Merge branch 'moj_ip_cidrs_delius_core' into nextcloud-config-file

terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf

@@ -18,15 +18,15 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_glob
   cidr_ipv4         = each.key # Global Protect VPN
 }
 
-resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" {
-  for_each          = toset(local.all_ingress_ips)
-  security_group_id = aws_security_group.ancillary_alb_security_group.id
-  description       = "Access into alb over http (will redirect)"
-  from_port         = "80"
-  to_port           = "80"
-  ip_protocol       = "tcp"
-  cidr_ipv4         = each.key # Global Protect VPN
-}
+# resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" {
+#   for_each          = toset(local.all_ingress_ips)
+#   security_group_id = aws_security_group.ancillary_alb_security_group.id
+#   description       = "Access into alb over http (will redirect)"
+#   from_port         = "80"
+#   to_port           = "80"
+#   ip_protocol       = "tcp"
+#   cidr_ipv4         = each.key # Global Protect VPN
+# }
 
 resource "aws_vpc_security_group_egress_rule" "ancillary_alb_egress_private" {
   security_group_id = aws_security_group.ancillary_alb_security_group.id

terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf

@@ -27,7 +27,7 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress
 }
 
 resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_https_global_protect_allowlist" {
-  for_each          = toset(local.globalprotect_ips)
+  for_each          = toset(local.moj_ips)
   security_group_id = aws_security_group.delius_frontend_alb_security_group.id
   description       = "access into delius core frontend alb over https"
   from_port         = "443"
@@ -36,15 +36,15 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress
   cidr_ipv4         = each.key # Global Protect VPN
 }
 
-resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_global_protect_allowlist" {
-  for_each          = toset(local.globalprotect_ips)
-  security_group_id = aws_security_group.delius_frontend_alb_security_group.id
-  description       = "access into delius core frontend alb over http (will redirect)"
-  from_port         = "80"
-  to_port           = "80"
-  ip_protocol       = "tcp"
-  cidr_ipv4         = each.key # Global Protect VPN
-}
+# resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_global_protect_allowlist" {
+#   for_each          = toset(local.moj_ips)
+#   security_group_id = aws_security_group.delius_frontend_alb_security_group.id
+#   description       = "access into delius core frontend alb over http (will redirect)"
+#   from_port         = "80"
+#   to_port           = "80"
+#   ip_protocol       = "tcp"
+#   cidr_ipv4         = each.key # Global Protect VPN
+# }
 
 # tfsec:ignore:aws-elb-alb-not-public
 resource "aws_lb" "delius_core_frontend" {
@@ -151,4 +151,4 @@ resource "aws_lb_listener_rule" "blocked_paths_listener_rule" {
       status_code  = "404"
     }
   }
-}
+}

terraform/environments/delius-core/modules/delius_environment/locals.tf

@@ -21,7 +21,7 @@ locals {
 
   certificate_arn = aws_acm_certificate.external.arn
 
-  globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha
+  moj_ips = concat(module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public, module.ip_addresses.moj_cidrs.trusted_moj_enduser_internal, module.ip_addresses.moj_cidrs.trusted_mojo_public)
   unilink_ips = [
     "194.75.210.216/29", # Unilink AOVPN
     "83.98.63.176/29",   # Unilink AOVPN
@@ -36,7 +36,7 @@ locals {
     "217.138.45.109/32", # Unilink AOVPN
     "217.138.45.110/32", # Unilink AOVPN
   ]
-  all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
+  all_ingress_ips = concat(local.moj_ips, local.unilink_ips)
 
   secret_prefix           = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}"
   application_secret_name = "${local.secret_prefix}-application-passwords"

terraform/modules/ip_addresses/moj.tf

@@ -24,9 +24,17 @@ locals {
     mojo_arkf_internet_egress_exponential_e = "51.149.249.32/29"
     mojo_arkf_internet_egress_vodafone      = "194.33.248.0/29"
 
+
+    ark_dc_external_internet = [
+      "195.59.75.0/24",
+      "194.33.192.0/25",
+      "194.33.193.0/25",
+      "194.33.196.0/25",
+      "194.33.197.0/25"
+    ]
+
     # for devices connected to Prison Networks
     vodafone_wan_nicts_aggregate = "10.80.0.0/12"
-
     # For users without an MOJ Official device, e.g. private prisons
     mojo_azure_landing_zone = "10.192.0.0/16"
 
@@ -53,6 +61,7 @@ locals {
       local.moj_cidr.mojo_arkc_internet_egress_vodafone,
       local.moj_cidr.mojo_arkf_internet_egress_exponential_e,
       local.moj_cidr.mojo_arkf_internet_egress_vodafone,
+      local.moj_cidr.ark_dc_external_internet,
     ])
 
     trusted_moj_enduser_internal = [