Fix access for Teleport DB support

Signed-off-by: Stavros Foteinopoulos <[email protected]>

aws/awat/README.md

@@ -81,6 +81,7 @@
 | <a name="input_open_oidc_provider_url"></a> [open\_oidc\_provider\_url](#input\_open\_oidc\_provider\_url) | The Open OIDC Provider URL for a specific cluster | `string` | n/a | yes |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | n/a | `list(string)` | n/a | yes |
 | <a name="input_serviceaccount"></a> [serviceaccount](#input\_serviceaccount) | Service Account, with which we want to associate IAM permission | `string` | n/a | yes |
+| <a name="input_teleport_cidr"></a> [teleport\_cidr](#input\_teleport\_cidr) | The Teleport CIDR block to allow access | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
 
 ## Outputs

aws/awat/awat_db.tf

@@ -11,6 +11,14 @@ resource "aws_security_group" "cnc_to_awat_db" {
     security_groups = [data.terraform_remote_state.cnc_cluster.outputs.workers_security_group]
   }
 
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.teleport_cidr
+    description = "Allow the Teleport DB Service"
+  }
+
   ingress {
     from_port   = 5432
     to_port     = 5432

aws/awat/variables.tf

@@ -186,3 +186,8 @@ variable "iam_database_authentication_enabled" {
   description = "Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled."
   default     = false
 }
+
+variable "teleport_cidr" {
+  type        = string
+  description = "The Teleport CIDR block to allow access"
+}

aws/customer-web-server/README.md

@@ -66,6 +66,7 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
 | <a name="input_iam_database_authentication_enabled"></a> [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. | `bool` | `false` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | n/a | `list(string)` | n/a | yes |
+| <a name="input_teleport_cidr"></a> [teleport\_cidr](#input\_teleport\_cidr) | The Teleport CIDR block to allow access | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
 
 ## Outputs

aws/customer-web-server/variables.tf

@@ -163,3 +163,8 @@ variable "iam_database_authentication_enabled" {
   description = "Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled."
   default     = false
 }
+
+variable "teleport_cidr" {
+  type        = string
+  description = "The Teleport CIDR block to allow access"
+}

aws/customer-web-server/web-server.tf

@@ -30,6 +30,14 @@ resource "aws_security_group" "cws_postgres_sg" {
     description = "CLOUD VPN"
   }
 
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.teleport_cidr
+    description = "Allow the Teleport DB Service"
+  }
+
   egress {
     from_port   = 0
     to_port     = 0

aws/elrond/README.md

@@ -64,6 +64,7 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment to deploy the Elrond resources, dev, test, etc. | `string` | n/a | yes |
 | <a name="input_iam_database_authentication_enabled"></a> [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. | `bool` | `false` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The Elrond DB private subnets | `list(string)` | n/a | yes |
+| <a name="input_teleport_cidr"></a> [teleport\_cidr](#input\_teleport\_cidr) | The Teleport CIDR block to allow access | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC to deploy the Elrond resources | `string` | n/a | yes |
 
 ## Outputs

aws/elrond/elrond-db.tf

@@ -11,6 +11,14 @@ resource "aws_security_group" "cnc_to_elrond_postgress" {
     security_groups = [data.terraform_remote_state.cluster.outputs.workers_security_group]
   }
 
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.teleport_cidr
+    description = "Allow the Teleport DB Service"
+  }
+
   ingress {
     from_port   = 5432
     to_port     = 5432

aws/elrond/variables.tf

@@ -164,3 +164,8 @@ variable "iam_database_authentication_enabled" {
   description = "Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled."
   default     = false
 }
+
+variable "teleport_cidr" {
+  type        = string
+  description = "The Teleport CIDR block to allow access"
+}

aws/provisioner/README.md

@@ -68,6 +68,7 @@
 | <a name="input_provisioner_replica_min"></a> [provisioner\_replica\_min](#input\_provisioner\_replica\_min) | n/a | `number` | n/a | yes |
 | <a name="input_provisioner_service_name"></a> [provisioner\_service\_name](#input\_provisioner\_service\_name) | n/a | `string` | `"provisioner"` | no |
 | <a name="input_provisioner_users"></a> [provisioner\_users](#input\_provisioner\_users) | n/a | `list(string)` | n/a | yes |
+| <a name="input_teleport_cidr"></a> [teleport\_cidr](#input\_teleport\_cidr) | The Teleport CIDR block to allow access | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
 
 ## Outputs

aws/provisioner/provisioner-db.tf

@@ -19,6 +19,14 @@ resource "aws_security_group" "cec_to_postgress" {
     description = "CLOUD VPN"
   }
 
