7 changes: 4 additions & 3 deletions .github/workflows/automatic.yml
Expand Up @@ -18,7 +18,7 @@ jobs:

policy-checks:
runs-on: ubuntu-latest
if: github.event.action != 'closed'
if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
needs: execute
permissions:
contents: read
Expand Down Expand Up @@ -51,6 +51,7 @@ jobs:

execute:
runs-on: ubuntu-latest
if: github.event.pull_request.base.ref == 'main'
outputs:
run-url: ${{ steps.submit-plan.outputs.run-url }}
permissions:
Expand Down Expand Up @@ -139,7 +140,7 @@ jobs:

cost-analysis:
runs-on: ubuntu-latest
if: github.event.action != 'closed'
if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
permissions:
contents: read
id-token: write
Expand Down Expand Up @@ -168,7 +169,7 @@ jobs:

auto-approval:
runs-on: ubuntu-latest
if: github.event.action != 'closed'
if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
needs: execute
permissions:
pull-requests: write
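Review bot: The same `github.event.pull_request.base.ref == 'main'` clause is now repeated on `policy-checks`, `execute`, `cost-analysis` and `auto-approval`, yet `policy-checks` and `auto-approval` declare `needs: execute`, so once `execute` is skipped by its own new `if:` they are skipped anyway and their copy of the clause is redundant (`cost-analysis` shows no `needs:` in its hunk, so it may genuinely need the guard). If the `on:` block, which is outside this diff, only lists `pull_request`-type events, a `branches: [main]` filter there would state the restriction once for every job; on any other trigger the `pull_request` payload is absent, the comparison is false and every job is silently skipped with no log line saying why. A short comment on `execute` would spare the next reader that search, e.g. `# Plan/apply only for PRs whose base is main; PRs into other branches are intentionally skipped`. Each job's body continues outside its hunk.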
16 changes: 15 additions & 1 deletion .github/workflows/signals-demo.yml
Expand Up @@ -11,6 +11,16 @@ on:
type: boolean
required: false
default: false
target_branch:
description: Target branch for pull request (only used when include_needle is true)
type: choice
required: false
default: main
options:
- main
- demo/env0
- demo/spacelift
- demo/tfc

concurrency:
group: signals-demo
Expand Down Expand Up @@ -261,6 +271,10 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
run: |
# Use target_branch input if provided, otherwise default to main
TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"
echo "Creating PR targeting branch: $TARGET_BRANCH"

BODY="$(printf '%s\n' \
'## Summary' \
'- Narrow internal ingress CIDR used for service/monitoring access.' \
Expand All @@ -276,7 +290,7 @@ jobs:
)"

gh pr create \
--base main \
--base "$TARGET_BRANCH" \
--head "$BRANCH" \
--title "security: narrow internal ingress CIDR (JIRA-4521)" \
--body "$BODY"
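Review bot: `TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"` expands the expression directly into the shell text of the `run:` block; because `target_branch` is a `type: choice` input limited to the four listed options the value is bounded today, but the convention that keeps this step safe if the input is ever relaxed to a free string is to route it through the step's existing `env:` block, `TARGET_BRANCH: ${{ github.event.inputs.target_branch || 'main' }}`, and delete the assignment line from the script. The `|| 'main'` fallback only matters if this step also runs on a trigger that carries no inputs, which the hunk does not show; for a `workflow_dispatch`-only workflow `default: main` already covers it. Since `automatic.yml` in this same PR now runs its jobs only for PRs whose base is `main`, a demo PR created against one of the `demo/*` options will not receive policy checks or auto-approval from that workflow; if that is intended, a sentence in the input's `description` would document it. The step containing this `run:` script begins before the hunk.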
12 changes: 11 additions & 1 deletion main.tf
Expand Up @@ -67,6 +67,16 @@ module "shared_security_group" {
# Customer API access configuration
locals {
api_customer_cidrs = {
newco_9 = {
cidr = "203.0.113.109/32"
name = "NewCo 9"
}

newco_8 = {
cidr = "203.0.113.108/32"
name = "NewCo 8"
}

newco_7 = {
cidr = "203.0.113.107/32"
name = "NewCo 7"
Expand Down Expand Up @@ -124,7 +134,7 @@ locals {
}
}

api_internal_cidr = "10.0.0.0/8"
api_internal_cidr = "10.0.0.0/16" # SECURITY HARDENING: Narrowed to VPC CIDR per audit findings
api_domain = "signals-demo-test.demo"
api_alert_email = "[email protected]"
}
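Review bot: The new `api_internal_cidr = "10.0.0.0/16"` carries a trailing comment asserting it is the VPC CIDR, but the value is a literal, so nothing ties it to the VPC definition and the two can drift apart without any plan-time error; if the VPC is declared in this configuration, referencing its CIDR attribute instead (`api_internal_cidr = <VPC_RESOURCE_OR_MODULE>.cidr_block`, identifier and attribute name to be confirmed against the provider in use) keeps the claim true by construction. Whether `10.0.0.0/16` actually equals the VPC CIDR cannot be verified from this diff, and the comment cites "audit findings" without a reference; placing it above the line, `# Internal API ingress limited to the VPC CIDR; see <AUDIT_TICKET_ID> for the finding`, records the source and avoids a long trailing comment that `terraform fmt` alignment handles poorly. The added `newco_9`/`newco_8` entries use `203.0.113.0/24` addresses, the RFC 5737 documentation range, which is appropriate for demo data but would never match a real customer source. The `locals` block opened in the first hunk runs past it and closes in the second.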