Merge pull request #27 from star3am/feature/extend-whitelist-cidrs-cl…

…eanup-my-ipaddress clean up my ip address used for build agents and extend whitelist cid…
star3am · Jan 31, 2024 · 276a735 · 276a735
2 parents 0eed5c2 + 9bffc20
commit 276a735
Show file tree

Hide file tree

Showing 11 changed files with 131 additions and 47 deletions.
diff --git a/main.tf b/main.tf
@@ -91,7 +91,7 @@ module "gcp_hashiqube" {
   deploy_to_aws                           = var.deploy_to_aws
   deploy_to_azure                         = var.deploy_to_azure
   deploy_to_gcp                           = var.deploy_to_gcp
-  whitelist_cidr                          = var.whitelist_cidr
+  whitelist_cidrs                         = var.whitelist_cidrs
   gcp_project                             = var.gcp_project
   gcp_credentials                         = var.gcp_credentials
   gcp_cluster_description                 = var.gcp_cluster_description
@@ -134,7 +134,7 @@ module "aws_hashiqube" {
   aws_instance_type          = var.aws_instance_type
   # aws_profile          = var.aws_profile
   # aws_credentials      = var.aws_credentials
-  whitelist_cidr                          = var.whitelist_cidr
+  whitelist_cidrs                         = var.whitelist_cidrs
   azure_hashiqube_ip                      = var.deploy_to_azure ? try(module.azure_hashiqube[0].hashiqube_ip, null) : null
   gcp_hashiqube_ip                        = var.deploy_to_gcp ? try(module.gcp_hashiqube[0].hashiqube_ip, null) : null
   vagrant_provisioners                    = var.vagrant_provisioners
@@ -153,7 +153,7 @@ module "azure_hashiqube" {
   deploy_to_aws                           = var.deploy_to_aws
   deploy_to_azure                         = var.deploy_to_azure
   deploy_to_gcp                           = var.deploy_to_gcp
-  whitelist_cidr                          = var.whitelist_cidr
+  whitelist_cidrs                         = var.whitelist_cidrs
   ssh_public_key                          = var.ssh_public_key
   ssh_private_key                         = var.ssh_private_key
   debug_user_data                         = var.debug_user_data

diff --git a/modules/aws-hashiqube/README.md b/modules/aws-hashiqube/README.md
@@ -30,7 +30,7 @@ The following resources are used by this module:
 - [aws_security_group_rule.gcp_hashiqube](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) (resource)
 - [aws_security_group_rule.terraform_cloud_api_ip_ranges](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) (resource)
 - [aws_security_group_rule.terraform_cloud_notifications_ip_ranges](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) (resource)
-- [aws_security_group_rule.whitelist_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) (resource)
+- [aws_security_group_rule.whitelist_cidrs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) (resource)
 - [null_resource.debug](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) (resource)
 - [null_resource.hashiqube](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) (resource)
 - [aws_ami.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) (data source)
@@ -125,6 +125,14 @@ Type: `bool`
 
 Default: `false`
 
+### <a name="input_docker_version"></a> [docker_version](#input_docker_version)
+
+Description: The Docker version you would like to install
+
+Type: `string`
+
+Default: `"latest"`
+
 ### <a name="input_gcp_hashiqube_ip"></a> [gcp_hashiqube_ip](#input_gcp_hashiqube_ip)
 
 Description: GCP Hahiqube IP address
@@ -199,13 +207,24 @@ Type: `string`
 
 Default: `"basetools,docker,consul,vault,nomad,boundary,waypoint"`
 
-### <a name="input_whitelist_cidr"></a> [whitelist_cidr](#input_whitelist_cidr)
+### <a name="input_whitelist_cidrs"></a> [whitelist_cidrs](#input_whitelist_cidrs)
 
-Description: Additional CIDR to whitelist
+Description: Additional CIDRs to whitelist
 
-Type: `string`
+Type: `list(any)`
 
-Default: `"20.191.210.171/32"`
+Default:
+
+```json
+[
+  "52.86.200.106/32",
+  "52.86.201.227/32",
+  "52.70.186.109/32",
+  "44.236.246.186/32",
+  "54.185.161.84/32",
+  "44.238.78.236/32"
+]
+```
 
