allow rustc-perf collection server to access bastion

marcoieni · marcoieni · commit 3664fbe5e75a · 2025-06-20T15:36:47.000+02:00
diff --git a/terraform/rds-databases/instance.tf b/terraform/rds-databases/instance.tf
@@ -16,6 +16,15 @@ resource "aws_db_subnet_group" "public" {
 # All of this security group stuff should go away once we migrate bastion to the
 # prod vpc (vs. the legacy vpc).
 
+data "terraform_remote_state" "rustc_perf" {
+  backend = "s3"
+  config = {
+    bucket = "rust-terraform"
+    key    = "simpleinfra/rustc-perf.tfstate"
+    region = "us-west-1"
+  }
+}
+
 data "aws_security_group" "bastion" {
   vpc_id = data.terraform_remote_state.shared.outputs.prod_vpc.id
   name   = "rust-prod-bastion"
@@ -46,8 +55,10 @@ resource "aws_security_group" "rust_prod_db" {
     from_port   = 5432
     to_port     = 5432
     protocol    = "tcp"
-    cidr_blocks = ["159.69.58.186/32"]
-    description = "Connections from rustc-perf collection server"
+    cidr_blocks = [
+      for ip in data.terraform_remote_state.rustc_perf.outputs.rustc_perf_ips : "${ip}/32"
+    ]
+    description = "Connections from rustc-perf collection servers"
   }
 
   tags = {
diff --git a/terraform/rustc-perf/dns.tf b/terraform/rustc-perf/dns.tf
@@ -17,3 +17,10 @@ resource "aws_route53_record" "one" {
   records = ["144.76.186.39"]
   ttl     = 300
 }
+
+output "rustc_perf_ips" {
+  value = [
+    tolist(aws_route53_record.legacy.records)[0],
+    tolist(aws_route53_record.one.records)[0]
+  ]
+}
