From 62210d7fdc1d2d2fcfd77c08ef041938250d9aac Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Tue, 3 Sep 2024 10:22:52 -0400 Subject: [PATCH 1/2] Adding new S3 ranges to trusted local asg --- terraform/stack/asg.tf | 44 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/terraform/stack/asg.tf b/terraform/stack/asg.tf index a4cd111e..2e9ab40b 100644 --- a/terraform/stack/asg.tf +++ b/terraform/stack/asg.tf @@ -194,7 +194,28 @@ resource "cloudfoundry_asg" "trusted_local_networks" { destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_2 ports = "443" } - + + rule { + protocol = "tcp" + description = "Allow access to AWS S3 Gateway" + destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_3 + ports = "443" + } + + rule { + protocol = "tcp" + description = "Allow access to AWS S3 Gateway" + destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_4 + ports = "443" + } + + rule { + protocol = "tcp" + description = "Allow access to AWS S3 Gateway" + destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_5 + ports = "443" + } + } # New trusted networks asg to apply to spaces individually, not globally. 
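Review bot: The three added rule blocks read `s3_gateway_endpoint_cidr_3`, `_4` and `_5` from the iaas remote state, and nothing in this series adds those outputs, so unless the iaas stack already exports them `terraform plan` for this stack fails with an unsupported-attribute error before the ASG is touched; confirm the iaas change is applied first. The same applies to the trusted_local_networks_egress hunk that follows. PATCH 2/2 of this series then replaces all three blocks (and the two existing ones) with a `dynamic "rule"` driven by a single `s3_gateway_endpoint_cidrs` list, so after the series only the blank-line swap at the top of this hunk survives from this commit; squashing the two patches would avoid reviewing the intermediate copy. The `trusted_local_networks` resource starts above the hunk.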
@@ -281,6 +302,27 @@ resource "cloudfoundry_asg" "trusted_local_networks_egress" { destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_2 ports = "443" } + + rule { + protocol = "tcp" + description = "Allow access to AWS S3 Gateway" + destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_3 + ports = "443" + } + + rule { + protocol = "tcp" + description = "Allow access to AWS S3 Gateway" + destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_4 + ports = "443" + } + + rule { + protocol = "tcp" + description = "Allow access to AWS S3 Gateway" + destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_5 + ports = "443" + } } resource "cloudfoundry_asg" "brokers" { From c748597c831411df4e1ee9015499eca648592456 Mon Sep 17 00:00:00 2001 From: Christopher Weibel Date: Tue, 3 Sep 2024 11:21:06 -0400 Subject: [PATCH 2/2] Add looping for asg s3 gateway access --- terraform/stack/asg.tf | 65 ++++++------------------------------------ 1 file changed, 8 insertions(+), 57 deletions(-) diff --git a/terraform/stack/asg.tf b/terraform/stack/asg.tf index 2e9ab40b..e5c20a97 100644 --- a/terraform/stack/asg.tf +++ b/terraform/stack/asg.tf 
@@ -181,41 +181,16 @@ resource "cloudfoundry_asg" "trusted_local_networks" { ports = "443" } # S3 Gateway access - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_1 - ports = "443" - } - - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_2 - ports = "443" - } + dynamic "rule" { - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_3 - ports = "443" - } + for_each = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidrs + iterator = rule - rule { protocol = "tcp" description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_4 + destination = rule.value ports = "443" } - - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_5 - ports = "443" - } - } # New trusted networks asg to apply to spaces individually, not globally. 
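Review bot: The new `dynamic "rule"` block puts `protocol`, `description`, `destination` and `ports` directly under `dynamic`, but Terraform accepts only `for_each`, `iterator`, `labels` and a nested `content` block there, so `terraform validate` should reject this (unsupported argument plus a missing `content` block) and the S3 rules never reach the ASG; the four attribute lines need to be wrapped in a nested `content {` … `}` block inside `dynamic "rule"`. The same fix is needed in the trusted_local_networks_egress hunk below. `iterator = rule` can be dropped, since the default iterator name is already the block label, though keeping it is harmless. Nothing in the series shows the iaas stack exporting `s3_gateway_endpoint_cidrs`, so this presumably depends on a separate iaas change that must be applied first; because the ASG now mirrors whatever that list contains, adding or removing a CIDR there changes this ASG on the next apply without any edit here, which is worth a comment such as `# Rules track the S3 gateway CIDR list exported by the iaas stack; review its diff when that output changes.` The `trusted_local_networks` resource starts above the hunk.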
@@ -289,38 +264,14 @@ resource "cloudfoundry_asg" "trusted_local_networks_egress" { ports = "443" } # S3 Gateway access - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_1 - ports = "443" - } - - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_2 - ports = "443" - } - - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_3 - ports = "443" - } + dynamic "rule" { - rule { - protocol = "tcp" - description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_4 - ports = "443" - } + for_each = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidrs + iterator = rule - rule { protocol = "tcp" description = "Allow access to AWS S3 Gateway" - destination = data.terraform_remote_state.iaas.outputs.s3_gateway_endpoint_cidr_5 + destination = rule.value ports = "443" } }