 ## Outputs
 

diff --git a/modules/aws-hashiqube/main.tf b/modules/aws-hashiqube/main.tf
@@ -30,7 +30,6 @@ resource "null_resource" "hashiqube" {
     deploy_to_aws        = var.deploy_to_aws
     deploy_to_azure      = var.deploy_to_azure
     deploy_to_gcp        = var.deploy_to_gcp
-    whitelist_cidr       = var.whitelist_cidr
     my_ipaddress         = data.external.myipaddress.result.ip
     region               = var.aws_region
     ssh_public_key       = var.ssh_public_key
@@ -48,6 +47,7 @@ locals {
   timestamp = timestamp()
 }
 
+# Use latest Canonical Ubuntu AMI
 data "aws_ami" "ubuntu" {
   count = var.use_packer_image == true ? 0 : 1
 
@@ -63,6 +63,7 @@ data "aws_ami" "ubuntu" {
   owners = ["099720109477"] # Canonical
 }
 
+# Use Our own Packer built Private AMI
 data "aws_ami" "packer" {
   count = var.use_packer_image == true ? 1 : 0
 
@@ -236,13 +237,13 @@ resource "aws_security_group_rule" "gcp_hashiqube" {
 }
 
 # tfsec:ignore:aws-vpc-disallow-mixed-sgr
-resource "aws_security_group_rule" "whitelist_cidr" {
-  count             = var.whitelist_cidr != "" ? 1 : 0
+resource "aws_security_group_rule" "whitelist_cidrs" {
+  count             = var.whitelist_cidrs != "" ? 1 : 0
   description       = "Allow Your Whitelist CIDR addresses"
   type              = "ingress"
   to_port           = 65535
   protocol          = "all"
-  cidr_blocks       = [var.whitelist_cidr]
+  cidr_blocks       = var.whitelist_cidrs
   from_port         = 0
   security_group_id = aws_security_group.hashiqube.id
 }

diff --git a/modules/aws-hashiqube/variables.tf b/modules/aws-hashiqube/variables.tf
@@ -40,10 +40,17 @@ variable "gcp_hashiqube_ip" {
   description = "GCP Hahiqube IP address"
 }
 
-variable "whitelist_cidr" {
-  description = "Additional CIDR to whitelist"
-  type        = string
-  default     = "20.191.210.171/32" # Example: 0.0.0.0/0
+variable "whitelist_cidrs" {
+  description = "Additional CIDRs to whitelist"
+  type        = list(any)
+  default = [
+    "52.86.200.106/32",
+    "52.86.201.227/32",
+    "52.70.186.109/32",
+    "44.236.246.186/32",
+    "54.185.161.84/32",
+    "44.238.78.236/32",
+  ]
 }
 
 variable "ssh_public_key" {

diff --git a/modules/azure-hashiqube/README.md b/modules/azure-hashiqube/README.md
@@ -25,7 +25,7 @@ The following resources are used by this module:
 - [azurerm_network_security_group.my_ipaddress](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/network_security_group) (resource)
 - [azurerm_network_security_group.terraform_cloud_api_ip_ranges](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/network_security_group) (resource)
 - [azurerm_network_security_group.terraform_cloud_notifications_ip_ranges](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/network_security_group) (resource)
-- [azurerm_network_security_group.whitelist_cidr](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/network_security_group) (resource)
+- [azurerm_network_security_group.whitelist_cidrs](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/network_security_group) (resource)
 - [azurerm_public_ip.hashiqube](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/public_ip) (resource)
 - [azurerm_resource_group.hashiqube](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/resource_group) (resource)
 - [azurerm_subnet.hashiqube](https://registry.terraform.io/providers/hashicorp/azurerm/3.57.0/docs/resources/subnet) (resource)
@@ -106,6 +106,14 @@ Type: `bool`
 
 Default: `false`
 
+### <a name="input_docker_version"></a> [docker_version](#input_docker_version)
+
+Description: The Docker version you would like to install
+
+Type: `string`
+
+Default: `"latest"`
+
 ### <a name="input_gcp_hashiqube_ip"></a> [gcp_hashiqube_ip](#input_gcp_hashiqube_ip)
 
