BigAnimal Module networking - 'allowed_machines' spec option added to…

… allow machines access to the database. By default, it is a wildcard and appends all machines ips: '[*]'.

It can be set to a machines keyname to restrict which machines have access.
This will also cause BigAnimal to delay its provisioning until all machine instances are first created.

edbterraform/data/templates/aws/biganimal.tf.j2

@@ -23,7 +23,9 @@ module "biganimal_{{ region_ }}" {
   password                  = each.value.spec.password
   pgvector                  = each.value.spec.pgvector
   allowed_ip_ranges         = each.value.spec.allowed_ip_ranges
+  allowed_machines          = each.value.spec.allowed_machines
   service_cidrblocks        = local.biganimal_service_cidrblocks
+  machine_cidrblocks        = local.machine_cidrblocks
 
   settings                  = each.value.spec.settings
 

edbterraform/data/templates/azure/biganimal.tf.j2

@@ -23,7 +23,9 @@ module "biganimal_{{ region_ }}" {
   password                  = each.value.spec.password
   pgvector                  = each.value.spec.pgvector
   allowed_ip_ranges         = each.value.spec.allowed_ip_ranges
+  allowed_machines          = each.value.spec.allowed_machines
   service_cidrblocks        = local.biganimal_service_cidrblocks
+  machine_cidrblocks        = local.machine_cidrblocks
 
   settings                  = each.value.spec.settings
 

edbterraform/data/templates/gcloud/biganimal.tf.j2

@@ -23,7 +23,9 @@ module "biganimal_{{ region_ }}" {
   password                  = each.value.spec.password
   pgvector                  = each.value.spec.pgvector
   allowed_ip_ranges         = each.value.spec.allowed_ip_ranges
+  allowed_machines          = each.value.spec.allowed_machines
   service_cidrblocks        = local.biganimal_service_cidrblocks
+  machine_cidrblocks        = local.machine_cidrblocks
 
   settings                  = each.value.spec.settings
 

edbterraform/data/terraform/aws/modules/biganimal/variables.tf

@@ -86,6 +86,18 @@ variable "allowed_ip_ranges" {
   default = []
 }
 
+variable "allowed_machines" {
+  type = list(string)
+  nullable = false
+  default = ["*"]
+}
+
+variable "machine_cidrblocks" {
+  type = map(list(string))
+  default = {}
+  nullable = false
+}
+
 variable "service_cidrblocks" {
   description = "Default cidr blocks for service ports"
   type = list(string)
@@ -106,9 +118,19 @@ locals {
       description = "Service CIDR"
     }
   ]
+  machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
+  machine_names = local.machine_cidrblock_wildcard ? [for machine in keys(var.machine_cidrblocks) : machine] : var.allowed_machines
+  machine_cidrblocks = flatten([
+    for machine_name in local.machine_names : flatten([
+      for cidr in var.machine_cidrblocks[machine_name] : {
+          cidr_block = cidr
+          description = "Machine CIDR - ${machine_name}"
+        }
+    ])
+  ])
   # Private networking blocks setting of allowed_ip_ranges and forces private endpoints or vpc peering to be used.
   # The provider overrides with 0.0.0.0/0 but fails to create if allowed_ip_ranges is not an empty list.
-  allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks) : []
+  allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks, local.machine_cidrblocks) : []
 }
 
 variable "tags" {

edbterraform/data/terraform/aws/modules/specification/variables.tf

@@ -179,6 +179,7 @@ variable "spec" {
         cidr_block = string
         description = optional(string, "default description")
       })))
+      allowed_machines = optional(list(string))
       tags = optional(map(string), {})
     })), {})
     kubernetes = optional(map(object({

edbterraform/data/terraform/azure/modules/biganimal/variables.tf

@@ -76,6 +76,18 @@ variable "allowed_ip_ranges" {
   default = []
 }
 
+variable "allowed_machines" {
+  type = list(string)
+  nullable = false
+  default = ["*"]
+}
+
+variable "machine_cidrblocks" {
+  type = map(list(string))
+  default = {}
+  nullable = false
+}
+
 variable "service_cidrblocks" {
   description = "Default cidr blocks for service ports"
   type = list(string)
@@ -96,9 +108,19 @@ locals {
       description = "Service CIDR"
     }
   ]
+  machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
+  machine_names = local.machine_cidrblock_wildcard ? [for machine in keys(var.machine_cidrblocks) : machine] : var.allowed_machines
+  machine_cidrblocks = flatten([
+    for machine_name in local.machine_names : flatten([
+      for cidr in var.machine_cidrblocks[machine_name] : {
+          cidr_block = cidr
+          description = "Machine CIDR - ${machine_name}"
+        }
+    ])
+  ])
   # Private networking blocks setting of allowed_ip_ranges and forces private endpoints or vpc peering to be used.
   # The provider overrides with 0.0.0.0/0 but fails to create if allowed_ip_ranges is not an empty list.
-  allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks) : []
+  allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks, local.machine_cidrblocks) : []
 }
 
 variable "tags" {

edbterraform/data/terraform/azure/modules/specification/variables.tf

@@ -138,6 +138,7 @@ variable "spec" {
         cidr_block = string
         description = optional(string, "default description")
       })))
+      allowed_machines = optional(list(string))
       tags = optional(map(string), {})
     })), {})
     kubernetes = optional(map(object({

edbterraform/data/terraform/gcloud/modules/biganimal/variables.tf

@@ -76,6 +76,18 @@ variable "allowed_ip_ranges" {
   default = []
 }
 
+variable "allowed_machines" {
+  type = list(string)
+  nullable = false
+  default = ["*"]
+}
+
+variable "machine_cidrblocks" {
+  type = map(list(string))
+  default = {}
+  nullable = false
+}
+
 variable "service_cidrblocks" {
   description = "Default cidr blocks for service ports"
   type = list(string)
@@ -96,9 +108,19 @@ locals {
       description = "Service CIDR"
     }
   ]
+  machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
+  machine_names = local.machine_cidrblock_wildcard ? [for machine in keys(var.machine_cidrblocks) : machine] : var.allowed_machines
+  machine_cidrblocks = flatten([
+    for machine_name in local.machine_names : flatten([
+      for cidr in var.machine_cidrblocks[machine_name] : {
+          cidr_block = cidr
+          description = "Machine CIDR - ${machine_name}"
+        }
+    ])
+  ])
   # Private networking blocks setting of allowed_ip_ranges and forces private endpoints or vpc peering to be used.
   # The provider overrides with 0.0.0.0/0 but fails to create if allowed_ip_ranges is not an empty list.
-  allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks) : []
+  allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks, local.machine_cidrblocks) : []
 }
 
 variable "tags" {

edbterraform/data/terraform/gcloud/modules/specification/variables.tf

@@ -151,6 +151,7 @@ variable "spec" {
         cidr_block = string
         description = optional(string, "default description")
       })))
+      allowed_machines = optional(list(string))
       tags = optional(map(string), {})
     })), {})
     kubernetes = optional(map(object({