[#184537961] Moved personal static ips to paas-trusted-people

concourse/pipelines/create-cloudfoundry.yml

@@ -1256,6 +1256,7 @@ jobs:
           - get: vpc-tfstate
           - get: concourse-tfstate
           - get: cf-tfstate
+          - get: paas-trusted-people
 
       - task: extract-terraform-variables
         tags: [colocated-with-web]
@@ -1266,8 +1267,11 @@ jobs:
             - name: paas-cf
             - name: vpc-tfstate
             - name: concourse-tfstate
+            - name: paas-trusted-people
           outputs:
             - name: terraform-variables
+          params:
+            AWS_ACCOUNT=((aws_account))
           run:
             path: sh
             args:
@@ -1295,6 +1299,9 @@ jobs:
                 export TF_VAR_csls_kinesis_destination_arn="((cyber_csls_kinesis_destination_arn))"
                 EOF
 
+                cd paas-trusted-people
+                ruby get_static_cidrs.rb > ../terraform-variables/user_static_cidrs.tfvars.sh
+
       - task: terraform-apply
         tags: [colocated-with-web]
         config:
@@ -1304,6 +1311,7 @@ jobs:
             - name: terraform-variables
             - name: paas-cf
             - name: cf-tfstate
+            - name: static-cidrs-tfvars
           outputs:
             - name: updated-tfstate
           params:
@@ -1320,6 +1328,7 @@ jobs:
                 . terraform-variables/vpc.tfvars.sh
                 . terraform-variables/concourse.tfvars.sh
                 . terraform-variables/cf-secrets.tfvars.sh
+                . terraform-variables/user_static_cidrs.tfvars.sh
 
                 cp cf-tfstate/cf.tfstate updated-tfstate/cf.tfstate
                 sh paas-cf/terraform/./update-terraform-providers.sh updated-tfstate/cf.tfstate

concourse/scripts/get_static_cidrs.rb

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'yaml'
+
+users = YAML.load_file('users.yml', aliases: true)
+
+deploy_env = ENV['AWS_ACCOUNT']
+
+# Collect static IPs for users with the ssh-access role in the specified environment
+static_ips = users['users'].select do |user|
+user['roles']&.dig(deploy_env)&.any? { |role| role['role'] == 'aws-access' }
+end.map { |user| user['static_ip'] }.compact
+
+# Format the static IPs as a Terraform command line variable
+terraform_var = static_ips.empty? ? '' : 'user_static_cidrs=[\"#{static_ips.join("/32\",\"")}/32\"]'
+
+# Print the Terraform variable
+puts terraform_var

terraform/cloudfoundry/prometheus.tf

@@ -31,7 +31,8 @@ resource "aws_security_group" "prometheus-lb" {
 
     cidr_blocks = concat(
       compact(var.admin_cidrs),
-      ["${var.concourse_elastic_ip}/32"]
+      ["${var.concourse_elastic_ip}/32"],
+      var.personal_static_cidrs,
     )
   }
 

terraform/cloudfoundry/security-groups.tf

@@ -30,6 +30,7 @@ resource "aws_security_group" "cf_api_elb" {
       compact(var.api_access_cidrs),
       ["${var.concourse_elastic_ip}/32"],
       formatlist("%s/32", aws_eip.cf.*.public_ip),
+      var.personal_static_cidrs,
     )
   }
 
@@ -101,6 +102,7 @@ resource "aws_security_group" "sshproxy" {
       compact(var.admin_cidrs),
       compact(var.api_access_cidrs),
       ["${var.concourse_elastic_ip}/32"],
+      var.personal_static_cidrs,
     )
   }
 

terraform/globals.tf

@@ -13,8 +13,6 @@ variable "admin_cidrs" {
     "213.86.153.237/32",
     "51.149.8.0/25",     # New DR VPN
     "51.149.8.128/29",   # New DR BYOD VPN
-    "82.71.58.244/32",   # LP remote
-    "51.148.163.199/32", # TW remote
     "90.155.48.192/26",  # ITHC 2023
     "81.2.127.144/28",   # ITHC 2023
     "81.187.169.170/32", # ITHC 2023
@@ -143,3 +141,8 @@ variable "zones" {
   description = "AWS availability zones"
   type        = map(string)
 }
+
+variable "personal_static_cidrs" {
+  description = "personal static_cidrs populated with values from paas-trusted-people"
+  default     = []
+}