 Description: GCP Hahiqube IP address
@@ -180,13 +188,24 @@ Type: `string`
 
 Default: `"basetools,docker,consul,vault,nomad,boundary,waypoint"`
 
-### <a name="input_whitelist_cidr"></a> [whitelist_cidr](#input_whitelist_cidr)
+### <a name="input_whitelist_cidrs"></a> [whitelist_cidrs](#input_whitelist_cidrs)
 
-Description: Additional CIDR to whitelist
+Description: Additional CIDRs to whitelist
 
-Type: `string`
+Type: `list(any)`
 
-Default: `"20.191.210.171/32"`
+Default:
+
+```json
+[
+  "52.86.200.106/32",
+  "52.86.201.227/32",
+  "52.70.186.109/32",
+  "44.236.246.186/32",
+  "54.185.161.84/32",
+  "44.238.78.236/32"
+]
+```
 
 ## Outputs
 

diff --git a/modules/azure-hashiqube/main.tf b/modules/azure-hashiqube/main.tf
@@ -27,7 +27,6 @@ resource "null_resource" "hashiqube" {
     deploy_to_aws        = var.deploy_to_aws
     deploy_to_azure      = var.deploy_to_azure
     deploy_to_gcp        = var.deploy_to_gcp
-    whitelist_cidr       = var.whitelist_cidr
     my_ipaddress         = data.external.myipaddress.result.ip
     ssh_public_key       = var.ssh_public_key
     aws_hashiqube_ip     = var.aws_hashiqube_ip
@@ -169,20 +168,20 @@ resource "azurerm_network_security_group" "gcp_hashiqube_ip" {
   }
 }
 
-resource "azurerm_network_security_group" "whitelist_cidr" {
-  count               = var.whitelist_cidr != "" ? 1 : 0
+resource "azurerm_network_security_group" "whitelist_cidrs" {
+  count               = var.whitelist_cidrs != "" ? 1 : 0
   name                = "whitelist_cidr"
   location            = var.azure_region
   resource_group_name = azurerm_resource_group.hashiqube.name
   security_rule {
-    name                         = "whitelist_cidr"
+    name                         = "whitelist_cidrs"
     priority                     = 1005
     direction                    = "Inbound"
     access                       = "Allow"
     protocol                     = "Tcp"
     source_port_range            = "*"
     destination_port_range       = "*"
-    source_address_prefixes      = [var.whitelist_cidr]
+    source_address_prefixes      = var.whitelist_cidrs
     destination_address_prefixes = [azurerm_network_interface.hashiqube.private_ip_address]
   }
   tags = {

diff --git a/modules/azure-hashiqube/variables.tf b/modules/azure-hashiqube/variables.tf
@@ -40,10 +40,17 @@ variable "gcp_hashiqube_ip" {
   description = "GCP Hahiqube IP address"
 }
 
-variable "whitelist_cidr" {
-  description = "Additional CIDR to whitelist"
-  type        = string
-  default     = "20.191.210.171/32" # Example: 0.0.0.0/0
+variable "whitelist_cidrs" {
+  description = "Additional CIDRs to whitelist"
+  type        = list(any)
+  default = [
+    "52.86.200.106/32",
+    "52.86.201.227/32",
+    "52.70.186.109/32",
+    "44.236.246.186/32",
+    "54.185.161.84/32",
+    "44.238.78.236/32",
+  ]
 }
 
 variable "ssh_public_key" {

diff --git a/modules/gcp-hashiqube/README.md b/modules/gcp-hashiqube/README.md
@@ -24,7 +24,7 @@ The following resources are used by this module:
 - [google_compute_firewall.my_ipaddress](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) (resource)
 - [google_compute_firewall.terraform_cloud_api_ip_ranges](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) (resource)
 - [google_compute_firewall.terraform_cloud_notifications_ip_ranges](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) (resource)
-- [google_compute_firewall.whitelist_cidr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) (resource)
+- [google_compute_firewall.whitelist_cidrs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) (resource)
 - [google_compute_instance_template.hashiqube](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template) (resource)
 - [google_compute_region_instance_group_manager.hashiqube](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_instance_group_manager) (resource)
 - [google_project_iam_member.hashiqube](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) (resource)
@@ -98,6 +98,14 @@ Type: `bool`
 
