[#184537961] Moved personal static ips to paas-trusted-people

concourse/pipelines/create-cloudfoundry.yml

@@ -1246,6 +1246,28 @@ jobs:
           - get: vpc-tfstate
           - get: concourse-tfstate
           - get: cf-tfstate
+          - get: paas-trusted-people
+
+      - task: create-static-cdrs
+        tags: [colocated-with-web]
+        config:
+          platform: linux
+          image_resource: *ruby-slim-image-resource
+          inputs:
+            - name: paas-cf
+            - name: paas-trusted-people
+          outputs:
+            - name: static-cidrs-tfvars
+          params:
+            AWS_ACCOUNT: ((aws_account))
+          run:
+            path: sh
+            args:
+            - -e
+            - -c
+            - |
+              cd paas-trusted-people
+              ruby ../paas-cf/concourse/scripts/get_static_cidrs.rb > ../static-cidrs-tfvars/user_static_cidrs.tfvars
 
       - task: extract-terraform-variables
         tags: [colocated-with-web]
@@ -1294,6 +1316,7 @@ jobs:
             - name: terraform-variables
             - name: paas-cf
             - name: cf-tfstate
+            - name: static-cidrs-tfvars
           outputs:
             - name: updated-tfstate
           params:
@@ -1319,6 +1342,7 @@ jobs:
 
                 terraform apply \
                   -auto-approve=true \
+                  -var-file="../../../static-cidrs-tfvars/user_static_cidrs.tfvars" \
                   -var-file="../../../paas-cf/terraform/((aws_account)).tfvars" \
                   -var-file="../../../paas-cf/terraform/cloudfoundry/((aws_account)).tfvars" \
                   -var-file="../../../paas-cf/terraform/((aws_region)).tfvars" \

concourse/scripts/get_static_cidrs.rb

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "yaml"
+
+users = YAML.load_file("users.yml", aliases: true)
+
+deploy_env = ENV["AWS_ACCOUNT"]
+
+# Collect static IPs for users with the ssh-access role in the specified environment
+static_ips = users["users"].select { |user| user["roles"]&.dig(deploy_env)&.any? { |role| role["role"] == "aws-access" } }.map { |user| user["static_ip"] }.compact
+
+# Format the static IPs as a Terraform command line variable
+terraform_var = static_ips.empty? ? '' : "user_static_cidrs=[\"#{static_ips.join("/32\",\"")}/32\"]"
+
+# Print the Terraform variable
+puts terraform_var

terraform/cloudfoundry/prometheus.tf

@@ -31,7 +31,8 @@ resource "aws_security_group" "prometheus-lb" {
 
     cidr_blocks = concat(
       compact(var.admin_cidrs),
-      ["${var.concourse_elastic_ip}/32"]
+      ["${var.concourse_elastic_ip}/32"],
+      var.user_static_cidrs,
     )
   }
 

terraform/cloudfoundry/security-groups.tf

@@ -30,6 +30,7 @@ resource "aws_security_group" "cf_api_elb" {
       compact(var.api_access_cidrs),
       ["${var.concourse_elastic_ip}/32"],
       formatlist("%s/32", aws_eip.cf.*.public_ip),
+      var.user_static_cidrs,
     )
   }
 
@@ -101,6 +102,7 @@ resource "aws_security_group" "sshproxy" {
       compact(var.admin_cidrs),
       compact(var.api_access_cidrs),
       ["${var.concourse_elastic_ip}/32"],
+      var.user_static_cidrs,
     )
   }
 

terraform/globals.tf

@@ -13,8 +13,12 @@ variable "admin_cidrs" {
     "213.86.153.237/32",
     "51.149.8.0/25",     # New DR VPN
     "51.149.8.128/29",   # New DR BYOD VPN
-    "82.71.58.244/32",   # LP remote
-    "51.148.163.199/32", # TW remote
+    "90.155.48.192/26",  # ITHC 2023
+    "81.2.127.144/28",   # ITHC 2023
+    "81.187.169.170/32", # ITHC 2023
+    "88.97.60.11/32",    # ITHC 2023
+    "3.10.4.97/32",      # ITHC 2023
+    "51.104.217.191/32", # ITHC 2023
   ]
 }
 
@@ -137,3 +141,8 @@ variable "zones" {
   description = "AWS availability zones"
   type        = map(string)
 }
+
+variable "user_static_cidrs" {
+  description = "user static_cidrs populated with values from paas-trusted-people"
+  default     = []
+}