AWS support for client_cidrs alongside mgmt_cidr

chadgeary · Nov 17, 2020 · 6090fd3 · 6090fd3
1 parent 595c710
commit 6090fd3
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/aws/aws-generic.tf b/aws/aws-generic.tf
@@ -29,6 +29,11 @@ variable "mgmt_cidr" {
   description              = "Subnet CIDR allowed to access WebUI and SSH, e.g. <home ip address>/32"
 }
 
+variable "client_cidrs" {
+  type                     = list
+  description              = "List of subnets (in CIDR notation) granted access to DNS without VPN"
+}
+
 variable "vpn_cidr" {
   type                     = string
   description              = "Subnet CIDR allowed to access the VPN, e.g. 0.0.0.0/0 for world access (enrollment still required)"

diff --git a/aws/aws-security.tf b/aws/aws-security.tf
@@ -40,6 +40,17 @@ resource "aws_security_group_rule" "ph-pubsg-mgmt-dnstcp-in" {
   cidr_blocks             = [var.mgmt_cidr]
 }
 
+resource "aws_security_group_rule" "ph-pubsg-client-dnstcp-in" {
+  count                   = length(var.client_cidrs) == 0 ? 0 : 1
+  security_group_id       = aws_security_group.ph-pubsg.id
+  type                    = "ingress"
+  description             = "IN FROM CLIENT - DNS TCP"
+  from_port               = "53"
+  to_port                 = "53"
+  protocol                = "tcp"
+  cidr_blocks             = var.client_cidrs
+}
+
 resource "aws_security_group_rule" "ph-pubsg-mgmt-dnsudp-in" {
   count                   = var.dns_novpn * 1
   security_group_id       = aws_security_group.ph-pubsg.id
@@ -51,6 +62,17 @@ resource "aws_security_group_rule" "ph-pubsg-mgmt-dnsudp-in" {
   cidr_blocks             = [var.mgmt_cidr]
 }
 
+resource "aws_security_group_rule" "ph-pubsg-client-dnsudp-in" {
+  count                   = length(var.client_cidrs) == 0 ? 0 : 1
+  security_group_id       = aws_security_group.ph-pubsg.id
+  type                    = "ingress"
+  description             = "IN FROM CLIENT - DNS TCP"
+  from_port               = "53"
+  to_port                 = "53"
+  protocol                = "udp"
+  cidr_blocks             = var.client_cidrs
+}
+
 resource "aws_security_group_rule" "ph-pubsg-mgmt-wireguard-in" {
   security_group_id       = aws_security_group.ph-pubsg.id
   type                    = "ingress"

diff --git a/aws/aws.tfvars b/aws/aws.tfvars
@@ -24,6 +24,10 @@ vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
 dns_novpn = 1
 
+# additional client networks granted access pihole DNS without the VPN, example format:
+# client_cidrs = ["127.0.0.1/32","8.8.8.8/32"]
+client_cidrs = []
+
 ## UNCOMMON ##
 aws_region = "us-east-1"