 Default: `false`
 
+### <a name="input_docker_version"></a> [docker_version](#input_docker_version)
+
+Description: The Docker version you would like to install
+
+Type: `string`
+
+Default: `"latest"`
+
 ### <a name="input_gcp_account_id"></a> [gcp_account_id](#input_gcp_account_id)
 
 Description: Account ID
@@ -274,13 +282,24 @@ Type: `string`
 
 Default: `"basetools,docker,consul,vault,nomad,boundary,waypoint"`
 
-### <a name="input_whitelist_cidr"></a> [whitelist_cidr](#input_whitelist_cidr)
+### <a name="input_whitelist_cidrs"></a> [whitelist_cidrs](#input_whitelist_cidrs)
 
-Description: Additional CIDR to whitelist
+Description: Additional CIDRs to whitelist
 
-Type: `string`
+Type: `list(any)`
 
-Default: `"20.191.210.171/32"`
+Default:
+
+```json
+[
+  "52.86.200.106/32",
+  "52.86.201.227/32",
+  "52.70.186.109/32",
+  "44.236.246.186/32",
+  "54.185.161.84/32",
+  "44.238.78.236/32"
+]
+```
 
 ## Outputs
 

diff --git a/modules/gcp-hashiqube/main.tf b/modules/gcp-hashiqube/main.tf
@@ -30,7 +30,6 @@ resource "null_resource" "hashiqube" {
     deploy_to_aws        = var.deploy_to_aws
     deploy_to_azure      = var.deploy_to_azure
     deploy_to_gcp        = var.deploy_to_gcp
-    whitelist_cidr       = var.whitelist_cidr
     my_ipaddress         = data.external.myipaddress.result.ip
     gcp_project          = var.gcp_project
     gcp_credentials      = var.gcp_credentials
@@ -185,8 +184,8 @@ resource "google_compute_firewall" "gcp_hashiqube_ip" {
   source_ranges = ["${google_compute_address.hashiqube.address}/32"]
 }
 
-resource "google_compute_firewall" "whitelist_cidr" {
-  count   = var.whitelist_cidr != "" ? 1 : 0
+resource "google_compute_firewall" "whitelist_cidrs" {
+  count   = var.whitelist_cidrs != "" ? 1 : 0
   name    = "whitelist-cidr"
   network = "default"
   project = var.gcp_project
@@ -198,7 +197,7 @@ resource "google_compute_firewall" "whitelist_cidr" {
     protocol = "udp"
     ports    = ["0-65535"]
   }
-  source_ranges = [var.whitelist_cidr]
+  source_ranges = var.whitelist_cidrs
 }
 
 resource "google_compute_firewall" "debug_allow_ssh_cidr_range" {

diff --git a/modules/gcp-hashiqube/variables.tf b/modules/gcp-hashiqube/variables.tf
@@ -40,10 +40,17 @@ variable "azure_hashiqube_ip" {
   description = "Azure Hahiqube IP address"
 }
 
-variable "whitelist_cidr" {
-  description = "Additional CIDR to whitelist"
-  type        = string
-  default     = "20.191.210.171/32" # Example: 0.0.0.0/0
+variable "whitelist_cidrs" {
+  description = "Additional CIDRs to whitelist"
+  type        = list(any)
+  default = [
+    "52.86.200.106/32",
+    "52.86.201.227/32",
+    "52.70.186.109/32",
+    "44.236.246.186/32",
+    "54.185.161.84/32",
+    "44.238.78.236/32",
+  ]
 }
 
 variable "ssh_public_key" {

diff --git a/variables.tf b/variables.tf
@@ -41,10 +41,17 @@ variable "docker_version" {
   default     = "latest"
 }
 
-variable "whitelist_cidr" {
-  description = "Additional CIDR to whitelist"
-  type        = string
-  default     = "20.191.210.171/32" # Example: 0.0.0.0/0
+variable "whitelist_cidrs" {
+  description = "Additional CIDRs to whitelist"
+  type        = list(any)
+  default = [
+    "52.86.200.106/32",
+    "52.86.201.227/32",
+    "52.70.186.109/32",
+    "44.236.246.186/32",
+    "54.185.161.84/32",
+    "44.238.78.236/32",
+  ]
 }
 
 variable "ssh_public_key" {