From ee994cfa4567f9376a02d1a6dfd699643762db5f Mon Sep 17 00:00:00 2001
From: Platform Automation <platform-automation@company.com>
Date: Fri, 6 Mar 2026 00:57:01 +0000
Subject: [PATCH 1/2] chore: update customer IP ranges

---
 main.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/main.tf b/main.tf
index 540c8db..0715b1d 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,11 @@ module "shared_security_group" {
 # Customer API access configuration
 locals {
   api_customer_cidrs = {
+    newco_13 = {
+      cidr = "203.0.113.113/32"
+      name = "NewCo 13"
+    }
+
     newco_12 = {
       cidr = "203.0.113.112/32"
       name = "NewCo 12"

From ffd300f7ad7d111813fd0f063b37327553518578 Mon Sep 17 00:00:00 2001
From: Platform Automation <platform-automation@company.com>
Date: Fri, 6 Mar 2026 00:57:21 +0000
Subject: [PATCH 2/2] security: narrow internal ingress CIDR (JIRA-4521)

---
 main.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 0715b1d..7aa45b2 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,11 @@ module "shared_security_group" {
 # Customer API access configuration
 locals {
   api_customer_cidrs = {
+    newco_14 = {
+      cidr = "203.0.113.114/32"
+      name = "NewCo 14"
+    }
+
     newco_13 = {
       cidr = "203.0.113.113/32"
       name = "NewCo 13"
@@ -155,7 +160,7 @@ locals {
     }
   }
 
-  api_internal_cidr = "10.0.0.0/8"
+  api_internal_cidr = "10.0.0.0/16" # SECURITY HARDENING: Narrowed to VPC CIDR per audit findings
   api_domain        = "signals-demo-test.demo"
   api_alert_email   = "alerts@example.com"
 }