ISO template users can optionally provide a TF_VAR_resource_ip_whitelist env-var to control the VNET white-list #356

wants to merge 4 commits into from
9 changes: 7 additions & 2 deletions infra/templates/az-isolated-service-single-region/app.tf
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,17 @@ data "external" "ase_subnets" {
]
}

module "resource_ip_wl_helper" {
source = "./helper-ips"
comma_sep_ip_list = var.resource_ip_whitelist
}

module "keyvault" {
source = "../../modules/providers/azure/keyvault"
keyvault_name = local.kv_name
resource_group_name = azurerm_resource_group.app_rg.name
subnet_id_whitelist = values(data.external.ase_subnets.result)
resource_ip_whitelist = var.resource_ip_whitelist
resource_ip_whitelist = module.resource_ip_wl_helper.ips_as_list
providers = {
"azurerm" = "azurerm.app_dev"
}
Expand All @@ -55,7 +60,7 @@ module "container_registry" {
// Note: only premium ACRs allow configuration of network access restrictions
container_registry_sku = "Premium"
subnet_id_whitelist = values(data.external.ase_subnets.result)
resource_ip_whitelist = var.resource_ip_whitelist
resource_ip_whitelist = module.resource_ip_wl_helper.ips_as_list
providers = {
"azurerm" = "azurerm.app_dev"
}
Expand Down
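Review bot: The hunk leaves unstated what an empty `resource_ip_whitelist` means for the Key Vault and ACR network rules fed at lines 51 and 60, which is the security-relevant outcome of making the variable optional. Whether an empty `ips_as_list` results in deny-by-default (only the ASE subnets from `data.external.ase_subnets` reach the resources) or in no restriction at all depends on the two modules' default network action, which is not visible here. I'd add above `module "resource_ip_wl_helper"`: `// Converts the comma-separated TF_VAR_resource_ip_whitelist into a list; an empty value yields [] — confirm the keyvault/ACR modules then restrict access to the ASE subnets only rather than falling open.` Both consuming module blocks continue outside the hunk.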
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ App Dev Subscription and Networking
| name | type | default | description |
|---|---|---|---|
| `App Dev Subscription` | string | | Subscription in which the application dependencies will be deployed to |
| `resource_ip_whitelist` | list[string] | | A list of IPs and/or IP ranges that should have access to VNET isolated resources provisioned by this template |
| `resource_ip_whitelist` | string | | A comma-separated list of IPs and/or IP ranges that should have access to VNET isolated resources provisioned by this template |

**Notes**

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
locals {
split_list = split(",", var.comma_sep_ip_list)
trimmed_list = [for ip in local.split_list : trimspace(ip)]
ips_as_list = compact(concat(local.trimmed_list, var.tail_list))
}
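Review bot: The locals accept any string between commas as an IP rule with no syntactic check, so a typo such as `10.0.0.1/3` or a blanket `0.0.0.0/0` in `TF_VAR_resource_ip_whitelist` is forwarded verbatim into the Key Vault and ACR network ACLs that consume `ips_as_list`. `compact` on line 81 only drops empty entries, so `a,,b` and a trailing comma are tolerated but nothing else is filtered. At minimum document this above the locals block: `# No validation here: every non-empty, trimmed entry is passed to the consumers' network rules as-is; a malformed or 0.0.0.0/0 entry widens access or fails at apply time.` If the consumers require CIDR notation, evaluating `cidrhost(ip, 0)` per entry would reject non-CIDR strings at plan time, but it would also reject bare IPs, so confirm the accepted format before adding that.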
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
output "ips_as_list" {
description = "A list of IP addreses, as a TF List of Strings"
value = local.ips_as_list
}
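Review bot: The output description on line 86 misspells "addresses" and does not say what the list contains or that it is empty when both inputs are empty, which is what a caller wiring it into a network ACL wants to know. Suggested: `description = "IPs/CIDR ranges from comma_sep_ip_list (trimmed, empty entries dropped) followed by tail_list; empty when neither input has entries"`.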
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
package test

import (
"testing"

"github.com/gruntwork-io/terratest/modules/terraform"
"github.com/stretchr/testify/assert"
)

func TestDoesNotRequireTailList(t *testing.T) {
expectedList := []string{"a.a.a.a/aa", "b.b.b.b/bb"}
terraformOptions := &terraform.Options{
TerraformDir: "../..",
Vars: map[string]interface{}{
"comma_sep_ip_list": "a.a.a.a/aa, b.b.b.b/bb",
},
NoColor: true,
}
defer terraform.Destroy(t, terraformOptions)
terraform.InitAndApply(t, terraformOptions)
actualExampleList := terraform.OutputList(t, terraformOptions, "ips_as_list")
assert.Equal(t, expectedList, actualExampleList)
}

func TestPreservesTailList(t *testing.T) {
expectedList := []string{"a.a.a.a/aa", "b.b.b.b/bb", "c.c.c.c/cc"}
terraformOptions := &terraform.Options{
TerraformDir: "../..",
Vars: map[string]interface{}{
"comma_sep_ip_list": "a.a.a.a/aa, b.b.b.b/bb",
"tail_list": []string{"c.c.c.c/cc"},
},
NoColor: true,
}
defer terraform.Destroy(t, terraformOptions)
terraform.InitAndApply(t, terraformOptions)
actualExampleList := terraform.OutputList(t, terraformOptions, "ips_as_list")
assert.Equal(t, expectedList, actualExampleList)
}

func TestBlankInputIsEmptyList(t *testing.T) {
expectedList := []string{}
terraformOptions := &terraform.Options{
TerraformDir: "../..",
Vars: map[string]interface{}{
"comma_sep_ip_list": "",
},
NoColor: true,
}
defer terraform.Destroy(t, terraformOptions)
terraform.InitAndApply(t, terraformOptions)
actualExampleList := terraform.OutputList(t, terraformOptions, "ips_as_list")
assert.Equal(t, expectedList, actualExampleList)
}
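Review bot: The fixtures use `a.a.a.a/aa`-style placeholders, which are not IP addresses, so the tests pin only the split/trim/concat mechanics and would break the moment any address validation is added to the helper; realistic values such as `"10.0.0.1/32, 192.168.0.0/24"` cost nothing and keep that door open. There is also no case for empty entries — the helper's `compact` tolerates `"10.0.0.1/32,, 192.168.0.0/24,"` — nor for `tail_list` being the only source of entries; both are one-line `Vars` changes modelled on `TestBlankInputIsEmptyList`. All three tests `InitAndApply` the same `TerraformDir` and run sequentially, which is fine as written; if anyone adds `t.Parallel()` later they will race on the shared `.terraform` state directory, so a short comment saying the tests are intentionally serial would help.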
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
variable "comma_sep_ip_list" {
description = "A comma-separated list of IPs and/or CIDR/IP ranges that will be converted to a TF list/array, e.g. \"1.1.1.1/32, 8.8.8.8/24\"."
type = string
}

variable "tail_list" {
description = <<HERE
A TF list that will be combined with the `comma_sep_ip_list`, if provided. Items
from the `comma_sep_ip_list` will appear to the left of items from this `tail_list` value."
HERE
type = list(string)
default = []
}
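Review bot: The example in the `comma_sep_ip_list` description on line 148, `8.8.8.8/24`, has host bits set; Azure network rules generally expect the network address, so a copy-pasted value of that shape may be rejected or silently normalised at apply time — use `8.8.8.0/24` in the example. The `tail_list` heredoc on lines 153–156 also ends with a stray `"` inside the text. Suggested: `e.g. \"1.1.1.1/32, 8.8.8.0/24\"` on line 148 and dropping the trailing quote from the heredoc.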
15 changes: 0 additions & 15 deletions infra/templates/az-isolated-service-single-region/terraform.tfvars
Original file line number Diff line number Diff line change
Expand Up @@ -28,21 +28,6 @@ unauthn_deployment_targets = [
}
]

# Note: this is configured as such only to test IP Whitelists. This is a well
# known DNS address
resource_ip_whitelist = ["13.89.34.162/32",
"13.107.6.0/24",
"13.107.9.0/24",
"13.107.42.0/24",
"13.107.43.0/24",
"40.74.0.0/15",
"40.76.0.0/14",
"40.80.0.0/12",
"40.96.0.0/12",
"40.112.0.0/13",
"40.120.0.0/14",
"40.124.0.0/16",
"40.125.0.0/17"]
ase_name = "co-static-ase"
ase_resource_group = "co-static-ase-rg"
ase_vnet_name = "co-static-ase-vnet"
20 changes: 17 additions & 3 deletions infra/templates/az-isolated-service-single-region/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -169,9 +169,23 @@ variable "app_dev_subscription_id" {
// ---- Networking For App Dev Resources ----

variable "resource_ip_whitelist" {
description = "A list of IPs and/or IP ranges that should have access to VNET isolated resources provisioned by this template"
type = list(string)
default = []
description = "A comma-separated list of IPs and/or IP ranges that should have access to VNET isolated resources provisioned by this template"
type = string
default = <<HEREDOC
13.89.34.162/32,
13.107.6.0/24,
13.107.9.0/24,
13.107.42.0/24,
13.107.43.0/24,
40.74.0.0/15,
40.76.0.0/14,
40.80.0.0/12,
40.96.0.0/12,
40.112.0.0/13,
40.120.0.0/14,
40.124.0.0/16,
40.125.0.0/17
HEREDOC
}

# Note: We won't be supporting monitoring rules until we have more direction from the
Expand Down
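Review bot: The new `default` on lines 195–209 turns what the deleted `terraform.tfvars` comment described as a test-only whitelist into the template's production default: any deployment that does not set `TF_VAR_resource_ip_whitelist` now silently grants thirteen external ranges — several of them /12 to /15 blocks — access through the Key Vault and ACR network rules, whereas the previous `default = []` allowed none. That inverts the fail-safe direction for a variable the PR title calls optional. Keep the secure default and move the fixture back to the tfvars or the CI environment: `default = ""` with the description extended by `; when unset, no external IP is allowed`. If the ranges really must remain a default, the dropped provenance comment from the tfvars needs to come with them so a reader knows why they are there. The variable block is complete within the hunk.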