Oasys: INC2742748: ip allow list update (#8747)

* oasys: add additional serco IPs * rename cidr allow list for azure landing zone * update security groups - add missing serco IPs and tidy up * fix * Fix * fix
ministryofjustice · Nov 22, 2024 · aa24d2d · aa24d2d
1 parent 9737f58
commit aa24d2d
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 20 deletions.
diff --git a/terraform/environments/delius-jitbit/locals.tf b/terraform/environments/delius-jitbit/locals.tf
@@ -41,7 +41,7 @@ locals {
     module.ip_addresses.moj_cidr.ark_dc_external_internet,
     module.ip_addresses.moj_cidr.vodafone_dia_networks,
     module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate,
-    module.ip_addresses.moj_cidr.digital_prisons,
+    module.ip_addresses.moj_cidr.mojo_azure_landing_zone_egress,
     [
       # Route53 Healthcheck Access Cidrs
       # London Region not support yet, so metrics are not yet publised, can be enabled at later stage for Route53 endpoint monitor

diff --git a/terraform/environments/oasys/locals_security_groups.tf b/terraform/environments/oasys/locals_security_groups.tf
@@ -37,16 +37,27 @@ locals {
     ])
     ssh = ["10.0.0.0/8"]
     https_internal = flatten([
-      module.ip_addresses.moj_cidr.aws_cloud_platform_vpc,
       "10.0.0.0/8",
+      module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16"
     ])
     https_external = flatten([
       module.ip_addresses.azure_fixngo_cidrs.internet_egress,
       module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
-      module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16"
+      module.ip_addresses.moj_cidr.vodafone_dia_networks,
+      module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate,
       module.ip_addresses.external_cidrs.cloud_platform,
       module.ip_addresses.azure_studio_hosting_public.prod,
-      "10.0.0.0/8"
+      "35.177.125.252/32", "35.177.137.160/32", # infra_ip.j5_phones - probably not needed
+      module.ip_addresses.external_cidrs.sodeco,
+      module.ip_addresses.external_cidrs.interserve,
+      module.ip_addresses.external_cidrs.meganexus,
+      module.ip_addresses.external_cidrs.serco,
+      module.ip_addresses.external_cidrs.rrp,
+      module.ip_addresses.external_cidrs.eos,
+      module.ip_addresses.external_cidrs.oasys_sscl,
+      module.ip_addresses.external_cidrs.dtv,
+      module.ip_addresses.external_cidrs.nps_wales,
+      module.ip_addresses.external_cidrs.dxw,
     ])
     https_external_monitoring = flatten([
       module.ip_addresses.mp_cidrs.live_eu_west_nat,
@@ -80,14 +91,11 @@ locals {
     https_external = flatten([
       module.ip_addresses.azure_fixngo_cidrs.internet_egress,
       module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
-      module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16"
       module.ip_addresses.moj_cidr.vodafone_dia_networks,
       module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate,
       module.ip_addresses.external_cidrs.cloud_platform,
       module.ip_addresses.azure_studio_hosting_public.prod,
-      "35.177.125.252/32", "35.177.137.160/32",                                                     # trusted_appgw_external_client_ips infra_ip.j5_phones
-      "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32",                  # Azure Landing Zone Egress
-      "195.59.75.0/24", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", # dom1_eucs_ras
+      "35.177.125.252/32", "35.177.137.160/32", # infra_ip.j5_phones - probably not needed
       module.ip_addresses.external_cidrs.sodeco,
       module.ip_addresses.external_cidrs.interserve,
       module.ip_addresses.external_cidrs.meganexus,
@@ -226,14 +234,11 @@ locals {
           self        = true
         }
         http8080 = {
-          description = "Allow http8080 ingress"
-          from_port   = 0
-          to_port     = 8080
-          protocol    = "tcp"
-          cidr_blocks = flatten([
-            local.security_group_cidrs.https_internal,
-            local.security_group_cidrs.https_external,
-          ])
+          description     = "Allow http8080 ingress"
+          from_port       = 0
+          to_port         = 8080
+          protocol        = "tcp"
+          cidr_blocks     = local.security_group_cidrs.https_internal
           security_groups = ["private_lb", "public_lb"]
         }
       }

diff --git a/terraform/modules/ip_addresses/external.tf b/terraform/modules/ip_addresses/external.tf
@@ -30,7 +30,11 @@ locals {
       "49.248.250.6/32"
     ]
     serco = [
-      "217.22.14.0/24"
+      "217.22.14.0/24",
+      "18.135.54.44/32",
+      "18.175.105.241/32",
+      "35.177.142.157/32",
+      "128.77.110.45/32",
     ]
     rrp = [
       "62.253.83.37/32"

diff --git a/terraform/modules/ip_addresses/moj.tf b/terraform/modules/ip_addresses/moj.tf
@@ -27,7 +27,6 @@ locals {
     mojo_arkf_internet_egress_exponential_e = "51.149.249.32/29"
     mojo_arkf_internet_egress_vodafone      = "194.33.248.0/29"
 
-
     ark_dc_external_internet = [
       "195.59.75.0/24",
       "194.33.192.0/25",
@@ -42,7 +41,7 @@ locals {
       "194.33.218.0/24"
     ]
 
-    digital_prisons = [
+    mojo_azure_landing_zone_egress = [
       "20.49.214.199/32",
       "20.49.214.228/32",
       "20.26.11.71/32",
@@ -53,7 +52,6 @@ locals {
     palo_alto_primsa_access_third_party = "128.77.75.0/25"
     palo_alto_primsa_access_residents   = "128.77.75.128/26"
 
-
     ark_dc_external_internet = [
       "195.59.75.0/24",
       "194.33.192.0/25",
@@ -92,6 +90,7 @@ locals {
       local.moj_cidr.mojo_arkf_internet_egress_exponential_e,
       local.moj_cidr.mojo_arkf_internet_egress_vodafone,
       local.moj_cidr.ark_dc_external_internet,
+      local.moj_cidr.mojo_azure_landing_zone_egress
     ])
 
     trusted_moj_enduser_internal = [