
Moves VPN to private subnets; Updates employee_ips / trusted_ips / admin_ips

VPN will be on a private subnet so that the IP addresses will be static.

The `admin_ips` and `trusted_ips` local variables have been cleaned up
and better documented, and modules that use them updated.

Brandon Naughton had two IPs, and it turns out neither was correct.
That's fixed now, too.

Removed Jose Alvarez

To be tagged v5.3.0
Fred Damstra [afs macbook] %!s(int64=3) %!d(string=hai) anos
pai
achega
c17eb3a25f

+ 7 - 7
base/aws_client_vpn/vpn.tf

@@ -58,14 +58,14 @@ resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
   count = local.redundancy_count
 
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
-  subnet_id              = var.public_subnets[count.index]
+  subnet_id              = var.private_subnets[count.index]
 
-  lifecycle {
-    // The issue why we are ignoring changes is that on every change
-    // terraform screws up most of the vpn assosciations
-    // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
-    ignore_changes = [subnet_id]
-  }
+  #  lifecycle {
+  #    // The issue why we are ignoring changes is that on every change
+  #    // terraform screws up most of the vpn assosciations
+  #    // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
+  #    ignore_changes = [subnet_id]
+  #  }
 }
 
 resource "aws_ec2_client_vpn_route" "default" {
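Review bot: The lifecycle block is commented out with `#  lifecycle {` … `#  }` rather than removed, which leaves dead text in the resource while hiding the reason it had to go; since `ignore_changes = [subnet_id]` would have stopped the switch to `var.private_subnets[count.index]` from ever being applied, dropping it is the substantive part of this hunk and deserves a live comment. Suggest deleting the six commented lines and keeping one line, e.g. `# ignore_changes = [subnet_id] was removed so the move to private subnets is applied; revisit hashicorp/terraform-provider-aws#14717 if associations churn on apply.` Changing subnet_id on these associations likely replaces them, which would interrupt connected clients during the apply — worth mentioning in the description if a maintenance window is planned. The resource this hunk edits begins before the hunk.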

+ 3 - 4
base/customer_portal/elb.tf

@@ -1,10 +1,9 @@
-
 # ---------------------------------------------------------------------------------------------------------------------
 # LOAD BALANCER FOR PORTAL
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_alb" "portal" {
-	# checkov:skip=CKV_AWS_150: We don't want 'protection enabled'
-	# checkov:skip=CKV2_AWS_28: Portal is protected by WAF
+  # checkov:skip=CKV_AWS_150: We don't want 'protection enabled'
+  # checkov:skip=CKV2_AWS_28: Portal is protected by WAF
   name                       = "portal-alb-${var.environment}"
   security_groups            = [aws_security_group.customer_portal_alb.id, ]
   internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
@@ -129,7 +128,7 @@ resource "aws_security_group_rule" "customer_portal_alb_https_test" {
   from_port         = 443
   to_port           = 443
   security_group_id = aws_security_group.customer_portal_alb.id
-  cidr_blocks       = flatten(distinct(concat(local.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips), local.trusted_ips)))
+  cidr_blocks       = flatten(distinct(concat(local.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips), local.admin_ips)))
 }
 
 ## Needed for HTTPs redirect
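Review bot: In the `customer_portal_alb_https_test` rule the trailing `local.admin_ips` is now redundant, because this same commit makes portal_test_whitelist include admin_ips (and, through it, trusted_ips), so `cidr_blocks = flatten(distinct(concat(local.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips))))` produces the same set. More importantly, admin_ips now carries the VPN NAT gateway egress addresses, so this rule — and likewise `admin_ips = local.admin_ips` in base/github/elb.tf and the test branch of `inbound_cidrs` in base/jira/instance_jira/elb.tf — admits every connected VPN user instead of the named individuals that trusted_ips listed; if that is the intent, a comment on each rule saying so would save the next reviewer the same question. The enclosing resource starts before the hunk.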

+ 1 - 1
base/github/elb.tf

@@ -61,7 +61,7 @@ module "elb" {
   excluded_set_AWSManagedRulesUnixRuleSet            = true
   #additional_blocked_ips = []
   #allowed_ips = []
-  admin_ips = local.trusted_ips
+  admin_ips = local.admin_ips
 
   # Optional Variables
   healthcheck_port     = 443

+ 1 - 6
base/github/securitygroups-load-balancers.tf

@@ -24,11 +24,6 @@ locals {
     "18.252.61.81/32",   # Salt master dev - proxy
     "18.253.226.199/32", # salt aster dev
   ]
-  # Locking down sources on 2021-12-10 due to log4j vulnerability
-  #allowed_sources = local.zscalar_cidrs
-  #allowed_sources = concat(local.trusted_ips, local.zscalar_cidrs)
-  #allowed_sources = concat(local.zscalar_cidrs, local.trusted_ips, local.salt_masters)
-  # Restored access on 2021-12-14
   allowed_sources = ["0.0.0.0/0"]
 }
 
@@ -36,7 +31,7 @@ locals {
 # SG for the Internal ELB
 #----------------------------------------------------------------
 resource "aws_security_group" "ghe_elb_internal" {
-	# checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
+  # checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
   name_prefix = "ghe_elb_internal"
   tags        = merge(local.standard_tags, var.tags, { Name = "github-internal-lb" })
   vpc_id      = var.vpc_id

+ 1 - 1
base/jira/instance_jira/elb.tf

@@ -12,7 +12,7 @@ module "external_elb" {
   server_port     = 8080   # default 443
   server_protocol = "HTTP" # default HTTPS
   # health_check_path = "/" # default /
-  inbound_cidrs = var.environment == "test" ? local.trusted_ips : ["0.0.0.0/0"] # default 0.0.0.0/0
+  inbound_cidrs = var.environment == "test" ? local.admin_ips : ["0.0.0.0/0"] # default 0.0.0.0/0
   # sticky_sessions = true # default true
 
   # inherited

+ 1 - 1
base/standalone_vpc/security-groups.tf

@@ -31,7 +31,7 @@ module "allow_all_from_trusted_sg" {
   tags            = merge(local.standard_tags, var.tags)
   vpc_id          = module.vpc.vpc_id
 
-  ingress_cidr_blocks = concat(local.trusted_ips, ["10.0.0.0/8"])
+  ingress_cidr_blocks = local.trusted_ips
   egress_cidr_blocks  = ["0.0.0.0/0"]
   ingress_rules       = ["all-all"]
   egress_rules        = ["all-all"]
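Review bot: Dropping `["10.0.0.0/8"]` from `ingress_cidr_blocks` is a tightening that the commit description does not mention, and it is the only substantive change in this file. If VPN users reach this VPC through the endpoint ENIs now placed in private subnets, their traffic arrives from VPC-internal addresses rather than from trusted_ips, so confirm nothing relied on the 10/8 entry before merging (I can't tell from this hunk). Either way, a one-line comment such as `# 10.0.0.0/8 deliberately removed; only the named trusted_ips may reach this SG` would record the decision next to the rule. The module block starts before the hunk.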

+ 38 - 37
variables/employee_ips.tf

@@ -3,53 +3,54 @@
 # Fred dreams of deleting this file completely.
 locals {
 
-  trusted_ips = [        # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
+  # "Trusted IPs" are used for the bastion host and for testing direct access to things like alsi.
+  # These are sensitive, so keep the list small! Consider using 'admin_ips' instead!
+  trusted_ips = [
     "108.203.37.38/32",  # Duane Waddle
     "24.11.231.98/32",   # George Starcher
     "99.151.37.185/32",  # Wesley Leonard
     "73.10.53.113/32",   # Rick Page Home
     "74.211.32.26/32",   # Brad Poulton
-    "70.160.60.248/32",  # Brandon Naughton
+    "71.120.148.108/32", # Brandon Naughton
     "67.167.142.200/32", # Fred Damstra
     "188.210.17.19/32",  # Jeremy Cooper
-    "97.117.127.174/32", # Colby Williams
-    # We currently have the VPN in a public subnet and we are using a internet gateway. If we want a static egress IP we need to use a private subnet for the VPN and a NAT gateway.
-    # https://aws.amazon.com/premiumsupport/knowledge-center/client-vpn-static-ip-address/
-    "18.252.173.222/32", # Test AWS VPN Internet GW Dynamic IP
-    "18.252.186.82/32",  # Prod AWS VPN Internet GW Dynamic IP
   ]
 
-  portal_test_whitelist = [ # IPs for Portal Test and vmray
-    "12.245.107.250/32",    # DPS Office Legato
-    "12.204.167.162/32",    # DPS Office San Antonio
-    "54.86.98.62/32",       # DPS AWS User VPN
-    "108.203.37.38/32",     # Duane Waddle
-    "24.11.231.98/32",      # George Starcher
-    "99.151.37.185/32",     # Wesley Leonard
-    "73.10.53.113/32",      # Rick Page Home
-    "74.211.32.26/32",      # Brad Poulton
-    "70.160.60.248/32",     # Brandon Naughton
-    "67.167.142.200/32",    # Frederick Damstra
-    "97.117.127.174/32",    # Colby Williams
-    "188.210.17.19/32",     # Jeremy Cooper
-    "73.213.108.186/32",    # LaDonia Wicks
-  ]
+  # Admin IPs are allowed to access the admin pages of systems
+  # Automatically includes "trusted IPs" above
+  admin_ips = flatten(distinct(concat(
+    [
+      "108.28.25.119/32",   # James Kerr Home
+      "104.9.149.90/32",    # Greg Rivas Home
+      "170.248.173.247/32", # AFS site
+      "170.248.173.245/32", # AFS site
+      "107.207.74.118/32",  # Angelita Crawley Home
+      "69.207.192.131/32",  # Aaron Flores Home
+      "70.120.19.33/32",    # Hilda Colon-Martinez Home
+      "198.13.82.11/32",    # Hussein Carrenard Home
+      # Access while on the Test VPN:
+      "18.252.69.251/32", # Test VPN NAT GW - vpc-access-afs-mdr-test-c2-gov-us-gov-east-1a
+      "18.253.180.54/32", # Test VPN NAT GW - vpc-access-afs-mdr-test-c2-gov-us-gov-east-1b
+      "18.253.72.90/32",  # Test VPN NAT GW - vpc-access-afs-mdr-test-c2-gov-us-gov-east-1c
+      # Access while on the Prod VPN:
+      "18.252.61.226/32",  # Prod VPN NAT GW - vpc-access-afs-mdr-prod-c2-gov-us-gov-east-1a
+      "18.252.100.113/32", # Prod VPN NAT GW - vpc-access-afs-mdr-prod-c2-gov-us-gov-east-1b
+      "18.252.105.2/32",   # Prod VPN NAT GW - vpc-access-afs-mdr-prod-c2-gov-us-gov-east-1c
+    ],
+    local.trusted_ips
+  )))
 
-  admin_ips = [
-    "108.28.25.119/32",   # James Kerr Home
-    "73.10.53.113/32",    # Rick Page Home
-    "99.151.37.185/32",   # Wesley Leonard Home
-    "74.211.32.26/32",    # Brad Poulton Home
-    "104.9.149.90/32",    # Greg Rivas Home
-    "100.4.76.3/32",      # Brandon Naughton Home
-    "170.248.173.247/32", # AFS site
-    "170.248.173.245/32", # AFS site
-    "107.207.74.118/32",  # Angelita Crawley Home
-    "69.207.192.131/32",  # Aaron Flores Home
-    "70.120.19.33/32",    # Hilda Colon-Martinez Home
-    "198.13.82.11/32",    # Hussein Carrenard Home
-    "136.226.18.198/32",  # Jose Alvarez Home
-  ]
+  # portal_test_whitelist allows access to the test portal
+  # Automatically includes admin_ips and trusted_ips
+  portal_test_whitelist = flatten(distinct(concat(
+    [
+      "12.245.107.250/32", # DPS Office Legato
+      "12.204.167.162/32", # DPS Office San Antonio
+      "54.86.98.62/32",    # DPS AWS User VPN
+      "73.213.108.186/32", # LaDonia Wicks
+    ],
+    local.admin_ips
+  )))
 
   # from https://config.zscaler.com/zscalergov.net/cenr
   zscalar_ips = [
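Review bot: The description names only Jose Alvarez as removed, but this hunk also drops Colby Williams (`"97.117.127.174/32"`) from both trusted_ips and portal_test_whitelist without re-adding him to admin_ips; if that is intended, state it in the description, otherwise it is a silent loss of access. The six entries under "Access while on the Test VPN" and "Access while on the Prod VPN" are shared NAT gateway egress addresses, so any connected VPN user now matches admin_ips wherever it is consumed; a comment such as `# NOTE: the NAT GW addresses below are shared by every VPN user, so admin_ips is no longer a per-person list` would make that visible to consumers. If those NAT gateway EIPs are Terraform-managed, referencing their outputs instead of hand-copied literals would avoid a silent break when a gateway is replaced (whether that reference is reachable from this module is not visible here). The locals block continues past the end of the hunk.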