From 58410fa2b5d21a2494ba6d03f5ebb7dc95ff460e Mon Sep 17 00:00:00 2001
From: Nemo <commits@captnemo.in>
Date: Fri, 15 Dec 2023 13:40:51 +0530
Subject: [PATCH] v1.3.0

- Added new outputs for various regions
- New regions added: UK/India
---
 README.md  | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
 locals.tf  |  83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 outputs.tf | 137 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 269 insertions(+), 52 deletions(-)

diff --git a/README.md b/README.md
index 443ec49..9b2918b 100644
--- a/README.md
+++ a/README.md
@@ -1,27 +1,90 @@
 # terraform-data-duo-ips ![License:MIT](https://img.shields.io/badge/license-MIT-blue.svg) ![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/captn3m0/terraform-data-duo-ips?sort=semver) ![GitHub last commit](https://img.shields.io/github/last-commit/captn3m0/terraform-data-duo-ips)
 
-This module provides an updated list of Duo's public CIDRs. These are maintained against the Duo Documentation: https://help.duo.com/s/article/1337
+This module provides an updated list of Duo's public CIDRs. These are maintained against the Duo Documentation: https://help.duo.com/s/article/1337.
 
+Supported on both Terraform and OpenTofu.
+
 # Usage
 
 ```hcl
+// Import the module
 module "duo-ips" {
   source  = "captn3m0/duo-ips/data"
-  version = "1.2.0"
+  version = "1.3.0"
 }
 
+// Allow traffic for MFA APIs for all region CIDRs
+// Also open traffic from these to your LDAP Server port 636 if you're using LDAP
 resource "aws_security_group_rule" "allow_all_to_duo" {
-  type            = "egress"
-  from_port       = 0
-  to_port         = 443
-  protocol        = "tcp"
-  cidr_blocks     = ["${module.duo-ips.cidr}"]
+  type              = "egress"
+  from_port         = 0
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["${module.duo-ips.cidrs}"]
+  security_group_id = "sg-123456"
+}
+
+// Limit MFA traffic to specific regions
+resource "aws_security_group_rule" "allow_all_to_duo_uk" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["${module.duo-ips.uk-cidrs}"]
+  security_group_id = "sg-123456"
+}
+
+// trusted endpoint requests are made from these ranges
+// depending on what port your origin is using, pick the correct port here as well.
+resource "aws_security_group_rule" "allow_all_from_duo_in_ingress" {
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["${module.duo-ips.trusted-endpoint-india-cidrs}"]
   security_group_id = "sg-123456"
 }
 ```
+
+## Outputs
 
+| Name | Description |
+|------|-------------|
+| ad\_hostnames\_asean | Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments |
+| ad\_hostnames\_au | Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments |
+| ad\_hostnames\_ca | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments |
+| ad\_hostnames\_eu | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments |
+| ad\_hostnames\_in | Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments |
+| ad\_hostnames\_jp | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments |
+| ad\_hostnames\_uk | Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments |
+| ad\_hostnames\_us | Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments |
+| australia-cidrs | List of Duo's Service CIDRs for australia deployments |
+| canada-cidrs | List of Duo's Service CIDRs for canada deployments |
+| central-europe-cidrs | List of Duo's Service CIDRs for central-europe deployments |
+| cidrs | List of all Duo Service CIDRs. Allow for egress to Duo |
+| emea-cidrs | List of Duo's Service CIDRs for EMEA deployments |
+| india-cidrs | List of Duo's Service CIDRs for india deployments |
+| japan-cidrs | List of Duo's Service CIDRs for japan deployments |
+| southeast-asia-cidrs | List of Duo's Service CIDRs for southeast-asia deployments |
+| trusted-endpoint-australia-cidrs | List of Duo's Trusted Endpoint CIDRs for Australia Deployments |
+| trusted-endpoint-canada-cidrs | List of Duo's Trusted Endpoint CIDRs for Canda Deployments |
+| trusted-endpoint-central-europe-cidrs | List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments |
+| trusted-endpoint-emea-cidrs | List of Duo's Trusted Endpoint CIDRs for EMEA Deployments |
+| trusted-endpoint-india-cidrs | List of Duo's Trusted Endpoint CIDRs for India Deployments |
+| trusted-endpoint-japan-cidrs | List of Duo's Trusted Endpoint CIDRs for Japan Deployments |
+| trusted-endpoint-southeast-asia-cidrs | List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments |
+| trusted-endpoint-uk-cidrs | List of Duo's Trusted Endpoint CIDRs for UK Deployments |
+| trusted-endpoint-us-cidrs | List of Duo's Trusted Endpoint CIDRs for US Deployments |
+| trusted\_endpoints\_cidrs | List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo |
+| uk-cidrs | List of Duo's Service CIDRs for UK deployments |
+| us-cidrs | List of Duo's Service CIDRs for US deployments |
+
 ## Changelog
 
+### 1.3.0
+- Added new outputs for various regions
+- New regions added: UK/India
+
 ### 1.2.0
 - Added new CIDRs
 
@@ -33,30 +96,6 @@
 
 - Changed the terraform registry module name from [`duo-whitelist`](https://registry.terraform.io/modules/captn3m0/duo-whitelist) to [`duo-ips`](https://registry.terraform.io/modules/captn3m0/duo-ips).
 - Renamed `duo_ad_hostnames_us` to `ad_hostnames_us`
-
-## Outputs
-
-The following outputs are exported:
-
-### ad\_hostnames\_ca
-
-Description: Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments
-
-### ad\_hostnames\_eu
-
-Description: Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments
-
-### cidrs
-
-Description: List of all Duo Service CIDRs. Allow for egress to Duo
-
-### ad\_hostnames\_us
-
-Description: Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments
-
-### trusted\_endpoints\_cidrs
-
-Description: List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo
 
 # LICENSE
 
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..4e0005f 100644
--- /dev/null
+++ a/locals.tf
@@ -1,0 +1,83 @@
+locals {
+  us-cidrs = [
+    "3.145.240.0/25",
+    "52.32.63.128/26",
+    "54.236.251.192/26",
+    "54.241.191.128/26",
+  ]
+
+  emea-cidrs = [
+    "13.39.113.0/26",
+    "52.19.127.192/26",
+  ]
+
+  central-europe-cidrs = [
+    "16.62.194.128/26",
+    "52.59.243.192/26",
+  ]
+
+  canada-cidrs = [
+    "35.182.14.128/26",
+  ]
+
+  australia-cidrs = [
+    "3.25.48.128/26",
+  ]
+
+  japan-cidrs = [
+    "15.168.49.0/26",
+    "35.74.77.64/26"
+  ]
+
+  southeast-asia-cidrs = [
+    "13.213.75.128/26",
+    "43.218.17.0/26",
+    "43.218.17.64/26",
+  ]
+
+  india-cidrs = [
+    "3.110.73.128/26",
+    "18.60.199.0/26",
+  ]
+
+  uk-cidrs = [
+    "13.40.93.64/26",
+  ]
+
+  trusted-endpoint-us-cidrs = [
+    "13.56.32.240/29",
+    "52.32.63.176/30"
+  ]
+
+  trusted-endpoint-emea-cidrs = [
+    "52.19.127.200/30"
+  ]
+  trusted-endpoint-central-europe-cidrs = [
+    "52.59.243.200/30"
+  ]
+
+  trusted-endpoint-canada-cidrs = [
+    "35.182.14.128/30"
+  ]
+
+  trusted-endpoint-australia-cidrs = [
+    "3.25.48.188/30"
+  ]
+
+  trusted-endpoint-japan-cidrs = [
+    "35.74.77.124/30"
+  ]
+
+  trusted-endpoint-southeast-asia-cidrs = [
+    "13.213.75.172/30"
+  ]
+
+  trusted-endpoint-india-cidrs = [
+    "3.110.73.188/30"
+  ]
+
+  trusted-endpoint-uk-cidrs = [
+    "13.40.93.124/30"
+  ]
+
+}
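Review bot: The `trusted-endpoint-australia-cidrs` entry at L216 (`3.25.48.188/30`) silently replaces the `3.24.48.188/30` that the old `trusted_endpoints_cidrs` output published (removed at L314), and neither the commit message nor the 1.3.0 changelog entry mentions it; the same goes for the new `3.145.240.0/25` US range at L155. The new value is plausibly the correct one, since it sits inside the `australia-cidrs` range `3.25.48.128/26` declared at L176 while the old one did not, but consumers who allow-listed the previous value need to be told it changed. Since this file is now the single source for every published range, a provenance header would also help future maintainers verify it: `# Duo public CIDRs, maintained against https://help.duo.com/s/article/1337 — verify each range against that page before editing`. Consider adding a changelog line such as `- Corrected Australia trusted-endpoint CIDR; added 3.145.240.0/25 to US service CIDRs`.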
diff --git a/outputs.tf b/outputs.tf
index a920cbd..9d5726e 100644
--- a/outputs.tf
+++ a/outputs.tf
@@ -1,33 +1,108 @@
 output "cidrs" {
   description = "List of all Duo Service CIDRs. Allow for egress to Duo"
 
-  value = [
-    "54.241.191.128/26",
-    "54.236.251.192/26",
-    "52.19.127.192/26",
-    "52.32.63.128/26",
-    "52.59.243.192/26",
-    "35.182.14.128/26",
-    "3.25.48.128/26",
-    "35.74.77.64/26",
-    "13.213.75.128/26"
-  ]
+  value = concat(
+    local.us-cidrs,
+    local.emea-cidrs,
+    local.central-europe-cidrs,
+    local.canada-cidrs,
+    local.australia-cidrs,
+    local.japan-cidrs,
+    local.southeast-asia-cidrs,
+    local.india-cidrs,
+    local.uk-cidrs,
+  )
+}
+
+output "us-cidrs" {
+  description = "List of Duo's Service CIDRs for US deployments"
+  value       = local.us-cidrs
+}
+output "emea-cidrs" {
+  description = "List of Duo's Service CIDRs for EMEA deployments"
+  value       = local.emea-cidrs
+}
+output "central-europe-cidrs" {
+  description = "List of Duo's Service CIDRs for central-europe deployments"
+  value       = local.central-europe-cidrs
+}
+output "canada-cidrs" {
+  description = "List of Duo's Service CIDRs for canada deployments"
+  value       = local.canada-cidrs
+}
+output "australia-cidrs" {
+  description = "List of Duo's Service CIDRs for australia deployments"
+  value       = local.australia-cidrs
 }
+output "japan-cidrs" {
+  description = "List of Duo's Service CIDRs for japan deployments"
+  value       = local.japan-cidrs
+}
+output "southeast-asia-cidrs" {
+  description = "List of Duo's Service CIDRs for southeast-asia deployments"
+  value       = local.southeast-asia-cidrs
+}
+output "india-cidrs" {
+  description = "List of Duo's Service CIDRs for india deployments"
+  value       = local.india-cidrs
+}
+output "uk-cidrs" {
+  description = "List of Duo's Service CIDRs for UK deployments"
+  value       = local.uk-cidrs
+}
 
 output "trusted_endpoints_cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo"
 
-  value = [
-    "13.56.32.240/29",
-    "52.32.63.176/30",
-    "52.19.127.200/30",
-    "52.59.243.200/30",
-    "35.182.14.128/30",
-    "3.24.48.188/30",
-    "35.74.77.124/30",
-    "13.213.75.172/30"
-  ]
+  value = concat(
+    local.trusted-endpoint-us-cidrs,
+    local.trusted-endpoint-emea-cidrs,
+    local.trusted-endpoint-central-europe-cidrs,
+    local.trusted-endpoint-canada-cidrs,
+    local.trusted-endpoint-australia-cidrs,
+    local.trusted-endpoint-japan-cidrs,
+    local.trusted-endpoint-southeast-asia-cidrs,
+    local.trusted-endpoint-india-cidrs,
+    local.trusted-endpoint-uk-cidrs,
+  )
+}
+
+output "trusted-endpoint-us-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for US Deployments"
+  value       = local.trusted-endpoint-us-cidrs
+}
+output "trusted-endpoint-emea-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for EMEA Deployments"
+  value       = local.a-trusted-endpoint-emea-cidrs
 }
+output "trusted-endpoint-central-europe-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments"
+  value       = local.ope-trusted-endpoint-central-europe-cidrs
+}
+output "trusted-endpoint-canada-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for Canda Deployments"
+  value       = local.ada-trusted-endpoint-canada-cidrs
+}
+output "trusted-endpoint-australia-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for Australia Deployments"
+  value       = local.tralia-trusted-endpoint-australia-cidrs
+}
+output "trusted-endpoint-japan-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for Japan Deployments"
+  value       = local.an-trusted-endpoint-japan-cidrs
+}
+output "trusted-endpoint-southeast-asia-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments"
+  value       = local.a-trusted-endpoint-southeast-asia-cidrs
+}
+output "trusted-endpoint-india-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for India Deployments"
+  value       = local.ia-trusted-endpoint-india-cidrs
+}
+output "trusted-endpoint-uk-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for UK Deployments"
+  value       = local.trusted-endpoint-uk-cidrs
+}
 
 output "ad_hostnames_ca" {
   description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments"
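Review bot: Seven of the new per-region trusted-endpoint outputs reference locals that `locals.tf` does not define, so `terraform validate` will fail with an unsupported-attribute error on `local`: L337 `local.a-trusted-endpoint-emea-cidrs`, L341 `local.ope-trusted-endpoint-central-europe-cidrs`, L345 `local.ada-trusted-endpoint-canada-cidrs`, L349 `local.tralia-trusted-endpoint-australia-cidrs`, L353 `local.an-trusted-endpoint-japan-cidrs`, L357 `local.a-trusted-endpoint-southeast-asia-cidrs` and L361 `local.ia-trusted-endpoint-india-cidrs`. The stray prefixes look like residue of a search-and-replace over the region names; the `concat()` in `trusted_endpoints_cidrs` (L319–L327) already uses the correct `local.trusted-endpoint-<region>-cidrs` names and the US and UK outputs at L333 and L365 are correct, so each `value` line just needs the prefix dropped. The description at L344 also misspells Canada as `Canda` (the README table at L95 repeats it). The `output "ad_hostnames_ca"` block at L368 continues past the end of this hunk.
```hcl
# in output "trusted-endpoint-emea-cidrs":
  value       = local.trusted-endpoint-emea-cidrs
# in output "trusted-endpoint-central-europe-cidrs":
  value       = local.trusted-endpoint-central-europe-cidrs
# in output "trusted-endpoint-canada-cidrs":
  value       = local.trusted-endpoint-canada-cidrs
# in output "trusted-endpoint-australia-cidrs":
  value       = local.trusted-endpoint-australia-cidrs
# in output "trusted-endpoint-japan-cidrs":
  value       = local.trusted-endpoint-japan-cidrs
# in output "trusted-endpoint-southeast-asia-cidrs":
  value       = local.trusted-endpoint-southeast-asia-cidrs
# in output "trusted-endpoint-india-cidrs":
  value       = local.trusted-endpoint-india-cidrs
# … unchanged: description lines, us/uk outputs, cidrs and trusted_endpoints_cidrs concat() blocks …
```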
@@ -50,4 +125,24 @@
 output "ad_hostnames_au" {
   description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments"
   values      = ["ase2.azureauth.duosecurity.com"]
+}
+
+output "ad_hostnames_asean" {
+  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments"
+  values      = ["ase1.azureauth.duosecurity.com"]
+}
+
+output "ad_hostnames_jp" {
+  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments"
+  values      = ["ane1.azureauth.duosecurity.com"]
+}
+
+output "ad_hostnames_uk" {
+  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments"
+  values      = ["ew2.azureauth.duosecurity.com"]
+}
+
+output "ad_hostnames_in" {
+  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments"
+  values      = ["as1.azureauth.duosecurity.com"]
 }
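Review bot: The four new `ad_hostnames_*` outputs at L378, L383, L388 and L393 use `values = [...]`, but a Terraform `output` block has no `values` argument — the argument is `value` — so these outputs should fail validation as an unsupported argument rather than export anything; e.g. L378 should read `value       = ["ase1.azureauth.duosecurity.com"]`, and likewise for the jp, uk and in blocks. The pre-existing `ad_hostnames_au` block at L373 has the same problem and the commit copies it rather than fixing it, so it is worth correcting in the same change. The descriptions also say "Map of ..." while every value is a single-element list; `"Hostname(s) of Duo's Microsoft Azure Active Directory Conditional Access application for ... deployments"` would describe the actual type.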
--
rgit 0.1.5