Adds IP whitelisting to storage buckets

terraform/providers/dev/buckets.tf

@@ -1,3 +1,5 @@
+# Task order bucket is required to be accessible publicly by the users.
+# which is why the policy here is "Allow"
 module "task_order_bucket" {
   source       = "../../modules/bucket"
   service_name = "jeditasksatat"
@@ -5,10 +7,15 @@ module "task_order_bucket" {
   name         = var.name
   environment  = var.environment
   region       = var.region
-  policy       = "Deny"
+  policy       = "Allow"
   subnet_ids   = [module.vpc.subnets]
+  whitelist    = var.admin_user_whitelist
 }
 
+# TF State should be restricted to admins only, but IP protected
+# This has to be public due to a chicken/egg issue of VPN not 
+# existing until TF is run. If this bucket is private, you would
+# not be able to access it when running TF without being on a VPN.
 module "tf_state" {
   source       = "../../modules/bucket"
   service_name = "jedidevtfstate"
@@ -16,6 +23,7 @@ module "tf_state" {
   name         = var.name
   environment  = var.environment
   region       = var.region
-  policy       = "Allow"
+  policy       = "Deny"
   subnet_ids   = []
+  whitelist    = var.admin_user_whitelist
 }

terraform/providers/dev/variables.tf

@@ -87,3 +87,10 @@ variable "admin_users" {
     "Dan Corrigan" = "7e852ceb-eb0d-49b1-b71e-e9dcd1082ffc"
   }
 }
+
+variable "admin_user_whitelist" {
+  type = map
+  default = {
+    "Rob Gil" = "66.220.238.246"
+  }
+}