From 5a4a75f40ffa08b6496aa68a6be35e97574c2dd5 Mon Sep 17 00:00:00 2001
From: Bryan Barajas
Date: Tue, 20 Feb 2024 19:26:18 +0000
Subject: [PATCH] BigAnimal Module networking - 'allowed_machines' spec option added to allow machines access to the database. By default, it is a wildcard and appends all machines ips: '[*]'. It can be set to a machines keyname to restrict which machines have access. This will also cause BigAnimal to delay its provisioning until all machine instances are first created.
---
 .../data/templates/aws/biganimal.tf.j2 | 2 ++
 .../data/templates/azure/biganimal.tf.j2 | 2 ++
 .../data/templates/gcloud/biganimal.tf.j2 | 2 ++
 .../aws/modules/biganimal/variables.tf | 24 ++++++++++++++++++-
 .../aws/modules/specification/variables.tf | 1 +
 .../azure/modules/biganimal/variables.tf | 24 ++++++++++++++++++-
 .../azure/modules/specification/variables.tf | 1 +
 .../gcloud/modules/biganimal/variables.tf | 24 ++++++++++++++++++-
 .../gcloud/modules/specification/variables.tf | 1 +
 9 files changed, 78 insertions(+), 3 deletions(-)
diff --git a/edbterraform/data/templates/aws/biganimal.tf.j2 b/edbterraform/data/templates/aws/biganimal.tf.j2
index ed8cdafb..611aafbd 100644
--- a/edbterraform/data/templates/aws/biganimal.tf.j2
+++ b/edbterraform/data/templates/aws/biganimal.tf.j2
@@ -23,7 +23,9 @@ module "biganimal_{{ region_ }}" {
  password = each.value.spec.password
  pgvector = each.value.spec.pgvector
  allowed_ip_ranges = each.value.spec.allowed_ip_ranges
+ allowed_machines = each.value.spec.allowed_machines
  service_cidrblocks = local.biganimal_service_cidrblocks
+ machine_cidrblocks = local.machine_cidrblocks
  settings = each.value.spec.settings
diff --git a/edbterraform/data/templates/azure/biganimal.tf.j2 b/edbterraform/data/templates/azure/biganimal.tf.j2
index ed8cdafb..611aafbd 100644
--- a/edbterraform/data/templates/azure/biganimal.tf.j2
+++ b/edbterraform/data/templates/azure/biganimal.tf.j2
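Review bot: The added `machine_cidrblocks = local.machine_cidrblocks` line references a template-level local that none of the nine files in this patch defines, so unless `local.machine_cidrblocks` already exists in this template's rendered `locals`, the generated Terraform fails with an unknown-local error; worth confirming it is defined and that its keys are exactly the machine names operators will write in `allowed_machines`, because the biganimal module indexes the map by those names. The azure and gcloud template hunks add identical lines and share this point. The `module` block starts and ends outside the hunk.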
@@ -23,7 +23,9 @@ module "biganimal_{{ region_ }}" {
  password = each.value.spec.password
  pgvector = each.value.spec.pgvector
  allowed_ip_ranges = each.value.spec.allowed_ip_ranges
+ allowed_machines = each.value.spec.allowed_machines
  service_cidrblocks = local.biganimal_service_cidrblocks
+ machine_cidrblocks = local.machine_cidrblocks
  settings = each.value.spec.settings
diff --git a/edbterraform/data/templates/gcloud/biganimal.tf.j2 b/edbterraform/data/templates/gcloud/biganimal.tf.j2
index ed8cdafb..611aafbd 100644
--- a/edbterraform/data/templates/gcloud/biganimal.tf.j2
+++ b/edbterraform/data/templates/gcloud/biganimal.tf.j2
@@ -23,7 +23,9 @@ module "biganimal_{{ region_ }}" {
  password = each.value.spec.password
  pgvector = each.value.spec.pgvector
  allowed_ip_ranges = each.value.spec.allowed_ip_ranges
+ allowed_machines = each.value.spec.allowed_machines
  service_cidrblocks = local.biganimal_service_cidrblocks
+ machine_cidrblocks = local.machine_cidrblocks
  settings = each.value.spec.settings
diff --git a/edbterraform/data/terraform/aws/modules/biganimal/variables.tf b/edbterraform/data/terraform/aws/modules/biganimal/variables.tf
index f9052569..95352cc9 100644
--- a/edbterraform/data/terraform/aws/modules/biganimal/variables.tf
+++ b/edbterraform/data/terraform/aws/modules/biganimal/variables.tf
@@ -86,6 +86,18 @@ variable "allowed_ip_ranges" {
  default = []
 }
+variable "allowed_machines" {
+ type = list(string)
+ nullable = false
+ default = ["*"]
+}
+
+variable "machine_cidrblocks" {
+ type = map(list(string))
+ default = {}
+ nullable = false
+}
+
 variable "service_cidrblocks" {
  description = "Default cidr blocks for service ports"
  type = list(string)
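Review bot: The two new variables `allowed_machines` and `machine_cidrblocks` carry no `description`, unlike the neighbouring `service_cidrblocks`, and the `["*"]` default is the permissive choice (every machine's CIDR blocks are appended to the cluster allowlist when it is publicly accessible), so the behaviour should be stated where operators read the variables. Suggested: `description = "Machine names (keys of machine_cidrblocks) whose CIDR blocks are appended to allowed_ip_ranges; a single * entry selects every machine"` on the first and `description = "Map of machine name to the CIDR blocks that machine is reached from"` on the second. The same two declarations are added in the azure and gcloud biganimal variables.tf hunks and want the same text.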
@@ -106,9 +118,19 @@ locals {
  description = "Service CIDR"
  }
  ]
+ machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
+ machine_names = local.machine_cidrblock_wildcard ? [for machine in keys(var.machine_cidrblocks) : machine] : var.allowed_machines
+ machine_cidrblocks = flatten([
+ for machine_name in local.machine_names : flatten([
+ for cidr in var.machine_cidrblocks[machine_name] : {
+ cidr_block = cidr
+ description = "Machine CIDR - ${machine_name}"
+ }
+ ])
+ ])
  # Private networking blocks setting of allowed_ip_ranges and forces private endpoints or vpc peering to be used.
  # The provider overrides with 0.0.0.0/0 but fails to create if allowed_ip_ranges is not an empty list.
- allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks) : []
+ allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks, local.machine_cidrblocks) : []
 }
 variable "tags" {
diff --git a/edbterraform/data/terraform/aws/modules/specification/variables.tf b/edbterraform/data/terraform/aws/modules/specification/variables.tf
index 2a9dee44..bcc4fb1d 100644
--- a/edbterraform/data/terraform/aws/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/aws/modules/specification/variables.tf
@@ -179,6 +179,7 @@ variable "spec" {
  cidr_block = string
  description = optional(string, "default description")
  })))
+ allowed_machines = optional(list(string))
  tags = optional(map(string), {})
  })), {})
  kubernetes = optional(map(object({
diff --git a/edbterraform/data/terraform/azure/modules/biganimal/variables.tf b/edbterraform/data/terraform/azure/modules/biganimal/variables.tf
index 4e0a4106..ee0dd7d8 100644
--- a/edbterraform/data/terraform/azure/modules/biganimal/variables.tf
+++ b/edbterraform/data/terraform/azure/modules/biganimal/variables.tf
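Review bot: A name in `allowed_machines` that is not a key of `machine_cidrblocks` makes `var.machine_cidrblocks[machine_name]` abort the plan with a generic "Invalid index" error pointing at this local; failing closed is the right outcome, but the message should name the mistake, e.g. a `precondition` on the cluster resource (outside this hunk) with `condition = alltrue([for m in local.machine_names : contains(keys(var.machine_cidrblocks), m)])` and an `error_message` listing the accepted machine names. Separately, `[for machine in keys(var.machine_cidrblocks) : machine]` is just `keys(var.machine_cidrblocks)`, and the inner `flatten([...])` wraps a list of objects that is already flat, so both can go as below without changing the result. The same locals are added in the azure and gcloud biganimal variables.tf hunks. The `locals` block starts outside the hunk.
```terraform
 machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
 # "*" anywhere in allowed_machines selects every machine we have CIDRs for; otherwise the list is an exact allowlist of names.
 machine_names = local.machine_cidrblock_wildcard ? keys(var.machine_cidrblocks) : var.allowed_machines
 machine_cidrblocks = flatten([
   for machine_name in local.machine_names : [
     for cidr in var.machine_cidrblocks[machine_name] : {
       cidr_block  = cidr
       description = "Machine CIDR - ${machine_name}"
     }
   ]
 ])
 # … unchanged: private-networking comments and allowed_ip_ranges …
```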
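Review bot: `allowed_machines = optional(list(string))` has no default, so a spec that omits it passes `null` to the biganimal module, where the `nullable = false` variable substitutes its own default `["*"]`; the permissive wildcard is therefore applied two modules away from where the operator writes the spec and is invisible in this schema. Making it `allowed_machines = optional(list(string), ["*"])` keeps the behaviour but puts the default next to the option, and leaves an explicit `[]` as the way to add no machine CIDRs at all. The azure and gcloud specification variables.tf hunks add the same attribute. The `variable "spec"` object starts and ends outside the hunk.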
@@ -76,6 +76,18 @@ variable "allowed_ip_ranges" {
  default = []
 }
+variable "allowed_machines" {
+ type = list(string)
+ nullable = false
+ default = ["*"]
+}
+
+variable "machine_cidrblocks" {
+ type = map(list(string))
+ default = {}
+ nullable = false
+}
+
 variable "service_cidrblocks" {
  description = "Default cidr blocks for service ports"
  type = list(string)
@@ -96,9 +108,19 @@ locals {
  description = "Service CIDR"
  }
  ]
+ machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
+ machine_names = local.machine_cidrblock_wildcard ? [for machine in keys(var.machine_cidrblocks) : machine] : var.allowed_machines
+ machine_cidrblocks = flatten([
+ for machine_name in local.machine_names : flatten([
+ for cidr in var.machine_cidrblocks[machine_name] : {
+ cidr_block = cidr
+ description = "Machine CIDR - ${machine_name}"
+ }
+ ])
+ ])
  # Private networking blocks setting of allowed_ip_ranges and forces private endpoints or vpc peering to be used.
  # The provider overrides with 0.0.0.0/0 but fails to create if allowed_ip_ranges is not an empty list.
- allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks) : []
+ allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks, local.machine_cidrblocks) : []
 }
 variable "tags" {
diff --git a/edbterraform/data/terraform/azure/modules/specification/variables.tf b/edbterraform/data/terraform/azure/modules/specification/variables.tf
index 4d3fa156..05fab85e 100644
--- a/edbterraform/data/terraform/azure/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/azure/modules/specification/variables.tf
@@ -138,6 +138,7 @@ variable "spec" {
  cidr_block = string
  description = optional(string, "default description")
  })))
+ allowed_machines = optional(list(string))
  tags = optional(map(string), {})
  })), {})
  kubernetes = optional(map(object({
diff --git a/edbterraform/data/terraform/gcloud/modules/biganimal/variables.tf b/edbterraform/data/terraform/gcloud/modules/biganimal/variables.tf
index c756ac67..68a61e78 100644
--- a/edbterraform/data/terraform/gcloud/modules/biganimal/variables.tf
+++ b/edbterraform/data/terraform/gcloud/modules/biganimal/variables.tf
@@ -76,6 +76,18 @@ variable "allowed_ip_ranges" {
  default = []
 }
+variable "allowed_machines" {
+ type = list(string)
+ nullable = false
+ default = ["*"]
+}
+
+variable "machine_cidrblocks" {
+ type = map(list(string))
+ default = {}
+ nullable = false
+}
+
 variable "service_cidrblocks" {
  description = "Default cidr blocks for service ports"
  type = list(string)
@@ -96,9 +108,19 @@ locals {
  description = "Service CIDR"
  }
  ]
+ machine_cidrblock_wildcard = anytrue([for machine in var.allowed_machines : machine == "*"])
+ machine_names = local.machine_cidrblock_wildcard ? [for machine in keys(var.machine_cidrblocks) : machine] : var.allowed_machines
+ machine_cidrblocks = flatten([
+ for machine_name in local.machine_names : flatten([
+ for cidr in var.machine_cidrblocks[machine_name] : {
+ cidr_block = cidr
+ description = "Machine CIDR - ${machine_name}"
+ }
+ ])
+ ])
  # Private networking blocks setting of allowed_ip_ranges and forces private endpoints or vpc peering to be used.
  # The provider overrides with 0.0.0.0/0 but fails to create if allowed_ip_ranges is not an empty list.
- allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks) : []
+ allowed_ip_ranges = var.publicly_accessible ? concat(local.mod_ip_ranges, local.service_cidrblocks, local.machine_cidrblocks) : []
 }
 variable "tags" {
diff --git a/edbterraform/data/terraform/gcloud/modules/specification/variables.tf b/edbterraform/data/terraform/gcloud/modules/specification/variables.tf
index a1df498b..9c34fc9c 100644
--- a/edbterraform/data/terraform/gcloud/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/gcloud/modules/specification/variables.tf
@@ -151,6 +151,7 @@ variable "spec" {
  cidr_block = string
  description = optional(string, "default description")
  })))
+ allowed_machines = optional(list(string))
  tags = optional(map(string), {})
  })), {})
  kubernetes = optional(map(object({