add cte agents to cm sg (#488)

Author: sivan-hajbi-imperva

examples/aws/poc/dsf_deployment/cm.tf

@@ -23,6 +23,7 @@ module "ciphertrust_manager" {
   allowed_web_console_and_api_cidrs = var.web_console_cidr
   allowed_ssh_cidrs                 = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
   allowed_cluster_nodes_cidrs       = [data.aws_subnet.ciphertrust_manager.cidr_block]
+  allowed_cte_agents_cidrs          = [data.aws_subnet.cte_ddc_agent.cidr_block]
   allowed_ddc_agents_cidrs          = [data.aws_subnet.cte_ddc_agent.cidr_block]
   allowed_all_cidrs                 = local.workstation_cidr
   tags                              = local.tags

modules/aws/ciphertrust-manager/sg.tf

@@ -24,6 +24,13 @@ locals {
       tcp             = [5432]
       cidrs           = concat(var.allowed_cluster_nodes_cidrs, var.allowed_all_cidrs)
     },
+    {
+      name            = ["cte", "agents"]
+      internet_access = false
+      udp             = []
+      tcp             = [443]
+      cidrs           = concat(var.allowed_cte_agents_cidrs, var.allowed_all_cidrs)
+    },
     {
       name            = ["ddc", "agents"]
       internet_access = false

modules/aws/ciphertrust-manager/variables.tf

@@ -67,6 +67,16 @@ variable "allowed_cluster_nodes_cidrs" {
   default = []
 }
 
+variable "allowed_cte_agents_cidrs" {
+  type        = list(string)
+  description = "List of ingress CIDR patterns allowing CTE agents to access the CipherTrust Manager instance"
+  validation {
+    condition     = alltrue([for item in var.allowed_cte_agents_cidrs : can(cidrnetmask(item))])
+    error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]"
+  }
+  default = []
+}
+
 variable "allowed_ddc_agents_cidrs" {
   type        = list(string)
   description = "List of ingress CIDR patterns allowing DDC agents to access the CipherTrust Manager instance"