From c5c976d797c79d7c84643170ea9b2955b3e3f842 Mon Sep 17 00:00:00 2001
From: Nemo <commits@captnemo.in>
Date: Sat, 04 Jan 2025 19:31:26 +0530
Subject: [PATCH] Adds auth_cidr_by_deployment and UAE CIDRs

---
 README.md  |  10 ++++++++++
 locals.tf  |   9 +++++++++
 outputs.tf | 150 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 145 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 9b2918b..e7e23b6 100644
--- a/README.md
+++ a/README.md
@@ -34,6 +34,16 @@
   security_group_id = "sg-123456"
 }
 
+// Limit MFA traffic as per your DUO Deployment ID
+resource "aws_security_group_rule" "allow_all_to_duo_auth" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = module.duo-ips.auth_cidr_by_deployment["DUO48"]
+  security_group_id = "sg-123456"
+}
+
 // trusted endpoint requests are made from these ranges
 // depending on what port your origin is using, pick the correct port here as well.
 resource "aws_security_group_rule" "allow_all_from_duo_in_ingress" {
diff --git a/locals.tf b/locals.tf
index 4e0005f..03b7342 100644
--- a/locals.tf
+++ a/locals.tf
@@ -44,6 +44,11 @@
     "13.40.93.64/26",
   ]
 
+  uae-cidrs = [
+    "51.112.11.128/26",
+    "16.24.91.0/26"
+  ]
+
   trusted-endpoint-us-cidrs = [
     "13.56.32.240/29",
     "52.32.63.176/30"
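Review bot: The new `uae-cidrs` list ends without a trailing comma on `"16.24.91.0/26"`, whereas the `us-cidrs` list just above it closes every entry with one (`"13.40.93.64/26",`); `terraform fmt` accepts both forms, so the inconsistency will persist unless fixed by hand. Writing it as `"16.24.91.0/26",` keeps the next addition to this list a one-line diff. A one-line comment above the list recording where the ranges came from and when, e.g. `# Source: <Duo IP-range doc URL>, checked <YYYY-MM-DD>`, would also help, since an allow-list that silently ages is the usual failure mode of a module like this. The `locals` block that contains this list starts outside the hunk.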
@@ -78,6 +83,10 @@
 
   trusted-endpoint-uk-cidrs = [
     "13.40.93.124/30"
+  ]
+
+  trusted-endpoint-uae-cidrs = [
+    "51.112.11.135/30"
   ]
 
 }
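Review bot: `51.112.11.135/30` in the new `trusted-endpoint-uae-cidrs` has host bits set (the /30 containing .135 starts at .132), making it the only unaligned prefix in these lists — `13.40.93.124/30` directly above and the /29 and /30 entries earlier in the file all sit on their block boundary. Whether the intended value is the aligned block `51.112.11.132/30` or a single-host `/32` cannot be told from the patch, so it should be confirmed against Duo's published list before merging. Depending on the API, AWS either rejects a malformed CIDR in a security-group rule or normalizes it to the network address, and the normalized form then shows up as a perpetual diff in Terraform, so the value as written is unlikely to apply cleanly either way.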
diff --git a/outputs.tf b/outputs.tf
index 9d5726e..d730cd2 100644
--- a/outputs.tf
+++ a/outputs.tf
@@ -14,12 +14,104 @@
   )
 }
 
+output "auth_cidr_by_deployment" {
+
+  description = "Map of Duo's Service CIDRs by deployment. Lookup by Deployment ID (DUOXX) for a list of CIDRs to allow for egress for authentication"
+  value = {
+    DUO1  = local.us-cidrs
+    DUO2  = local.us-cidrs
+    DUO4  = local.us-cidrs
+    DUO5  = local.us-cidrs
+    DUO6  = local.us-cidrs
+    DUO7  = local.us-cidrs
+    DUO9  = local.us-cidrs
+    DUO10 = local.us-cidrs
+    DUO13 = local.us-cidrs
+    DUO14 = local.us-cidrs
+    DUO15 = local.us-cidrs
+    DUO16 = local.us-cidrs
+    DUO17 = local.us-cidrs
+    DUO18 = local.us-cidrs
+    DUO19 = local.us-cidrs
+    DUO20 = local.us-cidrs
+    DUO21 = local.us-cidrs
+    DUO22 = local.us-cidrs
+    DUO23 = local.us-cidrs
+    DUO24 = local.us-cidrs
+    DUO28 = local.us-cidrs
+    DUO31 = local.us-cidrs
+    DUO32 = local.us-cidrs
+    DUO33 = local.us-cidrs
+    DUO35 = local.us-cidrs
+    DUO36 = local.us-cidrs
+    DUO37 = local.us-cidrs
+    DUO39 = local.us-cidrs
+    DUO40 = local.us-cidrs
+    DUO41 = local.us-cidrs
+    DUO42 = local.us-cidrs
+    DUO44 = local.us-cidrs
+    DUO45 = local.us-cidrs
+    DUO49 = local.us-cidrs
+    DUO50 = local.us-cidrs
+    DUO52 = local.us-cidrs
+    DUO55 = local.us-cidrs
+    DUO56 = local.us-cidrs
+    DUO58 = local.us-cidrs
+    DUO60 = local.us-cidrs
+    DUO62 = local.us-cidrs
+    DUO63 = local.us-cidrs
+    DUO64 = local.us-cidrs
+    DUO65 = local.us-cidrs
+    DUO71 = local.us-cidrs
+    DUO72 = local.us-cidrs
+    DUO73 = local.us-cidrs
+    DUO74 = local.us-cidrs
+    DUO75 = local.us-cidrs
+    DUO76 = local.us-cidrs
+    DUO77 = local.us-cidrs
+    DUO78 = local.us-cidrs
+    DUO79 = local.us-cidrs
+    DUO80 = local.us-cidrs
+
+    DUO3  = local.emea-cidrs
+    DUO47 = local.emea-cidrs
+    DUO57 = local.emea-cidrs
+
+    DUO38 = local.central-europe-cidrs
+    DUO48 = local.central-europe-cidrs
+
+    DUO53 = local.canada-cidrs
+
+    DUO66 = local.australia-cidrs
+
+    DUO67 = local.japan-cidrs
+
+    DUO68 = local.southeast-asia-cidrs
+
+    DUO69 = local.india-cidrs
+
+    DUO70 = local.uk-cidrs
+
+    DUO81 = local.uae-cidrs
+
+  }
+
+}
+
 output "us-cidrs" {
   description = "List of Duo's Service CIDRs for US deployments"
   value       = local.us-cidrs
 }
+
+# Maintained for backward compatibility
 output "emea-cidrs" {
-  description = "List of Duo's Service CIDRs for EMEA deployments"
+  description = "List of Duo's Service CIDRs for EMEA deployments. Same as eu-cidrs"
+  value       = local.emea-cidrs
+}
+
+# This was renamed from EMEA CIDRs
+output "eu-cidrs" {
+  description = "List of Duo's Service CIDRs for EMEA deployments. Same as emea-cidrs"
   value       = local.emea-cidrs
 }
 output "central-europe-cidrs" {
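Review bot: `auth_cidr_by_deployment` is a hand-maintained map with gaps in its key range (DUO8, DUO11, DUO12, DUO25–DUO27, DUO29, DUO30, DUO34, DUO43, DUO46, DUO51, DUO54, DUO59 and DUO61 are absent), and the description does not say what a consumer should expect for an ID that is not listed. A lookup such as `module.duo-ips.auth_cidr_by_deployment["DUO8"]` fails at plan time, which is the right fail-closed behaviour for an egress allow-list, but stating it keeps callers from wrapping the lookup in `try()`/`lookup()` with a permissive default; extending the description with `Deployment IDs absent from this map fail at plan time rather than falling back to a wider range.` would cover it. The map also carries no comment recording where the ID-to-region assignment came from or when it was last checked; `# Deployment-to-region mapping per <Duo deployment-ID doc>, last verified <YYYY-MM-DD>` above the `value` block would tell whoever adds DUO82 what to consult. Minor style: the blank lines directly after the opening `{`, after `DUO81`, and before the closing `}` are not used by any other output in this file.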
@@ -49,6 +141,11 @@
 output "uk-cidrs" {
   description = "List of Duo's Service CIDRs for UK deployments"
   value       = local.uk-cidrs
+}
+
+output "uae-cidrs" {
+  description = "List of Duo's Service CIDRs for UAE deployments"
+  value       = local.uae-cidrs
 }
 
 output "trusted_endpoints_cidrs" {
@@ -73,76 +170,81 @@
 }
 output "trusted-endpoint-emea-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for EMEA Deployments"
-  value       = local.a-trusted-endpoint-emea-cidrs
+  value       = local.trusted-endpoint-emea-cidrs
 }
 output "trusted-endpoint-central-europe-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments"
-  value       = local.ope-trusted-endpoint-central-europe-cidrs
+  value       = local.trusted-endpoint-central-europe-cidrs
 }
 output "trusted-endpoint-canada-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for Canda Deployments"
-  value       = local.ada-trusted-endpoint-canada-cidrs
+  value       = local.trusted-endpoint-canada-cidrs
 }
 output "trusted-endpoint-australia-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for Australia Deployments"
-  value       = local.tralia-trusted-endpoint-australia-cidrs
+  value       = local.trusted-endpoint-australia-cidrs
 }
 output "trusted-endpoint-japan-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for Japan Deployments"
-  value       = local.an-trusted-endpoint-japan-cidrs
+  value       = local.trusted-endpoint-japan-cidrs
 }
 output "trusted-endpoint-southeast-asia-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments"
-  value       = local.a-trusted-endpoint-southeast-asia-cidrs
+  value       = local.trusted-endpoint-southeast-asia-cidrs
 }
 output "trusted-endpoint-india-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for India Deployments"
-  value       = local.ia-trusted-endpoint-india-cidrs
+  value       = local.trusted-endpoint-india-cidrs
 }
 output "trusted-endpoint-uk-cidrs" {
   description = "List of Duo's Trusted Endpoint CIDRs for UK Deployments"
   value       = local.trusted-endpoint-uk-cidrs
+}
+
+output "trusted-endpoint-uae-cidrs" {
+  description = "List of Duo's Trusted Endpoint CIDRs for UAE Deployments"
+  value       = local.trusted-endpoint-uae-cidrs
 }
 
 output "ad_hostnames_ca" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments"
-  values      = ["cc1.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for Canada deployments"
+  value       = ["cc1.azureauth.duosecurity.com"]
 }
 
 output "ad_hostnames_eu" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments"
-  values = [
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for EU deployments"
+  value = [
     "ec1.azureauth.duosecurity.com",
     "eu-west.azureauth.duosecurity.com"
   ]
 }
 
 output "ad_hostnames_us" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments"
-  values      = ["us.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for US deployments"
+  value       = ["us.azureauth.duosecurity.com"]
 }
 
 output "ad_hostnames_au" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments"
-  values      = ["ase2.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for Australia deployments"
+  value       = ["ase2.azureauth.duosecurity.com"]
 }
 
 output "ad_hostnames_asean" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments"
-  values      = ["ase1.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for ASEAN deployments"
+  value       = ["ase1.azureauth.duosecurity.com"]
 }
 
 output "ad_hostnames_jp" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments"
-  values      = ["ane1.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for Japan deployments"
+  value       = ["ane1.azureauth.duosecurity.com"]
 }
 
 output "ad_hostnames_uk" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments"
-  values      = ["ew2.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for UK deployments"
+  value       = ["ew2.azureauth.duosecurity.com"]
 }
 
 output "ad_hostnames_in" {
-  description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments"
-  values      = ["as1.azureauth.duosecurity.com"]
+  description = "List of Duo's Microsoft Entra ID Conditional Access hostnames (formerly Azure Conditional Access) for IND deployments"
+  value       = ["as1.azureauth.duosecurity.com"]
 }
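Review bot: The rewritten `ad_hostnames_in` description says `for IND deployments`, while the sibling outputs rewritten in the same hunk use full region names (`for Canada deployments`, `for Australia deployments`, `for Japan deployments`); `for India deployments` would match them and the `india-cidrs` naming used elsewhere in the file. While these descriptions are being touched, the unchanged context line for `trusted-endpoint-canada-cidrs` still reads `Canda Deployments` and could become `Canada Deployments` in the same commit. No `ad_hostnames` output is added for the UAE deployment that this patch introduces in `locals.tf` and the other outputs; if Duo publishes a Conditional Access hostname for DUO81 it is missing here, and if it does not, a one-line comment saying so would stop the next reader from assuming an omission.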
--
rgit 0.1.5