Match egress rules to the ci_server_url in use

GSA-TTS · Feb 11, 2025 · f578416 · f578416
1 parent 1e8dd08
commit f578416
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -2,7 +2,7 @@ locals {
   # the list of egress hosts to allow for runner-manager and always needed by runner workers
   devtools_egress_allowlist = [
     "*.fr.cloud.gov",                      # cf-cli calls from manager
-    "gsa-0.gitlab-dedicated.us",           # connections from both manager and runners
+    var.ci_server_url,                     # connections from both manager and runners
     "deb.debian.org",                      # debian runner dependencies install
     "*.ubuntu.com",                        # ubuntu runner dependencies install
     "dl-cdn.alpinelinux.org",              # alpine runner dependencies install
@@ -94,7 +94,7 @@ resource "cloudfoundry_app" "gitlab-runner-manager" {
     # Following vars are used directly by gitlab-runner register
     # See gitlab-runner register --help for available vars
     CI_SERVER_TOKEN = var.ci_server_token
-    CI_SERVER_URL   = var.ci_server_url
+    CI_SERVER_URL   = "https://${var.ci_server_url}"
     RUNNER_EXECUTOR = var.runner_executor
     RUNNER_NAME     = var.runner_manager_app_name
     # Following vars are for tuning worker defaults

diff --git a/sandbox-deploy/main.tf b/sandbox-deploy/main.tf
@@ -27,6 +27,7 @@ module "sandbox-runner" {
 
   cf_user                 = var.cf_user
   cf_space_prefix         = var.cf_space_prefix
+  ci_server_url           = "gsa-0.gitlab-dedicated.us"
   ci_server_token         = var.ci_server_token
   docker_hub_user         = var.docker_hub_user
   docker_hub_token        = var.docker_hub_token

diff --git a/tests/creation.tftest.hcl b/tests/creation.tftest.hcl
@@ -9,7 +9,7 @@ variables {
   cf_space_prefix         = "glr-cg-ci-tests"
   ci_server_token         = "fake-gdg-server-token"
   program_technologies    = ["ruby", "terraform"]
-  worker_egress_allowlist = ["api.example.gov", "gsa-0.gitlab-dedicated.us"]
+  worker_egress_allowlist = ["api.example.gov", "gsa.gitlab-dedicated.us"]
 }
 
 run "test-system-creation" {
@@ -100,7 +100,7 @@ run "test-system-creation" {
   assert {
     condition = local.proxy_allowlist == toset([
       "*.fr.cloud.gov",
-      "gsa-0.gitlab-dedicated.us",
+      "gsa.gitlab-dedicated.us",
       "deb.debian.org",
       "*.ubuntu.com",
       "dl-cdn.alpinelinux.org",

diff --git a/variables.tf b/variables.tf
@@ -28,7 +28,7 @@ variable "ci_server_token" {
 
 variable "ci_server_url" {
   type        = string
-  default     = "https://gsa-0.gitlab-dedicated.us"
+  default     = "gsa.gitlab-dedicated.us"
   description = "Gitlab Dedicated for Government URL"
 }