From a65cb21be5e162dd04862ef8b13db6f96faafedc Mon Sep 17 00:00:00 2001 From: Sean Rankine Date: Tue, 2 Jul 2024 10:32:01 +0100 Subject: [PATCH] Remove Pingdom IP rules for mirror buckets We no longer probe the mirrors from Pingdom.
--- .../projects/infra-mirror-bucket/README.md | 1 - .../infra-mirror-bucket/mirror-read-policy.tf | 46 ------------------- .../infra-mirror-bucket/pingdom_probe_ips.sh | 18 -------- 3 files changed, 65 deletions(-) delete mode 100644 terraform/projects/infra-mirror-bucket/pingdom_probe_ips.sh
diff --git a/terraform/projects/infra-mirror-bucket/README.md b/terraform/projects/infra-mirror-bucket/README.md
index 261b9e7d4..c86a3a84b 100644
--- a/terraform/projects/infra-mirror-bucket/README.md
+++ b/terraform/projects/infra-mirror-bucket/README.md
@@ -45,7 +45,6 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.s3_mirror_read_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_mirror_replica_read_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [external_external.pingdom](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 | [fastly_ip_ranges.fastly](https://registry.terraform.io/providers/fastly/fastly/latest/docs/data-sources/ip_ranges) | data source |
 | [template_file.s3_govuk_mirror_read_policy_template](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.s3_govuk_mirror_replication_policy_template](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
diff --git a/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf b/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf
index aab3bc9e8..a492dbbcd 100644
--- a/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf
+++ b/terraform/projects/infra-mirror-bucket/mirror-read-policy.tf
@@ -17,10 +17,6 @@ locals {
 data "fastly_ip_ranges" "fastly" {}
-data "external" "pingdom" {
- program = ["/bin/bash", "${path.module}/pingdom_probe_ips.sh"]
-}
 data "aws_iam_policy_document" "s3_mirror_read_policy_doc" {
 statement {
 sid = "S3FastlyReadBucket"
@@ -43,27 +39,6 @@ data "aws_iam_policy_document" "s3_mirror_read_policy_doc" {
 }
 }
- statement {
- sid = "S3PingdomReadBucket"
- actions = ["s3:GetObject"]
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror.id}/*",
- ]
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = split(",", data.external.pingdom.result.pingdom_probe_ips)
- }
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
 statement {
 sid = "S3OfficeReadBucket"
 actions = ["s3:GetObject"]
@@ -149,27 +124,6 @@ data "aws_iam_policy_document" "s3_mirror_replica_read_policy_doc" {
 }
 }
- statement {
- sid = "S3PingdomReadBucket"
- actions = ["s3:GetObject"]
- resources = [
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}",
- "arn:aws:s3:::${aws_s3_bucket.govuk-mirror-replica.id}/*",
- ]
- condition {
- test = "IpAddress"
- variable = "aws:SourceIp"
- values = split(",", data.external.pingdom.result.pingdom_probe_ips)
- }
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
 statement {
 sid = "S3OfficeReadBucket"
 actions = ["s3:GetObject"]
diff --git a/terraform/projects/infra-mirror-bucket/pingdom_probe_ips.sh b/terraform/projects/infra-mirror-bucket/pingdom_probe_ips.sh deleted file mode 100644
index 2a37d250f..000000000
--- a/terraform/projects/infra-mirror-bucket/pingdom_probe_ips.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-#
-# This script pulls Pingdom probe IPs from the feed page and prints a sorted
-# list of CIDR blocks to the standard output in JSON format.
-#
-# Pingdom probe IPs information:
-# https://help.pingdom.com/hc/en-us/articles/203682601-Pingdom-probe-servers-IP-addresses
-#
-# The JSON output needs to meet Terraform external data sources requirements
-# and limitations (at the moment Terraform only supports string data types)
-# https://www.terraform.io/docs/providers/external/data_source.html
-# https://github.com/hashicorp/terraform/issues/12256
-curl -s https://my.pingdom.com/probes/feed | grep "pingdom:ip" | sed -e 's|||' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | grep -oE "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | awk '
-BEGIN { ORS = ""; print " { \"pingdom_probe_ips\": \""}
-{ if (NR == 1) { print $1"/32" } else { print ","$1"/32" } }
-END { print "\" }" }
-'