chore: allow cloud front prefix list to restrict security group access via environment manifest#3737
Conversation
…t-cli into env-manifest-cdn
add transformer, remove prefix-list logic, address efekarakus and iamhopaul's feedback
CaptainCarpensir
requested review from
dannyrandall
and removed request for
a team
iamhopaul123
added
the
do-not-merge
|
I realize that I changed a field name that we just released to make it more clear in the most recent commit to |
CaptainCarpensir
added
the
do-not-merge
|
"ingress from vpc" reads naturally to me and does imply the "allow" part, so it might be a fine name by itself. How about instead moving away from the "restrict" terminology? |
Allow CloudFront URI to be displayed on top of public ALB. I also changed the struct name from `albURI` to `accessURI` as it better fits the description when the URI is the access point to the environment, rather than just to the ALB. When PR for prefix lists #3737 is merged, I'll then modify these files to allow to disable showing the ALB DNS altogether. Addresses #3701 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
|
Per discussion in-person between myself, Austin, and Aiden - we think that modeling this as the following might work better: This would accommodate adding additional prefix lists (or exposing prefix lists to the user) in a way that wouldn't generate ambiguity as would happen if we ended up with two fields along the lines of |
CaptainCarpensir
force-pushed
the
env-alb-prefix-list
branch
from
86e8372 to
777ab6b
Compare
Allow CloudFront URI to be displayed on top of public ALB. I also changed the struct name from `albURI` to `accessURI` as it better fits the description when the URI is the access point to the environment, rather than just to the ALB. When PR for prefix lists aws#3737 is merged, I'll then modify these files to allow to disable showing the ALB DNS altogether. Addresses aws#3701 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
CaptainCarpensir
removed
the
do-not-merge
| {{- end}} | ||
| {{- end}} | ||
| PublicLoadBalancerSecurityGroup: | ||
| PublicHTTPLoadBalancerSecurityGroup: |
There was a problem hiding this comment.
My concern is that it may delete the old security group and create a new one. If we run copilot env deploy on an environment that still has PublicLoadBalancerSecurityGroup and not PublicHTTPLoadBalancerSecurityGroup yet (i.e. before your PR change), we'd probably see the following activities in Event tab:
PublicLoadBalancerSecurityGroup DELETE_COMPLETE
PublicLoadBalancerSecurityGroup DELETE_IN_PROGRESS
...
<stack_name> UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
...
PublicHTTPLoadBalancerSecurityGroup CREATE_COMPLETE
PublicHTTPLoadBalancerSecurityGroup CREATE_IN_PROGRESS
...
<stack_name> UPDATE_IN_PROGRESS
Although it's probably not a problem to recreate the security group 🤔 but we should be careful about it if it introduces unnecessary resource updates just because the logical ID changes.
| Tags: | ||
| - Key: Name | ||
| Value: !Sub 'copilot-${AppName}-${EnvironmentName}-lb' | ||
| PublicHTTPSLoadBalancerSecurityGroup: |
There was a problem hiding this comment.
qq: I see we are trying to add this ingress only if the ALB is listening for HTTPS on 443. This makes sense. Any other reasons why we are doing this now?
There was a problem hiding this comment.
Splitting the security group is needed because one security group has a max count of prefix lists of 60, but each cloud front prefix list counts for 55 of those, so in order to still only allow http and https traffic, we need to split them into two different SGs.
There was a problem hiding this comment.
To add on @CaptainCarpensir. One other benefit is that we don't always open HTTPS 443 for users anymore if they don't enable https.
| {{- end}} | ||
| {{- end}} | ||
| PublicLoadBalancerSecurityGroup: | ||
| PublicHTTPLoadBalancerSecurityGroup: |
There was a problem hiding this comment.
Similarly, I'm also still worried because I don't have a clear understanding of the sequence of steps that occur.
After testing, yeah this does succeed at least in a basic circumstance.
@CaptainCarpensir what did you observe on an env existing stack with a LBWS already enabled?
Does it:
- Create the new
PublicHTTPLoadBalancerSecurityGroup - Update
PublicLoadBalancer - Delete
PublicLoadBalancerSecurityGroup
Is that the sequence? If it's the other way around (what Wanxian wrote) then the users will experience downtime because the load balancer for a brief period won't accept any incoming traffic.
CaptainCarpensir
added
the
do-not-merge
CaptainCarpensir
force-pushed
the
env-alb-prefix-list
branch
from
0f81905 to
0815e34
Compare
CaptainCarpensir
force-pushed
the
env-alb-prefix-list
branch
from
7692f13 to
19ca126
Compare
CaptainCarpensir
removed
the
do-not-merge
| var cidrPrefixListIDs []string | ||
|
|
||
| // Check if ingress is allowed from cloudfront | ||
| if in.Manifest == nil || !in.Manifest.IsIngressRestrictedToCDN() { | ||
| return nil, nil | ||
| } | ||
| cfManagedPrefixListID, err := d.cfManagedPrefixListID() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| cidrPrefixListIDs = append(cidrPrefixListIDs, cfManagedPrefixListID) | ||
|
|
||
| return cidrPrefixListIDs, nil |
There was a problem hiding this comment.
nit:
| var cidrPrefixListIDs []string | |
| // Check if ingress is allowed from cloudfront | |
| if in.Manifest == nil || !in.Manifest.IsIngressRestrictedToCDN() { | |
| return nil, nil | |
| } | |
| cfManagedPrefixListID, err := d.cfManagedPrefixListID() | |
| if err != nil { | |
| return nil, err | |
| } | |
| cidrPrefixListIDs = append(cidrPrefixListIDs, cfManagedPrefixListID) | |
| return cidrPrefixListIDs, nil | |
| // Check if ingress is allowed from cloudfront | |
| if in.Manifest == nil || !in.Manifest.IsIngressRestrictedToCDN() { | |
| return nil, nil | |
| } | |
| id, err := d.cfManagedPrefixListID() | |
| if err != nil { | |
| return nil, err | |
| } | |
| return []string{id}, nil |
7 participants
Allow users to specify prefix lists, and to restrict ingress traffic to the ALB via the environment manifest. Adds a new field to the PublicHTTPConfig field
restrict_alb_ingress_to_cffor this behavior.Feature for part of #3701
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.