From 4043fa1b265c17f18ca27265b22af2dfa14c484f Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Thu, 30 May 2024 16:08:06 +0100
Subject: [PATCH 1/3] add all moj ips

---
 .../delius-core/modules/delius_environment/alb_frontend.tf | 6 +++---
 .../delius-core/modules/delius_environment/locals.tf | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf b/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf
index 39dfd39593f..0515a6f3f1c 100644
--- a/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf
@@ -27,7 +27,7 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress
 }
 
 resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_https_global_protect_allowlist" {
- for_each = toset(local.globalprotect_ips)
+ for_each = toset(local.moj_ips)
 security_group_id = aws_security_group.delius_frontend_alb_security_group.id
 description = "access into delius core frontend alb over https"
 from_port = "443"
@@ -37,7 +37,7 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress
 }
 
 resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_global_protect_allowlist" {
- for_each = toset(local.globalprotect_ips)
+ for_each = toset(local.moj_ips)
 security_group_id = aws_security_group.delius_frontend_alb_security_group.id
 description = "access into delius core frontend alb over http (will redirect)"
 from_port = "80"
@@ -151,4 +151,4 @@ resource "aws_lb_listener_rule" "blocked_paths_listener_rule" {
 status_code = "404"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/environments/delius-core/modules/delius_environment/locals.tf b/terraform/environments/delius-core/modules/delius_environment/locals.tf
index 333ae85c623..0ee1201ea5e 100644
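Review bot: The two rules changed in the first two hunks keep the name `..._global_protect_allowlist` and their old `description` strings while `for_each` now iterates `local.moj_ips`, which per the locals.tf hunk of this patch concatenates three MoJ CIDR lists rather than the GlobalProtect range, so the resource names, the descriptions and the trailing `# Global Protect VPN` comments on the rules' `cidr_ipv4` lines (outside these hunks) no longer say which addresses are admitted. At minimum update the description so the rule set is readable in the console, e.g. `description = "access into delius core frontend alb over https from trusted MoJ CIDRs"`. Renaming the resources would replace every per-CIDR rule unless a `moved` block accompanies it, so a comment on the resource is the cheaper fix. The third hunk only restores the missing trailing newline.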
--- a/terraform/environments/delius-core/modules/delius_environment/locals.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/locals.tf
@@ -21,7 +21,7 @@ locals {
 certificate_arn = aws_acm_certificate.external.arn
- globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha
+ moj_ips = concat(module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public, module.ip_addresses.moj_cidrs.trusted_moj_enduser_internal, module.ip_addresses.moj_cidrs.trusted_mojo_public)
 unilink_ips = [
 "194.75.210.216/29", # Unilink AOVPN
 "83.98.63.176/29", # Unilink AOVPN
@@ -36,7 +36,7 @@ locals {
 "217.138.45.109/32", # Unilink AOVPN
 "217.138.45.110/32", # Unilink AOVPN
 ]
- all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
+ all_ingress_ips = concat(local.moj_ips, local.unilink_ips)
 secret_prefix = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}"
 application_secret_name = "${local.secret_prefix}-application-passwords"

From 43d9f513f453574b4372626843cec7347a037fbf Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Thu, 30 May 2024 17:45:03 +0100
Subject: [PATCH 2/3] add ark egress IPs

---
 terraform/modules/ip_addresses/moj.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/terraform/modules/ip_addresses/moj.tf b/terraform/modules/ip_addresses/moj.tf
index c7a0daaf2d1..149cb51c062 100644
--- a/terraform/modules/ip_addresses/moj.tf
+++ b/terraform/modules/ip_addresses/moj.tf
@@ -24,9 +24,17 @@ locals {
 mojo_arkf_internet_egress_exponential_e = "51.149.249.32/29"
 mojo_arkf_internet_egress_vodafone = "194.33.248.0/29"
+
+ ark_dc_external_internet = [
+ "195.59.75.0/24",
+ "194.33.192.0/25",
+ "194.33.193.0/25",
+ "194.33.196.0/25",
+ "194.33.197.0/25"
+ ]
+
 # for devices connected to Prison Networks
 vodafone_wan_nicts_aggregate = "10.80.0.0/12"
-
 # For users without an MOJ Official device, e.g. private prisons
 mojo_azure_landing_zone = "10.192.0.0/16"
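Review bot: `moj_ips` widens the frontend allowlist from one GlobalProtect range to three concatenated lists, and alb_frontend.tf turns every CIDR into its own `aws_vpc_security_group_ingress_rule` through `toset(local.moj_ips)`, so the number of rules per security group grows by the combined size of those lists; check the resulting count against the account's per-security-group rule quota before applying, since a failed apply here leaves the allowlist half-updated. `trusted_moj_enduser_internal` is by name internal address space, and the moj.tf hunk of the next patch shows `10.x` ranges for prison-network devices living in the same module; if that list carries RFC 1918 ranges they cannot reach an ALB that the `tfsec:ignore:aws-elb-alb-not-public` marker on `aws_lb.delius_core_frontend` suggests is internet-facing, so confirm it is needed rather than copied in, e.g. with a comment `# enduser_internal included because <reason>` on the `moj_ips` line. Overlap between the three lists is not a correctness issue because `toset` drops duplicates. Both hunks sit inside a `locals {` block that opens before the hunk.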
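Review bot: `ark_dc_external_internet` is added without a comment while the neighbouring entries in this hunk each carry one (`# for devices connected to Prison Networks`, `# For users without an MOJ Official device, e.g. private prisons`); a public range placed in a trusted list becomes an allowlist entry for every consumer of `trusted_mojo_public`, so record what the five CIDRs are and where they were obtained, e.g. `# ARK data-centre external internet egress ranges (source: <ticket or reference>)`. It is also the only entry visible in this hunk whose value is a list rather than a single CIDR string, which matters for how the consuming expression treats it. The deleted blank line before `# For users ...` looks unintended, though harmless.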
@@ -53,6 +61,7 @@ locals {
 local.moj_cidr.mojo_arkc_internet_egress_vodafone,
 local.moj_cidr.mojo_arkf_internet_egress_exponential_e,
 local.moj_cidr.mojo_arkf_internet_egress_vodafone,
+ local.moj_cidr.ark_dc_external_internet,
 ])
 
 trusted_moj_enduser_internal = [

From 9acc444df775a215435b8cc82cec0b30f70f891e Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Thu, 30 May 2024 17:54:04 +0100
Subject: [PATCH 3/3] 443 only

---
 .../delius_environment/alb_ancillary.tf | 18 +++++++++---------
 .../modules/delius_environment/alb_frontend.tf | 18 +++++++++---------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf b/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf
index 66deec7d241..559b696900b 100644
--- a/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/alb_ancillary.tf
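Review bot: `local.moj_cidr.ark_dc_external_internet` is a list of five CIDRs whereas every sibling element in this `[...]` is a single string, and the function that wraps the list (`concat`/`flatten`, closing at `])`) opens before the hunk so its name is not visible. If the wrapper is `flatten([...])` the nesting is harmless; if it is `concat([...])` or a plain list, the five ranges stay nested as one element, and `toset(local.moj_ips)` in delius_environment would then likely fail on a mixed string/list element, or the ranges would not become rules at all. Confirm the wrapper, or pass the list as its own argument, e.g. `], local.moj_cidr.ark_dc_external_internet)` in place of the closing `])`, with a comment noting that the entry is a list.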
@@ -18,15 +18,15 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_glob
 cidr_ipv4 = each.key # Global Protect VPN
 }
 
-resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" {
- for_each = toset(local.all_ingress_ips)
- security_group_id = aws_security_group.ancillary_alb_security_group.id
- description = "Access into alb over http (will redirect)"
- from_port = "80"
- to_port = "80"
- ip_protocol = "tcp"
- cidr_ipv4 = each.key # Global Protect VPN
-}
+# resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" {
+# for_each = toset(local.all_ingress_ips)
+# security_group_id = aws_security_group.ancillary_alb_security_group.id
+# description = "Access into alb over http (will redirect)"
+# from_port = "80"
+# to_port = "80"
+# ip_protocol = "tcp"
+# cidr_ipv4 = each.key # Global Protect VPN
+# }
 
 resource "aws_vpc_security_group_egress_rule" "ancillary_alb_egress_private" {
 security_group_id = aws_security_group.ancillary_alb_security_group.id
diff --git a/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf b/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf
index 0515a6f3f1c..f74de6b131d 100644
--- a/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf
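Review bot: The HTTP ingress rule is commented out rather than deleted, leaving nine `#`-prefixed lines of dead configuration that will drift from the live https rule above it; git history already preserves the block, so remove it outright (the alb_frontend.tf hunk in this patch does the same and should get the same treatment). If the intent is to re-enable port 80 per environment, keep the resource and gate its `for_each` on a variable instead, e.g. `for_each = var.enable_http_ingress ? toset(local.all_ingress_ips) : toset([])` (variable name constructed), with a comment stating the default is closed. The https rule whose tail opens this hunk starts before the hunk.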
@@ -36,15 +36,15 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress
 cidr_ipv4 = each.key # Global Protect VPN
 }
 
-resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_global_protect_allowlist" {
- for_each = toset(local.moj_ips)
- security_group_id = aws_security_group.delius_frontend_alb_security_group.id
- description = "access into delius core frontend alb over http (will redirect)"
- from_port = "80"
- to_port = "80"
- ip_protocol = "tcp"
- cidr_ipv4 = each.key # Global Protect VPN
-}
+# resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_global_protect_allowlist" {
+# for_each = toset(local.moj_ips)
+# security_group_id = aws_security_group.delius_frontend_alb_security_group.id
+# description = "access into delius core frontend alb over http (will redirect)"
+# from_port = "80"
+# to_port = "80"
+# ip_protocol = "tcp"
+# cidr_ipv4 = each.key # Global Protect VPN
+# }
 
 # tfsec:ignore:aws-elb-alb-not-public
 resource "aws_lb" "delius_core_frontend" {
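Review bot: Closing port 80 in the security group is only half the change: the removed rule's own description, `"access into delius core frontend alb over http (will redirect)"`, implies a port-80 listener performing the redirect, and nothing in this patch touches a listener (inferred; the listener is not visible here). With the group closed, a client using the http:// URL now gets a connection timeout instead of a redirect to https, and a still-configured listener is left behind with no reachable path, which is confusing on the next audit of the ALB. Either remove the redirect listener alongside this rule, or add a comment where the rule was, e.g. `# port 80 ingress intentionally closed; the http listener is kept for <reason>`, so the asymmetry is documented. The alb_ancillary.tf hunk in this patch removes a rule with the same "(will redirect)" description and has the same gap.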