Update Integration tests to restrict bastion host to specific netbloc…

…ks (#3370) * Update main.tf setting specific net blocks vs anything * Update variables.tf * Update main.tf * Update variables.tf * Update variables.tf * Update variables.tf * Update variables.tf * Update variables.tf * Update variables.tf * Update main.tf * Update .travis.yml * Update main.tf * Update variables.tf * Update variables.tf * Update .travis.yml * Update variables.tf
forseti-security · Oct 26, 2019 · cbb97da · cbb97da
1 parent 14d9410
commit cbb97da
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 7 deletions.
diff --git a/integration_tests/fixtures/bastion/main.tf b/integration_tests/fixtures/bastion/main.tf
@@ -76,13 +76,7 @@ resource "google_compute_firewall" "main" {
 
   direction     = "INGRESS"
   priority      = "100"
-
-  # It is okay to leave this open to everyone as SSH key is also required to
-  # SSH into the server VM and SSH key is generated dynamically. Also, the host
-  # is ephemeral and the environment itself is deconstructed soon after tests
-  # are executed. Narrowing it down to few IP addresses makes it difficult for
-  # the developers to test on their local dev environment.
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = "${var.bastion_firewall_netblocks}"
   target_tags   = ["bastion"]
   project       = "${var.project_id}"
 }

diff --git a/integration_tests/fixtures/bastion/variables.tf b/integration_tests/fixtures/bastion/variables.tf
@@ -24,6 +24,46 @@ variable "project_id" {
   type        = "string"
 }
 
+/**
+ * Travis netblocks documentation:  https://docs.travis-ci.com/user/ip-addresses/
+ * Example shell command to build netblock list dynamically from Travis DNS entry: 
+ * dig +short nat.travisci.net | sort | awk '{printf "\"" $0 "/32\","}' | awk '{print substr($0, 1, length($0)-1)}'
+ */
+variable "bastion_firewall_netblocks" {
+  description = "Trusted Travis CI firewall network blocks for Forseti bastion host ssh access. "
+  type        = list
+  default     = [
+    "104.154.113.151/32",
+    "104.154.120.187/32",
+    "104.197.122.201/32",
+    "104.198.131.58/32",
+    "207.254.16.35/32",
+    "207.254.16.36/32",
+    "207.254.16.37/32",
+    "207.254.16.38/32",
+    "207.254.16.39/32",
+    "34.66.178.120/32",
+    "34.66.200.49/32",
+    "34.66.25.221/32",
+    "34.66.50.208/32",
+    "34.68.144.114/32",
+    "35.184.226.236/32",
+    "35.188.15.155/32",
+    "35.188.1.99/32",
+    "35.188.73.34/32",
+    "35.192.10.37/32",
+    "35.192.136.167/32",
+    "35.192.187.174/32",
+    "35.192.85.2/32",
+    "35.192.91.101/32",
+    "35.193.14.140/32",
+    "35.193.7.13/32",
+    "35.202.145.110/32",
+    "35.202.245.105/32",
+    "35.222.7.205/32",
+    "35.224.112.202/32"]
+}
+
 variable "subnetwork" {
   description = "The name of the subnetwork in which the bastion host will be deployed."
   type        = "string"