecycle ignore tags["boc:tf_module_version"]
+
+* v1.13.2 -- 20210713
+  - general
+    - change ip_restriction to be a dynamic condition block to also include VpcSourceIp
diff --git a/common/version.tf b/common/version.tf
index 636499f..0d97837 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.13.1"
+  _module_version = "1.13.2"
 }
diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf
index 2e82e41..c810960 100644
--- a/iam-general-policies/main.tf
+++ b/iam-general-policies/main.tf
@@ -96,6 +96,24 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   ipr_cidr_blocks     = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+  ipr_conditions_list = [
+    {
+      test : "Bool"
+      variable : "aws:ViaAWSService"
+      values : ["false"]
+    },
+    {
+      test : "NotIpAddressIfExists"
+      variable : "aws:sourceIp"
+      values : local.ipr_cidr_blocks
+    },
+    {
+      test : "NotIpAddressIfExists"
+      variable : "aws:VpcSourceIp"
+      values : var.ipr_vpc_cidr_blocks
+    },
+  ]
+  ipr_conditions = [for x in local.ipr_conditions_list : x if length(x.values) > 0]
   base_tags = {
     "Organization" = "census:aditcio:csvd"
@@ -144,4 +162,3 @@ resource "aws_iam_policy" "general" {
     ignore_changes = [tags["boc:tf_module_version"]]
   }
 }
-
diff --git a/iam-general-policies/policy_data.tf b/iam-general-policies/policy_data.tf
index bbbf042..9cf5539 100644
--- a/iam-general-policies/policy_data.tf
+++ b/iam-general-policies/policy_data.tf
@@ -63,21 +63,21 @@ data "aws_iam_policy_document" "deny_billing" {
   }
 }
+# generated dynamically based on passing cidr blocks
 data "aws_iam_policy_document" "ip_restriction" {
   statement {
     sid       = "IpAddressRestriction"
     effect    = "Deny"
     actions   = ["*"]
     resources = ["*"]
-    condition {
-      test     = "NotIpAddress"
-      variable = "aws:SourceIp"
-      values   = local.ipr_cidr_blocks
-    }
-    condition {
-      test     = "Bool"
-      variable = "aws:ViaAWSService"
-      values   = ["false"]
+    dynamic "condition" {
+      for_each = local.ipr_conditions
+      iterator = c
+      content {
+        test     = c.value.test
+        variable = c.value.variable
+        values   = c.value.values
+      }
     }
   }
 }
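Review bot: `values = c.value.values` in the dynamic content block forwards each list unchanged, but the filter that builds `local.ipr_conditions` in main.tf only drops lists whose length is zero, and `var.ipr_vpc_cidr_blocks` is not passed through `compact()` the way `ipr_cidr_blocks` is, so a variable list containing an empty string would yield a `NotIpAddressIfExists` condition with an empty IP value. Either compact the list where `ipr_conditions_list` is built or do it at the point of use with `values   = compact(c.value.values)`. The new `# generated dynamically based on passing cidr blocks` comment would be more useful if it explained why the statement still behaves for requests that carry only one of the two IP keys: every condition block in a statement must match for the Deny to apply, and the Not* operators match when their key is absent, so a request arriving through a VPC endpoint without aws:SourceIp is denied unless its aws:VpcSourceIp is inside the VPC CIDRs — worth confirming against the IAM evaluation documentation before committing that as a comment. The key is spelled `aws:sourceIp` in main.tf while the removed line and `aws:VpcSourceIp` use upper camel case; IAM condition key names are case-insensitive so this is cosmetic, but a consistent spelling avoids reviewers pausing on it.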