
Merge pull request #503 from mdr-engineering/feature/ftd_MSOCI-2281_MoveVPNtoPrivateSubnets

Moves VPN to private subnets; Updates employee_ips / trusted_ips / admin_ips
Frederick Damstra 3 years ago
parent
commit
8a9ef0938f

+ 7 - 7
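--- a/base/aws_client_vpn/vpn.tf
+++ b/base/aws_client_vpn/vpn.tf
@@ -58,14 +58,14 @@ resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
   count = local.redundancy_count
 
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
-  subnet_id              = var.public_subnets[count.index]
+  subnet_id              = var.private_subnets[count.index]
 
-  lifecycle {
-    // The issue why we are ignoring changes is that on every change
-    // terraform screws up most of the vpn assosciations
-    // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
-    ignore_changes = [subnet_id]
-  }
+  #  lifecycle {
+  #    // The issue why we are ignoring changes is that on every change
+  #    // terraform screws up most of the vpn assosciations
+  #    // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
+  #    ignore_changes = [subnet_id]
+  #  }
 }
 
 resource "aws_ec2_client_vpn_route" "default" {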
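Review bot: The `lifecycle { ignore_changes = [subnet_id] }` block is commented out rather than deleted, so the resource now carries six lines of dead code whose provider-issue link no longer describes the live configuration. Dropping `ignore_changes` is what lets the move to `var.private_subnets` actually apply, but it also means later `subnet_id` drift on these associations is no longer suppressed, and the cited issue (hashicorp/terraform-provider-aws#14717) says such changes can recreate most associations and drop connected clients. I would delete the commented block and leave a single line in its place, e.g. `# ignore_changes on subnet_id was dropped so the public->private subnet move applies; if provider issue 14717 (association churn on change) recurs, re-add it.`.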

+ 3 - 4
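--- a/base/customer_portal/elb.tf
+++ b/base/customer_portal/elb.tf
@@ -1,10 +1,9 @@
-
 # ---------------------------------------------------------------------------------------------------------------------
 # LOAD BALANCER FOR PORTAL
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_alb" "portal" {
-	# checkov:skip=CKV_AWS_150: We don't want 'protection enabled'
-	# checkov:skip=CKV2_AWS_28: Portal is protected by WAF
+  # checkov:skip=CKV_AWS_150: We don't want 'protection enabled'
+  # checkov:skip=CKV2_AWS_28: Portal is protected by WAF
   name                       = "portal-alb-${var.environment}"
   security_groups            = [aws_security_group.customer_portal_alb.id, ]
   internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
@@ -129,7 +128,7 @@ resource "aws_security_group_rule" "customer_portal_alb_https_test" {
   from_port         = 443
   to_port           = 443
   security_group_id = aws_security_group.customer_portal_alb.id
-  cidr_blocks       = flatten(distinct(concat(local.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips), local.trusted_ips)))
+  cidr_blocks       = flatten(distinct(concat(local.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips), local.admin_ips)))
 }
 
 ## Needed for HTTPs redirect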
 
 ## Needed for HTTPs redirect

+ 1 - 1
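--- a/base/github/elb.tf
+++ b/base/github/elb.tf
@@ -61,7 +61,7 @@ module "elb" {
   excluded_set_AWSManagedRulesUnixRuleSet            = true
   #additional_blocked_ips = []
   #allowed_ips = []
-  admin_ips = local.trusted_ips
+  admin_ips = local.admin_ips
 
   # Optional Variables
   healthcheck_port     = 443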
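Review bot: `admin_ips = local.admin_ips` widens whatever the module gates with this variable from the eight-entry `trusted_ips` list to the new `admin_ips`, which per `variables/employee_ips.tf` in this commit also contains the six test/prod VPN NAT gateway egress addresses, so every connected VPN client matches, not just the named admins. That appears to be the commit's intent but nothing at the call site says so; a short comment would keep the next reader from assuming this is still a per-person list, e.g. `# admin_ips = trusted_ips + named admins + the Client VPN NAT gateway egress IPs (variables/employee_ips.tf)`. The `module "elb"` block starts before this hunk.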

+ 1 - 6
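--- a/base/github/securitygroups-load-balancers.tf
+++ b/base/github/securitygroups-load-balancers.tf
@@ -24,11 +24,6 @@ locals {
     "18.252.61.81/32",   # Salt master dev - proxy
     "18.253.226.199/32", # salt aster dev
   ]
-  # Locking down sources on 2021-12-10 due to log4j vulnerability
-  #allowed_sources = local.zscalar_cidrs
-  #allowed_sources = concat(local.trusted_ips, local.zscalar_cidrs)
-  #allowed_sources = concat(local.zscalar_cidrs, local.trusted_ips, local.salt_masters)
-  # Restored access on 2021-12-14
   allowed_sources = ["0.0.0.0/0"]
 }
 
@@ -36,7 +31,7 @@ locals {
 # SG for the Internal ELB
 #----------------------------------------------------------------
 resource "aws_security_group" "ghe_elb_internal" {
-	# checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
+  # checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
   name_prefix = "ghe_elb_internal"
   tags        = merge(local.standard_tags, var.tags, { Name = "github-internal-lb" })
   vpc_id      = var.vpc_id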
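Review bot: With the lockdown history deleted, `allowed_sources = ["0.0.0.0/0"]` in the first hunk no longer carries any note on why the GHE load balancer is world-reachable or what the restricted form looked like during the log4j response, and those five lines were the only record of it. I would keep one line beside it so the fallback is a one-line change under pressure rather than something to rediscover, e.g. `# Emergency lockdown (used 2021-12-10..14): concat(local.zscalar_cidrs, local.trusted_ips, local.salt_masters)`. Note that the deleted text referenced `local.zscalar_cidrs` while `variables/employee_ips.tf` in this commit defines `zscalar_ips`, so confirm which name actually exists before relying on it. The `locals` block opens before this hunk.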

+ 1 - 1
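--- a/base/jira/instance_jira/elb.tf
+++ b/base/jira/instance_jira/elb.tf
@@ -12,7 +12,7 @@ module "external_elb" {
   server_port     = 8080   # default 443
   server_protocol = "HTTP" # default HTTPS
   # health_check_path = "/" # default /
-  inbound_cidrs = var.environment == "test" ? local.trusted_ips : ["0.0.0.0/0"] # default 0.0.0.0/0
+  inbound_cidrs = var.environment == "test" ? local.admin_ips : ["0.0.0.0/0"] # default 0.0.0.0/0
   # sticky_sessions = true # default true
 
   # inherited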
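Review bot: The ternary on the `inbound_cidrs` line fails open: only an environment string exactly equal to `"test"` gets the `admin_ips` restriction, and every other value (prod, but equally a typo or a future `dev`/`staging`) exposes the Jira ELB to `0.0.0.0/0`. If production is the only environment meant to be public, invert it so the default is closed, e.g. `inbound_cidrs = var.environment == "prod" ? ["0.0.0.0/0"] : local.admin_ips` (substituting whatever value `var.environment` actually holds in prod). The `module "external_elb"` block starts before this hunk.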

+ 1 - 1
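--- a/base/standalone_vpc/security-groups.tf
+++ b/base/standalone_vpc/security-groups.tf
@@ -31,7 +31,7 @@ module "allow_all_from_trusted_sg" {
   tags            = merge(local.standard_tags, var.tags)
   vpc_id          = module.vpc.vpc_id
 
-  ingress_cidr_blocks = concat(local.trusted_ips, ["10.0.0.0/8"])
+  ingress_cidr_blocks = local.trusted_ips
   egress_cidr_blocks  = ["0.0.0.0/0"]
   ingress_rules       = ["all-all"]
   egress_rules        = ["all-all"]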
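Review bot: Dropping `10.0.0.0/8` from `ingress_cidr_blocks` is a genuine tightening of an `all-all` ingress rule, but nothing records what in-VPC traffic relied on that entry; if this VPC or a peered one uses a 10/8 range, any internal source that matched only the blanket allow stops matching this group after apply — as far as I understand Client VPN, that includes VPN sessions, whose traffic is source-NATed to the association subnet before it reaches in-VPC targets, and this commit's `trusted_ips` does not cover them. A one-line comment on the new line would make the intent explicit, e.g. `# Only the short trusted_ips list; in-VPC and VPN sources need their own SG rules, not a blanket 10/8 allow`, and it is worth confirming that the resources behind this group have another path for VPN clients. The `module "allow_all_from_trusted_sg"` block begins before this hunk.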

+ 38 - 37
variables/employee_ips.tf

@@ -3,53 +3,54 @@
 # Fred dreams of deleting this file completely.
 locals {
 
-  trusted_ips = [        # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
+  # "Trusted IPs" are used for the bastion host and for testing direct access to things like alsi.
+  # These are sensitive, so keep the list small! Consider using 'admin_ips' instead!
+  trusted_ips = [
     "108.203.37.38/32",  # Duane Waddle
     "24.11.231.98/32",   # George Starcher
     "99.151.37.185/32",  # Wesley Leonard
     "73.10.53.113/32",   # Rick Page Home
     "74.211.32.26/32",   # Brad Poulton
-    "70.160.60.248/32",  # Brandon Naughton
+    "71.120.148.108/32", # Brandon Naughton
     "67.167.142.200/32", # Fred Damstra
     "188.210.17.19/32",  # Jeremy Cooper
-    "97.117.127.174/32", # Colby Williams
-    # We currently have the VPN in a public subnet and we are using a internet gateway. If we want a static egress IP we need to use a private subnet for the VPN and a NAT gateway.
-    # https://aws.amazon.com/premiumsupport/knowledge-center/client-vpn-static-ip-address/
-    "18.252.173.222/32", # Test AWS VPN Internet GW Dynamic IP
-    "18.252.186.82/32",  # Prod AWS VPN Internet GW Dynamic IP
   ]
 
-  portal_test_whitelist = [ # IPs for Portal Test and vmray
-    "12.245.107.250/32",    # DPS Office Legato
-    "12.204.167.162/32",    # DPS Office San Antonio
-    "54.86.98.62/32",       # DPS AWS User VPN
-    "108.203.37.38/32",     # Duane Waddle
-    "24.11.231.98/32",      # George Starcher
-    "99.151.37.185/32",     # Wesley Leonard
-    "73.10.53.113/32",      # Rick Page Home
-    "74.211.32.26/32",      # Brad Poulton
-    "70.160.60.248/32",     # Brandon Naughton
-    "67.167.142.200/32",    # Frederick Damstra
-    "97.117.127.174/32",    # Colby Williams
-    "188.210.17.19/32",     # Jeremy Cooper
-    "73.213.108.186/32",    # LaDonia Wicks
-  ]
+  # Admin IPs are allowed to access the admin pages of systems
+  # Automatically includes "trusted IPs" above
+  admin_ips = flatten(distinct(concat(
+    [
+      "108.28.25.119/32",   # James Kerr Home
+      "104.9.149.90/32",    # Greg Rivas Home
+      "170.248.173.247/32", # AFS site
+      "170.248.173.245/32", # AFS site
+      "107.207.74.118/32",  # Angelita Crawley Home
+      "69.207.192.131/32",  # Aaron Flores Home
+      "70.120.19.33/32",    # Hilda Colon-Martinez Home
+      "198.13.82.11/32",    # Hussein Carrenard Home
+      # Access while on the Test VPN:
+      "18.252.69.251/32", # Test VPN NAT GW - vpc-access-afs-mdr-test-c2-gov-us-gov-east-1a
+      "18.253.180.54/32", # Test VPN NAT GW - vpc-access-afs-mdr-test-c2-gov-us-gov-east-1b
+      "18.253.72.90/32",  # Test VPN NAT GW - vpc-access-afs-mdr-test-c2-gov-us-gov-east-1c
+      # Access while on the Prod VPN:
+      "18.252.61.226/32",  # Prod VPN NAT GW - vpc-access-afs-mdr-prod-c2-gov-us-gov-east-1a
+      "18.252.100.113/32", # Prod VPN NAT GW - vpc-access-afs-mdr-prod-c2-gov-us-gov-east-1b
+      "18.252.105.2/32",   # Prod VPN NAT GW - vpc-access-afs-mdr-prod-c2-gov-us-gov-east-1c
+    ],
+    local.trusted_ips
+  )))
 
-  admin_ips = [
-    "108.28.25.119/32",   # James Kerr Home
-    "73.10.53.113/32",    # Rick Page Home
-    "99.151.37.185/32",   # Wesley Leonard Home
-    "74.211.32.26/32",    # Brad Poulton Home
-    "104.9.149.90/32",    # Greg Rivas Home
-    "100.4.76.3/32",      # Brandon Naughton Home
-    "170.248.173.247/32", # AFS site
-    "170.248.173.245/32", # AFS site
-    "107.207.74.118/32",  # Angelita Crawley Home
-    "69.207.192.131/32",  # Aaron Flores Home
-    "70.120.19.33/32",    # Hilda Colon-Martinez Home
-    "198.13.82.11/32",    # Hussein Carrenard Home
-    "136.226.18.198/32",  # Jose Alvarez Home
-  ]
+  # portal_test_whitelist allows access to the test portal
+  # Automatically includes admin_ips and trusted_ips
+  portal_test_whitelist = flatten(distinct(concat(
+    [
+      "12.245.107.250/32", # DPS Office Legato
+      "12.204.167.162/32", # DPS Office San Antonio
+      "54.86.98.62/32",    # DPS AWS User VPN
+      "73.213.108.186/32", # LaDonia Wicks
+    ],
+    local.admin_ips
+  )))
 
   # from https://config.zscaler.com/zscalergov.net/cenr
   zscalar_ips = [