From c694e84ec7a5ae47d65a7e4ae6a4dbe06aaf1346 Mon Sep 17 00:00:00 2001 From: knavapbc <127874626+knavapbc@users.noreply.github.com> Date: Fri, 14 Jun 2024 10:32:14 -0700 Subject: [PATCH] add security group for zscaler (#82) Co-authored-by: HK Co-authored-by: klin Co-authored-by: HK Co-authored-by: Sean Fern --- .../zscaler-security-groups-apply.yml | 40 ++++++++++++++++ .../zscaler-security-groups-plan.yml | 46 +++++++++++++++++++ terraform/modules/vpc/main.tf | 1 + terraform/modules/vpc/variables.tf | 4 +- .../zscaler-security-groups/README.md | 3 ++ .../services/zscaler-security-groups/main.tf | 20 ++++++++ .../zscaler-security-groups/variables.tf | 18 ++++++++ .../zscaler-security-groups/versions.tf | 23 ++++++++++ 8 files changed, 153 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/zscaler-security-groups-apply.yml create mode 100644 .github/workflows/zscaler-security-groups-plan.yml create mode 100644 terraform/services/zscaler-security-groups/README.md create mode 100644 terraform/services/zscaler-security-groups/main.tf create mode 100644 terraform/services/zscaler-security-groups/variables.tf create mode 100644 terraform/services/zscaler-security-groups/versions.tf diff --git a/.github/workflows/zscaler-security-groups-apply.yml b/.github/workflows/zscaler-security-groups-apply.yml new file mode 100644 index 00000000..297ca93c --- /dev/null +++ b/.github/workflows/zscaler-security-groups-apply.yml 
@@ -0,0 +1,40 @@
+name: zscaler-security-groups apply terraform
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - .github/workflows/zscaler-security-groups-apply.yml
+ - terraform/services/zscaler-security-groups/**
+ workflow_dispatch: # Allow manual trigger
+
+jobs:
+ terraform-apply:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ./terraform/services/zscaler-security-groups
+ strategy:
+ fail-fast: false
+ matrix:
+ app: [ab2d, bcda, dpc]
+ env: [dev, test, sbx, prod]
+ include:
+ - app: bcda
+ env: mgmt
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./actions/setup-tfenv-terraform
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::${{ matrix.app == 'ab2d' && secrets[format('{0}_{1}_ACCOUNT', matrix.app, matrix.env)] || secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+ aws-region: ${{ vars.AWS_REGION }}
+ - run: terraform init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+ - run: terraform apply -auto-approve
+ env:
+ TF_VAR_app: ${{ matrix.app }}
+ TF_VAR_env: ${{ matrix.env }}
diff --git a/.github/workflows/zscaler-security-groups-plan.yml b/.github/workflows/zscaler-security-groups-plan.yml
new file mode 100644
index 00000000..5aaeb3b7
--- /dev/null
+++ b/.github/workflows/zscaler-security-groups-plan.yml
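Review bot: The `role-to-assume` expression under `with:` falls back to `secrets.BCDA_ACCOUNT` not only for bcda and dpc but for any ab2d entry whose `<app>_<env>_ACCOUNT` secret is unset, because an empty secret is falsy in the `a && b || c` idiom; a misconfigured ab2d row would then silently try to assume `ab2d-<env>-github-actions` in the BCDA account instead of failing fast. Routing dpc through `BCDA_ACCOUNT` also reads as surprising and deserves a one-line comment if it is intentional, e.g. `# dpc and bcda share one account; ab2d has one account per env`. Carrying the account explicitly as a matrix field (`include: [{app: ab2d, env: dev, account_secret: AB2D_DEV_ACCOUNT}, …]`) would turn a missing value into an error rather than a fallback. Separately, `terraform apply -auto-approve` runs on every push to `main` with no `environment:` protection, so prod security-group changes are applied with nobody reviewing the plan between merge and apply; adding `environment: ${{ matrix.env }}` to the job with required reviewers on prod would gate it.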
@@ -0,0 +1,46 @@
+name: zscaler-security-groups plan terraform
+
+on:
+ pull_request:
+ paths:
+ - .github/workflows/zscaler-security-groups-plan.yml
+ - terraform/services/zscaler-security-groups/**
+ workflow_dispatch: # Allow manual trigger
+
+jobs:
+ check-terraform-fmt:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./actions/setup-tfenv-terraform
+ - run: terraform fmt -check -diff -recursive terraform/services/zscaler-security-groups
+
+ terraform-plan:
+ needs: check-terraform-fmt
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ./terraform/services/zscaler-security-groups
+ strategy:
+ fail-fast: false
+ matrix:
+ app: [ab2d, bcda, dpc]
+ env: [dev, test, sbx, prod]
+ include:
+ - app: bcda
+ env: mgmt
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./actions/setup-tfenv-terraform
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::${{ matrix.app == 'ab2d' && secrets[format('{0}_{1}_ACCOUNT', matrix.app, matrix.env)] || secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+ aws-region: ${{ vars.AWS_REGION }}
+ - run: terraform init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+ - run: terraform plan
+ env:
+ TF_VAR_app: ${{ matrix.app }}
+ TF_VAR_env: ${{ matrix.env }}
diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf
index b07da3e6..900566c3 100644
--- a/terraform/modules/vpc/main.tf
+++ b/terraform/modules/vpc/main.tf
@@ -4,6 +4,7 @@ data "aws_vpc" "this" {
 values = [
 var.env == "sbx" && var.app == "ab2d" ? "sandbox" :
 var.env == "sbx" && var.app == "bcda" ? "opensbx" :
+ var.env == "mgmt" && var.app == "bcda" ? "managed" :
 var.env == "sbx" && var.app == "dpc" ? "prod-sbx" :
 var.env == "test" && var.app == "ab2d" ? "impl" :
 var.env
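Review bot: The `terraform-plan` job assumes a real role in every account, prod included, on any `pull_request` touching this directory, and a plan executes provider calls and data sources from whatever HCL the PR contains, so anyone who can open an in-repo PR obtains read access to those accounts under the `developer` role; that may be acceptable for a delegated role, but it should be a conscious decision recorded in a comment on the job. For PRs from forks the `id-token: write` grant is not issued and `configure-aws-credentials` fails with an unhelpful OIDC error, so a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` on the job makes that case explicit. Because `terraform plan` takes the state lock by default, a PR plan can collide with a concurrent apply from main; `- run: terraform plan -lock=false -input=false` is the usual form for a read-only PR check. The plan output is not surfaced anywhere (no `-out`, no PR comment), so reviewers cannot see from the PR what apply will do.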
diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf
index 0a3dea4b..a0bcdf68 100644
--- a/terraform/modules/vpc/variables.tf
+++ b/terraform/modules/vpc/variables.tf
@@ -11,7 +11,7 @@ variable "env" {
 description = "The application environment (dev, test, sbx, prod)"
 type = string
 validation {
- condition = contains(["dev", "test", "sbx", "prod"], var.env)
- error_message = "Valid value for env is dev, test, sbx, or prod."
+ condition = contains(["dev", "test", "sbx", "prod", "mgmt"], var.env)
+ error_message = "Valid value for env is dev, test, sbx, prod, or mgmt."
 }
 }
diff --git a/terraform/services/zscaler-security-groups/README.md b/terraform/services/zscaler-security-groups/README.md
new file mode 100644
index 00000000..749dd043
--- /dev/null
+++ b/terraform/services/zscaler-security-groups/README.md
@@ -0,0 +1,3 @@
+# Terraform for zscaler security groups
+
+This terraform service creates and manages security groups for access from public and private Zscaler IP ranges.
diff --git a/terraform/services/zscaler-security-groups/main.tf b/terraform/services/zscaler-security-groups/main.tf
new file mode 100644
index 00000000..7ae76893
--- /dev/null
+++ b/terraform/services/zscaler-security-groups/main.tf
@@ -0,0 +1,20 @@
+### Get vpc reference
+module "vpc" {
+ source = "../../modules/vpc"
+ app = var.app
+ env = var.env
+}
+
+### public
+resource "aws_security_group" "zscaler_public" {
+ name = "${var.app}-${var.env}-allow-zscaler-public"
+ description = "Allow public zscaler traffic"
+ vpc_id = module.vpc.id
+}
+
+### private
+resource "aws_security_group" "zscaler_private" {
+ name = "${var.app}-${var.env}-allow-zscaler-private"
+ description = "Allow internet zscaler traffic private"
+ vpc_id = module.vpc.id
+}
diff --git a/terraform/services/zscaler-security-groups/variables.tf b/terraform/services/zscaler-security-groups/variables.tf
new file mode 100644
index 00000000..5dd19b44
--- /dev/null
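Review bot: The `description` of `variable "env"` still reads `(dev, test, sbx, prod)` while the validation directly below it now also accepts `mgmt`, so the documented contract and the enforced one disagree; update it to `description = "The application environment (dev, test, sbx, prod, mgmt)"`. The validation also admits `mgmt` for every app, whereas the VPC-name mapping added in main.tf handles `mgmt` only for bcda, so `app = "ab2d"` or `"dpc"` with `env = "mgmt"` falls through to a lookup for a VPC tagged `mgmt` and the resulting data-source error will not say why. Terraform 1.5 `validation` blocks cannot reference other variables, so a `lifecycle { precondition { condition = var.env != "mgmt" || var.app == "bcda" ... } }` on `data "aws_vpc" "this"` (outside this hunk), or a sentence in this description, is the place to state that restriction.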
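Review bot: Both `aws_security_group` resources in main.tf are created with no ingress or egress rules, and because the AWS provider removes the default allow-all egress rule from groups it creates, `${var.app}-${var.env}-allow-zscaler-public` and `-private` are inert as committed even though the README promises access from Zscaler IP ranges; either the `aws_vpc_security_group_ingress_rule` resources belong in this change, or a comment should say where the rules live, e.g. `# Rules are attached by a separate service; this module only owns the group objects.` The private group's description, `Allow internet zscaler traffic private`, looks garbled and presumably meant `Allow private zscaler traffic`; `description` forces replacement when changed, so it is cheapest to fix before the first apply. A `tags = { Name = "${var.app}-${var.env}-allow-zscaler-public" }` (and the private equivalent) would also make the groups identifiable in the console, since the `default_tags` in versions.tf set no `Name`.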
+++ b/terraform/services/zscaler-security-groups/variables.tf
@@ -0,0 +1,18 @@
+variable "app" {
+ description = "The application name (ab2d, bcda, dpc)"
+ type = string
+ validation {
+ condition = contains(["ab2d", "bcda", "dpc"], var.app)
+ error_message = "Valid value for app is ab2d, bcda, or dpc."
+ }
+}
+
+variable "env" {
+ description = "The application environment (dev, test, mgmt, sbx, prod)"
+ type = string
+ validation {
+ condition = contains(["dev", "test", "mgmt", "sbx", "prod"], var.env)
+ error_message = "Valid value for env is dev, test, mgmt, sbx, or prod."
+ }
+}
+
diff --git a/terraform/services/zscaler-security-groups/versions.tf b/terraform/services/zscaler-security-groups/versions.tf
new file mode 100644
index 00000000..e6787795
--- /dev/null
+++ b/terraform/services/zscaler-security-groups/versions.tf
@@ -0,0 +1,23 @@
+provider "aws" {
+ region = "us-east-1"
+ default_tags {
+ tags = {
+ business = "oeda"
+ code = "https://github.com/CMSgov/ab2d-bcda-dpc-platform/tree/main/terraform/services/zscaler-security-groups"
+ terraform = true
+ }
+ }
+}
+
+terraform {
+ backend "s3" {
+ key = "zscaler-security-groups/terraform.tfstate"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.8.0"
+ }
+ }
+ required_version = "~> 1.5.5"
+}
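Review bot: The `provider "aws"` block in versions.tf hard-codes `region = "us-east-1"` while both workflows configure credentials with `aws-region: ${{ vars.AWS_REGION }}`, so if that variable ever points elsewhere the security groups are still created in us-east-1 and the `aws_vpc` lookup in the vpc module silently searches the wrong region. Either derive the region from the same source — drop the attribute and let the provider read the `AWS_REGION` that `configure-aws-credentials` exports, or declare `variable "aws_region"` and set `region = var.aws_region` — or document the choice with `# Region is intentionally fixed: all ab2d/bcda/dpc VPCs live in us-east-1 (TODO confirm)`. The `backend "s3"` block sets only `key`, relying on the per-environment `.s3.tfbackend` file passed at `terraform init` for bucket and region; a one-line comment saying so would save the next reader a trip to the workflow.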