* 2.4.12 -- 2023-11-03

- iam-general-policies - add 10/8 and 172.16/12 to the allowed VPC cidr blocks and remove it from from the base cid (only public IPs) - add network-prod s3 interface endpints
terraform-modules · Nov 3, 2023 · eb19ef5 · eb19ef5
1 parent 29ae342
commit eb19ef5
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -313,3 +313,7 @@
     - add 10/8 and 172.16/12 to the allowed cidr blocks to fix problems with calling api from our vpcs, and from other
       vpcs in our network
 
+* 2.4.12 -- 2023-11-03
+  - iam-general-policies
+    - add 10/8 and 172.16/12 to the allowed VPC cidr blocks and remove it from from the base cid (only public IPs)
+    - add network-prod s3 interface endpints
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.11"
+  _module_version = "2.4.12"
 }
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
@@ -292,10 +292,10 @@ No modules.
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` | <pre>{<br>  "policy": {}<br>}</pre> | no |
 | <a name="input_ipr_additional_cidr_blocks"></a> [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
-| <a name="input_ipr_base_cidr_blocks"></a> [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B) | `list(string)` | <pre>[<br>  "148.129.0.0/16",<br>  "2610:20:2000::0/38",<br>  "10.0.0.0/8",<br>  "172.16.0.0/12"<br>]</pre> | no |
+| <a name="input_ipr_base_cidr_blocks"></a> [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6; public IPs only) | `list(string)` | <pre>[<br>  "148.129.0.0/16",<br>  "2610:20:2000::0/38"<br>]</pre> | no |
 | <a name="input_ipr_nat_gateway_cidr_blocks"></a> [ipr\_nat\_gateway\_cidr\_blocks](#input\_ipr\_nat\_gateway\_cidr\_blocks) | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
-| <a name="input_ipr_vpc_cidr_blocks"></a> [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
-| <a name="input_ipr_vpc_endpoints"></a> [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud) | `list(string)` | <pre>[<br>  "vpce-047c17aeb6c23cab8",<br>  "vpce-0bc724bf64e6aeb64"<br>]</pre> | no |
+| <a name="input_ipr_vpc_cidr_blocks"></a> [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12"<br>]</pre> | no |
+| <a name="input_ipr_vpc_endpoints"></a> [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud and network-prod) | `list(string)` | <pre>[<br>  "vpce-047c17aeb6c23cab8",<br>  "vpce-0bc724bf64e6aeb64",<br>  "vpce-012898031dcb55506",<br>  "vpce-03542311475976023"<br>]</pre> | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_regions"></a> [regions](#input\_regions) | List of regions for which multiple regions are used in creating region-based policies | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |

diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf
@@ -95,7 +95,8 @@ locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
-  ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+  #  ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+  ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
   ipr_conditions_list = [
     {
       test     = "Bool"

diff --git a/iam-general-policies/variables.tf b/iam-general-policies/variables.tf
@@ -23,20 +23,21 @@ variable "component_tags" {
 # for ip restriction policy
 #---
 variable "ipr_base_cidr_blocks" {
-  description = "Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B)"
+  description = "Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6; public IPs only)"
   type        = list(string)
   default = [
     "148.129.0.0/16",
     "2610:20:2000::0/38",
-    "10.0.0.0/8",
-    "172.16.0.0/12",
   ]
 }
 
 variable "ipr_vpc_cidr_blocks" {
   description = "VPC CIDR blocks for IP based API restrictions (default: none)"
   type        = list(string)
-  default     = []
+  default = [
+    "10.0.0.0/8",
+    "172.16.0.0/12",
+  ]
 }
 
 variable "ipr_nat_gateway_cidr_blocks" {
@@ -52,9 +53,14 @@ variable "ipr_additional_cidr_blocks" {
 }
 
 variable "ipr_vpc_endpoints" {
-  description = "VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud)"
+  description = "VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud and network-prod)"
   type        = list(string)
-  default     = ["vpce-047c17aeb6c23cab8", "vpce-0bc724bf64e6aeb64"]
+  default = [
+    "vpce-047c17aeb6c23cab8", # do2-gov east
+    "vpce-0bc724bf64e6aeb64", # do2-gov west
+    "vpce-012898031dcb55506", # network-prod east
+    "vpce-03542311475976023", # network-prod west
+  ]
 }
 
 variable "regions" {