add security group for zscaler (#82)

Co-authored-by: HK <hk@HKs-MacBook-Pro.hsd1.ca.comcast.net> Co-authored-by: klin <k.lin@f5.com> Co-authored-by: HK <hk@HKs-MacBook-Pro.local> Co-authored-by: Sean Fern <seanfern@navapbc.com>
CMSgov · Jun 14, 2024 · c694e84 · c694e84
1 parent 0e7125e
commit c694e84
Show file tree

Hide file tree

Showing 8 changed files with 153 additions and 2 deletions.
diff --git a/.github/workflows/zscaler-security-groups-apply.yml b/.github/workflows/zscaler-security-groups-apply.yml
@@ -0,0 +1,40 @@
+name: zscaler-security-groups apply terraform
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/zscaler-security-groups-apply.yml
+      - terraform/services/zscaler-security-groups/**
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  terraform-apply:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./terraform/services/zscaler-security-groups
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [ab2d, bcda, dpc]
+        env: [dev, test, sbx, prod]
+        include:
+          - app: bcda
+            env: mgmt
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./actions/setup-tfenv-terraform
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ matrix.app == 'ab2d' && secrets[format('{0}_{1}_ACCOUNT', matrix.app, matrix.env)] || secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: terraform init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+      - run: terraform apply -auto-approve
+        env:
+          TF_VAR_app: ${{ matrix.app }}
+          TF_VAR_env: ${{ matrix.env }}
diff --git a/.github/workflows/zscaler-security-groups-plan.yml b/.github/workflows/zscaler-security-groups-plan.yml
@@ -0,0 +1,46 @@
+name: zscaler-security-groups plan terraform
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/zscaler-security-groups-plan.yml
+      - terraform/services/zscaler-security-groups/**
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  check-terraform-fmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./actions/setup-tfenv-terraform
+      - run: terraform fmt -check -diff -recursive terraform/services/zscaler-security-groups
+
+  terraform-plan:
+    needs: check-terraform-fmt
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./terraform/services/zscaler-security-groups
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [ab2d, bcda, dpc]
+        env: [dev, test, sbx, prod]
+        include:
+          - app: bcda
+            env: mgmt
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./actions/setup-tfenv-terraform
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ matrix.app == 'ab2d' && secrets[format('{0}_{1}_ACCOUNT', matrix.app, matrix.env)] || secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: terraform init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+      - run: terraform plan
+        env:
+          TF_VAR_app: ${{ matrix.app }}
+          TF_VAR_env: ${{ matrix.env }}
diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf
@@ -4,6 +4,7 @@ data "aws_vpc" "this" {
     values = [
       var.env == "sbx" && var.app == "ab2d" ? "sandbox" :
       var.env == "sbx" && var.app == "bcda" ? "opensbx" :
+      var.env == "mgmt" && var.app == "bcda" ? "managed" :
       var.env == "sbx" && var.app == "dpc" ? "prod-sbx" :
       var.env == "test" && var.app == "ab2d" ? "impl" :
       var.env

diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf
@@ -11,7 +11,7 @@ variable "env" {
   description = "The application environment (dev, test, sbx, prod)"
   type        = string
   validation {
-    condition     = contains(["dev", "test", "sbx", "prod"], var.env)
-    error_message = "Valid value for env is dev, test, sbx, or prod."
+    condition     = contains(["dev", "test", "sbx", "prod", "mgmt"], var.env)
+    error_message = "Valid value for env is dev, test, sbx, prod, or mgmt."
   }
 }
diff --git a/terraform/services/zscaler-security-groups/README.md b/terraform/services/zscaler-security-groups/README.md
@@ -0,0 +1,3 @@
+# Terraform for zscaler security groups
+
+This terraform service creates and manages security groups for access from public and private Zscaler IP ranges.
diff --git a/terraform/services/zscaler-security-groups/main.tf b/terraform/services/zscaler-security-groups/main.tf
@@ -0,0 +1,20 @@
+### Get vpc reference
+module "vpc" {
+  source = "../../modules/vpc"
+  app    = var.app
+  env    = var.env
+}
+
+### public
+resource "aws_security_group" "zscaler_public" {
+  name        = "${var.app}-${var.env}-allow-zscaler-public"
+  description = "Allow public zscaler traffic"
+  vpc_id      = module.vpc.id
+}
+
+### private
+resource "aws_security_group" "zscaler_private" {
+  name        = "${var.app}-${var.env}-allow-zscaler-private"
+  description = "Allow internet zscaler traffic private"
+  vpc_id      = module.vpc.id
+}
diff --git a/terraform/services/zscaler-security-groups/variables.tf b/terraform/services/zscaler-security-groups/variables.tf
@@ -0,0 +1,18 @@
+variable "app" {
+  description = "The application name (ab2d, bcda, dpc)"
+  type        = string
+  validation {
+    condition     = contains(["ab2d", "bcda", "dpc"], var.app)
+    error_message = "Valid value for app is ab2d, bcda, or dpc."
+  }
+}
+
+variable "env" {
+  description = "The application environment (dev, test, mgmt, sbx, prod)"
+  type        = string
+  validation {
+    condition     = contains(["dev", "test", "mgmt", "sbx", "prod"], var.env)
+    error_message = "Valid value for env is dev, test, mgmt, sbx, or prod."
+  }
+}
+
diff --git a/terraform/services/zscaler-security-groups/versions.tf b/terraform/services/zscaler-security-groups/versions.tf
@@ -0,0 +1,23 @@
+provider "aws" {
+  region = "us-east-1"
+  default_tags {
+    tags = {
+      business  = "oeda"
+      code      = "https://github.com/CMSgov/ab2d-bcda-dpc-platform/tree/main/terraform/services/zscaler-security-groups"
+      terraform = true
+    }
+  }
+}
+
+terraform {
+  backend "s3" {
+    key = "zscaler-security-groups/terraform.tfstate"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.8.0"
+    }
+  }
+  required_version = "~> 1.5.5"
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Terraform for zscaler security groups

		This terraform service creates and manages security groups for access from public and private Zscaler IP ranges.