diff --git a/README.md b/README.md index 443ec49..9b2918b 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,90 @@ # terraform-data-duo-ips ![License:MIT](https://img.shields.io/badge/license-MIT-blue.svg) ![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/captn3m0/terraform-data-duo-ips?sort=semver) ![GitHub last commit](https://img.shields.io/github/last-commit/captn3m0/terraform-data-duo-ips) -This module provides an updated list of Duo's public CIDRs. These are maintained against the Duo Documentation: https://help.duo.com/s/article/1337 +This module provides an updated list of Duo's public CIDRs. These are maintained against the Duo Documentation: https://help.duo.com/s/article/1337. + +Supported on both Terraform and OpenTofu. # Usage ```hcl +// Import the module module "duo-ips" { source = "captn3m0/duo-ips/data" - version = "1.2.0" + version = "1.3.0" } +// Allow traffic for MFA APIs for all region CIDRs +// Also open traffic from these to your LDAP Server port 636 if you're using LDAP resource "aws_security_group_rule" "allow_all_to_duo" { - type = "egress" - from_port = 0 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["${module.duo-ips.cidr}"] + type = "egress" + from_port = 0 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["${module.duo-ips.cidrs}"] + security_group_id = "sg-123456" +} + +// Limit MFA traffic to specific regions +resource "aws_security_group_rule" "allow_all_to_duo_uk" { + type = "egress" + from_port = 0 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["${module.duo-ips.uk-cidrs}"] + security_group_id = "sg-123456" +} + +// trusted endpoint requests are made from these ranges +// depending on what port your origin is using, pick the correct port here as well. 
+resource "aws_security_group_rule" "allow_all_from_duo_in_ingress" { + type = "ingress" + from_port = 0 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["${module.duo-ips.trusted-endpoint-india-cidrs}"] security_group_id = "sg-123456" } ``` +## Outputs + +| Name | Description | +|------|-------------| +| ad\_hostnames\_asean | Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments | +| ad\_hostnames\_au | Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments | +| ad\_hostnames\_ca | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments | +| ad\_hostnames\_eu | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments | +| ad\_hostnames\_in | Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments | +| ad\_hostnames\_jp | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments | +| ad\_hostnames\_uk | Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments | +| ad\_hostnames\_us | Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments | +| australia-cidrs | List of Duo's Service CIDRs for australia deployments | +| canada-cidrs | List of Duo's Service CIDRs for canada deployments | +| central-europe-cidrs | List of Duo's Service CIDRs for central-europe deployments | +| cidrs | List of all Duo Service CIDRs. 
Allow for egress to Duo | +| emea-cidrs | List of Duo's Service CIDRs for EMEA deployments | +| india-cidrs | List of Duo's Service CIDRs for india deployments | +| japan-cidrs | List of Duo's Service CIDRs for japan deployments | +| southeast-asia-cidrs | List of Duo's Service CIDRs for southeast-asia deployments | +| trusted-endpoint-australia-cidrs | List of Duo's Trusted Endpoint CIDRs for Australia Deployments | +| trusted-endpoint-canada-cidrs | List of Duo's Trusted Endpoint CIDRs for Canda Deployments | +| trusted-endpoint-central-europe-cidrs | List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments | +| trusted-endpoint-emea-cidrs | List of Duo's Trusted Endpoint CIDRs for EMEA Deployments | +| trusted-endpoint-india-cidrs | List of Duo's Trusted Endpoint CIDRs for India Deployments | +| trusted-endpoint-japan-cidrs | List of Duo's Trusted Endpoint CIDRs for Japan Deployments | +| trusted-endpoint-southeast-asia-cidrs | List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments | +| trusted-endpoint-uk-cidrs | List of Duo's Trusted Endpoint CIDRs for UK Deployments | +| trusted-endpoint-us-cidrs | List of Duo's Trusted Endpoint CIDRs for US Deployments | +| trusted\_endpoints\_cidrs | List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo | +| uk-cidrs | List of Duo's Service CIDRs for UK deployments | +| us-cidrs | List of Duo's Service CIDRs for US deployments | + ## Changelog +### 1.3.0 +- Added new outputs for various regions +- New regions added: UK/India + ### 1.2.0 - Added new CIDRs 
@@ -34,30 +97,6 @@ resource "aws_security_group_rule" "allow_all_to_duo" { - Changed the terraform registry module name from [`duo-whitelist`](https://registry.terraform.io/modules/captn3m0/duo-whitelist) to [`duo-ips`](https://registry.terraform.io/modules/captn3m0/duo-ips). - Renamed `duo_ad_hostnames_us` to `ad_hostnames_us` -## Outputs - -The following outputs are exported: - -### ad\_hostnames\_ca - -Description: Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments - -### ad\_hostnames\_eu - -Description: Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments - -### cidrs - -Description: List of all Duo Service CIDRs. Allow for egress to Duo - -### ad\_hostnames\_us - -Description: Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments - -### trusted\_endpoints\_cidrs - -Description: List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo - # LICENSE Licensed under MIT. See [nemo.mit-license.org](https://nemo.mit-license.org/) for complete text. diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..4e0005f --- /dev/null +++ b/locals.tf 
@@ -0,0 +1,83 @@
+locals {
+ us-cidrs = [
+ "3.145.240.0/25",
+ "52.32.63.128/26",
+ "54.236.251.192/26",
+ "54.241.191.128/26",
+ ]
+
+ emea-cidrs = [
+ "13.39.113.0/26",
+ "52.19.127.192/26",
+ ]
+
+ central-europe-cidrs = [
+ "16.62.194.128/26",
+ "52.59.243.192/26",
+ ]
+
+ canada-cidrs = [
+ "35.182.14.128/26",
+ ]
+
+ australia-cidrs = [
+ "3.25.48.128/26",
+ ]
+
+ japan-cidrs = [
+ "15.168.49.0/26",
+ "35.74.77.64/26"
+ ]
+
+ southeast-asia-cidrs = [
+ "13.213.75.128/26",
+ "43.218.17.0/26",
+ "43.218.17.64/26",
+ ]
+
+ india-cidrs = [
+ "3.110.73.128/26",
+ "18.60.199.0/26",
+ ]
+
+ uk-cidrs = [
+ "13.40.93.64/26",
+ ]
+
+ trusted-endpoint-us-cidrs = [
+ "13.56.32.240/29",
+ "52.32.63.176/30"
+ ]
+
+ trusted-endpoint-emea-cidrs = [
+ "52.19.127.200/30"
+ ]
+ trusted-endpoint-central-europe-cidrs = [
+ "52.59.243.200/30"
+ ]
+
+ trusted-endpoint-canada-cidrs = [
+ "35.182.14.128/30"
+ ]
+
+ trusted-endpoint-australia-cidrs = [
+ "3.25.48.188/30"
+ ]
+
+ trusted-endpoint-japan-cidrs = [
+ "35.74.77.124/30"
+ ]
+
+ trusted-endpoint-southeast-asia-cidrs = [
+ "13.213.75.172/30"
+ ]
+
+ trusted-endpoint-india-cidrs = [
+ "3.110.73.188/30"
+ ]
+
+ trusted-endpoint-uk-cidrs = [
+ "13.40.93.124/30"
+ ]
+
+}
diff --git a/outputs.tf b/outputs.tf
index a920cbd..9d5726e 100644
--- a/outputs.tf
+++ b/outputs.tf
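Review bot: The new `locals` block carries no provenance, so a consumer applying these ranges to security-group rules cannot tell which revision of the Duo document they were copied from or when they were last checked; add a header comment at the top of the file such as `# Source: https://help.duo.com/s/article/1337 — last synced YYYY-MM-DD; re-verify before each release.` The `trusted-endpoint-*` entries are the ones the README feeds into ingress rules, and they are small AWS-space /29 and /30 blocks, so a stale entry presumably could end up admitting whoever AWS later assigns that range to — worth stating that risk in the same comment. A smaller style point: most lists end with a trailing comma but `"35.74.77.64/26"`, `"52.32.63.176/30"` and all of the single-element trusted-endpoint lists do not, which makes future one-line additions noisier in diffs; `terraform fmt` will not normalise this, so pick one form.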
@@ -1,32 +1,107 @@ output "cidrs" { description = "List of all Duo Service CIDRs. Allow for egress to Duo" - value = [ - "54.241.191.128/26", - "54.236.251.192/26", - "52.19.127.192/26", - "52.32.63.128/26", - "52.59.243.192/26", - "35.182.14.128/26", - "3.25.48.128/26", - "35.74.77.64/26", - "13.213.75.128/26" - ] + value = concat( + local.us-cidrs, + local.emea-cidrs, + local.central-europe-cidrs, + local.canada-cidrs, + local.australia-cidrs, + local.japan-cidrs, + local.southeast-asia-cidrs, + local.india-cidrs, + local.uk-cidrs, + ) +} + +output "us-cidrs" { + description = "List of Duo's Service CIDRs for US deployments" + value = local.us-cidrs +} +output "emea-cidrs" { + description = "List of Duo's Service CIDRs for EMEA deployments" + value = local.emea-cidrs +} +output "central-europe-cidrs" { + description = "List of Duo's Service CIDRs for central-europe deployments" + value = local.central-europe-cidrs +} +output "canada-cidrs" { + description = "List of Duo's Service CIDRs for canada deployments" + value = local.canada-cidrs +} +output "australia-cidrs" { + description = "List of Duo's Service CIDRs for australia deployments" + value = local.australia-cidrs +} +output "japan-cidrs" { + description = "List of Duo's Service CIDRs for japan deployments" + value = local.japan-cidrs +} +output "southeast-asia-cidrs" { + description = "List of Duo's Service CIDRs for southeast-asia deployments" + value = local.southeast-asia-cidrs +} +output "india-cidrs" { + description = "List of Duo's Service CIDRs for india deployments" + value = local.india-cidrs +} +output "uk-cidrs" { + description = "List of Duo's Service CIDRs for UK deployments" + value = local.uk-cidrs } output "trusted_endpoints_cidrs" { description = "List of Duo's Trusted Endpoint CIDRs. 
Allow for ingress from Duo" - value = [ - "13.56.32.240/29", - "52.32.63.176/30", - "52.19.127.200/30", - "52.59.243.200/30", - "35.182.14.128/30", - "3.24.48.188/30", - "35.74.77.124/30", - "13.213.75.172/30" - ] + value = concat( + local.trusted-endpoint-us-cidrs, + local.trusted-endpoint-emea-cidrs, + local.trusted-endpoint-central-europe-cidrs, + local.trusted-endpoint-canada-cidrs, + local.trusted-endpoint-australia-cidrs, + local.trusted-endpoint-japan-cidrs, + local.trusted-endpoint-southeast-asia-cidrs, + local.trusted-endpoint-india-cidrs, + local.trusted-endpoint-uk-cidrs, + ) +} + +output "trusted-endpoint-us-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for US Deployments" + value = local.trusted-endpoint-us-cidrs +} +output "trusted-endpoint-emea-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for EMEA Deployments" + value = local.a-trusted-endpoint-emea-cidrs +} +output "trusted-endpoint-central-europe-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments" + value = local.ope-trusted-endpoint-central-europe-cidrs +} +output "trusted-endpoint-canada-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for Canda Deployments" + value = local.ada-trusted-endpoint-canada-cidrs +} +output "trusted-endpoint-australia-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for Australia Deployments" + value = local.tralia-trusted-endpoint-australia-cidrs +} +output "trusted-endpoint-japan-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for Japan Deployments" + value = local.an-trusted-endpoint-japan-cidrs +} +output "trusted-endpoint-southeast-asia-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments" + value = local.a-trusted-endpoint-southeast-asia-cidrs +} +output "trusted-endpoint-india-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for India Deployments" + value = 
local.ia-trusted-endpoint-india-cidrs +} +output "trusted-endpoint-uk-cidrs" { + description = "List of Duo's Trusted Endpoint CIDRs for UK Deployments" + value = local.trusted-endpoint-uk-cidrs } output "ad_hostnames_ca" { @@ -51,3 +126,23 @@ output "ad_hostnames_au" { description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments" values = ["ase2.azureauth.duosecurity.com"] } + +output "ad_hostnames_asean" { + description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments" + values = ["ase1.azureauth.duosecurity.com"] +} + +output "ad_hostnames_jp" { + description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments" + values = ["ane1.azureauth.duosecurity.com"] +} + +output "ad_hostnames_uk" { + description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments" + values = ["ew2.azureauth.duosecurity.com"] +} + +output "ad_hostnames_in" { + description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments" + values = ["as1.azureauth.duosecurity.com"] +}
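Review bot: Seven of the new per-region trusted-endpoint outputs reference locals that do not exist — `local.a-trusted-endpoint-emea-cidrs`, `local.ope-trusted-endpoint-central-europe-cidrs`, `local.ada-trusted-endpoint-canada-cidrs`, `local.tralia-trusted-endpoint-australia-cidrs`, `local.an-trusted-endpoint-japan-cidrs`, `local.a-trusted-endpoint-southeast-asia-cidrs` and `local.ia-trusted-endpoint-india-cidrs` — while `locals.tf` defines them as `trusted-endpoint-<region>-cidrs`; the stray prefixes look like the tail of a search-and-replace, and `terraform validate` will reject the module with an unsupported-attribute error, so version 1.3.0 as tagged in the README is unusable. Only the `us` and `uk` outputs, and the aggregate `trusted_endpoints_cidrs` (which reads the correct names directly), are spelled right. The fix is the `value` line in each of the seven affected blocks, shown below; a `terraform validate` step in CI would have caught this before the tag.
```hcl
output "trusted-endpoint-emea-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-emea-cidrs
}
output "trusted-endpoint-central-europe-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-central-europe-cidrs
}
output "trusted-endpoint-canada-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-canada-cidrs
}
output "trusted-endpoint-australia-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-australia-cidrs
}
output "trusted-endpoint-japan-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-japan-cidrs
}
output "trusted-endpoint-southeast-asia-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-southeast-asia-cidrs
}
output "trusted-endpoint-india-cidrs" {
  # … unchanged: description …
  value       = local.trusted-endpoint-india-cidrs
}
```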
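Review bot: The four added `ad_hostnames_*` outputs use `values = [...]`, but an `output` block has no `values` argument and its `value` argument is required, so Terraform will reject these (the `ad_hostnames_au` context line above shows the same problem already exists, and this hunk repeats it rather than fixing it); change each to `value = ["ase1.azureauth.duosecurity.com"]` and so on. The descriptions also say "Map of Duo's Microsoft Azure Active Directory Conditional Access application" while the value is a single-element list of hostnames, which misleads anyone building a DNS or egress allowlist from the output — reword to e.g. `List of Duo Azure AD Conditional Access hostnames for ASEAN deployments`, or actually return a map if callers expect keys. The `ad_hostnames_au` block whose tail appears here starts outside the hunk.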