diff --git a/CHANGELOG.md b/CHANGELOG.md index bb734e8..ee534ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -313,3 +313,7 @@ - add 10/8 and 172.16/12 to the allowed cidr blocks to fix problems with calling api from our vpcs, and from other vpcs in our network +* 2.4.12 -- 2023-11-03 + - iam-general-policies + - add 10/8 and 172.16/12 to the allowed VPC cidr blocks and remove it from from the base cid (only public IPs) + - add network-prod s3 interface endpints diff --git a/common/version.tf b/common/version.tf index 7c677ff..a7d3afb 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.4.11" + _module_version = "2.4.12" } diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md index 3fec9f7..911c20e 100644 --- a/iam-general-policies/README.md +++ b/iam-general-policies/README.md @@ -292,10 +292,10 @@ No modules. | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | | [component\_tags](#input\_component\_tags) | Additional tags for Components (policy) | `map(map(string))` |
{
"policy": {}
}
| no | | [ipr\_additional\_cidr\_blocks](#input\_ipr\_additional\_cidr\_blocks) | Additional CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | -| [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B) | `list(string)` |
[
"148.129.0.0/16",
"2610:20:2000::0/38",
"10.0.0.0/8",
"172.16.0.0/12"
]
| no | +| [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6; public IPs only) | `list(string)` |
[
"148.129.0.0/16",
"2610:20:2000::0/38"
]
| no | | [ipr\_nat\_gateway\_cidr\_blocks](#input\_ipr\_nat\_gateway\_cidr\_blocks) | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | -| [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no | -| [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud) | `list(string)` |
[
"vpce-047c17aeb6c23cab8",
"vpce-0bc724bf64e6aeb64"
]
| no | +| [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12"
]
| no | +| [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud and network-prod) | `list(string)` |
[
"vpce-047c17aeb6c23cab8",
"vpce-0bc724bf64e6aeb64",
"vpce-012898031dcb55506",
"vpce-03542311475976023"
]
| no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [regions](#input\_regions) | List of regions for which multiple regions are used in creating region-based policies | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf
index cb995ed..c86c40c 100644
--- a/iam-general-policies/main.tf
+++ b/iam-general-policies/main.tf
@@ -95,7 +95,8 @@ locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+ # ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
+ ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
 ipr_conditions_list = [
 {
 test = "Bool"
diff --git a/iam-general-policies/variables.tf b/iam-general-policies/variables.tf
index fd28baa..64e4eed 100644
--- a/iam-general-policies/variables.tf
+++ b/iam-general-policies/variables.tf
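Review bot: With `var.ipr_vpc_cidr_blocks` dropped from `local.ipr_cidr_blocks` in the added line, the RFC1918 ranges this release moves into that variable's default only take effect if some other expression in the module, outside this hunk, still consumes the variable (presumably an `aws:VpcSourceIp` entry inside `ipr_conditions_list`); if nothing does, the variable is now dead and the in-VPC API calls the changelog says are being fixed stay denied, so that consumer should be confirmed before 2.4.12 is tagged. Keeping private ranges out of the `aws:SourceIp` list itself looks sound, since as I read AWS's documentation that key carries the public NAT address for requests that do not arrive through a VPC endpoint, and endpoint traffic is meant to be matched on the endpoint/VPC keys instead. The old expression should be deleted rather than kept as a commented-out line; replace it with a why-comment such as `# VPC CIDRs are intentionally excluded here: aws:SourceIp only sees public addresses, so ipr_vpc_cidr_blocks is matched by a separate condition` (naming the actual condition). `ipr_conditions_list` continues past the end of the hunk.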
@@ -23,20 +23,21 @@ variable "component_tags" {
 # for ip restriction policy
 #---
 variable "ipr_base_cidr_blocks" {
- description = "Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6, and RFC1918 class A and B)"
+ description = "Base CIDR blocks for IP based API restrictions (default: census class B network, IPv6; public IPs only)"
 type = list(string)
 default = [
 "148.129.0.0/16",
 "2610:20:2000::0/38",
- "10.0.0.0/8",
- "172.16.0.0/12",
 ]
 }
 variable "ipr_vpc_cidr_blocks" {
 description = "VPC CIDR blocks for IP based API restrictions (default: none)"
 type = list(string)
- default = []
+ default = [
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ ]
 }
 variable "ipr_nat_gateway_cidr_blocks" {
@@ -52,9 +53,14 @@ variable "ipr_additional_cidr_blocks" {
 }
 variable "ipr_vpc_endpoints" {
- description = "VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud)"
+ description = "VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud and network-prod)"
 type = list(string)
- default = ["vpce-047c17aeb6c23cab8", "vpce-0bc724bf64e6aeb64"]
+ default = [
+ "vpce-047c17aeb6c23cab8", # do2-gov east
+ "vpce-0bc724bf64e6aeb64", # do2-gov west
+ "vpce-012898031dcb55506", # network-prod east
+ "vpce-03542311475976023", # network-prod west
+ ]
 }
 variable "regions" {
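Review bot: The `description` of `ipr_vpc_cidr_blocks` still reads `(default: none)` while the added lines give it a non-empty default of 10/8 and 172.16/12, and the regenerated README carries the same stale wording; change it to `description = "VPC CIDR blocks for IP based API restrictions (default: RFC1918 10/8 and 172.16/12)"` so the documented contract matches the code. Wherever the module matches this list (outside this hunk), allowing both private ranges in their entirety rather than the organisation's actual VPC CIDRs means any VPC in those ranges that can reach the permitted endpoints satisfies the condition, so the effective restriction rests on the endpoint list; if that breadth is intentional for cross-VPC calls, as the changelog suggests, say so in the description.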
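Review bot: The new default hard-codes four endpoint IDs, two of them in the network-prod account, into a module shared by every consumer, so after this release any request traversing network-prod's S3 interface endpoints presumably satisfies the IP restriction (via whatever `aws:SourceVpce` condition consumes this list, outside this hunk) for every account that keeps the default, whether or not that account routes through network-prod; that widening of the trusted path is deliberate per the changelog but is not stated anywhere a consumer would read. Add it to the description, e.g. `description = "VPC endpoint IDs exempted from the IP restriction (default: S3 interface endpoints in do2-govloud and network-prod; override per environment)"`, and consider whether environment-specific IDs belong in a module default at all rather than being passed by the caller. The inline east/west comments on the added lines are useful, but the README generator drops them, so the description is the only place the account-to-endpoint mapping survives for readers.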