feat: Allow more than 5 CIDRs in whitelist_unauthenticated_cidr_blocks (#220)

luggage66 · web-flow · commit df10f7bc3d70 · 2022-01-07T12:16:27.000+01:00
diff --git a/main.tf b/main.tf
@@ -104,6 +104,12 @@ locals {
   )
 
   policies_arn = var.policies_arn != null ? var.policies_arn : ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+
+  # Chunk these into groups of 5, the limit for IPs in an AWS lb listener
+  whitelist_unauthenticated_cidr_block_chunks = chunklist(
+    sort(compact(concat(var.allow_github_webhooks ? var.github_webhooks_cidr_blocks : [], var.whitelist_unauthenticated_cidr_blocks))),
+    5
+  )
 }
 
 data "aws_partition" "current" {}
@@ -257,10 +263,10 @@ module "alb" {
 
 # Forward action for certain CIDR blocks to bypass authentication (eg. GitHub webhooks)
 resource "aws_lb_listener_rule" "unauthenticated_access_for_cidr_blocks" {
-  count = var.allow_unauthenticated_access ? 1 : 0
+  count = var.allow_unauthenticated_access ? length(local.whitelist_unauthenticated_cidr_block_chunks) : 0
 
   listener_arn = module.alb.https_listener_arns[0]
-  priority     = var.allow_unauthenticated_access_priority
+  priority     = var.allow_unauthenticated_access_priority + count.index
 
   action {
     type             = "forward"
@@ -269,7 +275,7 @@ resource "aws_lb_listener_rule" "unauthenticated_access_for_cidr_blocks" {
 
   condition {
     source_ip {
-      values = sort(compact(concat(var.allow_github_webhooks ? var.github_webhooks_cidr_blocks : [], var.whitelist_unauthenticated_cidr_blocks)))
+      values = local.whitelist_unauthenticated_cidr_block_chunks[count.index]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,12 @@ locals {`
`104`	`104`	`)`
`105`	`105`
`106`	`106`	`policies_arn = var.policies_arn != null ? var.policies_arn : ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]`
	`107`	`+`
	`108`	`+ # Chunk these into groups of 5, the limit for IPs in an AWS lb listener`
	`109`	`+ whitelist_unauthenticated_cidr_block_chunks = chunklist(`
	`110`	`+ sort(compact(concat(var.allow_github_webhooks ? var.github_webhooks_cidr_blocks : [], var.whitelist_unauthenticated_cidr_blocks))),`
	`111`	`+ 5`
	`112`	`+ )`
`107`	`113`	`}`
`108`	`114`
`109`	`115`	`data "aws_partition" "current" {}`
`@@ -257,10 +263,10 @@ module "alb" {`
`257`	`263`
`258`	`264`	`# Forward action for certain CIDR blocks to bypass authentication (eg. GitHub webhooks)`
`259`	`265`	`resource "aws_lb_listener_rule" "unauthenticated_access_for_cidr_blocks" {`
`260`		`- count = var.allow_unauthenticated_access ? 1 : 0`
	`266`	`+ count = var.allow_unauthenticated_access ? length(local.whitelist_unauthenticated_cidr_block_chunks) : 0`
`261`	`267`
`262`	`268`	`listener_arn = module.alb.https_listener_arns[0]`
`263`		`- priority = var.allow_unauthenticated_access_priority`
	`269`	`+ priority = var.allow_unauthenticated_access_priority + count.index`
`264`	`270`
`265`	`271`	`action {`
`266`	`272`	`type = "forward"`
`@@ -269,7 +275,7 @@ resource "aws_lb_listener_rule" "unauthenticated_access_for_cidr_blocks" {`
`269`	`275`
`270`	`276`	`condition {`
`271`	`277`	`source_ip {`
`272`		`- values = sort(compact(concat(var.allow_github_webhooks ? var.github_webhooks_cidr_blocks : [], var.whitelist_unauthenticated_cidr_blocks)))`
	`278`	`+ values = local.whitelist_unauthenticated_cidr_block_chunks[count.index]`
`273`	`279`	`}`
`274`	`280`	`}`
`275`	`281`	`}`