fixes for whitelisting

chrispsheehan · Feb 26, 2024 · 2f34489 · 2f34489
1 parent 50fe525
commit 2f34489
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 10 deletions.
diff --git a/tf/data.tf b/tf/data.tf
@@ -13,17 +13,18 @@ data "aws_iam_policy_document" "assume_role" {
 
 data "aws_iam_policy_document" "whitelist_ips" {
   statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-
     effect    = "Allow"
     actions   = ["execute-api:Invoke"]
-    resources = [aws_api_gateway_rest_api.this.execution_arn]
+    resources = ["${aws_api_gateway_rest_api.this.execution_arn}/*/*/*"]
+  }
+
+  statement {
+    effect    = "Deny"
+    actions   = ["execute-api:Invoke"]
+    resources = ["${aws_api_gateway_rest_api.this.execution_arn}/*/*/*"]
 
     condition {
-      test     = "IpAddress"
+      test     = "NotIpAddress"
       variable = "aws:SourceIp"
       values   = var.whitelist_ips
     }

diff --git a/tf/main.tf b/tf/main.tf
@@ -96,8 +96,6 @@ resource "aws_api_gateway_method_settings" "this" {
 }
 
 resource "aws_api_gateway_rest_api_policy" "whitelist" {
-  count = length(var.whitelist_ips) > 0 ? 1 : 0
-
   rest_api_id = aws_api_gateway_rest_api.this.id
   policy      = data.aws_iam_policy_document.whitelist_ips.json
 }
diff --git a/tf/variables.tf b/tf/variables.tf
@@ -22,6 +22,5 @@ variable "lambda-zip-path" {
 }
 
 variable "whitelist_ips" {
-  //default = []
   default = ["0.0.0.0/0"]
 }