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.teleport_cidr
+    description = "Allow the Teleport DB Service"
+  }
+
   ingress {
     from_port   = 5432
     to_port     = 5432

aws/provisioner/variables.tf

@@ -169,3 +169,8 @@ variable "iam_database_authentication_enabled" {
   description = "Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled."
   default     = false
 }
+
+variable "teleport_cidr" {
+  type        = string
+  description = "The Teleport CIDR block to allow access"
+}

aws/subnet-and-networking-3az/README.md

@@ -96,6 +96,7 @@ No modules.
 | [aws_security_group_rule.master_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.master_ingress_teleport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.master_ingress_worker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.teleport_db_service_access_postgresql](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_ingress_master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_ingress_teleport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

aws/subnet-and-networking-3az/security_groups.tf

@@ -270,3 +270,15 @@ resource "aws_security_group_rule" "gitlab_access_postgresql" {
   to_port           = 5432
   type              = "ingress"
 }
+
+resource "aws_security_group_rule" "teleport_db_service_access_postgresql" {
+  for_each = toset(var.vpc_cidrs)
+
+  cidr_blocks       = var.teleport_cidr
+  description       = "Allow the Teleport DB Service"
+  from_port         = 5432
+  protocol          = "TCP"
+  security_group_id = aws_security_group.db_sg_postgresql[each.value]["id"]
+  to_port           = 5432
+  type              = "ingress"
+}

aws/subnet-and-networking-4az/README.md

@@ -110,6 +110,7 @@ No modules.
 | [aws_security_group_rule.master_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.master_ingress_teleport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.master_ingress_worker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.teleport_db_service_access_postgresql](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_ingress_master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_ingress_teleport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

aws/subnet-and-networking-4az/security_groups.tf

@@ -270,3 +270,15 @@ resource "aws_security_group_rule" "gitlab_access_postgresql" {
   to_port           = 5432
   type              = "ingress"
 }
+
+resource "aws_security_group_rule" "teleport_db_service_access_postgresql" {
+  for_each = toset(var.vpc_cidrs)
+
+  cidr_blocks       = var.teleport_cidr
+  description       = "Allow the Teleport DB Service"
+  from_port         = 5432
+  protocol          = "TCP"
+  security_group_id = aws_security_group.db_sg_postgresql[each.value]["id"]
+  to_port           = 5432
+  type              = "ingress"
+}

aws/subnet-and-networking/README.md

@@ -139,6 +139,7 @@ No modules.
 | [aws_security_group_rule.master_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.master_ingress_teleport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.master_ingress_worker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.teleport_db_service_access_postgresql](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_ingress_master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.worker_ingress_teleport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -183,7 +184,7 @@ No modules.
 | <a name="input_security_group_referencing_support"></a> [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Security Group Referencing allows to specify other SGs as references, or matching criterion in inbound security rules to allow instance-to-instance traffic | `string` | `"enable"` | no |
 | <a name="input_single_route_table_deployment"></a> [single\_route\_table\_deployment](#input\_single\_route\_table\_deployment) | This will defined whether a single route table for all subnets will be created. multi\_route\_table\_deployment and single\_route\_table\_deployment cannot be both set to true | `bool` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(string)` | n/a | yes |
-| <a name="input_teleport_cidr"></a> [teleport\_cidr](#input\_teleport\_cidr) | n/a | `list(string)` | n/a | yes |
+| <a name="input_teleport_cidr"></a> [teleport\_cidr](#input\_teleport\_cidr) | The Teleport DB CIDR block to allow access | `string` | n/a | yes |
 | <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | n/a | `string` | n/a | yes |
 | <a name="input_transit_gtw_route_destination"></a> [transit\_gtw\_route\_destination](#input\_transit\_gtw\_route\_destination) | n/a | `string` | n/a | yes |
 | <a name="input_transit_gtw_route_destination_gitlab"></a> [transit\_gtw\_route\_destination\_gitlab](#input\_transit\_gtw\_route\_destination\_gitlab) | n/a | `string` | n/a | yes |

aws/subnet-and-networking/security_groups.tf

@@ -283,3 +283,15 @@ resource "aws_security_group_rule" "gitlab_access_postgresql" {
   to_port           = 5432
   type              = "ingress"
 }
+
+resource "aws_security_group_rule" "teleport_db_service_access_postgresql" {
+  for_each = toset(var.vpc_cidrs)
+
+  cidr_blocks       = var.teleport_cidr
+  description       = "Allow the Teleport DB Service"
+  from_port         = 5432
+  protocol          = "TCP"
+  security_group_id = aws_security_group.db_sg_postgresql[each.value]["id"]
+  to_port           = 5432
+  type              = "ingress"
+}

aws/subnet-and-networking/variables.tf

@@ -67,3 +67,8 @@ variable "security_group_referencing_support" {
   type        = string
   default     = "enable"
 }
+
+variable "teleport_cidr" {
+  type        = string
+  description = "The Teleport DB CIDR block to allow access"
+}