Allow VPN Access into Dogfood (#6805)

.github/workflows/dogfood-deploy.yml

@@ -22,6 +22,7 @@ env:
   TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
   TF_VAR_cloudwatch_log_retention: 30
   TF_VAR_rds_backup_retention_period: 30
+  TF_VAR_extra_security_group_cidrs: '["10.255.1.0/24", "10.255.2.0/24", "10.255.3.0/24"]'
 
 permissions:
   id-token: write

infrastructure/dogfood/terraform/aws/rds.tf

@@ -32,7 +32,7 @@ resource "aws_secretsmanager_secret_version" "database_password_secret_version"
 //  vpc_id                = module.vpc.vpc_id
 //  subnets               = module.vpc.database_subnets
 //  create_security_group = true
-//  allowed_cidr_blocks   = module.vpc.private_subnets_cidr_blocks
+//  allowed_cidr_blocks   = concat(module.vpc.private_subnets_cidr_blocks, var.extra_security_group_cidrs)
 //
 //  replica_scale_enabled = false
 //  replica_count         = 0
@@ -84,7 +84,7 @@ module "aurora_mysql" {
   vpc_id                = module.vpc.vpc_id
   subnets               = module.vpc.database_subnets
   create_security_group = true
-  allowed_cidr_blocks   = module.vpc.private_subnets_cidr_blocks
+  allowed_cidr_blocks   = concat(module.vpc.private_subnets_cidr_blocks, var.extra_security_group_cidrs)
 
   replica_count         = 1
   replica_scale_enabled = true

infrastructure/dogfood/terraform/aws/redis.tf

@@ -46,7 +46,7 @@ resource "aws_security_group_rule" "ingress" {
   from_port         = "6379"
   to_port           = "6379"
   protocol          = "tcp"
-  cidr_blocks       = module.vpc.private_subnets_cidr_blocks
+  cidr_blocks       = concat(module.vpc.private_subnets_cidr_blocks, var.extra_security_group_cidrs)
   security_group_id = aws_security_group.redis.id
 }
 

infrastructure/dogfood/terraform/aws/variables.tf

@@ -115,3 +115,13 @@ variable "rds_backup_retention_period" {
   description = "number of days to keep snapshot backups"
   default     = 7
 }
+
+variable "extra_security_group_cidrs" {
+  description = "extra list of CIDRs to allow extra networks (such as a VPN) access to Redis/MySQL"
+  default     = []
+  type        = list(string)
+  validation {
+    condition     = alltrue([for cidr in var.extra_security_group_cidrs: can(cidrhost(cidr, 32))])
+    error_message = "The extra security groups must be a list of valid CIDRs."
+  }
+}