Merge pull request #116 from mdr-engineering/feature/dw_MSOCI-1566_NIH_ips

[MSOCI-1566] Add c2_services_external_ips support

base/repo_server/main.tf

@@ -216,6 +216,33 @@ resource "aws_security_group_rule" "http-in" {
   security_group_id = aws_security_group.repo_server_security_group.id
 }
 
+resource "aws_security_group_rule" "http-in-external-c2-users" {
+
+  # This deserves some explanation.  Terraform "for_each" expects to be
+  # getting as input a map of values to iterate over as part of the foreach.
+  # The keys of the map are used to name each of these objects created.  Looking
+  # in the terraform plan output of a for_each you'll see things like:
+  #
+  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
+  #
+  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
+  # makes a new thing that is a map of maps, where the key value is the description with
+  # blanks removed.
+  #
+  # We could have made the variable more natively-friendly to for_each but this seemed
+  # like a better solution for what we were trying to accomplish.
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "inbound repository requests - ${each.value.description}"
+  type = "ingress"
+  from_port = 80
+  to_port = 80
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.repo_server_security_group.id
+}
+
+
 resource "aws_security_group_rule" "https-in" {
   description = "inbound repository requests"
   type = "ingress"
@@ -226,6 +253,19 @@ resource "aws_security_group_rule" "https-in" {
   security_group_id = aws_security_group.repo_server_security_group.id
 }
 
+resource "aws_security_group_rule" "https-in-external-c2-users" {
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "inbound repository requests - ${each.value.description}"
+  type = "ingress"
+  from_port = 443
+  to_port = 443
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.repo_server_security_group.id
+}
+
+
 # Repo server has an extra volume that is created separately, to keep it from being destroyed
 # with the instance.
 resource "aws_ebs_volume" "repo_server_drive" {

base/repo_server/vars.tf

@@ -41,6 +41,11 @@ variable "proxy" { type = string }
 variable "salt_master" { type = string }
 variable "repo_server_whitelist" { type = list(string) }
 
+variable "c2_services_external_ips" {
+  type = list(object({cidr_blocks=list(string),description=string}))
+  default = []
+}
+
 variable "cidr_map" { type = map }
 variable "dns_info" { type = map }
 variable "standard_tags" { type = map }

base/salt_master/main.tf

@@ -239,6 +239,32 @@ resource "aws_security_group_rule" "saltstack" {
   security_group_id = aws_security_group.salt_master_security_group.id
 }
 
+resource "aws_security_group_rule" "saltstack-external-ips" {
+
+  # This deserves some explanation.  Terraform "for_each" expects to be
+  # getting as input a map of values to iterate over as part of the foreach.
+  # The keys of the map are used to name each of these objects created.  Looking
+  # in the terraform plan output of a for_each you'll see things like:
+  #
+  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
+  #
+  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
+  # makes a new thing that is a map of maps, where the key value is the description with
+  # blanks removed.
+  #
+  # We could have made the variable more natively-friendly to for_each but this seemed
+  # like a better solution for what we were trying to accomplish.
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "Saltstack - ${each.value.description}"
+  type = "ingress"
+  from_port = "4505"
+  to_port = "4506"
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.salt_master_security_group.id
+}
+
 resource "aws_security_group_rule" "saltstack-afs-pop" {
   description = "SaltStack - AFS POP"
   type = "ingress"

base/salt_master/vars.tf

@@ -40,6 +40,11 @@ variable "afs_pop" { type = list(string) }
 variable "proxy" { type = string }
 variable "salt_master" { type = string }
 
+variable "c2_services_external_ips" {
+  type = list(object({cidr_blocks=list(string),description=string}))
+  default = []
+}
+
 variable "cidr_map" { type = map }
 variable "dns_info" { type = map }
 variable "standard_tags" { type = map }