Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set up and configure egress proxy services #1015

Closed
6 tasks done
Tracked by #725
JeanMarie-PM opened this issue Apr 17, 2023 · 4 comments · Fixed by #1052
Closed
6 tasks done
Tracked by #725

Set up and configure egress proxy services #1015

JeanMarie-PM opened this issue Apr 17, 2023 · 4 comments · Fixed by #1052
Assignees
@mogul @JeanMarie-PM
Labels
compliance Stuff which may relate to a specific requirement or timelines for resolution MUST Things we gotta do for the tracking epic to be "minimal"

Comments

@JeanMarie-PM
Copy link
Contributor

JeanMarie-PM commented Apr 17, 2023
edited by mogul
Loading

At a glance

In order to restrict app egress while enabling connections that are explicitly allowed for operation (meeting the intent of NIST control SC-7)
As a FAC system architect
I want a proxy in a public-egress space that will only proxy connections to configured domains.

Acceptance Criteria

We use DRY behavior-driven development wherever possible.

Scenario: The egress proxy is deployed and properly configured

Given I am logged into cloud.gov and targeting the gsa-tts-oros-fac organization
When I run cf spaces
...

then...
Beta Give feedback

Given I am logged into cloud.gov
And and I have run cf t -o gsa-tts-oros-fac -s [dev|staging|production]-egress
When I run cf app egress ; cf network-policies; cf env egress | grep PROXY
...

then...
Beta Give feedback

Given I am logged into cloud.gov
And and I have run cf t -o gsa-tts-oros-fac -s [dev|staging|production]
When I run cf service egress-creds
...

then...
Beta Give feedback

Shepherd

  • Design shepherd:
  • Engineering shepherd: @mogul

Background/discussion

While this issue sets up the egress proxy, it does not cover binding the client apps to the egress-creds service and ensuring they use the provided info to make outbound connections. That work will happen in another issue.

Security Considerations

Required per SC-7. This change sets up a proxy that will allow HTTPS and SSH connections only to explicitly expected destinations. The configuration is completely managed via a Terraform module, and the ACLs are maintained in version control. Credentials for using the proxy are not exposed outside the cloud.gov platform. Within the platform, they are only visible to people with SpaceDeveloper permission on the spaces, and to apps that are explicitly bound to the egress-creds service.

Process checklist

Sketch

  • Design designs all the things
  • Engineering engineers all the things

Definition of Done

Triage

If not likely to be important in the next quarter...

  • Archived from the board

Otherwise...

  • Has a clear story statement
  • Design or Engineering accepts that it belongs in their respective backlog

Design Backlog

  • Has clearly stated/testable acceptance criteria
  • Meets the design Definition of Ready [citation needed]
  • A design shepherd has been identified

Design In Progress

  • Meets the design Definition of Done [citation needed]

Design Review Needed

  • Necessary outside review/sign-off was provided

Design Done

  • Presented in a sprint review
  • Includes screenshots or references to artifacts

If no engineering is necessary

  • Tagged with the sprint where it was finished
  • Archived

Engineering Backlog

  • Has clearly stated/testable acceptance criteria
  • Has a sketch or list of tasks
  • Can reasonably be done in a few days (otherwise, split this up!)

Engineering Available

  • There's capacity in the In Progress column
  • An engineering shepherd has been identified

Engineering In Progress

If there's UI...

  • Screen reader - Listen to the experience with a screen reader extension, ensure the information presented in order
  • Keyboard navigation - Run through acceptance criteria with keyboard tabs, ensure it works.
  • Text scaling - Adjust viewport to 1280 pixels wide and zoom to 200%, ensure everything renders as expected. Document 400% zoom issues with USWDS if appropriate.

Engineering Blocked

  • Blocker removed/resolved

Engineering Review Needed

  • Outside review/sign-off was provided

Engineering Done

  • Presented in a sprint review
  • Includes screenshots or references to artifacts
  • Tagged with the sprint where it was finished
  • Archived
@JeanMarie-PM JeanMarie-PM mentioned this issue Apr 17, 2023
Closed
@JeanMarie-PM
Copy link
Contributor Author

JeanMarie-PM commented Apr 17, 2023
edited
Loading

Pasting a comment in Slack by @mogul :
The egress proxy should be in place, and if necessary an SMTP proxy implemented into it. This is for SC-7, arguably the most important NIST control in existence.

@JeanMarie-PM JeanMarie-PM added the compliance Stuff which may relate to a specific requirement or timelines for resolution label Apr 17, 2023
@JeanMarie-PM JeanMarie-PM self-assigned this Apr 18, 2023
@JeanMarie-PM
Copy link
Contributor Author

@mogul , do I get spaces provisioned manually in cloud.gov? Or are you going to do this via terraform?

@mogul
Copy link
Contributor

mogul commented Apr 18, 2023

You should do it via Terraform. I'll put in a PR.

@mogul mogul self-assigned this Apr 20, 2023
@mogul
Copy link
Contributor

mogul commented Apr 20, 2023

This is now in progress on this branch.

@mogul mogul mentioned this issue Apr 27, 2023
Merged
@mogul mogul linked a pull request Apr 27, 2023 that will close this issue
Add egress proxy Terraform configuration #1052
Merged
@mogul mogul mentioned this issue Apr 28, 2023
Merged
@mogul mogul mentioned this issue May 1, 2023
Closed
30 tasks
@mogul mogul added the MUST Things we gotta do for the tracking epic to be "minimal" label Jul 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mogul mogul

@JeanMarie-PM JeanMarie-PM

Labels
compliance Stuff which may relate to a specific requirement or timelines for resolution MUST Things we gotta do for the tracking epic to be "minimal"
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add egress proxy Terraform configuration GSA-TTS/FAC
2 participants
@mogul @JeanMarie-PM