feat: Added support for unauthenticated access (eg, Github webhook) (#123)

antonbabenko · web-flow · commit 057f9452ef29 · 2020-05-13T16:36:54.000+02:00
diff --git a/README.md b/README.md
@@ -119,6 +119,13 @@ alb_authenticate_oidc = {
 
 Read more in [this post](https://medium.com/@sandrinodm/securing-your-applications-with-aws-alb-built-in-authentication-and-auth0-310ad84c8595).
 
+If you are using GitHub, you may allow it to trigger webhooks without authentication on ALB:
+
+```
+allow_unauthenticated_access = true
+allow_github_webhooks        = true
+```
+
 ## Notes
 
 1. AWS Route53 zone is not created by this module, so zone specified as a value in `route53_zone_name` should be created before using this module. Check documentation for [aws_route53_zone](https://www.terraform.io/docs/providers/aws/r/route53_zone.html).
@@ -154,7 +161,10 @@ No requirements.
 | alb\_log\_bucket\_name | S3 bucket (externally created) for storing load balancer access logs. Required if alb\_logging\_enabled is true. | `string` | `""` | no |
 | alb\_log\_location\_prefix | S3 prefix within the log\_bucket\_name under which logs are stored. | `string` | `""` | no |
 | alb\_logging\_enabled | Controls if the ALB will log requests to S3. | `bool` | `false` | no |
+| allow\_github\_webhooks | Whether to allow access for GitHub webhooks | `bool` | `false` | no |
 | allow\_repo\_config | When true allows the use of atlantis.yaml config files within the source repos. | `string` | `"false"` | no |
+| allow\_unauthenticated\_access | Whether to create ALB listener rule to allow unauthenticated access for certain CIDR blocks (eg. allow GitHub webhooks to bypass OIDC authentication) | `bool` | `false` | no |
+| allow\_unauthenticated\_access\_priority | ALB listener rule priority for allow unauthenticated access rule | `number` | `10` | no |
 | atlantis\_allowed\_repo\_names | Git repositories where webhook should be created | `list(string)` | `[]` | no |
 | atlantis\_bitbucket\_base\_url | Base URL of Bitbucket Server, use for Bitbucket on prem (Stash) | `string` | `""` | no |
 | atlantis\_bitbucket\_user | Bitbucket username that is running the Atlantis command | `string` | `""` | no |
@@ -189,6 +199,7 @@ No requirements.
 | ecs\_service\_desired\_count | The number of instances of the task definition to place and keep running | `number` | `1` | no |
 | ecs\_task\_cpu | The number of cpu units used by the task | `number` | `256` | no |
 | ecs\_task\_memory | The amount (in MiB) of memory used by the task | `number` | `512` | no |
+| github\_webhooks\_cidr\_blocks | List of CIDR blocks used by GitHub webhooks | `list(string)` | <pre>[<br>  "140.82.112.0/20",<br>  "185.199.108.0/22",<br>  "192.30.252.0/22"<br>]</pre> | no |
 | internal | Whether the load balancer is internal or external | `bool` | `false` | no |
 | name | Name to use on all resources created (VPC, ALB, etc) | `string` | `"atlantis"` | no |
 | policies\_arn | A list of the ARN of the policies you want to apply | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"<br>]</pre> | no |
@@ -203,6 +214,7 @@ No requirements.
 | tags | A map of tags to use on all resources | `map(string)` | `{}` | no |
 | vpc\_id | ID of an existing VPC where resources will be created | `string` | `""` | no |
 | webhook\_ssm\_parameter\_name | Name of SSM parameter to keep webhook secret | `string` | `"/atlantis/webhook/secret"` | no |
+| whitelist\_unauthenticated\_cidr\_blocks | List of allowed CIDR blocks to bypass authentication | `list(string)` | `[]` | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -230,6 +230,25 @@ module "alb" {
   tags = local.tags
 }
 
+# Forward action for certain CIDR blocks to bypass authentication (eg. GitHub webhooks)
+resource "aws_lb_listener_rule" "unauthenticated_access_for_cidr_blocks" {
+  count = var.allow_unauthenticated_access ? 1 : 0
+
+  listener_arn = module.alb.https_listener_arns[0]
+  priority     = var.allow_unauthenticated_access_priority
+
+  action {
+    type             = "forward"
+    target_group_arn = module.alb.target_group_arns[0]
+  }
+
+  condition {
+    source_ip {
+      values = sort(compact(concat(var.allow_github_webhooks ? var.github_webhooks_cidr_blocks : [], var.whitelist_unauthenticated_cidr_blocks)))
+    }
+  }
+}
+
 ###################
 # Security groups
 ###################
diff --git a/variables.tf b/variables.tf
@@ -96,6 +96,36 @@ variable "alb_authenticate_oidc" {
   default     = {}
 }
 
+variable "allow_unauthenticated_access" {
+  description = "Whether to create ALB listener rule to allow unauthenticated access for certain CIDR blocks (eg. allow GitHub webhooks to bypass OIDC authentication)"
+  type        = bool
+  default     = false
+}
+
+variable "allow_unauthenticated_access_priority" {
+  description = "ALB listener rule priority for allow unauthenticated access rule"
+  type        = number
+  default     = 10
+}
+
+variable "allow_github_webhooks" {
+  description = "Whether to allow access for GitHub webhooks"
+  type        = bool
+  default     = false
+}
+
+variable "github_webhooks_cidr_blocks" {
+  description = "List of CIDR blocks used by GitHub webhooks" # This is hardcoded to avoid dependency on github provider. Source: https://api.github.com/meta
+  type        = list(string)
+  default     = ["140.82.112.0/20", "185.199.108.0/22", "192.30.252.0/22"]
+}
+
+variable "whitelist_unauthenticated_cidr_blocks" {
+  description = "List of allowed CIDR blocks to bypass authentication"
+  type        = list(string)
+  default     = []
+}
+
 # ACM
 variable "certificate_arn" {
   description = "ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS"
