From c432274ec8162b882337960280b73a4723e8771d Mon Sep 17 00:00:00 2001
From: cdklabs-automation <90142015+cdklabs-automation@users.noreply.github.com>
Date: Thu, 12 Oct 2023 07:02:52 -0700
Subject: [PATCH] chore: upgrade network ACL allow-lists (#1331)

Updated the network ACL allow-lists from authoritative sources.
---------
Signed-off-by: github-actions
Co-authored-by: github-actions
---
 resources/vpc-allow-lists/github.api-IPv4.txt | 2 +-
 resources/vpc-allow-lists/github.git-IPv4.txt | 4 +-
 resources/vpc-allow-lists/github.web-IPv4.txt | 2 +-
 .../_limited-internet-access.test.ts.snap | 38 ++---
 .../__snapshots__/construct-hub.test.ts.snap | 152 +++++++++---------
 5 files changed, 99 insertions(+), 99 deletions(-)

diff --git a/resources/vpc-allow-lists/github.api-IPv4.txt b/resources/vpc-allow-lists/github.api-IPv4.txt
index bb46cf4c5..e3f6f5228 100644
--- a/resources/vpc-allow-lists/github.api-IPv4.txt
+++ b/resources/vpc-allow-lists/github.api-IPv4.txt
@@ -4,7 +4,7 @@
 143.55.64.0/20
 20.201.28.148/32
 20.205.243.168/32
-20.87.225.211/32
+20.87.245.6/32
 20.248.137.49/32
 20.207.73.85/32
 20.27.177.116/32
diff --git a/resources/vpc-allow-lists/github.git-IPv4.txt b/resources/vpc-allow-lists/github.git-IPv4.txt
index d0dfdc576..85f0f0e6a 100644
--- a/resources/vpc-allow-lists/github.git-IPv4.txt
+++ b/resources/vpc-allow-lists/github.git-IPv4.txt
@@ -4,7 +4,7 @@
 143.55.64.0/20
 20.201.28.151/32
 20.205.243.166/32
-20.87.225.212/32
+20.87.245.0/32
 20.248.137.48/32
 20.207.73.82/32
 20.27.177.113/32
@@ -14,7 +14,7 @@
 20.29.134.23/32
 20.201.28.152/32
 20.205.243.160/32
-20.87.225.214/32
+20.87.245.4/32
 20.248.137.50/32
 20.207.73.83/32
 20.27.177.118/32
diff --git a/resources/vpc-allow-lists/github.web-IPv4.txt b/resources/vpc-allow-lists/github.web-IPv4.txt
index fdd1c1f5c..94f64627d 100644
--- a/resources/vpc-allow-lists/github.web-IPv4.txt
+++ b/resources/vpc-allow-lists/github.web-IPv4.txt
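Review bot: The allow-list hunks (github.api-IPv4.txt at line 7, both github.git-IPv4.txt hunks, and the github.web-IPv4.txt hunk that follows) change an egress control, yet nothing visible in the commit lets a reviewer check the new addresses: the message says only "authoritative sources", with no source or retrieval time. I would have the automation add a body line such as `Source: <allow-list source URL>, retrieved <UTC timestamp>` so each swap (for example `20.87.225.211/32` to `20.87.245.6/32`) can be compared against what was published at that moment. The retired `20.87.225.x` entries are also dropped in the same change that adds the `20.87.245.x` ones, so if the published list runs ahead of the actual address rollover, egress to the old hosts would presumably fail closed. Whether that is acceptable should be stated, or the old entries kept for one update cycle. Lines 1-3 of each file are outside these hunks, so a provenance header may already exist there.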
@@ -4,7 +4,7 @@
 143.55.64.0/20
 20.201.28.151/32
 20.205.243.166/32
-20.87.225.212/32
+20.87.245.0/32
 20.248.137.48/32
 20.207.73.82/32
 20.27.177.113/32
diff --git a/src/__tests__/__snapshots__/_limited-internet-access.test.ts.snap b/src/__tests__/__snapshots__/_limited-internet-access.test.ts.snap
index d4c6c9f4f..6d0757ccd 100644
--- a/src/__tests__/__snapshots__/_limited-internet-access.test.ts.snap
+++ b/src/__tests__/__snapshots__/_limited-internet-access.test.ts.snap
@@ -926,7 +926,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "githubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33": { + "githubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd": { "Properties": { "AddressFamily": "IPv4", "Entries": [ @@ -970,7 +970,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` "Cidr": "20.29.134.17/32", }, { - "Cidr": "20.87.225.211/32", + "Cidr": "20.87.245.6/32", }, ], "MaxEntries": 14, @@ -978,7 +978,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::PrefixList", }, - "githubapiIPv426236bf7f4af9960e4101988140b9b9839c54f3304B361CC": { + "githubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd251C927A": { "Properties": { "GroupDescription": "TestStack/github.api-IPv4", "Tags": [
@@ -993,19 +993,19 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::SecurityGroup", }, - "githubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33toTestStackgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f334435AB20CDC": { + "githubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fdtoTestStackgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd443F0E2ED4C": { "Properties": { "Description": "to github.api (IPv4)", "DestinationPrefixListId": { "Fn::GetAtt": [ - "githubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33", + "githubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd", "PrefixListId", ], }, "FromPort": 443, "GroupId": { "Fn::GetAtt": [ - "githubapiIPv426236bf7f4af9960e4101988140b9b9839c54f3304B361CC", + "githubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd251C927A", "GroupId", ], }, @@ -1014,7 +1014,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "githubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f2322": { + "githubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6": { "Properties": { "AddressFamily": "IPv4", "Entries": [ @@ -1085,10 +1085,10 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` "Cidr": "20.29.134.23/32", }, { - "Cidr": "20.87.225.212/32", + "Cidr": "20.87.245.0/32", }, { - "Cidr": "20.87.225.214/32", + "Cidr": "20.87.245.4/32", }, ], "MaxEntries": 24, @@ -1096,7 +1096,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::PrefixList", }, - "githubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23229E1404BC": { + "githubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6E6D9AA46": { "Properties": { "GroupDescription": "TestStack/github.git-IPv4", "Tags": [ 
@@ -1111,19 +1111,19 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::SecurityGroup", }, - "githubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f2322toTestStackgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f232244389685F29": { + "githubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6toTestStackgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd64435BB6F08D": { "Properties": { "Description": "to github.git (IPv4)", "DestinationPrefixListId": { "Fn::GetAtt": [ - "githubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f2322", + "githubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6", "PrefixListId", ], }, "FromPort": 443, "GroupId": { "Fn::GetAtt": [ - "githubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23229E1404BC", + "githubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6E6D9AA46", "GroupId", ], }, @@ -1132,7 +1132,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "githubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb": { + "githubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0": { "Properties": { "AddressFamily": "IPv4", "Entries": [ @@ -1176,7 +1176,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` "Cidr": "20.29.134.23/32", }, { - "Cidr": "20.87.225.212/32", + "Cidr": "20.87.245.0/32", }, ], "MaxEntries": 14, @@ -1184,7 +1184,7 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::PrefixList", }, - "githubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb0813810B": { + "githubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0DA6125DB": { "Properties": { "GroupDescription": "TestStack/github.web-IPv4", "Tags": [ 
@@ -1199,19 +1199,19 @@ exports[`createRestrictedSecurityGroups creates the correct resources 1`] = ` }, "Type": "AWS::EC2::SecurityGroup", }, - "githubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83ebtoTestStackgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb44314573257": { + "githubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0toTestStackgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0443F40AADC9": { "Properties": { "Description": "to github.web (IPv4)", "DestinationPrefixListId": { "Fn::GetAtt": [ - "githubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb", + "githubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0", "PrefixListId", ], }, "FromPort": 443, "GroupId": { "Fn::GetAtt": [ - "githubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb0813810B", + "githubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0DA6125DB", "GroupId", ], }, diff --git a/src/__tests__/__snapshots__/construct-hub.test.ts.snap b/src/__tests__/__snapshots__/construct-hub.test.ts.snap index aeb85fa58..241465c5d 100644 --- a/src/__tests__/__snapshots__/construct-hub.test.ts.snap +++ b/src/__tests__/__snapshots__/construct-hub.test.ts.snap @@ -56362,21 +56362,21 @@ Direct link to function: /lambda/home#/functions/", "","", { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243", "GroupId", ], }, "","", { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6", "GroupId", ], }, "","", { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B", "GroupId", ], }, 
@@ -62163,19 +62163,19 @@ Direct link to Lambda function: /lambda/home#/functions/", }, { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B", "GroupId", ], }, @@ -62244,19 +62244,19 @@ Direct link to Lambda function: /lambda/home#/functions/", }, { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B", "GroupId", ], }, 
@@ -62348,19 +62348,19 @@ Direct link to Lambda function: /lambda/home#/functions/", }, { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B", "GroupId", ], }, @@ -64865,19 +64865,19 @@ Direct link to Lambda function: /lambda/home#/functions/", }, { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6", "GroupId", ], }, { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B", "GroupId", ], }, @@ -65885,7 +65885,7 @@ function handler(event) { }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF": { + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243": { "Properties": { "GroupDescription": "Test/ConstructHub/github.api-IPv4", "SecurityGroupIngress": [ @@ -65928,7 +65928,7 @@ function handler(event) { }, "Type": "AWS::EC2::SecurityGroup", }, - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33F84B1A15": { + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd464A5B47": { "Properties": { "AddressFamily": "IPv4", "Entries": [ 
@@ -65972,7 +65972,7 @@ function handler(event) { "Cidr": "20.29.134.17/32", }, { - "Cidr": "20.87.225.211/32", + "Cidr": "20.87.245.6/32", }, ], "MaxEntries": 14, @@ -65980,19 +65980,19 @@ function handler(event) { }, "Type": "AWS::EC2::PrefixList", }, - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33toTestConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33443AF31FD5A": { + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fdtoTestConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd4434DE2B8A6": { "Properties": { "Description": "to github.api (IPv4)", "DestinationPrefixListId": { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33F84B1A15", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd464A5B47", "PrefixListId", ], }, "FromPort": 443, "GroupId": { "Fn::GetAtt": [ - "ConstructHubgithubapiIPv426236bf7f4af9960e4101988140b9b9839c54f33D56BD8BF", + "ConstructHubgithubapiIPv46c1bc55679e33609c63273c203472ce2a9bf66fd14F88243", "GroupId", ], }, @@ -66001,7 +66001,7 @@ function handler(event) { }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f232239AB3FB5": { + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6A453FDD5": { "Properties": { "AddressFamily": "IPv4", "Entries": [ @@ -66072,10 +66072,10 @@ function handler(event) { "Cidr": "20.29.134.23/32", }, { - "Cidr": "20.87.225.212/32", + "Cidr": "20.87.245.0/32", }, { - "Cidr": "20.87.225.214/32", + "Cidr": "20.87.245.4/32", }, ], "MaxEntries": 24, @@ -66083,7 +66083,7 @@ function handler(event) { }, "Type": "AWS::EC2::PrefixList", }, - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589": { + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6": { "Properties": { "GroupDescription": "Test/ConstructHub/github.git-IPv4", "SecurityGroupIngress": [ 
@@ -66126,19 +66126,19 @@ function handler(event) { }, "Type": "AWS::EC2::SecurityGroup", }, - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f2322toTestConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f2322443DEF80F2E": { + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6toTestConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6443D0428ACA": { "Properties": { "Description": "to github.git (IPv4)", "DestinationPrefixListId": { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f232239AB3FB5", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6A453FDD5", "PrefixListId", ], }, "FromPort": 443, "GroupId": { "Fn::GetAtt": [ - "ConstructHubgithubgitIPv4a9f487f558ec4195bf0d55d246457af82a4f23224C282589", + "ConstructHubgithubgitIPv43af8a6cce8a22001e49990bcb8d029996e58bdd6FDEDA1A6", "GroupId", ], }, @@ -66147,7 +66147,50 @@ function handler(event) { }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb1AC116BE": { + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B": { + "Properties": { + "GroupDescription": "Test/ConstructHub/github.web-IPv4", + "SecurityGroupIngress": [ + { + "CidrIp": { + "Fn::GetAtt": [ + "ConstructHubVPC16ECCEA2", + "CidrBlock", + ], + }, + "Description": { + "Fn::Join": [ + "", + [ + "from ", + { + "Fn::GetAtt": [ + "ConstructHubVPC16ECCEA2", + "CidrBlock", + ], + }, + ":443", + ], + ], + }, + "FromPort": 443, + "IpProtocol": "tcp", + "ToPort": 443, + }, + ], + "Tags": [ + { + "Key": "Name", + "Value": "github.web.IPv4", + }, + ], + "VpcId": { + "Ref": "ConstructHubVPC16ECCEA2", + }, + }, + "Type": "AWS::EC2::SecurityGroup", + }, + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0CC113DD1": { "Properties": { "AddressFamily": "IPv4", "Entries": [ 
@@ -66191,7 +66234,7 @@ function handler(event) { "Cidr": "20.29.134.23/32", }, { - "Cidr": "20.87.225.212/32", + "Cidr": "20.87.245.0/32", }, ], "MaxEntries": 14, @@ -66199,62 +66242,19 @@ function handler(event) { }, "Type": "AWS::EC2::PrefixList", }, - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562": { - "Properties": { - "GroupDescription": "Test/ConstructHub/github.web-IPv4", - "SecurityGroupIngress": [ - { - "CidrIp": { - "Fn::GetAtt": [ - "ConstructHubVPC16ECCEA2", - "CidrBlock", - ], - }, - "Description": { - "Fn::Join": [ - "", - [ - "from ", - { - "Fn::GetAtt": [ - "ConstructHubVPC16ECCEA2", - "CidrBlock", - ], - }, - ":443", - ], - ], - }, - "FromPort": 443, - "IpProtocol": "tcp", - "ToPort": 443, - }, - ], - "Tags": [ - { - "Key": "Name", - "Value": "github.web.IPv4", - }, - ], - "VpcId": { - "Ref": "ConstructHubVPC16ECCEA2", - }, - }, - "Type": "AWS::EC2::SecurityGroup", - }, - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83ebtoTestConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb443ABFB620D": { + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0toTestConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0443D6F5D3E5": { "Properties": { "Description": "to github.web (IPv4)", "DestinationPrefixListId": { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb1AC116BE", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0CC113DD1", "PrefixListId", ], }, "FromPort": 443, "GroupId": { "Fn::GetAtt": [ - "ConstructHubgithubwebIPv4110b731050c541f4e2ec241604ceffc4ca8e83eb970FF562", + "ConstructHubgithubwebIPv48b2f32b1d10c79d948c448e457e246ed57e1aba0080DB59B", "GroupId", ], },