Compare commits
14 Commits
Author | SHA1 | Date |
---|---|---|
Nemo | 58410fa2b5 | |
Nemo | 9eeba0e3b9 | |
Nemo | 20e6cba80a | |
Nemo | 708dd80d8f | |
dependabot-preview[bot] | 964408414a | |
Nemo | 2ae5692fc9 | |
Nemo | 7ffa8fad10 | |
Nemo | e357e4aa54 | |
Nemo | dab85dc53a | |
Nemo | cb310119e7 | |
Nemo | 504209e5e1 | |
Nemo | eb3e8c9195 | |
Nemo | b24c9442d1 | |
Nemo | b018e58799 |
|
@ -0,0 +1,3 @@
|
|||
ko_fi: captn3m0
|
||||
liberapay: captn3m0
|
||||
github: captn3m0
|
|
@ -0,0 +1,8 @@
|
|||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: terraform
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: daily
|
||||
time: "23:30"
|
||||
open-pull-requests-limit: 99
|
2
LICENSE
2
LICENSE
|
@ -1,6 +1,6 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2019 Abhay Rana
|
||||
Copyright (c) 2021 Abhay Rana
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
|
96
README.md
96
README.md
|
@ -1,37 +1,101 @@
|
|||
# terraform-http-duo-whitelist ![](https://img.shields.io/badge/license-MIT-blue.svg)
|
||||
# terraform-data-duo-ips ![License:MIT](https://img.shields.io/badge/license-MIT-blue.svg) ![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/captn3m0/terraform-data-duo-ips?sort=semver) ![GitHub last commit](https://img.shields.io/github/last-commit/captn3m0/terraform-data-duo-ips)
|
||||
|
||||
This module provides an updated list of Duo's public CIDRs. These are maintained against the Duo Documentation: https://help.duo.com/s/article/1337
|
||||
This module provides an updated list of Duo's public CIDRs. These are maintained against the Duo Documentation: https://help.duo.com/s/article/1337.
|
||||
|
||||
Supported on both Terraform and OpenTofu.
|
||||
|
||||
# Usage
|
||||
|
||||
```hcl
|
||||
module "duo-whitelist" {
|
||||
source = "captn3m0/duo-whitelist/http"
|
||||
version = "1.0.0"
|
||||
// Import the module
|
||||
module "duo-ips" {
|
||||
source = "captn3m0/duo-ips/data"
|
||||
version = "1.3.0"
|
||||
}
|
||||
|
||||
// Allow traffic for MFA APIs for all region CIDRs
|
||||
// Also open traffic from these to your LDAP Server port 636 if you're using LDAP
|
||||
resource "aws_security_group_rule" "allow_all_to_duo" {
|
||||
type = "egress"
|
||||
from_port = 0
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
cidr_blocks = ["${module.duo-whitelist.cidr}"]
|
||||
type = "egress"
|
||||
from_port = 0
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
cidr_blocks = ["${module.duo-ips.cidrs}"]
|
||||
security_group_id = "sg-123456"
|
||||
}
|
||||
|
||||
// Limit MFA traffic to specific regions
|
||||
resource "aws_security_group_rule" "allow_all_to_duo_uk" {
|
||||
type = "egress"
|
||||
from_port = 0
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
cidr_blocks = ["${module.duo-ips.uk-cidrs}"]
|
||||
security_group_id = "sg-123456"
|
||||
}
|
||||
|
||||
// trusted endpoint requests are made from these ranges
|
||||
// depending on what port your origin is using, pick the correct port here as well.
|
||||
resource "aws_security_group_rule" "allow_all_from_duo_in_ingress" {
|
||||
type = "ingress"
|
||||
from_port = 0
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
cidr_blocks = ["${module.duo-ips.trusted-endpoint-india-cidrs}"]
|
||||
security_group_id = "sg-123456"
|
||||
}
|
||||
```
|
||||
|
||||
# Outputs
|
||||
## Outputs
|
||||
|
||||
The following outputs are exported:
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| ad\_hostnames\_asean | Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments |
|
||||
| ad\_hostnames\_au | Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments |
|
||||
| ad\_hostnames\_ca | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments |
|
||||
| ad\_hostnames\_eu | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments |
|
||||
| ad\_hostnames\_in | Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments |
|
||||
| ad\_hostnames\_jp | Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments |
|
||||
| ad\_hostnames\_uk | Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments |
|
||||
| ad\_hostnames\_us | Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments |
|
||||
| australia-cidrs | List of Duo's Service CIDRs for australia deployments |
|
||||
| canada-cidrs | List of Duo's Service CIDRs for canada deployments |
|
||||
| central-europe-cidrs | List of Duo's Service CIDRs for central-europe deployments |
|
||||
| cidrs | List of all Duo Service CIDRs. Allow for egress to Duo |
|
||||
| emea-cidrs | List of Duo's Service CIDRs for EMEA deployments |
|
||||
| india-cidrs | List of Duo's Service CIDRs for india deployments |
|
||||
| japan-cidrs | List of Duo's Service CIDRs for japan deployments |
|
||||
| southeast-asia-cidrs | List of Duo's Service CIDRs for southeast-asia deployments |
|
||||
| trusted-endpoint-australia-cidrs | List of Duo's Trusted Endpoint CIDRs for Australia Deployments |
|
||||
| trusted-endpoint-canada-cidrs | List of Duo's Trusted Endpoint CIDRs for Canda Deployments |
|
||||
| trusted-endpoint-central-europe-cidrs | List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments |
|
||||
| trusted-endpoint-emea-cidrs | List of Duo's Trusted Endpoint CIDRs for EMEA Deployments |
|
||||
| trusted-endpoint-india-cidrs | List of Duo's Trusted Endpoint CIDRs for India Deployments |
|
||||
| trusted-endpoint-japan-cidrs | List of Duo's Trusted Endpoint CIDRs for Japan Deployments |
|
||||
| trusted-endpoint-southeast-asia-cidrs | List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments |
|
||||
| trusted-endpoint-uk-cidrs | List of Duo's Trusted Endpoint CIDRs for UK Deployments |
|
||||
| trusted-endpoint-us-cidrs | List of Duo's Trusted Endpoint CIDRs for US Deployments |
|
||||
| trusted\_endpoints\_cidrs | List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo |
|
||||
| uk-cidrs | List of Duo's Service CIDRs for UK deployments |
|
||||
| us-cidrs | List of Duo's Service CIDRs for US deployments |
|
||||
|
||||
## cidrs
|
||||
## Changelog
|
||||
|
||||
Description: List of all Duo Service CIDRs. Whitelist for egress
|
||||
### 1.3.0
|
||||
- Added new outputs for various regions
|
||||
- New regions added: UK/India
|
||||
|
||||
## trusted\_endpoints\_cidrs
|
||||
### 1.2.0
|
||||
- Added new CIDRs
|
||||
|
||||
Description: Duo's Trusted Endpoint CIDRs. Whitelist for ingress
|
||||
### 1.1.0
|
||||
|
||||
- Removed `http://` from hostname values.
|
||||
|
||||
### 1.0.3
|
||||
|
||||
- Changed the terraform registry module name from [`duo-whitelist`](https://registry.terraform.io/modules/captn3m0/duo-whitelist) to [`duo-ips`](https://registry.terraform.io/modules/captn3m0/duo-ips).
|
||||
- Renamed `duo_ad_hostnames_us` to `ad_hostnames_us`
|
||||
|
||||
# LICENSE
|
||||
|
||||
|
|
|
@ -0,0 +1,83 @@
|
|||
locals {
|
||||
us-cidrs = [
|
||||
"3.145.240.0/25",
|
||||
"52.32.63.128/26",
|
||||
"54.236.251.192/26",
|
||||
"54.241.191.128/26",
|
||||
]
|
||||
|
||||
emea-cidrs = [
|
||||
"13.39.113.0/26",
|
||||
"52.19.127.192/26",
|
||||
]
|
||||
|
||||
central-europe-cidrs = [
|
||||
"16.62.194.128/26",
|
||||
"52.59.243.192/26",
|
||||
]
|
||||
|
||||
canada-cidrs = [
|
||||
"35.182.14.128/26",
|
||||
]
|
||||
|
||||
australia-cidrs = [
|
||||
"3.25.48.128/26",
|
||||
]
|
||||
|
||||
japan-cidrs = [
|
||||
"15.168.49.0/26",
|
||||
"35.74.77.64/26"
|
||||
]
|
||||
|
||||
southeast-asia-cidrs = [
|
||||
"13.213.75.128/26",
|
||||
"43.218.17.0/26",
|
||||
"43.218.17.64/26",
|
||||
]
|
||||
|
||||
india-cidrs = [
|
||||
"3.110.73.128/26",
|
||||
"18.60.199.0/26",
|
||||
]
|
||||
|
||||
uk-cidrs = [
|
||||
"13.40.93.64/26",
|
||||
]
|
||||
|
||||
trusted-endpoint-us-cidrs = [
|
||||
"13.56.32.240/29",
|
||||
"52.32.63.176/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-emea-cidrs = [
|
||||
"52.19.127.200/30"
|
||||
]
|
||||
trusted-endpoint-central-europe-cidrs = [
|
||||
"52.59.243.200/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-canada-cidrs = [
|
||||
"35.182.14.128/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-australia-cidrs = [
|
||||
"3.25.48.188/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-japan-cidrs = [
|
||||
"35.74.77.124/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-southeast-asia-cidrs = [
|
||||
"13.213.75.172/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-india-cidrs = [
|
||||
"3.110.73.188/30"
|
||||
]
|
||||
|
||||
trusted-endpoint-uk-cidrs = [
|
||||
"13.40.93.124/30"
|
||||
]
|
||||
|
||||
}
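Review bot: The Canada trusted-endpoint range `"35.182.14.128/30"` is the only one that sits at the very start of its region's service block (`"35.182.14.128/26"`), whereas every other region's `/30` sits near the end of its `/26` (for example `"3.25.48.128/26"` pairs with `"3.25.48.188/30"` and `"52.19.127.192/26"` with `"52.19.127.200/30"`); I cannot check the Duo page from here, but that outlier is worth re-verifying before tagging, since consumers turn it straight into an ingress allow-list. The block also carries no pointer to where these values come from or when they were last checked, so a downstream reader cannot judge staleness; a header comment such as `# Source: https://help.duo.com/s/article/1337 (re-verify on each release)` above `locals {` would address that. The file name of this new section is not visible on the page, so I assume it is the module's locals file.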
|
156
outputs.tf
156
outputs.tf
|
@ -1,24 +1,148 @@
|
|||
output "cidrs" {
|
||||
description = "List of all Duo Service CIDRs. Whitelist for egress"
|
||||
description = "List of all Duo Service CIDRs. Allow for egress to Duo"
|
||||
|
||||
value = [
|
||||
"54.241.191.128/26",
|
||||
"54.236.251.192/26",
|
||||
"52.19.127.192/26",
|
||||
"52.32.63.128/26",
|
||||
"52.59.243.192/26",
|
||||
"35.182.14.128/26",
|
||||
]
|
||||
value = concat(
|
||||
local.us-cidrs,
|
||||
local.emea-cidrs,
|
||||
local.central-europe-cidrs,
|
||||
local.canada-cidrs,
|
||||
local.australia-cidrs,
|
||||
local.japan-cidrs,
|
||||
local.southeast-asia-cidrs,
|
||||
local.india-cidrs,
|
||||
local.uk-cidrs,
|
||||
)
|
||||
}
|
||||
|
||||
output "us-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for US deployments"
|
||||
value = local.us-cidrs
|
||||
}
|
||||
output "emea-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for EMEA deployments"
|
||||
value = local.emea-cidrs
|
||||
}
|
||||
output "central-europe-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for central-europe deployments"
|
||||
value = local.central-europe-cidrs
|
||||
}
|
||||
output "canada-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for canada deployments"
|
||||
value = local.canada-cidrs
|
||||
}
|
||||
output "australia-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for australia deployments"
|
||||
value = local.australia-cidrs
|
||||
}
|
||||
output "japan-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for japan deployments"
|
||||
value = local.japan-cidrs
|
||||
}
|
||||
output "southeast-asia-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for southeast-asia deployments"
|
||||
value = local.southeast-asia-cidrs
|
||||
}
|
||||
output "india-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for india deployments"
|
||||
value = local.india-cidrs
|
||||
}
|
||||
output "uk-cidrs" {
|
||||
description = "List of Duo's Service CIDRs for UK deployments"
|
||||
value = local.uk-cidrs
|
||||
}
|
||||
|
||||
output "trusted_endpoints_cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs. Whitelist for ingress"
|
||||
description = "List of Duo's Trusted Endpoint CIDRs. Allow for ingress from Duo"
|
||||
|
||||
value = [
|
||||
"13.56.32.240/29",
|
||||
"52.32.63.176/30",
|
||||
"52.19.127.200/30",
|
||||
"52.59.243.200/30",
|
||||
"35.182.14.128/30",
|
||||
value = concat(
|
||||
local.trusted-endpoint-us-cidrs,
|
||||
local.trusted-endpoint-emea-cidrs,
|
||||
local.trusted-endpoint-central-europe-cidrs,
|
||||
local.trusted-endpoint-canada-cidrs,
|
||||
local.trusted-endpoint-australia-cidrs,
|
||||
local.trusted-endpoint-japan-cidrs,
|
||||
local.trusted-endpoint-southeast-asia-cidrs,
|
||||
local.trusted-endpoint-india-cidrs,
|
||||
local.trusted-endpoint-uk-cidrs,
|
||||
)
|
||||
}
|
||||
|
||||
output "trusted-endpoint-us-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for US Deployments"
|
||||
value = local.trusted-endpoint-us-cidrs
|
||||
}
|
||||
output "trusted-endpoint-emea-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for EMEA Deployments"
|
||||
value = local.a-trusted-endpoint-emea-cidrs
|
||||
}
|
||||
output "trusted-endpoint-central-europe-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for Central Europe Deployments"
|
||||
value = local.ope-trusted-endpoint-central-europe-cidrs
|
||||
}
|
||||
output "trusted-endpoint-canada-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for Canda Deployments"
|
||||
value = local.ada-trusted-endpoint-canada-cidrs
|
||||
}
|
||||
output "trusted-endpoint-australia-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for Australia Deployments"
|
||||
value = local.tralia-trusted-endpoint-australia-cidrs
|
||||
}
|
||||
output "trusted-endpoint-japan-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for Japan Deployments"
|
||||
value = local.an-trusted-endpoint-japan-cidrs
|
||||
}
|
||||
output "trusted-endpoint-southeast-asia-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for Southeast Asia Deployments"
|
||||
value = local.a-trusted-endpoint-southeast-asia-cidrs
|
||||
}
|
||||
output "trusted-endpoint-india-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for India Deployments"
|
||||
value = local.ia-trusted-endpoint-india-cidrs
|
||||
}
|
||||
output "trusted-endpoint-uk-cidrs" {
|
||||
description = "List of Duo's Trusted Endpoint CIDRs for UK Deployments"
|
||||
value = local.trusted-endpoint-uk-cidrs
|
||||
}
|
||||
|
||||
output "ad_hostnames_ca" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Canada deployments"
|
||||
values = ["cc1.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
||||
output "ad_hostnames_eu" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Europe deployments"
|
||||
values = [
|
||||
"ec1.azureauth.duosecurity.com",
|
||||
"eu-west.azureauth.duosecurity.com"
|
||||
]
|
||||
}
|
||||
|
||||
output "ad_hostnames_us" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for US deployments"
|
||||
values = ["us.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
||||
output "ad_hostnames_au" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for AU deployments"
|
||||
values = ["ase2.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
||||
output "ad_hostnames_asean" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for ASEAN deployments"
|
||||
values = ["ase1.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
||||
output "ad_hostnames_jp" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for Japan deployments"
|
||||
values = ["ane1.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
||||
output "ad_hostnames_uk" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for UK deployments"
|
||||
values = ["ew2.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
||||
output "ad_hostnames_in" {
|
||||
description = "Map of Duo's Microsoft Azure Active Directory Conditional Access application for IN deployments"
|
||||
values = ["as1.azureauth.duosecurity.com"]
|
||||
}
|
||||
|
|
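Review bot: The regional trusted-endpoint outputs from `trusted-endpoint-emea-cidrs` through `trusted-endpoint-india-cidrs` reference locals that are not declared anywhere in the new locals block — `local.a-trusted-endpoint-emea-cidrs`, `local.ope-trusted-endpoint-central-europe-cidrs`, `local.ada-trusted-endpoint-canada-cidrs`, `local.tralia-trusted-endpoint-australia-cidrs`, `local.an-trusted-endpoint-japan-cidrs`, `local.a-trusted-endpoint-southeast-asia-cidrs`, `local.ia-trusted-endpoint-india-cidrs` — which looks like a stray search-and-replace and, as rendered, would fail `terraform validate` with an undeclared-local error; each should read like the US/UK ones, e.g. `value = local.trusted-endpoint-emea-cidrs`. The eight new `ad_hostnames_*` outputs use `values = [...]`, but an `output` block only accepts `value`, so these fail validation too and should become `value = [...]`; their descriptions say "Map" while the value is a list, so the wording should say list. Since consumers feed these outputs directly into security-group rules, I would add a `terraform validate` (or `tofu validate`) step to CI so a release with a broken outputs file cannot be tagged.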