From cbe635ab4a878c7885a06b0ddeb9a4ecba4120cf Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Thu, 12 Oct 2023 11:28:51 +0100
Subject: [PATCH 1/3] CC-2131: Added pingdom probes to whitelist of WAF

---
 terraform/environments/ccms-ebs/ccms-waf.tf | 118 +++++++++++++++++++-
 1 file changed, 116 insertions(+), 2 deletions(-)

diff --git a/terraform/environments/ccms-ebs/ccms-waf.tf b/terraform/environments/ccms-ebs/ccms-waf.tf
index 4f1eb95e2f5..fb2f95dd6ac 100644
--- a/terraform/environments/ccms-ebs/ccms-waf.tf
+++ b/terraform/environments/ccms-ebs/ccms-waf.tf
@@ -42,8 +42,122 @@ resource "aws_wafv2_ip_set" "ebs_waf_ip_set" { "10.27.67.0/25", // PROD NLB Subnet eu-west-2a "10.27.68.0/25", // PROD NLB Subnet eu-west-2b "10.27.67.128/25", // PROD NLB Subnet eu-west-2c - "2.124.117.99/32", // Aurinelle (V1) Personal Access Temporarily - "86.148.198.53/32" // Richard (V1) Personal Access Temporarily + "5.172.196.188", // PINGDOM + "13.232.220.164", // PINGDOM + "23.22.2.46", // PINGDOM + "23.83.129.219", // PINGDOM + "23.92.127.2", // PINGDOM + "23.106.37.99", // PINGDOM + "23.111.152.74", // PINGDOM + "23.111.159.174", // PINGDOM + "37.252.231.50", // PINGDOM + "43.225.198.122", // PINGDOM + "43.229.84.12", // PINGDOM + "46.20.45.18", // PINGDOM + "46.246.122.10", // PINGDOM + "50.2.185.66", // PINGDOM + "50.16.153.186", // PINGDOM + "52.0.204.16", // PINGDOM + "52.24.42.103", // PINGDOM + "52.48.244.35", // PINGDOM + "52.52.34.158", // PINGDOM + "52.52.95.213", // PINGDOM + "52.52.118.192", // PINGDOM + "52.57.132.90", // PINGDOM + "52.59.46.112", // PINGDOM + "52.59.147.246", // PINGDOM + "52.62.12.49", // PINGDOM + "52.63.142.2", // PINGDOM + "52.63.164.147", // PINGDOM + "52.63.167.55", // PINGDOM + "52.67.148.55", // PINGDOM + "52.73.209.122", // PINGDOM + "52.89.43.70", // PINGDOM + "52.194.115.181", // PINGDOM + "52.197.31.124", // PINGDOM + "52.197.224.235", // PINGDOM + "52.198.25.184", // PINGDOM + "52.201.3.199", // PINGDOM + "52.209.34.226", // PINGDOM + "52.209.186.226", // PINGDOM + "52.210.232.124", // PINGDOM + "54.68.48.199", // PINGDOM + "54.70.202.58", // PINGDOM + "54.94.206.111", // PINGDOM + "64.237.49.203", // PINGDOM + "64.237.55.3", // PINGDOM + "66.165.229.130", // PINGDOM + "66.165.233.234", // PINGDOM + "72.46.130.18", // PINGDOM + "72.46.131.10", // PINGDOM + "76.72.167.154", // PINGDOM + "76.72.172.208", // PINGDOM + "76.164.234.106", // PINGDOM + "76.164.234.130", // PINGDOM + "82.103.136.16", // PINGDOM + "82.103.139.165", // PINGDOM + "82.103.145.126", // PINGDOM + "85.195.116.134", // 
PINGDOM + "89.163.146.247", // PINGDOM + "89.163.242.206", // PINGDOM + "94.75.211.73", // PINGDOM + "94.75.211.74", // PINGDOM + "94.247.174.83", // PINGDOM + "96.47.225.18", // PINGDOM + "103.10.197.10", // PINGDOM + "103.47.211.210", // PINGDOM + "104.129.24.154", // PINGDOM + "104.129.30.18", // PINGDOM + "107.182.234.77", // PINGDOM + "108.181.70.3", // PINGDOM + "148.72.170.233", // PINGDOM + "148.72.171.17", // PINGDOM + "151.106.52.134", // PINGDOM + "159.122.168.9", // PINGDOM + "162.208.48.94", // PINGDOM + "162.218.67.34", // PINGDOM + "162.253.128.178", // PINGDOM + "168.1.203.46", // PINGDOM + "169.51.2.18", // PINGDOM + "169.54.70.214", // PINGDOM + "169.56.174.151", // PINGDOM + "172.241.112.86", // PINGDOM + "173.248.147.18", // PINGDOM + "173.254.206.242", // PINGDOM + "174.34.156.130", // PINGDOM + "175.45.132.20", // PINGDOM + "178.162.206.244", // PINGDOM + "178.255.152.2", // PINGDOM + "178.255.153.2", // PINGDOM + "179.50.12.212", // PINGDOM + "184.75.208.210", // PINGDOM + "184.75.209.18", // PINGDOM + "184.75.210.90", // PINGDOM + "184.75.210.226", // PINGDOM + "184.75.214.66", // PINGDOM + "184.75.214.98", // PINGDOM + "185.39.146.214", // PINGDOM + "185.39.146.215", // PINGDOM + "185.70.76.23", // PINGDOM + "185.93.3.65", // PINGDOM + "185.136.156.82", // PINGDOM + "185.152.65.167", // PINGDOM + "185.180.12.65", // PINGDOM + "185.246.208.82", // PINGDOM + "188.172.252.34", // PINGDOM + "190.120.230.7", // PINGDOM + "196.240.207.18", // PINGDOM + "196.244.191.18", // PINGDOM + "196.245.151.42", // PINGDOM + "199.87.228.66", // PINGDOM + "200.58.101.248", // PINGDOM + "201.33.21.5", // PINGDOM + "207.244.80.239", // PINGDOM + "209.58.139.193", // PINGDOM + "209.58.139.194", // PINGDOM + "209.95.50.14", // PINGDOM + "212.78.83.12", // PINGDOM + "212.78.83.16" // PINGDOM ] tags = merge(local.tags, From 033972c94b05354cbb7854a374960af3fffe125b Mon Sep 17 00:00:00 2001 
From: SahidKhan89
Date: Thu, 12 Oct 2023 14:53:51 +0100
Subject: [PATCH 2/3] CC-2131: Added pingdom probes to whitelist of WAF

---
 terraform/environments/ccms-ebs/ccms-waf.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/terraform/environments/ccms-ebs/ccms-waf.tf b/terraform/environments/ccms-ebs/ccms-waf.tf
index fb2f95dd6ac..de0658c7938 100644
--- a/terraform/environments/ccms-ebs/ccms-waf.tf
+++ b/terraform/environments/ccms-ebs/ccms-waf.tf
@@ -64,7 +64,6 @@ resource "aws_wafv2_ip_set" "ebs_waf_ip_set" {
     "52.52.95.213", // PINGDOM
     "52.52.118.192", // PINGDOM
     "52.57.132.90", // PINGDOM
-    "52.59.46.112", // PINGDOM
     "52.59.147.246", // PINGDOM
     "52.62.12.49", // PINGDOM
     "52.63.142.2", // PINGDOM

From 83d33b0ed7079491f430804879ca3533ccfc3103 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Thu, 12 Oct 2023 14:59:02 +0100
Subject: [PATCH 3/3] CC-2131: Added pingdom probes to whitelist of WAF

---
 terraform/environments/ccms-ebs/ccms-waf.tf | 303 ++++++++++----------
 1 file changed, 152 insertions(+), 151 deletions(-)

diff --git a/terraform/environments/ccms-ebs/ccms-waf.tf b/terraform/environments/ccms-ebs/ccms-waf.tf
index de0658c7938..9905d536a11 100644
--- a/terraform/environments/ccms-ebs/ccms-waf.tf
+++ b/terraform/environments/ccms-ebs/ccms-waf.tf
@@ -7,156 +7,157 @@ resource "aws_wafv2_ip_set" "ebs_waf_ip_set" { description = "List of trusted IP Addresses allowing access via WAF" addresses = [ - "81.134.202.29/32", // MoJ Digital Wifi - "35.177.125.252/32", // MoJ VPN Gateway Proxies - "35.177.137.160/32", // MoJ VPN Gateway Proxies - "35.176.127.232/32", // Management DMZ Subnet A - London Non-Prod NAT Gateway - "35.177.145.193/32", // Management DMZ Subnet B - London Non-Prod NAT Gateway - "18.130.39.94/32", // Management DMC Subnet C - London Non-Prod NAT Gateway - "52.56.212.11/32", // Management DMZ Subnet A - London Prod NAT Gateway - "35.176.254.38/32", // Management DMZ Subnet B - London Prod NAT Gateway - "35.177.173.197/32", // Management DMC Subnet C - London Prod NAT Gateway - "195.59.75.0/24", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP - "194.33.192.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP - "194.33.193.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP - "194.33.196.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP - "194.33.197.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP - "51.149.250.0/24", // MoJO Production Account BYOIP CIDR range - "51.149.249.0/27", // ARK Corsham Internet Egress Exponential-E - "51.149.249.32/27", // ARK Corsham Internet Egress Exponential-E - "194.33.249.0/27", // ARK Corsham Internet Egress Vodafone - "194.33.248.0/27", // ARK Corsham Internet Egress Vodafone - "20.49.214.199/32", // Azure Landing Zone Egress - "20.49.214.228/32", // Azure Landing Zone Egress - "51.155.225.100/32", // Jide Personal Access Temporarily - "82.12.34.69/32", // Jide Personal Access Temporarily - "10.26.59.0/25", // DEV NLB Subnet eu-west-2a - "10.26.59.128/25", // DEV NLB Subnet eu-west-2b - 
"10.26.60.0/25", // DEV NLB Subnet eu-west-2c - "10.26.99.0/25", // TEST NLB Subnet eu-west-2a - "10.26.99.128/25", // TEST NLB Subnet eu-west-2b - "10.26.100.0/25", // TEST NLB Subnet eu-west-2c - "10.27.75.0/25", // PREPROD NLB Subnet eu-west-2a - "10.27.75.128/25", // PREPROD NLB Subnet eu-west-2b - "10.27.76.0/25", // PREPROD NLB Subnet eu-west-2c - "10.27.67.0/25", // PROD NLB Subnet eu-west-2a - "10.27.68.0/25", // PROD NLB Subnet eu-west-2b - "10.27.67.128/25", // PROD NLB Subnet eu-west-2c - "5.172.196.188", // PINGDOM - "13.232.220.164", // PINGDOM - "23.22.2.46", // PINGDOM - "23.83.129.219", // PINGDOM - "23.92.127.2", // PINGDOM - "23.106.37.99", // PINGDOM - "23.111.152.74", // PINGDOM - "23.111.159.174", // PINGDOM - "37.252.231.50", // PINGDOM - "43.225.198.122", // PINGDOM - "43.229.84.12", // PINGDOM - "46.20.45.18", // PINGDOM - "46.246.122.10", // PINGDOM - "50.2.185.66", // PINGDOM - "50.16.153.186", // PINGDOM - "52.0.204.16", // PINGDOM - "52.24.42.103", // PINGDOM - "52.48.244.35", // PINGDOM - "52.52.34.158", // PINGDOM - "52.52.95.213", // PINGDOM - "52.52.118.192", // PINGDOM - "52.57.132.90", // PINGDOM - "52.59.147.246", // PINGDOM - "52.62.12.49", // PINGDOM - "52.63.142.2", // PINGDOM - "52.63.164.147", // PINGDOM - "52.63.167.55", // PINGDOM - "52.67.148.55", // PINGDOM - "52.73.209.122", // PINGDOM - "52.89.43.70", // PINGDOM - "52.194.115.181", // PINGDOM - "52.197.31.124", // PINGDOM - "52.197.224.235", // PINGDOM - "52.198.25.184", // PINGDOM - "52.201.3.199", // PINGDOM - "52.209.34.226", // PINGDOM - "52.209.186.226", // PINGDOM - "52.210.232.124", // PINGDOM - "54.68.48.199", // PINGDOM - "54.70.202.58", // PINGDOM - "54.94.206.111", // PINGDOM - "64.237.49.203", // PINGDOM - "64.237.55.3", // PINGDOM - "66.165.229.130", // PINGDOM - "66.165.233.234", // PINGDOM - "72.46.130.18", // PINGDOM - "72.46.131.10", // PINGDOM - "76.72.167.154", // PINGDOM - "76.72.172.208", // PINGDOM - "76.164.234.106", // PINGDOM - "76.164.234.130", 
// PINGDOM - "82.103.136.16", // PINGDOM - "82.103.139.165", // PINGDOM - "82.103.145.126", // PINGDOM - "85.195.116.134", // PINGDOM - "89.163.146.247", // PINGDOM - "89.163.242.206", // PINGDOM - "94.75.211.73", // PINGDOM - "94.75.211.74", // PINGDOM - "94.247.174.83", // PINGDOM - "96.47.225.18", // PINGDOM - "103.10.197.10", // PINGDOM - "103.47.211.210", // PINGDOM - "104.129.24.154", // PINGDOM - "104.129.30.18", // PINGDOM - "107.182.234.77", // PINGDOM - "108.181.70.3", // PINGDOM - "148.72.170.233", // PINGDOM - "148.72.171.17", // PINGDOM - "151.106.52.134", // PINGDOM - "159.122.168.9", // PINGDOM - "162.208.48.94", // PINGDOM - "162.218.67.34", // PINGDOM - "162.253.128.178", // PINGDOM - "168.1.203.46", // PINGDOM - "169.51.2.18", // PINGDOM - "169.54.70.214", // PINGDOM - "169.56.174.151", // PINGDOM - "172.241.112.86", // PINGDOM - "173.248.147.18", // PINGDOM - "173.254.206.242", // PINGDOM - "174.34.156.130", // PINGDOM - "175.45.132.20", // PINGDOM - "178.162.206.244", // PINGDOM - "178.255.152.2", // PINGDOM - "178.255.153.2", // PINGDOM - "179.50.12.212", // PINGDOM - "184.75.208.210", // PINGDOM - "184.75.209.18", // PINGDOM - "184.75.210.90", // PINGDOM - "184.75.210.226", // PINGDOM - "184.75.214.66", // PINGDOM - "184.75.214.98", // PINGDOM - "185.39.146.214", // PINGDOM - "185.39.146.215", // PINGDOM - "185.70.76.23", // PINGDOM - "185.93.3.65", // PINGDOM - "185.136.156.82", // PINGDOM - "185.152.65.167", // PINGDOM - "185.180.12.65", // PINGDOM - "185.246.208.82", // PINGDOM - "188.172.252.34", // PINGDOM - "190.120.230.7", // PINGDOM - "196.240.207.18", // PINGDOM - "196.244.191.18", // PINGDOM - "196.245.151.42", // PINGDOM - "199.87.228.66", // PINGDOM - "200.58.101.248", // PINGDOM - "201.33.21.5", // PINGDOM - "207.244.80.239", // PINGDOM - "209.58.139.193", // PINGDOM - "209.58.139.194", // PINGDOM - "209.95.50.14", // PINGDOM - "212.78.83.12", // PINGDOM - "212.78.83.16" // PINGDOM + "81.134.202.29/32", // MoJ Digital Wifi + 
"35.177.125.252/32", // MoJ VPN Gateway Proxies + "35.177.137.160/32", // MoJ VPN Gateway Proxies + "35.176.127.232/32", // Management DMZ Subnet A - London Non-Prod NAT Gateway + "35.177.145.193/32", // Management DMZ Subnet B - London Non-Prod NAT Gateway + "18.130.39.94/32", // Management DMC Subnet C - London Non-Prod NAT Gateway + "52.56.212.11/32", // Management DMZ Subnet A - London Prod NAT Gateway + "35.176.254.38/32", // Management DMZ Subnet B - London Prod NAT Gateway + "35.177.173.197/32", // Management DMC Subnet C - London Prod NAT Gateway + "195.59.75.0/24", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP + "194.33.192.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP + "194.33.193.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP + "194.33.196.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP + "194.33.197.0/25", // ARK Data Center External Internet access addresses - NPS and HMCTS users transitioned under TTP + "51.149.250.0/24", // MoJO Production Account BYOIP CIDR range + "51.149.249.0/27", // ARK Corsham Internet Egress Exponential-E + "51.149.249.32/27", // ARK Corsham Internet Egress Exponential-E + "194.33.249.0/27", // ARK Corsham Internet Egress Vodafone + "194.33.248.0/27", // ARK Corsham Internet Egress Vodafone + "20.49.214.199/32", // Azure Landing Zone Egress + "20.49.214.228/32", // Azure Landing Zone Egress + "51.155.225.100/32", // Jide Personal Access Temporarily + "82.12.34.69/32", // Jide Personal Access Temporarily + "10.26.59.0/25", // DEV NLB Subnet eu-west-2a + "10.26.59.128/25", // DEV NLB Subnet eu-west-2b + "10.26.60.0/25", // DEV NLB Subnet eu-west-2c + "10.26.99.0/25", // TEST NLB Subnet eu-west-2a + "10.26.99.128/25", // TEST NLB Subnet eu-west-2b + "10.26.100.0/25", // TEST NLB Subnet eu-west-2c + 
"10.27.75.0/25", // PREPROD NLB Subnet eu-west-2a + "10.27.75.128/25", // PREPROD NLB Subnet eu-west-2b + "10.27.76.0/25", // PREPROD NLB Subnet eu-west-2c + "10.27.67.0/25", // PROD NLB Subnet eu-west-2a + "10.27.68.0/25", // PROD NLB Subnet eu-west-2b + "10.27.67.128/25", // PROD NLB Subnet eu-west-2c + "5.172.196.188/32", // PINGDOM + "13.232.220.164/32", // PINGDOM + "23.22.2.46/32", // PINGDOM + "23.83.129.219/32", // PINGDOM + "23.92.127.2/32", // PINGDOM + "23.106.37.99/32", // PINGDOM + "23.111.152.74/32", // PINGDOM + "23.111.159.174/32", // PINGDOM + "37.252.231.50/32", // PINGDOM + "43.225.198.122/32", // PINGDOM + "43.229.84.12/32", // PINGDOM + "46.20.45.18/32", // PINGDOM + "46.246.122.10/32", // PINGDOM + "50.2.185.66/32", // PINGDOM + "50.16.153.186/32", // PINGDOM + "52.0.204.16/32", // PINGDOM + "52.24.42.103/32", // PINGDOM + "52.48.244.35/32", // PINGDOM + "52.52.34.158/32", // PINGDOM + "52.52.95.213/32", // PINGDOM + "52.52.118.192/32", // PINGDOM + "52.57.132.90/32", // PINGDOM + "52.59.46.112/32", // PINGDOM + "52.59.147.246/32", // PINGDOM + "52.62.12.49/32", // PINGDOM + "52.63.142.2/32", // PINGDOM + "52.63.164.147/32", // PINGDOM + "52.63.167.55/32", // PINGDOM + "52.67.148.55/32", // PINGDOM + "52.73.209.122/32", // PINGDOM + "52.89.43.70/32", // PINGDOM + "52.194.115.181/32", // PINGDOM + "52.197.31.124/32", // PINGDOM + "52.197.224.235/32", // PINGDOM + "52.198.25.184/32", // PINGDOM + "52.201.3.199/32", // PINGDOM + "52.209.34.226/32", // PINGDOM + "52.209.186.226/32", // PINGDOM + "52.210.232.124/32", // PINGDOM + "54.68.48.199/32", // PINGDOM + "54.70.202.58/32", // PINGDOM + "54.94.206.111/32", // PINGDOM + "64.237.49.203/32", // PINGDOM + "64.237.55.3/32", // PINGDOM + "66.165.229.130/32", // PINGDOM + "66.165.233.234/32", // PINGDOM + "72.46.130.18/32", // PINGDOM + "72.46.131.10/32", // PINGDOM + "76.72.167.154/32", // PINGDOM + "76.72.172.208/32", // PINGDOM + "76.164.234.106/32", // PINGDOM + "76.164.234.130/32", // PINGDOM + 
"82.103.136.16/32", // PINGDOM + "82.103.139.165/32", // PINGDOM + "82.103.145.126/32", // PINGDOM + "85.195.116.134/32", // PINGDOM + "89.163.146.247/32", // PINGDOM + "89.163.242.206/32", // PINGDOM + "94.75.211.73/32", // PINGDOM + "94.75.211.74/32", // PINGDOM + "94.247.174.83/32", // PINGDOM + "96.47.225.18/32", // PINGDOM + "103.10.197.10/32", // PINGDOM + "103.47.211.210/32", // PINGDOM + "104.129.24.154/32", // PINGDOM + "104.129.30.18/32", // PINGDOM + "107.182.234.77/32", // PINGDOM + "108.181.70.3/32", // PINGDOM + "148.72.170.233/32", // PINGDOM + "148.72.171.17/32", // PINGDOM + "151.106.52.134/32", // PINGDOM + "159.122.168.9/32", // PINGDOM + "162.208.48.94/32", // PINGDOM + "162.218.67.34/32", // PINGDOM + "162.253.128.178/32", // PINGDOM + "168.1.203.46/32", // PINGDOM + "169.51.2.18/32", // PINGDOM + "169.54.70.214/32", // PINGDOM + "169.56.174.151/32", // PINGDOM + "172.241.112.86/32", // PINGDOM + "173.248.147.18/32", // PINGDOM + "173.254.206.242/32", // PINGDOM + "174.34.156.130/32", // PINGDOM + "175.45.132.20/32", // PINGDOM + "178.162.206.244/32", // PINGDOM + "178.255.152.2/32", // PINGDOM + "178.255.153.2/32", // PINGDOM + "179.50.12.212/32", // PINGDOM + "184.75.208.210/32", // PINGDOM + "184.75.209.18/32", // PINGDOM + "184.75.210.90/32", // PINGDOM + "184.75.210.226/32", // PINGDOM + "184.75.214.66/32", // PINGDOM + "184.75.214.98/32", // PINGDOM + "185.39.146.214/32", // PINGDOM + "185.39.146.215/32", // PINGDOM + "185.70.76.23/32", // PINGDOM + "185.93.3.65/32", // PINGDOM + "185.136.156.82/32", // PINGDOM + "185.152.65.167/32", // PINGDOM + "185.180.12.65/32", // PINGDOM + "185.246.208.82/32", // PINGDOM + "188.172.252.34/32", // PINGDOM + "190.120.230.7/32", // PINGDOM + "196.240.207.18/32", // PINGDOM + "196.244.191.18/32", // PINGDOM + "196.245.151.42/32", // PINGDOM + "199.87.228.66/32", // PINGDOM + "200.58.101.248/32", // PINGDOM + "201.33.21.5/32", // PINGDOM + "207.244.80.239/32", // PINGDOM + "209.58.139.193/32", // PINGDOM 
+    "209.58.139.194/32", // PINGDOM
+    "209.95.50.14/32", // PINGDOM
+    "212.78.83.12/32", // PINGDOM
+    "212.78.83.16/32" // PINGDOM
   ]
   tags = merge(local.tags,
@@ -217,4 +218,4 @@ resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
 resource "aws_wafv2_web_acl_logging_configuration" "ebs_waf_logging" {
   log_destination_configs = [aws_cloudwatch_log_group.ebs_waf_logs.arn]
   resource_arn = aws_wafv2_web_acl.ebs_web_acl.arn
-}
\ No newline at end of file
+}
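Review bot: Roughly 120 shared Pingdom probe addresses are being added to `ebs_waf_ip_set`, whose own description in this hunk reads "List of trusted IP Addresses allowing access via WAF", so the monitoring probes receive the same WAF allow decision as the MoJ networks, NAT gateways and NLB subnets listed above them; if the rule that references this set permits all paths (that rule and the rest of the resource lie outside the hunk), anything originating from those third-party addresses reaches the whole application rather than a health-check endpoint. A separate `aws_wafv2_ip_set` for the probes, referenced from a rule scoped to the monitored URI, would keep the trusted list meaningful. The series also removes `52.59.46.112` in patch 2 and re-adds it as `52.59.46.112/32` here, so confirm which membership was intended. Because a vendor probe list rotates, record its origin and snapshot date on the first entry, e.g. `// PINGDOM probe servers, vendor list snapshot <date> — review on vendor change`, and note that the two "Jide Personal Access Temporarily" entries carried over still have no recorded expiry.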